zenon/bachelorarbeit
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use current template provided by the institute

Browse Source
This commit is contained in:
Tobias Eidelpes 2020-04-20 14:42:18 +02:00
parent 3eb33ae783
commit 634d48f0a6
24 changed files with 3007 additions and 906 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
Makefile Normal file
View File

@ -0,0 +1,63 @@
BASENAME=thesis
DISTNAME=thesis_latex
DISTFOLDER?=$(shell pwd)
CLASS=vutinfth
VIEWER=zathura
.PHONY: default all
default: clean compile
all: clean compile doc
doc:
pdflatex -shell-escape ${CLASS}.dtx
pdflatex -shell-escape ${CLASS}.dtx
makeindex -s gglo.ist -o ${CLASS}.gls ${CLASS}.glo
makeindex -s gind.ist -o ${CLASS}.ind ${CLASS}.idx
pdflatex -shell-escape ${CLASS}.dtx
pdflatex -shell-escape ${CLASS}.dtx
document-class: ${CLASS}.cls
${CLASS}.cls:
pdflatex ${CLASS}.ins
compile: document-class
pdflatex -shell-escape $(BASENAME)
# makeglossaries $(BASENAME)
pdflatex -shell-escape $(BASENAME)
# makeglossaries $(BASENAME)
bibtex $(BASENAME)
pdflatex -shell-escape $(BASENAME)
pdflatex -shell-escape $(BASENAME)
view:
$(VIEWER) $(VIEWER_OPTIONS) $(BASENAME).pdf
zip: clean compile doc
zip -9 -r --exclude=*.git* $(BASENAME).zip \
build-all.bat \
build-all.sh \
build-thesis.bat \
build-thesis.sh \
graphics \
intro.bib \
intro.tex \
lppl.txt \
Makefile \
README.txt \
README-vutinfth.txt \
thesis.tex \
thesis.pdf \
vutinfth.dtx \
vutinfth.ins
dist: zip
cp $(BASENAME).zip $(DISTFOLDER)/$(DISTNAME).zip
.PHONY: clean
clean:
find . -type f -not \( -name "${BASENAME}.tex" -o -name "*.backup" \) -name "${BASENAME}*" -delete -print
rm -f vutinfth.cls vutinfth.pdf
rm -f vutinfth.hd vutinfth.ind
find . -type f -name '*.aux' -delete -print
find . -type f -name '*.log' -delete -print
rm -f vutinfth.glo vutinfth.gls vutinfth.idx vutinfth.ilg vutinfth.out vutinfth.toc

158
abbrev/acronym.tex.aux
View File

@ -1,158 +0,0 @@
\relax
\providecommand\hyper@newdestlabel[2]{}
\@setckpt{abbrev/acronym.tex}{
\setcounter{page}{1}
\setcounter{equation}{0}
\setcounter{enumi}{0}
\setcounter{enumii}{0}
\setcounter{enumiii}{0}
\setcounter{enumiv}{0}
\setcounter{footnote}{0}
\setcounter{mpfootnote}{0}
\setcounter{part}{0}
\setcounter{chapter}{0}
\setcounter{section}{0}
\setcounter{subsection}{0}
\setcounter{subsubsection}{0}
\setcounter{paragraph}{0}
\setcounter{subparagraph}{0}
\setcounter{figure}{0}
\setcounter{table}{0}
\setcounter{parentequation}{0}
\setcounter{su@anzahl}{0}
\setcounter{LT@tables}{0}
\setcounter{LT@chunks}{0}
\setcounter{Item}{0}
\setcounter{Hfootnote}{0}
\setcounter{bookmark@seq@number}{0}
\setcounter{FancyVerbLine}{0}
\setcounter{linenumber}{1}
\setcounter{LN@truepage}{0}
\setcounter{FV@TrueTabGroupLevel}{0}
\setcounter{FV@TrueTabCounter}{0}
\setcounter{FV@HighlightLinesStart}{0}
\setcounter{FV@HighlightLinesStop}{0}
\setcounter{FancyVerbLineBreakLast}{0}
\setcounter{float@type}{16}
\setcounter{minted@FancyVerbLineTemp}{0}
\setcounter{minted@pygmentizecounter}{0}
\setcounter{listing}{0}
\setcounter{lstnumber}{1}
\setcounter{tabx@nest}{0}
\setcounter{listtotal}{0}
\setcounter{listcount}{0}
\setcounter{liststart}{0}
\setcounter{liststop}{0}
\setcounter{citecount}{0}
\setcounter{citetotal}{0}
\setcounter{multicitecount}{0}
\setcounter{multicitetotal}{0}
\setcounter{instcount}{0}
\setcounter{maxnames}{3}
\setcounter{minnames}{3}
\setcounter{maxitems}{3}
\setcounter{minitems}{1}
\setcounter{citecounter}{0}
\setcounter{maxcitecounter}{0}
\setcounter{savedcitecounter}{0}
\setcounter{uniquelist}{0}
\setcounter{uniquename}{0}
\setcounter{refsection}{0}
\setcounter{refsegment}{0}
\setcounter{maxextratitle}{0}
\setcounter{maxextratitleyear}{0}
\setcounter{maxextraname}{2}
\setcounter{maxextradate}{0}
\setcounter{maxextraalpha}{0}
\setcounter{abbrvpenalty}{50}
\setcounter{highnamepenalty}{50}
\setcounter{lownamepenalty}{25}
\setcounter{maxparens}{3}
\setcounter{parenlevel}{0}
\setcounter{mincomprange}{10}
\setcounter{maxcomprange}{100000}
\setcounter{mincompwidth}{1}
\setcounter{afterword}{0}
\setcounter{savedafterword}{0}
\setcounter{annotator}{0}
\setcounter{savedannotator}{0}
\setcounter{author}{0}
\setcounter{savedauthor}{0}
\setcounter{bookauthor}{0}
\setcounter{savedbookauthor}{0}
\setcounter{commentator}{0}
\setcounter{savedcommentator}{0}
\setcounter{editor}{0}
\setcounter{savededitor}{0}
\setcounter{editora}{0}
\setcounter{savededitora}{0}
\setcounter{editorb}{0}
\setcounter{savededitorb}{0}
\setcounter{editorc}{0}
\setcounter{savededitorc}{0}
\setcounter{foreword}{0}
\setcounter{savedforeword}{0}
\setcounter{holder}{0}
\setcounter{savedholder}{0}
\setcounter{introduction}{0}
\setcounter{savedintroduction}{0}
\setcounter{namea}{0}
\setcounter{savednamea}{0}
\setcounter{nameb}{0}
\setcounter{savednameb}{0}
\setcounter{namec}{0}
\setcounter{savednamec}{0}
\setcounter{translator}{0}
\setcounter{savedtranslator}{0}
\setcounter{shortauthor}{0}
\setcounter{savedshortauthor}{0}
\setcounter{shorteditor}{0}
\setcounter{savedshorteditor}{0}
\setcounter{labelname}{0}
\setcounter{savedlabelname}{0}
\setcounter{institution}{0}
\setcounter{savedinstitution}{0}
\setcounter{lista}{0}
\setcounter{savedlista}{0}
\setcounter{listb}{0}
\setcounter{savedlistb}{0}
\setcounter{listc}{0}
\setcounter{savedlistc}{0}
\setcounter{listd}{0}
\setcounter{savedlistd}{0}
\setcounter{liste}{0}
\setcounter{savedliste}{0}
\setcounter{listf}{0}
\setcounter{savedlistf}{0}
\setcounter{location}{0}
\setcounter{savedlocation}{0}
\setcounter{organization}{0}
\setcounter{savedorganization}{0}
\setcounter{origlocation}{0}
\setcounter{savedoriglocation}{0}
\setcounter{origpublisher}{0}
\setcounter{savedorigpublisher}{0}
\setcounter{publisher}{0}
\setcounter{savedpublisher}{0}
\setcounter{language}{0}
\setcounter{savedlanguage}{0}
\setcounter{origlanguage}{0}
\setcounter{savedoriglanguage}{0}
\setcounter{pageref}{0}
\setcounter{savedpageref}{0}
\setcounter{textcitecount}{0}
\setcounter{textcitetotal}{0}
\setcounter{textcitemaxnames}{0}
\setcounter{biburlbigbreakpenalty}{100}
\setcounter{biburlbreakpenalty}{200}
\setcounter{biburlnumpenalty}{0}
\setcounter{biburlucpenalty}{0}
\setcounter{biburllcpenalty}{0}
\setcounter{smartand}{1}
\setcounter{bbx:relatedcount}{0}
\setcounter{bbx:relatedtotal}{0}
\setcounter{cbx@tempcnta}{0}
\setcounter{cbx@tempcntb}{0}
\setcounter{section@level}{0}
\setcounter{lstlisting}{0}
}

