Web Browser Privacy & Security Fan Du CMSC 818D Class - - PowerPoint PPT Presentation

web browser privacy security
SMART_READER_LITE
LIVE PREVIEW

Web Browser Privacy & Security Fan Du CMSC 818D Class - - PowerPoint PPT Presentation

Jun 03, 2023 45 likes •557 views

Web Browser Privacy & Security Fan Du CMSC 818D Class Presentation 4/16/2015 1 Outline Q1: How to Prevent Web Tracking ? Q2: How to Opt Out Online Behavioral Advertising ? Q3: How to Design Phishing Websites ? 2 Outline

slide-1
SLIDE 1

Web Browser Privacy & Security

Fan Du

CMSC 818D Class Presentation 4/16/2015

1

slide-2
SLIDE 2

Outline

  • Q1: How to Prevent Web Tracking?
  • Q2: How to Opt Out Online Behavioral Advertising?
  • Q3: How to Design Phishing Websites?

2

slide-3
SLIDE 3

Outline

  • Q1: How to Prevent Web Tracking?
  • ShareMeNot: Balancing Privacy and Functionality of Third-Party Social Widgets
  • Q2: How to Opt Out Online Behavioral Advertising?
  • Q3: How to Design Phishing Websites?

3

slide-4
SLIDE 4

4

source: www.addthis.com

slide-5
SLIDE 5

Social Widgets

5

source: Facebook, Google, Twitter, Linkedin

slide-6
SLIDE 6

Social Widgets

6

source: Facebook, Google, Twitter, Linkedin

slide-7
SLIDE 7

Your habits Your politics opinion Your browsing history Your identity

source: TL - Facebook, TR - http://iptv-work.at.ua, BL - http://pixshark.com/timeline-clipart-for-kids.htm, BR - CNN

slide-8
SLIDE 8

Vote

  • A - Social Widgets track me when I click on them.
  • B - Social Widgets track me even if I ignore them.

source: Facebook, Google, Twitter, Linkedin, http://www.gunslot.com/pictures/re-imagined-facebook-button

slide-9
SLIDE 9

How They Work?

source: Roesner, Franziska, et al. "Sharemenot: Balancing privacy and functionality of third-party social widgets." Usenix (2012).

slide-10
SLIDE 10

How They Work?

10

source: Roesner, Franziska, et al. "Sharemenot: Balancing privacy and functionality of third-party social widgets." Usenix (2012).

slide-11
SLIDE 11

How They Work?

11

source: Roesner, Franziska, et al. "Sharemenot: Balancing privacy and functionality of third-party social widgets." Usenix (2012).

slide-12
SLIDE 12

Hard to Defense

12

  • The cookie are “baked” from a 1st-party position

source: http://pixgood.com/facebook-cookies.html

slide-13
SLIDE 13

Hard to Defense

13

  • The cookie are “baked” from a 1st-party position
  • Do Not Track Header

source: http://amqueretaro.com/fotogalerias/2014/04/20/fotos-ir-en-contra-de-las-reglas-nunca-fue-tan-divertido

slide-14
SLIDE 14

Hard to Defense

14

  • The cookie are “baked” from a 1st-party position
  • Do Not Track Header
  • The functions are desired

source: http://i.kinja-img.com/gawker-media/image/upload/s--xGcq1y03--/ c_fit,fl_progressive,q_80,w_636/18rc5mwoft1d3jpg.jpg

slide-15
SLIDE 15

ShareMeNot

15

source: sharemenot.cs.washington.edu

slide-16
SLIDE 16

ShareMeNot

16

source: sharemenot.cs.washington.edu

slide-17
SLIDE 17

ShareMeNot

17

1. Identify HTTP requests for tracker buttons 2. Block the requests and insert replacement buttons 3. When users click the buttons, load the actual widget 4. Users need to click again to trigger the “like” function

source: sharemenot.cs.washington.edu

slide-18
SLIDE 18

18

source: sharemenot.cs.washington.edu

slide-19
SLIDE 19

19

source: sharemenot.cs.washington.edu

slide-20
SLIDE 20

20

source: CNN

slide-21
SLIDE 21

Evaluation

21

Top 20 Social Widgets # of Top Domains

source: Roesner, Franziska, et al. "Sharemenot: Balancing privacy and functionality of third-party social widgets." Usenix (2012).

slide-22
SLIDE 22

Evaluation

22

Tracker Without ShareMeNot With ShareMeNot Facebook 154 9 Google 149 15 Twitter 93 AddThis 34 YouTube 30 LinkedIn 22 Digg 8 Stumbleupon 6

source: Roesner, Franziska, et al. "Sharemenot: Balancing privacy and functionality of third-party social widgets." Usenix (2012).

slide-23
SLIDE 23

User Study

23

source: http://adsoftheworld.com/sites/default/files/media-vimeo/70533052.jpg

slide-24
SLIDE 24

Discussion

24

  • How would you

design a user study for ShareMeNot?

source: sharemenot.cs.washington.edu

slide-25
SLIDE 25

Outline

  • Q1: How to Prevent Web Tracking?
  • Q2: How to Opt Out Online Behavioral Advertising?
  • Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online

Behavioral Advertising

  • Q3: How to Design Phishing Websites?

