42
Gaurav Aggarwal and Elie Bursztein, Collin Jackson, Dan Boneh, USENIX (Aug.,2010) AN ANALYSIS OF PRIVATE BROWSING MODES IN MODERN BROWSERS 1
1
Gaurav Aggarwal and Elie Bursztein, Collin Jackson, Dan Boneh, USENIX (Aug.,2010)
AN ANALYSIS OF PRIVATE BROWSING MODES IN MODERN BROWSERS
2 OUTLINE
Introduction
Private browsing: goal and threat model
A survey of private browsing in modern browsers
Usage measurement
Weaknesses in current implementations
Browser addons
Conclusions
3 OUTLINE
Introduction
Private browsing: goal and threat model
A survey of private browsing in modern browsers
Usage measurement
Weaknesses in current implementations
Browser addons
Conclusions
4 INTRODUCTION
The four major browsers (IE, Firefox, Chrome and Safari) recently added private browsing modes to their user interfaces
- Sites visited while browsing in private mode should leave no trace on the user’s computer
- Users may want to hide their identity from web sites they visit by
5 INTRODUCTION
While all major browsers support private browsing, there is a great deal of inconsistency in the type of privacy provided by the different browsers
Even within a single browser there are inconsistencies
6 INTRODUCTION
Even if a browser adequately implements private browsing, an extension or plug-ins can completely undermine its privacy guarantees
7 OUTLINE
Introduction
Private browsing: goal and threat model
A survey of private browsing in modern browsers
Usage measurement
Weaknesses in current implementations
Browser addons
Conclusions
8
PRIVATE BROWSING: GOAL AND THREAT MODEL
Defined two types of attackers:
1. An attacker who controls the user’s machine (a local attacker)
2. An attacker who controls web sites that the user visits (a web attacker)
9 LOCAL ATTACKER
Security against a local attacker means that an attacker who takes control of the machine after the user exits private browsing can learn nothing about the user’s actions while in private browsing
Limitation: local attacker has no access to the user’s machine before the user exits private browsing
10 LOCAL ATTACKER
We need adequately erase persistent state changes during a private browsing session
1. Changes initiated by a web site without any user interaction 2. Changes initiated by a web site, but requiring user interaction 3. Changes initiated by the user. 4. Non-user-specific state changes
11LOCAL ATTACKER:SECURITY MODEL
Attacker’s capabilities
1. The attacker does nothing until the user leaves private browsing mode 2. While active, the attacker cannot communicate with network elements that contain information
about the user’s activities while in private mode
12LOCAL ATTACKER:SECURITY MODEL
Attacker’s goal
- For a set S of HTTP requests of the attacker’s choosing, determine if the browser issued any of those requests while in private browsing mode
13LOCAL ATTACKER:SECURITY MODEL
Challenge
- The browser will need to ensure that all DNS queries while in private mode do not affect the system’s DNS cache: no entries should be added or removed
- Operating system can swap memory pages to the
swap partition on disk which can leave traces of the user’s activity.
14LOCAL ATTACKER:SECURITY MODEL
Solution?