0
abbrev/acronym.tex → acronym.tex
View File

31
build-all.sh Executable file
View File

@ -0,0 +1,31 @@
#!/bin/sh
# Copyright (C) 2014-2020 by Thomas Auzinger <thomas@auzinger.name>
CLASS=vutinfth
SOURCE=thesis
# Build vutinfth documentation
pdflatex -shell-escape $CLASS.dtx
pdflatex -shell-escape $CLASS.dtx
makeindex -s gglo.ist -o $CLASS.gls $CLASS.glo
makeindex -s gind.ist -o $CLASS.ind $CLASS.idx
pdflatex -shell-escape $CLASS.dtx
pdflatex -shell-escape $CLASS.dtx
# Build the vutinfth class file
pdflatex -shell-escape $CLASS.ins
# Build the vutinfth example document
pdflatex -shell-escape $SOURCE
bibtex $SOURCE
pdflatex -shell-escape $SOURCE
pdflatex -shell-escape $SOURCE
makeindex -t $SOURCE.glg -s $SOURCE.ist -o $SOURCE.gls $SOURCE.glo
makeindex -t $SOURCE.alg -s $SOURCE.ist -o $SOURCE.acr $SOURCE.acn
makeindex -t $SOURCE.ilg -o $SOURCE.ind $SOURCE.idx
pdflatex -shell-escape $SOURCE
pdflatex -shell-escape $SOURCE
echo
echo
echo Class file and example document compiled.

20
build-thesis.sh Executable file
View File

@ -0,0 +1,20 @@
#!/bin/sh
# Copyright (C) 2014-2020 by Thomas Auzinger <thomas@auzinger.name>
# Replace the 'x' in the next line with the name of the thesis' main LaTeX document without the '.tex' extension
SOURCE=thesis
# Build the thesis document
pdflatex -shell-escape $SOURCE
bibtex $SOURCE
pdflatex -shell-escape $SOURCE
pdflatex -shell-escape $SOURCE
makeindex -t $SOURCE.glg -s $SOURCE.ist -o $SOURCE.gls $SOURCE.glo
makeindex -t $SOURCE.alg -s $SOURCE.ist -o $SOURCE.acr $SOURCE.acn
makeindex -t $SOURCE.ilg -o $SOURCE.ind $SOURCE.idx
pdflatex -shell-escape $SOURCE
pdflatex -shell-escape $SOURCE
echo
echo
echo Thesis document compiled.

35
chapters/abstract-de.tex
View File

@ -1,35 +0,0 @@
\documentclass[../main.tex]{subfiles}
\begin{document}
\chapter*{Kurzfassung}
\emph{Über diese Vorlage:}
Dieses Template dient als Vorlage für die Erstellung einer wissenschaftlichen
Arbeit am INSO. Individuelle Erweiterungen, Strukturanpassungen und
Layout-Veränderungen können und sollen selbstverständlich nach persönlichem
Ermessen und in Rücksprache mit Ihrem Betreuer vorgenommen werden.
\emph{Aufbau}:
In der Kurzfassung werden auf einer 3/4 bis maximal einer Seite die Kernaussagen
der Diplomarbeit zusammengefasst. Dabei sollte zunächst die Motivation/der
Kontext der vorliegenden Arbeit dargestellt werden, und dann kurz die
Frage-/Problemstellung erläutert werden, max. 1 Absatz! Im nächsten Absatz auf
die Methode/Verfahrensweise/das konkrete Fallbeispiel eingehen, mit deren Hilfe
die Ergebnisse erzielt wurden. Im Zentrum der Kurzfassung stehen die zentralen
eigenen Ergebnisse der Arbeit, die den Wert der vorliegenden wissenschaftlichen
Arbeit ausmachen. Hier auch, wenn vorhanden, eigene Publikationen erwähnen.
\emph{Wichtig: Verständlichkeit!}
Die Kurzfassung soll für Leser verständlich sein, denen das Gebiet der
Arbeit fremd ist. Deshalb Abkürzungen immer zuerst ausschreiben, in Klammer
dazu die Erklärung: z.B: \enquote{Im Rahmen der vorliegenden Arbeit werden
Non Governmental-Organisationen (NGOs) behandelt, \ldots}. In \LaTeX wird
diese bereits automatisch durch verwenden des Befehls \verb|\ac| erreicht.
Für Details siehe Paket \texttt{glossaries}.
\bigskip
\section*{Schlüsselwörter}
\end{document}

29
chapters/abstract-en.tex
View File

@ -1,29 +0,0 @@
\documentclass[../main.tex]{subfiles}
\begin{document}
\chapter*{Abstract}
\emph{About this template}:
This template helps writing a scientific document at INSO. Users of this
template are welcome to make individual modifications, extensions, and changes
to layout and typography in accordance with their advisor.
\emph{Writing an abstract}: The abstract summarizes the most important
information within less than one page. Within the first paragraph, present the
motivation and context for your work, followed by the specific aims. In the next
paragraph, describe your methodology / approach, and / or the specific case you
are working on. The third paragraph describes the results and the contribution
of your work.
\emph{Comprehensibility}: People with different backgrounds who are novel to
your area of work should be able to understand the abstract. Therefore, acronyms
should only be used after their full definition has given. E.g., ``This work
relates to non-governmental organizations (NGOs), \ldots''.
\bigskip
\section*{Keywords}
%Keyword, important, SubjectOfMyPaper, FieldOfWork.
\end{document}

7
chapters/conclusion.tex
View File

@ -1,7 +0,0 @@
\documentclass[../main.tex]{subfiles}
\begin{document}
\chapter{Conclusion}
\end{document}

8
chapters/defences.tex
View File

@ -1,8 +0,0 @@
\documentclass[../main.tex]{subfiles}
\begin{document}
\chapter{Defences against Tracking}
\label{chap:defences against tracking}
\end{document}

7
chapters/developments.tex
View File

@ -1,7 +0,0 @@
\documentclass[../main.tex]{subfiles}
\begin{document}
\chapter{Future Tracking Ecosystem Developments}
\end{document}

29
chapters/erklaerung.tex
View File

@ -1,29 +0,0 @@
\documentclass[../main.tex]{subfiles}
\begin{document}
\chapter*{Erklärung zur Verfassung der Arbeit}
\textsf{Tobias Eidelpes} \\
Hiermit erkläre ich, dass ich diese Arbeit selbständig verfasst habe, dass ich
die verwendeten Quellen und Hilfsmittel vollständig angegeben habe und dass
ich die Stellen der Arbeit---einschließlich Tabellen, Karten und Abbildungen---,
die anderen Werken oder dem Internet im Wortlaut oder dem Sinn nach entnommen
sind, auf jeden Fall unter Angabe der Quelle als Entlehnung kenntlich gemacht habe.
\vspace{2cm}
\bigskip
\begin{minipage}{0.55\textwidth}
\textsf{Wien, 31. März 2020} \\
\end{minipage}
\begin{minipage}{0.45\textwidth}
\begin{tabular}{c}
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ \\
\textsf{Tobias Eidelpes}
\end{tabular}
\end{minipage}
\end{document}

7
chapters/implications.tex
View File

@ -1,7 +0,0 @@
\documentclass[../main.tex]{subfiles}
\begin{document}
\chapter{Implications of Tracking}
\end{document}

16
chapters/introduction.tex
View File

@ -1,16 +0,0 @@
\documentclass[../main.tex]{subfiles}
\begin{document}
\chapter{Introduction}
\section{Terms and Scope}
\label{sec:Terms and Scope}
\section{Background and Related Work}
\label{sec:Background and Related Work}
\section{Structure of the Thesis}
\label{sec:Structure of the Thesis}
\end{document}

BIN
chapters/titlepage.pdf
View File

Binary file not shown.

