privacyscore org investiatni security and privacy
play

PRIVACYSCORE.ORG Investiatni security and privacy propertes of - PowerPoint PPT Presentation

Dec 27, 2022 •98 likes •352 views

PRIVACYSCORE.ORG Investiatni security and privacy propertes of reaated Web sites Tobias Mueaaer Universitt Hamburg with Pascal Wichmann (Uni Hamburg) Max Maa (TU Darmstadt) Henning Pridhl (Uni Bamberg) und Dominik Herrmann (Uni Bamberg)

  1. PRIVACYSCORE.ORG Investiatni security and privacy propertes of reaated Web sites Tobias Mueaaer Universität Hamburg with Pascal Wichmann (Uni Hamburg) Max Maaß (TU Darmstadt) Henning Pridöhl (Uni Bamberg) und Dominik Herrmann (Uni Bamberg)

  2. PRIVACYSCORE.ORG Tobias Mueaaer Universität Hamburg

  3. Motjvatjon 3

  4. Who knows that I’m interested in social welfare? ? THE NEW NORMAL? 4 4

  5. Existjng Scanning Services focus on single sites 5

  6. httqs:/0/0www.0ssllabs.0com/0ssltest/0 httqs:/0/0observatory.0mozilla.0org/0 – httqs:/0/0securityheaders.0io/0 – httq:/0/0urlscan.0io/0 6

  7. httqs:/0/0webbkoll.0dataskydd.0net/0en/0 httqs:/0/0www.0sit.0fraunhofer.0de/0de/0track-your-tracker/0 – httqs:/0/0httqs.0jqetzt/0 7

  8. Existni Scannini Servicest use tqre-defned ranking scheme target Web site otqerators Descripton Modifer HSTS tqreloaded 5 HSTS header max age ≥ 6 months 0 HSTS header max age < six months -10 HSTS header not imtqlemented -20 HSTS header cannot be set, as site -20 contains an invalid certjfcate chain httqs:/0/0github.0com/0mozilla/0httq-observatory/0blob/0master/0httqobs/0docs/0scoring.0md 8

  9. ? USER DEFINED PrivacyScore has a diferent focus: ATTRIBUTES: Idea: pubaic benchmarks for Are cites in the south incentvisini otqerators to introduce betuer than Hamburg tqrivacy friendly enhancements.0 (in the north)? Does the size of a hospital The tqublic can create aists have an infuence on the with tqrotqertjes and customise the ranking of its Web site? rankini (soon™).0 Are GNOME-based distros Free Sofware (GPLv3+) und Otqen Data more privacy friendly than KDE-based ones? Out of scope: Pentestjng, SQLi, XSS, … 9

  10. Seaected Lists 10

  11. Performed Checks Protecton Encrypton to Encrypton to No Trackini Aiainst Other Website Maiaserver Atacks HTTPS/0STARTTLS available? Third Partjes Informatjon leak Certjfcate: validity /0 key size Known Trackers Referer-Policy Insecure tqrotocols: SSLv3… Server Locatjons Security-Header Known vulnerabilitjes: Heartbleed… HSTS HPKP HTTPS redirectjon

  12. Ranking und Detailed Results 12

  13. Change order Public Ranking

  14. Detailed Results

  15. Typicaa informaton aeaks phpinfo.php test.php backup.sql server-info server-status .git .svn server.key <domain>.key … is the current version ‼️ 5.5.9-1ubuntu 4.22 httq:/0/0www.0xxxxxxxxxx.0bg/0tqhtqinfo.0tqhtq censored 15

  16. phpinfo.php test.php backup.sql server-info server-status .git .svn server.key <domain>.key … First compaaint in November 2017. Leiaa impaicatons Are we allowed to scan without tqermission? c.0f.0 arxiv.org/abs/1705.08889 (GI INFORMATIK 2017) TL;DR: yes Ethicaa impaicatons PrivacyScore is a Dual-Use-Tool.0 – Certain results are harder to acquire – Rate aimitni as DoS tqrotectjon – Baackaistni on demand 16

  17. Technical Details 17

  18. Distributed infrastructure of virtuaa machines (currently atqtqrox.0 30 VMs) Redis Worker Threads PostgreSQL Worker 1 .0.0.0 Worker Threads RabbitMQ User Master Worker n 18 Master Slaves

  19. Scan Moduaes and Checks while scanning while interpreting Scan Moduaes Checks network HTTPS available? testssl.0sh SSLv3 ofered? collect {Results} intertqret data otqenwtqm Known trackers? .0.0.0 … 19 otqenwtqm: Firefox ESR + Selenium

  20. Stats 20

  21. URL 3rd P Req 3rd P C Trackers https://eclipse.org/ 78 1 0 https://www.libreoffice.org/ 75 1 0 https://www.oreilly.com/ 64 11 5 https://www.python-fosdem.org/ 48 0 0 https://training.linuxfoundation.org/free-linux-training/ 46 9 4 https://grafana.com/grafana 46 3 0 https://summerofcode.withgoogle.com/ 45 4 1 https://www.owasp.org/index.php/Main_Page 41 4 1 https://www.openstack.org/ 39 12 5

  22. URL 3rd P Req 3rd P C Trackers https://www.openstack.org/ 39 12 5 https://www.oreilly.com/ 64 11 5 https://training.linuxfoundation.org/free-linux-training/ 46 9 4 https://xenproject.org/ 23 8 2 https://summerofcode.withgoogle.com/ 45 4 1 https://www.owasp.org/index.php/Main_Page 41 4 1 https://www.automotivelinux.org/ 26 4 1 https://grafana.com/grafana 46 3 0 https://micropython.org/ 19 3 1

