Fresh

There is no new content.

» Go to the full list

Recent comments

» 2018.02.03. 18:24:02, Note for Firefox @ Preventing misuses and misapprehensions of FireGloves

» 2017.03.12. 20:02:46, Namrata Nayak @ Predicting anonymity with machine learning in social networks

» 2017.01.13. 20:51:19, anonymous @ Preventing misuses and misapprehensions of FireGloves

» 2016.06.12. 13:52:44, Dany_HackerVille @ Preventing misuses and misapprehensions of FireGloves

» 2014.08.29. 17:16:15, [anonymous] @ Preventing misuses and misapprehensions of FireGloves

Search

4 results.

How Websites Can Identify You By Your Browser Extensions and Web Logins

| | 2017.04.05. 13:46:41  Gulyás Gábor  

This week we are excited to announce a new privacy-awareness raising project. We demonstrate how websites can detect two aspects of your online behavior:

  1. What extensions you have installed. For example, if you block ads by AdBlock Plus or whether you are trying to protect yourself from tracking using Ghostery or Disconnect.
  2. Which websites you are logged into. For example, websites can now whether you have entered your Gmail, Twitter or accessed your Facebook.

Websites may collect these pieces of information for various reasons; either to track you, or to learn more about you.

Fingerprinting beyond devices: your behavior

Why? Well, the main goal of online tracking is to identify website visitors across websites. Trackers recognize visitors by reading unique user’s identifier stored in cookies, or by identifying a unique collection of user’s device characteristics: this is called device fingerprinting. Such unique collection of device’s properties, or a fingerprint, can often uniquely identify the user who visited the website. Usually, fingerprint includes technical parameters like what browser and operating system a visitor is using, what timezone she is from or what fonts she has in her system.

Beyond pure technical characteristics, which are not explicitly chosen by the user, users can be identified by more “behavioral” characteristics, such as the browser extensions they installed and websites where they have logged in. Detecting extensions and website logins can clearly make a significant contribution to fingerprinting — and we would not like to arrive to the point, where websites can track us based on our behavior.

This would be especially worrisome for pro-privacy people: the more extensions you install to your browser, the more trackable you are.

There could be more reasons for detecting your extensions and logins, which are beyond tracking (as tracking is mostly used for behavioral advertising and dynamic pricing). For example, a website would like to learn more about you by spying on your extensions and learning whether you have installed an adblock or not. With the method we featured in our test, this can be done even if the extension is disabled for the given page.

A website could also learn about your behavior and (somewhat private) preferences, in case you are logged in specific shopping, dating or health-related websites. Another possible scenario is if you work at a society, institution or a company that you don’t want the world to know. However, if you log in to your company intranet, there is a chance, that it could be detected and your workplace be learned. (Like for people working for Inria this can be detected, at least at the time of writing.) You might also not want to share with arbitrary websites that you are logged in to certain shopping sites, or to more sensitive services concerned with dating or your health.

What could we do about this?

The goal of our experiment is to change the status-quo by spreading the word about these issues to as many people as possible. This might not happen from one day to another, but we hope it will happen eventually — similarly as it happened for technical fingerprinting attacks, against which regular browsers now take countermeasures.

So, if you are interested, you can check out demo, or you can read to know more about the details.

Browser Extension and Login-Leak Experiment: https://extensions.inrialpes.fr

Technical details on how it works

The extension detection technique exploits that websites can access browser extension resources. For example, a website can try to detect if Ghostery is installed in Chrome by trying to load its images (click to test) or if you have Adblock installed (click to test). These resources are called web accessible resources, and they are needed to provide a better user interface in the browser. In Chrome, extensions have less options to change the UI, thus more extensions use these resources (roughly 13k). In Firefox, extensions have more flexibility to the change the UI, making web accessible resources less common.

For the login detection we use two methods: redirection URL hijacking and we also use Content-Security-Policy violations. Let’s discuss them in this order.

Redirection URL hijacking. Usually, when you try to get access to a restricted page on a website, you are dropped to the login page if you are not logged in already. In order to make your life easier, these login pages remember the URL of the rejected page, and they plan to drop you there after logging in properly. This is where our attack comes in: we change this URL, so you’ll land on an image if already logged in.

More technically speaking, if we embed an <img> tag pointing to the login page with the changed URL redirection, two things can happen. If you are not logged in, this image will fail to load. However, if you are logged in, the image will load properly, and we can detect this, even though we are a third-party site here.

Abusing Content-Security-Policy violation for detection. Content-Security-Policy, or CSP in short, is a security feature designed to limit what the browser can load for a website. For example, CSP can be easily used to block injected scripts on forums. If there is an attempt like that, the resource will not load, and the browser can also be instructed to report such violation attempts to the server backend.

However, we can also use this mechanisms for login detection, if there are redirections between subdomains on the target site depending on whether you are logged in or not. Similarly, we can embed an <img> tag pointing to a specific subdomain (and page) on the target website, just wait if a redirection happens or not (which would violate our artificial CSP constraints).

