Title: Better web privacy through automation
1Better web privacy through automation
- Umesh Shankar
- Berkeley EECS
2Configuration everywhere
- Home wireless access
- Operating System
- Web Browser
3Correct configuration is difficult
- We have high-level goals
- Allow my computers onto my network and no
others - but low-level configuration languages
- Did I get the settings right?
- Not always obvious how to express goals in policy
terms or to see if they are met
4Insecurity ensues
- When policies are too difficult to configure,
people disable or bypass them - Browser, firewall, OS policy are set to defaults
- We lose the benefit of configurability policy
reflecting our specific needs - Functionality wins over security by default
- Must retain security subject to users patience
5Browser cookie recap
Client
Server
GET /index.html
index.html
CartID1234
Cookies
CartID1234
GET /cart.jsp
cart.jsp
Your cart 1234 contains"
6Cookie types
- Four classes based on context and lifetime
(First party, Third party) ? (Session,
Persistent) - First cookies from same site as in URL bar
- Third cookies from other sites (e.g., ads)
- Session cookie lasts until browser is closed
- Persistent cookie lasts until expiration date
- All cookies only sent to originating site
7Cookies and privacy
- Problem The same third party cookie can appear
on multiple sites gt you can be tracked - If anyone knows who you are, everyone does
Tracking cookie
Tracking cookie
Advertiser Database about you
8The sad state of the art
- Two unpalatable options
- Global policy for all sites
- Constant barrage of dialogs
- Sufficiently annoying that people accept defaults
- Functionality trumps privacy concerns
- Individually tailored policies eliminated
9Existing approaches
- Browser bars
- Expose site cookies to the user
- Collect user choices for collaborative filtering
- Violates user privacy (could be fixed)
- P3P interface
- A good start
- P3P still unreliable
10A new way of thinking
- Observations
- People dont care about cookies, they care about
privacy and functionality - People are equipped to make high-level decisions
- Mistakes happen error recovery should be easy
- Solutions
- Automated optimization browser forking
- Easy, high-level choices side-by-side comparison
- Recovery mechanism backtrack replay
11The ideal policy
- Allow the set of cookies that maximizes the net
benefit to the user - Net benefit Benefit Cost
Functionality Privacy Loss - Having an objective function allows us to start
to measure policy quality - With a default-deny policy, each user-initiated
change represents a unit of error
12Challenges
- Benefit is not revealed until after cookie is
taken - Cost only revealed through hidden P3P policy
- Making informed decisions is difficult
13Determining benefit
- Observation If a cookie has no benefit, we can
reject it outright - Idea Fork the browser
- One fork takes the cookie, one doesnt
- Maintain fork for a few pages
- If no difference in the output, assume reject
- Encode the decision into the policy
14Forking the browser (cookies not needed)
VISIBLE Amazon.com (cookies off)
Home page
Item page
Cart
View book
Add to cart
. . .
DENY policy assumed because no difference
HIDDEN, FORKED Amazon.com (cookies on)
Home page
Item page
Cart
View book
Add to cart
15Forking the browser (cookies needed)
VISIBLE VerizonWireless.com (cookies off)
Home page
Enter ZIP
Error page
View plans
94720
Switch to other window?
HIDDEN, FORKED VerizonWireless.com (cookies on)
Home page
Enter ZIP
List of plans
View plans
94720
16User choice
- Last line of defense
- Idea Expose cost and benefit to the user
- Show side-by-side output from forking technique,
highlighting differences (benefit) - Show relevant P3P information (cost)
- User can simply decide if with-cookie is better
than without-cookie
17Semantic comparison of web pages
- Necessary for forking and side-by-side
highlighting - Difficult problem on its own
- Sources of error
- Advertisements
- Natural nondeterminism (click trackers, news
feeds) - For now, coarse comparison (viz., page title)
18Dealing with errors
- Errors are inevitable
- Prediction algorithm wont always guess right
- Humans make mistakes or change their minds
- Recovery should be easy and automated
19This site requires cookies
- The nightmare page
- Important Note This section of the site requires
the use of cookies. Cookies allow us to keep
track of who you are and your placement choices
Once you have changed your browser to accept
cookies, please go back to the placement area
home page and begin making your choices - Select "Preferences" from the Edit menu.
- Click on the "Advanced" selector.
- Click the "Cookies" option.
- Scroll down to the "Cookies" section.
- To enable
- Select "Enable all cookies."
- Click "OK."
20Fix Me
Cookies Off (due to prior policy)
Home page
Item page
Empty cart
Item page
View Item
Show cart
Add item
Click Fix Me
Home page
Item page
Cart page
View Item (Automatic)
Add item (Automatic)
Session Cookies On(automatic)
Replay stops because page is different
21Notes on Backtracking replaying
- How far to go back?
- Typically start of site
- Which cookies to enable?
- Perform an expanding search, start with FP
session - When to stop?
- When there is a difference from the history
- If no difference, expand cookie search retry
- Dont replay through POSTs (non-idempotent)
22Why replaying is OK
- No formal proof possible server can take
arbitrary actions in response to a request - In practice, server state is the problem
- Without state, most sites are repeatable
- Lack of state (cookies) is why we are replaying!
- Empirically, most problems show up early, so not
much to replay
23Engineering challenges
- Web is dynamic and nondeterministic
- We handle most Javascript
- Heuristics are good in practice at matching
elements - Browsing is nonlinear (e.g., tabs, back button)
- Still working on multiple tabs
- Back button is emulated
- Firefox is an immature platform
24Progress report
- Done
- Improved on default mechanism in Firefox
- Replay Backtrack work for most sites
- Most interesting Javascript supported
- Still to do
- Comparison algorithm
- Heuristics for how far back/forward to replay
- Heuristics for which cookies to enable with Fix
Me - Multiple tabs