upribox zeroconfjg adblocking
play

upribox Zeroconfjg Adblocking ITSecX, St. Plten, 11/2015 Dr. - PowerPoint PPT Presentation

upribox Zeroconfjg Adblocking ITSecX, St. Plten, 11/2015 Dr. Markus Huber htu tups:/ /upribox.org Online Advertisement htu tups:/ /upribox.org 3/31 Targeted Ads #epicfail htu tups:/ /upribox.org 4/31 4 htu tups:/


  1. upribox – Zeroconfjg Adblocking ITSecX, St. Pölten, 11/2015 Dr. Markus Huber htu tups:/ /upribox.org

  2. Online Advertisement

  3. htu tups:/ /upribox.org 3/31

  4. Targeted Ads #epicfail htu tups:/ /upribox.org 4/31 4

  5. htu tups:/ /upribox.org 5/31 5

  6. htu tups:/ /upribox.org 6/31 6

  7. Governmental Organizations #snowden  NSA piggybacks on Cookies / UUID  De-Anonymization of Tor users  Target selection for exploitation htu tups:/ /upribox.org 7/31 Gotta Block'Em All | CCC Camp 2015 | Markus Huber 7

  8. Ad/Tracker Blocker Arms Race

  9. Browser Extensions htu tups:/ /upribox.org 9/31

  10. Browser Extensions for Advertjsement  AdBlock Plus (ABP) • “Acceptable Ads” program • Maintains EasyList block rules • ABP Fork: AdBlock Edge  AdBlock • Based on AdBlock Plus EasyList • Solution for Chrome, ABP were to slow • Joined Acceptable Ads in October/2015  uBlock Based on EasyList, EasyPrivacy, Peter Lowe's List, Disconnect ● Focus on performance and privacy ● htu tups:/ /upribox.org 10/31

  11. Tracker Blocker ● Ghostery – Detectjon and blocking of trackers – Blocking is Opt-In ● Disconnect.me – Similar to Ghostery – Included in Firefox since v41 ● Privacy Badger – Heuristjcs instead of fjlter rules htu tups:/ /upribox.org 11/31

  12. Empirical Study ● How efgectjve are these browser extensions? ● Analysis of 200,000 websites (0.5 billion requests) – Selenium + difgerent browser extensions – Collectjon of network traffjc with mitmproxy ● Joined work with Georg Merzdovnik (SBA Research) htu tups:/ /upribox.org 12/31

  13. Study Results htu tups:/ /upribox.org 13/31

  14. Usable Privacy Box @usableprivacy

  15. Motjvatjon ● Browser extensions are effective ● What about smartphones / tablets? – Extensions for Android FF / Safari – In-App advertisement ! ● Make it even simpler than installing extensions ... htu tups:/ /upribox.org 15/31

  16. In-App Ads ● Malvertisement ● Sensitive info ● Leaks / Exploits htu tups:/ /upribox.org 16/31

  17. upribox - Usable Privacy Box ● Open Source Project – Supported by the Internet Foundatjon Austria ● Hardware – Raspberry Pi 2 (ARM Cortex-A7) – Wifj: 150Mbit drafu N ● Usable Privacy – Make Privacy Tools accessible htu tups:/ /upribox.org 17/31

  18. Main Features ● Silent Mode – Adblocking Wifj ● Ninja Mode – Adblocking + Tor Wifj ● VPN Server – Privacy with open access points htu tups:/ /upribox.org 18/31

  19. DNS based blocking ● DNS Blacklist (dnsmasq) – EasyList, Easylist Germany, EasyPrivacy – Resets Cookies news.com:80 content news.com:80 doubleclick.net:80 id=788087878 Expire 1.1.2020 empty document id=0 Expire 1.1.1970 google-analytics.com:443 id=788087878 Expire 1.1.2020 TCP RST htu tups:/ /upribox.org 19/31

  20. URL Filtering / CSS ● Transparent Proxy (privoxy) – URI path fjlter – Rules based on EasyList, EasyList Privacy – Injects CSS header ● CSS header – Make blocked content invisble htu tups:/ /upribox.org 20/31

  21. Network Blocking ● Easy to set up == connect to upribox WiFi ● Works with every device (e.g. old phones) ● TLS (HTTPS) – Actjve MiTM is a bad idea for a privacy tool – Certain trackers not blockable htu tups:/ /upribox.org 21/31

  22. Onion Routjng (Tor) ● Legacy devices ● Circumvent censorship ● Hide traffjc from your provider ● upribox advice: For best protectjon: – Download the Tor Browser Bundle! – htu tups:/ /upribox.org 22/31

  23. VPN ● Based on OpenVPN (certjfjcate based) ● IPSec with strongswan dropped ● Surf secure when on the road ● „Zero confjg“ tricky to set up – UpnP, NAT-PMP – Dynamic IPs htu tups:/ /upribox.org 23/31

  24. upribox alpha batch

  25. upribox alpha batch  alpha batch: fjrst 25 upriboxes  Deterministic builds Raspbian Wheezy image customized with ansible •  Rolling release Updates via git repo + ansible •  3D printed case  Chance to win one tonight! htu tups:/ /upribox.org 25/31

  26. upribox Community Image  Scheduled for December 2015  In-cooperate feedback from alpha batch  Reset crypto keys on fjrst boot  Updates on release: @usableprivacy htu tups:/ /upribox.org 26/31

  27. upribox Team Peter Judmaier, Gernot Rotuermanner (Usability) Lisa Gringl (Design), Bernhard Zeller (Web Development) Julian Rauchberger, Tobias Dam (Sofuware Development, Security, Confjguratjon Management) Aron Molnar, Anton Hinterleitner, Alex Kolmann (Network Security, Sofuware Prototype) Daniel Zeisner, Matuhias Borowski (Industrial Design) htu tups:/ /upribox.org 27/31

  28. upribox demo

  29. Takeaways from this presentation ...

  30.  We are entering an arms race between trackers and blockers .. .  Protection by browser extensions is efgective • Privacy Badger, Disconnect, uBlock  upriBox = Zero confjg  Soon you can turn your Raspberry Pi into an upribox htu tups:/ /upribox.org 30/31

  31. stay tuned for the public release: @usableprivacy contact me for questjons markus.huber@fistp.ac.at

More recommend