1
cookie-syncing.drawio Normal file
View File

@ -0,0 +1 @@
<mxfile host="www.draw.io" modified="2020-02-21T15:49:32.124Z" agent="Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0" etag="B-xuoaF9nph0aC_kFL44" version="12.7.3" type="device"><diagram name="Page-1" id="822b0af5-4adb-64df-f703-e8dfc1f81529">7Vxbc6M2FP41flwPkrg+xpdst7Od7mza2Zm+ZGSQsRqMKODEu7++EjeDAOMkBjyxySSxJXFkzjnfuYInaL7dfw5xsPmDOcSbQMXZT9BiAiFUgcb/iZGf6YgFjHTADamTDoHDwAP9RbJBJRvdUYdElYUxY15Mg+qgzXyf2HFlDIche6kuWzOvumuAXVIbeLCxVx/9QZ14k40CRTlM/Eaou8m2NrVsYoXtJzdkOz/bbwLROjnS6S3OaWXrow122EtpCC0naB4yFqevtvs58QRvc7al5923zBafOyR+fMoJDzNtMQf3GnK/LlXlX/Y3/vOfTxmVZ+ztSH4ZyYeNf+YMChj1YxIun/k+gtdggmbFtSj8jYOjDXGyN5t46+WL4pA9kTnzWMhHfOZzgrM19bx8iHNMU8QPH/fwinjfWERjynw+ZxOxKZ94JmFMubi+SgtWLI7ZtrTgzqOumIhZwEfZLvaoz3fPtUZsgrMlBXF+HYG4zO3eFdo9Zes1tcl0F5EwSv7yNRmH+C5k38p6UAiUA4WwLYnDn3xJjhIrw0SGEZSpxMtB4VQ9HdqUVC3XNJypuFsQPoiZv8gk/Qqpq91SJ75zJ9AluOXhKKJ2Vbhr5scZmAEsuEScGtg6eVRiQn7BTUwIiYdj+lwl38SZbIdvQm0PIkC6UhGBLvE2YrvQJtlJZRRJdHTzOJ0Yhy6Ja3QSMRUX/XbJaQ2S0z3OqtmKv3DFCzDNh/gOxSg/6fPyr4mwEffUd8h+mghTFjvX8bgq6BpmZLxtqeOI02chiegvvEpICbQlhiNhizabaAtBaxdzAKdK06pD70KaqmtVpBk1pAHQoGWwL6jp3VDDUZCaqDXdCzs6O6/FPbdl7TSi28jGZJrMBiGNyPSFrDhx8ugSn4SJIZG8gLEQP/1ohG5JGqHXNKLJ7KhqTwphtCJYXHxFM/T/diyf+JTi5o4vsIL9YS7Hd8ZjMLW56A74T2nmJuCDgd2AVdGCOtiNIbFudmOdbpNwtMzzBJ+zIpgswSILJ9EsO2tBty7/YB7lVv3e9mjwiEMu3XufxC8sfKK+mJ17bOc8PpCQs/YRQHPPf6cBn+pFBKbkVs16ZGM2iMDsSwTWeJEN3ySJIbqdQRojdCnSWJGScaZIyYRVOsawkRJoSm1Su+jQ54NNlKIn2BY9eQw7/N/v+Bk/2CEN4tK6CsFLMrIhi3Hm1aFyJqOrwap61P3psBEWgBeN+VGxrElYljPKU7EsZ0+y/e4by6gVywVEURtw54w90Sx0Ein9l4XIggQRBUCkXixgtfPgVUNV0QEF1AHbpIL9Abap/HCGEDip11xJ6AtbgF0SKhpUpk2FiVueO2KeC/L3YyW64ITSx622/H5LINWWgTVycRn0VOG4LvMOKkKFoO60h7XvJ9Q2PnrLAAJzmmc7r24bGNbUKh1mJ+W+Q+qmSokUUqu3TkLZro6d6OaEeyodw+sqHatV6Roj145he4p7rFyldZSrVpjHKIXbXIUyoWsrXskmHdaDZGtQsY/Yij+heJWndZ0V65SPo5WsVfWYd0XWVFFAccC3uXBTO+rCDe7CASwONKg3hyek3x+99cTFXMPyoL0n2JTwnsE/24Kta48z5po8tKVKdUtQz2uH9dA95bUuY6531aKFeh25+qCiHTG7PcELj+tcdVCVFkKSGN7aRIKqRKhvJ3lCyqu/oYt0N5svLgujPXSRoFSQ0usFqWG7SKgpG5aEcOs4DHpnnTbyrXXodjf7KHeza3VbMGjHAcF+IrNr7jggA9aEOmjHATUVxAaKyS6l44AMa6rrSnFIBM/TfOjYpOegDDUVwKSgzLj1IcrWduxHGlD7Qyjn6EOga0qF5T4EQmZNuoNWOVB7EetYH8J89W2zt16EJhl7c+wGI2qqcF1OGSQPPzqbEWjc++ePNiNURem/GaEia8RmBLo9ByPEXAPzoM0IVC92yX2EC7GvVj9FZbXhIetBPal6QoFqTGs6qpGUi8qq9cbcRk6Z1IHzF7X9MaMiDLLagqPvy8WX78u5SGLKXaByOoPus2qz0ACRLOl4m9QKk7/BbuXRaCPAuaiGzxcC7p7K0UWslEs9x1a5BAUHRXtTDerKnJ42ttNT22+iurVo3+VNtQZvOmiLVm2qEw3mTTtTjhT+o9UN5dhHFsOp3tRQjqYVhjUFxliVQvWU7z5RXlMq/GC+9WwVx7yPlou94aF+dKZeAH97+AasVFMOXzOGlv8D</diagram></mxfile>

BIN
graphics/Logo-schwarz.pdf Normal file
View File

Binary file not shown.

BIN
graphics/Logo_INSO_Infor_TU.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
graphics/TU_INF_Logo_partial.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

135
main.tex
View File

@ -1,135 +0,0 @@
\documentclass[a4paper,12pt,oneside]{scrreport}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[scaled]{helvet}
\usepackage{times}
\usepackage{subfiles}
\usepackage[english]{babel}
\usepackage[includeheadfoot,left=3.4cm,right=2.4cm,bottom=1.5cm,top=1.7cm]{geometry}
\usepackage{graphicx}
\usepackage{microtype}
\usepackage{setspace}
\usepackage{fancyhdr}
\usepackage[hidelinks]{hyperref}
\usepackage{xcolor}
\usepackage{minted}
\usepackage{listings}
\usepackage{csquotes}
\usepackage{xr}
\usepackage[acronym]{glossaries}
\usepackage{lastpage}
\usepackage{pdfpages}
\glsenablehyper
\setlength{\marginparwidth}{2cm}
\setlength{\parindent}{0pt}
\setlength{\parskip}{0.5em}
\usepackage{todonotes}
\fancypagestyle{frontmatter}{%
\fancyhead{}
\fancyfoot{}
\fancyfoot[C]{\thepage}
\renewcommand{\headrulewidth}{0pt}
\renewcommand{\footrulewidth}{0pt}
}
\definecolor{light-gray}{gray}{0.95}
\RedeclareSectionCommand[beforeskip=0.5cm,afterskip=1.5cm]{chapter}
\addtokomafont{chapter}{\normalfont\sffamily\huge}
\addtokomafont{section}{\normalfont\sffamily\Large}
\addtokomafont{subsection}{\normalfont\sffamily\large}
\usepackage[backend=biber,style=ieee,urldate=iso,date=iso,seconds=true]{biblatex}
\addbibresource{bibliography/references.bib}
\hypersetup{
linkcolor=black,
urlcolor=black,
citecolor=black,
breaklinks=true,
colorlinks=true,
frenchlinks=true,
linktoc = all,
pdftitle = {Stateful Web Tracking: Techniques and Countermeasures},
pdfauthor = {Tobias Eidelpes}
}
\pagestyle{fancy}
\renewcommand{\chaptermark}[1]{\markboth{\chaptername\ \thechapter.\ #1}{}}
\renewcommand{\sectionmark}[1]{\markright{\arabic{chapter}.\arabic{section}.\ #1}}
\renewcommand {\headrulewidth}{0.4pt} % unterdruecken der Linie
\renewcommand {\footrulewidth}{0.4pt} % unterdruecken der Linie
\fancyhead{}
\fancyhead[L]{\leftmark}
\fancyhead[R]{\rightmark}
\fancyfoot{}
\fancyfoot[L]{Stateful Web Tracking: Techniques and Countermeasures}
\fancyfoot[R]{\thepage \ / \pageref{LastPage}}
\fancypagestyle{plain}{}
\graphicspath{{figures/}{../figures/}}
\setstretch{1.1}
\makeglossaries
\begin{document}
\input{abbrev/acronym.tex}
\includepdf[pages=-]{chapters/titlepage.pdf}
\newpage
\pagenumbering{roman}
\subfile{chapters/erklaerung.tex}
\thispagestyle{frontmatter}
\subfile{chapters/abstract-de}
\thispagestyle{frontmatter}
\subfile{chapters/abstract-en}
\thispagestyle{frontmatter}
\tableofcontents
\thispagestyle{frontmatter}
\listoffigures
\thispagestyle{frontmatter}
\listoflistings
\thispagestyle{frontmatter}
\printglossary
\printglossary[type=\acronymtype]
\thispagestyle{frontmatter}
\subfile{chapters/introduction}
\pagenumbering{arabic}
\subfile{chapters/methods}
\subfile{chapters/defences}
\subfile{chapters/implications}
\subfile{chapters/developments}
\subfile{chapters/conclusion}
\printbibliography
\end{document}

