Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Timing is Everything: the Importance of History Detection
KTH, School of Computer Science and Communication (CSC), Theoretical Computer Science, TCS.
2011 (English)In: Computer Security – ESORICS 2011: 16th European Symposium on Research in Computer Security, Leuven, Belgium, September 12-14,2011. Proceedings / [ed] Vijay Atluri, Claudia Díaz, Springer, 2011, 117-132 p.Conference paper, Published paper (Refereed)
Abstract [en]

In this work, we present a Flow Stealing attack, where a victim's browser is redirected during a legitimate flow. One scenario is redirecting the victim's browser as it moves from a store to a payment provider. We discuss two attack vectors.

Firstly, browsers have long admitted an attack allowing a malicious web page to detect whether the browser has visited a target web site by using CSS to style visited links and read out the style applied to a link. For a long time, this CSS history detection attack was perceived as having small impact. Lately, highly efficient implementations of the attack have enabled malicious web sites to extract large amounts of information. Following this, browser developers have deployed measures to protect against the attack. Flow stealing demonstrates that the impact of history detection is greater than previously known.

Secondly, an attacker who can mount a man-in-the-middle attack against the victim's network traffic can also perform a flow stealing attack.

Noting that different browsers place different restrictions on cross-frame navigation through JavaScript window handles, we suggest a stricter policy based on pop-up blockers to prevent Flow Stealing attacks.

Place, publisher, year, edition, pages
Springer, 2011. 117-132 p.
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 6879
Keyword [en]
CSS History Detection, Flow Stealing, Web Security
National Category
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-32423DOI: 10.1007/978-3-642-23822-2_7ISI: 000307366400007Scopus ID: 2-s2.0-80053026930ISBN: 978-3-642-23821-5 (print)OAI: oai:DiVA.org:kth-32423DiVA: diva2:410601
Conference
16th European Symposium on Research in Computer Security, ESORICS 2011; Leuven; 12 September 2011 through 14 September 2011
Note

QC 20110420

Available from: 2011-04-14 Created: 2011-04-14 Last updated: 2013-04-19Bibliographically approved
In thesis
1. Aspects of Secure and Efficient Streaming and Collaboration
Open this publication in new window or tab >>Aspects of Secure and Efficient Streaming and Collaboration
2011 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Research within the area of cryptography constitutes the core of this the- sis. In addition to cryptography, we also present results in peer-assisted streaming and web security. We present results on two specific cryptographic problems: broadcast encryption and secure multi-party computation. Broad- cast encryption is the problem of efficiently and securely distributing content to a large and changing group of receivers. Secure multi-party computation is the subject of how a number of parties can collaborate securely. All in all, this thesis spans from systems work discussing the Spotify streaming system with millions of users, to more theoretic, foundational results. Streaming is among the largest applications of the Internet today. On- demand streaming services allow users to consume the media content they want, at their convenience. With the large catalogs offered by many services, users can access a wide selection of content. Live streaming provides the means for corporations as well as individuals to broadcast to the world. The power of such broadcasts was shown in the recent (early 2011) revolts in Tunisia and Egypt, where protesters streamed live from demonstrations. To stream media to a large global audience requires significant resources, in particular in terms of the bandwidth needed. One approach to reduce the requirements is to use peer-to-peer techniques, where clients assist in distributing the media. Spotify is a commercial music-on-demand streaming system, using peer-to-peer streaming. In this thesis, we discuss the Spotify protocol and measurements on its performance. In many streaming systems, it is important to restrict access to content. One approach is to use cryptographic solutions from the area of broadcast encryption. Within this area, we present two results. The first is a protocol which improves the efficiency of previous systems at the cost of lowered secu- rity guarantees. The second contains lower-bound proofs, showing that early protocols in the subset cover framework are essentially optimal. Many streaming systems are web-based, where the user accesses content in a web browser. Apart from this usage of the web, subscriptions for streaming services are bought using a web browser. This means that to provide a secure streaming service, we must understand web security. This thesis contains a result on a new type of attack, using an old history detection vulnerability to time the execution of a redirect of a victim’s browser. Within the area of secure multi-party computation, this thesis has three contributions. Firstly, we give efficient protocols for the basic functions of summation and disjunction which adapt to the network they run on. Secondly, we provide efficient protocols for sorting and aggregation, by using techniques from the area of sorting networks. Finally, we prove a dichotomy theorem, showing that all functions with three distinct outputs are either maximally easy or maximally difficult with regards to the security provided.

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2011. xi, 74 p.
Series
Trita-CSC-A, ISSN 1653-5723 ; 2011:05
National Category
Computer Science
Identifiers
urn:nbn:se:kth:diva-32424 (URN)978-91-7415-942-4 (ISBN)
Public defence
2011-05-13, D2, Lindstedtsvägen 5, KTH, Stockholm, 13:15 (English)
Opponent
Supervisors
Funder
ICT - The Next Generation
Note
QC 20110420Available from: 2011-04-20 Created: 2011-04-14 Last updated: 2012-06-14Bibliographically approved

Open Access in DiVA

No full text

Other links

Publisher's full textScopus

Search in DiVA

By author/editor
Kreitz, Gunnar
By organisation
Theoretical Computer Science, TCS
Computer Science

Search outside of DiVA

GoogleGoogle Scholar

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 73 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf