Privacy and Security Privacy and Security on the Webon the Web

Part 1Part 1

AgendaAgenda

Questions? Stories?Questions? Stories? IRB: I will review and hopefully IRB: I will review and hopefully

send tomorrow.send tomorrow. Proposals: I will grade by next Proposals: I will grade by next

TuesdayTuesday

In The Beginning…In The Beginning…

Man-in-the-middleMan-in-the-middle SniffingSniffing SSL solved theseSSL solved these Browser SSL indicatorsBrowser SSL indicators

– LocksLocks– KeysKeys– BordersBorders– URL barURL bar

Question: How would you show users that a secure connection exists?

Now Common Now Common Vulnerabilities Vulnerabilities ActiveX ControlsActiveX Controls Java applets (bypassing of sandbox’s Java applets (bypassing of sandbox’s

restrictions)restrictions) Cross-Site Scripting (mainly faults of web sites)Cross-Site Scripting (mainly faults of web sites) Cross-Zone and Cross-Domain VulnerabilitiesCross-Zone and Cross-Domain Vulnerabilities

– Prevention of a web site from accessing data in a Prevention of a web site from accessing data in a different domain (or zone) is brokendifferent domain (or zone) is broken

Malicious Scripting, Active Content, and HTMLMalicious Scripting, Active Content, and HTML Spoofing (faking various parts of the browser Spoofing (faking various parts of the browser

user interface)user interface)

Also PrivacyAlso Privacy

Users give personal information to get Users give personal information to get somethingsomething

creating accounts, completing real world creating accounts, completing real world transactions, etc.transactions, etc.

Cookies (usernames, sessionIDs, etc.)Cookies (usernames, sessionIDs, etc.) (which of course leads to phishing)(which of course leads to phishing)

Just part of visiting a siteJust part of visiting a site Tracking cookiesTracking cookies Web bugsWeb bugs Traffic logsTraffic logs

So what do users do?So what do users do?

Privacy practices paper results:Privacy practices paper results:– Users actions and stated Users actions and stated

preferences don’t always agreepreferences don’t always agree– Users do not understand current Users do not understand current

technologies relating to privacytechnologies relating to privacy– Judge “trustworthiness” on a variety Judge “trustworthiness” on a variety

of factorsof factors– Do not read privacy policies, but do Do not read privacy policies, but do

use their presence to judge trustuse their presence to judge trust

Implications?

Privacy policiesPrivacy policies

How to make one:How to make one:– http://www.the-dma.org/privacy/creating.shtml#for

m

Examples:– http://www.amazon.com/gp/help/customer/display.

html/102-1254057-3890544?ie=UTF8&nodeId=468496

What’s wrong with What’s wrong with them?them? Accessibility?Accessibility? Readability?Readability?

– Number of notices contain complex Number of notices contain complex language requiring college-level language requiring college-level knowledgeknowledge

Length (time)Length (time) ContentContentSee Jensen and Potts. Privacy policies as decision-making tools: an evaluation of online privacy notices. CHI 2004.

Proposed solution: P3PProposed solution: P3P

What is P3P?What is P3P? What do you think of P3P?What do you think of P3P? What happened to P3P?What happened to P3P?

Creating P3P policies:Creating P3P policies:– http://www.p3ptoolbox.org/tools/resources1.shtmlhttp://www.p3ptoolbox.org/tools/resources1.shtml

P3P and P3P user P3P and P3P user agentsagents What: machine readable privacy policy in XML What: machine readable privacy policy in XML

format. format. How does it work? How does it work?

– website encode their privacy policies in P3P formatwebsite encode their privacy policies in P3P format– User agents read the policy and parse it outUser agents read the policy and parse it out

Benefit: Offers an easy way for web sites to Benefit: Offers an easy way for web sites to communicate about their privacy policies in a communicate about their privacy policies in a standard machine-readable formatstandard machine-readable format

Privacy is visualized in the following ways: Privacy is visualized in the following ways: – Summarize privacy policiesSummarize privacy policies– Compare policies with user preferencesCompare policies with user preferences– Alert and advise usersAlert and advise users

Privacy Bird: demoPrivacy Bird: demo

Opinions on Privacy Bird?Opinions on Privacy Bird?

Web Bugs and Traffic Web Bugs and Traffic LogsLogs Loading of remote image that doesn’t Loading of remote image that doesn’t

impact visual layout of pageimpact visual layout of page Set 3Set 3rdrd party cookie party cookie Remote server can log event of image Remote server can log event of image

load even if cookie is rejectedload even if cookie is rejected However, there are lots of cases where However, there are lots of cases where

we want our browsers to load images we want our browsers to load images and display them to usand display them to us

Can be difficult to tell when this action Can be difficult to tell when this action is beneficial and when it isn’tis beneficial and when it isn’t

Bugnosis: A demoBugnosis: A demo

Thoughts?Thoughts?

P3P in IE6P3P in IE6

Privacy icon on status bar indicates that a cookie has been blocked – pop-up appears the first time the privacy icon appears

Automatic processing of compact policies only;third-party cookies without compact policies blocked by default

Users can click on privacy icon forlist of cookies; privacy summariesare available atsites that are P3P-enabled

Privacy summary report isgenerated automaticallyfrom full P3P policy

What other tools are What other tools are out there?out there? Anti-spywareAnti-spyware Cookie managersCookie managers AnonymizersAnonymizers Password managers and protectorsPassword managers and protectors Anti-phishing toolbarsAnti-phishing toolbars Encryption toolsEncryption tools Disk wiping utilitiesDisk wiping utilities

What do you use?What do you use? What do you do manually to protect What do you do manually to protect

yourself?yourself?

Research questionResearch question

What privacy issues should What privacy issues should people be aware of on the people be aware of on the Internet?Internet?

How do we build tools to make How do we build tools to make people aware of these?people aware of these?

Next weekNext week

More Security/Privacy and the More Security/Privacy and the InternetInternet

Heuristic eval of Firefox Heuristic eval of Firefox extensionsextensions

Test prepTest prep Exam: 2 weeks from todayExam: 2 weeks from today