363
chapters/methods.tex → methods.tex
View File

@ -1,8 +1,3 @@
\documentclass[../main.tex]{subfiles}
\externaldocument{defences}
\begin{document}
\chapter{Tracking Methods}
\label{chap:tracking methods}
@ -81,15 +76,15 @@ with the same unique identifier leaves a trail behind that can be used to
compile a browsing history. Sharing information with other parties is not only
limited to unique identifiers. \gls{URL} parameters can also be used to pass the
referrer of a web page containing a query that has been submitted by the user.
\citeauthor{falahrastegarTrackingPersonalIdentifiers2016} demonstrate such an
\citet{falahrastegarTrackingPersonalIdentifiers2016} demonstrate such an
example where an advertisement tracker logs a user's browsing history by storing
the referrer into a \texttt{(key,value)} pair
\cite[p.~37]{falahrastegarTrackingPersonalIdentifiers2016}. Other possibilities
include encoding geographical data, network properties, user information (e.g.,
e-mails) and authentication credentials.
\citeauthor{westMeasuringPrivacyDisclosures2014} conducted a survey concerning
\citet{westMeasuringPrivacyDisclosures2014} conducted a survey concerning
the use of \gls{URL} Query Strings and found it to be in widespread use on the
web \cite{westMeasuringPrivacyDisclosures2014}.
web.
\subsection{Hidden Form Fields}
\label{subsec:hidden form fields}
@ -137,18 +132,17 @@ Referer field. The header with the referrer information gets attached to the
requested web page and can establish a link from the original web page to the
new web page. When applied to a majority of the requests on a site, the
resulting data can be analyzed for promotional and statistical purposes.
\citeauthor{malandrinoPrivacyAwarenessInformation2013} have shown that the
\gls{HTTP} Referer is one of the most critical factors in leaking \gls{PII}
\cite{malandrinoPrivacyAwarenessInformation2013}, because leakage of information
relating to user's health has been identified as the most severe in terms of
identifiability of users on the web.
\citet{malandrinoPrivacyAwarenessInformation2013} have shown that the
\gls{HTTP} Referer is one of the most critical factors in leaking \gls{PII},
because leakage of information relating to user's health has been identified as
the most severe in terms of identifiability of users on the web.
\subsection{Explicit Authentication}
\label{subsec:explicit authentication}
Explicit authentication requires a user to \emph{explicitly} log in or register
to the web site. This way, specific resources are only available to the user when
he or she has authenticated themselves to the service. Actions taken on an
to the web site. This way, specific resources are only available to the user
when he or she has authenticated themselves to the service. Actions taken on an
authenticated user account are tied to that account and crafting a personal
profile is more or less a built-in function in this case. Since merely asking a
user to authenticate is a simple method, the extent to which it can be used is
@ -159,27 +153,25 @@ always requiring a logged in state can be a tiring task for users, because they
have to be authenticated every time they visit a particular service. This can
potentially pose a usability problem where users simply stop using the service
or go to considerable lengths to avoid logging in. This largely depends on a
cost-benefit analysis the users subconsciously undertake \cite{}. The third
factor where this method is lacking, concerns the awareness of the user being
tracked. Since tracking users depends on them actively logging in to the
service, tracking them transparently is impossible. Even though most tracking
efforts are not detected by the average user \cite{}, it is known that actions
taken on an account are logged to provide better service through service
optimization and profile personalization.
cost-benefit analysis the users subconsciously undertake. The third factor
where this method is lacking, concerns the awareness of the user being tracked.
Since tracking users depends on them actively logging in to the service,
tracking them transparently is impossible. Even though most tracking efforts
are not detected by the average user, it is known that actions taken on an
account are logged to provide better service through service optimization and
profile personalization.
Making an account on a web site to use their services to their full extent, can
be beneficial in some cases. Facebook for example, allows their users to
configure what they want to share with the public and their friends. Research
has shown however, that managing which posts get shown to whom is not as
straightforward as one might think.
\citeauthor{liuAnalyzingFacebookPrivacy2011}
\cite{liuAnalyzingFacebookPrivacy2011} conducted a survey where they asked
Facebook users about their desired privacy and visibility settings and
cross-checked them with the actual settings they have used for their posts. The
results showed that in only 37\% of cases the users' expectations match the
reality. Additionally, 36\% of content is left on the default privacy settings
which set the visibility of posts to public, meaning that any Facebook user can
view them.
straightforward as one might think. \citet{liuAnalyzingFacebookPrivacy2011}
conducted a survey where they asked Facebook users about their desired privacy
and visibility settings and cross-checked them with the actual settings they
have used for their posts. The results showed that in only 37\% of cases the
users' expectations match the reality. Additionally, 36\% of content is left on
the default privacy settings which set the visibility of posts to public,
meaning that any Facebook user can view them.
\subsection{window.name DOM Property}
\label{subsec:window.name dom property}
@ -296,27 +288,26 @@ policy applies to cookies, disallowing access by other domains.
Distinguishing tracking and non-tracking cookies can be done with high accuracy
by observing their expiration time and the length of the value field.
\citeauthor{liTrackAdvisorTakingBack2015} \cite{liTrackAdvisorTakingBack2015}
demonstrate a supervised learning approach to detecting tracking cookies with
their tool \emph{TrackAdvisor}. They found that tracking cookies generally have
a longer expiration time than non-tracking cookies and they need to have a
sufficiently long value field carrying the unique identifier. Using this method,
they found that only 10\% of tracking cookies have a lifetime of a single day or
less while 80\% of non-tracking cookies expire before a day is over.
Additionally, a length of more than 35 characters in the value field applies to
80\% of tracking cookies and a value field of less than 35 characters applies to
80\% of non-tracking cookies. \emph{Cookie Chunking}, where a cookie of larger
length is split into multiple cookies with smaller length, did not appear to
affect detection by their method negatively. They also present a site
measurement of the Alexa Top 10,000 web sites, finding that 46\% of web sites use
third party tracking. More recent research
\cite{gonzalezCookieRecipeUntangling2017} has shown that tracking cookies do not
have to be long lasting to accumulate data about users. Some cookies---like the
\texttt{\_\_utma} cookie from Google Analytics for example---save a timestamp of
the current visit with the unique identifier, thereby allowing to use cookies
which last a short time but can be afterwards used in series to complete the
whole picture. \citeauthor{gonzalezCookieRecipeUntangling2017}
\cite{gonzalezCookieRecipeUntangling2017} have also found 20\% of observed
\citet{liTrackAdvisorTakingBack2015} demonstrate a supervised learning approach
to detecting tracking cookies with their tool \emph{TrackAdvisor}. They found
that tracking cookies generally have a longer expiration time than non-tracking
cookies and they need to have a sufficiently long value field carrying the
unique identifier. Using this method, they found that only 10\% of tracking
cookies have a lifetime of a single day or less while 80\% of non-tracking
cookies expire before a day is over. Additionally, a length of more than 35
characters in the value field applies to 80\% of tracking cookies and a value
field of less than 35 characters applies to 80\% of non-tracking cookies.
\emph{Cookie Chunking}, where a cookie of larger length is split into multiple
cookies with smaller length, did not appear to affect detection by their method
negatively. They also present a site measurement of the Alexa Top 10,000 web
sites, finding that 46\% of web sites use third party tracking. More recent
research \cite{gonzalezCookieRecipeUntangling2017} has shown that tracking
