google safe browsing privacy and security
play

Google Safe Browsing: Privacy and Security Amrit Kumar Univ. de - PowerPoint PPT Presentation

Mar 14, 2024 •376 likes •766 views

Google Safe Browsing: Privacy and Security Amrit Kumar Univ. de Grenoble Alpes & Privatics team, INRIA June 4, 2015 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 1 Outline Google Safe Browsing 1 Privacy 2

  1. Google Safe Browsing: Privacy and Security Amrit Kumar Univ. de Grenoble Alpes & Privatics team, INRIA June 4, 2015 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 1

  2. Outline Google Safe Browsing 1 Privacy 2 Security 3 Conclusion 4 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 2

  3. Outline Google Safe Browsing 1 Privacy 2 Security 3 Conclusion 4 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 3

  4. Google Safe Browsing Demo time ! d99q.cn Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 4

  5. Google Safe Browsing Started in 2008 by Google and used by : ◮ Google Chrome ◮ Mozilla Firefox ◮ Apple Safari ◮ Opera Impact : billions of users according to Google Goals : prevent users from visiting ◮ phishing sites ◮ malwares sites Methodology : blacklist API compatibility with C# , Python and PHP Cloned by Yandex . Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 5

  6. Safe Browsing Lookup API Google crawls the web to seek phishing and malwares URLs to feed a blacklist on their servers. How to use ? Ask Google ’s server using a simple HTTP GET request. https://sb-ssl.google.com/safebrowsing/api/lookup? Issues : • bad scaling • privacy issue Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 6

  7. The first blacklist Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 7

  8. 72 demons in the catalog Agares Aim Alloces Amdusias Amon Amy Andras Andrealphus Andromalius . . . Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 8

  9. Identifying demon Problem : Is a hand book. How to make it a pocket book ? Solution : Lossy compression. Ag Ai Al Am An . . . From 72 names to 50 prefixes (30% compression). From 518 characters to 100 (80% compression). Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 9

  10. False positives Hollande → Ho is not in the pocket book. Hollande isn’t a demon. Valls → Va is in the pocket book. But Valls isn’t in the complete catalog. ⇒ false positive ! If a prefix is in the compressed list : ◮ Inconclusive : requires a verification from the handbook ◮ For Va , we would have : Valefar , Vapula et Vassago . ◮ Check among the full words. Solution is interesting if false positives are small in number. Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 10

  11. Google Safe Browsing (GSB) API v3 The local lookups are done over these files : List name Description # prefixes goog-malware-shavar malware 317,807 googpub-phish-shavar phishing 312,621 goog-regtest-shavar test file 29,667 goog-whitedomain-shavar unused 1 Nearly ≈ 650000 entries overall. We are not working on URLs themselves but on their digests. We only use the first 4 bytes of SHA-256 digest. Prefix32(SHA256(www.example.com/))=0xd59cc9d3 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 11

  12. GSB API v3 Non- Found no Start malicious prefixes ? client URL no yes Canonicalize Get full Found Update no URL and compute digests digest ? needed ? digests yes yes Update local database Malicious URL Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 12

  13. Yandex Safe Browsing (YSB) Google ’s Evil Twin Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 13

  14. Yandex Safe Browsing API List name Description # prefixes goog-malware-shavar malware 283,211 goog-mobile-only-malware-shavar mobile malware 2,107 goog-phish-shavar phishing 31,593 ydx-adult-shavar adult website 434 ydx-adult-testing-shavar test file 535 ydx-imgs-shavar malicious image 0 ydx-malware-shavar malware 283,211 ydx-mitb-masks-shavar man-in-the-browser 87 ydx-mobile-only-malware-shavar malware 2,107 ydx-phish-shavar phishing 31,593 ydx-porno-hosts-top-shavar pornography 99,990 ydx-sms-fraud-shavar sms fraud 10,609 ydx-test-shavar test file 0 ydx-yellow-shavar shocking content 209 ydx-yellow-testing-shavar test file 370 ydx-badcrxids-digestvar .crx file ids * ydx-badbin-digestvar malicious binary * ydx-mitb-uids man-in-the-browser * ydx-badcrxids-testing-digestvar test file * Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 14

  15. Why 32-bit prefixes ? Optmization Data structure (MB) SHA-256 Raw data (MB) size Compr. prefix (bits) 32 2. 5 1.3 1.9 64 5.1 3.9 1.3 80 6.4 5.1 1.2 128 10.2 8.9 1.1 256 20.3 19.1 1 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 15

