Browser Exploit Against SSL/TLS

There has been a lot of bad news about SSL/TLS lately; here is some more:

Researchers Juliano Rizzo and Thai Duong plan to present a tool called BEAST (Browser Exploit Against SSL/TLS) this coming Friday at the ekoparty security conference in Buenos Aires. With it, an attacker on the same network is said to be able to capture and decrypt browser cookies transmitted over SSL. (…) Rizzo told The Register that this lets him crack an encrypted PayPal cookie in under ten minutes.


Respawning Cookies

Ashkan Soltani explains the technical background of hard-to-delete cookies.

What differentiates KISSmetrics apart from Hulu with regards to respawning is, in addition to Flash and HTML5 LocalStorage, KISSmetrics was exploiting the browser cache to store persistent identifiers via stored Javascript and ETags. ETags are tokens presented by a user’s browser to a remote webserver in order to determine whether a given resource (such as an image) has changed since the last time it was fetched. Rather than simply using it for version control, we found KISSmetrics returning ETag values that reliably matched the unique values in their ‘km_ai’ user cookies.


As explained above, KISSmetrics uses the same identifier for consumers across the different websites it serves. In addition to data enhancement, this practice may be problematic because it enables KISSmetrics to uniquely track individuals across sites they visit. This makes KISSmetrics’ position more similar to a network advertiser than an analytics provider.
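The ETag behaviour described above can be checked for in a capture of your own browser traffic. The following is an added example, not code from Soltani's write-up or from KISSmetrics: the exchange format, the host names and all values are constructed, and only the cookie name km_ai comes from the text.

```javascript
// Constructed exchange format: {url, req, res} with lower-cased header names;
// res["set-cookie"] is an array of raw Set-Cookie header values.

// Strip the weak-validator prefix and the surrounding quotes from an ETag.
function bareTag(v) {
  return v.trim().replace(/^W\//, "").replace(/^"|"$/g, "");
}

// Parse "a=1; b=2"; with firstOnly, keep only the name=value pair of a Set-Cookie.
function cookiePairs(header, firstOnly) {
  const out = Object.create(null);
  const parts = (header || "").split(";");
  for (const part of firstOnly ? parts.slice(0, 1) : parts) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function findEtagRespawn(exchanges) {
  const findings = [];
  for (const ex of exchanges) {
    const host = new URL(ex.url).host;
    const sent = cookiePairs(ex.req["cookie"], false);
    const set = Object.create(null);
    for (const sc of ex.res["set-cookie"] || []) Object.assign(set, cookiePairs(sc, true));
    const etag = ex.res["etag"] ? bareTag(ex.res["etag"]) : null;
    const inm = (ex.req["if-none-match"] || "").split(",").map(bareTag).filter(Boolean);
    // 1. The validator doubles as an identifier: the ETag equals a cookie value.
    for (const [cookie, value] of Object.entries({ ...sent, ...set })) {
      if (etag && value === etag) findings.push({ host, kind: "etag-equals-cookie", cookie });
    }
    // 2. Respawn: the cookie was not sent, the cached validator was, and the
    //    server answers by setting a cookie to that same value.
    for (const [cookie, value] of Object.entries(set)) {
      if (!(cookie in sent) && inm.includes(value)) {
        findings.push({ host, kind: "cookie-respawned-from-etag", cookie });
      }
    }
  }
  return findings;
}

// Constructed capture: first visit, revisit after clearing cookies but not the
// cache, and an ordinary static asset whose ETag is unrelated to any cookie.
const SAMPLE = [
  { url: "https://tracker.example/i.js", req: {}, res: { etag: '"u-7f3a9c"', "set-cookie": ["km_ai=u-7f3a9c; Path=/"] } },
  { url: "https://tracker.example/i.js", req: { "if-none-match": '"u-7f3a9c"' }, res: { etag: '"u-7f3a9c"', "set-cookie": ["km_ai=u-7f3a9c; Path=/"] } },
  { url: "https://static.example/logo.png", req: { cookie: "session=abc123", "if-none-match": '"5d8c72a5"' }, res: { etag: '"5d8c72a5"' } },
];
```

A finding of kind cookie-respawned-from-etag means clearing cookies alone did not reset the identifier; the cached resource has to be evicted as well.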


Evercookie – never forget

Quite impressive how many ways there are to set a persistent cookie.

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.


OS X: Flash Cookie Removal removes Flash cookies.

For those who do not know about Flash cookies, more properly referred to as Local Shared Objects (LSO), they operate in a similar way to regular browser cookies but are stored outside the purview of your browser, meaning you cannot delete them from within your browser, whether Safari, Firefox, Opera or any other. Typically they are issued from sites or 3rd party sites that contain Adobe Flash content. Since virtually all internet advertising is delivered in Flash, Google/Doubleclick and all other internet advertising companies are sure to be tracking your browsing behavior with Flash cookies. These companies can see you traverse the Internet as you come upon the plethora of sites that contain their embedded advertising.


Cross Browser Client-Side Persistent Storage Without Cookies

Paul Duncan has released PersistJS, a client-side JavaScript persistent storage library.

PersistJS uses the various mechanisms that already exist for persistent storage and provides a unified interface to them, so it does not depend on plugins or Flash.

  • flash: Flash 8 persistent storage.
  • gears: Google Gears-based persistent storage.
  • localstorage: HTML5 draft storage. (development WebKit)
  • whatwg_db: HTML5 draft database storage.
  • globalstorage: HTML5 draft storage (old spec). (Firefox 2.0+, Internet Explorer 8)
  • ie: Internet Explorer userdata behaviors. (Internet Explorer 5.5+)
  • cookie: Cookie-based persistent storage.