cookies do not have to be long lasting to accumulate data about users. Some
cookies---like the \texttt{\_\_utma} cookie from Google Analytics for
example---save a timestamp of the current visit with the unique identifier,
thereby allowing to use cookies which last a short time but can be afterwards
used in series to complete the whole picture.
\citet{gonzalezCookieRecipeUntangling2017} have also found 20\% of observed
cookies to be \gls{URL} or base64 encoded, making decoding of cookies a
necessary step for analysis. Furthermore---and contrary to previous work---,
cookie values are found in much more varieties than is assumed by approaches
@ -350,34 +341,33 @@ the Flash Player runtime to get rid of them. Trackers were searching for a new
way to store identifiers because users became increasingly aware of the dangers
posed by \gls{HTTP} cookies and reacted by taking countermeasures.
\citeauthor{soltaniFlashCookiesPrivacy2009}
\cite{soltaniFlashCookiesPrivacy2009} were the first to report on the usage of
\citet{soltaniFlashCookiesPrivacy2009} were the first to report on the usage of
Flash cookies by advertisers and popular web sites. While surveying the top 100
web sites at the time, they found that 54\% of them used Flash cookies. Some
web sites were setting Flash cookies as well as \gls{HTTP} cookies with the same
values, suggesting that Flash cookies serve as backup to \gls{HTTP} cookies.
Several web sites were found using Flash cookies to respawn already deleted
\gls{HTTP} cookies, even across domains. \citeauthor{acarWebNeverForgets2014}
\cite{acarWebNeverForgets2014} automated detecting Flash cookies and access to
web sites were setting Flash cookies as well as \gls{HTTP} cookies with the
same values, suggesting that Flash cookies serve as backup to \gls{HTTP}
cookies. Several web sites were found using Flash cookies to respawn already
deleted \gls{HTTP} cookies, even across domains.
\citet{acarWebNeverForgets2014} automated detecting Flash cookies and access to
them by monitoring file access with the GNU/Linux \emph{strace} tool
\cite{michaelStraceLinuxManual2020}. This allowed them to acquire data about
Flash cookies respawning \gls{HTTP} cookies. Their results show that six of the
top 100 sites use Flash cookies for respawning.
Even though Flash usage has declined during the last few years thanks to the
development of the HTML5 standard, \citeauthor{buhovFLASH20thCentury2018}
\cite{buhovFLASH20thCentury2018} have shown that despite major security flaws,
Flash content is still served by 7.5\% of the top one million web sites (2017).
The W3Techs Web Technology Survey shows a similar trend and also offers an
up-to-date measurement of 2.7\% of the top ten million web sites for the year
2020 \cite{w3techsHistoricalYearlyTrends2020}. Due to the security concerns with
using Flash, Google's popular video sharing platform YouTube switched by default
to the HTML5 <video> tag in January of 2015
\cite{youtubeengineeringYouTubeNowDefaults2015}. In 2017 Adobe announced that they
will end-of-life Flash at the end of 2020, stopping updates and distribution
\cite{adobecorporatecommunicationsFlashFutureInteractive2017}. Consequently,
Chrome 76 and Firefox 69 disabled Flash by default and will drop support
entirely in 2020.
development of the HTML5 standard, \citet{buhovFLASH20thCentury2018} have shown
that despite major security flaws, Flash content is still served by 7.5\% of
the top one million web sites (2017). The W3Techs Web Technology Survey shows
a similar trend and also offers an up-to-date measurement of 2.7\% of the top
ten million web sites for the year 2020
\cite{w3techsHistoricalYearlyTrends2020}. Due to the security concerns with
using Flash, Google's popular video sharing platform YouTube switched by
default to the HTML5 <video> tag in January of 2015
\cite{youtubeengineeringYouTubeNowDefaults2015}. In 2017 Adobe announced that
they will end-of-life Flash at the end of 2020, stopping updates and
distribution \cite{adobecorporatecommunicationsFlashFutureInteractive2017}.
Consequently, Chrome 76 and Firefox 69 disabled Flash by default and will drop
support entirely in 2020.
Similarly to Flash, Java also provides a way of storing data locally on the
user's computer via the PersistenceService \gls{API}
@ -404,11 +394,9 @@ evercookie is therefore not easy to do. Additionally, it is reported on the
project's github page that it might cause severe performance issues in browsers.
Evercookie has been proposed and implemented by
\citeauthor{kamkarEvercookieVirtuallyIrrevocable2010} in
\cite{kamkarEvercookieVirtuallyIrrevocable2010}. Multiple surveys have tried to
quantify the use of evercookie in the wild.
\citeauthor{acarWebNeverForgets2014} provide a heuristic for detecting
evercookies stored on the user's computer \cite{acarWebNeverForgets2014} and
\citet{kamkarEvercookieVirtuallyIrrevocable2010}. Multiple surveys have tried
to quantify the use of evercookie in the wild. \citet{acarWebNeverForgets2014}
provide a heuristic for detecting evercookies stored on the user's computer and
analyze evercookie usage in conjunction with cookie respawning.
\subsection{Cookie Synchronization}
@ -426,7 +414,7 @@ necessarily having to know the web site the user visits.
\begin{figure}[ht]
\centering
\includegraphics[width=1\textwidth]{cookiesyncing}
\includegraphics[width=1\textwidth]{../figures/cookiesyncing.pdf}
\label{fig:cookie synchronization}
\caption{Cookie Synchronization in practice between two trackers
\emph{cloudflare.com} and \emph{google.com}.}
@ -467,24 +455,22 @@ knowing.
Cookie Synchronization has seen widespread adoption especially in \gls{RTB}
based auctions \cite{olejnikSellingPrivacyAuction2014}.
\citeauthor{papadopoulosCookieSynchronizationEverything2019}
\cite{papadopoulosCookieSynchronizationEverything2019} recorded and analyzed the
browsing habits of 850 users over a time period of one year and found that 97\%
of users with regular browsing activity were exposed to Cookie Synchronization
at least once. Furthermore, they found that ``[...] the average user receives
around 1 synchronization per 68 requests''
\citet{papadopoulosCookieSynchronizationEverything2019} recorded and analyzed
the browsing habits of 850 users over a time period of one year and found that
97\% of users with regular browsing activity were exposed to Cookie
Synchronization at least once. Furthermore, they found that ``[...] the average
user receives around 1 synchronization per 68 requests''
\cite[p.~7]{papadopoulosCookieSynchronizationEverything2019}. In
\cite{englehardtOnlineTracking1MillionSite2016} the authors crawl the top
100,000 sites and find that 45 of the top 50 (90\%) third parties and 460 of the
top 1000 (46\%) use Cookie Synchronization with at least one other party.
\emph{Doubleclick.net} being at the top sharing 108 cookies with 118 other third
parties. \citeauthor{papadopoulosExclusiveHowSynced2018} show in
\cite{papadopoulosExclusiveHowSynced2018} the threat that Cookie Synchronization
poses to encrypted \gls{TLS} sessions by performing the cookie-syncing over
unencrypted \gls{HTTP} even though the original request to the web site was
encrypted. This highlights the serious privacy implications for users of
\gls{VPN} services trying to safeguard their traffic from a potentially
malicious \gls{ISP}.
100,000 sites and find that 45 of the top 50 (90\%) third parties and 460 of
the top 1000 (46\%) use Cookie Synchronization with at least one other party.
\emph{Doubleclick.net} being at the top sharing 108 cookies with 118 other
third parties. \citet{papadopoulosExclusiveHowSynced2018} show the threat
that Cookie Synchronization poses to encrypted \gls{TLS} sessions by performing
the cookie-syncing over unencrypted \gls{HTTP} even though the original request
to the web site was encrypted. This highlights the serious privacy implications
for users of \gls{VPN} services trying to safeguard their traffic from a
potentially malicious \gls{ISP}.
\subsection{Silverlight Isolated Storage}
\label{subsec:silverlight isolated storage}
@ -545,14 +531,12 @@ storage.
HTML5 Web Storage can be used for tracking in the same way that cookies are
used: by storing unique identifiers which are read on subsequent visits.
\citeauthor{ayensonFlashCookiesPrivacy2011}
\cite{ayensonFlashCookiesPrivacy2011} found that 17 of the top 100 web sites
\citet{ayensonFlashCookiesPrivacy2011} found that 17 of the top 100 web sites
used HTML5 Web Storage with some of them using it for cookie respawing (see
section~\ref{subsec:evercookie}). A recent survey by
\citeauthor{belloroKnowWhatYou2018} \cite{belloroKnowWhatYou2018} looks at Web
Storage usage in general and found that 83.09\% of the top 10K Alexa web sites