  16. Why 32-bit prefixes ? Privacy Year # unique URLs ( Google ) # of domains 2008 1 Billion 177 Million 2012 30 Billion 252 Million 2013 60 Billion 271 Million M for URLs M for domain ℓ (bits) 2008 2012 2013 2008 2012 2013 2 28 2 28 2 29 16 253 363 388 32 443 7541 14757 2 3 3 64 2 2 2 1 1 1 96 1 1 1 1 1 1 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 16

  17. Outline Google Safe Browsing 1 Privacy 2 Security 3 Conclusion 4 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 17

  18. Highlights Google Chrome Privacy Notice on Safe Browsing. “ Google cannot determine the real URL from this information. ” (to be read prefixes) This statement is re-iterated in GSB usage in Mozilla Firefox. Conclusion : GSB must provide the same level of privacy than a private information retrieval algorithm . Really ? Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 18

  19. Re-identification URL 32-bit prefix https://persyval-lab.org/content/edition/ 0x2929f0b1 https://persyval-lab.org/content/ 0xc99584e3 https://persyval-lab.org/ 0x192af851 Problem with the false-positives : 1 match : 0x2929f0b1 → no privacy issue. 2 matches : 0xc99584e3 and 0x192af851 → Problem . Sending several prefixes is indeed the case. More problem with temporal correlation : URL 32-bit prefix https://persyval-lab.org/phd/appel-2015/depot/ 0x6e2abf0a https://persyval-lab.org/phd/appel-2015/ 0x79f13238 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 19

  20. Interesting URLs URL matching decomposition prefix fr.xhamster.com/ 0xe4fdd86c http ://fr.xhamster.com/user/video xhamster.com/ 0x3074e021 nl.xhamster.com/ 0xa95055ff http ://nl.xhamster.com/user/video xhamster.com/ 0x3074e021 m.mofos.com/ 0x6e961650 http ://m.mofos.com/user/login mofos.com/ 0x00354501 m.mofos.com/ 0x6e961650 http ://m.mofos.com/user/logout mofos.com/ 0x00354501 mobile.teenslovehugecocks.com/ 0x585667a5 http ://mobile.teenslovehugecocks.com/user/join teenslovehugecocks.com/ 0x92824b5c fr.xhamster.com/ 0xe4fdd86c http ://fr.xhamster.com/user/kmille xhamster.com/ 0x3074e021 de.xhamster.com/ 0x0215bac9 http ://de.xhamster.com/user/video xhamster.com/ 0x3074e021 nl.xhamster.com/ 0xa95055ff http ://nl.xhamster.com/user/ppbbg xhamster.com/ 0x3074e021 nl.xhamster.com/ 0xa95055ff http ://nl.xhamster.com/user/photo xhamster.com/ 0x3074e021 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 20

  21. Am I paranoid ? Twitter Bitly Mail.ru Facebook Orbitum Firefox Chrome GSB WOT YSB Maxthon Chromium TRUSTe DuckDuckGo Yandex.Browser Opera Safari 65% of the browsers in use. Major social networks. Activated by default in some releases of Tor Browsers. Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 21

  22. Orphans #full hash per prefix list name 0 1 2 Total goog-malware-shavar 0.9% 99% 0.1% 317,807 Google googpub-phish-shavar 0.9% 99% 0.1% 312,621 ydx-malware-shavar 1.5% 98% 0.5% 283,211 ydx-adult-shavar 43% 57% 0 434 ydx-mobile-only-malware-shavar 6% 94% 0 2,107 ydx-phish-shavar 99% 1% 0 31,593 Yandex ydx-mitb-masks-shavar 100% 0 0 87 ydx-porno-hosts-top-shavar 1% 99% 0 99,990 ydx-sms-fraud-shavar 95% 5% 0 10,609 ydx-yellow-shavar 100% 0 0 209 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 22

  23. Popular orphans #Coll. with TopAlexa list name 0 1 2 Total goog-malware-shavar 0 572 0 572 Google googpub-phish-shavar 0 88 0 88 ydx-malware-shavar 73 2,614 0 2,687 ydx-adult-shavar 38 43 0 81 ydx-mobile-only-malware-shavar 2 22 0 24 ydx-phish-shavar 22 0 0 22 Yandex ydx-mitb-masks-shavar 2 0 0 2 ydx-porno-hosts-top-shavar 43 17,541 0 17,584 ydx-sms-fraud-shavar 76 3 0 79 ydx-yellow-shavar 15 0 0 15 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 23

