1 / 32

Protecting Users from Stateful Third-Party Web Tracking with TrackingFree Browser

Learn about TrackingFree, a browser that partitions client-side states to protect users from stateful third-party web tracking. This article covers the background, system design, evaluation, and summary of TrackingFree.

idellal
Download Presentation

Protecting Users from Stateful Third-Party Web Tracking with TrackingFree Browser

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan§, Yinzhi Cao†, Yan Chen§ § Northwestern University † Columbia University

  2. Roadmap • Background • System Design • Evaluation • Summary

  3. Tracker (doubleclick) User Referer : http://online.wsj.com/ Cookie : id = 12345 Referer : http://www.cnn.com/ Cookie : id = 12345 visit visit

  4. Web tracking is serious • Prevalent • More than 90% of Alexa Top 500 web sites [Roesner, NSDI 2012] • A web page usually has multiple tracking elements • “There is no such thing as anonymous online tracking” --- Arvind Narayanan • Not only browsing history, but also other sensitive information: location, name, email, … • Leaked out information can be correlated together 4

  5. No effective defense approach • Disable third-party cookie • Can be easily bypassed • Blacklist-based anti-tracking tools • Priori knowledge of tracking server • Do-not-track header • No enforcement 5

  6. TrackingFree Goals and Challenges • Anti-tracking Completeness • Functionality/compatbility • Performance Referer : http://online.wsj.com/ Cookie : id = 12345 Referer : http://www.cnn.com/ Cookie : id = 24578 Core Idea : TrackingFree partitions client-side states into multiple isolation units so that the identifiers still exists but not unique any more!

  7. Out-of-scope threats • TrackingFree doesn’t address following threats: • Within-Site Tracking. • Tracking by exploiting browser vulnerabilities • Stateless tracking.

  8. Roadmap • Background • System Design • Evaluation • Summary

  9. Architecture

  10. Contents Allocation Mechanism • Initial Contents Allocation • Handles those top frames that are navigated by users directly • Derivative Contents Allocation • Handles those frames that are generated due to the contents on other frames, which we call child frame 10

  11. Initial Contents Allocation 11

  12. Derivative Contents Allocation • Principal Switch • Should we switch principle for child frame? • Principal Selection • How to choose target principal? 12

  13. Principal Switch Same principal Different principal • The deficiencies of two intuitive yet extreme policies: • Not privacy-preserving (no switch) • Unnecessary overhead (too much switch) • Our solution: switch principal only if the following two conditions are met: • Cross-site • User-triggered 13

  14. Principal Selection • The deficiency of two intuitive yet extreme policies • Break compatibility (always create new principal) • Break anti-tracking capacity (create at most one principal for each domain) • Our solution: • Maintains an in-degree-bounded graph for principals • The in-degree of the graph is set to two 14

  15. Principal Communication • Explicit communication is widely used, but break the isolation mechanism. • Our solution: we restrict the use of explicit communication as follows: • Third-party elements in one principle can not explicitly communicate with other principals. • First-party elements can only explicitly communicate with the first-party elements placed in its neighbor principals 3119 4852 6 0 15

  16. Principal Communication • Implicit Communication • History Sharing • UI history manager • Accepts information from other managers • Only UI manager gets associated with browser UI • Communication through navigation URL 16

  17. Preference Configure • User preference can be abused to store tracking identifier. (e.g. strict transport security) • Completely isolating user preference affects user preference. • Our solution: • Isolate user preference. • Apply user-initiated changes to all of the principals. • Monitor GUI message to determine user-initiated preference change. 17

  18. Roadmap • Background • System Design • Evaluation • Summary

  19. Evaluation • Anti-tracking capability • Formal proof • Experiments with real world websites • Performance • Overhead (latency, memory, disk) • Compatibility

  20. Formal Proof • Use Alloy to formally analyzeTrackingFree ’s anti-tracking ability. • Alloy is the most popular formal proof system • Describe TrackingFree’s behaviors on an existing Alloy Web model [Akhawe et al. CSF 2010]. • Formally verified trackers can correlate TrackingFree user’s activities up to three principals without site collaboration. • Assumptions: • Non-tracking servers will not set tracking identifiers for third-party trackers. • On non-tracking host web sites, first-party elements will not send third-party tracking identifiers to other principals.

  21. Gathered tracking tokens on Alexa Top web sites by following the tracker detection of [Roesner et al. NSDI 2012]. • Detection based on the observation that each tracking request must contain the user’s globally unique identifier. • Some false negative, no false positive. Anti-tracking Capabilitywith Real World Web Sites 21

  22. Visit 2,032 valid URLsfrom Alexa Top 500 web sites. • Gathered 647 tracking tokens • TrackingFree eliminated all of them. Anti-tracking Capabilitywith Real World Web Sites Top 10 Tracking Hosts 22

  23. Performance Overall Overhead: ~3% - ~20% (2). Address Bar Navigation with Principal Avg. Overhead 3.36% (3). Cross Site Navigation Avg. Overhead 19.43% (4). Within-site Navigation Avg. Overhead 4.70% (1). Address Bar Navigation without Principal Avg. Overhead 8.29%

  24. Memory/Disk Overhead Memory Overhead on 12 Web Pages (~25MB/Principal) Disk Overhead on 12 Web Pages (~0.6MB/Principal)

  25. Compatibility • Manually tested TrackingFree’s compatibility on Alexa Top 50 websites • Compatibility on first-party websites • Results: 50/50 • Compatibility on third-party services • Cross-site online payments (1/1) • Cross-site content sharing (31/31) • Single sign-on (35/36) • Overall results: 67/68

  26. Case study: Logging Yahoo using Facebook Account 26

  27. Roadmap • Background • System Design • Evaluation • Summary 27

  28. Summary • We designed and implemented TrackingFree browser that completely protect users from third-party web tracking by isolating resources in different principals. • We theoretically and experimentally proved TrackingFree’s anti-tracking capability. • TrackingFree incurs affordable overhead and compatibility cost.

  29. Thanks & Questions?http://list.cs.northwestern.edu/WebSecurity

  30. Domain Data Manager • Backup slides…

  31. Related Work • Existing Anti-tracking Mechanisms • Do Not Track(DNT): almost useless • Blacklist-based Tool: require priori knowledge • Disabling Third-party Cookie: easy to bypass • Existing Multi-principal Browsers • No anti-tracking capability

  32. Related Work

More Related