27C3 - Version 1.6.3

27th Chaos Communication Congress
We come in peace

Dominik Herrmann
Day Day 1 - 2010-12-27
Room Saal 2
Start time 14:00
Duration 01:00
ID 4140
Event type Lecture
Track Hacking
Language used for presentation English

Contemporary Profiling of Web Users

On Using Anonymizers and Still Get Fucked

This talk will provide a summary of recently discovered methods which allow to break the Internet's privacy and anonymity.

We will show, amongst others:

  • ways of distinguishing bots from humans. We use this technique to provide crawlers with false data or lure them into tar pits.

Other than CAPTCHAs we introduce methods that profile the holistic behaviour within a single web session to distinguish users or bots within a longer timeframe based on subtle charactistics in most bots' implementations.

  • breaking filtering of JavaScript in web-based proxies.

While next to all web proxies advertise the capability of filtering JavaScript, the ubiqity of XSS and CSRF attacks have proven that correct filtering of arbitrary HTML is extremly difficult.

  • track and re-identifying users based upon their web-profile.

We show how a third-party observer (e. g. proxy server or DNS server) can create a long-term profile of roaming web users using only statistical patterns mined from their web traffic. These patterns are used to track users by linking multiple surfing sessions. Our attack does not rely on cookies or other unique identifiers, but exploits chatacteristic patterns of frequently accessed hosts. We demonstrate that such statistical attacks are practicable and we will also look into basic defense strategies.

  • traffic analysis and fingerprinting attacks on users of anonymizing networks.

Even if anonymizeres like Tor are used, a local adversary can measure the volume of transfered data and timing characteristics to e. g. determine the retrieved websites. We will shortly sketch the current state of the art in traffic analysis, which has been improved significantly within the last year.