Can we protect Privacy without breaking the web

The web is the biggest legacy application ever developed or supported by software engineers, and it's also blurring the line between the consumption of data and the leaking of personal details. Browser makers may be the only line of defense.

This deck was first presented at the 2019 Tulsa Cyber Summit. It's an expanded presentation of the material from:
"Can we build a privacy-preserving web browser we all deserve?", XRDS: Crossroads, The ACM Magazine for Students, Pseudonymity and Anonymity issue, Volume 24 Issue 4, Summer 2018, pages 40-44.

luke crouch

March 25, 2019

Transcript

  1. Can We
    Protect Privacy
    Without Breaking the Web?

  2. Leaked documents show that the NSA
    uses tracking cookies to select targets
    Image: The Intercept

    https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/

  4. Background on current
    web architecture

  5. “As a first line of defense to preserve user privacy,
    all major web browsers adhere to the guidelines of
    the same origin policy, which limits a website’s
    access to information.”

  6. Same-origin Policy
    http://www.lucadentella.it/en/2013/07/11/javascript-same-origin-policy-e-jsonp/

  7. Cross-Origin Request code
    http://www.evilcorp.com

    // Script on http://www.evilcorp.com requesting another origin;
    // the Same-origin Policy stops it from reading the response
    new XMLHttpRequest().open("GET", "https://boss.bankofamerica.com/data.json");

    https://speakerdeck.com/groovecoder/top-5-security-errors-we-see-from-firefox-and-how-to-fix-them

  8. Cross-Origin Request Threats
    https://speakerdeck.com/groovecoder/top-5-security-errors-we-see-from-firefox-and-how-to-fix-them
    Attacks
    • Steal data from other origins
    Attacker
    • Any Malicious Origin
    • Phishing & Malware Sites
    • Compromised CDNs
    • Untrusted First Parties

  9. Same-origin Policy blocking
    a Cross-Origin Request

  10. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Definition_of_an_origin

  11. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Cross-origin_network_access

  12. Embedding Resources from other Origins
    https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Cross-origin_network_access

  13. http://clearcode.cc/2015/12/cookie-syncing/

  14. 600 HTTP requests

  15. 53 HTTP requests to techcrunch.com

  16. http://clearcode.cc/2015/12/cookie-syncing/

  17. 547 HTTP requests to other origins

  18. 547 HTTP requests to other origins
    Google, Facebook, Yahoo, DoubleClick, DoubleVerify, advertising.com, parsely.com, scorecardresearch.com,
    moatads.com, wp.com, typekit.net, betrad.com, cloudfront.net, nr-data.net, atwola.com, bidswitch.net, npttech.com,
    krxd.net, simpli.fi, taboola.com, pswec.com, mathtag.com, ipredictive.com, 1rx.io, everesttech.net, casalemedia.com,
    pubmatic.com, adnxs.com, 2mdn.net, yimg.com, adentifi.com, gwallet.com, owneriq.net, adhigh.net, netmng.com, …

  19. Embedded Cross-Origin Requests
    http://techcrunch.com
    en_US/fbevents.js">
    googleads.g.doubleclick.net/xbbe/match?rmxinit=1&xid=7JwNU2U1TE1_TTIc6ggpZi3A">
    iframe>
    https://speakerdeck.com/groovecoder/top-5-security-errors-we-see-from-firefox-and-how-to-fix-them

  20. Embedded
    Cross-Origin Requests
    include Referers

  21. Referers [sic]
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

  22. Referer tells Google exact page I’m looking at:
    https://www.healthcare.gov/screener/medicaid-result.html

  23. Note: in reality, most
    trackers don’t rely on
    Referer

  24. Google JS also sends the exact page I’m looking at
    in a URL parameter

  25. Embedded
    Cross-Origin Requests
    include Cookies

  26. Cookies

  27. Cookies
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

  28. Cookies are a persistent identifier for my browser

  29. How tracking works
    • “3rd parties”

    • visit social-example.com, get cookie

    • visit health-example.com, which embeds social-example.com

    • social-example.com receives Cookie and Referer value

    • social-example.com builds up a behavior profile

  30. Lightbeam Demo

  31. techcrunch.com, cancercenter.com, bankofamerica.com, catholicmom.com, facebook.com, google.com

  32. Privacy Protections
    built into web browsers

  33. Browser protections
    • Clear cookies after every browsing session

    • No 3rd-party cookies

    • Except from visited sites (Like Safari ITP)

    • Strip paths from Referers to 3rd parties

    • Tracking Protection (Firefox, Safari, Tor)

    • First-Party Isolation (Firefox, Tor)

    • Resist Fingerprinting (Firefox, Tor)

  34. Private/Incognito Browsing

  35. Private/Incognito Browsing
    • Designed for local adversaries

    • Doesn’t remember search & browsing history

    • Doesn’t remember form input

    • Clears cookies on exit

  36. Clear your cookies

  37. Cookie Re-spawning

  38. Re-spawning/“Supercookies”

  39. Using Flash

  40. HTML localStorage

  41. ETag

  42. Cookie Re-spawning
    is “Illegal”
    Or, at least, companies have been sued for it

  43. Block all 3rd-Party Cookies

  44. Safari ITP 2.1 blocks
    most 3rd-party Cookies by default

  45. Blocking all 3rd-party
    cookies is good …

  46. But fingerprinting
    attacks!
    more on this later …

  47. Stripping Referers

  48. https://www.eff.org/deeplinks/2015/01/healthcare.gov-sends-personal-data

  49. Firefox Private Browsing strips
    paths from Referer by default

  50. Referer:
    https://www.reddit.com/r/privacy/comments/Preventing_data_leaks_by_stripping_path_information_in_HTTP_Referrers/
    Referer:
    https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000
    Referer:
    https://www.reddit.com/
    Referer:
    https://www.healthcare.gov/
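As an added example that is not part of the deck, the tracking sequence of slide 29 and the Referer path stripping of slides 49-50, simulated in Node.js: what social-example.com receives on each request, with and without the protections the deck lists. The site names come from slide 29 and the healthcare.gov URL from slide 50; the embed URL, request paths and visit order are constructed.

```javascript
// Added example, not code from the deck: models what social-example.com
// (the "3rd party" of slide 29) sees as one browser visits pages that embed
// it, under the deck's protections. Site names are from slide 29 and the
// healthcare.gov URL from slide 50; paths, visit order and the embed URL
// are constructed for illustration.
const TRACKER = "https://social-example.com/embed.js";

function origin(url) { return new URL(url).origin; }

// "Strip paths from Referers to 3rd parties": a cross-origin request gets
// only the page's origin; a same-origin request keeps the full page URL.
function refererFor(pageUrl, requestUrl, stripThirdPartyPaths) {
  if (!stripThirdPartyPaths || origin(pageUrl) === origin(requestUrl)) return pageUrl;
  return origin(pageUrl) + "/";
}

// pages: URLs visited in order; every page embeds TRACKER. "END_SESSION"
// marks the browser being closed. opts.firstPartyIsolation keys the
// tracker's cookie jar by the top-level site too; opts.sessionOnly drops
// cookies at END_SESSION; opts.stripReferer applies refererFor().
function simulate(pages, opts) {
  const jars = new Map();   // jar key -> cookie value the tracker set
  const log = [];           // one entry per request social-example.com sees
  let nextId = 1;
  for (const page of pages) {
    if (page === "END_SESSION") { if (opts.sessionOnly) jars.clear(); continue; }
    const jarKey = opts.firstPartyIsolation
      ? origin(page) + "|" + origin(TRACKER) : origin(TRACKER);
    if (!jars.has(jarKey)) jars.set(jarKey, "uid" + nextId++);
    log.push({ cookie: jars.get(jarKey),
               referer: refererFor(page, TRACKER, opts.stripReferer) });
  }
  return log;
}

// How many distinct cookies (identities) the tracker can link visits to,
// and how many requests told it the exact page being viewed.
function summarize(log) {
  const identities = new Set(log.map(e => e.cookie)).size;
  const fullPathReferers = log.filter(e => new URL(e.referer).pathname !== "/").length;
  return { requests: log.length, identities, fullPathReferers };
}

const VISITS = [  // constructed browsing sequence
  "https://social-example.com/feed",
  "https://health-example.com/screener/medicaid-result.html",
  "https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000",
  "END_SESSION",
  "https://health-example.com/articles/cancer",
];

console.log(summarize(simulate(VISITS, { firstPartyIsolation: true, stripReferer: true })));
```

With no protections the tracker links all four requests to one cookie and learns every full page URL; first-party isolation splits them into one identity per embedding site, session-only cookies cut the link at the browser close, and path stripping leaves it only the origins.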

  51. More Referer
    Protections in Firefox
    https://www.privacytools.io/#about_config

  52. #reduced-referrer-granularity in chrome://flags

  53. Tracking Protection
    blocks data to trackers

  54. Firefox Private Browsing includes
    Tracking Protection by default

  55. You can enable Tracking
    Protection for all of Firefox

  56. Safari includes
    Tracking Protection by default

  57. Tracking Protection Add-ons and Extensions
    uBlock Origin

  58. Tracking Protection is
    good …
    … but what if trackers evade the block-lists?

  59. First-Party Isolation
    Only in Firefox and Tor

  62. Isolating all 3rd-party
    cookies is good …

  63. But fingerprinting
    attacks!
    more on this NOW!

  65. Passive Fingerprints
    Don’t require code execution

  66. User-Agent, IP,
    Accept-Language, etc.

  67. Active Fingerprints
    JavaScript code executes on your device

  68. Plugin Enumeration

  69. Okay but …
    … enumeration is still possible via sniffing, like …

  70. Font Enumeration
    http://www.lalit.org/lab/javascript-css-font-detect/

  71. Measure default fonts

  72. Measure dictionary of fonts

  73. Canvas Fingerprint

  76. WebGL Fingerprinting
    http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf

  77. AudioContext

  79. https://webtransparency.cs.princeton.edu/webcensus/#audio-fp

  80. WebRTC

  81. WebRTC Local Addressing

  83. WebVR “eyeprinting”

  84. Resist Fingerprinting
    Only in Firefox & Tor

  85. Resist Fingerprinting
    • Fake browser responses to common fingerprinting calls

    • Normalize aspects of the browser

  86. Tor Implementation: Cross-Origin Fingerprinting Unlinkability

  87. https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.2.0esr-7.5-1&id=dda0385cc49240f8bd115476c870d61863741f4c
    • Minimal WebGL
    • No Gamepads
    • Popups open into new tabs
    • UTC timezone
    • No device sensors
    • No WebAudio
    • Windows 7
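An added example, not code from the deck or from Tor Browser, that puts numbers on slide 85's "Normalize aspects of the browser": Shannon entropy and anonymity-set size of a population of passive fingerprints (slide 66's User-Agent, Accept-Language and timezone) before and after Tor-style normalization. The population is constructed, and reading slide 87's "Windows 7" as the user agent every browser reports is an assumption.

```javascript
// Added example, not from the deck: how much normalizing browser
// attributes shrinks a passive fingerprint. POPULATION is constructed;
// the normalized values (UTC timezone, one Windows 7 user agent) follow
// slide 87's list, with "Windows 7" read as the reported user agent.
const POPULATION = [   // constructed: [userAgent, acceptLanguage, timezone]
  ["Firefox/66 Windows 10", "en-US", "America/Chicago"],
  ["Firefox/66 Windows 10", "en-US", "America/New_York"],
  ["Firefox/66 macOS", "en-US", "America/Los_Angeles"],
  ["Chrome/73 Windows 10", "en-US", "America/Chicago"],
  ["Chrome/73 Android", "es-MX", "America/Mexico_City"],
  ["Safari/12 macOS", "en-GB", "Europe/London"],
  ["Firefox/66 Linux", "de-DE", "Europe/Berlin"],
  ["Firefox/60 Windows 7", "en-US", "UTC"],
];

// Shannon entropy, in bits, of the values seen across the population:
// the more bits, the more a value singles a browser out.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Tor-style normalization: every browser reports the same user agent and
// timezone. Accept-Language is left alone so the remaining entropy shows.
function normalize(fp) {
  return ["Firefox/60 Windows 7", fp[1], "UTC"];
}

// Number of browsers in pop whose whole fingerprint equals fp
// (the anonymity set: 1 means this browser is unique).
function anonymitySet(pop, fp) {
  const key = fp.join("|");
  return pop.filter(p => p.join("|") === key).length;
}

// Combined-fingerprint entropy and pop[0]'s anonymity set, raw vs normalized.
function compare(pop) {
  const normalized = pop.map(normalize);
  return {
    rawBits: entropyBits(pop.map(p => p.join("|"))),
    normalizedBits: entropyBits(normalized.map(p => p.join("|"))),
    rawSet: anonymitySet(pop, pop[0]),
    normalizedSet: anonymitySet(normalized, normalize(pop[0])),
  };
}

console.log(compare(POPULATION));
```

In this population every raw fingerprint is unique (3 bits, anonymity set of 1); after normalization only Accept-Language separates browsers, leaving about 1.55 bits and an anonymity set of 5 for the first entry.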

  88. So, those protections …
    • Clear cookies after every browsing session

    • No 3rd-party cookies

    • Except from visited sites (Like Safari ITP)

    • Strip paths from Referers to 3rd parties

    • Tracking Protection (Firefox, Safari, Tor)

    • First-Party Isolation (Firefox, Tor)

    • Resist Fingerprinting (Firefox, Tor)

  89. Won’t that break a
    ton of websites?

  90. https://blog.mozilla.org/data/2018/01/26/improving-privacy-without-breaking-the-web/

  91-98. https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

  99. Privacy Protections
    Breakage Study
    • 19,000+ Users

    • 1 control group; 8 study groups

    • 2,100+ users in each group

    • 4 weeks

    • Up to 8,500 active users per day

  100-102. https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

  103. Tracking Protection
    may actually fix websites by
    blocking tracking elements that
    break/slow them down

  104. Can’t go into all the
    details … but …

  105-109. https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

  110. Strip paths from
    Referers to 3rd parties
    • Reduces details sent to trackers

    • Very few login failures

    • Very few email failures

    • Does not block all ads

    • Referers are used to guarantee ad policies

  111. Tracking Protection
    • Blocks known trackers completely

    • Performance Boost

    • Very few email failures

    • Blocks all ads

    • Triggers ad-blocker-blockers

  112. Session-Only
    3rd-Party Cookies
    • Limits duration of tracking

    • Very few email failures

    • Some login failures

    • Does not block ads

  113. Why do we care
    about this?

  114. http://www.slate.com/articles/technology/future_tense/2017/07/women_young_people_experience_the_chilling_effects_of_surveillance_at_higher.html

  115. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014
    “There are dozens of psychological studies that
    prove that when somebody knows that they
    might be watched, the behavior they engage in
    is vastly more conformist and compliant.”
    https://www.ted.com/talks/glenn_greenwald_why_privacy_matters

  116. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014
    https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
    “This realization was exploited most powerfully
    for pragmatic ends by the 18th-century
    philosopher Jeremy Bentham, who set out to
    resolve an important problem ushered in by the
    industrial age. Where, for the first time,
    institutions had become so large and
    centralized that they were no longer able to
    monitor and therefore control each one of their
    individual members.
    And the solution that he devised was an
    architectural design - originally intended to be
    implemented in prisons - that he called the
    panopticon.”

  117. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014
    https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
    “The primary attribute of which was the
    construction of an enormous tower in the center
    of the institution where whoever controlled the
    institution could, at any moment, watch any of
    the inmates, although they couldn’t watch all of
    them at all times.
    And crucial to this design was that the inmates
    could not see into the panopticon, into the
    tower, and so they never knew if they were
    being watched.”

  118. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014
    https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
    “And what made him so excited about this
    discovery was that would mean the prisoners
    would have to assume that they were being
    watched at any given moment, which would be
    the ultimate enforcer for obedience and
    compliance.”

  119. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014
    https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
    “The 20th-century French philosopher Michel
    Foucault realized that model could be used not
    just for prisons but for every institution that
    seeks to control human behavior - schools,
    hospitals, factories, workplaces.”

  120. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014
    https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
    “And what he said was that this mindset, this
    framework discovered by Bentham, was the key
    means of societal control for modern western
    societies which no longer need the overt
    weapons of tyranny - punishing or imprisoning
    or killing dissidents; or legally compelling
    loyalty to a particular party … because mass
    surveillance creates a prison in the mind that is
    a much more subtle but much more effective
    means of fostering compliance … much more
    effective than brute force could ever be.”

  121. “There’s a strong physiological basis for
    privacy. Biologist Peter Watts makes the point
    that a desire for privacy is innate: mammals in
    particular don’t respond well to surveillance. We
    consider it a physical threat, because animals
    in the natural world are surveilled by predators.”
    –Data and Goliath, by Bruce Schneier

  122. “Surveillance makes us feel like prey, just as it
    makes surveyors act like predators.”
    –Data and Goliath, by Bruce Schneier

  123. Surveillance is not just
    about free speech and privacy

  124. Behavior Profiling can be racist
    https://newrepublic.com/article/144644/turns-algorithms-racist

  125. Behavior profiling, or
    Behavior Manipulation?
    https://motherboard.vice.com/en_us/article/mg9vvn/how-our-likes-helped-trump-win

  126. “Surveillance Capitalism” can make
    corporations more powerful than
    governments
    https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2594754

  127. I’m not a perfectionist

  128. If Google, the NSA, or the FBI
    want to watch me specifically,
    they will, and I can’t stop them

  129. I’m a realist who doesn’t
    want to be sucked up
    into the digital dragnet

  130. What’s next?

  131. What’s next?
    • DNS-over-HTTPS / Trusted Recursive Resolver

    • Do Not Track v2 ?
      • Policy by Electronic Frontier Foundation

    • Single Trust & Same Origin Policy v2 ?
      • proposed by Apple to WebAppSec Working Group

  132. Questions?
    • Clear cookies after every browsing session

    • No 3rd-party cookies

    • Except from visited sites (Like Safari ITP)

    • Strip paths from Referers to 3rd parties

    • Tracking Protection (Firefox, Safari, Tor)

    • First-Party Isolation (Firefox, Tor)

    • Resist Fingerprinting (Firefox, Tor)

    • DNS-over-HTTPS

    • Do Not Track v2

    • Same Origin Policy v2 & Single Trust