Privacy and Security on the Web Part 1

Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review and hopefully send tomorrow. Proposals: I will grade by next Tuesday Proposals: I will grade by next Tuesday

In The Beginning… Man-in-the-middle Man-in-the-middle Sniffing Sniffing SSL solved these SSL solved these Browser SSL indicators Browser SSL indicators –Locks –Keys –Borders –URL bar Question: How would you show users that a secure connection exists?

Now Common Vulnerabilities ActiveX Controls ActiveX Controls Java applets (bypassing of sandbox’s restrictions) Java applets (bypassing of sandbox’s restrictions) Cross-Site Scripting (mainly faults of web sites) Cross-Site Scripting (mainly faults of web sites) Cross-Zone and Cross-Domain Vulnerabilities Cross-Zone and Cross-Domain Vulnerabilities –Prevention of a web site from accessing data in a different domain (or zone) is broken Malicious Scripting, Active Content, and HTML Malicious Scripting, Active Content, and HTML Spoofing (faking various parts of the browser user interface) Spoofing (faking various parts of the browser user interface)

Also Privacy Users give personal information to get something Users give personal information to get something creating accounts, completing real world transactions, etc. creating accounts, completing real world transactions, etc. Cookies (usernames, sessionIDs, etc.) Cookies (usernames, sessionIDs, etc.) (which of course leads to phishing) (which of course leads to phishing) Just part of visiting a site Just part of visiting a site Tracking cookies Tracking cookies Web bugs Web bugs Traffic logs Traffic logs

So what do users do? Privacy practices paper results: Privacy practices paper results: –Users actions and stated preferences don’t always agree –Users do not understand current technologies relating to privacy –Judge “trustworthiness” on a variety of factors –Do not read privacy policies, but do use their presence to judge trust Implications?

Privacy policies How to make one: How to make one: – – Examples: – – ?ie=UTF8&nodeId=468496http:// ?ie=UTF8&nodeId=468496

What’s wrong with them? Accessibility? Accessibility? Readability? Readability? –Number of notices contain complex language requiring college-level knowledge Length (time) Length (time) Content Content See Jensen and Potts. Privacy policies as decision-making tools: an evaluation of online privacy notices. CHI 2004.

Proposed solution: P3P What is P3P? What is P3P? What do you think of P3P? What do you think of P3P? What happened to P3P? What happened to P3P? Creating P3P policies: Creating P3P policies: –

P3P and P3P user agents What: machine readable privacy policy in XML format. What: machine readable privacy policy in XML format. How does it work? How does it work? –website encode their privacy policies in P3P format –User agents read the policy and parse it out Benefit: Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format Benefit: Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format Privacy is visualized in the following ways: Privacy is visualized in the following ways: –Summarize privacy policies –Compare policies with user preferences –Alert and advise users

Privacy Bird: demo Opinions on Privacy Bird? Opinions on Privacy Bird?

Web Bugs and Traffic Logs Loading of remote image that doesn’t impact visual layout of page Loading of remote image that doesn’t impact visual layout of page Set 3 rd party cookie Set 3 rd party cookie Remote server can log event of image load even if cookie is rejected Remote server can log event of image load even if cookie is rejected However, there are lots of cases where we want our browsers to load images and display them to us However, there are lots of cases where we want our browsers to load images and display them to us Can be difficult to tell when this action is beneficial and when it isn’t Can be difficult to tell when this action is beneficial and when it isn’t

Bugnosis: A demo Thoughts? Thoughts?

P3P in IE6 Privacy icon on status bar indicates that a cookie has been blocked – pop-up appears the first time the privacy icon appears Automatic processing of compact policies only; third-party cookies without compact policies blocked by default

Users can click on privacy icon for list of cookies; privacy summaries are available at sites that are P3P-enabled

Privacy summary report is generated automatically from full P3P policy

What other tools are out there? Anti-spyware Anti-spyware Cookie managers Cookie managers Anonymizers Anonymizers Password managers and protectors Password managers and protectors Anti-phishing toolbars Anti-phishing toolbars Encryption tools Encryption tools Disk wiping utilities Disk wiping utilities What do you use? What do you use? What do you do manually to protect yourself? What do you do manually to protect yourself?

Research question What privacy issues should people be aware of on the Internet? What privacy issues should people be aware of on the Internet? How do we build tools to make people aware of these? How do we build tools to make people aware of these?

Next week More Security/Privacy and the Internet More Security/Privacy and the Internet Heuristic eval of Firefox extensions Heuristic eval of Firefox extensions Test prep Test prep Exam: 2 weeks from today Exam: 2 weeks from today