use it. The authors flagged 63.88\% of those usages as coming from known
tracking domains.
\citet{belloroKnowWhatYou2018} looks at Web Storage usage in general and found
that 83.09\% of the top 10K Alexa web sites use it. The authors flagged 63.88\%
of those usages as coming from known tracking domains.
\subsection{HTML5 Indexed Database API}
\label{subsec:html5 indexed database api}
@ -580,16 +564,15 @@ an editors draft until it is ready for recommendation.
HTML5 IndexedDB has been added to the evercookie library (see
section~\ref{subsec:evercookie}) by
\citeauthor{kamkarEvercookieVirtuallyIrrevocable2010}, providing redundancy for
\gls{HTTP} cookies. \citeauthor{acarWebNeverForgets2014}
\cite{acarWebNeverForgets2014} have shown that only 20 of 100.000 surveyed sites
use the IndexedDB storage vector with one of them (\texttt{weibo.com}) using it
for respawning \gls{HTTP} cookies. A more recent study by
\citeauthor{belloroKnowWhatYou2018} \cite{belloroKnowWhatYou2018} paints a
different picture: On a dataset provided by the \gls{HTTP} Archive project
\citet{kamkarEvercookieVirtuallyIrrevocable2010}, providing redundancy for
\gls{HTTP} cookies. \citet{acarWebNeverForgets2014} have shown that only 20 of
100.000 surveyed sites use the IndexedDB storage vector with one of them
(\texttt{weibo.com}) using it for respawning \gls{HTTP} cookies. A more recent
study by \citet{belloroKnowWhatYou2018} paints a different picture: On a
dataset provided by the \gls{HTTP} Archive project
\cite{soudersAnnouncingHTTPArchive2011}, they found that 5.56\% of observed
sites use IndexedDB. Of those that use IndexedDB, 31.87\% of usages appear to be
coming from domains that are flagged as `trackers'.
sites use IndexedDB. Of those that use IndexedDB, 31.87\% of usages appear to
be coming from domains that are flagged as trackers.
\subsection{Web SQL Database}
\label{subsec:web sql database}
@ -613,11 +596,11 @@ affiliated with the origin but have a different name (e.g. subdomains).
Due to the W3C abandoning the Web SQL Database standard, not many reports on
usage for tracking purposes exist. The method has been added, however, to the
evercookie library by \citeauthor{kamkarEvercookieVirtuallyIrrevocable2010} (see
evercookie library by \citet{kamkarEvercookieVirtuallyIrrevocable2010} (see
section~\ref{subsec:evercookie}) to add another layer of redundancy for storing
unique identifiers and respawning deleted ones. By performing static analysis on
a dataset provided by the \gls{HTTP} Archive project
\cite{soudersAnnouncingHTTPArchive2011}, \citeauthor{belloroKnowWhatYou2018}
\cite{soudersAnnouncingHTTPArchive2011}, \citet{belloroKnowWhatYou2018}
found that 1.34\% of the surveyed web sites use Web SQL Database in one of their
subresources. 53.59\% of Web SQL Database usage are considered to be coming from
known tracking domains. This ratio is lower for the first 10K web sites as
@ -656,27 +639,24 @@ colour, compare it with the colour that has been set for visited and non-visited
web sites and see if a web site has already been visited or not.
A solution to the problem has been proposed and subsequently implemented by
\citeauthor{baronPreventingAttacksUser2010}
\cite{baronPreventingAttacksUser2010} in 2010, making
\citet{baronPreventingAttacksUser2010} in 2010, making
\texttt{getComputedStyle()} and similar functions lie about the state of the
visited links and marking them as unvisited. Another solution has been developed
by \citeauthor{jacksonProtectingBrowserState2006}
\cite{jacksonProtectingBrowserState2006} in form of a browser extension that
enforces the same-origin policy for browser histories as well. Although their
approach limits access to a user's browsing history by third parties, first
parties are unencumbered by the same-origin policy. Their browser extension
does, however, thwart the attack carried out by
\citeauthor{jancWebBrowserHistory2010} in \cite{jancWebBrowserHistory2010} where
the authors were able to check for up to 30.000 links per second.
visited links and marking them as unvisited. Another solution has been
developed by \citet{jacksonProtectingBrowserState2006} in form of a browser
extension that enforces the same-origin policy for browser histories as well.
Although their approach limits access to a user's browsing history by third
parties, first parties are unencumbered by the same-origin policy. Their
browser extension does, however, thwart the attack carried out by
\citet{jancWebBrowserHistory2010} where the authors were able to check for up
to 30.000 links per second.
\citeauthor{wondracekPracticalAttackDeanonymize2010}
\cite{wondracekPracticalAttackDeanonymize2010} demonstrate the severity of
\citet{wondracekPracticalAttackDeanonymize2010} demonstrate the severity of
history stealing attacks (e.g. visited link differentiation) on user privacy by
probing for \glspl{URL} that encode user information such as group membership in
social networks. By constructing a set of group memberships for each user, the
results can uniquely identify a person. Furthermore, information that is not yet
attributed to a single user but to a group as a whole can be used to more
accurately identify members of said group.
probing for \glspl{URL} that encode user information such as group membership
in social networks. By constructing a set of group memberships for each user,
the results can uniquely identify a person. Furthermore, information that is
not yet attributed to a single user but to a group as a whole can be used to
more accurately identify members of said group.
Other ways of utilizing a web browser's cache to track users are tracking
whether a web site asset (e.g., an image or script) has already been cached by
@ -731,45 +711,43 @@ to circumvent because caches exist solely for that purpose. Countermeasures
either cause a massive slowdown when browsing the web due to the ubiquity of
caches, or imply a substantial change in user agent design.
\citeauthor{feltenTimingAttacksWeb2000} \cite{feltenTimingAttacksWeb2000} were
the first to conduct a study on the feasibility of cache timing attacks and
concluded that accuracy in determining whether a file has been loaded from cache
or downloaded from a server is generally very high ($>95$\%). Furthermore, they
evaluated a host of countermeasures such as turning off caching, altering hit or
miss performance and turning off Java and JavaScript but concluded that they
were unattractive or at worst ineffective. They propose a partial remedy for
cache timing by introducing \emph{Domain Tagging} which requires that resources
are tagged with the domain they have initially been loaded from. Once another
web site wants to determine whether a user has visited a site before by
cross-loading a resource, the domain does not match the tagged domain on the
resource. If that is the case, the initial cache hit gets transformed into a
cache miss and the resource has to be downloaded again, fooling the attacker
into believing that the origin web site has not been visited before. It is
necessary to mention that at the time (2000) \glspl{CDN} were not as widely
used as today. Since web sites rely on \glspl{CDN} to cache resources that are
used on multiple sites and can thus be served much faster from cache, domain
tagging would effectively nullify the performance boost a \gls{CDN} provides by
converting every cache hit into a cache miss. The authors themselves question
the effectiveness of such an approach.
\citet{feltenTimingAttacksWeb2000} were the first to conduct a study on the
feasibility of cache timing attacks and concluded that accuracy in determining
whether a file has been loaded from cache or downloaded from a server is
generally very high ($>95$\%). Furthermore, they evaluated a host of
countermeasures such as turning off caching, altering hit or miss performance
and turning off Java and JavaScript but concluded that they were unattractive
or at worst ineffective. They propose a partial remedy for cache timing by
introducing \emph{Domain Tagging} which requires that resources are tagged with
the domain they have initially been loaded from. Once another web site wants to
determine whether a user has visited a site before by cross-loading a resource,
the domain does not match the tagged domain on the resource. If that is the
case, the initial cache hit gets transformed into a cache miss and the resource
has to be downloaded again, fooling the attacker into believing that the origin
web site has not been visited before. It is necessary to mention that at the
time (2000) \glspl{CDN} were not as widely used as today. Since web sites rely
on \glspl{CDN} to cache resources that are used on multiple sites and can thus
