Protecting user identity against Silhouette

99 points by stablemap, over 6 years ago

12 comments

rsj_hn, over 6 years ago

For those who might have a hard time going through the summary, the attack is very simple:

If I block you, then when you load my Twitter page, the load takes less time than if I don't block you.

So if the attacker wants to track 2^^N users, they number these users 1 ... 2^^N and each user can be given a binary number that is 0 or 1 in N positions, corresponding to whether N fixed accounts block them or not.

So, there is a lot of set-up work to create N bot accounts that together block or don't block 2^^N people.

Then, the attacker tricks a user into loading their webpage, which has a script that loads each of the N Twitter profiles. If you are logged into Twitter, your session cookie will be sent and the load time will be different or not for each of these accounts, and so the attacker will be able to identify you if you are in the group of 2^^N users.

This type of attack is awesome (in a dark way) in that it can work for a lot of sites other than Twitter. It points out a general weakness whenever a social media website takes a different time to load based on an attribute not in your control.

For example, it doesn't work with 'friends' if you need to approve friends, as you won't approve the bots friending you, but you can't block the bots from blocking you. Amazing.

The long-term solution is same-site cookies, which is also a solution for a lot of these CSRF-type attacks. Great stuff.
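To make concrete why the same-site cookie attribute mentioned in this comment (and in the SameSite discussion further down the thread) closes the timing channel, here is a small model of the SameSite attachment rules applied to the cross-site profile loads a Silhouette page makes. This is an added example, not code from the thread or from Twitter; the function names (parseSetCookie, cookieSentWith, probeLeaks, linkClickKeepsSession) and the sample Set-Cookie headers are constructed for illustration.

```javascript
// Added example, not code from the thread or from Twitter: a small model of
// the SameSite rules that decide whether a session cookie accompanies a
// request, applied to the cross-site profile loads a Silhouette page makes.
// All names here (parseSetCookie, cookieSentWith, probeLeaks) are assumed.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse a Set-Cookie header into { name, value, secure, sameSite }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, sameSite: undefined };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() === "secure") cookie.secure = true;
    if (k.toLowerCase() === "samesite" && v) cookie.sameSite = v;
  }
  return cookie;
}

// Decide whether `cookie` is attached to a request described by
// { crossSite, topLevelNavigation, method, https }.
function cookieSentWith(cookie, req) {
  if (!req.crossSite) return true;            // same-site: always sent
  // Browsers of 2018 treated a missing attribute as None; Chrome now
  // defaults to Lax, but a server should set it explicitly rather than rely on that.
  const mode = (cookie.sameSite || "None").toLowerCase();
  if (mode === "strict") return false;
  if (mode === "lax") return req.topLevelNavigation && SAFE_METHODS.has(req.method);
  if (mode === "none") return Boolean(cookie.secure && req.https); // None requires Secure
  throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
}

// The Silhouette probe: the attacker's page embeds the profile URL as a
// subresource, so it is a cross-site GET that is not a top-level navigation.
// The timing side channel only exists if the session cookie rides along.
function probeLeaks(setCookieHeader) {
  const probe = { crossSite: true, topLevelNavigation: false, method: "GET", https: true };
  return cookieSentWith(parseSetCookie(setCookieHeader), probe);
}

// Ordinary link click from another site: top-level GET, still logged in under Lax.
function linkClickKeepsSession(setCookieHeader) {
  const nav = { crossSite: true, topLevelNavigation: true, method: "GET", https: true };
  return cookieSentWith(parseSetCookie(setCookieHeader), nav);
}

// Constructed headers: the weak setting beside the corrected one.
const LEGACY = "auth_token=EXAMPLE; Secure; HttpOnly";
const FIXED  = "auth_token=EXAMPLE; Secure; HttpOnly; SameSite=Lax";
```

With `SameSite=Lax` the embedded profile load arrives with no session cookie, so its response time no longer depends on who the victim is, while a normal link click to the profile still carries the session.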
eridius, over 6 years ago

This explains why visiting twitter.com has been horribly broken for months. Literally every time I try to visit twitter.com in Safari, it would just load a blank page and do nothing, and I'd have to manually reload before it would come back to life.

Though trying right now it's working. So either they changed something, or upgrading to Safari 12 fixed this issue (or turning off legacy extensions did, which was a side effect of upgrading to Safari 12, though I wouldn't expect Ghostery or the DuckDuckGo extension to prevent twitter.com from reloading).
saagarjha, over 6 years ago

> We support a legacy version of Twitter (known internally as M2) that operates without the need for JavaScript. We needed to make sure our reloading solution didn't require JavaScript.

Ooh, I did not know this existed. It's nice that they've kept it alive!
Silhouette, over 6 years ago

I'm not normally one for meta-comments on HN, but reading the thread title here freaked me out for a moment... I wish I could protect *my* identity from being associated with an attack against online privacy!
TekMol, over 6 years ago

What is the point of showing a different page to a blocked user than to a logged-out user?

The blocked user can simply log out or switch to a private tab to see the profile anyhow.
rauhl, over 6 years ago

> Tuesday, 18 September 2018

…

> *Recently [emphasis mine]* we learned of a new technique for discovering the identity of logged-in users to online platforms including Twitter

…

> The issue was reported to us in *December 2017 [emphasis mine]*

This appears to be some new definition of 'recently' of which I was hitherto unaware.

It's definitely a clever attack, and definitely a clever set of fixes. But a better phrase would have been 'some time ago' rather than 'recently.'
iampims, over 6 years ago

I'm impressed by how quickly browsers implemented the SameSite cookie attribute.
Operyl, over 6 years ago

So that explains why I've noticed Twitter stopped working with view-source a bit ago. I was curious as to why it required a redirect to itself, or a valid referrer from itself, before letting me get anywhere.
erikpukinskis, over 6 years ago

Wouldn't a better solution be to flush some small part of the page immediately (maybe just the HTML open tag) so that they get this immediate page load, and then flush out the rest of the page when it's ready? That way no timing is leaked, but there's still only one page load?
TorKlingberg, over 6 years ago

This type of vulnerability (Silhouette) seems absolutely terrible to protect against. XSRF is bad enough, and now we need dummy pages reloading themselves for basic user privacy? Is the SameSite attribute going to be enough to stop these timing-based information leaks?
X-Istence, over 6 years ago

SameSite is supported by many more browsers than just Chrome these days:

https://caniuse.com/#search=SameSite
chadwilken, over 6 years ago

Now that they have this fixed, I hope they are working on a solution for all of the clone accounts that pose as Elon Musk or Charlie Lee and others.