5 research outputs found

    Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites

    This paper studies the privacy risks for the users of two popular single sign-on platforms for web-based content access: OpenID and Facebook Connect. In particular, we describe in detail a privacy vulnerability of the OpenID Authentication Protocol that leads to the exposure of the OpenID user identifier to third parties. We illustrate how OpenID agents leak the (potentially unique) OpenID identifiers of their users to third parties, like advertisement and traffic analysis corporations. This vulnerability is a real and widespread privacy risk for OpenID users. This paper also analyzes the privacy of Facebook Connect (the proprietary single sign-on platform that is gaining a lot of popularity recently), and we conclude that it is not affected by the same vulnerability but other important privacy issues remain. Finally, this paper studies the solution space of these problems and defines a number of possible countermeasures. In the case of the OpenID vulnerability, we propose three solutions to this problem: one for the long term to avoid the root cause of the vulnerability, and another two short-term mitigations. The work presented in this paper has been funded by the INDECT project (Ref 218086) of the 7th EU Framework Programme. Publicad

    A LINDDUN-based framework for privacy threat analysis on identification and authentication processes

    © . This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0/ Identification and authentication (IA) are security procedures that are ubiquitous in our online life, and that constantly require disclosing personal, sensitive information to non-fully trusted service providers, or to fully trusted providers that unintentionally may fail to protect such information. Although user IA processes are extensively supported by heterogeneous software and hardware, the simultaneous protection of user privacy is an open problem. From a legal point of view, the European Union legislation requires protecting the processing of personal data and evaluating its impact on privacy throughout the whole IA procedure. Privacy Threat Analysis (PTA) is one of the pillars for the required Privacy Impact Assessment (PIA). Among the few existing approaches for conducting a PTA, LINDDUN is a very promising framework, although generic, in the sense that it has not been specifically conceived for IA. In this work, we investigate an extension of LINDDUN that allows performing a reliable and systematically-reproducible PTA of user IA processes, thereby contributing to one of the cornerstones of PIA. Specifically, we propose a high-level description of the IA verification process, which we illustrate with a UML use case. Then, we design an identification and authentication modelling framework, propose an extension of two critical steps of the LINDDUN scheme, and adapt and tailor the trust boundary concept applied in the original framework. Finally, we propose a systematic methodology aimed to help auditors apply the proposed improvements to the LINDDUN framework. The authors are thankful for the support through the research project “INRISCO”, ref. TEC2014-54335-C4-1-R, “MAGOS”, TEC2017-84197-C4-3-R, and the project “Sec-MCloud”, ref. TIN2016-80250-R. J. Parra-Arnau is the recipient of a Juan de la Cierva postdoctoral fellowship, IJCI-2016–28239, from the Spanish Ministry of Economy and Competitiveness. J. Parra-Arnau is with the UNESCO Chair in Data Privacy, but the views in this paper are his own and are not necessarily shared by UNESCO. Peer Reviewed. Postprint (author's final draft

    Risk awareness when using social media

    Social media expose their users to risks; in some cases this may involve simpler malware, and in other cases more serious attacks such as identity theft and other theft attempts. In the study we have seen that users of social media have a good awareness of security and risks, but that they do not always act on this when they use the media. In earlier studies we see that age plays a part in how aware users are, and that users aged 20-30 are more aware than adolescents aged 14-19. The thesis also takes a first step in trying to encourage further studies on game scams on social media. Keywords: Social media, Risk awareness, Game sca

    Facebook: Where privacy concerns and social needs collide

    Facebook is an integral part of today’s social landscape, but Facebook use involves compromising one’s privacy in relation to both other users and to the Facebook corporation and its affiliated businesses. This analysis explores respondents’ reasons for using Facebook together with their Facebook-related privacy concerns, and how these factors influence self-disclosures and privacy management strategies on the site. Also explored are respondents’ perceptions both of what the Facebook corporation ‘knows’ about them and with whom it shares their data. The research is based on the concepts of user-user and user-corporate privacy concerns versus the social needs of self-portrayal and belonging. Self-portrayal (inspired by Friedlander, 2011) is explored in the contexts of both strategic self-presentation and expression of the true self, and belonging is explored in the contexts of both intimacy and affiliation. These concepts have been drawn from a combination of psychological theories together with existing research on privacy concerns and social needs on social networking sites. Respondents completed an online questionnaire over a six-week period from late August to early October 2014, and a focus group was held in November 2014. The questionnaire was largely quantitative but allowed for qualitative input via text boxes. There were 404 completed and valid responses, and of the demographic factors tested, gender was most strongly associated with Facebook-related privacy concerns and age was most strongly associated with reasons for using Facebook. Respondents indicated a clash between fulfilling their social needs on Facebook and their privacy concerns on the site. However, these concerns did not, for the most part, stop them using Facebook, although in certain instances respondents employed tactics to minimise their privacy concerns. This thesis argues that, when using Facebook, respondents resolved the privacy paradox to the best of their ability. It is anticipated that the findings of this thesis will contribute to the ongoing dialogue surrounding the benefits and drawbacks of social media use