  23. Median 9.5 Mean 15.69 Variance 331.92 Standard Deviation 18.21

  24. PrivacyScore.ori: Surveyini security and privacy propertes of Web sites TODOs Edit lists, tqrivate lists, user management, … Ranking temtqlates, usable intertqretatjons, OCSP, OCSP statqling, browser fngertqrintjng, webatqtq versions Abuse handling, containment, … Send aists Send buis Send ideas! Send patches!!1 mueller@informatjk.0uni-hamburg.0de Follow us @tqrivascore

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. &quot;Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks

S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much easier if there were someone we could all TRUST with our data Be8er data mining -- using MORE data, while respec@ng users PRIVACY

888 views • 35 slides
Web Privacy Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security &amp; Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data

Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data

Privacy &amp; Security Matters: Privacy &amp; Security Matters: Protecting Personal Data Protecting Personal Data Privacy &amp; Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned Did you know... 77 percent of all Americans feel their personal health information privacy is very important, and 84 percent said they

769 views • 50 slides
How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and Security Conference Privacy and Security by Choice, not Chance Afternoon Workshop Wednesday February 3, 2016 Victoria, B.C. Canada Gerry Bliss

1.11k views • 63 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director Global Privacy &amp; Security by Design Centre Technion Summer School on Cyber Security Haifa, Israel September 9, 2020 Lets Dispel The Myths

929 views • 55 slides
CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt //

CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt //

CS573 Data Privacy and Security Location Privacy Location Privacy Yonghui (Yohu) Xiao htt // http://yxiao.info i i f Outline Outline What is Location Privacy Basic Techniques Private Information Retrieval Probabilistic

415 views • 24 slides
Security and Privacy at WINLAB Security and Privacy at WINLAB Wade Trappe Overview and Lead-

Security and Privacy at WINLAB Security and Privacy at WINLAB Wade Trappe Overview and Lead-

Security and Privacy at WINLAB Security and Privacy at WINLAB Wade Trappe Overview and Lead- -In In Overview and Lead Security has been one of the great detractors for wireless technologies WINLABs security initiatives:

642 views • 13 slides
Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

Admin Today: finish web privacy, start mobile security Friday: Lab #2 due (8pm)

CSE 484 / CSE M 584: Computer Security and Privacy Web Privacy [finish] Mobile Platform Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

535 views • 29 slides
Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis

Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis

Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell Outline What is CSRF attack? What is a login CSRF attack? Whats the

846 views • 30 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
Apache Traffic Server &amp; Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale

Apache Traffic Server &amp; Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale

Apache Traffic Server &amp; Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale Details Security Future 11/16/2014 2 Apache Traffic Server Fast, scalable and extensible HTTP/1.1 compliant caching proxy server

1.52k views • 45 slides
DIMVA 2019 On the Perils of Leaking Referrers in Online Collaboration Services Authors: Beliz

DIMVA 2019 On the Perils of Leaking Referrers in Online Collaboration Services Authors: Beliz

DIMVA 2019 On the Perils of Leaking Referrers in Online Collaboration Services Authors: Beliz Kaleli Manuel Egele Gianluca Stringhini bkaleli@bu.edu megele@bu.edu gian@bu.edu Online Collaboration Services (OCSs)

636 views • 46 slides
whoami Name: Pepe Vila ( @cgvwzq ) Location: Spain Work: - before: pentester at EY - current:

whoami Name: Pepe Vila ( @cgvwzq ) Location: Spain Work: - before: pentester at EY - current:

A XSSmas carol by pepe vila whoami Name: Pepe Vila ( @cgvwzq ) Location: Spain Work: - before: pentester at EY - current: PhD student at IMDEA Software Interests: - try to understand browsers, XSS challenges , CTFs, computationalism, space

481 views • 36 slides
JavaScript Security &amp; HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31,

JavaScript Security &amp; HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31,

JavaScript Security &amp; HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31, 2013 Weve Been Here Before A Definition Ja va Script | jv skript | invective . 1 A vendor-neutral, cross-platform liability for

583 views • 42 slides
HIPSTER BINGO - OR HOW TO USE DOCKER/KUBERNETES/CRI-O TO DEPLOY LIBREOFFICE ONLINE WITH STYLE

HIPSTER BINGO - OR HOW TO USE DOCKER/KUBERNETES/CRI-O TO DEPLOY LIBREOFFICE ONLINE WITH STYLE

HIPSTER BINGO - OR HOW TO USE DOCKER/KUBERNETES/CRI-O TO DEPLOY LIBREOFFICE ONLINE WITH STYLE CIB SOFTWARE GMBH LIBREOFFICE CONFERENCE ROME OCTOBER 11TH, 2017 I HAVE 30 MINUTES TO SETUP LOOL The problem? &gt; multiple server instances

215 views • 17 slides
1 Common Response Code Triton Cluster at San Diego Supercomputer Center 200 - OK 256

1 Common Response Code Triton Cluster at San Diego Supercomputer Center 200 - OK 256

Example line of the log file Optional HW2: Data Mining from Web Server Logs 66.249.64.13 - - [18/Sep/2004:11:07:48 +1000] &quot;GET / HTTP/1.0&quot; 200 6433 &quot;-&quot; &quot;Googlebot/2.1&quot; 10.32.1.43 - - [06/Feb/2013:00:07:00]

501 views • 4 slides

More recommend