
Web Browser Privacy & Security, Fan Du, CMSC 818D Class - PowerPoint PPT Presentation



  1. Web Browser Privacy & Security. Fan Du, CMSC 818D Class Presentation, 4/16/2015

  2. Outline • Q1: How to Prevent Web Tracking? • Q2: How to Opt Out of Online Behavioral Advertising? • Q3: How to Design Phishing Websites?

  3. Outline • Q1: How to Prevent Web Tracking? • ShareMeNot: Balancing Privacy and Functionality of Third-Party Social Widgets • Q2: How to Opt Out of Online Behavioral Advertising? • Q3: How to Design Phishing Websites?

  4. [image] source: www.addthis.com

  5. Social Widgets. source: Facebook, Google, Twitter, LinkedIn

  6. Social Widgets. source: Facebook, Google, Twitter, LinkedIn

  7. Your identity • Your browsing history • Your political opinions • Your habits. source: TL - Facebook, TR - http://iptv-work.at.ua, BL - http://pixshark.com/timeline-clipart-for-kids.htm, BR - CNN

  8. Vote • A - Social Widgets track me when I click on them. • B - Social Widgets track me even if I ignore them. source: Facebook, Google, Twitter, LinkedIn, http://www.gunslot.com/pictures/re-imagined-facebook-button

  9. How Do They Work? source: Roesner, Franziska, et al. "ShareMeNot: Balancing privacy and functionality of third-party social widgets." Usenix (2012).

  10. How Do They Work? source: Roesner, Franziska, et al. "ShareMeNot: Balancing privacy and functionality of third-party social widgets." Usenix (2012).

  11. How Do They Work? source: Roesner, Franziska, et al. "ShareMeNot: Balancing privacy and functionality of third-party social widgets." Usenix (2012).

  12. Hard to Defend • The cookies are “baked” from a 1st-party position (they are set when the user visits the social site directly, so blocking third-party cookies does not help). source: http://pixgood.com/facebook-cookies.html

  13. Hard to Defend • The cookies are “baked” from a 1st-party position • Do Not Track Header. source: http://amqueretaro.com/fotogalerias/2014/04/20/fotos-ir-en-contra-de-las-reglas-nunca-fue-tan-divertido

  14. Hard to Defend • The cookies are “baked” from a 1st-party position • Do Not Track Header • The functions are desired. source: http://i.kinja-img.com/gawker-media/image/upload/s--xGcq1y03--/c_fit,fl_progressive,q_80,w_636/18rc5mwoft1d3jpg.jpg

  15. ShareMeNot. source: sharemenot.cs.washington.edu

  16. ShareMeNot. source: sharemenot.cs.washington.edu

  17. ShareMeNot 1. Identify HTTP requests for tracker buttons 2. Block the requests and insert replacement buttons 3. When users click the replacement buttons, load the actual widget 4. Users need to click again to trigger the “like” function. source: sharemenot.cs.washington.edu
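The four ShareMeNot steps on the slide above, as an added JavaScript illustration that is not the extension's own code: the tracker URL patterns in TRACKER_BUTTONS, the browsing log SAMPLE_LOG with its news-a.example / news-b.example pages, and the placeholder: replacement token are constructed assumptions.

```javascript
// Added illustration of the four ShareMeNot steps on the slide above; not the
// extension's own code. Tracker URL patterns are constructed examples.
const TRACKER_BUTTONS = [
  { name: "Facebook", pattern: /^https:\/\/www\.facebook\.com\/plugins\/like\.php/ },
  { name: "Twitter", pattern: /^https:\/\/platform\.twitter\.com\/widgets\.js/ },
];
const SAMPLE_LOG = [ // constructed browsing log: two news pages with social buttons
  { pageOrigin: "https://news-a.example", url: "https://news-a.example/app.js" },
  { pageOrigin: "https://news-a.example", url: "https://www.facebook.com/plugins/like.php?href=a" },
  { pageOrigin: "https://news-b.example", url: "https://www.facebook.com/plugins/like.php?href=b" },
  { pageOrigin: "https://news-b.example", url: "https://platform.twitter.com/widgets.js" },
];
// Step 1: identify a request for a tracker button (tracker name or null).
function identifyTracker(url) {
  const hit = TRACKER_BUTTONS.find((t) => t.pattern.test(url));
  return hit ? hit.name : null;
}
class ShareMeNotPolicy {
  activated = new Map(); // pageOrigin -> Set of tracker names the user activated
  // Step 2: block tracker requests (the tracker never learns of this page
  // visit) and ask for a replacement button, unless already activated here.
  decide(pageOrigin, url) {
    const tracker = identifyTracker(url);
    if (tracker === null) return { action: "allow", tracker: null };
    if (this.activated.get(pageOrigin)?.has(tracker)) return { action: "allow", tracker };
    return { action: "block", tracker, replacement: `placeholder:${tracker}` };
  }
  // Step 3: the first click activates the tracker on this page so the real
  // widget loads. Step 4: a later click reaches the real widget, which "likes".
  click(pageOrigin, tracker) {
    if (!this.activated.has(pageOrigin)) this.activated.set(pageOrigin, new Set());
    const set = this.activated.get(pageOrigin);
    if (set.has(tracker)) return "forwarded-to-widget";
    set.add(tracker);
    return "widget-loaded";
  }
}
// Replay a request log and count, per tracker, the distinct pages that reached
// it (the "# of top domains" metric on the evaluation slides); policy = null is the baseline.
function domainsReached(requests, policy) {
  const reached = new Map();
  for (const { pageOrigin, url } of requests) {
    const tracker = identifyTracker(url);
    if (tracker === null) continue;
    if (policy && policy.decide(pageOrigin, url).action === "block") continue;
    if (!reached.has(tracker)) reached.set(tracker, new Set());
    reached.get(tracker).add(pageOrigin);
  }
  return Object.fromEntries([...reached].map(([t, s]) => [t, s.size]));
}
```

Replaying SAMPLE_LOG without a policy reports every page that embeds a button; with a fresh policy nothing reaches the trackers until the user clicks a replacement button on a given page.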

  18. [image] source: sharemenot.cs.washington.edu

  19. [image] source: sharemenot.cs.washington.edu

  20. [image] source: CNN

  21. Evaluation [chart: # of Top Domains vs. Top 20 Social Widgets]. source: Roesner, Franziska, et al. "ShareMeNot: Balancing privacy and functionality of third-party social widgets." Usenix (2012).

  22. Evaluation (# of top domains per tracker):
      Tracker       Without ShareMeNot   With ShareMeNot
      Facebook      154                  9
      Google        149                  15
      Twitter       93                   0
      AddThis       34                   0
      YouTube       30                   0
      LinkedIn      22                   0
      Digg          8                    0
      Stumbleupon   6                    0
      source: Roesner, Franziska, et al. "ShareMeNot: Balancing privacy and functionality of third-party social widgets." Usenix (2012).

  23. User Study. source: http://adsoftheworld.com/sites/default/files/media-vimeo/70533052.jpg

  24. Discussion • How would you design a user study for ShareMeNot? source: sharemenot.cs.washington.edu

  25. Outline • Q1: How to Prevent Web Tracking? • Q2: How to Opt Out of Online Behavioral Advertising? • Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising • Q3: How to Design Phishing Websites?

  26. Your identity • Your browsing history • Social Widgets • Your political opinions • Your habits. source: TL - Facebook, TR - http://iptv-work.at.ua, BL - http://pixshark.com/timeline-clipart-for-kids.htm, BR - CNN

  27. Your identity • Your browsing history • Social Widgets • Your political opinions • Your habits. source: TL - Facebook, TR - http://iptv-work.at.ua, BL - http://pixshark.com/timeline-clipart-for-kids.htm, BR - CNN, CENTER - http://www.gunslot.com/pictures/re-imagined-facebook-button

  28. Online Behavioral Advertising • Trackers • Social Widgets. source: http://adsoftheworld.com/media/print/dicks_sporting_goods_nike_cleat, http://s.petrolicious.com/2015/vintage-friday/01-jan/Mens%20Shaving%20Posters/vf-mens-shaving-posters-6.jpg, http://www.ideyab.com/images/contents/0123230525-galleries.jpg

  29. “I would not allow advertisers to track my information” – 87% of participants in a 2009 study (Turow et al.)

  30. “Targeted Ads are invasive” – 64% of participants in a 2009 study (Turow et al.)

  31. Privacy Tools • Opt-out tools. source: www.privacyfix.com/start/install

  32. Privacy Tools • Opt-out tools • Browsers’ built-in settings. source: Firefox

  33. Privacy Tools • Opt-out tools • Browsers’ built-in settings • Blocking tools. source: AdBlockPlus

  34. Study • 45-participant between-subjects lab study. • Each participant tested one of nine privacy tools. • All non-technical and not knowledgeable about privacy tools. source: Leon, Pedro, et al. "Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2012.

  35. Study 1. Journal Video -> attitudes towards behavioral advertising 2. Installation -> understanding of the tool 3. Configuration -> survey and verbal questions. source: Leon, Pedro, et al. "Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2012.

  36. Study 1. Journal Video -> attitudes towards behavioral advertising 2. Installation -> understanding of the tool 3. Configuration -> survey and verbal questions 4. Resolve Problems -> usability questionnaire. source: Leon, Pedro, et al. "Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2012.

  37. Results • Users can’t distinguish between trackers. source: AdBlockPlus

  38. Results • Users can’t distinguish between trackers • Inappropriate defaults. source: Firefox

  39. Results • Users can’t distinguish between trackers • Inappropriate defaults • Communication problems. source: AdBlockPlus

  40. Results • Users can’t distinguish between trackers • Inappropriate defaults • Communication problems • Need for feedback. source: http://habrahabr.ru/hub/javascript/page7/

  41. Results • Users can’t distinguish between trackers • Inappropriate defaults • Communication problems • Need for feedback • Breaking websites. source: http://facebookcommentimages.com/wp-content/uploads/2014/01/like.png

  42. Feedback. source: Firefox

  43. Outline • Q1: How to Prevent Web Tracking? • Q2: How to Opt Out of Online Behavioral Advertising? • Q3: How to Design Phishing Websites? • Why Phishing Works

  44. Phishing Websites. source: https://www.eff.org/files/images_insert/april_11_copy.png

  45. Strategies: Lack of Knowledge • Domain names (www.ebay-members.com) • Security indicators (SSL certificate). source: https://www.thesslstore.com/images/img-green-addressbar.png

  46. Strategies: Visual Deception • Domain names (www.paypai.com) • Logo and design. source: https://www.eff.org/files/images_insert/april_11_copy.png

  47. Strategies: Bounded Attention • Absence of security indicators (SSL certificate)
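An added defensive check (not code from "Why Phishing Works") that flags the two deceptive-domain patterns the strategy slides cite, www.ebay-members.com and www.paypai.com; the BRANDS list, the CONFUSABLES map and the last-two-labels registered-domain rule are assumptions for illustration.

```javascript
// Added defensive illustration of the deceptive-domain strategies on the
// slides (www.ebay-members.com, www.paypai.com); not code from the paper.
// The brand list and the confusable-character map are constructed examples.
const BRANDS = { paypal: "paypal.com", ebay: "ebay.com" };
const CONFUSABLES = { rn: "m", vv: "w", "0": "o", "1": "l", i: "l" };

// Naive registrable-domain rule (last two labels). A real checker should use
// the Public Suffix List so hosts like example.co.uk are handled correctly.
function registeredDomain(host) {
  return host.trim().toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Map visually confusable sequences to one canonical form before comparing;
// both the candidate label and the brand go through this, so "paypai" == "paypal".
function canonical(label) {
  return Object.entries(CONFUSABLES).reduce((s, [from, to]) => s.split(from).join(to), label);
}

// Levenshtein distance, used to catch one-character lookalikes.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Classify a host name seen in a link or in the address bar.
function checkHost(host) {
  const reg = registeredDomain(host);
  const label = reg.split(".")[0];
  for (const [brand, legit] of Object.entries(BRANDS)) {
    if (reg === legit) return { verdict: "legitimate", brand, reason: "exact" };
  }
  for (const brand of Object.keys(BRANDS)) {
    // "Lack of knowledge": the brand name embedded in some other registered domain.
    if (label.includes(brand)) return { verdict: "suspicious", brand, reason: "brand-in-domain" };
    // "Visual deception": a confusable or one-character variant of the brand.
    if (editDistance(canonical(label), canonical(brand)) <= 1)
      return { verdict: "suspicious", brand, reason: "lookalike" };
  }
  return { verdict: "unknown", brand: null, reason: "no-match" };
}
```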

  48. Study • 22 participants • 20 websites • Within-subjects: every participant saw every website. source: Dhamija, Rachna, J. Doug Tygar, and Marti Hearst. "Why phishing works." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2006.

  49. “Imagine that you receive an email message that asks you to click on one of the following links. Imagine that you decide to click on the link to see if it is a legitimate website or a spoof” – Scenario. source: Dhamija, Rachna, J. Doug Tygar, and Marti Hearst. "Why phishing works." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2006.

  50. Results • Good phishing websites fooled 90% of participants • 23% of participants did not look at the address bar, status bar or the security indicators • Participants on average made mistakes 40% of the time • 68% of participants proceeded without hesitation when presented with popup warnings • Education, age, sex, previous experience and hours of computer use are all not significantly correlated with vulnerability to phishing. source: Dhamija, Rachna, J. Doug Tygar, and Marti Hearst. "Why phishing works." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2006.

  51. Thank you! • Q1: How to Prevent Web Tracking? • Q2: How to Opt Out of Online Behavioral Advertising? • Q3: How to Design Phishing Websites?