  24. Conclusion Google and Yandex can track users. Mysterious files : Presence of large number of orphans. Accountability ? Private Information Retrieval is the definitive answer, but ... Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 24

  25. Outline Google Safe Browsing 1 Privacy 2 Security 3 Conclusion 4 Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 25

  26. Unsafe Browsing SB architecture is meaningful if false positive probability is low. Can an attacker increase the false positive probability ? ◮ Increase requests towards server. ◮ Increase responses towards client. ◮ Or both. Attack impact : ◮ Challenges the design rationale of the verification algorithm. ◮ Safe browsing can be potentially brought to its knees. ◮ Consumes bandwidth on client’s side. Goal is to mount a DoS attack. Kumar (Univ. de Grenoble Alpes) Google Safe Browsing June 4, 2015 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Google Privacy & Security interfaces Dominic Battr Robert Brauer Google Confidential and

Google Privacy & Security interfaces Dominic Battr Robert Brauer Google Confidential and

Google Privacy & Security interfaces Dominic Battr Robert Brauer Google Confidential and Proprietary Google Privacy Principles 1. Use information to provide our users with valuable products and services. 2. Develop products that

541 views • 13 slides
Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2.

Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2.

Clear Chrome Browsing Data 1. Click on the 3 dots on the Chrome Browser and select Settings 2. Scroll down to Privacy and security and click on Clear browsing data 3. Select the time frame, then Clear data Google Meet Grid View Issues If you are

297 views • 10 slides
A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome

A Safe and Stateless Platform - Introduction to Google Chrome OS Security model Google Chrome OS Speed Security - Verified boot Security - Reboot to recover Security for the internet age Current Operating Systems Chrome OS Apps have

424 views • 8 slides
On the Privacy of Private Browsing Kiavash Satvat, Ma8

On the Privacy of Private Browsing Kiavash Satvat, Ma8

On the Privacy of Private Browsing Kiavash Satvat, Ma8 Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM13 IntroducGon 2005, Safari first

996 views • 19 slides
The Price of Privacy In Untrusted Recommendation Engines Siddhartha Banerjee, Nidhi Hegde &

The Price of Privacy In Untrusted Recommendation Engines Siddhartha Banerjee, Nidhi Hegde &

The Price of Privacy In Untrusted Recommendation Engines Siddhartha Banerjee, Nidhi Hegde & Laurent Massouli UT Austin Technicolor Privacy efficiency trade-offs q Google & FaceBook track online browsing behaviour q Apple

610 views • 27 slides
CUJO - Safe Browsing with Lua Lourival Vieira Neto <lourival.neto@getcujo.com> Introduction

CUJO - Safe Browsing with Lua Lourival Vieira Neto <lourival.neto@getcujo.com> Introduction

CUJO - Safe Browsing with Lua Lourival Vieira Neto <lourival.neto@getcujo.com> Introduction CUJO Smart Firewall Safe Browsing Parental Controls Introduction CUJO Firmware Team Gabriel Ligneul Iruat

603 views • 31 slides
CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Forced/forceful browsing sws2 1 Forced browsing (not in book!) Supplying a URL directly

Forced/forceful browsing sws2 1 Forced browsing (not in book!) Supplying a URL directly

Software and Web Security 2 Forced/forceful browsing sws2 1 Forced browsing (not in book!) Supplying a URL directly (forcing the URL) rather than by accessing it by following links from other pages Modify (numerical) value in known

1.16k views • 38 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini

Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini

SESSION ID: MLAI-W03 Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini Research Scientist, Google Brain #RSAC Act I: On the Security and Privacy of Neural Networks #RSAC Let's play a game

1.07k views • 103 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Improving Web Performance on Mobile Browsers bengr@google.com Desktop browsing is fast,

Improving Web Performance on Mobile Browsers bengr@google.com Desktop browsing is fast,

Improving Web Performance on Mobile Browsers bengr@google.com Desktop browsing is fast, relatively speaking. Desktops and laptops are over-provisioned to display web pages The have GBs of RAM, fast processors, fast networks

316 views • 19 slides
SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain

#RSAC SESSION ID: SECURITY AND PRIVACY OF MACHINE LEARNING Ian Goodfellow Staff Research Scientist Google Brain @goodfellow_ian Machine Learning and Security #RSAC Machine Learning for Security Security against Machine Learning h 1 h 1 y