Advices for self-protection

If you want to protect yourself from websites seeing which extensions you use, the only advice we can give for the moment is to switch to another browser. For example, in Firefox only few extensions are detectable. You could use other browsers too, but we can’t tell which one would be the best in terms of protection: it has not yet been evaluated.

The good news are: blocking login detections is easy — all you need to do is to disable third party cookies in your browser. Some tracking blocking extensions, such as Privacy Badger could also help — but don’t forget: the more extensions you install, the more trackable you’ll be.

I am thankful to Nataliia Bielova reviewing a draft version of this post.

Tags: web privacy, fingerprint, tracking, adblock

Permalink: https://pet-portal.eu/blog/read/713/2017-04-05-How-Websites-Can-Identify-You-By-Your-Browser-Extensi...

0 comment(s).





Device fingerprinting by font-rendering differences

| | 2015.07.21. 05:51:39  Gulyás Gábor  

In 2012, we demonstrated that the OS can be fingerprinted by checking the presence of a greater variety of front (hey, we also have a paper on that). In addition, we showed this by using JavaScript only that was running from a website. This project seems to have more detailed results on this issue, as the authors went further than checking the presence of of a font: they checked how characters are rendered with a given font in different browser. This surely gives more details than 0/1, and according to their results they could use this information solely to make 34% of their submissions uniquely identifiable:

We describe a web browser fingerprinting technique based on measuring the onscreen dimensions of font glyphs. Font rendering in web browsers is affected by many factors—browser version, what fonts are installed, and hinting and antialiasing settings, to name a few— that are sources of fingerprintable variation in end-user systems. We show that even the relatively crude tool of measuring glyph bounding boxes can yield a strong fingerprint, and is a threat to users' privacy. Through a user experiment involving over 1,000 web browsers and an exhaustive survey of the allocated space of Unicode, we find that font metrics are more diverse than User-Agent strings, uniquely identifying 34% of participants, and putting others into smaller anonymity sets. Fingerprinting is easy and takes only milliseconds. We show that of the over 125,000 code points examined, it suffices to test only 43 in order to account for all the variation seen in our experiment. Font metrics, being orthogonal to many other fingerprinting techniques, can augment and sharpen those other techniques.

We seek ways for privacy-oriented web browsers to reduce the effectiveness of font metric–based fingerprinting, without unduly harming usability. As part of the same user experiment of 1,000 web browsers, we find that whitelisting a set of standard font files has the potential to more than quadruple the size of anonymity sets on average, and reduce the fraction of users with a unique font fingerprint below 10%. We discuss other potential countermeasures.

You can find the paper here.

Tags: web bug, fingerprint, tracking, font, device identifier

Permalink: https://pet-portal.eu/blog/read/665/2015-07-21-Device-fingerprinting-by-font-rendering-differences.p...

0 comment(s).





Tracking users on the web – reaching your devices and beyond

| | 2013.09.30. 05:41:17  Gulyás Gábor  

What are cookies, and why do marketers need them?

In the last ten years online advertising has grown tremendously, especially personalized advertisements concerning user behavior, called behavioral advertising. According to the estimation of the Interactive Adtvertising Bureau just in the United States internet advertising revenues reached $36.6 billion in 2012. In parallel, a myriad of techniques emerged allowing to detect the identity of surfing webizens in order to profile their preferences and interests. The simplest and yet most widespread identification method uses web bugs and tracking cookies, when a tracker service places unnoticeable small detectors on several websites allowing him to store and read identifiers from the computers of the visitors. Application of cookies allows servers to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and so is able to carry information from one visit to the website to the next.

Owing to the large scale deployment of web bugs, user consciousness has also risen: many users set their browsers to reject cookies or quickly extinguish them. Other trends like the expansion of smart phones phones, which are taking an increasing part of the Web usage, also caused problem for marketers, since smart phones do not use cookies.

Digital fingerprints – emergence of technology in tracking

These changes are forcing trackers to develop novel techniques, such as fingerprinting, i.e. when characteristic attributes are used for identification rather than storing identifiers on user-side. In the academic era, the Panopticlick project was the first in 2010 to show that by using Flash or Java plugins browsers can be precisely fingerprinted. Later in 2011, Hungarian researchers pointed out that plugins are not even necessary for tracking, as font list can be detected from the browser directly, and the list is browser-independent for both Windows and Mac OSes (you can test the underlying principles on your own computers).

The tracking market also went along a similar direction quite rapidly. In the beginning of 2012, one of the leading fingerprint-based trackers advertised itself for the European market with device fingerprinting, emphasizing that their method is compatible with local law making the use of tracking cookies difficult (as it doesn’t need cookies at all). Today, leading fingerprinting companies offer services that go even beyond device fingerprinting: they recognize and connect devices that are likely to belong the same person, such as smart phones, tablets and laptops.

A recent paper that appeared at the IEEE Symposium on Security & Privacy reveals more details on the penetration and functionality of these companies. One of the most interesting finding is a rather low utilization rate on top sites, namely 0.4% in the Alexa top 10,000. However, the authors still found thousands of less relevant sites utilizing fingerprinting techniques, from which most were categorized as malicious, or spam (though one could expect regular business sites to do so).