be served much faster from cache, domain tagging would effectively nullify the
performance boost a \gls{CDN} provides by converting every cache hit into a
cache miss. The authors themselves question the effectiveness of such an
approach.
Because the attack presented by \citeauthor{feltenTimingAttacksWeb2000} relies
on being able to accurately time resource loading, a reliable network is needed.
Because the attack presented by \citet{feltenTimingAttacksWeb2000} relies on
being able to accurately time resource loading, a reliable network is needed.
Today a sizeable portion of internet activity comes from mobile devices which
are often not connected via cable but wirelessly.
\citeauthor{vangoethemClockStillTicking2015}
\cite{vangoethemClockStillTicking2015} have therefore proposed four new methods
to accurately time resource loading over unstable networks. By using these
improved methods, they managed to determine whether a user is a member of a
particular age group (in this case between 23 and 32). The authors also ran
\citet{vangoethemClockStillTicking2015} have therefore proposed four new
methods to accurately time resource loading over unstable networks. By using
these improved methods, they managed to determine whether a user is a member of
a particular age group (in this case between 23 and 32). The authors also ran
their attacks against other social networks (LinkedIn, Twitter, Google and
Amazon), successfully extracting sensitive information on users. The research
discussed so far has not tackled the problem through a quantitative perspective
but instead focused on individual cases. Due to this missing piece,
\citeauthor{sanchez-rolaBakingTimerPrivacyAnalysis2019}
\cite{sanchez-rolaBakingTimerPrivacyAnalysis2019} conducted a survey on 10K
web sites to determine how feasible it is to perform a history sniffing attack on
a large scale. Their tool \textsc{BakingTimer} collects timing information on
\gls{HTTP} requests, checking for logged in status and sensitive data. Their
\citet{sanchez-rolaBakingTimerPrivacyAnalysis2019} conducted a survey on 10K
web sites to determine how feasible it is to perform a history sniffing attack
on a large scale. Their tool \textsc{BakingTimer} collects timing information
on \gls{HTTP} requests, checking for logged in status and sensitive data. Their
results show that 71.07\% of the surveyed web sites are vulnerable to the
attack.
@ -796,17 +774,16 @@ an \gls{HTTP} 304 Not-Modified status. Otherwise, the answer contains a full
therefore improve performance and cache consistency while at the same time
reducing bandwidth usage.
As with most other tracking methods, unique identifiers can be stored inside the
\gls{ETag} header because it offers a storage capacity of 81864 bits. Once the
identifier has been placed in the \gls{ETag} header, the server can answer
As with most other tracking methods, unique identifiers can be stored inside
the \gls{ETag} header because it offers a storage capacity of 81864 bits. Once
the identifier has been placed in the \gls{ETag} header, the server can answer
requests to check for an updated resource always with an \gls{HTTP} 301
Not-Modified header, effectively persisting the unique identifier in the
client's cache. During their 2011 survey of QuantCast.com's top 100 U.S. based
web sites \citeauthor{ayensonFlashCookiesPrivacy2011}
\cite{ayensonFlashCookiesPrivacy2011} found \texttt{hulu.com} to be using
\glspl{ETag} as backup for tracking cookies that are set by \texttt{KISSmetrics}
(an analytics platform). This allowed cookies to be respawned once they had been
cleared by checking the \gls{ETag} header.
web sites \citet{ayensonFlashCookiesPrivacy2011} found \texttt{hulu.com} to be
using \glspl{ETag} as backup for tracking cookies that are set by
\texttt{KISSmetrics} (an analytics platform). This allowed cookies to be
respawned once they had been cleared by checking the \gls{ETag} header.
\subsection{DNS Cache}
\label{subsec:dns cache}
@ -826,14 +803,14 @@ operating system has it's own cache that applications can ask for name
resolution. Some applications introduce another layer of caching by having their
own cache (e.g., browsers).
\citeauthor{kleinDNSCacheBasedUser2019} \cite{kleinDNSCacheBasedUser2019}
demonstrated a tracking method which is using \gls{DNS} caches to assign unique
identifiers to client machines. In order for the technique to work, the tracker
has to have control over one web server (or multiple) as well as an
authoritative \gls{DNS} server which associates the web servers with a domain
name under the control of the tracker. The tracking process starts once a user
agent requests a web site which loads a script from one of the web servers the
attacker is controlling. The process can then be sketched out as follows (see
\citet{kleinDNSCacheBasedUser2019} demonstrated a tracking method which is
using \gls{DNS} caches to assign unique identifiers to client machines. In
order for the technique to work, the tracker has to have control over one web
server (or multiple) as well as an authoritative \gls{DNS} server which
associates the web servers with a domain name under the control of the tracker.
The tracking process starts once a user agent requests a web site which loads a
script from one of the web servers the attacker is controlling. The process
can then be sketched out as follows (see
\cite[p.~5]{kleinDNSCacheBasedUser2019} for a detailed description).
\begin{enumerate}
@ -857,7 +834,7 @@ is unique and thus allows identification of not only the browser but the client
machine itself.
Advantages of this tracking method are that it works across browsers in most
cases. \citeauthor{kleinDNSCacheBasedUser2019} found that it survives browser
cases. \citet{kleinDNSCacheBasedUser2019} found that it survives browser
restarts and is resistant to the privacy mode employed by modern browsers.
Futhermore, \glspl{VPN} do not affect the method and it works with different
protocols (\gls{HTTPS}, \gls{IPv6}, \gls{DNSSEC}).
@ -901,25 +878,23 @@ identity provides a mechanism by which information associated with a secure
connection (certificates, keys) can be restored.
Because resuming a connection reuses information that has been exchanged before
to establish secure communication, individual sessions can be linked together to
form a history of information exchanges. This tracking method is described by
\citeauthor{syTrackingUsersWeb2018} in \cite{syTrackingUsersWeb2018}. Even
though \gls{TLS} session resumption can be mitigated by restarting the browser
because that clears the cache, the authors argue that due to mobile devices
being online without restarts for long periods the attack remains viable.
Futhermore, despite browsers imposing limits on the lifetime of session
identifiers and \glspl{PSK}, it is possible to maintain a session indefinitely
by carrying out a \emph{prolongation attack}. \citeauthor{syTrackingUsersWeb2018}
define a prolongation attack as an attack where the client asks for a session
resumption by sending the identifier of a previously initiated connection and
the server responds with a new handshake instead of resuming the old one. This
effectively resets the time limit as long as the user is initiating new (or
trying to resume old) connections to the server within the imposed time limit.
to establish secure communication, individual sessions can be linked together
to form a history of information exchanges. This tracking method is described
by \citet{syTrackingUsersWeb2018}. Even though \gls{TLS} session resumption can
be mitigated by restarting the browser because that clears the cache, the
authors argue that due to mobile devices being online without restarts for long
periods the attack remains viable. Futhermore, despite browsers imposing
limits on the lifetime of session identifiers and \glspl{PSK}, it is possible
to maintain a session indefinitely by carrying out a \emph{prolongation
attack}. \citet{syTrackingUsersWeb2018} define a prolongation attack as an
attack where the client asks for a session resumption by sending the identifier
of a previously initiated connection and the server responds with a new
handshake instead of resuming the old one. This effectively resets the time
limit as long as the user is initiating new (or trying to resume old)
connections to the server within the imposed time limit.
The authors present an empirical evaluation of server and browser configurations
with respect to session resumption lifetime by crawling the top 1M web sites as
determined by Alexa. Their results indicate that only 4\% of those sites do not
allow session resumption at all, while the majority (78\%) allows session
identifiers as well as tickets.
\end{document}

