
How Websites Can Identify You By Your Browser Extensions and Web Logins

2017.04.05. 13:46:41 Gulyás Gábor

This week we are excited to announce a new privacy-awareness raising project. We demonstrate how websites can detect two aspects of your online behavior:

  1. What extensions you have installed. For example, whether you block ads with Adblock Plus, or whether you are trying to protect yourself from tracking with Ghostery or Disconnect.
  2. Which websites you are logged into. For example, websites can now know whether you are logged in to Gmail, Twitter or Facebook.

Websites may collect these pieces of information for various reasons: either to track you, or to learn more about you.

Fingerprinting beyond devices: your behavior

Why? Well, the main goal of online tracking is to identify website visitors across websites. Trackers recognize visitors by reading a unique user identifier stored in cookies, or by identifying a unique collection of the user’s device characteristics: this is called device fingerprinting. Such a unique collection of device properties, or fingerprint, can often uniquely identify the user who visited the website. Usually, a fingerprint includes technical parameters like what browser and operating system a visitor is using, what timezone she is in or what fonts she has installed on her system.

Beyond purely technical characteristics, which are not explicitly chosen by the user, users can also be identified by more “behavioral” characteristics, such as the browser extensions they have installed and the websites they are logged in to. Detecting extensions and website logins can clearly make a significant contribution to fingerprinting — and we would not like to reach the point where websites can track us based on our behavior.

This would be especially worrisome for pro-privacy people: the more extensions you install in your browser, the more trackable you are.

There could be more reasons for detecting your extensions and logins beyond tracking (tracking is mostly used for behavioral advertising and dynamic pricing). For example, a website might want to learn more about you by spying on your extensions to find out whether you have an ad blocker installed. With the method we featured in our test, this can be done even if the extension is disabled for the given page.

A website could also learn about your behavior and (somewhat private) preferences if you are logged in to specific shopping, dating or health-related websites. Another possible scenario is if you work at a society, institution or company that you don’t want the world to know about. If you log in to your company intranet, there is a chance that this can be detected and your workplace learned. (For people working at Inria, for instance, this can be detected, at least at the time of writing.) Likewise, you might not want to share with arbitrary websites that you are logged in to certain shopping sites, or to more sensitive services concerned with dating or your health.

What could we do about this?

The goal of our experiment is to change the status quo by spreading the word about these issues to as many people as possible. This might not happen overnight, but we hope it will happen eventually — just as it happened for technical fingerprinting attacks, against which regular browsers now take countermeasures.

So, if you are interested, you can check out the demo, or read on for the details.

Browser Extension and Login-Leak Experiment:

Technical details on how it works

The extension detection technique exploits the fact that websites can access browser extension resources. For example, a website can try to detect whether Ghostery is installed in Chrome by trying to load its images, or whether you have Adblock installed. These resources are called web accessible resources, and they are needed to provide a better user interface in the browser. In Chrome, extensions have fewer options to change the UI, so more extensions use these resources (roughly 13k). In Firefox, extensions have more flexibility to change the UI, making web accessible resources less common.
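As an added illustration of the exposure described above (this is not code from the original post or from any real extension), the following JavaScript models how Chrome decides whether a web page may load an extension's resource: a Manifest V2 style string list exposes the file to every site, while a Manifest V3 entry restricted with "matches" (a feature introduced after this post was written) exposes it only to the listed origins. The file names and the shop.example origin are assumptions.

```javascript
// Added example, not code from the original post or from any real extension.
// Models how Chrome decides whether a web page may load an extension resource:
// a Manifest V2 style string list exposes it to every site, while a Manifest V3
// entry restricted with "matches" exposes it only to listed origins.
// The file names and the shop.example origin are constructed for illustration.

// Weak: any website can probe chrome-extension://<id>/img/icon.png.
const weakManifest = {
  manifest_version: 2,
  web_accessible_resources: ['img/icon.png', 'ui/panel.html'],
};

// Hardened: the same files are reachable only from the site that needs them
// (entries using "extension_ids" instead of "matches" are not modelled here).
const hardenedManifest = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ['img/icon.png', 'ui/panel.html'], matches: ['https://*.shop.example/*'] },
  ],
};

// Convert a Chrome match pattern such as "https://*.shop.example/*" to a RegExp.
function matchPatternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^(?:https?|file|ftp):\/\//;
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');   // keep "*" unescaped
  const source = escaped
    .replace(/\*\\\./g, '(?:[^/]+\\.)?')   // "*." in the host: any subdomain, or none
    .replace(/\*/g, '.*');                 // remaining "*" (scheme or path): anything
  return new RegExp('^' + source + '$');
}

// Can a page at pageUrl load `resource` from an extension with this manifest?
function resourceAccessible(manifest, pageUrl, resource) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) return war.includes(resource);
  return war.some(entry =>
    entry.resources.includes(resource) &&
    (entry.matches || []).some(p => matchPatternToRegExp(p).test(pageUrl)));
}
```

Even the hardened form still lets the listed origin detect the extension; the restriction only removes every other website from the set that can probe it.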

For login detection we use two methods: redirection URL hijacking and Content-Security-Policy violations. Let’s discuss them in this order.

Redirection URL hijacking. Usually, when you try to access a restricted page on a website, you are sent to the login page if you are not logged in already. To make your life easier, these login pages remember the URL of the rejected page and send you back there after you log in properly. This is where our attack comes in: we change this URL, so that you land on an image if you are already logged in.

More technically speaking, if we embed an <img> tag pointing to the login page with the modified redirection URL, two things can happen. If you are not logged in, the image will fail to load. If you are logged in, however, the image will load properly, and we can detect this even though we are a third-party site.

Abusing Content-Security-Policy violations for detection. Content-Security-Policy, or CSP for short, is a security feature designed to limit what the browser may load for a website. For example, CSP can easily be used to block injected scripts on forums. If such an attempt is made, the resource will not load, and the browser can also be instructed to report the violation to the server backend.

However, we can also use this mechanism for login detection if the target site redirects between subdomains depending on whether you are logged in or not. Similarly to the previous method, we embed an <img> tag pointing to a specific subdomain (and page) on the target website and wait to see whether a redirection happens, which would violate the artificially narrow CSP constraints we set on our own page.
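Both login-detection methods above depend on the browser attaching the target site's session cookie to an image request made from a third-party page. As an added example (not code from the original post), the following JavaScript models the redirect-based oracle together with the two settings a site operator can use to close it: a session cookie that is not SameSite=None, which keeps it out of cross-site image requests (the same property the CSP-based variant relies on), and a server-side allowlist for the redirect target. The site, cookie name, paths and routes are assumptions.

```javascript
// Added example, not code from the original post. Models the redirect-based
// login oracle described above and the server-side settings that close it.
// site.example, the "sid" cookie, /img/avatar.png and the routes are constructed.

const SITE = 'https://site.example';
const PAGE_ROUTES = new Set(['/', '/account', '/private']);   // HTML pages only

// Browser side: a cross-site <img> request carries a cookie only when the
// cookie was set with SameSite=None; Lax and Strict cookies stay first-party.
function cookiesForCrossSiteRequest(jar) {
  const sent = {};
  for (const c of jar) if (c.sameSite === 'None') sent[c.name] = c.value;
  return sent;
}

// Server side: only honour a `next` parameter that names a known page route,
// never an arbitrary resource such as an image.
function safeNext(next) {
  try {
    const u = new URL(next, SITE);
    if (u.origin !== SITE || !PAGE_ROUTES.has(u.pathname)) return '/';
    return u.pathname;
  } catch (e) {
    return '/';
  }
}

// Server side: the login page. An already logged-in visitor is bounced to `next`.
function loginPage(cookies, next, allowlistNext) {
  if (cookies.sid !== 'valid-session') return { status: 200, type: 'text/html' };
  return { status: 302, location: allowlistNext ? safeNext(next) : next };
}

// What a third-party <img> observes: it loads only if the redirect lands on an image.
function imageLoads(resp) {
  return resp.status === 302 && resp.location.endsWith('.png');
}

// Does a third-party page get a different <img> outcome for logged-in versus
// logged-out visitors under this cookie / redirect policy?
function loginOracleWorks({ sameSite, allowlistNext }) {
  const probe = loggedIn => {
    const jar = loggedIn ? [{ name: 'sid', value: 'valid-session', sameSite }] : [];
    const resp = loginPage(cookiesForCrossSiteRequest(jar), '/img/avatar.png', allowlistNext);
    return imageLoads(resp);
  };
  return probe(true) !== probe(false);
}
```

Disabling third-party cookies in the browser, the self-protection advice given later in the post, has the same effect as the SameSite setting from the visitor's side: the server never sees the cookie, so it answers identically for both visitors.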

Advice for self-protection

If you want to protect yourself from websites seeing which extensions you use, the only advice we can give for the moment is to switch to another browser. For example, in Firefox only a few extensions are detectable. You could use other browsers too, but we can’t tell which one would be best in terms of protection: this has not yet been evaluated.

The good news is that blocking login detection is easy — all you need to do is disable third-party cookies in your browser. Some tracker-blocking extensions, such as Privacy Badger, could also help — but don’t forget: the more extensions you install, the more trackable you’ll be.

I am thankful to Nataliia Bielova for reviewing a draft version of this post.

Tags: web privacy, fingerprint, tracking, adblock


Where is privacy in the advertising wars?

2016.03.02. 05:59:12 Gulyás Gábor

I've recently read a very nice summary of the advertising wars by Steve Feldman (Stackoverflow), and if you are not up to date on the topic, here is an extract for you:

At this point, it’s pretty clear that ad blocking is a big deal. A recent study suggesting the advertising industry is set to lose over $22 billion in 2015 alone as a result of ad blockers is setting off alarm bells. That is a LOT of money. Companies are scrambling to ‘fix’ the ad blocking problem, as active users of ad blocking utilities hit nearly 200 million. But it’s not just that tiny stop sign in the toolbar raising alarms. Apple caused a panic when they announced that iOS9 would permit the use of ad blockers, as many see mobile ads as an important piece of revenue for the industry.

First, the ad industry went up in arms over ad blocking, offering suggestions like developing ways to deliver specific ads to users employing ad blockers. Then, they considered going after Apple when they announced iOS 9 would permit ad blockers. Later, they began asking users to turn off their ad blockers as a sign of good faith. That did not go so well for some. Finally, they prevented Ad Block Plus from attending an industry event. [...] But some in the industry do get it. Eyeo (the company behind Adblock Plus) outlined in their ‘Acceptable Ads Manifesto’ some strong ideas for how to improve digital advertising-- not to mention the iAB’s L.E.A.N Ads program. While there is criticism for both of these solutions, the positive takeaway is that powerful organizations are finally moving toward addressing the problem.

This looks like things have started to change! People are now taking action to solve the fundamental problems that have become part of the ad world over the years. For this reason, I think the Acceptable Ads Manifesto and the LEAN Ads program are good initiatives, but I sense a fundamental problem: privacy-related problems should be tackled in more detail, especially tracking.

These are my proposals to fill the real gap:

  1. Transparency. Data collection and data processing should be transparent to data subjects. When data collection and use are happening, this should be noticeably and clearly communicated.
  2. Choice to opt out of data collection. People should decide whether they prefer behavioral or contextual ads (no tracking at all). As people might allow being tracked in some contexts, we need more granularity here as well.
  3. Security. Over the last years, we have heard about cases where malware was distributed through ads. Advertising companies need to be responsible for what they distribute; they should check the content first.

However, there is one more thing that I personally miss from this, which is granularity of payment. I like to read news from aggregated sources instead of visiting news sites directly. For this reason, I’d really prefer to pay per news item that I’d like to read, rather than paying a couple of dollars per month to each media outlet where I might read something. I hope there will be such services, although there are already some similar ones, like Google Contributor or Mozilla Subscribe2Web.


This post originally appeared in the professional blog of Gábor Gulyás.

Tags: web privacy, tracking, adblock, bug, ads, ad industry, advertising wars


© International PET Portal, 2010