
An Analysis of Private Browsing Modes in Modern Browsers

An Analysis of Private Browsing Modes in Modern Browsers. Gaurav Aggarwal and Elie Bursztein, Collin Jackson, Dan Boneh, USENIX (Aug. 2010). Outline: Introduction; Private browsing: goal and threat model; A survey of private browsing in modern browsers; Usage measurement


Presentation Transcript


  1. An Analysis of Private Browsing Modes in Modern Browsers Gaurav Aggarwal and Elie Bursztein, Collin Jackson, Dan Boneh, USENIX (Aug. 2010)

  2. Outline • Introduction • Private browsing: goal and threat model • A survey of private browsing in modern browsers • Usage measurement • Weaknesses in current implementations • Browser addons • Conclusions

  3. Outline • Introduction • Private browsing: goal and threat model • A survey of private browsing in modern browsers • Usage measurement • Weaknesses in current implementations • Browser addons • Conclusions

  4. Introduction • The four major browsers (IE, Firefox, Chrome and Safari) recently added private browsing modes to their user interfaces - Sites visited while browsing in private mode should leave no trace on the user’s computer - Users may want to hide their identity from web sites they visit by

  5. Introduction • While all major browsers support private browsing, there is a great deal of inconsistency in the type of privacy provided by the different browsers • Even within a single browser there are inconsistencies

  6. Introduction • Even if a browser adequately implements private browsing, an extension or plug-in can completely undermine its privacy guarantees

  7. Outline • Introduction • Private browsing: goal and threat model • A survey of private browsing in modern browsers • Usage measurement • Weaknesses in current implementations • Browser addons • Conclusions

  8. Private browsing: goal and threat model • Defined two types of attackers: 1. An attacker who controls the user’s machine (a local attacker) 2. An attacker who controls web sites that the user visits (a web attacker)

  9. Local Attacker • Security against a local attacker means that an attacker who takes control of the machine after the user exits private browsing can learn nothing about the user’s actions while in private browsing • Limitation: local attacker has no access to the user’s machine before the user exits private browsing

  10. Local Attacker • We need to adequately erase persistent state changes made during a private browsing session 1. Changes initiated by a web site without any user interaction 2. Changes initiated by a web site, but requiring user interaction 3. Changes initiated by the user 4. Non-user-specific state changes

  11. Local Attacker: Security Model • Attacker’s capabilities 1. The attacker does nothing until the user leaves private browsing mode 2. While active, the attacker cannot communicate with network elements that contain information about the user’s activities while in private mode

  12. Local Attacker: Security Model • Attacker’s goal - For a set S of HTTP requests of the attacker’s choosing, determine if the browser issued any of those requests while in private browsing mode

  13. Local Attacker: Security Model • Challenge - The browser will need to ensure that all DNS queries while in private mode do not affect the system’s DNS cache: no entries should be added or removed - The operating system can swap memory pages to the swap partition on disk, which can leave traces of the user’s activity

  14. Local Attacker: Security Model • Solution? - VMM (Virtual Machine Monitor) - User profile backup - Not recording certain data in private mode

  15. Web Attacker • Goal 1. A web site cannot link a user visiting in private mode to the same user visiting in public mode 2. A web site cannot link a user in one private session to the same user in another private session 3. A web site should not be able to determine whether the browser is currently in private browsing mode

  16. Outline • Introduction • Private browsing: goal and threat model • A survey of private browsing in modern browsers • Usage measurement • Weaknesses in current implementations • Browser addons • Conclusions

  17. survey of private browsing in modern browsers • User Interface

  18. survey of private browsing in modern browsers • User Interface

  19. survey of private browsing in modern browsers • Internal behavior

  20. survey of private browsing in modern browsers • Internal behavior

  21. survey of private browsing in modern browsers • Internal behavior

  22. survey of private browsing in modern browsers • Initial privacy violation examples 1. Custom Handler Protocol - Custom protocol handlers (CPH) 2. Client Certificate - SSL client certification

  23. Outline • Introduction • Private browsing: goal and threat model • A survey of private browsing in modern browsers • Usage measurement • Weaknesses in current implementations • Browser addons • Conclusions

  24. Usage measurement: Design • Ad network - Ran two simultaneous one-day campaigns: targeted adult sites, gift shopping sites and news sites

  25. Usage measurement: Result • Private browsing was more popular at adult web sites than at gift shopping sites and news sites • Private browsing was more commonly used in browsers that displayed subtle private browsing indicators

  26. Outline • Introduction • Private browsing: goal and threat model • A survey of private browsing in modern browsers • Usage measurement • Weaknesses in current implementations • Browser addons • Conclusions

  27. Weaknesses in current implementations • Manual code review - Firefox keeps all the state related to the user’s browsing activity including preferences, history, cookies, text entered in forms fields, search queries, etc. in a Profile folder on disk

  28. Weaknesses in current implementations • Manual code review 1. nsIFile - A cross-platform representation of a location in the file system used to read or write to files 2. Storage - A SQLite database API that can be used by other Firefox components and extensions to manipulate SQLite database files

  29. Weaknesses in current implementations • Security certificate settings (stored in file cert8.db) - Stores all security certificate settings and any SSL

  30. Weaknesses in current implementations • Site-specific preferences (stored in file permissions.sqlite) - Stores many of Firefox’s permissions that are decided on a per-site basis

  31. Weaknesses in current implementations • Download actions (stored in file mimeTypes.rdf) - Stores the user’s preferences with respect to what Firefox does when it comes across known file types like pdf or avi.

  32. Weaknesses in current implementations • An automated private browsing test using unit tests - All major browsers have a collection of unit tests for testing browser features before a release - MozMill, a Firefox user-interface test automation tool

  33. Weaknesses in current implementations • Use fs_usage to output the name of the system call used to access the filesystem and the file descriptor being acted upon • Also use the “last modified time” of files in the profile directory to identify those files that are changed during the test

  34. Weaknesses in current implementations • Search Plugins (stored in search.sqlite and search.json)

  35. Outline • Introduction • Private browsing: goal and threat model • A survey of private browsing in modern browsers • Usage measurement • Weaknesses in current implementations • Browser addons • Conclusions

  36. Browser addons • Browser addons (extensions and plug-ins) pose a privacy risk to private browsing because they can persist state to disk about a user’s behavior in private mode

  37. Browser addons • Internet Explorer - Default setting: extensions disabled, but plugins are still functional • Firefox - Both are enabled in private mode • Google Chrome - Disables most extension functionality in private mode, but plugins are enabled • Safari - Does not have a supported extension API

  38. Browser addons • URL whitelist/blocklist/queues • URL Mappings • Timestamp

  39. Browser addons • Manual check - Extensions that opt in to running in private browsing mode • Disallow writes - Prevent extensions from changing any local state while in private browsing mode • Override option - Discard changes made by extensions to local state while in private browsing mode, unless the extension explicitly indicates that the write should persist beyond private browsing mode

  40. Browser addons • ExtensionBlocker in JavaScript - Disable all extensions that are not safe for private mode.

  41. Outline • Introduction • Private browsing: goal and threat model • A survey of private browsing in modern browsers • Usage measurement • Weaknesses in current implementations • Browser addons • Conclusions

  42. Conclusion • Manual review and an automated testing tool pointed out several weaknesses in existing implementations • Performed the first measurement study of private browsing usage in different browsers and on different sites • Keeping browser extensions and plug-ins from undoing the goals of private browsing
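
The profile-directory check described on slide 33 (comparing "last modified time" before and after a test run) can be sketched as follows. This is an added example, not code from the presentation or the paper; the function names are hypothetical, the directory is a constructed stand-in that reuses file names from slides 29 to 34, and a content hash is added so that rewritten files can be told apart from files whose timestamp alone changed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(profile_dir):
    """Map each file's relative path to (mtime_ns, size, sha256 of contents)."""
    state = {}
    root = Path(profile_dir)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (st.st_mtime_ns, st.st_size, digest)
    return state


def diff_snapshots(before, after):
    """Classify files as added, removed, rewritten (content) or touched (mtime only)."""
    report = {"added": [], "removed": [], "rewritten": [], "touched": []}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            report["added"].append(name)
        elif name not in after:
            report["removed"].append(name)
        elif before[name][2] != after[name][2]:
            report["rewritten"].append(name)
        elif before[name][0] != after[name][0]:
            report["touched"].append(name)
    return report


def demo():
    """Constructed profile directory; the writes below simulate a private session."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("cert8.db", "permissions.sqlite", "mimeTypes.rdf", "search.sqlite"):
            (root / name).write_bytes(b"baseline")
        before = snapshot(root)
        # Simulated activity (constructed sample data, not real browser behaviour).
        (root / "permissions.sqlite").write_bytes(b"baseline+site-permission")
        (root / "search.json").write_bytes(b"{}")
        st = (root / "search.sqlite").stat()
        os.utime(root / "search.sqlite", ns=(st.st_atime_ns, st.st_mtime_ns + 2_000_000_000))
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Against a real profile, take the first snapshot before entering private mode and the second after leaving it; any file listed as added or rewritten is persistent state that survived the session.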
