PRIVACYSCORE.ORG: Investigating security and privacy properties of related Web sites
Tobias Mueller, Universität Hamburg, with Pascal Wichmann (Uni Hamburg), Max Maaß (TU Darmstadt), Henning Pridöhl (Uni Bamberg) and Dominik Herrmann (Uni Bamberg)
Motivation
Who knows that I'm interested in social welfare? The new normal?
Existing scanning services focus on single sites
https://www.ssllabs.com/ssltest/
https://observatory.mozilla.org/
https://securityheaders.io/
http://urlscan.io/
https://webbkoll.dataskydd.net/en/
https://www.sit.fraunhofer.de/de/track-your-tracker/
https://https.jetzt/
Existing scanning services use a pre-defined ranking scheme and target Web site operators. Example (HTTP Observatory HSTS scoring):

Description                                                                  Modifier
HSTS preloaded                                                                     +5
HSTS header max age >= 6 months                                                     0
HSTS header max age < six months                                                  -10
HSTS header not implemented                                                       -20
HSTS header cannot be set, as site contains an invalid certificate chain          -20

https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/scoring.md
PrivacyScore has a different focus: user-defined attributes.
Are cities in the south better than Hamburg (in the north)?
Does the size of a hospital have an influence on the ranking of its Web site?
Are GNOME-based distros more privacy friendly than KDE-based ones?
Idea: public benchmarks for incentivising operators to introduce privacy friendly enhancements. The public can create lists with properties and customise the ranking (soon™).
Free Software (GPLv3+) and Open Data.
Out of scope: Pentesting, SQLi, XSS, …
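As an added example (not PrivacyScore's own code), the HSTS modifier table from the Observatory slide above applied to a constructed user-defined list of sites and turned into a ranking; the header values, host names and the 180-day reading of "six months" are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: "six months" in the scoring table is read as 180 days.
SIX_MONTHS = 180 * 24 * 3600

@dataclass
class HstsScan:
    """What a scan module would have collected for one site (constructed, not real data)."""
    hsts_header: Optional[str]  # Strict-Transport-Security value, None if the header is absent
    cert_chain_valid: bool      # False when the certificate chain does not validate
    preloaded: bool             # membership in the browser preload list (assumed looked up separately)

def parse_max_age(header: str) -> Optional[int]:
    """Extract max-age from an HSTS header; None when the directive is missing or malformed."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?', header, re.IGNORECASE)
    return int(m.group(1)) if m else None

def hsts_modifier(scan: HstsScan) -> tuple[int, str]:
    """Return the (modifier, description) row of the HSTS scoring table that applies."""
    if not scan.cert_chain_valid:
        return -20, "HSTS header cannot be set, as site contains an invalid certificate chain"
    max_age = parse_max_age(scan.hsts_header) if scan.hsts_header else None
    # Assumption: a header without a usable max-age (required by RFC 6797) counts as not implemented.
    if max_age is None:
        return -20, "HSTS header not implemented"
    if scan.preloaded:
        return 5, "HSTS preloaded"
    if max_age >= SIX_MONTHS:
        return 0, "HSTS header max age >= 6 months"
    return -10, "HSTS header max age < six months"

def rank(sites: dict[str, HstsScan]) -> list[tuple[str, int]]:
    """Public-benchmark style ranking of a list: best modifier first, ties broken by name."""
    scored = [(name, hsts_modifier(scan)[0]) for name, scan in sites.items()]
    return sorted(scored, key=lambda x: (-x[1], x[0]))

# Constructed sample list; the .test host names are placeholders, not real sites.
SAMPLE = {
    "a.hospital-example.test": HstsScan("max-age=31536000; includeSubDomains; preload", True, True),
    "b.hospital-example.test": HstsScan("max-age=31536000", True, False),
    "c.hospital-example.test": HstsScan("max-age=604800", True, False),
    "d.hospital-example.test": HstsScan(None, True, False),
    "e.hospital-example.test": HstsScan("max-age=31536000", False, False),
}

if __name__ == "__main__":
    for name, score in rank(SAMPLE):
        print(f"{score:+4d}  {name}  ({hsts_modifier(SAMPLE[name])[1]})")
```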
Selected Lists
Performed Checks
No Tracking: Third Parties; Known Trackers; Server Locations
Protection Against Other Attacks: Information leak; Referer-Policy; Security-Header
Encryption to Website and to Mailserver: HTTPS / STARTTLS available?; Certificate: validity / key size; Insecure protocols: SSLv3…; Known vulnerabilities: Heartbleed…
Encryption to Website additionally: HSTS; HPKP; HTTPS redirection
Ranking and Detailed Results
[Screenshots: public ranking with changeable sort order; detailed results for one site]
Typical information leaks: phpinfo.php, test.php, backup.sql, server-info, server-status, .git, .svn, server.key, <domain>.key, …
[Screenshot: http://www.xxxxxxxxxx.bg/phpinfo.php (censored) exposing PHP 5.5.9-1ubuntu4.22; "is the current version‼️"]
First complaint in November 2017.
Legal implications: Are we allowed to scan without permission? Cf. arxiv.org/abs/1705.08889 (GI INFORMATIK 2017). TL;DR: yes.
Ethical implications: PrivacyScore is a dual-use tool. Certain results are harder to acquire; rate limiting as DoS protection; blacklisting on demand.
Technical Details
Distributed infrastructure of virtual machines (currently approx. 30 VMs).
[Diagram: users talk to the Master (Redis, PostgreSQL, RabbitMQ); the Master dispatches to Slaves Worker 1 … Worker n, each running worker threads]
Scan Modules and Checks
While scanning, scan modules (network, testssl.sh, openwpm, …) collect {Results}; while interpreting, checks (HTTPS available? SSLv3 offered? Known trackers? …) interpret the data.
openwpm: Firefox ESR + Selenium
Stats
Sorted by third-party requests:

URL                                                          3rd P Req  3rd P C  Trackers
https://eclipse.org/                                                78        1         0
https://www.libreoffice.org/                                        75        1         0
https://www.oreilly.com/                                            64       11         5
https://www.python-fosdem.org/                                      48        0         0
https://training.linuxfoundation.org/free-linux-training/           46        9         4
https://grafana.com/grafana                                         46        3         0
https://summerofcode.withgoogle.com/                                45        4         1
https://www.owasp.org/index.php/Main_Page                           41        4         1
https://www.openstack.org/                                          39       12         5

Sorted by third-party cookies:

URL                                                          3rd P Req  3rd P C  Trackers
https://www.openstack.org/                                          39       12         5
https://www.oreilly.com/                                            64       11         5
https://training.linuxfoundation.org/free-linux-training/           46        9         4
https://xenproject.org/                                             23        8         2
https://summerofcode.withgoogle.com/                                45        4         1
https://www.owasp.org/index.php/Main_Page                           41        4         1
https://www.automotivelinux.org/                                    26        4         1
https://grafana.com/grafana                                         46        3         0
https://micropython.org/                                            19        3         1
Median: 9.5; Mean: 15.69; Variance: 331.92; Standard Deviation: 18.21
PrivacyScore.org: Surveying security and privacy properties of Web sites
TODOs: Edit lists, private lists, user management, … Ranking templates, usable interpretations, OCSP, OCSP stapling, browser fingerprinting, webapp versions. Abuse handling, containment, …
Send lists! Send bugs! Send ideas! Send patches!!1
mueller@informatik.uni-hamburg.de
Follow us @privascore