The attack described on the first page of TFA didn't involve any 'reconstruction'. They were able to access the web histories by stealing cookies and using them to access the web histories Google provides. In the second page they talk about using the cookies to view a users' Google Suggest results.
Still, this is relatively unsurprising. If you snoop on my non-https transmissions, yeah, you can get a lot of information that I consider private. It would be nice if everything were https (the EFF has been pushing for all GWS to use https for a while now), but it's not news to me that it's not. The most novel thing here is that because they could access/reconstruct web history by getting my cookies, they didn't need to be watching me when I did my searches--getting my cookie now is as good as sniffing my packets when I was doing criminal activity yesterday.
Totally agreed. One of the first things I do when I do a new install (for me personally) is to make sure in FF that either I have cookies turned off or to have FF ask me everytime. its just like noscript, where yes, it can get annoying for a while, but then once your whitelist is fairly complete it is very worth it. Or you can just always start FF in a private browsing session too.
Um, do you understand the attack at all? The attackers intercepted your cookies from Google, using a standard man-in-the-middle attack, and used them to access your account. Cookie whitelisting is useless here: the only cookies are legitimate ones from Google, and if you deny those, you can't log in (as with any cookie-based authentication).
Yes, exactly. If you are rejecting the cookies, you aren't logged in, and your search history is tracked less. I don't consider the personalization a feature, so I prefer not to be logged in.
(I do this in a somewhat hilarious fashion, I log into Google to use gmail, and then I delete the cookies for google.com (but not for mail.google.com). Paranoia, I am doing it wrong.)
+1 mod this to 5 and then re-edit the article & title please. This is not the same as the work identifying people from their movie ratings for example.
If you had read the paper you would see that Google asks for a reauth when an attempt is made to access the web history, so instead they choose the most frequent prefixes that are used in searches, and use them to ask google for search suggestions. Reconstruct is a perfectly suitable word to describe this process.
The title of the original paper is: Private Information Disclosure from Web Searches.
They found a security vulnerability, and retrieved the information using probable prefixes. The reason I dislike the title is because it sounds a lot like the SIGIR 06 paper
where they actually did reconstruction using publicly available information combined with collaborative filtering like technology against anonymized data.
Reconstructing? (Score:5, Informative)
The attack described on the first page of TFA didn't involve any 'reconstruction'. They were able to access the web histories by stealing cookies and using them to access the web histories Google provides. In the second page they talk about using the cookies to view a users' Google Suggest results.
Still, this is relatively unsurprising. If you snoop on my non-https transmissions, yeah, you can get a lot of information that I consider private. It would be nice if everything were https (the EFF has been pushing for all GWS to use https for a while now), but it's not news to me that it's not. The most novel thing here is that because they could access/reconstruct web history by getting my cookies, they didn't need to be watching me when I did my searches--getting my cookie now is as good as sniffing my packets when I was doing criminal activity yesterday.
Re: (Score:1, Insightful)
Cookie white-listing seems saner and saner.
Re: (Score:1)
Re: (Score:2)
Cookie white-listing seems saner and saner.
Um, do you understand the attack at all? The attackers intercepted your cookies from Google, using a standard man-in-the-middle attack, and used them to access your account. Cookie whitelisting is useless here: the only cookies are legitimate ones from Google, and if you deny those, you can't log in (as with any cookie-based authentication).
Re: (Score:1)
Yes, exactly. If you are rejecting the cookies, you aren't logged in, and your search history is tracked less. I don't consider the personalization a feature, so I prefer not to be logged in.
(I do this in a somewhat hilarious fashion, I log into Google to use gmail, and then I delete the cookies for google.com (but not for mail.google.com). Paranoia, I am doing it wrong.)
Re: (Score:3, Informative)
+1 mod this to 5 and then re-edit the article & title please. This is not the same as the work identifying people from their movie ratings for example.
Re: (Score:3, Informative)
Re: (Score:2)
The title of the original paper is: Private Information Disclosure from Web Searches.
They found a security vulnerability, and retrieved the information using probable prefixes. The reason I dislike the title is because it sounds a lot like the SIGIR 06 paper
http://video.google.com/videoplay?docid=6474169875352273382# [google.com]
where they actually did reconstruction using publicly available information combined with
collaborative filtering like technology against anonymized data.
This article isn't a bad one, and intere
Re: (Score:1)