ARE YOU SURE YOU WANT TO CONTACT US? On the privacy risks at website contact pages UISGCON, December 2015 Alex Starov Privacy is a Trend in Security with Age Secure computation protocols for partial information games are from late 1970s The adversary is not an outsider (an eavesdropper) but rather the collaborating parties themselves (Moti Yungs keynote, CSS 2015) 2 What is Privacy? Privacy is an individuals right to control what happens with her personal and confidential data Five Fair Information Practice Principles (FTC, 1998): Minimize collection Minimize sharing Protect what you collect Post and follow a privacy policy Give users choice and access Anonymous and untrackable web browsing 3 Privacy Intrusion on Web Pages Privacy Intrusion PII LeaksAccidentalPurposefulTrackingBrowserStatelessStatefulNetwork (Astoria, NDSS 2016) How much Private Information should be revealed via Contact Pages? Web Browsing / Window Shopping Accepting Service / Buying 5 Contact Page is a Gateway 6 Anonymous Pseudonymous (tracked) Eponymous ( , name...) Pseudonymous Tracking is Fragile Ways of being identified (Narayanan, 2011): The third party is sometimes a first party Leakage of identifiers from first-party to third-party sites The third party buys your identity Hacks (the third party uses a security exploit) Continuous re-identification! 7 PII Leakage: Accidental 8 PII Leakage: Intentional 9 PII Leakage: Postponed 10 PII Leakage: Unsuspected 11 How much information do you share with locally popular websites? Drive-by-login attack: the end of the safe web (High-Tech Bridge Security Research, 2015) On the Privacy Practices of Just Plain Sites (Our work at CommerceNet, presented at WPES 2015) 12 OUR STUDY Measurements 13 Measuring potential leakage Characterizing Insecure JavaScript Practices on the Web (Yue et al., 2011) 66.4% websites include JavaScript from external domains into the top-level documents of their webpages You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions (Nikiforakis et al., 2012) 14 15 Contact Us: Remote JS Inclusion Measuring actual PII Leakage PaperTargetSampleMeasurement (Krishnamurthy et al., 2006) Hidden PII aggregation Top ~1000Automated by tools (Jensen et al., 2007) Online data practices Top ~25,000Own iWatch web crawler (Krishnamurthy et al., 2009) PII leakage12 popular OSNsManually (Krishnamurthy et al., 2009) Longitudinal study of PII aggregation Top ~1000Extension + Proxy (Krishnamurthy et al., 2011) PII leakageTop 100 non-OSNAutomation + Manual Analysis (Chaabane et al, 2014) PII leakageAll ~1500 apps for specific OSN Own platform (Englehardt et al, 2015) Web privacy measurement (specific studies)The OpenWPM platform 16 WANTED: Full Web Automation! 17 like in the Matrix Movie To trigger any actions on websites Lower bounds only limited by CAPTCHAs Contact Us: PhantomJS-based Crawler PhantomJS-based crawler that: Finds the web page containing a contact form Locates the contact form within the page Fills and submits the form with valid data Detects (or infers) the PII leakage in the traffic Identifying PII in HTTP traffic: Looking forbeing sent to 3 rd -party in the clear Repeating 3 submissions (one with changed) & comparing sent parameters to infer obfuscation 18 Contact Us: Key Results 6.1% Leak PII Intentionally via different marketing solutions via 3 rd -party form builders 2.5% Leak PII Accidentally with a great cascading effect 19 Running large-scale study on the top 100,000 websites, we found that 17% have contact forms, out of which: Contact Us: Leakage via Referer 20 Contact Us: Weblead Scripts 21 Contact Us: Weblead Providers 22 Contact Us: More on Webleads Indeed, over the duration of our experiment we received 309s from third parties, that is, domains which our crawler never contacted Leakage prevalently occur on submit, but in some cases even during filling a form! 23 Webleads were Reported to GHOSTERY 24 Contact Us: By Category 25 WEB TRACKING Pseudonymous identifiers 26 Stateful Tracking: 3 rd -party Cookies 27 Stateful Tracking: Evercookies Flash Cookies and Privacy (Soltani et al., 2009) 30% of websites copy HTTP cookies in Flash cookies, 4 cases of restoring deleted HTTP cookies detected JavaScript library evercookie (Samy Kamkar, 2010) Extensively replicating cookie values in a user's browser Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (Ayenson et al., 2011) ETags cache cookies work even in Private Browsing Mode The Web never forgets: Persistent tracking mechanisms in the wild (Acar et al., 2014) Trackers can receive more than 30 IDs via cookie syncing 28 Stateless Tracking: Fingerprinting A website may query the browser for different properties (features) Browser properties together can form a (nearly) unique ID 29 Features for Fingerprinting ACTIVE Time zone Screen resolution Installed fonts Installed plugins Enabled plugins Supported MIME types Cookies enabled Flash enabled PASSIVE IP address User Agent Language HTTP accept headers Operating system 30 How Unique Is Your Web Browser? (Eckersley, 2010) 31 Anticipated Threat of Fingerprinting Plugins are becoming obsolete: Mozilla Firefox only shows a partial list of plugins for scripts Google Chrome is to block plugins built on NPAPI architecture In 2010 Apple decided to not support Flash for security Extensions may serve as a new feature for fingerprinting! E.g., user-agent spoofing extensions (Cookieless monster, Nikiforakis et al., 2013) 32 OUR STUDY Protection 33 COUNTERMEASURES Policy-based Technologies Opt-Out Cookies, Do-Not-Track Header Privacy-preserving Browsers Tor Browser, Multi-principal proposals Privacy-protecting Tools Blocking or Deception 34 Privacy-protecting Tools ToolTargetDetectionProtection Adblock Plus AdsBlacklistingBlocking AdNauseam Ads-Unlinkability Chameleon FingerprintingMonitoringUnification FormLock Web Forms(not yet)Blocking Ghostery TrackersCrowdsourcingBlocking Privacy Badger TrackersLearningBlocking PriVaricator Fingerprinting-Unlinkability TorButton Fingerprinting-Unification TrackMeNot Search queries-Unlinkability 35 Deception = Unification or Unlinkability Crowdsourcing Business approach becomes a research strategy Challenges: How to preserve privacy? How to deal with poisoned data? Semi-automatic analysis? 36 Contact Us: FormLock Extension Form Warning If the method of form submission is GET If the target of a form is a third-party website or the whole form is a widget If the protocol is HTTP Form Locking Allows only requests to the first-party and target websites Upon releasing the lock removes all new browsing data Reloads the page with removed URL parameters 37 Contact Us: FormLock Extension 38 Contact Us: FormLock Extension 39 Thank You! Questions? 40 Oleksii StarovPhillipa GillNick Nikiforakis