New browser exploit tracks even the most paranoid web users

By Justin Pot October 27, 2015

have i been pwned owner uncovers 13 million plaintext passwords leaked from free webhost is a safe password even possible we — guteksk7/Shutterstock

When it comes to tracking your web browsing, webmaster have all sorts of options – many of which web users actively block. But what if a malicious website owner could turn security features against you?

A researcher proved it’s possible to do just that over the weekend.

Most web users are aware that sites use can use cookies or browser fingerprinting to track you – it’s why so many users make a habit of deleting cookies, scrambling their user agents, and taking advantage of Incognito Mode.

But in a presentation over the weekend security researcher Yan Zhu showed the world a new tracking method that gets around even the most paranoid user, by exploiting the certificates your browser uses to connect to secure sites.

Don’t believe me? Try Zhu’s site Sniffly out for yourself in Chrome or Firefox, and you’ll probably end up with an accurate list of sites you have and haven’t visited.

icymi, sniffing browser history using HSTS/CSP code + demo is up at https://t.co/iAxVPyOGzv. it's called that b/c i had a cold last week.

— Yan⚠ (@bcrypt) October 26, 2015

To (dramatically) simplify what’s going on here, the exploit attempts to load various images from encrypted domains, then detects whether or not your browser can establish a secure connection with those sites. If it can connect, it’s because you have an HSTS pin for the site – so there’s a good chance you’ve visited the site before.

It’s a simple way to get a quick list of which secure sites you have and haven’t visited. The information collected this way is less reliable, only relates to sites encrypted using HTTPS, and is less specific that other methods – the sites you’ve visited are revealed, not the individual pages. But it’s still noteworthy, because nothing like it’s been done before.

You can watch Zhu’s entire presentation, read the slides or check out Sniffly on GitHub, if you want a more complete breakdown of how the exploit works.

Editors' Recommendations

Topics

Former Digital Trends Contributor

Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…

Computing

Who is Microsoft’s new Edge browser for? Probably not you or me

Person surfing the Internet with Microsoft Edge browser.

I tried using Microsoft’s Edge browser. I gave it a fair shot, setting it as my default browser for several months and using it for both work and play. After a while, though, the writing was on the wall: although it offered some nice features, like ink notes and ebook reading, it would never replace Chrome or Firefox as my go-to browser.

Now that Microsoft is switching to the Chromium open-source engine to power Edge, and essentially abandoning the Universal Windows Platform (UWP) version, I’m left with more questions than answers. What exactly -- and who -- is the new Edge browser for? And will any of us ever have a reason to switch?
A focus on enterprise
Let’s face it: Microsoft has been shifting its focus from consumers to business customers for years now. That writing has been on the wall, as well. Microsoft simply isn’t all that concerned lately about making Windows 10 a platform that appeals directly to average people. It works fine, of course, but Microsoft is far more focused on making you more productive within the context of your business.

Computing

Best HP laptop deals: Get a 17-inch workhorse for $370 and more

An open HP Spectre x360 16 sits on a table, angled so that the screen and keyboard can be seen.

HP is one of the best laptop brands on the market, and if you're thinking of picking up a new laptop, then you may want to consider one of its many varieties of laptops. Not only that, but HP usually has some form of deal going on each of its sub-brans, so whether you're looking for an HP Omen gaming laptop or a Spectre X360 2-in-1 convertible, you'll likely find a good deal on it. Of course, it can be hard to navigate the dozens of different types of laptops HP has, which is why we've gone out and collected some of our favorite deals to help save you the trouble. That said, if you can't find quite what you're looking for below, be sure to check out these other great laptop deals and gaming laptop deals as well.
HP Laptop 15z -- $250, was $500

If you need a budget laptop for basic tasks, you can't go wrong with the HP Laptop 15z. With its AMD Athlon Silver 7120U processor, AMD Radeon Graphics, and 8GB of RAM, it's going to be a dependable device for doing online research and working with productivity apps. The laptop features a 128GB SSD with Windows 11 Home pre-loaded, and a relatively large 15.6-inch HD screen for its low price.

Computing

Some Intel CPUs are about to take a big performance hit, report says

Intel's 14900K CPU socketed in a motherboard.

High-end Intel CPUs are about to lose some significant performance, according to a new report from BenchLife (via VideoCardz). The outlet claims Intel has sent guidance to motherboard partners to implement the Intel Default Settings on Z790 motherboards, following a wave of reports of instability on recent high-end Intel CPUs.

According to the report, these default settings will enforce a PL2 of 188 watts. Intel maintains power limits (PL) for its processors. PL1 is the base power, or the power that the processor can sustain for long periods of time. PL2 is the maximum boost power, which the processor can hit for brief spurts when under a heavy load.