PRIVACYSCORE.ORG: Investigating security and privacy properties of related Web sites (PowerPoint presentation)


SLIDE 1

Investigating security and privacy properties of related Web sites

Tobias Mueller, Universität Hamburg, with Pascal Wichmann (Uni Hamburg), Max Maaß (TU Darmstadt), Henning Pridöhl (Uni Bamberg) and Dominik Herrmann (Uni Bamberg)

PRIVACYSCORE.ORG

SLIDE 2

PRIVACYSCORE.ORG

Tobias Mueller, Universität Hamburg

SLIDE 3

Motivation

SLIDE 4

Who knows that I’m interested in social welfare?


THE NEW NORMAL?

SLIDE 5

Existing Scanning Services

focus on single sites

SLIDE 6

https://www.ssllabs.com/ssltest/
https://observatory.mozilla.org/
https://securityheaders.io/
http://urlscan.io/
SLIDE 7

https://webbkoll.dataskydd.net/en/
https://www.sit.fraunhofer.de/de/track-your-tracker/
https://https.jetzt/

Target: Web site operators. Uses a pre-defined ranking scheme.

Description                                                                 Modifier
HSTS preloaded                                                              5
HSTS header max age ≥ 6 months
HSTS header max age < six months                                            -10
HSTS header not implemented                                                 -20
HSTS header cannot be set, as site contains an invalid certificate chain    -20

https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/scoring.md

Existing Scanning Services
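How the HSTS rows of a scheme like this one are evaluated from a response header, as an added example (it is not PrivacyScore's or the Observatory's own code). Assumptions made here: the certificate-chain result and the preload-list lookup are supplied by other checks and passed in as flags, "six months" is 15768000 seconds, a max-age of 0 counts as not implemented because RFC 6797 uses it to make browsers forget the host, and the "≥ 6 months" row, which shows no modifier on the slide, scores 0 as in the linked scoring document.

```python
# Threshold for "six months" in seconds (assumption: 182.5 days, i.e. the
# value the Observatory scoring uses).
SIX_MONTHS = 15768000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into
    (max_age_seconds, include_subdomains, preload).  Returns None when the
    header is absent or carries no well-formed max-age; browsers ignore
    such headers, so the site gains nothing from them."""
    if value is None:
        return None
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None          # e.g. max-age=abc: not a valid header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


def hsts_modifier(headers, cert_chain_valid=True, preloaded=False):
    """Return (modifier, description) following the HSTS rows of the table.
    headers:          response headers of the HTTPS main document (any case)
    cert_chain_valid: result of the certificate check (assumed done elsewhere)
    preloaded:        host is on the browser preload list (assumed looked up
                      elsewhere; evaluated before the header, as an assumption)
    """
    if not cert_chain_valid:
        return -20, ("HSTS header cannot be set, as site contains an invalid "
                     "certificate chain")
    if preloaded:
        return 5, "HSTS preloaded"
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    parsed = parse_hsts(value)
    # max-age=0 instructs browsers to forget the host (RFC 6797), so it is
    # treated like a missing header.
    if parsed is None or parsed[0] == 0:
        return -20, "HSTS header not implemented"
    if parsed[0] < SIX_MONTHS:
        return -10, "HSTS header max age < six months"
    # No modifier is shown for this row on the slide; the linked scoring
    # document uses 0.
    return 0, "HSTS header max age >= 6 months"


if __name__ == "__main__":
    sample = {"Strict-Transport-Security": "max-age=86400; includeSubDomains"}
    print(hsts_modifier(sample))   # a one-day max-age: (-10, '...< six months')
```

The parser is deliberately strict: a quoted or malformed `max-age` and a header without `max-age` both yield "not implemented", which matches how a browser would treat them.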

SLIDE 9

PrivacyScore has a different focus. Idea: public benchmarks for incentivising operators to introduce privacy-friendly enhancements. The public can create lists with properties and customise the ranking (soon™). Free Software (GPLv3+) and Open Data.

USER DEFINED ATTRIBUTES: Are cities in the south better than Hamburg (in the north)? Does the size of a hospital have an influence on the ranking of its Web site? Are GNOME-based distros more privacy friendly than KDE-based ones?

Out of scope: Pentesting, SQLi, XSS, …
SLIDE 10

Selected Lists
SLIDE 11

Performed Checks

Categories: Encryption to Website · No Tracking · Encryption to Mailserver · Protection Against Other Attacks

Checks:
Third Parties, Known Trackers, Server Locations
HTTPS/STARTTLS available? Certificate: validity / key size
Insecure protocols: SSLv3… Known vulnerabilities: Heartbleed…
HSTS, HPKP, HTTPS redirection
Information leak, Referrer-Policy, Security-Header
SLIDE 12

Ranking and Detailed Results
SLIDE 13

Public Ranking

Change order

SLIDE 14

Detailed Results

SLIDE 15

Typical information leaks

5.5.9-1ubuntu4.22 is the current version ‼️

.git  .svn  server.key  <domain>.key  phpinfo.php  backup.sql  server-status  server-info  test.php

http://www.xxxxxxxxxx.bg/phpinfo.php

censored

SLIDE 16

Legal implications

.git  .svn  server.key  <domain>.key  phpinfo.php  backup.sql  server-status  server-info  test.php

Ethical implications

Are we allowed to scan without permission? cf. arxiv.org/abs/1705.08889 (GI INFORMATIK 2017). TL;DR: yes.
PrivacyScore is a dual-use tool:
– Certain results are harder to acquire
– Rate limiting as DoS protection
– Blacklisting on demand

First complaint in November 2017.

SLIDE 17

Technical Details

SLIDE 18

Distributed infrastructure of virtual machines (currently approx. 30 VMs)

[Diagram: User → Master (RabbitMQ, PostgreSQL, Redis) → Slaves: Worker 1 … Worker n, each running Worker Threads]

slide-19
SLIDE 19

Scan Modules and Checks

Scan Modules (collect data, while scanning):
  • testssl.sh
  • network
  • openwpm: Firefox ESR + Selenium

Checks (interpret, while interpreting): HTTPS available? SSLv3 offered? Known trackers? …

{Results}
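The module/check split on this slide, worked through for a few of the checks listed under Performed Checks (third parties, known trackers, information leak, security headers), as an added example that is not PrivacyScore's own code. The crawl record below is a constructed stand-in for what a browser-based scan module such as OpenWPM would collect while scanning; the hosts, cookies, tracker list and headers in it are made up (the PHP version string is the one quoted on the information-leak slide), and the two-label domain matching is a simplification a real check would replace with the Public Suffix List. The three numbers the third-party check returns correspond to the columns of the tables under Stats.

```python
import re
from urllib.parse import urlsplit

# Constructed crawl record: what the scan module stored "while scanning".
CRAWL = {
    "url": "https://www.example.org/",
    "requests": [
        "https://www.example.org/index.html",
        "https://static.example.org/app.js",          # first party (subdomain)
        "https://cdn.example-cdn.test/lib.js",         # third party, not a tracker
        "https://ads.tracker-one.test/pixel.gif",
        "https://ads.tracker-one.test/beacon?x=1",
        "https://stats.tracker-two.test/collect",
    ],
    "cookies": [
        {"domain": "www.example.org", "name": "session"},
        {"domain": ".tracker-one.test", "name": "uid"},
        {"domain": ".tracker-two.test", "name": "_tid"},
        {"domain": ".tracker-two.test", "name": "_tsess"},
    ],
    "headers": {
        "Server": "Apache/2.4.18 (Ubuntu)",
        "X-Powered-By": "PHP/5.5.9-1ubuntu4.22",
        "Referrer-Policy": "no-referrer-when-downgrade",
        "Content-Type": "text/html; charset=utf-8",
    },
}

# Constructed tracker list standing in for the blocklist a Known Trackers
# check would consult.
KNOWN_TRACKERS = {"tracker-one.test", "tracker-two.test"}

SECURITY_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
)

VERSION_RE = re.compile(r"\d+\.\d+")   # "2.4", "5.5.9", ... inside a header


def registrable_domain(host):
    """Crude eTLD+1 (last two labels).  Assumption: adequate for the
    constructed data; real checks should use the Public Suffix List."""
    return ".".join(host.strip(".").lower().split(".")[-2:])


def check_third_parties(crawl):
    """Third Parties / Known Trackers checks, run 'while interpreting':
    third-party requests, third-party cookies, known trackers contacted."""
    site = registrable_domain(urlsplit(crawl["url"]).hostname)
    third_party_hosts = [
        urlsplit(r).hostname for r in crawl["requests"]
        if registrable_domain(urlsplit(r).hostname) != site
    ]
    third_party_cookies = [
        c for c in crawl["cookies"] if registrable_domain(c["domain"]) != site
    ]
    trackers = {registrable_domain(h) for h in third_party_hosts} & KNOWN_TRACKERS
    return {
        "third_party_requests": len(third_party_hosts),
        "third_party_cookies": len(third_party_cookies),
        "known_trackers": sorted(trackers),
    }


def check_information_leak(headers):
    """Information leak check: headers that advertise a software version."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {
        name: lower[name.lower()]
        for name in ("Server", "X-Powered-By")
        if name.lower() in lower and VERSION_RE.search(lower[name.lower()])
    }


def check_security_headers(headers):
    """Security-Header check: which expected headers are present at all."""
    present = {k.lower() for k in headers}
    return {h: h.lower() in present for h in SECURITY_HEADERS}


def run_checks(crawl):
    """The interpreting stage: every check over the collected data."""
    result = {"https_available": urlsplit(crawl["url"]).scheme == "https"}
    result.update(check_third_parties(crawl))
    result["information_leaks"] = check_information_leak(crawl["headers"])
    result["security_headers"] = check_security_headers(crawl["headers"])
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(run_checks(CRAWL), indent=2))
```

Because the checks only read the stored record, they can be re-run with new interpretations (a different tracker list, a new required header) without scanning the site again, which is the point of separating the two stages.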
SLIDE 20

Stats

SLIDE 21

Sorted by third-party requests:

URL                                                        3rd P Req (third-party requests)   3rd P C (third-party cookies)   Trackers
https://eclipse.org/                                              78                                  1
https://www.libreoffice.org/                                      75                                  1
https://www.oreilly.com/                                          64                                 11                         5
https://www.python-fosdem.org/                                    48
https://training.linuxfoundation.org/free-linux-training/         46                                  9                         4
https://grafana.com/grafana                                       46                                  3
https://summerofcode.withgoogle.com/                              45                                  4                         1
https://www.owasp.org/index.php/Main_Page                         41                                  4                         1
https://www.openstack.org/                                        39                                 12                         5
SLIDE 22

Sorted by third-party cookies:

URL                                                        3rd P Req (third-party requests)   3rd P C (third-party cookies)   Trackers
https://www.openstack.org/                                        39                                 12                         5
https://www.oreilly.com/                                          64                                 11                         5
https://training.linuxfoundation.org/free-linux-training/         46                                  9                         4
https://xenproject.org/                                           23                                  8                         2
https://summerofcode.withgoogle.com/                              45                                  4                         1
https://www.owasp.org/index.php/Main_Page                         41                                  4                         1
https://www.automotivelinux.org/                                  26                                  4                         1
https://grafana.com/grafana                                       46                                  3
https://micropython.org/                                          19                                  3                         1
SLIDE 23

Median               9.5
Mean                 15.69
Variance             331.92
Standard Deviation   18.21
SLIDE 24

PrivacyScore.org: Surveying security and privacy properties of Web sites

mueller@informatik.uni-hamburg.de · Follow us: @privascore

TODOs
Edit lists, private lists, user management, …
Ranking templates, usable interpretations, OCSP, OCSP stapling, browser fingerprinting, webapp versions
Abuse handling, containment, …
Send lists! Send ideas! Send patches!!1 Send bugs!