Firefox and Chrome are vulnerable to a new type of attack on browsers

At the Toorcon conference a new type of browser attack was demonstrated that lets a web page find out which sites the user has visited before. The attack applies to websites that have HSTS (HTTP Strict Transport Security) enabled, which makes the browser automatically switch to HTTPS when a resource is requested over plain HTTP.

It works even if the user has cleared their browsing history. To demonstrate the vulnerability, a special page was prepared that could tell whether some popular websites had been opened in the past. The vulnerability shows up most clearly in Firefox and Chrome, but it also affects other browsers that support HSTS. Only the Tor Browser is not vulnerable, because of its limited timer precision.


The attack relies on the following behaviour: a page governed by a CSP requests a nonexistent image on the target website over plain HTTP. If that site sets the HSTS flag and was visited earlier, its HSTS parameters are cached, so the URL is rewritten to HTTPS immediately (the HTTP request is skipped) and the result comes back right away. If the site has not been opened before, the request is first sent over HTTP, and only after the HSTS header is received does the browser send a second request over HTTPS, so the operation takes significantly longer. By measuring this delay in JavaScript, one can determine with fairly high probability whether the user previously opened the website.
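The paragraph above explains the timing difference, and the earlier note about Tor Browser says a coarse timer defeats it. The simulation below, an added example that is not part of the original article, models both outcomes with constructed latency values (assumed numbers, not measurements from the talk) and shows how classification accuracy falls as the timer's tick size grows past the network round trip.

```python
import random

# Constructed latency model (assumed values, not measurements from the talk):
# with a cached HSTS entry the browser rewrites the URL to HTTPS and the CSP
# block fires almost immediately; without one a real HTTP round trip happens
# first, so the result arrives tens of milliseconds later.
VISITED_MS = (0.2, 0.05)       # (mean, stddev) when the host's HSTS entry is cached
NOT_VISITED_MS = (45.0, 12.0)  # (mean, stddev) when a network request must go out

THRESHOLD_MS = 5.0  # an observed delay above this is taken to mean "not visited"


def sample_delay(visited: bool, rng: random.Random) -> float:
    """Draw one delay from the constructed model for the given visit state."""
    mean, sd = VISITED_MS if visited else NOT_VISITED_MS
    return max(0.0, rng.gauss(mean, sd))


def quantize(delay_ms: float, resolution_ms: float) -> float:
    """Model a timer that only reports whole multiples of resolution_ms."""
    return (delay_ms // resolution_ms) * resolution_ms


def accuracy(resolution_ms: float, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of trials in which the quantized delay reveals the visit state."""
    rng = random.Random(seed)
    correct = 0
    for i in range(trials):
        visited = i % 2 == 0
        observed = quantize(sample_delay(visited, rng), resolution_ms)
        if (observed < THRESHOLD_MS) == visited:
            correct += 1
    return correct / trials


if __name__ == "__main__":
    # Sweep from a microsecond-class timer to a 100 ms tick: accuracy stays
    # near 1.0 until the tick is coarser than the round trip it must hide.
    for res in (0.005, 1.0, 20.0, 100.0):
        print(f"timer resolution {res:>7} ms -> accuracy {accuracy(res):.3f}")
```

The takeaway for defenders is that shaving a little precision off the timer does nothing; the tick has to exceed the delay being hidden, and even then any tail beyond one tick still leaks.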

Interestingly, Chrome developers received a report about a similar method of determining visited sites about a year ago, and the problem is still not fixed. If the site's port 443 is requested over plain HTTP (http://example.com:443), such an address causes an error if the site has not been opened earlier. If the site has been opened in the past and uses the HSTS flag, the browser automatically rewrites the address to https://example.com:443 and the request succeeds.

Another vulnerability is related to the public key pinning mechanism (HPKP, HTTP Public Key Pinning), which lets a site state explicitly which certificate authority certificates may be used for it. This vulnerability can be used in Chrome or Firefox to track visitors without cookies. By passing off an arbitrary identifier as a pinned certificate in HPKP, a site can bind an identifier that is unique to each visitor. Later, this binding can be used to reliably recognise a returning user, in the same way a cookie is used for identification. The distinguishing feature is that the binding survives cookie deletion, and removing HPKP records is not obvious, since you have to open the internal page (chrome://net-internals/#hpkp) for a particular domain (there is no way to see the list of domains with HPKP pins).

Information added: 10/28/2015 05:03 PM