I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan §, Yinzhi Cao †,

Presentation transcript:

I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan §, Yinzhi Cao †, Yan Chen § Presenter: Fan Luo College of William and Mary

Roadmap
- Introduction
- Previous work & Novelty
- System Design
- Evaluation
- Summary

Web Tracking
- Record the client's behavior
  - Identifier
  - Private information
- Prevalent
  - More than 90% of Alexa Top 500 web sites [Roesner, NSDI 2012]
  - A web page usually has multiple tracking elements

Research problem
Protecting users from stateful third-party web tracking
- First party: host web server
- Second party: user
- Third party: tracking web server
[Figure: a User's visit; requests reaching the Tracker are labelled with Referer and Cookie: id]

Goals
- Complete blocking
- High function preservation
- Low performance overhead

Out-of-scope Goals
Does not address the following threats:
- Within-site tracking
- Tracking by exploiting browser vulnerabilities
- Stateless tracking


Previous Work
No effective defense approach:
- Disable third-party identifiers: can be easily bypassed
- Blacklist third-party requests: needs a priori knowledge of the tracking server
- Do-not-track header: no enforcement

Novelty
TrackingFree: first anti-tracking browser by mitigating unique identifiers.
Main idea:
- Partition client-side states into multiple isolation units
- Identifiers still exist but are not unique
- Cut off the tracking chain


System Design
- Profile based isolation mechanism
- Principal Communication
- Content allocation mechanism
- Flexibility of domain specification

Content allocation mechanism
- Initial Contents Allocation. Top frame: navigated by users directly
- Derivative Contents Allocation. Child frame: frames generated due to the contents on other frames

Initial Contents Allocation
- Granularity (  ): All the subdomains of a registered domain will be grouped together. Different domains are put in different principals.
- One Principal per Domain (  ): Web pages opened through the address bar and command line arguments will be put in one principal if and only if they have the same domain.

Derivative Contents Allocation
- Principal Switch: Should we switch principal for a child frame?
- Principal Selection: How to choose the target principal?

Principal Switch
Two intuitive yet extreme switch algorithms:
- No switch: privacy issue
- Switch all: unnecessary overhead
Solution: switch if and only if both of the following conditions are met:
- Cross-site
- Main frame navigation OR user-triggered

Principal Selection
Two intuitive yet extreme selection algorithms:
- Always create a new principal: compatibility issues
- Always reuse an existing principal: privacy issue
Solution: in-degree-bounded principal selection policy
- Maintain a graph of all the principals
- Maximum in-degree number = 2

Graph of Principals
- Node: principal
- Edge: at least one frame has switched

Principal Communication
Two intuitive yet extreme communication algorithms:
- Unconditional enable: privacy issue
- Completely disable: functionality issue
Solution: adopt different policies for different channels
- Explicit communication: messaging among different frames by browser APIs
- Implicit communication: history sharing, communication through navigation

Explicit communication
Problem: breaks the isolation mechanism
Solution: use the following restrictive conditions
- Third-party elements can only explicitly communicate with the first-party elements in their principals.
- First-party elements can only explicitly communicate with the first-party elements placed in their neighbor principals.

Example

Implicit Communication
History sharing
- Why? Browsing history is isolated
- How? Public history manager
- Secure? A principal can only write, cannot read
Communication through navigation
- Problem: a tracker can put a tracking identifier on cross-site URLs
- Compromise solution: clear the query strings on non-navigation third-party requests' Referer headers
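The principal-switch condition and the Referer rule from the slides above, as an added JavaScript example (not TrackingFree's own code). The function names and sample URLs are constructed, and the registered domain is approximated by the last two host labels rather than the Public Suffix List.

```javascript
// Added illustration of two rules from the slides; not TrackingFree source code.

// ASSUMPTION: the registered domain is approximated by the last two host
// labels. A real browser consults the Public Suffix List (e.g. for *.co.uk).
function registeredDomain(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

function isCrossSite(a, b) {
  return registeredDomain(a) !== registeredDomain(b);
}

// Principal switch: cross-site AND (main-frame navigation OR user-triggered).
function shouldSwitchPrincipal({ fromUrl, toUrl, mainFrame, userTriggered }) {
  return isCrossSite(fromUrl, toUrl) && (mainFrame || userTriggered);
}

// Referer rule: on non-navigation third-party requests, drop the query
// string so an identifier smuggled into the page URL is not forwarded.
function outgoingReferer({ pageUrl, requestUrl, isNavigation }) {
  const ref = new URL(pageUrl);
  ref.hash = ''; // fragments are never sent in Referer
  if (!isNavigation && isCrossSite(pageUrl, requestUrl)) ref.search = '';
  return ref.href;
}

// Constructed sample: the user followed a cross-site link that carried an id.
const PAGE = 'https://shop.example.com/item?id=7&trk=abc123';
const SAMPLE_REQUESTS = [
  { requestUrl: 'https://static.example.com/app.js', isNavigation: false },
  { requestUrl: 'https://pixel.tracker.test/p.gif', isNavigation: false },
  { requestUrl: 'https://pay.partner.test/checkout', isNavigation: true },
];

function refererReport(pageUrl, requests) {
  return requests.map((r) => ({
    to: r.requestUrl,
    referer: outgoingReferer({ pageUrl, ...r }),
  }));
}

console.log(refererReport(PAGE, SAMPLE_REQUESTS));
console.log(shouldSwitchPrincipal({
  fromUrl: PAGE, toUrl: 'https://pay.partner.test/checkout',
  mainFrame: true, userTriggered: true,
}));
```

Only the second sample request, a third-party subresource fetch, loses the query string; the same-site fetch and the cross-site navigation keep the full page URL.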

Preference Configure
Problem: user preference is isolated, causing user experience issues
Solution:
- Apply user-initiated changes in each principal to all existing principals.
- Monitor GUI messages to determine user-initiated preference changes.
- Synchronize with newly created principals.

Domain Data Manager
- Why? Decrease the number of principals
- How? Transient principal for each regular principal
Domain Data Synchronization
- Why? Improve user experience
- How? Synchronize data belonging to specified domains


Evaluation
- Anti-tracking capability
  - Formal proof
  - Experiments with real world websites
- Performance: overhead (latency, memory, disk)
- Compatibility

Formal Proof
Formally analyze TrackingFree's anti-tracking ability:
- Give Alloy an assertion
- Alloy tries to search the space to find a counterexample
Formally verified: without site collaboration, trackers can correlate a user's activities up to three principals.

Experiments with Real World Web Sites
- Visited 2,032 valid URLs from Alexa Top 500 web sites
- Gathered 647 tracking tokens
- TrackingFree eliminated all of them

Performance: Latency

Performance: Memory & Disk overhead

Memory Overhead on 12 Web Pages (~25MB/Principal)
                 Chromium     TrackingFree   Increase
1 Principal      477.1 MB     505 MB         27.9 MB
4 Principals     623.6 MB     702.8 MB       79.2 MB
12 Principals    434.6 MB     642.5 MB       297.9 MB

Disk Overhead on 12 Web Pages (~0.6MB/Principal)
                 Chromium     TrackingFree   Increase
1 Principal      21.3 MB      21.8 MB        0.5 MB
4 Principals     22.5 MB      25.9 MB        3.4 MB
12 Principals    23.7 MB      29.4 MB        5.7 MB

Compatibility
Tested on Alexa Top 50 websites
- Compatibility on first-party websites: 50/50
- Compatibility on third-party services
  - Cross-site online payments (1/1)
  - Cross-site content sharing (31/31)
  - Single sign-on (35/36)
  - Overall results: 67/68


- Research problem: Protecting users from stateful third-party web tracking
- Solution: Isolating resources in different principals. Designed and implemented TrackingFree browser
- Evaluation: Theoretically and experimentally proved anti-tracking capability. Affordable overhead and compatibility cost.

Questions
1. Why utilize a profile-based isolation mechanism to isolate different principals?
2. For principal selection, why is the maximum in-degree number set to 2?
3. What are the two methods for dealing with the inconsistency of multiple principals for a single site?