
I Know Where You've Been:
Geo-Inference Attacks via the Browser Cache

Yaoqi JIA
Department of Computer Science
National University of Singapore

Do You Care About Your Geo-location?

Video: How to Infer Your Geo-location without Your Consent

Our Agenda
- Background of geo-locations in browsers, browser cache, and timing channels
- Geo-inference attacks via the browser cache
- Prevalence of geo-inference attacks
- Pros & cons of potential solutions
- Demo video of attacks in TorBrowser
- Q & A

Geo-location in Browsers

Geo-location in Browsers: Benefits & Threats

(Figure with two panels: Benefits; Threats)

May I Access Your Geo-location?

Sources of Users' Geo-locations

(Figure: sources of geo-location available to the browser; the browser's own source is marked "Not reliable")

Problem Statement

Can the attacker infer the user's geo-location from his browser?

Background: Browser Cache

(Figure: architecture of a browser; the Web Application is served through the browser's Network Module, Parser and Cache)

Directives in Response Headers to Control Cache
- Static resources: Expires, Cache-Control: max-age, Last-Modified
- Dynamic and sensitive resources: Cache-Control: no-cache, no-store; Pragma: no-cache; Expires: 0

Browser Cache Stores Static Resources

The browser stores site-related states.

Benefits of Browser Cache

Load time of the same resource:
- 1st: 1360 ms
- 2nd: 320 ms
- 3rd: 350 ms
Saves time!

Timing Channels via the Browser Cache

Load time of the same resource:
- 1st: 1360 ms
- 2nd: 320 ms
- 3rd: 350 ms
The difference reveals whether the resource was already in the cache.

Geo-Inference Attacks via the Browser Cache
- The browser cache is shared across all sites.
- Infer users' geo-locations!

Our Attacks:
Infer a User's Geo-location without Manual Input, Access to GPS Sensors, or IP Addresses

What Are the Techniques to Determine the Cache Status of Targeted Resources?

Attack Vector (I): Measuring Image Load Time

Before loading ... img.onload fires

    var image = document.createElement('img');
    image.setAttribute('startTime', (new Date()).getTime());
    image.onload = function () {
        var endTime = (new Date()).getTime();
        // a cache hit completes almost immediately; a network fetch takes far longer
        var loadTime = endTime - parseInt(this.getAttribute('startTime'));
        ......
    };
    image.src = targetUrl; // targetUrl: the probed resource (name assumed; the slide omits this line)

(Script runs on attacker.com)

Attack Vector (II): Measuring Page Load Time

Before loading ... iframe.onload fires

    var page = document.createElement('iframe');
    page.setAttribute('startTime', (new Date()).getTime());
    page.onload = function () {
        var endTime = (new Date()).getTime();
        // a fully cached page loads in a fraction of the uncached time
        var loadTime = endTime - parseInt(this.getAttribute('startTime'));
        ......
    };
    page.src = targetUrl; // targetUrl: the probed page (name assumed; the slide omits this line)

(Script runs on attacker.com)

Attack Vector (III): Measuring the Load Time of XMLHttpRequests

onloadstart fires ... onloadend fires

    var startTime, endTime, loadTime;
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onloadstart = function () {
        startTime = (new Date()).getTime();
    };
    xmlhttp.onloadend = function () {
        endTime = (new Date()).getTime();
        loadTime = endTime - startTime;
        ......
    };
    xmlhttp.open('GET', targetUrl); // targetUrl: the probed resource (name assumed; the slide omits these two lines)
    xmlhttp.send();

(Script runs on attacker.com)

Attack Vector (IV): Use <img>'s complete Property

    function cached(url) {
        var image = document.createElement('img');
        image.src = url;
        // a cached image is complete (or already has dimensions) before any network round trip
        return image.complete || image.width + image.height > 0;
    }

(Script runs on attacker.com)

Examples: What Can We Achieve?
- User's country?
- User's city?
- User's streets or neighborhood?

How to Infer a User's Country? (I)
- Google has 191 regional sites.
- One site represents one country or region.
- Example resource: google.com.sg/images/srpr/logo11w.png

How to Infer a User's Country? (II)

(Figure: the regional logo of the site the user visited is found in the browser cache: "Cached!")

How to Infer a User's City? (I)
- Craigslist provides local classified advertisements and forums for jobs, housing, etc.
- Craigslist has 712 city-specific sites.
- Users buy or sell second-hand stuff on their city-specific Craigslist sites.

How to Infer a User's City? (II)
- chicago.craigslist.org
- sfbay.craigslist.org
- newyork.craigslist.org
- singapore.craigslist.com.sg
- tokyo.craigslist.jp

(Figure: the city-specific site the user visited is found in the browser cache: "Cached!")

How to Infer a User's Neighborhood? (I)
- Predictable URLs
- Map tiles

How to Infer a User's Neighborhood? (II)

(Figure: the map tiles the user viewed are found in the browser cache: "Cached!")

Evaluation
Questions to be answered:
- (Prevalence) How many websites and browsers can be utilized to conduct attacks?
- (Reliability) How big is the time difference between the loading time of resources without cache and that with cache?

Evaluation Setup
- Websites: 191 Google sites, 100 Craigslist sites, and 55 top Alexa sites.
- Maps: Google Maps and 10 other map service sites.
- Browsers: five mainstream browsers and TorBrowser.
- Locations: US, UK, Australia, Singapore, and Japan.

How Many Websites and Browsers Can Be Utilized to Conduct Attacks?

Alexa Top Websites with Location-Related Resources

62% of the 55 top Alexa global sites, e.g.:
- singapore.craigslist.com.sg
- sg.yahoo.com
- www.ebay.com.sg

Map Websites with Location-Related Resources

All of the 11 map service sites.

Susceptible Browsers & Platforms
- Mainstream browsers
- Desktop platforms
- Mobile platforms: partial

How Significant Is the Time Difference between the Loading Time of Resources without Cache and that with Cache?

Loading Time: Without Cache vs. With Cache I

(Chart: image load time in milliseconds, y-axis 0 to 1200, x-axis sites 1 to 191; two series, "Without Cache" and "With Cache", separated by a 120 ms marker line)

Difference in image load time (in milliseconds): without cache (> 129 ms) vs. with cache (0 to 1 ms), for 191 Google regional domains in Chrome on Mac OS X.

Loading Time: Without Cache vs. With Cache II

(Chart: page load time in milliseconds, y-axis 0 to 2000, x-axis sites 1 to 100; two series, "Without Cache" and "With Cache", separated by a 700 ms marker line)

The significant difference between the page load time (in milliseconds) of 100 Craigslist sites without cache (> 1000 ms) and with cache (< 220 ms) indicates geo-inference attacks with Craigslist.

Loading Time: Without Cache vs. With Cache III

(Chart: tile load time in milliseconds, y-axis 0 to 250, x-axis tiles 1 to 4,646; two series, "Without Cache" and "With Cache", separated by a 50 ms marker line)

Difference in page load time (in milliseconds): without cache (> 50 ms) vs. with cache (0 to 1 ms), for 4,646 map tiles of New York City from Google Maps in Chrome on Mac OS X.

Loading Time (Android)

(Chart: page load time in milliseconds, y-axis 0 to 2500, x-axis sites 1 to 100; two series, "Without Cache" and "With Cache", separated by a 700 ms marker line)

The page load time of 100 Craigslist sites on Android.

How to Protect Users from Geo-inference Attacks

Discussion of Defense Solutions
- Private browsing mode
- Randomizing timing measurements
- TorBrowser and segregating the browser cache

Private Browsing Mode Is Not the Cure

Private browsing mode:
- Clears the browser cache after closing the window.
- Disables the disk cache, not the in-memory cache.
- Cannot prevent one site from inferring the user's geo-location from other sites.

Randomizing Timing Measurements
- Add noise into timing measurement mechanisms.
- Affects web applications' functionalities.
- Intricate engineering effort.

TorBrowser Is Not Perfect
- Adds an additional id=string property to label every cache entry with the top-level window's domain.
- Insufficient for mashup websites: all the embedded sites in frames share the same top-level window's domain, i.e., the mashup's domain.

Demo Video

Video: Geo-inference Attacks in TorBrowser

Segregating Browser Cache
- Deploy the Same-Origin Policy on the browser cache.
- We experimented in Chromium 34.
- High performance overhead for the Alexa Top 100 websites.

(Chart: page load overhead in percent, y-axis 0% to 400%, x-axis Alexa Top 100 sites 1 to 100)
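The difference between the three cache keyings discussed on the last two defense slides (a cache shared across all sites, Tor Browser's label carrying the top-level window's domain, and a cache segregated by the requesting frame's origin) can be modelled in a few lines. The code below is an added example, not code from the talk, Tor Browser or Chromium. The hosts other.example, mashup.example and third-party.example are constructed; the logo URL is the regional Google resource from the slides; the registrable-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```javascript
// Added example, not code from the talk or from Tor Browser / Chromium:
// a toy model of how the key under which a browser stores a cache entry
// decides which pages can observe (via load-time probes) each other's entries.
//
// Policies modelled:
//   'shared'     one cache keyed by resource URL only (the default in the talk)
//   'top-level'  key also carries the top-level window's domain (the id=string
//                label Tor Browser adds, as described on the slide)
//   'segregated' key carries the origin of the frame issuing the request, i.e. the
//                Same-Origin Policy applied to the cache (the proposal on the slide)

function registrableDomain(hostname) {
  // Toy eTLD+1: last two labels. A real browser consults the Public Suffix List.
  return hostname.split('.').slice(-2).join('.');
}

function cacheKey(policy, topLevelUrl, frameUrl, resourceUrl) {
  switch (policy) {
    case 'shared':
      return resourceUrl;
    case 'top-level':
      return registrableDomain(new URL(topLevelUrl).hostname) + '|' + resourceUrl;
    case 'segregated':
      return new URL(frameUrl).origin + '|' + resourceUrl;
    default:
      throw new Error('unknown cache policy: ' + policy);
  }
}

class BrowserCache {
  constructor(policy) {
    this.policy = policy;
    this.entries = new Set();
  }
  // Returns true when the resource was already present under this policy's key
  // (the "cached" timing a probing page would observe) and records the load.
  load(topLevelUrl, frameUrl, resourceUrl) {
    const key = cacheKey(this.policy, topLevelUrl, frameUrl, resourceUrl);
    const hit = this.entries.has(key);
    this.entries.add(key);
    return hit;
  }
}

const LOGO = 'https://www.google.com.sg/images/srpr/logo11w.png';

// Constructed scenario 1: the user visits the Singapore Google site directly,
// then a page on an unrelated site (other.example, constructed) loads the same logo URL.
function crossSiteProbeSeesEntry(policy) {
  const cache = new BrowserCache(policy);
  cache.load('https://www.google.com.sg/', 'https://www.google.com.sg/', LOGO);
  return cache.load('https://other.example/', 'https://other.example/', LOGO);
}

// Constructed scenario 2: a mashup page embeds two third-party frames. Frame A
// legitimately loads the logo; frame B, from a different origin, loads it again.
// Both frames share the mashup's top-level domain, the case the slide says
// top-level keying does not cover.
function mashupFrameSeesEntry(policy) {
  const cache = new BrowserCache(policy);
  cache.load('https://mashup.example/', 'https://www.google.com.sg/', LOGO);
  return cache.load('https://mashup.example/', 'https://third-party.example/', LOGO);
}

function summarize() {
  const out = {};
  for (const policy of ['shared', 'top-level', 'segregated']) {
    out[policy] = {
      crossSite: crossSiteProbeSeesEntry(policy),
      mashupFrame: mashupFrameSeesEntry(policy),
    };
  }
  return out;
}

console.log(summarize());
```

Only the segregated keying closes both scenarios; the top-level label stops the plain cross-site case but, as the slide notes, leaves frames under one mashup able to see each other's entries.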

To Cache or Not To Cache?
- No cache for location-sensitive resources (0.7% to 20.7% overhead).
- Cache-Control: no-cache in the HTTP response header.
- Pre-fetch redundant location-sensitive resources.
- Open challenge: design an efficient and secure caching mechanism in browsers.
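The header-based option from the directives slide and the slide above (keep static assets cacheable, keep location-sensitive resources out of the cache) can be expressed as a small policy plus an audit of recorded responses. The code below is an added example, not code from the talk or from any of the sites it names. The responses in sampleResponses are constructed; the maps.example and cdn.example hosts are hypothetical, while the Google logo and Craigslist URLs follow the patterns on the slides. The freshness check considers Cache-Control directives and only treats Expires/Last-Modified as "heuristically cacheable", a simplification of real browser behaviour.

```javascript
// Added example, not code from the talk: response headers that keep
// location-revealing resources out of the shared browser cache while ordinary
// static assets keep the speed benefit of caching, plus a small audit that flags
// responses which are both location-specific and reusable without a round trip.

function cacheHeadersFor(resource) {
  // resource: { locationSensitive: boolean, maxAgeSeconds?: number }
  if (resource.locationSensitive) {
    // The directives the slides list for dynamic and sensitive resources.
    // no-store keeps the response out of the cache entirely; no-cache alone would
    // let it be stored but force revalidation (a network round trip) on every reuse.
    return {
      'Cache-Control': 'no-cache, no-store, must-revalidate',
      'Pragma': 'no-cache', // for HTTP/1.0 caches
      'Expires': '0',
    };
  }
  const maxAge = resource.maxAgeSeconds === undefined ? 86400 : resource.maxAgeSeconds;
  return { 'Cache-Control': 'public, max-age=' + maxAge };
}

function parseCacheControl(value) {
  const directives = {};
  for (const part of String(value || '').split(',')) {
    const [name, raw] = part.trim().split('=');
    if (!name) continue;
    directives[name.toLowerCase()] = raw === undefined ? true : raw.replace(/"/g, '');
  }
  return directives;
}

// True when a browser may serve the response from cache without contacting the
// server, which is exactly the condition that makes the load-time difference
// observable. Simplification (assumed): explicit Cache-Control wins; otherwise
// the presence of Expires or Last-Modified is taken to allow heuristic caching.
function freshlyCacheable(headers) {
  const cc = parseCacheControl(headers['Cache-Control']);
  if (cc['no-store'] || cc['no-cache']) return false;
  if (cc['max-age'] !== undefined) return Number(cc['max-age']) > 0;
  return headers['Expires'] !== undefined || headers['Last-Modified'] !== undefined;
}

// Constructed sample of responses as a crawler might record them. The Google and
// Craigslist URLs follow the location-specific patterns named in the talk; the
// maps.example tile URL and cdn.example asset are hypothetical.
const sampleResponses = [
  { url: 'https://www.google.com.sg/images/srpr/logo11w.png', locationSensitive: true,
    headers: { 'Cache-Control': 'public, max-age=31536000' } },
  { url: 'https://singapore.craigslist.com.sg/', locationSensitive: true,
    headers: cacheHeadersFor({ locationSensitive: true }) },
  { url: 'https://maps.example/tile/12/3400/1230.png', locationSensitive: true,
    headers: { 'Cache-Control': 'max-age=604800' } },
  { url: 'https://cdn.example/site.css', locationSensitive: false,
    headers: cacheHeadersFor({ locationSensitive: false, maxAgeSeconds: 3600 }) },
];

// Returns the URLs of location-sensitive responses that a browser would keep
// and reuse, i.e. the ones a site operator should move to the no-store policy.
function auditResponses(responses) {
  return responses
    .filter((r) => r.locationSensitive && freshlyCacheable(r.headers))
    .map((r) => r.url);
}

console.log(auditResponses(sampleResponses));
```

Running the audit on the constructed sample flags the regional logo and the map tile, which carry long max-age values, and passes the Craigslist page served with the no-store headers and the ordinary stylesheet.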

Take-away
- Timing channels are still open on mainstream browsers.
- Know the power and prevalence of geo-inference attacks (inferring country, city, neighbourhood) and be cautious about them.
- Disable cache? No JavaScript?
- Never give additional permissions to unfamiliar sites or keep them open for a long time.
- Clear the cache before and after visiting a site with your private information, e.g., an online banking site.

Yaoqi JIA
E-mail: jiayaoqi@comp.nus.edu.sg

