Presentation is loading. Please wait.

Presentation is loading. Please wait.

ARE YOU SURE YOU WANT TO CONTACT US? On the privacy risks at website contact pages UISGCON, December 2015 Alex Starov.

Published byHollie Wilkerson Modified over 9 years ago

Similar presentations

Presentation on theme: "ARE YOU SURE YOU WANT TO CONTACT US? On the privacy risks at website contact pages UISGCON, December 2015 Alex Starov."— Presentation transcript:

1 ARE YOU SURE YOU WANT TO CONTACT US? On the privacy risks at website contact pages UISGCON, December 2015 Alex Starov

2 Privacy is a Trend in Security with Age Secure computation protocols for “partial information games” are from late 1970’s “The adversary is not an outsider (an eavesdropper) but rather the collaborating parties themselves” (Moti Yung’s keynote, CSS 2015) 2

3 What is Privacy? Privacy is an individual’s right to control what happens with her personal and confidential data Five Fair Information Practice Principles (FTC, 1998): ① Minimize collection ② Minimize sharing ③ Protect what you collect ④ Post and follow a privacy policy ⑤ Give users choice and access Anonymous and untrackable web browsing 3

4 Privacy Intrusion on Web Pages Privacy Intrusion PII LeaksAccidentalPurposefulTrackingBrowserStatelessStatefulNetwork 4 1 2 (Astoria, NDSS 2016)

5 How much Private Information should be revealed via Contact Pages? Web Browsing / Window Shopping Accepting Service / Buying 5

6 Contact Page is a Gateway 6 Anonymous Pseudonymous (tracked) Eponymous (email, name...)

7 Pseudonymous Tracking is Fragile Ways of being identified (Narayanan, 2011): The third party is sometimes a first party Leakage of identifiers from first-party to third-party sites The third party buys your identity Hacks (the third party uses a security exploit) Continuous re-identification! 7

8 PII Leakage: Accidental 8

9 PII Leakage: Intentional 9

10 PII Leakage: Postponed 10

11 PII Leakage: Unsuspected 11

12 How much information do you share with locally popular websites? Drive-by-login attack: the end of the safe web (High-Tech Bridge Security Research, 2015) “On the Privacy Practices of Just Plain Sites” (Our work at CommerceNet, presented at WPES 2015) 12

13 OUR STUDY Measurements 13

14 Measuring «potential» leakage Characterizing Insecure JavaScript Practices on the Web (Yue et al., 2011)  66.4% websites include JavaScript from external domains into the top-level documents of their webpages You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions (Nikiforakis et al., 2012) 14

15 15 Contact Us: Remote JS Inclusion

16 Measuring «actual» PII Leakage PaperTargetSampleMeasurement (Krishnamurthy et al., 2006) Hidden PII aggregation Top ~1000Automated by tools (Jensen et al., 2007) Online data practices Top ~25,000Own iWatch web crawler (Krishnamurthy et al., 2009) PII leakage12 popular OSNsManually (Krishnamurthy et al., 2009) Longitudinal study of PII aggregation Top ~1000Extension + Proxy (Krishnamurthy et al., 2011) PII leakageTop 100 non-OSNAutomation + Manual Analysis (Chaabane et al, 2014) PII leakageAll ~1500 apps for specific OSN Own platform (Englehardt et al, 2015) Web privacy measurement (specific studies)The OpenWPM platform 16

17 WANTED: Full Web Automation! 17 …like in the Matrix Movie To trigger any actions on websites Lower bounds only limited by CAPTCHAs

18 Contact Us: PhantomJS-based Crawler PhantomJS-based crawler that: ① Finds the web page containing a contact form ② Locates the contact form within the page ③ Fills and submits the form with valid data ④ Detects (or infers) the PII leakage in the traffic Identifying PII in HTTP traffic: ① Looking for email being sent to 3 rd -party in the clear ② Repeating 3 submissions (one with changed email) & comparing sent parameters to infer obfuscation 18

19 Contact Us: Key Results 6.1% Leak PII Intentionally via different marketing solutions via 3 rd -party form builders 2.5% Leak PII Accidentally with a great «cascading» effect 19 Running large-scale study on the top 100,000 websites, we found that 17% have contact forms, out of which:

20 Contact Us: Leakage via Referer 20

21 Contact Us: Weblead Scripts 21

22 Contact Us: Weblead Providers 22

23 Contact Us: More on Webleads Indeed, over the duration of our experiment we received 309 emails from third parties, that is, domains which our crawler never contacted Leakage prevalently occur on submit, but in some cases – even during filling a form! 23

24 Webleads were Reported to GHOSTERY 24

25 Contact Us: By Category 25

26 WEB TRACKING Pseudonymous identifiers 26

27 Stateful Tracking: 3 rd -party Cookies 27

28 Stateful Tracking: Evercookies Flash Cookies and Privacy (Soltani et al., 2009)  30% of websites copy HTTP cookies in Flash cookies, 4 cases of restoring deleted HTTP cookies detected JavaScript library “evercookie” (Samy Kamkar, 2010)  Extensively replicating cookie values in a user's browser Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (Ayenson et al., 2011)  ETags cache cookies work even in Private Browsing Mode The Web never forgets: Persistent tracking mechanisms in the wild (Acar et al., 2014)  Trackers can receive more than 30 IDs via “cookie syncing” 28

