205 research outputs found
Control What You Include! Server-Side Protection against Third Party Web Tracking
Third party tracking is the practice by which third parties recognize users
accross different websites as they browse the web. Recent studies show that 90%
of websites contain third party content that is tracking its users across the
web. Website developers often need to include third party content in order to
provide basic functionality. However, when a developer includes a third party
content, she cannot know whether the third party contains tracking mechanisms.
If a website developer wants to protect her users from being tracked, the only
solution is to exclude any third-party content, thus trading functionality for
privacy. We describe and implement a privacy-preserving web architecture that
gives website developers a control over third party tracking: developers are
able to include functionally useful third party content, the same time ensuring
that the end users are not tracked by the third parties
Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets
International audienceBrowser extensions enhance the web experience and have seen great adoption from users in the past decade. At the same time, past research has shown that online trackers can use various techniques to infer the presence of installed extensions and abuse them to track users as well as uncover sensitive information about them. In this work we present a novel extension-fingerprinting vector showing how style modifications from browser extensions can be abused to identify installed extensions. We propose a pipeline that analyzes extensions both statically and dynamically and pinpoints their injected style sheets. Based on these, we craft a set of triggers that uniquely identify browser extensions from the context of the visited page. We analyzed 116K extensions from Chrome's Web Store and report that 6,645 of them inject style sheets on any website that users visit. Our pipeline has created triggers that uniquely identify 4,446 of these extensions, 1,074 (24%) of which could not be fingerprinted with previous techniques. Given the power of this new extension-fingerprinting vector, we propose specific countermeasures against style fingerprinting that have minimal impact on the overall user experience
Beyond Cookie Monster Amnesia:Real World Persistent Online Tracking
Browser fingerprinting is a relatively new method of uniquely identifying
browsers that can be used to track web users. In some ways it is more
privacy-threatening than tracking via cookies, as users have no direct control
over it. A number of authors have considered the wide variety of techniques
that can be used to fingerprint browsers; however, relatively little
information is available on how widespread browser fingerprinting is, and what
information is collected to create these fingerprints in the real world. To
help address this gap, we crawled the 10,000 most popular websites; this gave
insights into the number of websites that are using the technique, which
websites are collecting fingerprinting information, and exactly what
information is being retrieved. We found that approximately 69\% of websites
are, potentially, involved in first-party or third-party browser
fingerprinting. We further found that third-party browser fingerprinting, which
is potentially more privacy-damaging, appears to be predominant in practice. We
also describe \textit{FingerprintAlert}, a freely available browser extension
we developed that detects and, optionally, blocks fingerprinting attempts by
visited websites
Our fingerprints don't fade from the Apps we touch: Fingerprinting the Android WebView
Numerous studies demonstrated that browser fingerprinting is detrimental to
users' security and privacy. However, little is known about the effects of
browser fingerprinting on Android hybrid apps -- where a stripped-down Chromium
browser is integrated into an app. These apps expand the attack surface by
employing two-way communication between native apps and the web. This paper
studies the impact of browser fingerprinting on these embedded browsers. To
this end, we instrument the Android framework to record and extract information
leveraged for fingerprinting. We study over 20,000 apps, including the most
popular apps from the Google play store. We exemplify security flaws and severe
information leaks in popular apps like Instagram. Our study reveals that
fingerprints in hybrid apps potentially contain account-specific and
device-specific information that identifies users across multiple devices
uniquely. Besides, our results show that the hybrid app browser does not always
adhere to standard browser-specific privacy policies
On the Web Platform Cornucopia
Peer reviewe
Control What You Include! Server-Side Protection Against Third Party Web Tracking
International audienceThird party tracking is the practice by which third parties recognize users accross different websites as they browse the web. Recent studies show that more than 90% of Alexa top 500 websites [38] contain third party content that is tracking its users across the web. Website developers often need to include third party content in order to provide basic functionality. However, when a developer includes a third party content , she cannot know whether the third party contains tracking mechanisms. If a website developer wants to protect her users from being tracked, the only solution is to exclude any third-party content, thus trading functionality for privacy. We describe and implement a privacy-preserving web architecture that gives website developers a control over third party tracking: developers are able to include functionally useful third party content, the same time ensuring that the end users are not tracked by the third parties
- …