From 51f79405b1b49b286de6629f55af49f086e04d51 Mon Sep 17 00:00:00 2001
From: Tobias Eidelpes
Date: Mon, 10 Aug 2020 18:00:18 +0200
Subject: [PATCH] Add additional references

---
 methods.tex | 67 ++++++++++++++++++++++++++------------------
 references.bib | 41 +++++++++++++++++++++++++++---
 2 files changed, 72 insertions(+), 36 deletions(-)

diff --git a/methods.tex b/methods.tex
index f253288..8496c2d 100644
--- a/methods.tex
+++ b/methods.tex
@@ -89,26 +89,28 @@ web. \subsection{Hidden Form Fields} \label{subsec:hidden form fields} -The \gls{HTML} provides a specification for form elements, which allows users to -submit information (e.g., for authentication) to the server via POST or GET -methods. Normally, a user would input data into a form and on clicking -\emph{submit} the input would be sent to the server. Sometimes it is necessary -to include additional information that the user did not enter. For this reason -there exist \emph{hidden} web forms. Hidden web forms do not show on the web site -and therefore the user cannot enter any information. Similarly to \gls{URL} -parameters, the value parameter in a hidden field contains additional -information like the user's preferred language for example. Since almost -anything can be sent in a value parameter, hidden form fields present another -way to maintain a session. A parameter containing a unique identifier will be -sent with the data the user has submitted to the server. The server can then -match the action the user took with the identifier. In case the server already -knows that specific identifier from a previous interaction with the user, the -gained information can now be added to the user's browsing profile. An example -of a hidden web form is given in Listing~\ref{lst:hidden web form}, which has -been adapted from \cite{InputFormInput}. In Line 15 a hidden web field is -created and the \texttt{value} field is set by the server to contain a unique -user identifier. Once the \emph{submit} button has been clicked, the identifier -is sent to the server along with the data the user has filled in. +The \gls{HTML} provides a specification for form elements +\cite{whatwgFormsHTMLStandard2020}, which allows users to submit information +(e.g., for authentication) to the server via POST or GET methods. Normally, a +user would input data into a form and on clicking \emph{submit} the input would +be sent to the server. 
Sometimes it is necessary to include additional +information that the user did not enter. For this reason there exist +\emph{hidden} web forms \cite{whatwgHiddenStateHTML2020}. Hidden web forms do +not show on the web site and therefore the user cannot enter any information. +Similarly to \gls{URL} parameters, the value parameter in a hidden field +contains additional information like the user's preferred language for example. +Since almost anything can be sent in a value parameter, hidden form fields +present another way to maintain a session. A parameter containing a unique +identifier will be sent with the data the user has submitted to the server. The +server can then match the action the user took with the identifier. In case the +server already knows that specific identifier from a previous interaction with +the user, the gained information can now be added to the user's browsing +profile. An example of a hidden web form is given in Listing~\ref{lst:hidden web +form}, which has been adapted from \cite{InputFormInput}. In Line 15 a hidden +web field is created and the \texttt{value} field is set by the server to +contain a unique user identifier. Once the \emph{submit} button has been +clicked, the identifier is sent to the server along with the data the user has +filled in. \begin{listing} \inputminted[frame=lines,framesep=2mm,bgcolor=light-gray,baselinestretch=1.2,fontsize=\scriptsize,linenos]{html}{code/hidden-web-form.html} 
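Review bot: The new citation `\cite{whatwgHiddenStateHTML2020}` is attached to "there exist \emph{hidden} web forms", but the entry it points at is the input element's hidden *state* section, i.e. a hidden form field rather than a hidden form, and the subsection heading and the later "hidden web field" wording already use the field notion. Suggest `For this reason there exist \emph{hidden} form fields \cite{whatwgHiddenStateHTML2020}. Hidden fields do not show on the web site` so the prose and the reference describe the same thing. The opening `The \gls{HTML} provides a specification for form elements` reads awkwardly once the acronym is spelled out; `The \gls{HTML} standard specifies form elements` avoids that. Since the paragraph presents the field value as something "set by the server", it may also be worth one clause noting that, as I read the cited section, hidden only means the value is not exposed in the user interface — it is submitted like any other field and remains under the client's control, which is why a server cannot treat it as a trustworthy identifier. The paragraph lies entirely within the hunk.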
@@ -124,18 +126,19 @@ is sent to the server along with the data the user has filled in. Providers of web services often want to know where visitors to their web site come from to understand more about their users and their browsing habits. The \gls{HTTP} specification accounts for this by introducing the \emph{\gls{HTTP} -Referer field} [\emph{sic}] in the header. By checking the referrer, the server -can see where the request came from. In practice, a user clicks on a link on a -web page and the current web page is sent as a \gls{URL} in the \gls{HTTP} -Referer field. The header with the referrer information gets attached to the -\gls{HTTP} request which is sent to the server. The server responds with the -requested web page and can establish a link from the original web page to the -new web page. When applied to a majority of the requests on a site, the -resulting data can be analyzed for promotional and statistical purposes. -\citet{malandrinoPrivacyAwarenessInformation2013} have shown that the -\gls{HTTP} Referer is one of the most critical factors in leaking \gls{PII}, -because leakage of information relating to user's health has been identified as -the most severe in terms of identifiability of users on the web. +Referer field} [\emph{sic}] \cite{fieldingHTTPSemanticsContent2014} in the +header. By checking the referrer, the server can see where the request came +from. In practice, a user clicks on a link on a web page and the current web +page is sent as a \gls{URL} in the \gls{HTTP} Referer field. The header with the +referrer information gets attached to the \gls{HTTP} request which is sent to +the server. The server responds with the requested web page and can establish a +link from the original web page to the new web page. When applied to a majority +of the requests on a site, the resulting data can be analyzed for promotional +and statistical purposes. 
\citet{malandrinoPrivacyAwarenessInformation2013}
+have shown that the \gls{HTTP} Referer is one of the most critical factors in
+leaking \gls{PII}, because leakage of information relating to user's health has
+been identified as the most severe in terms of identifiability of users on the
+web.
 \subsection{Explicit Authentication} \label{subsec:explicit authentication}
diff --git a/references.bib b/references.bib
index a3eb5f1..e2f6b35 100644
--- a/references.bib
+++ b/references.bib
@@ -37,7 +37,8 @@
 url = {https://theblog.adobe.com/adobe-flash-update/},
 urldate = {2020-02-17},
 abstract = {Adobe has long played a leadership role in advancing interactivity and creative content \textendash{} from video, to games and more \textendash{} on the web. Where we've seen a need to pus...},
- journal = {Adobe Blog}
+ journal = {Adobe Blog},
+ note = {Accessed 2020-08-10}
 }
 
 @inproceedings{akkusNontrackingWebAnalytics2012,
@@ -103,10 +104,10 @@
 year = {2011},
 month = aug,
 url = {https://ashkansoltani.org/2011/08/11/respawn-redux-flash-cookies/},
- urldate = {2019-08-22},
+ urldate = {2020-08-10},
 abstract = {A detailed technical followup to Flash Cookies and Privacy II, describing the mechanisms behind Hulu/KISSmetrics' respawning practices I thought I'd take the time to elaborate a bit fur\ldots},
 journal = {Ashkan Soltani},
- note = {Accessed 2019-08-22}
+ note = {Accessed 2020-08-10}
 }
 
 @techreport{ayensonFlashCookiesPrivacy2011,
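Review bot: "The header with the referrer information gets attached to the \gls{HTTP} request" states the behaviour as unconditional, yet the RFC 7231 section the new `\cite{fieldingHTTPSemanticsContent2014}` points to is, as I recall it, also where the specification forbids sending Referer from a page received over a secure protocol in an unsecured request and requires the fragment to be stripped, so a reader following the citation will find caveats the text omits. Suggest `The header with the referrer information is normally attached to the \gls{HTTP} request` plus a short sentence saying that the cited section constrains when user agents may send it; that also strengthens the later \gls{PII} argument, since the leak is then shown to be a matter of user-agent policy rather than an inevitability. Minor: `user's health` in the last added lines should be `users' health`, as it refers to users in general. The paragraph begins at the top of the hunk and ends with the `+web.` line.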
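Review bot: `+ note = {Accessed 2020-08-10}` in the adobe entry duplicates the `urldate = {2020-02-17}` field two lines above it, and the two now disagree about the access date; with a biblatex style (the file already uses the biblatex-only `urldate` and `shorttitle` fields) the access date is printed from `urldate`, so the note either repeats it or contradicts it. The `@@ -103` hunk shows the cost of keeping both fields: two lines had to change to move one date. Suggest dropping the `note` line here and in the `@@ -103`, `@@ -469`, `@@ -1494` and `@@ -1545` hunks, and bumping `urldate` to `{2020-08-10}` wherever the page was actually re-checked; if the bibliography style in use does not print `urldate`, the opposite consolidation applies. Each affected entry starts and ends inside its hunk.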
@@ -469,6 +470,17 @@ Web cache timing attacks},
 series = {{{CCS}} '00}
 }
 
+@misc{fieldingHTTPSemanticsContent2014,
+ title = {{{HTTP}}: {{Semantics}} and {{Content}} - {{Referer}}},
+ shorttitle = {Hypertext {{Transfer Protocol}} ({{HTTP}}/1.1)},
+ author = {Fielding, Roy and Reschke, Julian},
+ year = {2014},
+ month = jun,
+ url = {https://tools.ietf.org/html/rfc7231\#section-5.5.2},
+ urldate = {2020-08-10},
+ note = {Accessed 2020-08-10}
+}
+
 @article{frankenExposingCookiePolicy2019,
 title = {Exposing {{Cookie Policy Flaws Through}} an {{Extensive Evaluation}} of {{Browsers}} and {{Their Extensions}}},
 author = {Franken, Gertjan and Van Goethem, Tom and Joosen, Wouter},
@@ -1494,6 +1506,26 @@ The goal of the DOM specification is to define a programmatic interface for XML
 note = {Accessed 2020-02-09}
 }
 
+@misc{whatwgFormsHTMLStandard2020,
+ title = {Forms - {{HTML Standard}}},
+ author = {WHATWG},
+ year = {2020},
+ month = aug,
+ url = {https://html.spec.whatwg.org/multipage/forms.html},
+ urldate = {2020-08-10},
+ note = {Accessed 2020-08-10}
+}
+
+@misc{whatwgHiddenStateHTML2020,
+ title = {Hidden {{State}} - {{HTML Standard}}},
+ author = {WHATWG},
+ year = {2020},
+ month = aug,
+ url = {https://html.spec.whatwg.org/multipage/input.html\#hidden-state-(type\%3Dhidden)},
+ urldate = {2020-08-10},
+ note = {Accessed 2020-08-10}
+}
+
 @misc{whatwgHTMLStandard2020,
 title = {{{HTML Standard}}},
 author = {WHATWG},
@@ -1545,7 +1577,8 @@ The goal of the DOM specification is to define a programmatic interface for XML
 url = {https://youtube-eng.googleblog.com/2015/01/youtube-now-defaults-to-html5_27.html},
 urldate = {2020-02-17},
 abstract = {Four years ago, we wrote about YouTube's early support for the HTML5 {$<$}video{$>$} tag and how it performed compared to Flash. At the time, there...},
- journal = {YouTube Engineering and Developers Blog}
+ journal = {YouTube Engineering and Developers Blog},
+ note = {Accessed 2020-08-10}
 }
 
 @inproceedings{yuTrackingTrackers2016,
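Review bot: The `title` of the new `fieldingHTTPSemanticsContent2014` entry, `{{HTTP}}: {{Semantics}} and {{Content}} - {{Referer}}`, looks like a browser-tab title with the cited section name appended, while the document's real title sits in `shorttitle`; as written, the rendered bibliography shows neither the RFC number nor the issuing body, and only the URL identifies the document. RFC 7231 is titled "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", so I would put that in `title`, drop `shorttitle`, and, since the file already relies on biblatex fields, use `@report` with `type = {RFC}`, `number = {7231}` and `institution = {IETF}`, keeping the section anchor in `url` so the reference still lands on the Referer definition. The whole entry is inside the hunk.

```bibtex
@report{fieldingHTTPSemanticsContent2014,
  title = {Hypertext Transfer Protocol ({HTTP}/1.1): Semantics and Content},
  type = {RFC},
  number = {7231},
  institution = {IETF},
  % … unchanged: author, year, month, url, urldate, note …
}
```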
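Review bot: The two new WHATWG entries give `year = {2020}` and `month = aug`, which is simply the access date restated as a publication date: the HTML Standard is a living document without dated editions, so the entries do not say which revision the cited Forms and Hidden State sections were read from, and the text they support may change under the citation. Suggest either dropping `year`/`month` and letting `urldate` carry the date, or, better, pointing `url` at the dated commit snapshot the spec site publishes for the revision consulted, with the section anchor kept. The existing `whatwgHTMLStandard2020` entry in the hunk's trailing context has the same shape but is outside the change. With three WHATWG/2020 entries an author-year style will disambiguate them with a/b/c suffixes, which is harmless but worth checking in the rendered bibliography.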