Stealing web browser history using cache timing

From @longears on Thu Jun 09 2016 17:23:42 GMT+0000 (UTC)

I understand that the current IPFS implementation is not focused on privacy and anonymity. That being said, what could be done about this attack:

  1. You visit a web page on your local gateway
  2. JavaScript on that page requests various known hashes from other pages. By timing how long it takes to load, it learns what’s already cached and what isn’t.
  3. The web page now knows what other pages you’ve visited via IPFS, and possibly when (if that page has content that changes often).

Some mitigations could be:

  • Add a command line flag to have the daemon automatically clear your cache (ipfs repo gc) every N minutes. This might interfere with other things you were doing at the same time (e.g. adding files using the new files API doesn’t pin them immediately)
  • Add a command line flag to disable the cache completely (don’t keep blocks that are unpinned)
  • Add a command line flag to add a random latency to the local HTTP gateway

Mitigations that wouldn’t work:

  • Running IPFS behind Tor would hide your IP address but wouldn’t stop this attack. This might even be a way to de-anonymize Tor users by examining their browser history. Should Tor users clear their IPFS cache after each page load?
  • At first it seems that this attack wouldn’t be useful because if anyone else has already attacked you, your cache will be full of known hashes and later attackers will think that you’ve visited every single one. But a site may contain so many hashes that each attacker could use a different one.

Copied from original issue:
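To compare the proposed "random latency" flag with an alternative, here is a small model of the timing side channel described above (an added illustration, not code from the original issue or from go-ipfs). The latency figures are constructed, not measured; the point it shows is that random jitter is averaged away by repeating requests, while padding every gateway response up to a fixed floor removes the cached/uncached difference entirely.

```python
import random
import statistics

# Constructed model of the local gateway's response time in milliseconds.
# The values are illustrative, not measurements of a real IPFS daemon.
CACHED_MS = 5.0      # block already in the local blockstore
UNCACHED_MS = 200.0  # block has to be fetched from peers first


def gateway_latency(cached: bool, rng: random.Random) -> float:
    """Base response time with a little natural noise."""
    return (CACHED_MS if cached else UNCACHED_MS) + rng.uniform(0, 3)


def no_mitigation(latency: float, rng: random.Random) -> float:
    return latency


def random_jitter(latency: float, rng: random.Random, max_jitter_ms: float = 500.0) -> float:
    """The 'random latency' flag idea: add a random delay to each response."""
    return latency + rng.uniform(0, max_jitter_ms)


def fixed_floor(latency: float, rng: random.Random, floor_ms: float = 300.0) -> float:
    """Alternative: never answer faster than a fixed floor, so cached and
    uncached blocks take the same time (at the cost of a slow gateway)."""
    return max(latency, floor_ms)


def timing_gap_ms(mitigation, samples: int, seed: int = 1) -> float:
    """What a page timing its requests can observe: the difference between the
    mean response time of a hash it knows is uncached and one that is cached.
    A gap near zero means the cache state is no longer distinguishable."""
    rng = random.Random(seed)
    cached = [mitigation(gateway_latency(True, rng), rng) for _ in range(samples)]
    uncached = [mitigation(gateway_latency(False, rng), rng) for _ in range(samples)]
    return statistics.mean(uncached) - statistics.mean(cached)


if __name__ == "__main__":
    for name, fn in (("none", no_mitigation), ("jitter", random_jitter), ("floor", fixed_floor)):
        print(f"{name:7s} gap over 50 requests: {timing_gap_ms(fn, 50):.1f} ms")
```

Clearing the cache (ipfs repo gc) or not caching unpinned blocks at all, as listed above, attack the problem from the other side by making sure there is no cached state to observe.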

From @Kubuxu on Thu Jun 09 2016 17:37:00 GMT+0000 (UTC)

I wouldn’t say that IPFS makes it any more dangerous to use JS; currently an attacker can use JS to just make your browser download a unique file from his server, which also can be cached.

It is worth mentioning that current web pages are also heavily cached (CDNs and so on), so I think the same attack could be performed on users on the normal web.

This just shows that running JS strips you of any guarantee of anonymity, and that is why it is so important not to run JS on Tor.