Fresh walls erected against privacy-busting web threats

The latest version of Chrome partitions the browser’s HTTP cache as Google aims to step up defenses against an increasingly diverse family of cyber-attacks.

HTTP resources cached by Chrome 86, which was rolled out on October 6, are “keyed using a new ‘Network Isolation Key’ in addition to the resource URL”, said Eiji Kitamura, a web developer advocate for Google, in a post published on the Google Developer hub last week.

“The Network Isolation Key is composed of the top-level site and the current-frame site,” he added.

XS Leaks plumbed

Unlike its predecessors, Chrome 85 caches resources fetched from the network with the resource URLs serving as the cache key.

While Kitamura said the mechanism had improved performance, the truncated time a website takes to respond to HTTP requests “can reveal that the browser has accessed the same resource in the past, which opens the browser to” various forms of cross-site leak (XS-Leak) attacks.

XS-Leak attacks are an umbrella term for various browser side-channel techniques that can be used to infer and collect information about users.

Kitamura cites scenarios in which “an adversary can detect a user’s browsing history by checking if the cache has a resource which might be specific to a particular site or cohort of sites”.

Alternatively, “an adversary can detect if an arbitrary string is in the user’s search results by checking whether a ‘no search results’ image used by a particular website is in the browser’s cache”, an XS-Leak variant called a cross-site search (XS-Search) attack.

Attackers can also use cross-site tracking, where the cache is “used to store cookie-like identifiers as a cross-site tracking mechanism”, Kitamura added.

Caching in smashing

First announced last year, the partitioning of HTTP caches in Chrome 86 could have a bearing on whether website developers serve content via third parties.

Caching helps browsers serve content faster by storing data that, if requested subsequently, can be retrieved locally from a browser instead of a remote web server.

However, Kitamura acknowledged that partitioning caches “may impose performance considerations for some web services”.

Responding to the development, London-based independent hacker and technology blogger Terence Eden told The Daily Swig: “Cache partitioning removes the most common need for using CDNs [Content Delivery Networks] for serving third-party content like JavaScript libraries and web fonts.

“People browsing the web will no longer benefit from the speed and bandwidth benefits of sites sharing common libraries – but people will gain some much-needed privacy protection.”

Eden, who in a blog post published on Sunday (October 11) questioned the supposed performance gains generated by using CDNs to serve JavaScript libraries, added: “Now’s an excellent time for web developers to reduce their dependency on shared library hosting. Developers should treat their users with respect and make sure that they choose solutions which preserve their users’ privacy.”

Rising star heads for the top 10

In March 2019, The Daily Swig reported on the discovery of two new XS-Leak methods, prompting one Google security researcher to predict the technique’s ascension to the OWASP Top 10.

One such technique could potentially identify a user or their email recipients by deleting the HTTP cache for a specific resource before forcing the browser to render a website and, finally, checking if the browser cached the originally deleted resource.

A Polish researcher, meanwhile, unearthed a “brand new technique for cross-origin content and status types detection” that could leak user information.

History of partitioning

Safari, in 2013, and Firefox, in 2019, have previously introduced HTTP cache partitioning features.

Google also sought to tackle the XS-Leak threat, among other common web-based attacks, in June with the launch of Fetch Metadata request headers, which provide web servers with extra security information that can inform decisions of whether to block or allow requests.

In other changes, Chrome 86 is also showing a small sample of users the site domain name by default, and full URL on hover, to ascertain whether the move could help users verify the authenticity of websites.


RELATED Google launches Fuzzilli grant program to boost JS engine fuzzing research