Regarding their functionality, they found that tracker services use Flash and JavaScript for font detection, plus use Flash for additional tasks, such as obtaining system information, multi-screen resolution, or even for circumventing proxy protection in order to reveal the real IP address of the visitor. Some trackers go even further, using custom DLLs to gather more information from the registry (being a bit spyware-like), while others encrypt client identifiers to put themselves into a central, unavoidable position.

Future of fingerprinting

While fingerprinting is not widely adopted yet, and serious development is missing for protective technologies, the cat-and-mouse game seems to have begun in the area: tracking companies will likely outrun protective technologies as they get to the current level of the state-of-the-art fingerprinting techniques. Researchers predict that in the near future a shift is expected from the tech-based fingerprinting to biometric fingerprinting, opening new challenges for the privacy-enhancing research community.

This post originally appeared in the Tresorit Blog.

Tags: fingerprint, web tracking, tracking cookie

Permalink: https://pet-portal.eu/blog/read/546/2013-09-30-Tracking-users-on-the-web-8211-reaching-your-devices-...

0 comment(s).





Preventing misuses and misapprehensions of FireGloves

| | 2013.08.26. 14:12:37  Gulyás Gábor  

This post is about the story of FireGloves. If you don't have time to read it, the short summary is: FireGloves will not protect your privacy from being fingerprinted. For the details, please continue reading.


The history and background of FireGloves

FireGloves is a demonstrational Firefox extension that was created by a small team of researchers at the Budapest University of Technology and Economics in order to show that it is possible to defeat system fingerprinting (if you are new to the topic, read about fingerprinting here and here). At the time being it was developed (started at the end of 2011), there were no tools, even no proposals how to defeat fingerprinting. We only had a few ideas how fingerprinting techniques could work, and there were a few companies offering fingerprint-based tracking services. So we decided to create a simple tool that can show that fingerprinting can be avoided with a little loss of user experience. That was FireGloves.

(For the sake of completeness, I must mention that the Tor Browser Bundle developer team also proposed a solution in parallel, which was later compiled into their product. It was rather a simple but long standing solution: they introduced some options to limit the number of fonts what a website can load. I also made a suggestion to enhance their proposal.)

In April 2012, we introduced a new fingerprinting test demonstrating the capabilities of these techniques at a press event. FireGloves was also shown, demonstrating that we were looking for a solution, and not interested in exploiting user privacy. (For the curious reader: recent research makes it clear that the fingerprint-based tracking industry went along the direction we suspected. We also have a recently published book chapter including further predictions becoming reality.) FireGloves was successful at that time: after testing it against one of the leading fingerprinting companies, it was able to circumvent tracking.

Recent changes

However, times changed. Our development team dissolved in September 2012, FireGloves was no longer developed. Although we clarified that FG is a plugin of demonstrational purposes, it had almost 2k users constantly, and we also received a few bug reporting and support-requesting emails every month. What really urged writing this post is the wide publicity FG gained in August 2013: many users adopted the plugin in the hope of getting some protection, making a false sense of privacy. However, I must mention that we are grateful for the sites writing about FireGloves, since this publicity also raised the awareness on a very important and unsolved issue. So: thank you! :-) [Links to some of these articles can be found on the Hungarian press coverage page.]

Blowing away the misapprehensions

One of the main things why FireGloves gained visibility, that it is the only known extension of its kind. This is because fighting fingerprinting is not easy, and several aspects of protection need to be considered. Which is perhaps too much for a single extension. Secondly, probably because the achievements of FG on fingerprinting tests can be misleading (both on the Panopticlick and Fingerprinting 2.0 tests). For instance, in this video it is demonstrated that FG decreases traceability greatly. In fact, what is shown is that it is possible to protect ourselves against the vulnerabilities what these tests (and fingerprinting trackers at those times) exploited. However, fingerprinting techniques evolved since these tests were created. Thus to have an up-to-date protection FG would have also needed to be upgraded constantly.

So, what should one do?

In my opinion, it is not pointless to fight fingerprinting. To the contrary: the more users support anti-fingerprinting, the better these solutions will get. But where to look? The greatest tools currently available are the Tor Browser Bundle and the JondoFox anonymous web browsers. These are made by professionals, and include customized portable Firefox browsers. These are even modified at the source level, and include the most important extensions that one would need. (Beware! If you use too much of extensions, you loose privacy. Check out our book chapter for details, and read about the anonymity paradox.)

Closing words

Thank you for reading so far, and I hope you find this writing useful. Meaningful comments are welcome.

Oh, and if you are motivated to continue developing FireGloves, you'll find the source code on GitHub! Please let us know if you have any modifications done! I’m sure it is worth the effort.

Tags: firefox, fingerprint, user tracking, firegloves

Permalink: https://pet-portal.eu/blog/read/533/2013-08-26-Preventing-misuses-and-misapprehensions-of-FireGloves...

7 comment(s).





© International PET Portal, 2010 | Imprint | Terms of Use | Privacy Policy