Presentation is loading. Please wait.

Presentation is loading. Please wait.

CAN YOUR WEB BROWSER KEEP A SECRET? Terry Labach.

Published byShauna Houston Modified over 9 years ago

Similar presentations

Presentation on theme: "CAN YOUR WEB BROWSER KEEP A SECRET? Terry Labach."— Presentation transcript:

1 CAN YOUR WEB BROWSER KEEP A SECRET? Terry Labach

2 CAN YOUR WEB BROWSER KEEP A SECRET? NO Can Your Web Browser Keep a Secret? 2

3 QUESTIONS? Can Your Web Browser Keep a Secret? 3

4 YOU ARE BEING WATCHED Can Your Web Browser Keep a Secret? 4

5 BROWSERS Desktop  Firefox (Windows, Macintosh, Linux)  Internet Explorer (Windows)  Safari (Macintosh)  Chrome (Windows, Macintosh, Linux)  Opera (Windows, Macintosh, Linux)  WhiteHat Aviator (Windows, Macintosh) WhiteHat Aviator Can Your Web Browser Keep a Secret? 5

6 BROWSERS Mobile  Firefox (Android)  Dolphin (Android, iPhone)  Internet Explorer (Windows Phone)  Metro (Windows Phone)  Atomic (iPhone)  Chrome (Android, iPhone)  Safari (iPhone)  Opera (Android, iPhone, Windows Phone) Can Your Web Browser Keep a Secret? 6

7 WHAT SCARES YOU? “My political philosophy is: anything smaller than me is cute; anything bigger than me is scary - elephants, the ocean, Microsoft, the IRS, the IRA, IBM, ICBMs, committees and other mobs, Rush Limbaugh.” - Michael Swaine, Dr. Dobb's Journal Can Your Web Browser Keep a Secret? 7

8 THREATS TO YOUR PRIVACY Business Government Criminals Can Your Web Browser Keep a Secret? 8

9 THREATS Business and government have not generally been thought of as threats We know better now Can Your Web Browser Keep a Secret? 9

10 BUSINESS “We’re looking for a cookie alternative...this is well within the rules and regulations and laws and policies that we have.” - Rich Harris, chief executive of AddThis, on testing of new tracking techniques designed to be harder to avoid.AddThis “Your online profile is being sold on the web. It's kind of crazy and it's not harmless.” - Sharon Goott Nissim, Electronic Privacy Information CenterElectronic Privacy Information Center Can Your Web Browser Keep a Secret? 10

11 YOU ARE THE PRODUCT Can Your Web Browser Keep a Secret? 11

12 GOVERNMENT “If there were one thing that I would ask for discussion on is that there has to be some mechanism of accountability for you to sign on to an Internet account that makes it like a digital fingerprint that identifies it to you sitting behind the computer or something at that time. There are mechanisms to do it, but the Internet is so big and so vast at this point, and it’s worldwide, I’m not sure how that could happen, but that would certainly assist everybody.” - Scott Naylor of the Ontario Provincial Police testifying at a Canadian Senate committee in Nov. 2014 Can Your Web Browser Keep a Secret? 12

13 GOVERNMENT “When conducting national security investigations, the U.S. Federal Bureau of Investigation can issue a National Security Letter (NSL) to obtain identifying information about a subscriber from telephone and Internet companies. The FBI has the authority to prohibit companies from talking about these requests. But we’ve been trying to find a way to provide more information about the NSLs we get—particularly as people have voiced concerns about the increase in their use since 9/11.” - Richard Salgado, Google Can Your Web Browser Keep a Secret? 13

14 GOVERNMENT “We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so.... if the challenges of real-time interception threaten to leave us in the dark, encryption threatens to lead all of us to a very dark place.” - James Comey, FBI Director, Oct. 2014 Can Your Web Browser Keep a Secret? 14

15 BILL C-51 2015 “anti-terrorism” bill Permits broad information sharing across government for wide range of purposes CSE included in departments allowed to share data Can Your Web Browser Keep a Secret? 15

16 LEVITATION Communications Security Establishment (CSE) analyzes records of up to 15 million downloads daily from popular websites By law, can’t target Canadians Data collected without ensuring “targets” are non-Canadian Can Your Web Browser Keep a Secret? 16

17 GOVERNMENT “...this is not "surveillance," it's "data collection." They say it is done to keep you safe. They're wrong. There is a huge difference between legal programs, legitimate spying, legitimate law enforcement -- where individuals are targeted based on a reasonable, individualized suspicion -- and these programs of dragnet mass surveillance that put entire populations under an all-seeing eye and save copies forever. These programs were never about terrorism: they're about economic spying, social control, and diplomatic manipulation. They're about power.” - Edward Snowden, December 2013 Can Your Web Browser Keep a Secret? 17

