Kevin Froman's blog

Blog on security, programming, & other musings

TimeBleed: Breaking Privacy With a Simple Timing Attack

2017-04-18

TimeBleed: Simple Attack, Serious Issue

Background

While researching IPFS, I realized that using a simple timing attack, attackers could use IPFS' gateway to check what pages a user has accessed, and download unique pages for use as a 'supercookie'.

Shortly after, I realized this attack would apply to the web in general, and could have serious implications for other networks/software.

The Attack

The attack is simple. A malicious website will simply send an XHR request (or a hidden img tag) to a website it wishes to test for. If the user has recently visited the requested website, the domain will resolve/respond faster than if they had not, due to DNS and other caching.

The "same origin" policy does not prevent this, since requests can still be measured.

What's the big deal?

Trackers, scammers, hackers, and anyone else could check if you have visited any given site recently.

Scareware could use this to extort users who visit adult websites.

While tracking is possible using normal 'web bugs', the target website needs to embed this themselves, and many browser extensions/settings will protect against them. TimeBleed is not so simple to prevent.

Tor Browser

Tor Browser effectively defends against this attack by properly isolating connections; see here for more information.
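The effect of that isolation can be shown with a toy cache model. This is an added example, not code from the original post or from Tor Browser; the `ResourceCache` class, the `.example` hostnames and the latency constants are all constructed for illustration.

```javascript
// Toy model of a browser DNS/connection cache (added illustration).
// Latencies are constructed constants in milliseconds, not measurements.
const MISS_MS = 120; // full lookup plus connection setup
const HIT_MS = 5;    // answered from cache

class ResourceCache {
  // isolate = false: one cache shared by every page, keyed by target host.
  // isolate = true: keyed by (first-party site, target host), the idea
  // behind isolating connections per first party.
  constructor(isolate) {
    this.isolate = isolate;
    this.entries = new Set();
  }
  key(firstParty, host) {
    return this.isolate ? `${firstParty}|${host}` : host;
  }
  // Simulated latency of loading `host` while `firstParty` is the top-level site.
  fetch(firstParty, host) {
    const k = this.key(firstParty, host);
    if (this.entries.has(k)) return HIT_MS;
    this.entries.add(k);
    return MISS_MS;
  }
}

// What a page could conclude from latency alone.
function inferredVisited(latencyMs) {
  return latencyMs < (HIT_MS + MISS_MS) / 2;
}

function simulate(isolate) {
  const cache = new ResourceCache(isolate);
  // The user browses one site directly.
  cache.fetch("visited.example", "visited.example");
  // Later, a different first party causes sub-requests to two hosts.
  const observer = "observer.example";
  return {
    visited: inferredVisited(cache.fetch(observer, "visited.example")),
    neverVisited: inferredVisited(cache.fetch(observer, "never-visited.example")),
  };
}

// True when the two hosts are distinguishable, i.e. history leaks.
function leaks(isolate) {
  const r = simulate(isolate);
  return r.visited !== r.neverVisited;
}
```

With the shared cache the visited and never-visited hosts produce different timings; with the first-party key both look like cold loads, while repeat loads inside the same first party still benefit from caching.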

Orfox

Orfox, the unofficial but most recommended browser for using Tor on Android devices, sadly does not defend against TimeBleed, which could be used to help correlate multiple connections. Orfox needs to use the unlinkability features specified in the Tor Browser draft.

Other Networks

Freenet, ZeroNet and I2P are vulnerable to varying degrees.

Freenet

Freenet is affected by this the worst.

Some Freenet "links" (keys) are consistent to every file, so an attacker could generate many links for files they are interested in checking for, or they could use site indexes/search engines to create a list.

Like most of the other networks in this post, Freenet's default and most popular implementation ('FRED') uses an HTTP server to provide access to "websites" within the network.

Although it is not perfect, Freenet does a decent job protecting users. Despite this, TimeBleed can be used to check a user's FRED for cached keys. An attacker could embed the TimeBleed script into normal web traffic, as web browsers do not prevent 3rd party requests to localhost servers.

ZeroNet

ZeroNet is affected in much the same way as IPFS, with attackers being able to check what sites a person has in their client. Like IPFS, this is not a huge deal, as nodes can already see who has what site; however, ZeroNet nodes can also hide behind Tor, VPNs, etc. TimeBleed is potentially a way of bypassing that, and in addition it can be used as a supercookie by "sending" ZeroNet users unique sites and checking for them later.

I was getting somewhat conflicting results when testing ZeroNet, so anyone who tests ZeroNet for this themselves, please let me know what you find. I noticed that .bit domains are more reliable for detection than Bitcoin address websites.

I2P

I2P is affected in the same way as Orfox; however, in some cases it is permanent, as I2P has no concept of domains at the network level. Instead, I2P uses an 'addressbook' (similar to a hosts file) to map hostnames. If a user tries to visit a site not in their address book, I2P offers to use a 'jump service'. If the jump service finds the site for them, they have the option of adding it to their book.

If the user chooses to do so, this will make the user's addressbook unique and therefore fingerprintable.

Proof of Concept

I have created a proof of concept page with a tl;dr description of the issue.

Lessons Learned & Mitigation

It is very difficult to make a web based application anonymous. There is much room to slip up, and something as simple as how long a request response takes can give away a lot of information.

Browser vendors should implement a setting to 'forget' cross origin request DNS connections/sessions. I think this is a long shot because they still enable 3rd party cookies by default...

Users who want to prevent this attack should use the noscript + uMatrix addons, or Tor Browser. When using Orfox, restarting Orbot & Orfox will close your tunnels and cache.

Written by anonymous