In the the conference Toorcon 2015, Independent researcher Zhu Yan (Yan Zhu) demonstrated the operation of the two bugs related to HSTS AND HPKP, with which you can monitor the activity of millions of users of Google Chrome and Mozilla Firefox. Exploiting bugs, you can find out what resources the user visited before (even if the victim regularly cleans the browser history), as well as to plant it analogue cookie, which will continue to monitor the activity, even after the removal of ordinary cookie.
The main problem has been found in the mechanism HSTS, which is used to activate the forced a secure connection through the protocol HTTPS. Sites that support HSTS, forcing the user’s browser is forced to connect through HTTPS, instead of HTTP.This mechanism is actively used in the work banks, cloud services and other “sensitive” resources.
Yan Zhu demonstrated that protection HSTS can be used not for its intended purpose. If desired, site administrators can abuse the use of the mechanism and find out what resources previously visited their users.
The attack is carried out through non-existent, embedded in the body of the protected HSTS site pictures. Using JavaScript, you can measure the time delay, which is needed for the error. Thus it is possible to determine a user open a particular site before or not. If the user has already visited the site, the delay time will be a few milliseconds. If not – the delay will be longer.Bug exactly works for Firefox and Chrome, although the researcher argues that other browsers that support HSTS, is also under threat. It also reported that the issue is not subject to Tor Browser.
The second vulnerability, which Zhu said, is combined with the above. The bug was discovered in the binding mechanism of public key HPKP (Public Key Pinning HTTP), which, like HSTS, was created to improve the safety of users. HPKP known as a means to bind the certificate created for the fight against fakes. It allows website HTTPS set specific parameters that the browser has to accept all secure connections in the future. The mechanism also allows you to assign multiple certificates.
Site administrators can use HPKP harm, securing for each user a unique text identifier, instead of the certificate. The text can be read on subsequent visits to the site, that is to be used instead of the cookie, to keep track of the user. Even if you remove yourself cookie, a “certificate” will remain.
In post Mozilla, the bug does not work in Firefox, so the only vulnerable to attack by the browser, it seems, is Chrome. To get rid of surveillance through HPKP, in the Chrome address bar would type: chrome: // net-internals / # hpkp and remove specific domain from the list. However, the list of domains can not be bound to see that it is not very convenient.
As a proof-of-concept researcher created a website http://zyan.scripts.mit.edu/sniffly/, who are happy to show the user a detailed history of his Web surfing, telling what sites the user visited, and which are not. The source code for his exploit Zhuposted on GitHub, and called him Sniffly.
Full video presentations from the conference researcher Toorcon:
Photo: Yuri Samoilov
