upribox Zeroconfjg Adblocking ITSecX, St. Plten, 11/2015 Dr. - - PowerPoint PPT Presentation

upribox zeroconfjg adblocking
SMART_READER_LITE
LIVE PREVIEW

upribox Zeroconfjg Adblocking ITSecX, St. Plten, 11/2015 Dr. - - PowerPoint PPT Presentation

Jun 14, 2023 115 likes •437 views

upribox Zeroconfjg Adblocking ITSecX, St. Plten, 11/2015 Dr. Markus Huber htu tups:/ /upribox.org Online Advertisement htu tups:/ /upribox.org 3/31 Targeted Ads #epicfail htu tups:/ /upribox.org 4/31 4 htu tups:/

slide-1
SLIDE 1

upribox – Zeroconfjg Adblocking

ITSecX, St. Pölten, 11/2015

  • Dr. Markus Huber

htu tups:/ /upribox.org

slide-2
SLIDE 2

Online Advertisement

slide-3
SLIDE 3

htu tups:/ /upribox.org 3/31

slide-4
SLIDE 4

htu tups:/ /upribox.org 4/314

Targeted Ads #epicfail

slide-5
SLIDE 5

htu tups:/ /upribox.org 5/315

slide-6
SLIDE 6

htu tups:/ /upribox.org 6/316

slide-7
SLIDE 7

htu tups:/ /upribox.org 7/31

Gotta Block'Em All | CCC Camp 2015 | Markus Huber 7

Governmental Organizations #snowden

  • NSA piggybacks on Cookies / UUID
  • De-Anonymization of Tor users
  • Target selection for exploitation
slide-8
SLIDE 8

Ad/Tracker Blocker Arms Race

slide-9
SLIDE 9

htu tups:/ /upribox.org 9/31

Browser Extensions

slide-10
SLIDE 10

htu tups:/ /upribox.org 10/31

Browser Extensions for Advertjsement

  • AdBlock Plus (ABP)
  • “Acceptable Ads” program
  • Maintains EasyList block rules
  • ABP Fork: AdBlock Edge
  • AdBlock
  • Based on AdBlock Plus EasyList
  • Solution for Chrome, ABP were to slow
  • Joined Acceptable Ads in October/2015
  • uBlock
  • Based on EasyList, EasyPrivacy, Peter Lowe's List, Disconnect
  • Focus on performance and privacy
slide-11
SLIDE 11

htu tups:/ /upribox.org 11/31

Tracker Blocker

  • Ghostery

– Detectjon and blocking of trackers – Blocking is Opt-In

  • Disconnect.me

– Similar to Ghostery – Included in Firefox since v41

  • Privacy Badger

– Heuristjcs instead of fjlter rules

slide-12
SLIDE 12

htu tups:/ /upribox.org 12/31

Empirical Study

  • How efgectjve are these browser extensions?
  • Analysis of 200,000 websites (0.5 billion requests)

– Selenium + difgerent browser extensions – Collectjon of network traffjc with mitmproxy

  • Joined work with Georg Merzdovnik (SBA Research)
slide-13
SLIDE 13

htu tups:/ /upribox.org 13/31

Study Results

slide-14
SLIDE 14

Usable Privacy Box

@usableprivacy

slide-15
SLIDE 15

htu tups:/ /upribox.org 15/31

Motjvatjon

  • Browser extensions are effective
  • What about smartphones / tablets?

– Extensions for Android FF / Safari – In-App advertisement !

  • Make it even simpler than installing extensions ...
slide-16
SLIDE 16

htu tups:/ /upribox.org 16/31

In-App Ads

  • Malvertisement
  • Sensitive info
  • Leaks / Exploits
slide-17
SLIDE 17

htu tups:/ /upribox.org 17/31

upribox - Usable Privacy Box

  • Open Source Project

– Supported by the Internet Foundatjon Austria

  • Hardware

– Raspberry Pi 2 (ARM Cortex-A7) – Wifj: 150Mbit drafu N

  • Usable Privacy

– Make Privacy Tools accessible

slide-18
SLIDE 18

htu tups:/ /upribox.org 18/31

Main Features

  • Silent Mode

– Adblocking Wifj

  • Ninja Mode

– Adblocking + Tor Wifj

  • VPN Server

– Privacy with open access points

slide-19
SLIDE 19

htu tups:/ /upribox.org 19/31

DNS based blocking

  • DNS Blacklist (dnsmasq)

– EasyList, Easylist Germany, EasyPrivacy – Resets Cookies

news.com:80 content news.com:80 doubleclick.net:80 id=788087878 Expire 1.1.2020 empty document id=0 Expire 1.1.1970 google-analytics.com:443 id=788087878 Expire 1.1.2020 TCP RST

slide-20
SLIDE 20

htu tups:/ /upribox.org 20/31

URL Filtering / CSS

  • Transparent Proxy (privoxy)

– URI path fjlter – Rules based on EasyList, EasyList Privacy – Injects CSS header

  • CSS header

– Make blocked content invisble

slide-21
SLIDE 21

htu tups:/ /upribox.org 21/31

Network Blocking

  • Easy to set up == connect to upribox WiFi
  • Works with every device (e.g. old phones)
  • TLS (HTTPS)

– Actjve MiTM is a bad idea for a privacy tool – Certain trackers not blockable

slide-22
SLIDE 22

htu tups:/ /upribox.org 22/31

Onion Routjng (Tor)

  • Legacy devices
  • Circumvent censorship
  • Hide traffjc from your provider
  • upribox advice:

For best protectjon:

Download the Tor Browser Bundle!

slide-23
SLIDE 23

htu tups:/ /upribox.org 23/31

VPN

  • Based on OpenVPN (certjfjcate based)
  • IPSec with strongswan dropped
  • Surf secure when on the road
  • „Zero confjg“ tricky to set up

– UpnP, NAT-PMP – Dynamic IPs

slide-24
SLIDE 24

upribox alpha batch

slide-25
SLIDE 25

htu tups:/ /upribox.org 25/31

upribox alpha batch

  • alpha batch: fjrst 25 upriboxes
  • Deterministic builds
  • Raspbian Wheezy image customized with ansible
  • Rolling release
  • Updates via git repo + ansible
  • 3D printed case
  • Chance to win one tonight!
slide-26
SLIDE 26

htu tups:/ /upribox.org 26/31

upribox Community Image

  • Scheduled for December 2015
  • In-cooperate feedback from alpha batch
  • Reset crypto keys on fjrst boot
  • Updates on release: @usableprivacy
slide-27
SLIDE 27

htu tups:/ /upribox.org 27/31

upribox Team

Peter Judmaier, Gernot Rotuermanner (Usability) Lisa Gringl (Design), Bernhard Zeller (Web Development) Julian Rauchberger, Tobias Dam (Sofuware Development, Security, Confjguratjon Management) Aron Molnar, Anton Hinterleitner, Alex Kolmann (Network Security, Sofuware Prototype) Daniel Zeisner, Matuhias Borowski (Industrial Design)

slide-28
SLIDE 28

upribox demo

slide-29
SLIDE 29

Takeaways from this presentation ...

slide-30
SLIDE 30

htu tups:/ /upribox.org 30/31

  • We are entering an arms race between trackers

and blockers ...

  • Protection by browser extensions is efgective
  • Privacy Badger, Disconnect, uBlock
  • upriBox = Zero confjg
  • Soon you can turn your Raspberry Pi into an upribox
slide-31
SLIDE 31

stay tuned for the public release: @usableprivacy

contact me for questjons markus.huber@fistp.ac.at