Simple record

dc.contributor.author | Santos Grueiro, Igor
dc.contributor.other | Sanchez-Rola, Iskander
dc.contributor.other | Balzarotti, Davide
dc.date.accessioned | 2024-07-02T09:13:26Z
dc.date.available | 2024-07-02T09:13:26Z
dc.date.issued | 2020
dc.identifier.issn | 2576-5337 | en
dc.identifier.other | https://katalogoa.mondragon.edu/janium-bin/janium_login_opac.pl?find&ficha_no=159561 | en
dc.identifier.uri | https://hdl.handle.net/20.500.11984/6566
dc.description.abstract | Cookies were originally introduced as a way to provide state awareness to websites, and are now one of the backbones of the current web. However, their use is not limited to store the login information or to save the current state of user browsing. In several cases, third-party cookies are deliberately used for web tracking, user analytics, and for online advertisement, with the subsequent privacy loss for the end users. However, cookies are not the only technique capable of retrieving the users’ browsing history. In fact, history sniffing techniques are capable of tracking the users’ browsing history without relying on any specific code in a third-party website, but only on code executed within the visited site. Many sniffing techniques have been proposed to date, but they usually have several limitations and they are not able to differentiate between multiple possible states within the target application. We propose BakingTimer, a new history sniffing technique based on timing the execution of server-side request processing code. This method is capable of retrieving partial or complete user browsing history, it does not require any permission, and it can be performed through both first and third-party scripts. We studied the impact of our timing side-channel attack to detect prior visits to websites, and discovered that it was capable of detecting the users’ state in more than half of the 10K websites analyzed, which is the largest test performed to date to test this type of techniques. We additionally performed a manual analysis to check the capabilities of the attack to differentiate between three states: never accessed, accessed and logged in. Moreover, we performed a set of stability tests, to verify that our time measurements are robust with respect to changes both in the network RTT and in the servers’ workload.
This extended version additionally includes a comprehensive analysis of existing countermeasures, starting from its evolution/adoption, and finishing with a large-scale experiment to assess the repercussions on the presented technique. | en
dc.language.iso | eng | en
dc.publisher | ACM | en
dc.rights | © 2020 The Authors | en
dc.subject | Security and privacy | en
dc.subject | Browser security | en
dc.subject | user privacy | en
dc.subject | browser cookies | en
dc.subject | history sniffing | en
dc.title | Cookies from the Past: Timing Server-Side Request Processing Code for History Sniffing | en
dcterms.accessRights | http://purl.org/coar/access_right/c_abf2 | en
dcterms.source | Digital Threats: Research and Practice | en
local.contributor.group | Análisis de datos y ciberseguridad | es
local.description.peerreviewed | true | en
local.identifier.doi | https://doi.org/10.1145/3419473 | en
local.contributor.otherinstitution | https://ror.org/00ne6sr39 | es
local.contributor.otherinstitution | https://ror.org/0114r0003 | es
local.contributor.otherinstitution | https://ror.org/00sse7z02 | es
local.source.details | Vol 1. N. 4. Article No.: 24. Pp 1–24. December, 2020
oaire.format.mimetype | application/pdf | en
oaire.file | $DSPACE\assetstore | en
oaire.resourceType | http://purl.org/coar/resource_type/c_c94f | en
oaire.version | http://purl.org/coar/version/c_ab4af688f83e57aa | en

