利用 Side-channel 資訊判斷被 HTTPS 保護的 Netflix 影片資訊

在「Netflix found to leak information on HTTPS-protected videos」這篇看到了研究員透過 VBR 所透露出的 side channel 資訊,成功的取得了被 HTTPS 保護的 Netflix 影片資訊。這對於美國的 ISP 是個大利多 (加上之前通過的法案),但對於個人隱私則是嚴重的打擊。

這項研究的準確率非常高:

To support our analysis, we created a fingerprint database comprised of 42,027 Netflix videos. Given this collection of fingerprints, we show that our system can differentiate between videos with greater than 99.99% accuracy. Moreover, when tested against 200 random 20-minute video streams, our system identified 99.5% of the videos with the majority of the identifications occurring less than two and a half minutes into the video stream.

而且他們居然是用這樣的單機分析:

null

苦啊...

Bitcoin.org 對於接下來的 release 發出警告

Bitcoin.org 發出了有點摸不著頭緒的警告:「0.13.0 Binary Safety Warning」。

Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre.

而且直接是點名可能是針對中國區的用戶:

We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.

由於 Bitcoin.org 全站走 HTTPS,這是在暗示會出現「不小心發出 Bitcoin.org 的 SSL certificate」的事情?另外官方也建議使用 PGP public key 驗證:

We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries. This is the safest and most secure way of being confident that the binaries you’re running are the same ones created by the Core Developers.

來拿板凳蹲著看,順便拉一張目前 certificate 看到的資訊,目前是從 RapidSSL SHA256 CA - G3 簽出來:

PGP 短 ID 的安全問題

PGP 短 ID 的安全問題出來了,不見棺材不掉淚啊:「Fake Linus Torvalds' Key Found in the Wild, No More Short-IDs.」。

重點在這段,已經有人發出攻擊了:

Search Result of 0x00411886: https://pgp.mit.edu/pks/lookup?search=0x00411886&op=index
Fake Linus Torvalds: 0F6A 1465 32D8 69AE E438  F74B 6211 AA3B [0041 1886]
Real Linus Torvalds: ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 [0041 1886]

Search Result of 0x6092693E: https://pgp.mit.edu/pks/lookup?search=0x6092693E&op=index
Fake Greg Kroah-Hartman: 497C 48CE 16B9 26E9 3F49  6301 2736 5DEA [6092 693E]
Real Greg Kroah-Hartman: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 [6092 693E]

另外作者給了還蠻重要的觀念:

DO NOT TRUST ANYTHING SHORTER THAN THE FINGERPRINTS.

Firefox 擋 Canvas Fingerprint 的套件

在「How to block Canvas Fingerprinting in Firefox」這篇終於看到擋 Canvas Fingerprint 的延伸套件了:「CanvasBlocker」。

關於 Canvas Fingerprint,可以參考之前「用 Canvas Fingerprint 取代部份 Cookie」這篇文章。

截圖看起來有點陽春 (設定的方式很 geek),不過算是個開始,之後應該會愈改愈好:

MasterCard 推出需要指紋辨識後才能使用的信用卡

從「MasterCard's New Credit Card Will Come With a Fingerprint Scanner」這邊看到的:

金融產業一向是被逼了以後才會做的 (因為本來就賺的好好的,而且帶有壟斷性質):

But MasterCard is now teaming up with biometric tech company Zwipe to prevent people from paying for items this way with stolen credit cards.

Google Chrome 對只有 SHA-1 fingerprint 的淘汰過程

現在 Google Chrome 是 37 版,接下來的幾個版本會開始針對只有 SHA-1 fingerprint 的 SSL certificate 降低安全評價:「Gradually sunsetting SHA-1」。

這是 39 版預定的情況,會出現警告:

這是 40 版預定的情況,安全 icon 會消失:

而這是 41 版直接廢止的情況,當作不合法的 SSL certificate 處理:

另外,預先安裝的 root certificate 不受影響,因為並不是看 SHA-1 hash:

Note: SHA-1-based signatures for trusted root certificates are not a problem because TLS clients trust them by their identity, rather than by the signature of their hash.

整個過程大約會在 2015Q1 告一個階段。

用 Canvas Fingerprint 取代部份 Cookie

Canvas Fingerprint 已經很久了,在「The Web never forgets: Persistent tracking mechanisms in the wild」說明了 Canvas Fingerprint 的歷史:

Canvas fingerprinting is a type of browser or device fingerprinting technique that was first presented by Mowery and Shacham in 2012.

原始論文可以在「Pixel Perfect: Fingerprinting Canvas in HTML5」這邊看到。原理是利用不同機器對字型 render 不一樣的原理再對產生出來的圖片 hash 後當作 cookie 替代品。

兩個禮拜前突然紅起來是因為被發現廣泛使用在很多服務以及網站上,像是 AddThis (於是一堆網站中獎),以及 WhiteHouse.gov (喔喔!),然後還有 YouPorn.com (XDDD):「White House Website Includes Unique Non-Cookie Tracker, Conflicts With Privacy Policy」、「Meet the online tracking device that is virtually impossible to block」。

拿 canvas fingerprint 去各瀏覽器的 extension 上找,目前 Google Chrome 上可以安裝「CanvasFingerprintBlock」來擋,Firefox 的沒找到?