18 CITIZENFOUR Documentary on Edward Snowden, playing at Princess Cinema in Waterloo Sun, Feb 22, 2015 - 7:00pm Tue, Feb 24, 2015 - 6:45pm Wed, Feb 25, 2015 - 9:15pm Can Your Web Browser Keep a Secret? 18

19 YOU ARE THE TARGET Can Your Web Browser Keep a Secret? 19

20 RISKS TO YOU Unintentional release of private information Businesses can target and manipulate you Financial loss Harassment from government and law enforcement Embarrassment Emotional distress Can Your Web Browser Keep a Secret? 20

21 PRIVATE INFORMATION Google, Facebook, Yahoo!, etc. present ads that their analysis indicates might be of interest User could be inadvertently outed based on ads presented Can Your Web Browser Keep a Secret? 21

22 IT’S LEGAL —Why did yeh ask abou’ Facebook? —Somethin’ Bertie told me, said Jimmy Sr.— Somethin’ he heard. —It’s illegal if it’s Bertie. —No, said Jimmy Sr.—It’s not. It’s f****** immoral but. - Roddy Doyle, from his novel The Guts Can Your Web Browser Keep a Secret? 22

23 EMBARRASSMENT Pop-up ad led to married Facebook user being given Zoosk.com account The dating site populated her new account with data from her Facebook profile Can Your Web Browser Keep a Secret? 23

24 BIG DATA DOESN’T FORGET OfficeMax sent customer mail addressed to "Mike Seay, Daughter Killed in Car Crash.“  OfficeMax stated "is a result of a mailing list rented through a third-party provider“ Globe and Mail report on woman inundated with ads for baby and toddler products, based on Big Data  Woman had suffered two miscarriages, unable to stop ads Can Your Web Browser Keep a Secret? 24

25 BIG DATA Collection of your data largely unregulated  Not like credit industry, where you can request and correct credit reports Some data brokers will let you request reports  This usually (and ironically) involves disclosing personal data to them so they match your record correctly Can Your Web Browser Keep a Secret? 25

26 DIFFERENTIAL PRICING Price discrimination Price steering Retailers use information about you to alter pricing that you see. e.g. Orbitz showed costlier hotel rooms to Mac users after market research showed they tend to spend more money than PC users Can Your Web Browser Keep a Secret? 26

27 THE TRACKERS Facebook Google Twitter Quantcast ComScore Clearspring Doubleclick Neilsen Yahoo AppNexus Can Your Web Browser Keep a Secret? 27

28 SEARCH HISTORY LEAKAGE Amazon uses your browsing history to suggest itemsbrowsing history How?  Your previous Amazon searches  Similar searches and eventual purchases by other customers Sounds like metadata! Can Your Web Browser Keep a Secret? 28

29 RECOMMENDED FOR YOU... Can Your Web Browser Keep a Secret? 29

30 LEAKY BROWSERS Browsers provide information to remote web sites  IP address  Browser version  Computer information  Location information Reporting tools  https://panopticlick.eff.org/ https://panopticlick.eff.org/  http://www.whatismybrowser.com/ http://www.whatismybrowser.com/  http://www.whatbrowser.org/ http://www.whatbrowser.org/ Can Your Web Browser Keep a Secret? 30

31 INFORMATION LEAKAGE Site with malware can use your browser type to craft an attack e.g. browsing with Internet Explorer identifies you as a Windows user Functionality might be compromised without cause if browser you use is not formally supported Can Your Web Browser Keep a Secret? 31

32 USER AGENTS Passed to web server e.g. Windows / IE 11: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) User Agent Overrider  Firefox  transmits arbitrary User Agent values Can Your Web Browser Keep a Secret? 32

33 GEOLOCATION Your geographical location can be inferred from your computer Not 100% reliable due to errors in records Can also be spoofed Can Your Web Browser Keep a Secret? 33

34 PROXIES AND GEOLOCATION Route your network traffic through a proxy server Various reasons to use proxies Can be used to make geolocation believe you are located wherever the proxy server is TunnelBear is one popular proxy Can Your Web Browser Keep a Secret? 34

35 USING A PROXY 1 Can Your Web Browser Keep a Secret? 35

36 USING A PROXY 2 Can Your Web Browser Keep a Secret? 36

37 TRACKING Using unique identifiers, businesses can track your web browsing By connecting your browsing habits among sites or comparing with other individuals, trends can be identified to assist the business Can Your Web Browser Keep a Secret? 37

38 COOKIES Browsers can store files on behalf of a web site Each time that site is visited, the browser sends the cookie back to indicate previous activity  logged-in status  shopping cart Contents stipulated by remote site Could leak personal data Can be used to track your Web activity Can Your Web Browser Keep a Secret? 38

