
NAME: Kizito Nyuytiymbiy Andrew ID: knyuytiy Paper Review_#: 4

Paper: Timing Attacks on Web Privacy


Synopsis/Introduction
Compromising the privacy of a user's browsing history is a common class of attack in which a
malicious website determines whether the user has recently visited some other, unrelated
webpage. Browsers cache information when users visit sites to reduce the waiting time on
subsequent visits. This makes the user's privacy vulnerable, because an attacker can measure
the access time when the user requests a page and determine whether the response was
served from the local cache or from the web. These timing attacks are dangerous because they
are carried out without the victim's knowledge, using basic properties of web browsers. The
paper provides a way to mitigate such attacks by re-engineering browser technology, since the
root vulnerability lies in the browser design and is not due to any fixable bug.

Problem Statement
The problem: how can users' browsing information and privacy be secured against the timing
attacks usually carried out when they visit attackers' sites?

Impact
• Firstly, the paper raises awareness of how vulnerable one's browsing information is to
subtle, untraceable attacks.
• Secondly, it explains how the cache works and how its core strength, providing fast
access to already visited information, is a key weakness for the security of the user's
browsing history and privacy.
• Tools that provide anonymous web browsing do not help prevent these types of
attacks and could even be helping them. With this knowledge, a user will not
waste time putting his information at even greater risk by installing these tools.

Strengths
• The paper proposes a robust and more deterministic approach to browser information
security by redesigning the browser. I think this solution is most suitable because the
problem is due to inherent properties of all core browser design.
• The paper also highlights a common phenomenon in engineering solutions: at times the
best solution to one problem poses a new kind of problem. Caching makes access to
recently visited webpages and files faster. However, it introduces a vulnerability in one's
browsing history because, using access timing, an attacker can keep track of one's
browsing history, which can be used in very undesirable ways without the user's
knowledge or consent.

Date: 22/09/2018

• The researchers did preliminary testing to indicate that their results and conclusions were
not affected by the choice of browser used in the research [1]. They used Netscape
Navigator 4.5 and also tested with Internet Explorer.
• The researchers distinguished their experimental conditions and results from what is
likely in practice. For example, for the cache hits and misses they observed while running
tests with the server and the client on one network, they said that in practical circumstances
miss times would be longer, giving the attacker even higher measurement accuracy than
their experiments show.

Weaknesses
• The experiments were done in one departmental network that hosted both the Web
server and the client browser. This proximity made cache miss times much
lower than they would be in practice, thereby making it artificially difficult to distinguish
hits from misses [1]. The real-world problem was therefore not directly replicated; instead,
logical projections and inductions were made from this inadequate setup.
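
The effect of network distance on how separable hits and misses are can be checked numerically. The following is an added example, not code from the paper or from this review; all timings are constructed Gaussian samples, and the means, spreads and the `redesigned` case (a redesigned browser assumed to make visited and unvisited pages load alike) are assumptions.

```python
import random

def sample_times(rng, mean_ms, sd_ms, n):
    """Constructed page-load times in ms: Gaussian, floored at 0.1 ms."""
    return [max(0.1, rng.gauss(mean_ms, sd_ms)) for _ in range(n)]

def best_threshold_accuracy(visited, unvisited):
    """Best accuracy of the rule 'load time < t means visited' over every cut point t."""
    labelled = sorted([(t, 1) for t in visited] + [(t, 0) for t in unvisited])
    correct = len(unvisited)      # t below all samples: everything judged unvisited
    best = correct
    for _, was_visited in labelled:   # slide t just past each sample in turn
        correct += 1 if was_visited else -1
        best = max(best, correct)
    return best / len(labelled)

def scenarios(n=2000, seed=1):
    """Hit/miss separability under three assumed network and browser conditions."""
    rng = random.Random(seed)
    cached = sample_times(rng, 6, 2, n)          # visited page, served from cache
    return {
        # server and client on one network: a miss is barely slower than a hit
        "same_network": best_threshold_accuracy(cached, sample_times(rng, 8, 2, n)),
        # server across the Internet: a miss costs a long round trip
        "internet": best_threshold_accuracy(cached, sample_times(rng, 80, 15, n)),
        # assumed redesign: visited and unvisited pages load alike to other sites
        "redesigned": best_threshold_accuracy(
            sample_times(rng, 80, 15, n), sample_times(rng, 80, 15, n)),
    }

if __name__ == "__main__":
    for name, acc in scenarios().items():
        print(f"{name:13s} best timing-classifier accuracy: {acc:.3f}")
```

An accuracy near 0.5 means timing carries no information about whether the page was visited; an accuracy near 1.0 means a single measurement is enough to tell.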

References

[1] E. W. Felten and M. A. Schneider, "Timing Attacks on Web Privacy".

