privacy and security on the web part 1. agenda questions? stories? questions? stories? irb: i will...
Post on 19-Dec-2015
216 views
TRANSCRIPT
AgendaAgenda
Questions? Stories?Questions? Stories? IRB: I will review and hopefully IRB: I will review and hopefully
send tomorrow.send tomorrow. Proposals: I will grade by next Proposals: I will grade by next
TuesdayTuesday
In The Beginning…In The Beginning…
Man-in-the-middleMan-in-the-middle SniffingSniffing SSL solved theseSSL solved these Browser SSL indicatorsBrowser SSL indicators
– LocksLocks– KeysKeys– BordersBorders– URL barURL bar
Question: How would you show users that a secure connection exists?
Now Common Now Common Vulnerabilities Vulnerabilities ActiveX ControlsActiveX Controls Java applets (bypassing of sandbox’s Java applets (bypassing of sandbox’s
restrictions)restrictions) Cross-Site Scripting (mainly faults of web sites)Cross-Site Scripting (mainly faults of web sites) Cross-Zone and Cross-Domain VulnerabilitiesCross-Zone and Cross-Domain Vulnerabilities
– Prevention of a web site from accessing data in a Prevention of a web site from accessing data in a different domain (or zone) is brokendifferent domain (or zone) is broken
Malicious Scripting, Active Content, and HTMLMalicious Scripting, Active Content, and HTML Spoofing (faking various parts of the browser Spoofing (faking various parts of the browser
user interface)user interface)
Also PrivacyAlso Privacy
Users give personal information to get Users give personal information to get somethingsomething
creating accounts, completing real world creating accounts, completing real world transactions, etc.transactions, etc.
Cookies (usernames, sessionIDs, etc.)Cookies (usernames, sessionIDs, etc.) (which of course leads to phishing)(which of course leads to phishing)
Just part of visiting a siteJust part of visiting a site Tracking cookiesTracking cookies Web bugsWeb bugs Traffic logsTraffic logs
So what do users do?So what do users do?
Privacy practices paper results:Privacy practices paper results:– Users actions and stated Users actions and stated
preferences don’t always agreepreferences don’t always agree– Users do not understand current Users do not understand current
technologies relating to privacytechnologies relating to privacy– Judge “trustworthiness” on a variety Judge “trustworthiness” on a variety
of factorsof factors– Do not read privacy policies, but do Do not read privacy policies, but do
use their presence to judge trustuse their presence to judge trust
Implications?
Privacy policiesPrivacy policies
How to make one:How to make one:– http://www.the-dma.org/privacy/creating.shtml#for
m
Examples:– http://www.amazon.com/gp/help/customer/display.
html/102-1254057-3890544?ie=UTF8&nodeId=468496
What’s wrong with What’s wrong with them?them? Accessibility?Accessibility? Readability?Readability?
– Number of notices contain complex Number of notices contain complex language requiring college-level language requiring college-level knowledgeknowledge
Length (time)Length (time) ContentContentSee Jensen and Potts. Privacy policies as decision-making tools: an evaluation of online privacy notices. CHI 2004.
Proposed solution: P3PProposed solution: P3P
What is P3P?What is P3P? What do you think of P3P?What do you think of P3P? What happened to P3P?What happened to P3P?
Creating P3P policies:Creating P3P policies:– http://www.p3ptoolbox.org/tools/resources1.shtmlhttp://www.p3ptoolbox.org/tools/resources1.shtml
P3P and P3P user P3P and P3P user agentsagents What: machine readable privacy policy in XML What: machine readable privacy policy in XML
format. format. How does it work? How does it work?
– website encode their privacy policies in P3P formatwebsite encode their privacy policies in P3P format– User agents read the policy and parse it outUser agents read the policy and parse it out
Benefit: Offers an easy way for web sites to Benefit: Offers an easy way for web sites to communicate about their privacy policies in a communicate about their privacy policies in a standard machine-readable formatstandard machine-readable format
Privacy is visualized in the following ways: Privacy is visualized in the following ways: – Summarize privacy policiesSummarize privacy policies– Compare policies with user preferencesCompare policies with user preferences– Alert and advise usersAlert and advise users
Web Bugs and Traffic Web Bugs and Traffic LogsLogs Loading of remote image that doesn’t Loading of remote image that doesn’t
impact visual layout of pageimpact visual layout of page Set 3Set 3rdrd party cookie party cookie Remote server can log event of image Remote server can log event of image
load even if cookie is rejectedload even if cookie is rejected However, there are lots of cases where However, there are lots of cases where
we want our browsers to load images we want our browsers to load images and display them to usand display them to us
Can be difficult to tell when this action Can be difficult to tell when this action is beneficial and when it isn’tis beneficial and when it isn’t
P3P in IE6P3P in IE6
Privacy icon on status bar indicates that a cookie has been blocked – pop-up appears the first time the privacy icon appears
Automatic processing of compact policies only;third-party cookies without compact policies blocked by default
Users can click on privacy icon forlist of cookies; privacy summariesare available atsites that are P3P-enabled
What other tools are What other tools are out there?out there? Anti-spywareAnti-spyware Cookie managersCookie managers AnonymizersAnonymizers Password managers and protectorsPassword managers and protectors Anti-phishing toolbarsAnti-phishing toolbars Encryption toolsEncryption tools Disk wiping utilitiesDisk wiping utilities
What do you use?What do you use? What do you do manually to protect What do you do manually to protect
yourself?yourself?
Research questionResearch question
What privacy issues should What privacy issues should people be aware of on the people be aware of on the Internet?Internet?
How do we build tools to make How do we build tools to make people aware of these?people aware of these?