reminder: history timing attacks #933

Closed
Thorin-Oakenpants opened this issue Apr 28, 2020 · 4 comments

Comments

@Thorin-Oakenpants
Contributor

see #448

  • 1632765 - just this bug will do, some of the others are access denied
  • refer to Emilio's email (@earthlng, I sent you a copy months ago: ask if you want it again) on how it works: relies on other prefs combo
  • test - @earthlng has some private tests for history stealing
  • add to user.js
  • get naked, drink beer, assign jesus was listening label (in any order)
@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented May 26, 2020

So 77 flipped

pref("layout.css.always-repaint-on-unvisited", true); // prev: false
pref("layout.css.notify-of-unvisited", true); // prev: false

and we have the existing

user_pref("layout.css.visited_links_enabled", false);

What I don't have is a history stealing PoC - @earthlng

My assumption is that we want all three as true for it to work (I'll have to recheck what emilio said): but I'm not sure how to do that: what with ESR

edit: actually I think I'm off-target there. If visited links aren't enabled, then they are treated as unvisited links and still get repainted. Since the pref still has a graphical UI, then it should be covered in the mitigation code

@earthlng
Contributor

earthlng commented Jun 1, 2020

I'll do some testing in FF77 and report back.
ATM it looks like a recent update to RFP already thwarts my PoC even without those new mitigations in FF77

@earthlng
Contributor

earthlng commented Jun 3, 2020

Test results are in! ;)

1st of all, some recent changes to RFP always round the timings of the method I use in my PoC to only a precision of 100ms and thus make the attack pretty much impossible AFAICT.
RFP in ESR68.x doesn't have that protection yet though.

Without RFP, the 2 new prefs seem to suffer from the same problem as their last mitigation attempt in that they merely make visited links return lower timings instead of vice-versa.
They do slow the attack down though but the best mitigation still seems to be RFP at this point.
IDK if the repainting due to the new mitigations result in noticeable performance impacts during normal browsing.

The value of layout.css.visited_links_enabled doesn't seem to matter.

PoC results with the new mitigations and layout.css.visited_links_enabled=false
[screenshot 1]

PoC results (w same parameters) with the new mitigations and visited_links_enabled=true
[screenshot 2]

Visited links were mintpressnews, bugzilla and RT.

For comparison, running the PoC with the same parameters as used for the pix above but without the new mitigations results in average timings of ~66ms.
But to get accurate history stealing results in that case, I need to adjust the PoC parameters to achieve average timings of around 100ms.

I could probably optimize the PoC parameters a bit to make the attack overall faster but this is just to illustrate that the new mitigations on their own don't really make history stealing impossible.

@Thorin-Oakenpants
Contributor Author

link 557579, 773338, 884270, 1131288 considered fixed in 1632765

That and we use RFP which has timing protection (there are timer techniques to bypass RFP in this regard). We also clear history on close.

We currently disable link visitedness: 0805 layout.css.visited_links_enabled = false. This should no longer make any difference since FF77 (so ESR78 users are covered) when 1632765 landed
