Understanding the Potential Identity Leak Warning in NoScript
Recently, while I was using the Tor Browser, NoScript popped up a warning about a potential identity leak when I opened a Stack Overflow link in a new tab from DuckDuckGo. This warning raised questions about how this identity leak or de-anonymization attack works.
What is this potential identity leak that NoScript warns about?
NoScript’s warning suggests that loading a page from Stack Overflow might allow DuckDuckGo to acquire information about the user’s identity, specifically if the user is logged in on Stack Overflow. This raises concerns about potential information leakage.
How does this identity leak/de-anonymization attack work?
NoScript’s settings include a feature called ‘Cross-tab identity leak protection’, which aims to protect against a de-anonymization attack. The attack relies on a cache-timing side channel and on the ability to share a resource with a specific user on websites like Twitter and Google. The attacker uploads a resource to a resource-sharing service, shares it with the victim’s account only, and embeds it into an attacker-controlled webpage. When the target visits the webpage, their browser makes a cross-site request for the embedded resource, passing their authentication cookies, so the resource loads only if the visitor is logged in as that account. By measuring contention on the CPU cache, the attacker can determine whether the resource has been loaded, revealing the target’s identity.
This de-anonymization attack is relevant mainly to a niche threat model and is not a widespread concern. However, NoScript’s warning highlights the importance of browsing cautiously and of using security features like NoScript to protect against potential identity leaks.
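A server-side counterpart to the embedding step described above, as an added example that is not from the original page or from NoScript: a resource-sharing service can refuse to serve a privately shared resource when the browser marks the request as a cross-site embed. The function name and return shape are hypothetical; the `Sec-Fetch-*` request headers are the standard Fetch Metadata headers.

```javascript
// Added example: Fetch Metadata check in front of privately shared resources.
// decideSharedResourceRequest and its return shape are hypothetical names.
function decideSharedResourceRequest(method, headers, allowLegacy = true) {
  // Normalise header names and values so lookups are case-insensitive.
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).toLowerCase();
  }
  const site = h['sec-fetch-site'];
  const mode = h['sec-fetch-mode'];
  const dest = h['sec-fetch-dest'];

  // Browsers without Fetch Metadata send no Sec-Fetch-Site header at all.
  if (site === undefined) {
    return { allow: allowLegacy, reason: 'no-fetch-metadata' };
  }
  // Requests from the service's own pages, or typed/bookmarked URLs ("none").
  if (['same-origin', 'same-site', 'none'].includes(site)) {
    return { allow: true, reason: 'first-party' };
  }
  // Cross-site from here on. A plain top-level link click is let through,
  // so this check does not cover the new-tab case from the warning above.
  if (mode === 'navigate' && method.toUpperCase() === 'GET' && dest === 'document') {
    return { allow: true, reason: 'cross-site-navigation' };
  }
  // Cross-site <img>, <iframe>, <script>, fetch(): the embedded request
  // that would otherwise carry the user's cookies to the shared resource.
  return { allow: false, reason: 'cross-site-embed' };
}

// Constructed sample requests (not captured traffic).
const samples = [
  ['own page', { 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty' }],
  ['link click', { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document' }],
  ['embedded image', { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'image' }],
  ['embedded frame', { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'iframe' }],
];
for (const [label, headers] of samples) {
  const d = decideSharedResourceRequest('GET', headers);
  console.log(`${label}: ${d.allow ? 'serve' : 'refuse'} (${d.reason})`);
}
```

Denied requests should get an error response that does not depend on whether the resource exists or who it is shared with, so the refusal itself carries no signal.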