Berkeley COMPSCI 161 - Privacy and Anonymity

This preview shows page 1-2 out of 6 pages.

Privacy and Anonymity
Dawn Song, dawnsong@cs.berkeley.edu
Slides credit: John Mitchell, Vitaly Shmatikov

Part 1: network-layer privacy
Goals:
  Hide user's IP address from target web site
  Hide browsing destinations from network

Current state of the world I
ISPs tracking customer browsing habits:
  Sell information to advertisers
  Embed targeted ads in web pages (1.3%)
  Example: MetroFi (free wireless) [Web Tripwires: Reis et al. 2008]
Several technologies used for tracking at ISP: NebuAd, Phorm, Front Porch
  Bring together advertisers, publishers, and ISPs
  At ISP: inject targeted ads into non-SSL pages
Tracking technologies at enterprise networks: Vontu (symantec), Tablus (RSA), Vericept

Current state of the world II
EU directive 2006/24/EC: 3 year data retention
For ALL traffic, requires EU ISPs to record:
  Sufficient information to identify endpoints (both legal entities and natural persons)
  Session duration, but not session contents
Make available to law enforcement, but penalties for transfer or other access to data
For info on US privacy on the net: "Privacy on the Line" by W. Diffie and S. Landau

Anonymous web browsing
Why?
  1. Discuss health issues or financial matters anonymously
  2. Bypass Internet censorship in parts of the world
  3. Conceal interaction with gambling sites
  4. Law enforcement
Two goals:
  Hide user identity from target web site: (1), (4)
  Hide browsing pattern from employer or ISP: (2), (3)
Stronger goal: mutual anonymity (e.g. remailers)

1st attempt: anonymizing proxy
HTTPS://anonymizer.com ? URL=target
[Figure: User1, User2 and User3 reach Web1, Web2 and Web3 through anonymizer.com; link labels: SSL, HTTP]

Anonymizing proxy: security
Monitoring ONE link: eavesdropper gets nothing
Monitoring TWO links: eavesdropper can do traffic analysis
  More difficult if lots of traffic through proxy
Trust: proxy is a single point of failure
  Can be corrupt or subpoenaed
  Example: The Church of Scientology vs. anon.penet.fi
Protocol issues:
  Long-lived cookies make connections to site linkable

How proxy works
Proxy rewrites all links in response from web site
  Updated links point to anonymizer.com
  Ensures all subsequent clicks are anonymized
Proxy rewrites/removes cookies and some HTTP headers
Proxy IP address: if a single address, could be blocked by site or ISP
  anonymizer.com consists of 20,000 addresses
  Globally distributed, registered to multiple domains
  Note: chinese firewall blocks ALL anonymizer.com addresses

2nd attempt: MIX nets
Goal: no single point of failure

MIX nets [C'81]
[Figure: msg travels through MIX routers R1 to R6 to srvr]
Every router has public/private key pair
  Sender knows all public keys
To send packet:
  Pick random route: R2 -> R3 -> R6 -> srvr
  Prepare onion packet:
    packet = Epk2( R3, Epk3( R6, Epk6( srvr, msg ) ) )

Eavesdropper's view at a single MIX
[Figure: user1, user2 and user3 send into router Ri, which forwards a batch]
Eavesdropper observes incoming and outgoing traffic
Crypto prevents linking input/output pairs
  Assuming enough packets in incoming batch
  If variable-length packets then must pad all to max len
Note: router is stateless

Performance
[Figure: route R2 -> R3 -> R6 -> srvr]
Main benefit: privacy as long as at least one honest router on path
Problems:
  High latency (lots of public key ops)
    Inappropriate for interactive sessions
    May be OK for email
  No forward security
Homework puzzle: how does server respond?
  hint: user includes "response onion" in forward packet

Web-based user tracking
Browser provides many ways to track users:
  1. 3rd party cookies; Flash cookies
  2. Tracking through the history file
  3. Machine fingerprinting

3rd party cookies
What they are:
  User goes to site A.com; obtains page
  Page contains <iframe src="B.com">
  Browser goes to B.com; obtains page
  HTTP response contains cookie
  Cookie from B.com is called a 3rd party cookie
Tracking:
  User goes to site D.com
  D.com contains <iframe src="B.com">
  B.com obtains cookie set when visited A.com
  B.com knows user visited A.com and D.com

Can we block 3rd party cookies?
Supported by most browsers
IE and Safari: block set/write
  Ignore the "Set-Cookie" HTTP header from 3rd parties
  Site sets cookie as a 1st party; will be given cookie when contacted as a 3rd party
  Enabled by default in IE7
Firefox and Opera: block send/read
  Always implement "Set-Cookie", but never send cookies to 3rd party
  Breaks sess. mgmt. at several sites (off by default)

Effectiveness of 3rd party blocking
Ineffective for improving privacy
  3rd party can become first party and then set cookie
  Flash cookies not controlled by browser cookie policy
Better proposal:
  Delete all browser state upon exit
  Supported as an option in IE7

Tracking through the history file
E.g. site checks hyperlink color for history
Applications:
  Context-aware phishing: phishing page tailored to victim
  Marketing
  Use browsing history as 2nd factor authentication

Context-aware phishing
Stanford students see:
Cal students see:

SafeHistory/SafeCache [JBBM'06]
Define Same Origin Policy for all long-term browser state
  history file and web cache
  Firefox extensions: SafeHistory and SafeCache
Example: history
  Color link as visited only when site can tell itself that user previously visited link:
    A same-site link, or
    A cross-site link previously visited from this site

Machine fingerprinting
Tracking using machine fingerprints:
  User connects to site A.com
  Site builds a fingerprint of user's machine
  Next time user visits A.com, site knows it is the same user

Machine fingerprints [Kohno et al. '05]
Content and order of HTTP headers, e.g. user-agent header:
  Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Javascript and JVM can interrogate machine properties:
  Timezone, local time, local IP address
TCP timestamp: exploiting clock skew
  TCP_timestamp option: peer embeds 32-bit time in every packet header. Accurate to 100ms
  fingerprint = (real time between packets) / (timestamp between packets)

Administrivia
Office hour on Tue changed to 1-3pm due to schedule conflict
Additional office hour on Thu Fri afternoon to help students preparing the final
In-class final: Dec 10, 306 Soda
Final review on Wed
Guest lecture on Mon: real-world experiences about breaking security systems

De-anonymizing data

Problem statement
An organization collects private user data
  Wishes to make data available for research
  Individual identities should be hidden
Examples:
  Search queries over a 3 month period (AOL)
  Netflix movie rentals
  Census data
  Social networking data

Incorrect approach
Replace "username" or "userID" by random value
  Dan -> a56fd863ec
  John -> 87649dce63

De-Anonymizing Netflix Records
Average subscriber has 214 dated ratings
How many does the attacker need to know to identify his victim's record in the dataset?
Two is