347 views • 30 slides
S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University & Google Brain Lecture for Prof. Trent Jaegers CSE 543 Computer Security Class November 2017 - Penn State Thank you to my collaborators Patrick

635 views • 59 slides
Basic internet privacy/security tips and alternatives Crisis Mirror, 27 March 2018 Common tasks

Basic internet privacy/security tips and alternatives Crisis Mirror, 27 March 2018 Common tasks

Basic internet privacy/security tips and alternatives Crisis Mirror, 27 March 2018 Common tasks we will try to cover Internet searches (replacing google search) Google settings Chatting, calls, etc (replacing messenger/skype)

304 views • 14 slides
The Next 700 Syntactic Models of Type Theory Simon Boulier 1 Pierre-Marie Pdrot 2 Nicolas

The Next 700 Syntactic Models of Type Theory Simon Boulier 1 Pierre-Marie Pdrot 2 Nicolas

. . . . . . . . . . . . . . The Next 700 Syntactic Models of Type Theory Simon Boulier 1 Pierre-Marie Pdrot 2 Nicolas Tabareau 1 CPP 17th January 2017 Pdrot & al. (INRIA & U. Ljubljana) The Next 700 Syntactic Models

1.18k views • 47 slides
Concerns: Rates of change, Ocean acidification, modeling 1. Recap of climate variables and past

Concerns: Rates of change, Ocean acidification, modeling 1. Recap of climate variables and past

Earths Climate: Past, Present and Future; Concerns and Solutions week 5 continuation of Week 4 (4/13): Thursday, April 27, 2016 Paul Belanger Concerns: Rates of change, Ocean acidification, modeling 1. Recap of climate variables and

719 views • 37 slides
String theory compactifications with sources Alessandro Tomasiello PRIN Kicko ff Meeting, SNS

String theory compactifications with sources Alessandro Tomasiello PRIN Kicko ff Meeting, SNS

String theory compactifications with sources Alessandro Tomasiello PRIN Kicko ff Meeting, SNS Pisa, 19.10.2019 Introduction For de Sitter solutions in string theory, we need to break supersymmetry, and to consider higher - derivative

583 views • 17 slides
Outline Previous e-cash and techniques CSci 5271 Bitcoin design Introduction to Computer

Outline Previous e-cash and techniques CSci 5271 Bitcoin design Introduction to Computer

Outline Previous e-cash and techniques CSci 5271 Bitcoin design Introduction to Computer Security Day 26: Electronic cash and Bitcoin Announcements Stephen McCamant University of Minnesota, Computer Science & Engineering Bitcoin

365 views • 7 slides
ors a tale of two special events which one? Who is this guy? And why does he think he knows

ors a tale of two special events which one? Who is this guy? And why does he think he knows

How How to to Cre Create te Uni Uniqu que e Fun Fundr drais isin ing g Ev Even ents ts tha that t Ex Exci cite te You Your r Don Donor ors a tale of two special events which one? Who is this guy? And why does he think

1.03k views • 72 slides
The RedAwning Portal, App, & New Content Sync 1 The RedAwning App FOR GUESTS Property

The RedAwning Portal, App, & New Content Sync 1 The RedAwning App FOR GUESTS Property

The RedAwning Portal, App, & New Content Sync 1 The RedAwning App FOR GUESTS Property Search & Book Explore all of our properties no login required Filter, sort, select dates, view in list or via map Make reservations

551 views • 18 slides
SAY IT RIGHT The Power of Coaching Tasneem Minadakis @tazneemiandevil 2002 2005 2014 2015

SAY IT RIGHT The Power of Coaching Tasneem Minadakis @tazneemiandevil 2002 2005 2014 2015

SAY IT RIGHT The Power of Coaching Tasneem Minadakis @tazneemiandevil 2002 2005 2014 2015 What makes a great leader? DEVELOPS & BUILDS TRUST COACHES DELIVERS RESULTS GROWS & SETS VISION ADAPTS Who do you trust and why? THE

671 views • 34 slides
Strategies for Replacing Lost Event Revenue Objectives for Today Once you cancel, postpone, or

Strategies for Replacing Lost Event Revenue Objectives for Today Once you cancel, postpone, or

Strategies for Replacing Lost Event Revenue Objectives for Today Once you cancel, postpone, or change the format of an event, you may need a plan to recover lost revenue Part I: Short-Term Strategies Part II: Long-Term Strategies

536 views • 41 slides

More recommend