39 BLOCKING & REMOVING COOKIES Many browsers offer ways to manage and delete cookies Many browsers allow you to prevent the storage of cookies from all or some web sites Can also use browser plug-ins for greater power and flexibility Can Your Web Browser Keep a Secret? 39

40 OTHER TRACKING METHODS Tracking organizations responded to cookie blocking and to their desire to collect and collate more information Canvas fingerprinting Evercookies Cookie syncing Can Your Web Browser Keep a Secret? 40

41 CANVAS FINGERPRINTING Instructs a Web browser to draw a hidden image Each computer draws the image slightly differently, so the images can be used to generate a code to uniquely identify each user’s device. Not covered by legislation on cookies You can see a visible example of a browser fingerprint fingerprint Can Your Web Browser Keep a Secret? 41

42 EVERCOOKIES A site places cookies or cookie-like data in every location allowed by your browser If it finds some cookies missing on subsequent visits, it will recreate them using the cookies that survived  Standard HTTP cookies  Local Shared Objects (LSOs) (Flash cookies)  Silverlight Storage  Storing in RGB values of auto-generated images  Web history  Web cache  Internet Explorer storage  HTML5 Storage Can Your Web Browser Keep a Secret? 42

43 COOKIE SYNCING Allows businesses to work together Invisible redirects and embedded URLS allow multiple businesses to give you cookies, which they link to be able to share your data Can Your Web Browser Keep a Secret? 43

44 LIGHTBEAM (AKA COLLUSION) Records your browsing activity and the sites involved Creates graphic visualization of sites and connections Can Your Web Browser Keep a Secret? 44

45 LIGHTBEAM EXAMPLE Can Your Web Browser Keep a Secret? 45

46 DO NOT TRACK Browser feature  Firefox – Do Not Track  transmits a Do Not Track HTTP header  requires remote site to honour the request  IE – Tracking Protection  limits information sent to third party sites by referring to a user’s list of allowed sites  applies to entire websites, not individual pages  can create or download lists  Chrome – Incognito  won't leave browsing history and cookies on your computer Can Your Web Browser Keep a Secret? 46

47 CAN YOU TRUST YOUR INTERNET PROVIDER? Some jurisdictions mandate Internet filtering Your internet service provider (ISP) may configure their network to prevent you from searching Google over an encrypted (https:) connection Used in schools and for public Wi-Fi Can Your Web Browser Keep a Secret? 47

48 MAN IN THE MIDDLE (MITM) Rogers  injects content into web pages to send messages about monthly data usage  information cached for 30 days  for a while, injected ads into bodies of email messages Verizon advertising cookie  adds secret HTML header to web browsing done from mobile devices  likely other providers do the same Can Your Web Browser Keep a Secret? 48

49 CAN YOU TRUST YOUR COMPUTER MANUFACTURER? Computer companies may have partnerships with advertisers Can Your Web Browser Keep a Secret? 49

50 MAN IN THE MIDDLE (MITM) Lenovo  In 2015, discovered to have installed Superfish software on laptop computers sold  Injects third-party ads on Google searches and websites  Installs own self-signed security certificate authority, which could allow it to intercept user’s private web traffic Can Your Web Browser Keep a Secret? 50

51 PRIVATE BROWSING Mozilla  Private Browsing allows you to browse the Internet without saving any information about which sites and pages you’ve visited. Internet Explorer  When you use InPrivate Browsing, info like passwords, search history, and page history is deleted once you close the tab. Can Your Web Browser Keep a Secret? 51

52 SEARCHING Every Google search you've ever performed is stored Data is correlated to your search data from any other Google services you use. Even if you delete a search from your Google history, Google will keep it for their own purposes Can Your Web Browser Keep a Secret? 52

53 GOOGLE Can Your Web Browser Keep a Secret? 53

54 TOR The onion routing network Transmits your communications around a network run by volunteers all around the world Proxy servers hide your chain of connections Protects the transport of your data Visualization of features  https://www.eff.org/pages/tor-and-https https://www.eff.org/pages/tor-and-https Can Your Web Browser Keep a Secret? 54

55 PROTECTING YOUR PRIVACY Don’t put personal information in on-line searches Don't login to your search engine or related tools Block cookies from your search engine Use web proxies and anonymizing software like Tor Configure browser to avoid tracking Can Your Web Browser Keep a Secret? 55

56 PROTECTING YOUR SEARCHES Google users can view and manage their search history at https://www.google.com/history https://www.google.com/history Use alternative search engines like DuckDuckGo that do not have user logins and do not save your searches DuckDuckGo Authorities and business can’t get data on you that doesn’t exist Can Your Web Browser Keep a Secret? 56

57 PROTECTING YOUR COMMUNICATIONS Web sites can use unencrypted (http:) or encrypted (https:) communications https: indicates that the transmission of data occurs using TLS (formerly SSL) encryption If a web site allows either, use encrypted communications Better if the web site only allows encrypted communications Can Your Web Browser Keep a Secret? 57

