NDSS 2025 – Exploiting the Complexity Of Modern CSS For Email And Browser Fingerprinting
The researchers analyze modern CSS features for script-less fingerprinting, applicable to browsers and email applications, and propose resource preloading and an email proxy as defenses.
2026-1-6 16:0:0 Author: securityboulevard.com

Session 8A: Email Security

Authors, Creators & Presenters: Leon Trampert (CISPA Helmholtz Center for Information Security), Daniel Weber (CISPA Helmholtz Center for Information Security), Lukas Gerlach (CISPA Helmholtz Center for Information Security), Christian Rossow (CISPA Helmholtz Center for Information Security), Michael Schwarz (CISPA Helmholtz Center for Information Security)
PAPER
Cascading Spy Sheets: Exploiting the Complexity of Modern CSS for Email and Browser Fingerprinting
In an attempt to combat user tracking, both privacy-aware browsers (e.g., Tor) and email applications usually disable JavaScript. This effectively closes a major angle for user fingerprinting. However, recent findings hint at the potential for privacy leakage through selected Cascading Style Sheets (CSS) features. Nevertheless, the full fingerprinting potential of CSS remains unknown, and it is unclear if attacks apply to more restrictive settings such as email. In this paper, we systematically investigate the modern dynamic features of CSS and their applicability for script-less fingerprinting, bypassing many state-of-the-art mitigations. We present three innovative techniques based on fuzzing and templating that exploit nuances in CSS container queries, arithmetic functions, and complex selectors. This allows us to infer detailed application, OS, and hardware configurations at high accuracy. For browsers, we can distinguish 97.95% of 1176 tested browser-OS combinations. Our methods also apply to email applications – as shown for 8 out of 21 tested web, desktop or mobile email applications. This demonstrates that fingerprinting is possible in the highly restrictive setting of HTML emails and expands the scope of tracking beyond traditional web environments. In response to these and potential future CSS-based tracking capabilities, we propose two defense mechanisms that eliminate the root causes of privacy leakage. For browsers, we propose to preload conditional resources, which eliminates feature-dependent leakage. For the email setting, we design an email proxy service that retains privacy and email integrity while largely preserving feature compatibility. Our work provides new insights and solutions to the ongoing privacy debate, highlighting the importance of robust defenses against emerging tracking methods.
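A defender-side check related to the abstract's "conditional resources": the Python sketch below is an added example, not code from the paper or its authors. It lists remote `url()` references that sit inside conditional at-rules of a stylesheet, so a reviewer or mail gateway can inspect them. It assumes the channel of interest is a remote fetch that happens only when an `@media`, `@container` or `@supports` condition matches; the function name and the sample CSS are constructed for illustration.

```python
import re

# At-rules whose body only applies when a client-side condition holds.
CONDITIONAL = ("@media", "@container", "@supports")
# Remote targets only: http(s):// or protocol-relative //host; data: URIs are skipped.
URL_RE = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)

def conditional_remote_urls(css):
    """Return (condition, url) pairs for remote url() values nested in conditional at-rules."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)   # strip comments first
    findings, stack, buf = [], [], ""
    for ch in css:
        if ch == "{":                                 # buf holds the block prelude
            stack.append(" ".join(buf.split()))
            buf = ""
        elif ch in ";}":                              # buf holds one declaration
            conds = [p for p in stack if p.lower().startswith(CONDITIONAL)]
            if conds:
                findings += [(" / ".join(conds), u) for u in URL_RE.findall(buf)]
            buf = ""
            if ch == "}" and stack:
                stack.pop()
        else:
            buf += ch
    return findings

# Constructed sample stylesheet (hypothetical hosts under the reserved .example TLD).
SAMPLE_CSS = """
/* constructed sample, not from the paper */
.logo { background: url(https://cdn.example/logo.png); }
@media (min-width: 600px) {
  .a { background-image: url("https://t.example/w600"); }
}
@container card (min-width: 20em) {
  .b::after { content: url(//t.example/c20) }
}
@supports (display: grid) {
  .c { background: url(data:image/png;base64,AAAA); }
}
"""

if __name__ == "__main__":
    for condition, url in conditional_remote_urls(SAMPLE_CSS):
        print(f"{condition:40} -> {url}")
```

The unconditional logo and the inline `data:` image are not reported; conditional `@import` rules and braces inside quoted strings are outside what this sketch handles.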
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators', Authors' and Presenters' superb NDSS Symposium 2025 Conference content on the Organization's YouTube Channel.

*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/_9kWTudm52A?si=oyucZxhjyLzAZdvu


Article source: https://securityboulevard.com/2026/01/ndss-2025-exploiting-the-complexity-of-modern-css-for-email-and-browser-fingerprinting/