HTTPS Everywhere和Let s Encrypt项目的开发者Yan Zhu在上周末举行的 ToorCon 2015大会上介绍了一种滥用HSTS（HTTP Strict Transport Security）和内容安全策略（CSP）嗅探浏览器历史的时序攻击方法Sniffly（幻灯片、演示、源代码）。Sniffly允许任意网站嗅探浏览器历史： 当用户访问一个嵌入Sniffly代码的网页，它会试图通过HTTP加载来自HSTS域名的图像，Sniffly将一个CSP策略设置为限制图像通过HTTP，这意味着在重定向到HTTPS前图像源被封锁了。当图像被CSP屏蔽，它会调用处理程序onerror，onerror会先尝试计算图像从HTTP重定向到HTTPS所需的时间。如果时间是在毫秒内，那么这意味着浏览器不需要发出网络请求，也就是用户以前访问过目标域名。如果时间是100毫秒左右，那么这意味着浏览器需要发出网络请求，也就是用户以前没有访问过目标域名。

sniffly-master
..............\.gitignore
..............\LICENSE
..............\README.md
..............\src
..............\...\index.html
..............\...\index.js
..............\util
..............\....\process.py
..............\....\results.log.sample
..............\....\run.sh
..............\....\scrape.py
..............\....\strict-transport-security.txt
..............\....\transport_security_state_static.json

• We are an exchange download platform that only provides communication channels. The downloaded content comes from the internet. Except for download issues, please Google on your own.
• The downloaded content is provided for members to upload. If it unintentionally infringes on your copyright, please contact us.
• Please use Winrar for decompression tools
• If download fail, Try it againg or Feedback to us.
• If downloaded content did not match the introduction, Feedback to us，Confirm and will be refund.
• Before downloading, you can inquire through the uploaded person information

Nothing．