25

slide-26
SLIDE 26

Your habits Your politics opinion Your browsing history Your identity

Social Widgets

source: TL - Facebook, TR - http://iptv-work.at.ua, BL - http://pixshark.com/timeline-clipart-for-kids.htm, BR - CNN

slide-27
SLIDE 27

27

Your habits Your politics opinion Your browsing history Your identity

Social Widgets

source: TL - Facebook, TR - http://iptv-work.at.ua, BL - http://pixshark.com/timeline-clipart-for-kids.htm, BR - CNN, CENTER - http://www.gunslot.com/pictures/re-imagined-facebook-button

slide-28
SLIDE 28

Online Behavior Advertising

28

Trackers

Social Widgets

source: http://adsoftheworld.com/media/print/dicks_sporting_goods_nike_cleat, http://s.petrolicious.com/2015/ vintage-friday/01-jan/Mens%20Shaving%20Posters/vf-mens-shaving-posters-6.jpg, http://www.ideyab.com/ images/contents/0123230525-galleries.jpg

slide-29
SLIDE 29

– 87% participants of a 2009 study (Turow et al.)

“I would not allow advertisers to track my information”

29

slide-30
SLIDE 30

– 64% participants of a 2009 study (Turow et al.)

“Targeted Ads are invasive”

30

slide-31
SLIDE 31

Privacy Tools

31

  • Opt-out tools

source: www.privacyfix.com/start/install

slide-32
SLIDE 32

Privacy Tools

32

  • Opt-out tools
  • Browsers’ built-in settings

source: FireFox

slide-33
SLIDE 33

Privacy Tools

33

  • Opt-out tools
  • Browsers’ built-in settings
  • Blocking tools

source: AdBlockPlus

slide-34
SLIDE 34

Study

  • 45 participants between-subjects lab study.
  • Each participant tested one of nine privacy tools.
  • All non-technical and not knowledgable about privacy tools.

34

source: Leon, Pedro, et al. "Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2012.

slide-35
SLIDE 35

Study

  • 1. Journal Video -> attitudes towards behavioral advertising
  • 2. Installation -> understanding of the tool
  • 3. Configuration -> survey and verbal questions

35

source: Leon, Pedro, et al. "Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2012.

slide-36
SLIDE 36

Study

  • 1. Journal Video -> attitudes towards behavioral advertising
  • 2. Installation -> understanding of the tool
  • 3. Configuration -> survey and verbal questions
  • 4. Resolve Problems -> usability questionnaire

36

source: Leon, Pedro, et al. "Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising." Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2012.

slide-37
SLIDE 37

Results

37

  • Users can’t distinguish between trackers

source: AdBlockPlus

slide-38
SLIDE 38

Results

  • Users can’t distinguish between trackers
  • Inappropriate defaults

38

source: FireFox

slide-39
SLIDE 39

Results

39

  • Users can’t distinguish between trackers
  • Inappropriate defaults
  • Communication problems

source: AdBlockPlus

slide-40
SLIDE 40

Results

40

  • Users can’t distinguish between trackers
  • Inappropriate defaults
  • Communication problems
  • Need for feedback

source: http://habrahabr.ru/hub/javascript/page7/

slide-41
SLIDE 41

Results

41

  • Users can’t distinguish between trackers
  • Inappropriate defaults
  • Communication problems
  • Need for feedback
  • Breaking websites

source: http://facebookcommentimages.com/wp-content/uploads/2014/01/like.png

slide-42
SLIDE 42

Feedback

42

source: FireFox

slide-43
SLIDE 43

Outline

  • Q1: How to Prevent Web Tracking?
  • Q2: How to Opt Out Online Behavioral Advertising?
  • Q3: How to Design Phishing Websites?
  • Why Phishing Works

43

slide-44
SLIDE 44

Phishing Websites

source: https://www.eff.org/files/images_insert/april_11_copy.png

slide-45
SLIDE 45

Strategies

45

  • Lack of Knowledge
  • Domain names (www.ebay-members.com)
  • Security indicators (SSL certificate)

source: https://www.thesslstore.com/images/img-green-addressbar.png

slide-46
SLIDE 46

Strategies

46

  • Visual Deception
  • Domain names (www.paypai.com)
  • Logo and design

source: https://www.eff.org/files/images_insert/april_11_copy.png

slide-47
SLIDE 47

Strategies

47

  • Bounded Attention
  • Absence of security indicators (SSL certificate)
slide-48
SLIDE 48

Study

  • 22 participants
  • 20 websites
  • Within-subjects: every participant saw every website

48

source: Dhamija, Rachna, J. Doug Tygar, and Marti Hearst. "Why phishing works." Proceedings of the SIGCHI conference on Human Factors in computing systems. ACM, 2006.

slide-49
SLIDE 49

– Senario

“Imagine that you receive an email message that asks you to click on one of the following

  • links. Imagine that you decide to click on the

link to see if it is legitimate website or a spoof”

49

source: Dhamija, Rachna, J. Doug Tygar, and Marti Hearst. "Why phishing works." Proceedings of the SIGCHI conference on Human Factors in computing systems. ACM, 2006.

slide-50
SLIDE 50

Results

  • Good phishing websites fooled 90% of participants
  • 23% participants did not look at the address bar, status bar or the

security indicators

  • Participants on average made mistakes 40% of the time
  • 68% participants proceeded without hesitation when presented

with popup warnings

  • Education, age, sex, previous experience, hours of computer use

are all not significantly correlated with vulnerability to phishing

50

source: Dhamija, Rachna, J. Doug Tygar, and Marti Hearst. "Why phishing works." Proceedings of the SIGCHI conference on Human Factors in computing systems. ACM, 2006.

slide-51
SLIDE 51

Thank you!

  • Q1: How to Prevent Web Tracking?
  • Q2: How to Opt Out Online Behavioral Advertising?
  • Q3: How to Design Phishing Websites?

51