- VMM(Virtual Machine Monitor)
- User profile backup
- Not recording certain date in private mode
15 WEB ATTACKER
Goal
1. A web site cannot link a user visiting in private mode to the same user visiting in public mode
2. A web site cannot link a user in one private session to the same user in another private session
3. A web site should not be able to determine whether the browser is currently in private browsing mode
16 OUTLINE
Introduction
Private browsing: goal and threat model
A survey of private browsing in modern browsers
Usage measurement
Weaknesses in current implementations
Browser addons
Conclusions
17
SURVEY OF PRIVATE BROWSING IN MODERN BROWSERS
User Interface
18
SURVEY OF PRIVATE BROWSING IN MODERN BROWSERS
User Interface
19
SURVEY OF PRIVATE BROWSING IN MODERN BROWSERS
Internal behavior
20
SURVEY OF PRIVATE BROWSING IN MODERN BROWSERS
Internal behavior
21
SURVEY OF PRIVATE BROWSING IN MODERN BROWSERS
Internal behavior
22
SURVEY OF PRIVATE BROWSING IN MODERN BROWSERS
Initial privacy violation examples
1. Custom Handler Protocol - Custom protocol handlers(CPH)
2. Client Certificate - SSL client certification
23 OUTLINE
Introduction
Private browsing: goal and threat model
A survey of private browsing in modern browsers
Usage measurement
Weaknesses in current implementations
Browser addons
Conclusions
24USAGE MEASUREMENT:DESIGN
Ad network- Ran two simultaneous one-day campaigns: targeted adult sites, gift shopping sites and news sites
25USAGE MEASUREMENT:RESULT
Private browsing was more popular at adult web sites than at gift shopping sites and news sites
Private browsing was more commonly used in browsers that displayed subtle private browsing indicators
26 OUTLINE
Introduction
Private browsing: goal and threat model
A survey of private browsing in modern browsers
Usage measurement
Weaknesses in current implementations
Browser addons
Conclusions
27WEAKNESSES IN CURRENT IMPLEMENTATIONS
Manual code review
- Firefox keeps all the state related to the user’s browsing activity including preferences, history, cookies, text entered in forms fields, search queries, etc. in a Profile folder on disk
28WEAKNESSES IN CURRENT IMPLEMENTATIONS
Manual code review
1. nsIFile - A cross-platform representation of a location in the file system used to read or write to files
2. Storage - A SQLite database API that can be used by other Firefox components and extensions to manipulate SQLite database files
29WEAKNESSES IN CURRENT IMPLEMENTATIONS
Security certificate settings(stored in file cert8.db)
- Stores all security certificate settings and any SSL
30WEAKNESSES IN CURRENT IMPLEMENTATIONS
Site-specific preferences (stored in file permissions.sqlite)
- Stores many of Firefox permissions that are decided on a per-site basis.
31WEAKNESSES IN CURRENT IMPLEMENTATIONS
Download actions (stored in file mimeTypes.rdf)
- Stores the user’s preferences with respect to what Firefox does when it comes across known file types like pdf or avi.
32WEAKNESSES IN CURRENT IMPLEMENTATIONS
An automated private browsing test using unit tests
- All major browsers have a collection of unit tests for testing browser features before a release
- MozMill, a Fire fox user-interface test automation tool
33WEAKNESSES IN CURRENT IMPLEMENTATIONS
Use fs usage to output the name of the system call used to access the filesystem and the file descriptor being acted upon
Also use the “last modified time” for files in the profile directory to identity those files that are changed during the test.
34WEAKNESSES IN CURRENT IMPLEMENTATIONS
Search Plugins (stored in search.sqlite and search.json)
35 OUTLINE
Introduction
Private browsing: goal and threat model
A survey of private browsing in modern browsers
Usage measurement
Weaknesses in current implementations
Browser addons
Conclusions
36 BROWSER ADDONS
Browser addons (extensions and plug-ins) pose a privacy risk to private browsing because they can persist state to disk about a user’s behavior in private mode
37 BROWSER ADDONS
Internet Explorer
- Default set extensions disabled, but plugins are still functional.
Firefox
- Both are enable in private mode
Google Chrome
- Disables most extension functionality in private mode, but plugins are enabled
Safari
- Does not have a supported extension API
38 BROWSER ADDONS
URL whitelist/blocklist/queues
URL Mappings
Timestamp
39 BROWSER ADDONS
Manual check- Extensions that opt-in to running in private browsing mode
Disallow writes - Prevent extensions from changing any local state while in private browsing mode
Override option- Discard changes made by extensions to local state while in private browsing mode, unless the extension explicitly indicates that the write should persist beyond private browsing mode
40 BROWSER ADDONS
ExtensionBlocker in JavaScript
- Disable all extensions that are not safe for private mode.
41 OUTLINE
Introduction
Private browsing: goal and threat model
A survey of private browsing in modern browsers
Usage measurement
Weaknesses in current implementations
Browser addons
Conclusions
42 CONCLUSION
Manual review and automated testing tool pointed out several weaknesses in existing implementations
Performed the first measurement study of private browsing usage in different browsers and on different sites
Keeping browser extensions and plug-ins from undoing the goals of private browsing
