Better web privacy through automation - PowerPoint PPT Presentation

1 / 23

About This Presentation

Title:

Better web privacy through automation

Description:

Not always obvious how to express goals in policy terms or to see if they are met ... Don't replay through POSTs (non-idempotent) Why replaying is OK ... – PowerPoint PPT presentation

Number of Views:32

Avg rating:3.0/5.0

Slides: 24

Provided by: umes6

Learn more at: http://www.truststc.org

Category:

more less

Transcript and Presenter's Notes

Title: Better web privacy through automation

1
Better web privacy through automation

Umesh Shankar
Berkeley EECS

2
Configuration everywhere

Home wireless access
Operating System
Web Browser

3
Correct configuration is difficult

We have high-level goals
Allow my computers onto my network and no
others
but low-level configuration languages
Did I get the settings right?
Not always obvious how to express goals in policy
terms or to see if they are met

4
Insecurity ensues

When policies are too difficult to configure,
people disable or bypass them
Browser, firewall, OS policy are set to defaults
We lose the benefit of configurability policy
reflecting our specific needs
Functionality wins over security by default
Must retain security subject to users patience

5
Browser cookie recap
Client
Server
GET /index.html
index.html
CartID1234

Cookies
CartID1234
GET /cart.jsp
cart.jsp
Your cart 1234 contains"
6
Cookie types

Four classes based on context and lifetime
(First party, Third party) ? (Session,
Persistent)
First cookies from same site as in URL bar
Third cookies from other sites (e.g., ads)
Session cookie lasts until browser is closed
Persistent cookie lasts until expiration date
All cookies only sent to originating site

7
Cookies and privacy

Problem The same third party cookie can appear
on multiple sites gt you can be tracked
If anyone knows who you are, everyone does

Tracking cookie
Tracking cookie
Advertiser Database about you
8
The sad state of the art

Two unpalatable options
Global policy for all sites
Constant barrage of dialogs
Sufficiently annoying that people accept defaults
Functionality trumps privacy concerns
Individually tailored policies eliminated

9
Existing approaches

Browser bars
Expose site cookies to the user
Collect user choices for collaborative filtering
Violates user privacy (could be fixed)
P3P interface
A good start
P3P still unreliable

10
A new way of thinking

Observations
People dont care about cookies, they care about
privacy and functionality
People are equipped to make high-level decisions
Mistakes happen error recovery should be easy
Solutions
Automated optimization browser forking
Easy, high-level choices side-by-side comparison
Recovery mechanism backtrack replay

11
The ideal policy

Allow the set of cookies that maximizes the net
benefit to the user
Net benefit Benefit Cost
Functionality Privacy Loss
Having an objective function allows us to start
to measure policy quality
With a default-deny policy, each user-initiated
change represents a unit of error

12
Challenges

Benefit is not revealed until after cookie is
taken
Cost only revealed through hidden P3P policy
Making informed decisions is difficult

13
Determining benefit

Observation If a cookie has no benefit, we can
reject it outright
Idea Fork the browser
One fork takes the cookie, one doesnt
Maintain fork for a few pages
If no difference in the output, assume reject
Encode the decision into the policy

14
Forking the browser (cookies not needed)
VISIBLE Amazon.com (cookies off)
Home page
Item page
Cart
View book
Add to cart
. . .
DENY policy assumed because no difference
HIDDEN, FORKED Amazon.com (cookies on)
Home page
Item page
Cart
View book
Add to cart
15
Forking the browser (cookies needed)
VISIBLE VerizonWireless.com (cookies off)
Home page
Enter ZIP
Error page
View plans
94720
Switch to other window?
HIDDEN, FORKED VerizonWireless.com (cookies on)
Home page
Enter ZIP
List of plans
View plans
94720
16
User choice

Last line of defense
Idea Expose cost and benefit to the user
Show side-by-side output from forking technique,
highlighting differences (benefit)
Show relevant P3P information (cost)
User can simply decide if with-cookie is better
than without-cookie

17
Semantic comparison of web pages

Necessary for forking and side-by-side
highlighting
Difficult problem on its own
Sources of error
Advertisements
Natural nondeterminism (click trackers, news
feeds)
For now, coarse comparison (viz., page title)

18
Dealing with errors

Errors are inevitable
Prediction algorithm wont always guess right
Humans make mistakes or change their minds
Recovery should be easy and automated

19
This site requires cookies

The nightmare page
Important Note This section of the site requires
the use of cookies. Cookies allow us to keep
track of who you are and your placement choices
Once you have changed your browser to accept
cookies, please go back to the placement area
home page and begin making your choices
Select "Preferences" from the Edit menu.
Click on the "Advanced" selector.
Click the "Cookies" option.
Scroll down to the "Cookies" section.
To enable
Select "Enable all cookies."
Click "OK."

20
Fix Me
Cookies Off (due to prior policy)
Home page
Item page
Empty cart
Item page
View Item
Show cart
Add item
Click Fix Me
Home page
Item page
Cart page
View Item (Automatic)
Add item (Automatic)
Session Cookies On(automatic)
Replay stops because page is different
21
Notes on Backtracking replaying

How far to go back?
Typically start of site
Which cookies to enable?
Perform an expanding search, start with FP
session
When to stop?
When there is a difference from the history
If no difference, expand cookie search retry
Dont replay through POSTs (non-idempotent)

22
Why replaying is OK

No formal proof possible server can take
arbitrary actions in response to a request
In practice, server state is the problem
Without state, most sites are repeatable
Lack of state (cookies) is why we are replaying!
Empirically, most problems show up early, so not
much to replay

23
Engineering challenges