684
bibliography/references.bib → references.bib
View File

File diff suppressed because it is too large Load Diff

149
thesis.tex Normal file
View File

@ -0,0 +1,149 @@
% Copyright (C) 2014-2020 by Thomas Auzinger <thomas@auzinger.name>
\documentclass[draft,final]{vutinfth} % Remove option 'final' to obtain debug information.
% Load packages to allow in- and output of non-ASCII characters.
\usepackage{lmodern} % Use an extension of the original Computer Modern font to minimize the use of bitmapped letters.
\usepackage[T1]{fontenc} % Determines font encoding of the output. Font packages have to be included before this line.
\usepackage[utf8]{inputenc} % Determines encoding of the input. All input files have to use UTF8 encoding.
% Extended LaTeX functionality is enables by including packages with \usepackage{...}.
\usepackage{amsmath} % Extended typesetting of mathematical expression.
\usepackage{amssymb} % Provides a multitude of mathematical symbols.
\usepackage{mathtools} % Further extensions of mathematical typesetting.
\usepackage{microtype} % Small-scale typographic enhancements.
\usepackage[inline]{enumitem} % User control over the layout of lists (itemize, enumerate, description).
\usepackage{multirow} % Allows table elements to span several rows.
\usepackage{booktabs} % Improves the typesettings of tables.
\usepackage{subcaption} % Allows the use of subfigures and enables their referencing.
\usepackage[ruled,linesnumbered,algochapter]{algorithm2e} % Enables the writing of pseudo code.
\usepackage[usenames,dvipsnames,table]{xcolor} % Allows the definition and use of colors. This package has to be included before tikz.
\usepackage{nag} % Issues warnings when best practices in writing LaTeX documents are violated.
\usepackage{todonotes} % Provides tooltip-like todo notes.
\usepackage{listings}
\usepackage{minted}
\usepackage[numbers]{natbib}
\usepackage{hyperref} % Enables cross linking in the electronic document version. This package has to be included second to last.
\usepackage[acronym,toc]{glossaries} % Enables the generation of glossaries and lists fo acronyms. This package has to be included last.
% Define convenience functions to use the author name and the thesis title in the PDF document properties.
\newcommand{\authorname}{Tobias Eidelpes} % The author name without titles.
\newcommand{\thesistitle}{Stateful Web Tracking: Techniques and Countermeasures} % The title of the thesis. The English version should be used, if it exists.
% Set PDF document properties
\hypersetup{
pdfpagelayout = TwoPageRight, % How the document is shown in PDF viewers (optional).
linkbordercolor = {Melon}, % The color of the borders of boxes around crosslinks (optional).
pdfauthor = {\authorname}, % The author's name in the document properties (optional).
pdftitle = {\thesistitle}, % The document's title in the document properties (optional).
pdfsubject = {Web Tracking}, % The document's subject in the document properties (optional).
pdfkeywords = {Stateful, Web, Tracking, Survey} % The document's keywords in the document properties (optional).
}
\setpnumwidth{2.5em} % Avoid overfull hboxes in the table of contents (see memoir manual).
\setsecnumdepth{subsection} % Enumerate subsections.
\definecolor{light-gray}{gray}{0.95} % Define colour for minted code snippets
\nonzeroparskip % Create space between paragraphs (optional).
\setlength{\parindent}{0pt} % Remove paragraph identation (optional).
\makeindex % Use an optional index.
\makeglossaries % Use an optional glossary.
%\glstocfalse % Remove the glossaries from the table of contents.
% Set persons with 4 arguments:
% {title before name}{name}{title after name}{gender}
% where both titles are optional (i.e. can be given as empty brackets {}).
\setauthor{}{\authorname}{}{male}
\setauthorextra
\setadvisor{}{Thomas Grechenig}{}{male}
% For bachelor and master theses:
\setfirstassistant{}{Karl Pinter}{}{male}
% Required data.
\setregnumber{01527193}
\setdate{31}{03}{2020} % Set date with 3 arguments: {day}{month}{year}.
\settitle{\thesistitle}{Stateful Web Tracking: Techniques and Countermeasures} % Sets English and German version of the title (both can be English or German). If your title contains commas, enclose it with additional curvy brackets (i.e., {{your title}}) or define it as a macro as done with \thesistitle.
% Select the thesis type: bachelor / master / doctor / phd-school.
% Bachelor:
\setthesis{bachelor}
% For bachelor and master:
\setcurriculum{Software \& Information Engineering}{Software \& Information Engineering} % Sets the English and German name of the curriculum.
\input{acronym.tex}
\begin{document}
\frontmatter % Switches to roman numbering.
% The structure of the thesis has to conform to the guidelines at
% https://informatics.tuwien.ac.at/study-services
\addtitlepage{naustrian} % German title page (not for dissertations at the PhD School).
\addtitlepage{english} % English title page.
\addinsotitlepage{naustrian}
\addstatementpage
\begin{acknowledgements*}
\todo{Enter your text here.}
\end{acknowledgements*}
\begin{kurzfassung}
\todo{Ihr Text hier.}
\end{kurzfassung}
\begin{abstract}
\todo{Enter your text here.}
\end{abstract}
% Select the language of the thesis, e.g., english or naustrian.
\selectlanguage{english}
% Add a table of contents (toc).
\tableofcontents % Starred version, i.e., \tableofcontents*, removes the self-entry.
% Switch to arabic numbering and start the enumeration of chapters in the table of content.
\mainmatter
% Include introduction.tex
% Include methods.tex
\input{methods.tex}
% Include defences.tex
% Include developments
% Include conclusion
% Remove following line for the final thesis.
%\input{intro.tex} % A short introduction to LaTeX.
\backmatter
% Use an optional list of figures.
\listoffigures % Starred version, i.e., \listoffigures*, removes the toc entry.
% Use an optional list of tables.
\cleardoublepage % Start list of tables on the next empty right hand page.
\listoftables % Starred version, i.e., \listoftables*, removes the toc entry.
% Use an optional list of alogrithms.
\listofalgorithms
\addcontentsline{toc}{chapter}{List of Algorithms}
% Add an index.
\printindex
% Add a glossary.
\printglossaries
% Add a bibliography.
\bibliographystyle{plainnat}
\bibliography{references}
\end{document}

2107
vutinfth.dtx Normal file
View File

File diff suppressed because it is too large Load Diff

64
vutinfth.ins Normal file
View File

@ -0,0 +1,64 @@
%% vutinfth.ins
%% Copyright (C) 2014-2020 by Thomas Auzinger <thomas@auzinger.name>
%%
%% This work may be distributed and/or modified under the
%% conditions of the LaTeX Project Public License, either version 1.3
%% of this license or (at your option) any later version.
%% The latest version of this license is in
%% http://www.latex-project.org/lppl.txt
%% and version 1.3 or later is part of all distributions of LaTeX
%% version 2005/12/01 or later.
%%
%% This work has the LPPL maintenance status `maintained'.
%%
%% The Current Maintainer of this work is Thomas Auzinger.
%%
%% This work consists of the files vutinfth.dtx and vutinfth.ins
%% and the derived file vutinfth.cls.
%% This work also consists of the file intro.tex.
%%
\input docstrip.tex
\keepsilent
\usedir{tex/latex/vutinfth}
\preamble
This is a generated file.
Copyright (C) 2014-2020 by Thomas Auzinger <thomas@auzinger.name>
This work may be distributed and/or modified under the
conditions of the LaTeX Project Public License, either version 1.3
of this license or (at your option) any later version.
The latest version of this license is in
http://www.latex-project.org/lppl.txt
and version 1.3 or later is part of all distributions of LaTeX
version 2005/12/01 or later.
This work has the LPPL maintenance status `maintained'.
The Current Maintainer of this work is Thomas Auzinger.
This work consists of the files vutinfth.dtx and vutinfth.ins
and the derived file vutinfth.cls.
This work also consists of the file intro.tex.
\endpreamble
\askforoverwritefalse
\generate{\file{vutinfth.cls}{\from{vutinfth.dtx}{class}}}
\Msg{*********************************************************}
\Msg{*}
\Msg{* To finish the installation you have to move the}
\Msg{* following file into a directory searched by TeX:}
\Msg{*}
\Msg{* \space\space vuinfth.cls}
\Msg{*}
\Msg{* To produce the documentation run the file vuinfth.dtx}
\Msg{* through LaTeX.}
\Msg{*}
\Msg{*********************************************************}
\endbatchfile