For those of you who may not have seen it there is a very good paper partially by Microsoft Research and partially by Indiana.edu called Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow. Initially it really upset me off that this paper was written, not because it’s not excellent, but because it’s partially what I was going to be speaking about at Blackhat. Alas… they came out with it first, and frankly, I think they did a much better job at slicing and dicing with the math. So once being upset by being beaten to the punch had worn off Josh Sokol and I had to change the presentation that we’ll be doing at Blackhat, and we’ll only be glossing over this as a result. But please check it out, it must have taken quite a while to build up those abuse cases.

Anyway, the reason I originally started thinking about this was because of something from Bruce Schneier I read a decade or so ago (I believe it was in Applied Cryptography). It basically said that in certain crypto systems you could tell certain things about the people involved. For instance, if you had one user who sent an encrypted message to two users who then sent the same message to four users who then sent it to 8 and so on… you might be able to infer a chain of command (or, just as likely - a really funny/crude joke that no one wants their bosses to find out about).

But when you’re talking about HTML, you have a lot of things that sort of act as subordinates in the same way as a chain of command might. For instance, HTML can load JavaScript, CSS, Objects, etc… those can load more JavaScript, Images, Bindings, etc… All of that has a certain behavior in the browser, and in one way or another can be detected. So the trick is how do you detect it? The Indiana paper does a good job of enumerating some of those possibilities, but there are a lot of other tricks an attacker could use as a man in the middle to reduce the noise on the wire. That’s what the presentation is largely about. Anyway, check out the paper!