58 HIDE YOUR IDENTITY Use different browsers Use different computers Use different IP addresses Use fake identities if possible Fake your browser identification Can Your Web Browser Keep a Secret? 58

59 ENHANCING YOUR BROWSER Variety of additional software to add security and privacy support to browser  Adblock Plus  Ghostery  NoScript  Better Privacy  HTTPS Everywhere  Privacy Badger  Disconnect Can Your Web Browser Keep a Secret? 59

60 RESOURCES Web  Electronic Frontier Foundation  https://www.eff.org/ https://www.eff.org/  MediaSmarts  http://mediasmarts.ca http://mediasmarts.ca  Disconnect  https://disconnect.me/ https://disconnect.me/  Edward Snowden’s security hints  https://firstlook.org/theintercept/2014/10/28/smuggling- snowden-secrets/ https://firstlook.org/theintercept/2014/10/28/smuggling- snowden-secrets/  Freedom of the Press Foundation  https://freedom.press https://freedom.press Can Your Web Browser Keep a Secret? 60

61 RESOURCES Books  Dragnet Nation  Julia Angwin  The Smart Girl's Guide to Privacy  Violet Blue Television  United States of Secrets  http://www.pbs.org/wgbh/pages/frontline/united-states-of- secrets/ http://www.pbs.org/wgbh/pages/frontline/united-states-of- secrets/ Can Your Web Browser Keep a Secret? 61

62 INFORMATION SECURITY SERVICES IST team We will provide custom computer security training to your team or department Contact Terry Labach to discuss your security education needs Can Your Web Browser Keep a Secret? 62

63 TERRY LABACH terry.labach@uwaterloo.ca 519-888-4567 x45227 Slides and resources available at http://ist.uwaterloo.ca/~tlabach/ http://ist.uwaterloo.ca/~tlabach/ Can Your Web Browser Keep a Secret? 63

64 QUESTIONS? Can Your Web Browser Keep a Secret? 64

Download ppt "CAN YOUR WEB BROWSER KEEP A SECRET? Terry Labach."

Similar presentations

The Internet and the Web

The Internet and the Web
How to protect yourself, your computer, and others on the internet

How to protect yourself, your computer, and others on the internet
Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.

Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.
#watitis2014 watitis.uwaterloo.ca CAN YOUR WEB BROWSER KEEP A SECRET? Terry Labach.

#watitis2014 watitis.uwaterloo.ca CAN YOUR WEB BROWSER KEEP A SECRET? Terry Labach.
Breaking Trust On The Internet

Breaking Trust On The Internet
Netiquette Rules.

Netiquette Rules.
Chapter 7: The Web and E-mail1 The Web and E-mail Chapter 7.

Chapter 7: The Web and 1 The Web and Chapter 7.
ADMINISTRATION Sources of Information REVISION – BLOCK 6.

ADMINISTRATION Sources of Information REVISION – BLOCK 6.
Tracking, Privacy, You & The 21 st Century When you talk online the internet listens.

Tracking, Privacy, You & The 21 st Century When you talk online the internet listens.
Safer Web Browsing Terry Labach Information Security Services IST.

Safer Web Browsing Terry Labach Information Security Services IST.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 15: Internet Explorer and Remote Connectivity Tools.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 15: Internet Explorer and Remote Connectivity Tools.
FIRST COURSE Computer Concepts Internet and Email Microsoft Office Get to Know Your Computer.

FIRST COURSE Computer Concepts Internet and Microsoft Office Get to Know Your Computer.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.

Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.
Mohammed Saiyeedur Rahman.  E-commerce is buying and selling goods over the internet. This could include selling/buying mobile phones, clothes or DVD’s.

Mohammed Saiyeedur Rahman.  E-commerce is buying and selling goods over the internet. This could include selling/buying mobile phones, clothes or DVD’s.
How It Applies In A Virtual World

How It Applies In A Virtual World
With Internet Explorer 9 Getting Started© 2013 Pearson Education, Inc. Publishing as Prentice Hall1 Exploring the World Wide Web with Internet Explorer.

With Internet Explorer 9 Getting Started© 2013 Pearson Education, Inc. Publishing as Prentice Hall1 Exploring the World Wide Web with Internet Explorer.
March 14, 2011. Microsoft Microsoft officially announced the date and time that Internet Explorer 9 (IE9) will move away from a release candidate and.

March 14, Microsoft Microsoft officially announced the date and time that Internet Explorer 9 (IE9) will move away from a release candidate and.
CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. Emails. Safe browsing for shopping and online banks. Social media.

CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. s. Safe browsing for shopping and online banks. Social media.
Cyber Crimes.

Cyber Crimes.

Similar presentations

Ads by Google