Slide 1

Slide 1 text

Can We Protect Privacy Without Breaking the Web?

Slide 2

Slide 2 text

Leaked documents show that the NSA uses tracking cookies to select targets Image: The Intercept https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

Background on current web architecture

Slide 5

Slide 5 text

“As a first line of defense to preserve user privacy, all major web browsers adhere to the guidelines of the same origin policy, which limits a website’s access to information.”

Slide 6

Slide 6 text

Same-origin Policy http://www.lucadentella.it/en/2013/07/11/javascript-same-origin-policy-e-jsonp/

Slide 7

Slide 7 text

Cross-Origin Request code (slide from https://speakerdeck.com/groovecoder/top-5-security-errors-we-see-from-firefox-and-how-to-fix-them)

http://www.evilcorp.com
…
new XMLHttpRequest().open("GET", "boss.bankofamerica.com/data.json");
…

Slide 8

Slide 8 text

Cross-Origin Request Threats (slide from https://speakerdeck.com/groovecoder/top-5-security-errors-we-see-from-firefox-and-how-to-fix-them)

Attacks
• Steal data from other origins

Attacker
• Any Malicious Origin
  • Phishing & Malware Sites
  • Compromised CDNs
  • Untrusted First Parties

Slide 9

Slide 9 text

Same-origin Policy blocking a Cross-Origin Request

Slide 10

Slide 10 text

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Definition_of_an_origin

Slide 11

Slide 11 text

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Cross-origin_network_access

Slide 12

Slide 12 text

Embedding Resources from other Origins https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Cross-origin_network_access

Slide 13

Slide 13 text

http://clearcode.cc/2015/12/cookie-syncing/

Slide 14

Slide 14 text

600 HTTP requests

Slide 15

Slide 15 text

53 HTTP requests to techcrunch.com

Slide 16

Slide 16 text

http://clearcode.cc/2015/12/cookie-syncing/

Slide 17

Slide 17 text

547 HTTP requests to other origins

Slide 18

Slide 18 text

547 HTTP requests to other origins Google, Facebook, Yahoo, DoubleClick, DoubleVerify, advertising.com, parsely.com, scorecardresearch.com, moatads.com, wp.com, typekit.net, betrad.com, cloudfront.net, nr-data.net, atwola.com, bidswitch.net, npttech.com, krxd.net, simpli.fi, taboola.com, pswec.com, mathtag.com, ipredictive.com, 1rx.io, everesttech.net, casalemedia.com, pubmatic.com, adnxs.com, 2mdn.net, yimg.com, adentifi.com, gwallet.com, owneriq.net, adhigh.net, netmng.com, …

Slide 19

Slide 19 text

Embedded Cross-Origin Requests (slide from https://speakerdeck.com/groovecoder/top-5-security-errors-we-see-from-firefox-and-how-to-fix-them)

http://techcrunch.com
…
</iframe>
…
</html>

Slide 20

Slide 20 text

Embedded Cross-Origin Requests include Referers

Slide 21

Slide 21 text

Referers [sic] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

Slide 22

Slide 22 text

Referer tells Google exact page I’m looking at: https://www.healthcare.gov/screener/medicaid-result.html

Slide 23

Slide 23 text

Note: in reality, most trackers don’t rely on Referer

Slide 24

Slide 24 text

Google JS also sends the exact page I’m looking at in a url parameter

Slide 25

Slide 25 text

Embedded Cross-Origin Requests include Cookies

Slide 26

Slide 26 text

Cookies

Slide 27

Slide 27 text

Cookies https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

Slide 28

Slide 28 text

Cookies are a persistent identifier for my browser

Slide 29

Slide 29 text

How tracking works
• “3rd parties”
• Visit social-example.com, get cookie
• Visit health-example.com, which embeds social-example.com
• social-example.com receives Cookie and Referer value
• social-example.com builds up a behavior profile

Slide 30

Slide 30 text

Lightbeam Demo

Slide 31

Slide 31 text

techcrunch.com cancercenter.com bankofamerica.com catholicmom.com facebook.com google.com

Slide 32

Slide 32 text

Privacy Protections built into web browsers

Slide 33

Slide 33 text

Browser protections
• Clear cookies after every browsing session
• No 3rd-party cookies
  • Except from visited sites (like Safari ITP)
• Strip paths from Referers to 3rd parties
• Tracking Protection (Firefox, Safari, Tor)
• First-Party Isolation (Firefox, Tor)
• Resist Fingerprinting (Firefox, Tor)

Slide 34

Slide 34 text

Private/Incognito Browsing

Slide 35

Slide 35 text

Private/Incognito Browsing
• Designed for local adversaries
• Doesn’t remember search & browsing history
• Doesn’t remember form input
• Clears cookies on exit

Slide 36

Slide 36 text

Clear your cookies

Slide 37

Slide 37 text

Cookie Re-spawning

Slide 38

Slide 38 text

Re-spawning/“Supercookies”

Slide 39

Slide 39 text

Using Flash

Slide 40

Slide 40 text

HTML localStorage

Slide 41

Slide 41 text

ETag

Slide 42

Slide 42 text

Cookie Re-spawning is “Illegal” Or, at least, companies have been sued for it

Slide 43

Slide 43 text

Block all 3rd-Party Cookies

Slide 44

Slide 44 text

Safari ITP 2.1 blocks most 3rd-party Cookies by default

Slide 45

Slide 45 text

Blocking all 3rd-party cookies is good …

Slide 46

Slide 46 text

But fingerprinting attacks! more on this later …

Slide 47

Slide 47 text

Stripping Referers

Slide 48

Slide 48 text

https://www.eff.org/deeplinks/2015/01/healthcare.gov-sends-personal-data

Slide 49

Slide 49 text

Firefox Private Browsing strips paths from Referer by default

Slide 50

Slide 50 text

Full Referer:
Referer: https://www.reddit.com/r/privacy/comments/Preventing_data_leaks_by_stripping_path_information_in_HTTP_Referrers/
Referer: https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000

Path stripped:
Referer: https://www.reddit.com/
Referer: https://www.healthcare.gov/
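The before/after pairs above are what "strip paths from Referers to 3rd parties" looks like on the wire. The block below is an added example, not code from the deck or from Firefox: it models that trimming as the Referrer-Policy behaviour named `strict-origin-when-cross-origin` (full URL to the same origin, origin only to other origins, nothing on an HTTPS-to-HTTP downgrade) and shows which query parameters a tracker could read from each form. The healthcare.gov and reddit.com URLs are the deck's own; the `tracker.example` endpoint is constructed.

```javascript
// Added example (not from the deck): Referer trimming modelled as the
// Referrer-Policy behaviour "strict-origin-when-cross-origin".
//   - same-origin request: full URL, minus fragment and embedded credentials
//   - cross-origin request at the same security level: origin only ("https://host/")
//   - HTTPS page requesting an HTTP resource: no Referer at all

// Referer value a browser should send for a request from `fromUrl` to `toUrl`;
// null means the header is omitted entirely.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Never reveal an HTTPS page's address to a plaintext destination.
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  if (from.origin === to.origin) {
    from.hash = '';      // fragments are never sent
    from.username = '';  // nor embedded credentials
    from.password = '';
    return from.href;
  }
  // 3rd-party destination: drop path and query, keep scheme + host (+ port).
  return from.origin + '/';
}

// Query-string keys a tracker could read out of a Referer value ([] if none).
function exposedParams(referer) {
  if (referer === null) return [];
  return Array.from(new URL(referer).searchParams.keys());
}

// The deck's example pages (real URLs quoted on the slide) and a constructed
// 3rd-party endpoint embedded on them.
const HEALTHCARE_PAGE =
  'https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000';
const REDDIT_PAGE =
  'https://www.reddit.com/r/privacy/comments/Preventing_data_leaks_by_stripping_path_information_in_HTTP_Referrers/';
const THIRD_PARTY = 'https://tracker.example/collect'; // constructed

// Demo: what the 3rd party learns with and without trimming.
function demo() {
  const full = HEALTHCARE_PAGE;                        // legacy: whole URL leaks
  const trimmed = refererFor(HEALTHCARE_PAGE, THIRD_PARTY);
  return {
    fullReferer: full,
    fullExposes: exposedParams(full),                  // age, pregnant, income, ...
    trimmedReferer: trimmed,                           // "https://www.healthcare.gov/"
    trimmedExposes: exposedParams(trimmed),            // []
    redditTrimmed: refererFor(REDDIT_PAGE, THIRD_PARTY),
    downgrade: refererFor(HEALTHCARE_PAGE, 'http://tracker.example/pixel.gif'),
  };
}

console.log(demo());
```

Same-origin requests still carry the full URL, so the site's own analytics keep working while the embedded 3rd party sees only the host; that is the trade-off the deck's breakage study measures later.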

Slide 51

Slide 51 text

More Referer Protections in Firefox https://www.privacytools.io/#about_config

Slide 52

Slide 52 text

#reduced-referrer-granularity in chrome://flags

Slide 53

Slide 53 text

Tracking Protection blocks data to trackers

Slide 54

Slide 54 text

Firefox Private Browsing includes Tracking Protection by default

Slide 55

Slide 55 text

You can enable Tracking Protection for all of Firefox

Slide 56

Slide 56 text

Safari includes Tracking Protection by default

Slide 57

Slide 57 text

Tracking Protection Add-ons and Extensions: uBlock Origin

Slide 58

Slide 58 text

Tracking Protection is good … … but what if trackers evade the block-lists?

Slide 59

Slide 59 text

First-Party Isolation Only in Firefox and Tor

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

No content

Slide 62

Slide 62 text

Isolating all 3rd-party cookies is good …
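The "How tracking works" slide (visit social-example.com, get a cookie; visit health-example.com, which embeds social-example.com; the tracker sees Cookie plus Referer and builds a profile) and the First-Party Isolation slides describe two sides of one mechanism. The following simulation is an added example, not code from the deck, Firefox or Tor Browser: a toy tracker backend and a browser cookie jar that is keyed either by the cookie's host alone (classic behaviour) or by first-party site plus host (First-Party Isolation). The host names and visited pages are constructed.

```javascript
// Added example (not from the deck): how a 3rd-party cookie links visits across
// sites, and how a per-first-party cookie jar (First-Party Isolation) breaks
// that linkage. Hosts and the tracker's server logic are constructed toys.

const TRACKER = 'social-example.com';

// Toy tracker backend: issues an id cookie on first contact and records the
// Referer of each later request under that id (the "behavior profile").
function makeTracker() {
  let nextId = 1;
  const profiles = new Map(); // cookie value -> array of Referer values seen
  return {
    profiles,
    handle(cookie, referer) {
      const id = cookie !== undefined ? cookie : `uid${nextId++}`;
      if (!profiles.has(id)) profiles.set(id, []);
      if (referer !== null) profiles.get(id).push(referer);
      return { setCookie: id };
    },
  };
}

// Simulate one browsing session against a fresh tracker. With
// firstPartyIsolation the jar key includes the top-level site, so the tracker
// gets a different cookie inside every first party it is embedded in.
function simulate({ firstPartyIsolation }) {
  const tracker = makeTracker();
  const jar = new Map(); // jar key -> cookie value
  const jarKey = (host, firstParty) =>
    firstPartyIsolation ? `${firstParty}|${host}` : host;

  // Constructed session: the social site itself, then two unrelated sites
  // that embed a social-example.com widget.
  const visits = [
    ['social-example.com', '/'],
    ['health-example.com', '/screener/medicaid-result.html'],
    ['bank-example.com', '/accounts/summary'],
  ];
  for (const [firstParty, path] of visits) {
    const key = jarKey(TRACKER, firstParty);
    // The embedded request carries the tracker's cookie (if any) and a Referer
    // naming the embedding page; a direct visit to the tracker has no Referer.
    const referer = firstParty === TRACKER ? null : `https://${firstParty}${path}`;
    const { setCookie } = tracker.handle(jar.get(key), referer);
    jar.set(key, setCookie);
  }
  return tracker.profiles;
}

// Largest number of pages the tracker can tie to a single identifier.
function largestProfile(profiles) {
  return Math.max(...Array.from(profiles.values(), p => p.length));
}

for (const firstPartyIsolation of [false, true]) {
  const profiles = simulate({ firstPartyIsolation });
  console.log(`FPI=${firstPartyIsolation}: ${profiles.size} identifier(s),`,
              `largest profile ${largestProfile(profiles)} page(s)`);
  console.log(profiles);
}
```

Without isolation the tracker ends up with one identifier holding both the health and the bank page; with isolation it holds three unrelated identifiers with at most one page each, which is exactly the "unlinkability" the deck credits to Firefox and Tor. The example also makes the cost visible: the tracker's first-party login cookie and its embedded-widget cookie are now different cookies, which is why isolation can break embedded logins.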

Slide 63

Slide 63 text

But fingerprinting attacks! more on this NOW!

Slide 64

Slide 64 text

No content

Slide 65

Slide 65 text

Passive Fingerprints Don’t require code execution

Slide 66

Slide 66 text

User-Agent, IP, Accept-Language, etc.

Slide 67

Slide 67 text

Active Fingerprints JavaScript code executes on your device

Slide 68

Slide 68 text

Plugin Enumeration

Slide 69

Slide 69 text

Okay but … … enumeration is still possible via sniffing, like …

Slide 70

Slide 70 text

Font Enumeration http://www.lalit.org/lab/javascript-css-font-detect/

Slide 71

Slide 71 text

Measure default fonts

Slide 72

Slide 72 text

Measure dictionary of fonts

Slide 73

Slide 73 text

Canvas Fingerprint

Slide 74

Slide 74 text

No content

Slide 75

Slide 75 text

No content

Slide 76

Slide 76 text

WebGL Fingerprinting http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf

Slide 77

Slide 77 text

AudioContext

Slide 78

Slide 78 text

No content

Slide 79

Slide 79 text

https://webtransparency.cs.princeton.edu/webcensus/#audio-fp

Slide 80

Slide 80 text

WebRTC

Slide 81

Slide 81 text

WebRTC Local Addressing

Slide 82

Slide 82 text

No content

Slide 83

Slide 83 text

WebVR “eyeprinting”

Slide 84

Slide 84 text

Resist Fingerprinting Only in Firefox & Tor

Slide 85

Slide 85 text

Resist Fingerprinting
• Fake browser responses to common fingerprinting calls
• Normalize aspects of the browser

Slide 86

Slide 86 text

Tor Implementation: Cross-Origin Fingerprinting Unlinkability

Slide 87

Slide 87 text

https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.2.0esr-7.5-1&id=dda0385cc49240f8bd115476c870d61863741f4c
• Minimal WebGL
• No Gamepads
• Popups open into new tabs
• UTC timezone
• No device sensors
• No WebAudio
• Windows 7
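The point of normalizing attributes (UTC timezone, a single claimed platform, no WebAudio, minimal WebGL) is that every user of the browser produces the same answer, so the anonymity set grows instead of shrinking. The block below is an added example, not code from the deck or from Tor Browser: it serializes a set of passive and active attributes into a fingerprint, applies a normalization modelled on the list above, and counts how many browsers share each fingerprint. The population of browsers and the exact normalized values are constructed for illustration.

```javascript
// Added example (not from the deck or Tor Browser): why normalization shrinks
// the number of distinct fingerprints. Attribute values below are constructed.

// A constructed population of four browsers as a fingerprinting script would
// observe them: passive headers (language) and active probes (timezone, GPU,
// WebAudio availability).
const POPULATION = [
  { userAgent: 'Firefox/52 (Windows 10)', timezone: 'America/Chicago', language: 'en-US',
    webglRenderer: 'NVIDIA GeForce GTX 1060', audioContext: true },
  { userAgent: 'Firefox/52 (Ubuntu)',     timezone: 'Europe/Berlin',    language: 'de-DE',
    webglRenderer: 'Mesa Intel HD Graphics 620', audioContext: true },
  { userAgent: 'Firefox/52 (Macintosh)',  timezone: 'Asia/Tokyo',       language: 'ja-JP',
    webglRenderer: 'Apple M1',               audioContext: true },
  // Differs from the first browser only in timezone: still enough to single it out.
  { userAgent: 'Firefox/52 (Windows 10)', timezone: 'America/New_York', language: 'en-US',
    webglRenderer: 'NVIDIA GeForce GTX 1060', audioContext: true },
];

// A fingerprint is a stable serialization of the observed attributes.
function fingerprint(attrs) {
  return JSON.stringify(attrs, Object.keys(attrs).sort());
}

// Resist-Fingerprinting mode, modelled on the Tor Browser settings listed on
// the slide: every user returns the same normalized answers.
function resistFingerprinting(attrs) {
  return {
    ...attrs,
    userAgent: 'Firefox/52 (Windows 7)', // one claimed platform for everyone
    timezone: 'UTC',
    language: 'en-US',
    webglRenderer: 'minimal',            // no GPU or driver details exposed
    audioContext: false,                 // WebAudio disabled
  };
}

// Group a population by fingerprint: Map fingerprint -> number of browsers
// sharing it (the anonymity set size). `transform` is applied to each browser
// first, so the same population can be measured with and without protection.
function anonymitySets(population, transform = a => a) {
  const sets = new Map();
  for (const browser of population) {
    const fp = fingerprint(transform(browser));
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

const plain = anonymitySets(POPULATION);
const protectedSets = anonymitySets(POPULATION, resistFingerprinting);
console.log(`without protection: ${plain.size} distinct fingerprints for ${POPULATION.length} browsers`);
console.log(`with normalization: ${protectedSets.size} distinct fingerprint(s)`);
```

Randomizing answers per site would also break cross-site linkage, but a randomized value is itself detectable; normalizing to one shared value is what makes Tor Browser users look alike, and it is why the deck lists these settings under "unlinkability" rather than "hiding".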

Slide 88

Slide 88 text

So, those protections …
• Clear cookies after every browsing session
• No 3rd-party cookies
  • Except from visited sites (like Safari ITP)
• Strip paths from Referers to 3rd parties
• Tracking Protection (Firefox, Safari, Tor)
• First-Party Isolation (Firefox, Tor)
• Resist Fingerprinting (Firefox, Tor)

Slide 89

Slide 89 text

Won’t that break a ton of websites?

Slide 90

Slide 90 text

https://blog.mozilla.org/data/2018/01/26/improving-privacy-without-breaking-the-web/

Slide 91

Slide 91 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 92

Slide 92 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 93

Slide 93 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 94

Slide 94 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 95

Slide 95 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 96

Slide 96 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 97

Slide 97 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 98

Slide 98 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 99

Slide 99 text

Privacy Protections Breakage Study
• 19,000+ users
• 1 control group; 8 study groups
• 2,100+ users in each group
• 4 weeks
• Up to 8,500 active users per day

Slide 100

Slide 100 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 101

Slide 101 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 102

Slide 102 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 103

Slide 103 text

Tracking Protection may actually fix websites by blocking tracking elements that break/slow them down

Slide 104

Slide 104 text

Can’t go into all the details … but …

Slide 105

Slide 105 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 106

Slide 106 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 107

Slide 107 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 108

Slide 108 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 109

Slide 109 text

https://speakerdeck.com/groovecoder/firefox-privacy-settings-breakage-study

Slide 110

Slide 110 text

Strip paths from Referers to 3rd parties
• Reduces details sent to trackers
• Very few login failures
• Very few email failures
• Does not block all ads
  • Referers are used to guarantee ad policies

Slide 111

Slide 111 text

Tracking Protection
• Blocks known trackers completely
• Performance boost
• Very few email failures
• Blocks all ads
  • Triggers ad-blocker-blockers

Slide 112

Slide 112 text

Session-Only 3rd-Party Cookies
• Limits duration of tracking
• Very few email failures
• Some login failures
• Does not block ads

Slide 113

Slide 113 text

Why do we care about this?

Slide 114

Slide 114 text

http://www.slate.com/articles/technology/future_tense/2017/07/women_young_people_experience_the_chilling_effects_of_surveillance_at_higher.html

Slide 115

Slide 115 text

–Glenn Greenwald, “Why Privacy Matters” @ TED 2014 “There are dozens of psychological studies that prove that when somebody knows that they might be watched, the behavior they engage in is vastly more conformist and compliant.” https://www.ted.com/talks/glenn_greenwald_why_privacy_matters

Slide 116

Slide 116 text

–Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “This realization was exploited most powerfully for pragmatic ends by the 18th-century philosopher Jeremy Bentham, who set out to resolve an important problem ushered in by the industrial age. Where, for the first time, institutions had become so large and centralized that they were no longer able to monitor and therefore control each one of their individual members. And the solution that he devised was an architectural design - originally intended to be implemented in prisons - that he called the panopticon.”

Slide 117

Slide 117 text

–Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “The primary attribute of which was the construction of an enormous tower in the center of the institution where whoever controlled the institution could, at any moment, watch any of the inmates, although they couldn’t watch all of them at all times. And crucial to this design was that the inmates could not see into the panopticon, into the tower, and so they never knew if they were being watched.”

Slide 118

Slide 118 text

–Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “And what made him so excited about this discovery was that would mean the prisoners would have to assume that they were being watched at any given moment, which would be the ultimate enforcer for obedience and compliance.”

Slide 119

Slide 119 text

–Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “The 20th-century French philosopher Michel Foucault realized that model could be used not just for prisons but for every institution that seeks to control human behavior - schools, hospitals, factories, workplaces.”

Slide 120

Slide 120 text

–Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “And what he said was that this mindset, this framework discovered by Bentham, was the key means of societal control for modern western societies which no longer need the overt weapons of tyranny - punishing or imprisoning or killing dissidents; or legally compelling loyalty to a particular party … because mass surveillance creates a prison in the mind that is a much more subtle but much more effective means of fostering compliance … much more effective than brute force could ever be.”

Slide 121

Slide 121 text

“There’s a strong physiological basis for privacy. Biologist Peter Watts makes the point that a desire for privacy is innate: mammals in particular don’t respond well to surveillance. We consider it a physical threat, because animals in the natural world are surveilled by predators.” –Data and Goliath, by Bruce Schneier

Slide 122

Slide 122 text

“Surveillance makes us feel like prey, just as it makes surveyors act like predators.” –Data and Goliath, by Bruce Schneier

Slide 123

Slide 123 text

Surveillance is not just about free speech and privacy

Slide 124

Slide 124 text

Behavior Profiling can be racist https://newrepublic.com/article/144644/turns-algorithms-racist

Slide 125

Slide 125 text

Behavior profiling, or Behavior Manipulation? https://motherboard.vice.com/en_us/article/mg9vvn/how-our-likes-helped-trump-win

Slide 126

Slide 126 text

“Surveillance Capitalism” can make corporations more powerful than governments https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2594754

Slide 127

Slide 127 text

I’m not a perfectionist

Slide 128

Slide 128 text

If Google, the NSA, or the FBI want to watch me specifically, they will, and I can’t stop them

Slide 129

Slide 129 text

I’m a realist who doesn’t want to be sucked up into the digital dragnet

Slide 130

Slide 130 text

What’s next?

Slide 131

Slide 131 text

What’s next?
• DNS-over-HTTPS / Trusted Recursive Resolver
• Do Not Track v2?
  • Policy by Electronic Frontier Foundation
• Single Trust & Same Origin Policy v2?
  • Proposed by Apple to WebAppSec Working Group

Slide 132

Slide 132 text

Questions?
• Clear cookies after every browsing session
• No 3rd-party cookies
  • Except from visited sites (like Safari ITP)
• Strip paths from Referers to 3rd parties
• Tracking Protection (Firefox, Safari, Tor)
• First-Party Isolation (Firefox, Tor)
• Resist Fingerprinting (Firefox, Tor)
• DNS-over-HTTPS
• Do Not Track v2
• Same Origin Policy v2 & Single Trust