JShelter: Give Me My Browser Back

SECRYPT ... : proceedings of the International Conference on Security and Cryptography. International Conference on Security and Cryptography Pub Date : 2022-04-04 DOI:10.48550/arXiv.2204.01392

Libor Polcák, Marek Salon, Giorgio Maone, Radek Hranický, Michael McMahon

{"title":"JShelter: Give Me My Browser Back","authors":"Libor Polcák, Marek Salon, Giorgio Maone, Radek Hranický, Michael McMahon","doi":"10.48550/arXiv.2204.01392","DOIUrl":null,"url":null,"abstract":"The web is used daily by billions. Even so, users are not protected from many threats by default. This position paper builds on previous web privacy and security research and introduces JShelter, a webextension that fights to return the browser to users. Moreover, we introduce a library helping with common webextension development tasks and fixing loopholes misused by previous research. JShelter focuses on fingerprinting prevention, limitations of rich web APIs, prevention of attacks connected to timing, and learning information about the device, the browser, the user, and surrounding physical environment and location. We discovered a loophole in the sensor timestamps that lets any page observe the device boot time if sensor APIs are enabled in Chromium-based browsers. JShelter provides a fingerprinting report and other feedback that can be used by future security research and data protection authorities. Thousands of users around the world use the webextension every day.","PeriodicalId":74779,"journal":{"name":"SECRYPT ... : proceedings of the International Conference on Security and Cryptography. International Conference on Security and Cryptography","volume":"118 1","pages":"287-294"},"PeriodicalIF":0.0000,"publicationDate":"2022-04-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"SECRYPT ... : proceedings of the International Conference on Security and Cryptography. International Conference on Security and Cryptography","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.48550/arXiv.2204.01392","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

The web is used daily by billions. Even so, users are not protected from many threats by default. This position paper builds on previous web privacy and security research and introduces JShelter, a webextension that fights to return the browser to users. Moreover, we introduce a library helping with common webextension development tasks and fixing loopholes misused by previous research. JShelter focuses on fingerprinting prevention, limitations of rich web APIs, prevention of attacks connected to timing, and learning information about the device, the browser, the user, and surrounding physical environment and location. We discovered a loophole in the sensor timestamps that lets any page observe the device boot time if sensor APIs are enabled in Chromium-based browsers. JShelter provides a fingerprinting report and other feedback that can be used by future security research and data protection authorities. Thousands of users around the world use the webextension every day.

查看原文本刊更多论文

把我的浏览器还给我

每天都有数十亿人在使用网络。即便如此，默认情况下，用户也无法免受许多威胁。这份立场文件建立在之前的网络隐私和安全研究的基础上，并介绍了JShelter，一个为将浏览器还给用户而战的网络扩展。此外，我们还介绍了一个库来帮助完成常见的web扩展开发任务，并修复以前研究中滥用的漏洞。JShelter专注于防止指纹识别、限制丰富的web api、防止与时间有关的攻击，以及学习有关设备、浏览器、用户和周围物理环境和位置的信息。我们在传感器时间戳中发现了一个漏洞，如果在基于chrome的浏览器中启用了传感器api，则允许任何页面观察设备启动时间。JShelter提供指纹报告和其他反馈，供未来的安全研究和数据保护机构使用。全世界每天都有成千上万的用户使用这个web扩展。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

SECRYPT ... : proceedings of the International Conference on Security and Cryptography. International Conference on Security and Cryptography

自引率

0.00%

发文量