Cache-based Targeted Deanonymization Attacks, recommend extension on all browsers?

[ghost]

Could everyone review this? (why I assigned everyone). Initially reported by @pterocles.

Question being: Should we recommend all users to install that extension? Even Tor Browser users?

Introduction/Explanation:

• https://leakuidatorplusteam.github.io

Paper:

• https://leakuidatorplusteam.github.io/preprint.pdf

Repository of mitigating extension:

• https://github.com/leakuidatorplusteam/LeakuidatorPlus

Extension links on stores:

• https://addons.mozilla.org/en-US/firefox/addon/leakuidatorplus/
• https://chrome.google.com/webstore/detail/leakuidator%2B/hhfpajcjkikoocmmhcimllpinjnbedll

Media Articles:

• https://www.wired.com/story/web-deanonymization-side-channel-attack-njit/

[nopeitsnothing]

Other sources of information regarding this type of attack:

Protocol, application and network layer attacks exist for the Tor network as with other networks, mix nets/mesh nets included.

This novel attack uses a seemingly benign frame or other piece of data that is not known to most browsers, that utilizes the same signed-in data that allows you to access content across the web (in layman's, this is how you can view YouTube content off-site and receive the same suggestions as you would logged into the site normally).

Independent research has shown that properly isolating your browsing habits for different sites and using containerized browsing has a significant increase in threat mitigation for specific attacks including XSS and side channel attacks like this. The technique requires you to stay logged into a site to be able to access certain content embeds like Youtube videos, Google docs and others. To easily mitigate you should be using containers.

Containerized browsing habits (similar to Qubes OS VMs per app) can be used to protect your privacy by utilizing compartmentalization to separate your different tasks.

I'll explain using my own setup for simplicity's sake.

Browser: Firefox Beta 103.0 (64-bit)

• Arkenfox user.js enabled, default settings, no overrides
• Recommended extensions enabled only + Multi Account Containers extension
• uBlock Origin, custom blocking mode set
• Enhanced Tracking Protection: set to "Strict" in all profiles
• Cookies and Site Data: Delete cookies and site data when Firefox is closed
• Block pop-up windows by default
• All settings in Deceptive Content and Dangerous Software Protection enabled in all profiles
• New container for each new tab
• Tor Browser for any content I don't need to log in to view but that I need to conceal my identity while using
• Never logged into accounts longer than needed, i.e., destroying browsing history and cookies immediately

Refs:

• https://www.wired.com/story/what-is-side-channel-attack/
• https://www.maketecheasier.com/firefox-multi-account-containers-explained/
• Daniel Arp, Fabian Yamaguchi, and Konrad Rieck. "Torben: A Practical Side-Channel Attack for Deanonymizing Tor Communication". In: ASIACCS. 2015, pp. 597-602.
• Xiaogang Wang et al. "A novel flow multiplication attack against Tor". In: Computer Supported Cooperative Work in Design, 2009. CSCWD 2009. 13th International Conference on. IEEE. 2009, pp. 686-691.
• Sachin Kadloor et al. "Low-cost side channel remote traffic analysis attack in packet networks". In: Communications (ICC), 2010 IEEE International Conference on. IEEE. 2010, pp. 1-5.

[dan-kir]

This doesn't appear to be a new threat, just a new technique, via CPU cache side channel.

Good OPSEC and browser compartmentalization will mitigate. Whether that's using Qubes AppVMs, Firefox Multi-Account Containers extension, multiple browsers or multiple devices.

Interesting that this is a targeted attack. If the threat actor already knows my email or twitter handle and is actively targeting me I have possibly already slipped up somewhere. The user correlation threat described in the Wired article is very realistic.

I wonder if this attack works against Tor Browser when configured to 'Safest' security level? Also can't tell from the paper if this attack works against Brave or not?

I am hesitant to recommend installing a browser extension. There are better ways to defend against this. Might still be worth a mention in the guide.

[NobodySpecial256]

It's worth noting that this attack isn't prevented by isolating browsers into separate VMs, as it leverages a CPU cache side-channel. While installing an extension isn't ideal, it's possibly a suitable stop-gap until the issue is fixed in browsers/hypervisors

[NobodySpecial256]

I just pushed the fix. Closing.