Websites Use Session-Replay Scripts to Eavesdrop on Every Keystroke and Mouse Movement

The security researchers at Princeton are posting:

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However, the extent of data collected by these services far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can't reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user's real identity.

The researchers will post more details on their blog; I'll link to them when they're published.

News article.
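The post describes scripts that record form input before it is submitted and ship it to a third-party server. For a site operator, the first defensive question is which third-party script origins a page actually loads, and whether the page's Content-Security-Policy would let such a script both load (script-src) and upload its recording (connect-src, which governs fetch, XMLHttpRequest and sendBeacon). The following is an added example, not code from the Princeton study or from this post, that performs that audit over a constructed page: the HTML, the two policies and the host names (shop.example, cdn.shop.example, replay-vendor.example) are placeholders, and the CSP matching is deliberately simplified (scheme, port and path parts of source expressions are ignored).

```python
"""Audit a page's third-party script hosts against its Content-Security-Policy.

Added example, not code from the Princeton study or from this post.  The HTML,
policies and host names below are constructed placeholders;
'replay-vendor.example' stands in for any session-replay provider.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party script, one on a first-party CDN,
# a protocol-relative third-party script, and one inline script.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script src="//replay-vendor.example/record.js" async></script>
<script>window.dataLayer = [];</script>
</head><body><form><input type="password" name="pw"></form></body></html>"""

# Constructed policies: the weak one lets any host serve scripts and receive
# uploads; the strict one pins scripts to the site and its CDN and uploads to
# the site itself.
WEAK_POLICY = "default-src 'self' *; script-src *"
STRICT_POLICY = "default-src 'self'; script-src 'self' cdn.shop.example; connect-src 'self'"


class ScriptCollector(HTMLParser):
    """Collect the src of every <script src=...> and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def third_party_script_hosts(html, page_url):
    """Hosts of external scripts that differ from the page's own host.
    Relative URLs resolve to the page host; '//host/x.js' resolves to host."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    hosts = {urlparse(src).hostname or page_host for src in collector.srcs}
    return hosts - {page_host}


def parse_csp(policy):
    """'name src src; name src' -> {'name': ['src', 'src'], ...}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source, host, page_host):
    """Simplified CSP host-source matching: scheme, port and path are ignored.
    Keyword sources other than 'self' (none, nonces, hashes) never name a host."""
    if source == "'self'":
        return host == page_host
    if source.startswith("'"):
        return False
    bare = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    if bare == "*":
        return True
    if bare.startswith("*."):  # *.example.com matches a.example.com, not example.com
        return host.endswith(bare[1:])
    return host == bare


def csp_allows(policy, directive, host, page_host):
    """Whether `directive` (falling back to default-src) permits `host`.
    If neither directive is present the browser imposes no limit, so True."""
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, host, page_host) for s in sources)


def audit(html, page_url, policy):
    """Map each third-party script host to whether the policy lets it load a
    script (script-src) and upload data back to itself (connect-src)."""
    page_host = urlparse(page_url).hostname
    return {
        host: {
            "script_allowed": csp_allows(policy, "script-src", host, page_host),
            "connect_allowed": csp_allows(policy, "connect-src", host, page_host),
        }
        for host in sorted(third_party_script_hosts(html, page_url))
    }


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name)
        for host, verdict in audit(SAMPLE_HTML, PAGE_URL, policy).items():
            print(f"  {host}: {verdict}")
```

Under the strict policy the placeholder replay host can neither load nor upload, while the CDN can serve scripts but not receive data; under the weak policy everything is permitted because the permissive default-src also covers connect-src. Inline scripts are counted but not attributed to a host, so a replay snippet injected through a tag manager shows up under the tag manager's host, which is why script-src should be as narrow as the page allows.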

Posted on November 22, 2017 at 8:54 AM • 84 Comments

Comments

Winter • November 22, 2017 9:03 AM

Sounds like something that will trip over the GDPR in the EU coming next June. With rather interesting legal consequences.

John • November 22, 2017 9:26 AM

The power of "Research"

Some things happen for years, dozens of years, and are obvious to everyone (to all webmasters).

But as soon as the research is released (made by an elite university), it becomes the main topic on all resources.

Sean Macdonald • November 22, 2017 9:31 AM

Explicit linking is definitely not cool and hopefully not legal. Anonymized but not aggregated session replay could be considered fair play, but very creepy. Content creators will (lazily and falsely) claim that they can't improve UX without it.

Craig • November 22, 2017 9:33 AM

One more step toward turning the internet into a real-life panopticon, as if the ability of network providers to do deep-packet inspection wasn't bad enough.

oops • November 22, 2017 9:37 AM

So, I have a couple tabs open in my browser, and I -TAB to change focus to my password manager. I type in my passphrase because I have a 30 second timeout on the password manager. And, oops, I realize focus was still on some other browser tab. But I breathe a sigh of relief because I had not hit in that other browser tab. You're saying that sigh of relief was not really justified.

Shallowmouth • November 22, 2017 10:03 AM

Hi Bruce,

It's worth noting that the researchers have totally ignored IBM Tealeaf, which is a session replay solution that uses actual hardware at the client site and records far more than any other option. Could it be that Princeton's financial relationship with IBM has some relation to this?

barfa • November 22, 2017 10:46 AM

Would it be possible to obfuscate this kind of data with a browser plugin or built-in browser function?
Perhaps the browser could just feed the page a stream of random data of the mentioned types.
Or perhaps the browser could load the page in two sessions that are sandboxed from each other:
One session is anonymized in every way, and this is the one that is shown to the user and that the user scrolls in etc.

And one that is the real session that keeps cookies and has the user logged in on the page if so, but this session only gets data when the user actually does an action that should get a reaction from the page.

T33nsy • November 22, 2017 11:07 AM

I take it that Mouseflow is another example (I'm not familiar with the examples mentioned in the report).

Mouseflow is quite cool, if it is your job to tweak a site design to optimize for clickthrough or whatever. You can see exactly what people are doing on your website, and what they find interesting: the mouse tends to hang around whatever it is they are looking at. Also good for A/B testing. If you are running a commerce site, really you need something like this.

But definitely creepy. Use Noscript. Many commerce sites won't work without Javascript, but you can enable scripts selectively, so that Mouseflow doesn't get a look-in but the site still works.

Spack • November 22, 2017 11:07 AM

Session replay scripts acting as keyloggers punish users for making mistakes and take away one of the key factors of agency - that what you typed in isn’t submitted until you affirmatively take action to submit it.

Wael • November 22, 2017 11:16 AM

JavaScript needs to disappear. I know the (half) mentality of all the JavaScript (lobotomized) developers I dealt with in the past. Not good.

Wael • November 22, 2017 11:21 AM

@G,

Ghostery, NoScript, and friends. Something changed with Ghostery as well. I thought they started collecting some metadata from clients. I still use it.

Henning • November 22, 2017 11:28 AM

This report, together with the ease of uMatrix (same creator as the uBlock Origin adblocker), caused me to finally start blocking scripts.
Noticed that uBlock has an advanced mode (in settings) that can do similar things, but uMatrix seems far easier to set up.

For those that are unhappy with configuring NoScript I totally recommend it.

A big kudos to Bruce Schneier for keeping this site working well without scripts enabled btw. Five scripts blocked and everything seems to work and look as it should.

Clive Robinson • November 22, 2017 11:31 AM

@ Wael,

This is significant

It is and it isn't depending how far down the rabbit hole you go...

We've known for a decade or so that a web input box can be read as you type, it is how Google's "Auto guess/complete" worked/s.

But most people thought that "The Chocolate Factory" was being cool and sticking by "Do no evil". Google might have been, but some, myself included, thought otherwise and I turned javascript off from then onwards, as well as cookies.

But then along came Google Analytics where it is clear some information IS being stored, you just have no idea how much...

However as you've no doubt read in the past few days newer versions of Google's Android OS now have an inbuilt tracking function you can not turn off, what else it does now or in the future is anybody's guess... Mine is it will get worse until a court finally says NO, then Google will do a work around until the next court says NO and so on...

We know MS have instrumented Win10 up a lot, but you can still --we believe-- turn it off on IAX86 platforms (not so for ARM apparently). It takes no great foresight to realise that the instrumentation is only going to get worse and harder to turn off, because amongst other things of the warrants Apple have received over dead mass shooters...

As you might also have heard some manufacturers have started to add "hardware instrumentation" in the equipment we buy that likewise can not be turned off either (and I'm not just talking Intel ME).

Then there is what CloudFlare get up to with their MiTM of all the traffic that goes across their network even if encrypted. We are supposed to trust that just like Google in the past they are not recording it... But the thing about a MiTM is it's two way so we also have to trust they are not inserting similar scripts on the return leg etc...

And people wonder why I use older hardware and OS's and lock them down as best I can, and take the risk of using them rather than upgrade to something "backdoored by design"...

This perversion for making everything client side executable even when it's supposed to be sand boxed is just wrong at so many levels but just about every user allows it so there is no reason for the industry to change. Thus they have to be hit with state level court cases and class action suits before their behaviour will change.

Oh and it's an odds on bet that the FiveEyes Governments have already put the fix in on the courts one way or another. Because just as in the days of old with "Press Barons" if the power of propaganda etc lies in the hands of a few they can be squeezed to do a Governments bidding... Thus the same old game gets dusted off and updated for a new generation of technology, this time it is oh so much more Orwellian...

Nuff said?

Gunter Königsmann • November 22, 2017 11:46 AM

Already waiting for the leak caused by all passwords being stored and transmitted in safe ways, but all keystrokes they consist of being accessible for the rest of the world. Perhaps not even due to JavaScript in the main website. But there will be a way to make an ad or (if CDs protection and friends really disallow that) a CMS plug-in include such a functionality.

Clive Robinson • November 22, 2017 11:47 AM

@ T33nsy,

Use Noscript. Many commerce sites won't work without Javascript, but you can enable scripts selectively,

That might be great till "Noscript" stops working silently as it did a few days ago.

I went for the "javascript off" by default a long time ago, thus I've never really seen what others might lose by doing so today.

The thing is if it has not already started there will be "commercial pressure" on Noscript, HTML5 has "bad stuff" built in because of such pressure, likewise as there was and still is with AdBlockers. My view is that if you don't smack the idiots on the nose really hard from day one they will just keep pushing till they get their way. So rather than allow them to build financial reserves to fight with it's better to just cut them dead from day one.

The thing is commerce sites do not need scripting to work the way they do, the card issuers can actually take away that issue, but they won't for various reasons. Have a look at the PCI rules, about obtaining and storing customers data, then go and look for those big companies that flout them but the PCI won't really sanction due to the loss of income...

Gunter Königsmann • November 22, 2017 12:31 PM

@Clive: I don't think that there is bad will or being ruled by the interest of the ones that own the big money behind that. After all most firms earn money with other things than tracking mice. I believe a lack of regulation is mostly caused by a wide-spread lack of interest and the ones who could control not having enough manpower/knowledge/rights to watch what data is stored in which way.

Wael • November 22, 2017 12:57 PM

@Clive Robinson,

We've known for a decade or so that a web input box can be read as you type, it is how Google's "Auto guess/complete" worked/s.

Yes, but it's more than that. We knew that even in applications, say a text editor, snapshots of the document are sent to homebase before the user saves the document. Why are they collecting snapshots of my confidential data? To help me recover when I lose it? Free unadvertised Version Control System? This is an example. And every time I upgrade my OS, whatever it is, I need to make sure my settings are preserved. Not the case.

But then along came Google Analytics where it is clear some information IS being stored, you just have no idea how much...

Too much, if you ask me.

However as you've no doubt read in the past few days newer versions of Google's Android OS now have an inbuilt tracking function you can not turn off...

Just came across it this morning. Just after I read this blog post.

Nuff said?

No. If you look, as you very well know, from the underground up:

Hardware, Firmware, UEFI, Kernel, Device Drivers, Operating System, Sandboxing Frameworks, Browser, Execution Environments in the Browser, Protocols, you'll find a snitch at each level, and we say "Defense in Depth"? This is "Attack In Depth", and it needs to be countered by Defense in Depth, Width, Height, and a fourth dimension or fifth. As well as regulations and Law.
It's hard to find any pleasant news these days. The situation is deteriorating by the day.

Wael • November 22, 2017 1:17 PM

@Clive Robinson,

And on top of that we get the genius researchers that spend their time on exfiltrating data from air-gapped devices using cross modulation, ultrasound, heat sensing, light emissions! Yea, we need all the help we can get. Then there is the backdoor, front door efforts, and: they want to outlaw encryption. The backdoors encryption, that is.

Rant over. I feel better now :)

Oh, the cameras and other "protection" devices too... I'm sure I missed like 10 dozen other things. And that's what we know. What we don't know is likely worse.

Bob Dylan's Nasty Ear • November 22, 2017 1:28 PM

Who surfs the internet with a computer tied to their real life identity? That has always been the lesson. Cut the bastards off at the root. This isn't difficult.

Use Tor..or...
use public wifi---or...
create a VPN account in a fake name and pay with gift cards/bitcoin/etc...

There are many ways to do it but stop giving them your identity for free.

Yeah? • November 22, 2017 1:46 PM

"Use Tor..or...
use public wifi---or.."

Are you just pretending to be anonymous but actually really at all?

Clive Robinson • November 22, 2017 2:09 PM

@ Bob Dylan's Nasty Ear,

Who surfs the internet with a computer tied to their real life identity? That has always been the lesson. Cut the bastards off at the root. This isn't difficult.

No, you think it isn't difficult but it is. If you hunt around you will find examples of all the methods you mention that have been tied back to people who then find themselves becoming defendants and facing the over scope of IT legislation and being told they are looking at 35 to so long it will be life in jail before they get close to parole.

Tor has a number of design flaws that although I and others have not only mentioned them but also indicated what is required to fix them, the Tor developers still ignore them at your peril not theirs if you use Tor.

Likewise I've indicated the problems with nearly all security apps used on Smart devices and PCs. The problems are such that it's mostly pointless using such apps for secrecy/confidentiality. People won't change because it's easier to believe the rhetoric than it is to draw a simple picture, think a bit and then be proactive.

You might want to have a look at,

https://grugq.github.io/presentations/COMSEC%2520beyond%2520encryption.pdf

For a partial light hearted primer on ComSec.

Clive Robinson • November 22, 2017 2:33 PM

@ Wael,

And that's what we know. What we don't know is likely worse.

Do you remember the good old days when we used to joke that TSA staff would get PR training of the medical kind?

Well some of the stuff I've thought up would definitely give you that "icy feeling in the lower regions" to meet up with "the sense of intrusion"... Unlike the good old days when I'd happily discuss how to own air-gapped voting machines (then see it turn up in stuxnet). I've decided that I'll keep them to me and my nightmares, such that others might sleep easier for a little longer...

Just remember "As long as the laws of physics allow" some government funding seeking idiot will try to do it. The more high tech the solution the bigger the profit...

Just for a laugh, have you thought about the marketing opportunities for a personal hair dressing drone?

Wael • November 22, 2017 3:13 PM

@Clive Robinson,

Do you remember the good old days when we used to joke that TSA staff would get PR training of the medical kind?

Of course!

Re: TSA... It's a matter of perspective. Before I had my TSA pre-check card, I always opted out of the nudie radiation machine. They usually asked if I'm worried about backscatter or millimeter waves. I used to answer: no, I just like the free massage.

Well some of the stuff I've thought up would definitely give you that "icy feeling in the lower regions"

I already have that ;)

I've decided that I'll keep them to me and my nightmares,

Wise choice. Evidently there are scumbag lurking freeloaders here that will take ideas and hire a couple of moron developers (and I'm using the term loosely, code-cutters is better) then get funding for the project.

some government funding seeking idiot will try to do it. The more high tech the solution the bigger the profit...

They're a dime a baker's dozen. Well, everyday 'another one' is born. And we get the short end of the stick!

Just for a laugh, have you thought about the marketing opportunities for a personal hair dressing drone?

Great idea! Let the next moron pimp it to a gov organization ;)

Wael • November 22, 2017 3:23 PM

@Grauhut,

You don't like to be js tracked? Use uMatrix

Sounds essential now. Thanks, will give it a try.

Jacques • November 22, 2017 3:58 PM

NoScript in Firefox 57 looks awful. It was late to release (whereas Mozilla should have prioritized hell if the developer get it ready on time; it is one of the most important Firefox add-ons), and when it was released, the UI is an ugly hodgepodge.

Firefox is going the way of the Dodo. In contrast, Brave has script controls built into the browser by default. It is easy to use and doesn’t look hideous like the new NoScript. Brave is going to supplant Firefox.

umm? • November 22, 2017 5:05 PM

I wonder how well sandboxed some of the replay software is... There are a number of ways to navigate to a specific website via keyboard input. I'd be willing to guess they haven't all been considered, especially because the developers can't plan for all functionality embedded within different client websites. A whitelist of target pages would stop a major class of attack, but who wants to waste a couple of minutes on updating that list? And of course javascript will be enabled.

I'd assume that reproducing the input would be handled at the browser-level, but unfortunately it would not surprise me if a simulated keypress was equivalent to an OS-level keypress.

65535 • November 22, 2017 5:52 PM

This is disturbing.

I downloaded the csv and see such DSL sites as CenturyLink on line 450. Sure, they could say they use this script to "troubleshoot" DSL problems - but most likely they record passwords also.

I did a search on the Excel csv and did not find Schneier on it. Let me know if anybody else has more thoughts on this replay attack.

[page to get actual csv]:
https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html
csv link:
https://webtransparency.cs.princeton.edu/no_boundaries/data/sr_site_list.csv.zip

@ Wael

"JavaScript needs to disappear."

I agree!

@ umm?

"A whitelist of target pages would stop a major class of attack, but who wants to waste a couple of minutes on updating that list? And of course javascript will be enabled.... I'd assume that reproducing the input would be handled at the browser-level, but unfortunately it would not surprise me if a simulated keypress was equivalent to an OS-level keypress."

That is an interesting observation. Most sites including Universities require Java to be enabled. Maybe that is how they spy on students?

@ Clive R.

"I went for the "javascript off" by default a long time ago..."

Good advice.

@ Jerry
"Yet another reason to judiciously enable javascript."

True.

But a lot of sites require it when you hit their password page. When you do, you could be giving away your keystrokes to that password.

@ T33nsy

"...definitely creepy. Use Noscript. Many commerce sites won't work without Javascript, but you can enable scripts selectively, so that Mouseflow doesn't get a look-in but the site still works."

That is an idea.

Now, the problem with my customers who use FF and NoScript is when they come upon a page that requires JavaScript they just use the "Temporarily allow this whole page" option in NoScript. That is bad policy - but a quick fix.

I admit it is time consuming to pick through the list of blocked domains with JavaScript and only enable the ones which make the page work or minimally work.

NoScript should have a method where you mouse-highlight the part of the page that you want to work and the actual domain responsible for that page area being blocked is identified. Then the user could decide the risk of unblocking that domain. Although this blocked domain could possibly be using this horrible replay attack/keylogger. This decision should be analyzed/controlled by the user. Does NoScript have a method to do so? Let me hear about it.

me • November 22, 2017 7:32 PM

@clive
I appreciate what you have to say, but the way you choose to say it, by deliberately misspelling words left and right, is pretty annoying to have to read. Please, reconsider how likely you are to be “outed” because you spell words correctly.

Gunter Königsmann • November 22, 2017 11:12 PM

I just remembered: after a security update, when I had a famous VHDL programming forum open, my browser started to ask if the website really is intended to read my clipboard as soon as I copied text in my text editor....

Wael • November 22, 2017 11:49 PM

@Gunter Königsmann,

had a famous vhdl programming forum open my browser started to ask if the website really is intended to read my Clipboard

Unbelievable! A couple of weeks ago my browser popped up something saying:

$2.99 for Gunter's clipboard contents! I clicked ok and got this:

VHDL Code: Library ieee; use ieee.std_logic_1164.all; ... entity xnor1 is port(a,b:in bit ; c:ou

Where's the rest? I want a refund :(

WhiskersInMenlo • November 23, 2017 12:37 AM

Add to this the proposed net neutrality rule changes some are pushing.
Combined with TLA data gathering features.
Things could get interesting.....

Without a foundation of net neutrality, all manner of misdirection of data,
even modification of CSS file fetches. Without robust cryptography the CSS that is fetched by trusted
sites could be modified in many ways.

Even routers could have tables hacked to return odd answers.
8.8.8.8 DNS requests could be fetched from 80.248.150.170
IP packet headers edited coming and going could make it very difficult
to audit abuses: political, criminal, social, financial, greed, graft....


On the net neutrality front some of the actions that services like Facebook and
Google might engineer to thwart the most recent style of political fake news
mind shaping is not a neutral act and could be taken one step beyond caution
to become a much larger problem.

All triggered by a web page that captured something handy to use.

Nick P • November 23, 2017 12:37 AM

On a related note, Clifford Oravec sells a tool called Tamboo that tells you what users did on your site. His page shows how such tools are described to customers in terms of benefits they'll get. Makes sense for them, too, even though creepy and bad overall for consumers. Ran into that reading his "Epic Bootstrapping Guides" (start) on https://Barnacl.es.

Gunter Königsmann • November 23, 2017 1:18 AM

@wael: That's a thing I wonder, too: actually writing code might be more efficient than stealing random code snippets (and from time to time an entire file). And most firms could gather more important data by actually listening to their customers than by intensively tracking their mouse movements.

Does collecting Big Data actually pay out in the end?

Wael • November 23, 2017 1:33 AM

@Gunter Königsmann,

more efficient than stealing random code snippets...

True, but this is about idea theft. One needs to develop confidential ideas on an off-the-grid device.

by intensively tracking their mouse movements.

Often times these invasive ideas come from engineers that try to be 'innovative'. I witnessed that a few times in the past.

Does collecting Big Data actually pay out in the end?

To business models that depend on selling customers' information, yes. Doesn't seem to have been helpful to stop 'crimes'.

hmm • November 23, 2017 1:44 AM

" actually writing code might be more efficient than stealing random code snippets "

The people for whom that is true don't need to steal code snippets. Therein the rub.

Wesley Parish • November 23, 2017 1:56 AM

For what very very little it's actually worth, this is covered by my observations on personal data being generated by the individual and not by the company, and therefore personal data is owned and copyrighted by the individual and never by the company unless a specific, overt, formal grant of copyright is made.

This is personal data. It belongs to the individual generating it, and never under any circumstances to the company collecting it.

Individuals concerned about this should consider using the DMCA to shut down offending websites. The companies concerned are pirates, after all, and one should show no mercy to information pirates. They themselves show no mercy to individuals.

Clive Robinson • November 23, 2017 2:10 AM

@ Gunter Königsmann,

Does collecting Big Data actually pay out in the end?

For a few like Google yes, for most not really.

Look at it this way if adding a few lines of code to an existing system opens up a new revenue stream then the "free market mantra" says you would be leaving money on the table if you did not. So companies start collecting user data...

The problem is converting the data into dollars, it's a very competitive market with an exponential pay off curve. Which means to make a little you have to work a lot to get to a break even point as you mostly have to work with aggregators who take a big slice of the potential money available.

All of that is before you get close to the likes of "reputational damage" and "court action".

For instance Oracle it appears have just "outed" Google for their new low down trick of making location collection mandatory in the Android OS. Google will no doubt try to do what they did with the collection of WiFi data which is blame it on a rogue employee. Which is frankly unbelievable. Further it appears that Google is not keeping such data siloed as it promised a Judge it would...

Google will in all probability just blag it out knowing that news stories have a very short life span... Because Google know that their customers do not care one jot about the loss of security and privacy of Google's users, in fact the very opposite, they actively encourage it by their purchasing policy.

Google get the big data bucks because they don't just collect user data they process it into a finished product and have all the contacts to get the best prices.

Unlike a smaller business where their real customers are also their users so even small reputational damage hurts their bottom line unlike Google...

Winter • November 23, 2017 3:31 AM

@Clive
"Look at it this way if adding a few lines of code to an existing system opens up a new revenue stream then the "free market mantra" says you would be leaving money on the table if you did not."

That is why the laws they are a-changing. Next year, being cavalier with sensitive data can start haemorrhaging money. Look at the fines Google got recently. That is not going to get easier next year.

Especially, the definition and managing of "Informed Consent" and "Privacy by Design" in the upcoming GDPR will lead to interesting court cases. The corporate legal types I hear and read all give the impression of deer looking into the headlights.

keiner • November 23, 2017 4:21 AM

Combination of NoScript and uMatrix even more recommended. But I would stick to Palemoon or Firefox ESR for the moment.

NoScript in FF57 is only half-baked at the moment...

Clive Robinson • November 23, 2017 6:39 AM

@ keiner,

NoScript in FF57 is only half-baked at the moment...

Whilst I've no involvement with the whole mess of the FF update, I do know some who jumped right in and did the upgrade.

Their comments --are mainly not publishable without a profanity filter in overdrive-- suggest that things are not well in the FF garden. Apparently it is killing system performance even when it has over kill levels of memory thrown at it amongst other problems. One comment was that the upgrade was not even beta grade...

All of which suggests to me that there needs to be a serious period of bug squashing at the very least if not some re-engineering.

Which kind of makes me think most folks for now would be better off not upgrading on any machine they might need for anything other than a boat anchor.

Wael • November 23, 2017 7:18 AM

How difficult is it to find the module that handles JavaScript and add a configurable firewall to manage it such that it allows only acceptable functionality in a way that doesn't break web sites but at the same time stops snooping? It's only a few lines of open source code!

For the more deviant types, it's recommended to supplement that with some randomness, like moving the mouse outside of screen boundaries, or typing nonsense in different languages.

For the wicked types, it's recommended to craft the module to induce weaknesses at the mothership (you know, go to system level, as they say in movies) and hack the base. The module can then siphon data from the web server instead of the other way around.

Clive Robinson • November 23, 2017 7:53 AM

@ Winter,

The corporate legal types I hear and read all give the impression of deer looking into the headlights.

But they are not the ones going to lose their shirts if it all goes south... So if they are "going headless" things must finally be moving in the right direction.

But I guess a warning should be sounded... This "collect all - repackage to value add - sell on" business strategy presupposes there is any real value to start with, and a number of people I've talked to have said they are not seeing a return nor are those they know. So there is a probability the Big Data market is actually a dud before it got turned into a "South Sea Bubble". Like all bubbles one of two things happen, either they deflate or burst...

The question thus is where is the money that has poured into the Big Data market come from and what are the returns on it. With the secondary question of what the US Government involvement is and to what end.

Terence • November 23, 2017 11:18 AM

This reminds me of all the web-based encrypted chat and email services, promising end-to-end encryption, AES256 ciphers, and so on and so forth... which is, of course, completely useless if there is a script recording all the keystrokes and mouse movements in the background.

Clive Robinson • November 23, 2017 11:36 AM

@ Terence,

... AES256 ciphers, and so on and so forth... which is, of course, completely useless if there is a script recording all the keystrokes and mouse movements in the background.

It's called an "end run attack" and it's a problem with nearly all PCs, laptops, tablets, pads and smart phones...

As the communication end point the attacker uses can see the security app plaintext User Interface, the comms end point is beyond the security end point. Which is a well known ComSec failure. It's why the likes of Signal and Whatsapp are fairly useless security wise... Any application developer that says such a setup is secure is either being economical with the truth, or does not know what they are talking about...

It's a point I've been making for a while now, but people tend to "believe what they want to believe" and disregard the truth. And will if they are unlucky suffer for their choice.

Rachel • November 23, 2017 12:17 PM

T33nsy
re Mouseflow
'the mouse tends to hang around whatever they are looking at'

No it doesn't. Maybe if one has an IQ of 49. Do you need your index finger to follow along what you read?

Rachel loves Wael • November 23, 2017 12:25 PM

Wael

I had similar thoughts to you except for one to run their own script inducing infinite randomness. Similar to some add-ons that claim to do the same for general browsing content.

Cassandra • November 23, 2017 2:41 PM

@Clive

Most people have squandered their resistance for a pocketful of baubles.

(I didn't have you down as an S&G fan)

Wael (The Cold Hearted Snake) • November 23, 2017 5:32 PM

@Rachel,

similar to some add-ons that claim to do the same for general browsing content

Better below the add-on levels. More control.

Rachel loves cold heartNovember 24, 2017 10:18 AM

Wael
I appreciated your concise breakdown of the corrupted stack. But why 'apologise' for 'ranting'? The issue is rather how blinded everyone is. There should be more outspoken expression of the issues, and further afield than specialist sites like this blog. As Clive keeps saying, no one wants to hear it.

RachelNovember 24, 2017 10:22 AM

Wael

Sorry, forgot to mention. Why on earth are you using Ghostery? You are aware it was quite publicly revealed they send data to advertisers? I recall they even admitted it (I know you alluded to same). uBlock Origin/original, uMatrix and NoScript are the perfect Tridosha Trimurti Trifecta by a nose.

WaelNovember 24, 2017 10:53 AM

@Rachel,

Yea, I look for alternatives like you and others mentioned. Constant state of change efforts. Takes a lot away from productivity.

If I had the time, and I don't, I would develop an add-on called "Stitches". Snitches get Stitches. It would not only defend, but also attack during idle time with fellow distributed add-ons to do the deed.

LE4X72November 25, 2017 1:00 AM

I prefer uMatrix over NoScript for two reasons. The first reason is that NoScript's user interface is ugly as sin compared to uMatrix's much easier to read yet equally as functional color-coded permissions grid. The second reason is that uMatrix's developer never got into an unethically-handled pissing war with another plugin developer, as was the case with the NoScript vs. AdBlock Plus fiasco.

Also, why the hell are some of you running both NoScript and uMatrix together? They both do the same job. I'd imagine such an arrangement to be redundant at best, conflicting at worst. What, if any, advantages could this possibly provide?

hmmNovember 25, 2017 3:12 AM

"The second reason is that uMatrix's developer never got into an unethically-handled pissing war with another plugin developer"

Not that was made extremely public anyway.

Plus Palant and Maone were basically 1-man operations, one guy steps on the other guy's wallet, gli affari sono affari. It got a little testy but nobody got SWATTED, that's your best reason?

Do you apply it to all other software developers? I bet you don't.

hmmNovember 25, 2017 3:21 AM

"Also, why the hell are some of you running both NoScript and uMatrix together?"

There are things that Noscript can do that umatrix can't as easily and just the fact that they do them differently is enough to break some sites and not others in specific edge cases. I've seen sites that really don't like umatrix at all even with everything allowed, noscript still functions and you can get content to work while still blocking 3rd party shadeware. They didn't seem to conflict when I was experimenting but I'm sure there are ways to make that happen.

No single solution solves all potential problems on the web in my experience. YMMV.

JChristensenNovember 25, 2017 3:09 PM

I downloaded the full list of 96,718 sites surveyed by the CITP study. Of the 13 session replay companies in the data, I found that ten were covered in Ghostery's Advertising, Site Analytics or Customer Interaction categories (my Ghostery installation is uncustomized). The remaining three were detected on only 98 of the 96,718 sites, or about 0.10%. Further work is probably needed before drawing any conclusions but the initial indications seem encouraging. I'm not wild about Ghostery collecting data as mentioned above but during installation it asks about sharing three different data categories so it's straightforward to opt out, or the settings can be changed later.

AntiAntiVirusNovember 27, 2017 4:14 AM

Norton, Kaspersky, Symantec, and Western Union are on the list, ranked 683, 2165, 3300, and 3187, with evidence of session recording sent to clicktale.net (except for westernunion which chose quantummetric.com).

You can also find swiss.com, britishairways.com, costco.com, redhat.com, lenovo.com, and toyrus.com.

hmmNovember 27, 2017 6:38 AM

All companies want this data. Every website wants to know exactly how it's being used, for reasons that make perfect business sense. Analytics is reading tea leaves and dove entrails compared to getting a session capture straight up. There are too many ways it's useful to any organization for them to want to stop collecting it, in every direction.

Law is supposed to stop valuables from being stolen, fraud. OUR data is valuable.

But there's no law preventing this abuse, unlike say Walmart putting cameras in their bathrooms.
Anybody think they wouldn't have cameras there if there were no laws against it?

We can be as outraged as we want to be but until those bought traitors in Congress are held to account, you have no right or expectation of privacy nor recourse for protecting it outside of personal tradecraft or outright abstention. Until we get laws similar to the new European standard we are walking beef.

Instead of calling out the political forces in this country that are pushing this agenda along with corporate tax cuts, total deregulation and anti-charter oversight agency administration, we're allowing ourselves to play the beaten wife. It's going to continue apace until something changes, or the power to bring about that change is completely locked away from us.

People who push blanket deregulation are traitors to the society that was built on standards.
Privacy is summarily taken away today - just imagine what will be taken tomorrow.

Dan HNovember 27, 2017 9:07 AM

Someone here, like Clive Robertson, would have more knowledge of answering this question:

Say I have Inferno OS which runs hosted under Windows, and I use the Charon Web browser which, of course, doesn't have Javascript. Since it is hosted on the Windows machine, and there isn't any Javascript, then nothing would be logged for keystrokes or mouse movement.

But how about viruses that target Windows? Can malware and viruses still affect the Windows host when using the Charon Web browser from Inferno OS?

LE4X72November 27, 2017 11:23 AM

@hmm

NoScript's developer fired the first shot against ABP by INTENTIONALLY screwing around with the settings on everyone's ABP installation, for no other reason than it was cutting into a financial bottom line that he -- as a developer of free software, specifically the kind that serves the function of blocking and filtering elements of the web -- shouldn't have had any illusions of entitlement to in the first place. Yes, this was public, so what? We're still the ones who got unwillingly conscripted into someone else's personal army; does the lack of a cover-up attempt somehow make this behavior on the level?

I already had my problems with ABP for playing both sides with their "allow non-intrusive ads" garbage, but after that drama I just gave up on both of them and started using alternatives. It's a matter of trust. Those are my settings. If they need to be clobbered for the result of compatibility between upgrades, that's one thing, but don't do sneaky stuff like that just because your ad revenue is dropping... for your ad blocking tools. Yeeeahhhhh... someone isn't thinking this one out, much.

As for Ghostery, their combination of withdrawing into closed-source, as well as their double-dealing revenue model that actually involves helping feed valuable metadata to the counter-blocking industry, makes it impossible for me to trust them either, which is unfortunate because it's otherwise a really great looking tool. Sure, you can opt out of those dubious things, but the same is true for a lot of things in closed-source software (Windows Telemetry, anyone?), and I'd rather have the option to just remove those features before compilation to make certain they don't just turn themselves back on.

Again, trust. But yeah, I'm picky.

If I'm not mistaken, I believe uMatrix and uBlock Origin are both overseen by one man, too. Same man, actually. He seems genuinely focused on just making good software. I haven't seen a single shady whitelist entry in either of them for as long as I've had them. If that changes, so will my opinion of the developer, but as it stands now I haven't even seen so much as a nag screen or a donate button. I go with the flow like that, I don't believe in staying piously loyal to software or the people who make it, so to answer your question, yes, I do indeed hold other software developers to these principles, thank you very much. Nice try, assuming on my principles blindly like that without knowing one thing about me, though. I've been a passionate fan of video games for three decades, that alone should speak to how much boycotting, voting with my dollar and copyright infringement I've had to engage in over the past few years for matters of principle and conscience, against developers and publishers I used to worship during my childhood and adolescence, no less.

*spits on ground*

Back to the subject of ads, I think they were a necessary evil back in the very early days of the public web, back when banners were merely annoying, pop-ups were the epitome of evil and almost everyone was on dial-up. Today they have evolved into a cancerous, predatory and dangerous industry that resorts to illegal tactics for motives we can barely comprehend. As a result, we need to continue to innovate and create forms of generating revenue (or at the very least, reducing operating costs) in ways that don't involve giving advertisers the permission to load whatever third-party ObfuScript they want onto your customers, readers and fan base as they view your website.

moopsNovember 27, 2017 1:05 PM

I'm glad that PrivacyBadger and Disconnect both have zero warnings here at www.schneier.com and a rare "0" for Ghostery blocks.

yes, Ghostery is double dealing, I'm ok with that level of meta-leakage for the convenience.


On the original topic, most of the terrible outcomes of script replay could be stopped if the JavaScript and HTML event models did not propagate unescaped key events. [shift,]+[a-z,0-9] should not be visible in the scripting layer. That leaves ctrl and alt and other GUI controls available and protects names and passwords and credit cards and addresses and almost all dangerous personal data.

The event.key field should be left empty on unescaped key events.

There, now give me a trophy!
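The rule moops proposes, written out as an added example (this is not code from the comment, from any browser, or from this site): a policy function that blanks `key` and `code` on printable keys pressed with at most Shift held, and a wrapper a page could apply to its own key listeners today. The names `isUnescapedKey`, `redactKeyEvent`, `guardedKeyListener` and `captureWith`, and the sample event objects, are constructed here for illustration.

```javascript
// Added example implementing the "unescaped key events carry no key" rule
// from the comment above. Not code from the comment, a browser, or this site.
// Plain objects stand in for KeyboardEvent so the logic runs outside a browser.

// A key event is "unescaped" in the commenter's sense when it produces a
// printable character and no modifier other than Shift is held.
function isUnescapedKey(ev) {
  if (ev.ctrlKey || ev.altKey || ev.metaKey) return false;
  // Printable keys arrive as a single character ("a", "A", "7", "@", " ").
  // Named keys such as "Enter", "Tab" or "ArrowLeft" are longer than one char.
  return typeof ev.key === "string" && ev.key.length === 1;
}

// Return the event's scripting-visible fields, with key/code redacted when
// the event is unescaped. Modifier flags and named keys pass through so
// shortcuts and navigation keep working.
function redactKeyEvent(ev) {
  const out = {
    type: ev.type || "keydown",
    key: ev.key,
    code: ev.code,
    shiftKey: !!ev.shiftKey,
    ctrlKey: !!ev.ctrlKey,
    altKey: !!ev.altKey,
    metaKey: !!ev.metaKey,
    redacted: false,
  };
  if (isUnescapedKey(ev)) {
    out.key = "";
    out.code = "";
    out.redacted = true;
  }
  return out;
}

// Wrap a listener so it only ever receives the redacted view of the event.
// A page can register guardedKeyListener(fn) in place of fn for keydown/keyup.
function guardedKeyListener(listener) {
  return function (ev) {
    return listener(redactKeyEvent(ev));
  };
}

// Constructed sample keystroke stream (not captured from any real site).
const SAMPLE_KEYS = [
  { type: "keydown", key: "p", code: "KeyP" },
  { type: "keydown", key: "A", code: "KeyA", shiftKey: true },
  { type: "keydown", key: "7", code: "Digit7" },
  { type: "keydown", key: "Enter", code: "Enter" },
  { type: "keydown", key: "Tab", code: "Tab" },
  { type: "keydown", key: "c", code: "KeyC", ctrlKey: true }, // Ctrl+C stays visible
  { type: "keydown", key: "ArrowLeft", code: "ArrowLeft" },
];

// What a keystroke-recording listener would see from the sample stream,
// with the redaction rule applied (guard = true) or not (guard = false).
function captureWith(guard) {
  const seen = [];
  const listener = (ev) => seen.push(ev.key);
  const handler = guard ? guardedKeyListener(listener) : listener;
  for (const ev of SAMPLE_KEYS) handler(ev);
  return seen;
}

console.log("without rule:", JSON.stringify(captureWith(false)));
console.log("with rule:   ", JSON.stringify(captureWith(true)));
```

Running it shows the typed characters `p`, `A`, `7` disappearing from the recorded stream while `Enter`, `Tab`, Ctrl+C and the arrow key remain. One caveat worth keeping in mind when evaluating this rule as a defence: it only affects listeners that read keystrokes. A script that reads the field's `value` or subscribes to `input` events still sees the typed text, so on the site side the replay script has to be kept off the page or the field masked as well.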

AnonNovember 27, 2017 10:42 PM

Why do web browsers not at least offer the option to block any data/scripts/elements that do not originate from the current site/web page being viewed??

Web browsers just allow access to too much capability that simply shouldn't exist.

Many versions ago, Firefox removed a convenient way to block images from certain domains, if you just right-clicked and hit "block".

I really think the web browser devs have been subverted by the ad platforms etc.. that are otherwise adversely affected by the privacy tools they were adding. The whole thing is corrupt.

Adrian PeirsonDecember 3, 2017 12:35 AM

Just assume, any live device, is eavesdropping on your activity.
Use a Linux distribution disc on an Airgapped PC.

Wouldn't it be possible to produce an Airgapped mobile phone?
Perhaps using something like Cyanogen Mod or similar but switching off the GSM, Wifi and Bluetooth.

Let's say we want to encrypt a message on such a device.
Ordinarily, anything typed on a mobile phone can potentially be compromised.

We input the message on the keyboard, it's encrypted by an App and output as a QR code.
which can then be scanned to another device for transmission.

Thus the only way off the device is via a QR code, and presumably, it would be exceptionally unlikely that any means of compromising the message.
The device itself could be compromised, but if the only way off the device is via a QR code, then there is no way the encrypted message can be compromised.

An Airgapped mobile phone would be very useful.

Clive RobinsonDecember 3, 2017 12:16 PM

@ Adrian Peirson, JG4,

Wouldn't it be possible to produce an Airgapped mobile phone?

No, because all mobile phones are compromised by design from the hardware upwards... So if at any point the phone does get external connection even briefly then it's no longer air-gapped, it's compromised, until proven otherwise, which is a difficult if not near impossible task for even the phone's original designers... So the rest of us mere mortals have no chance.

The big problem with mobile phones is connections come in many forms... Including via the USB power socket, the microphone / speaker, the daylight sensor and screen brightness, and even sensors such as accelerometers. It's safe to say due to the laws of physics that all transducers --sensors-- you will find on a mobile phone have been compromised in one way or another and published one way or another. With the only thing in common being that they impress/modulate secret information on energy that gets transmitted by conduction, radiation and even convection. Which is why I use the term "Energy-Gapping", not "air-gapping" these days.

That said if you design a device that does not have the proliferation of transducers, then you have a start on developing a secure system.

Importantly though as I identified last century you need to put the human in the communications path to act as a barrier...

A long time ago somebody at the UK Cambridge labs came up with an idea to use coloured dots on a computer screen and use a camera in the device to read it back. As I pointed out the human eye is actually less sensitive to intensity variation than even a cheap web camera. Thus a side channel could be established via the coloured dots intensity... The same holds true for QR Codes and the like.

The reason this is a problem is that by using a sensor you are extending the communications path the attacker has access to into the secure device. Which in turn allows them to extend it past the security end point in the device to the plaintext user interface in a classic "end run" attack. Cyber criminals have done this type of security end point end run attack in the past by adding "shims" to device drivers. Thus falsely reporting bank balances and the like...

As I've repeatedly said over the intervening near couple of decades you need not only to put an instrumented choke point in the communications --ie a human-- but also authenticate the individual transactions not the communications channel.

Doing it any other way has been known to fail in the past against sufficiently advanced attackers, even though they might appear "Mickey Mouse" to the likes of the CIA and the UK Secret Service (MI6). Have a read of the first half of Peter Wright's "Spycatcher" book written in the late 1970s / early 1980s, when many of the attacks were considered "old hat" by that point. He was the "principal scientist" and later "assistant director" of MI5, and gave the CIA, GCHQ and thus NSA a helping hand on a number of occasions.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.