New browser exploit tracks even the most paranoid web users

By Justin Pot October 27, 2015

have i been pwned owner uncovers 13 million plaintext passwords leaked from free webhost is a safe password even possible we — guteksk7/Shutterstock

When it comes to tracking your web browsing, webmaster have all sorts of options – many of which web users actively block. But what if a malicious website owner could turn security features against you?

A researcher proved it’s possible to do just that over the weekend.

Most web users are aware that sites use can use cookies or browser fingerprinting to track you – it’s why so many users make a habit of deleting cookies, scrambling their user agents, and taking advantage of Incognito Mode.

But in a presentation over the weekend security researcher Yan Zhu showed the world a new tracking method that gets around even the most paranoid user, by exploiting the certificates your browser uses to connect to secure sites.

Don’t believe me? Try Zhu’s site Sniffly out for yourself in Chrome or Firefox, and you’ll probably end up with an accurate list of sites you have and haven’t visited.

icymi, sniffing browser history using HSTS/CSP code + demo is up at https://t.co/iAxVPyOGzv. it's called that b/c i had a cold last week.

— Yan⚠ (@bcrypt) October 26, 2015

To (dramatically) simplify what’s going on here, the exploit attempts to load various images from encrypted domains, then detects whether or not your browser can establish a secure connection with those sites. If it can connect, it’s because you have an HSTS pin for the site – so there’s a good chance you’ve visited the site before.

It’s a simple way to get a quick list of which secure sites you have and haven’t visited. The information collected this way is less reliable, only relates to sites encrypted using HTTPS, and is less specific that other methods – the sites you’ve visited are revealed, not the individual pages. But it’s still noteworthy, because nothing like it’s been done before.

You can watch Zhu’s entire presentation, read the slides or check out Sniffly on GitHub, if you want a more complete breakdown of how the exploit works.

Editors' Recommendations

Topics

Former Digital Trends Contributor

Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…

Computing

Power up your tech game this summer with Dell’s top deals: Upgrade for a bargain

Dell Techfest and best tech on sale featured.

One of the best times to upgrade your tech stack, be it your desktop, a new laptop, or some high-resolution monitors, is when great deals are to be had. Well, I'm here to share that thanks to Dell's top deals, you can power up your tech game and have most of the summer to make it happen. Maybe you're happy with your current system or setup. That's excellent, but you're likely considering upgrading somewhere, and that's precisely what these deals are all about. Dell has a smorgasbord of deals on laptops, desktops, gaming desktops, monitors, accessories, and so much more. We'll call out a few of our favorite deals below, but for now, know that you should be shopping this sale if you're interested in anything tech-related.

What summer tech should you buy in Dell's top deals?

Computing

I love the MacBook Pro, but this Windows laptop came surprisingly close

Apple MacBook Pro 16 downward view showing keyboard and speaker.

There are some great machines in the 15-inch laptop category, which has recently been stretched to include the more common 16-inch laptop. The best among them is the Apple MacBook Pro 16, which offers fast performance for tasks like video editing and the longest battery life.

The Lenovo Yoga Pro 9i 16 is aimed not only at other 16-inch Windows laptops but also at the MacBook Pro 16. It offers many of the same benefits but at a lower price. Can it take a place at the top?
Specs and configurations

Computing

How to set an ‘Out of Office’ message in Microsoft Teams

Person using Windows 11 laptop on their lap by the window.

Many people use Microsoft Teams regularly to communicate with colleagues both inside of the office and remotely. It is considered one of the most efficient ways to ensure you can stay in contact with the people on your team, but what if you need to let people know you’re not readily available? Microsoft Teams has a method for you to set up an "Out of Office" status for your profile to let staff members know when you’ll be gone for the afternoon, for several days on vacation, or for an extended period.
Where do I go to set up my ‘Out of Office’ status for Teams?
It is important to note that your Microsoft Teams and Outlook calendars are synced. This includes your out-of-office status and automatic replies. So, whatever you set up in Microsoft Teams will reflect in Outlook. Similarly, you can set up your out-of-office status in Outlook, and it will be reflected in Teams; however, the former has a more straightforward instruction.

First, you can click on your profile icon in Teams and go directly to Schedule an out of office, as a shortcut. This will take you to the settings area where you can proceed. You can also click the three-dot icon next to your profile icon, then go to Settings > General, then scroll down to the bottom of the page. There, you'll find out-of-office settings and click Schedule.