29 Stateless Tracking: Fingerprinting A website may query the browser for different properties (features) Browser properties together can form a (nearly) unique ID 29

30 Features for Fingerprinting ACTIVE Time zone Screen resolution Installed fonts Installed plugins Enabled plugins Supported MIME types Cookies enabled Flash enabled PASSIVE IP address User Agent Language HTTP accept headers Operating system 30

31 How Unique Is Your Web Browser? (Eckersley, 2010) 31

32 Anticipated Threat of Fingerprinting Plugins are becoming obsolete:  Mozilla Firefox only shows a partial list of plugins for scripts  Google Chrome is to block plugins built on NPAPI architecture  In 2010 Apple decided to not support Flash for security Extensions may serve as a new feature for fingerprinting!  E.g., user-agent spoofing extensions (Cookieless monster, Nikiforakis et al., 2013) 32

33 OUR STUDY Protection 33

34 COUNTERMEASURES Policy-based Technologies Opt-Out Cookies, Do-Not-Track Header Privacy-preserving Browsers Tor Browser, Multi-principal proposals Privacy-protecting Tools Blocking or Deception 34

35 Privacy-protecting Tools ToolTargetDetectionProtection Adblock Plus AdsBlacklistingBlocking AdNauseam Ads-Unlinkability Chameleon FingerprintingMonitoringUnification FormLock Web Forms(not yet)Blocking Ghostery TrackersCrowdsourcingBlocking Privacy Badger TrackersLearningBlocking PriVaricator Fingerprinting-Unlinkability TorButton Fingerprinting-Unification TrackMeNot Search queries-Unlinkability 35 Deception = Unification or Unlinkability

36 Crowdsourcing Business approach becomes a research strategy Challenges:  How to preserve privacy?  How to deal with poisoned data?  Semi-automatic analysis? 36

37 Contact Us: FormLock Extension Form Warning If the method of form submission is GET If the target of a form is a third-party website or the whole form is a widget If the protocol is HTTP Form Locking Allows only requests to the first-party and target websites Upon releasing the lock removes all new browsing data Reloads the page with removed URL parameters 37

38 Contact Us: FormLock Extension 38

39 Contact Us: FormLock Extension 39

40 Thank You! Questions? 40 https://github.com/ostarov/Formlock ostarov@cs.stonybrook.edu @o_starov Oleksii StarovPhillipa GillNick Nikiforakis

Download ppt "ARE YOU SURE YOU WANT TO CONTACT US? On the privacy risks at website contact pages UISGCON, December 2015 Alex Starov."

Similar presentations

SOCIAL WEB MEDIA privacy and data mining part 2 4/12/2010.

SOCIAL WEB MEDIA privacy and data mining part 2 4/12/2010.
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.

Expressive Privacy Control with Pseudonyms Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall University.
Browser Comparisons Internet Explorer 8 & 9, Chrome 11 and Firefox 4 Security, Privacy, Add-ons & Convenience.

Browser Comparisons Internet Explorer 8 & 9, Chrome 11 and Firefox 4 Security, Privacy, Add-ons & Convenience.
Google Docs is a free, web-based office suite offered by Google within its Google Drive service. It was formerly a storage service as well, but has since.

Google Docs is a free, web-based office suite offered by Google within its Google Drive service. It was formerly a storage service as well, but has since.
Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)

Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)
Third Party Web Tracking Policy and Technology based on the paper of Jonathan R. Mayer and John C. Mitchell Stanford University Stanford, CA

Third Party Web Tracking Policy and Technology based on the paper of Jonathan R. Mayer and John C. Mitchell Stanford University Stanford, CA
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
APPLAUS: A Privacy-Preserving Location Proof Updating System for Location-based Services Zhichao Zhu and Guohong Cao Department of Computer Science and.

APPLAUS: A Privacy-Preserving Location Proof Updating System for Location-based Services Zhichao Zhu and Guohong Cao Department of Computer Science and.
Safer Web Browsing Terry Labach Information Security Services IST.

Safer Web Browsing Terry Labach Information Security Services IST.
The Internet 8th Edition Tutorial 1 Browser Basics.

The Internet 8th Edition Tutorial 1 Browser Basics.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Automated Tracking of Online Service Policies J. Trent Adams 1 Kevin Bauer 2 Asa Hardcastle 3 Dirk Grunwald 2 Douglas Sicker 2 1 The Internet Society 2.

Automated Tracking of Online Service Policies J. Trent Adams 1 Kevin Bauer 2 Asa Hardcastle 3 Dirk Grunwald 2 Douglas Sicker 2 1 The Internet Society 2.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.

The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.
IT 210 The Internet & World Wide Web introduction.

IT 210 The Internet & World Wide Web introduction.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

Similar presentations

Ads by Google