The Limitations of Web Privacy: Cracking ShadowCrypt

Abstract

In web settings it is very difficult to assure users their data is being kept private. Recent work has been done to develop a browser extension that can make text based web applications private without trusting any part of the application itself. The name of this project is ShadowCrypt and is available in the Chrome Extension store. This extension fails to address a serious user interface attack which will be described in detail. The effectiveness of this attack was measured through a user study administered through Amazon Mechanical Turk, in which only 5.4% of participants noticed the attack. In addition to a demonstration of the effectiveness of the user interface attack, I created multiple fundamental attacks against ShadowCrypt, exposing the privacy weaknesses of ShadowDOM. Finally, a framework for possible countermeasures is pre- sented in order to provide clear guidelines on how to design a secure input and output system within internet browsers.