> “If you’re an average internet user, you may not think too much about your privacy when you visit a random website,” says Reza Curtmola, one of the study authors and a computer science professor at NJIT. "But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group."<p>I get so dizzied by statements like this. It's almost as if researchers want to undermine their own work. Privacy can be <i>essential</i> for certain groups, but it should be a priority for everyone. Frankly I'm not even sure the statement about minority groups is true anymore. We've seen unmasking used by corporations, interest groups, governments, etc. against a wide variety of people with dangerous outcomes.<p>I'd prefer we refactor messaging to make people realize that this is important to everyone and that we lay an impetus to do something about it, especially as governments all over the world are moving to eliminate personal and online privacy.
Relevant paragraphs:<p>> How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it—the attack works both ways.<p>> Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content.<p>> The attack takes advantage of a number of factors most people likely take for granted: Many major services—from YouTube to Dropbox—allow users to host media and embed it on a third-party website. Regular users typically have an account with these ubiquitous services and, crucially, they often stay logged into these platforms on their phones or computers.<p>Isn't this one of the older forms of de-anonymization? And this is pretty visible to the user too; embeds hint to even non-technical people that they can be tracked across websites.
Firefox container mode stops this. I can imagine a product that makes every tab an ephemeral container by default, and you'd have to explicitly opt in to a container profile to share cookies, etc. cross-tab.
At this point, I’m convinced that the web is now sophisticated enough that it’s inherently unsafe, and anyone who wants to track you has a myriad of nuanced ways to probe various technical indicators, timings, and form heuristics about who you might be at the very least.<p>Considering there are commercial solutions KNOWN to do this today, and do so with staggering accuracy even through VPNs and relays such as Apple’s, it seems like a game that can’t be cat-and-moused anymore.<p>It’s done, there’s too much exposed information when browsing the web.<p>Ironically, even Stallman’s technique of emailing webpages to himself to read is risky depending on how the page is sent to him and whether scripts are completely removed or disabled.<p>It just feels like playing with fire. You always have the chance of being burned. Or rather, the only winning move is to not play.
TL;DR (the crucial info is, predictably, at the very end): share a picture with someone via Dropbox or whatever and embed that Dropbox page on a website you control, then "analyze accessible information about the target’s browser and the behavior of their processor as the request is happening to make an inference about whether the content request was allowed or denied."<p>So you can confirm via unspecified vectors whether a visitor is among a specific set of persons if they are logged in with the right user account. (Not exactly a way to unmask any anonymous user on any major platform, the way the headline sounds.)<p>Edit: oh, it's not at the very end. Beyond the horizontal line and newsletter begging there are a few more paragraphs I didn't see before. Credit where it's due, they didn't bury it at the end but, instead, only 988 words stand between you and the above information!
Can someone explain why the cache timing pattern gets such a strong signal for something so seemingly distant? Is this about memory locality or just the effects of a different “CPU workload” in general?<p>Also, what JS APIs are used to carry out such high resolution time measurements?
I don't know. Seems like this only affects people with no opsec. Surely if you're doing stuff on the internet you think is likely to attract attention from law enforcement you're at the least using a different browser profile than the one you use to post your cat memes and food pictures?? Surely you'd be using a different browser or even device.
WebKit has a feature where all script-accessible cookies are deleted after 7 days: <a href="https://webkit.org/tracking-prevention/" rel="nofollow">https://webkit.org/tracking-prevention/</a><p>While this feature is annoying in that I have to repeatedly log in to some websites that I visit less frequently, it could make this exact attack less effective.
"A new attack can unmask anonymous users on any major browser"<p>Yet another reason to prefer minor browsers for "anonymous" or recreational browsing.<p>I'm using one to submit this comment.
Expecting otherwise is not reasonable.<p>Digital privacy does not exist, even for tech savvy people. Anybody saying otherwise is trying to sell you something.
Oh haha this might be an attack itself:<p>> The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn’t available for all browsers.<p>And if you click through to the Firefox one...<p>> This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.