diff --git a/acronym.tex b/acronym.tex
index 550d770..60a13d4 100644
--- a/acronym.tex
+++ b/acronym.tex
@@ -36,3 +36,4 @@
 \newacronym {DNT} {DNT} {Do Not Track}
 \newacronym {TPL} {TPL} {Tracking Protection List}
 \newacronym {EFF} {EFF} {Electronic Frontier Foundation}
+\newacronym {MITM} {MITM} {man-in-the-middle}
diff --git a/defenses.tex b/defenses.tex
index 7ef10f4..b4f4fa3 100644
--- a/defenses.tex
+++ b/defenses.tex
@@ -343,3 +343,67 @@ tracking by \citet{kleinDNSCacheBasedUser2019}, the Tor network uses one therefore difficult. \gls{TLS} session resumption is mitigated by disabling \gls{TLS} session tickets. This happens by default within Tor browser. Additionally, they are limited to the current \gls{URL} bar domain. + +\subsection{Virtual Private Network} +\label{subsec:virtual private network} + +\glspl{VPN} are known for increasing privacy and anonymity by tunneling the +traffic through a \gls{VPN} provider's network. One side effect of this +tunneling results in masking the original requesting \gls{IP} address from +potentially malicious web site owners. \gls{VPN} providers additionally require +communication to be encrypted with \gls{TLS} before it is sent to their servers. +Messages encrypted with \gls{TLS} are therefore safe from prying eyes seeking to +intercept communication (\gls{MITM}) in most cases. This is especially useful if +a user is connected to the Internet through a public access point which is open +for everyone and thus does not inhibit \gls{MITM} attacks. Furthermore, +\gls{VPN} clients often use their own \gls{DNS} resolver to resolve \gls{IP} +addresses into domain names and vice versa. An \gls{ISP} interested in knowing +what kind of pages their customers visit is therefore not able to look at their +\gls{DNS} records to obtain a browsing history for individual \gls{IP} +addresses. Besides masking \gls{IP} addresses, \glspl{VPN} are effective tools +for accessing content that is not available in one country. Netflix-hosted +content for example is not the same for different countries and users in Germany +might be able to access content only available in the United States by using a +\gls{VPN} which gives an american \gls{IP} address. + +Even though \glspl{VPN} have the aforementioned benefits, their tracking +protection capabilities are limited. 
\citet{papadopoulosExclusiveHowSynced2018} +demonstrate how correctly secured \gls{VPN} sessions can be breached via Cookie +Synchronization (section~\ref{subsec:cookie synchronization}). +Figure~\ref{fig:cookie-synchronization-vpns} shows their attack model, resulting +in a snooping \gls{ISP} receiving identifying information despite an encrypted +\gls{VPN} session. Every form of session-based tracking still applies to +sessions over \glspl{VPN} with the difference that the unique identifiers set +within the browser do not correspond to the original \gls{IP} address but the +one given by the \gls{VPN} service. Even storage-based and cache-based tracking +methods are unencumbered by \glspl{VPN}. All of these methods work without +knowing the correct \gls{IP} address. Tying tracking information to a particular +user might be more difficult because the \gls{IP} address is not the same but as +soon as there is enough identifying information about one user and across +sessions, these events can be correlated with each other to form a complete +personal profile. + +Unfortunately, \gls{VPN} services have left the impression that they are +generally privacy-protecting online on many non-technical people. While the Tor +network (section~\ref{subsec:tor}) provides a much more comprehensive defense +against tracking mechanisms, it appears too technical and complicated for the +average user. \glspl{VPN} appear to be a set-and-forget solution to protecting +ones privacy online. \citet{khanEmpiricalAnalysisCommercial2018} show, however, +that choosing a \gls{VPN} is a difficult task by itself and that many services +do not manage to live up to their promises. In some cases \glspl{VPN} allegedly +intercept traffic and track users themselves (Hotspot Shield Free \gls{VPN} +\cite{centerfordemocracytechnologyComplaintRequestInvestigation2017}). 
Choosing +a \gls{VPN} is more difficult still because recommendations online happen +usually through affiliate programs, further confusing unknowledgeable users. + +\begin{figure} + \includegraphics[width=1\textwidth]{figures/cookie-syncing-vpns.png} + \caption{Breaching a \gls{TLS}-encrypted \gls{VPN} session via Cookie + Synchronization. A user accesses a website \texttt{example.com} over a + correctly secured \gls{VPN} and \gls{TLS}. \texttt{tracker1.com} receives a + cookie and performs cookie synchronization over \gls{HTTP} with + \texttt{tracker2.com}. The snooping \gls{ISP} can identify the user even + through the \gls{VPN} and across sessions by reading the synced \gls{HTTP} + cookie \cite[p.~2]{papadopoulosExclusiveHowSynced2018}.} + \label{fig:cookie-synchronization-vpns} +\end{figure} diff --git a/figures/cookie-syncing-vpns.png b/figures/cookie-syncing-vpns.png new file mode 100644 index 0000000..145445c Binary files /dev/null and b/figures/cookie-syncing-vpns.png differ diff --git a/references.bib b/references.bib index fe00318..162de23 100644 --- a/references.bib +++ b/references.bib @@ -331,6 +331,15 @@ series = {{{ASONAM}} '16} } +@misc{centerfordemocracytechnologyComplaintRequestInvestigation2017, + title = {Complaint, {{Request}} for {{Investigation}}, {{Injunction}}, and {{Other Relief}}: {{AnchorFree}}, {{Inc}}. {{Hotspot Shield VPN}}}, + author = {{Center for Democracy \& Technology}}, + year = {2017}, + month = aug, + url = {https://cdt.org/wp-content/uploads/2017/08/FTC-CDT-VPN-complaint-8-7-17.pdf}, + note = {Accessed 2020-08-10} +} + @inproceedings{chaabaneBigFriendWatching2012, title = {Big {{Friend}} Is {{Watching You}}: {{Analyzing Online Social Networks Tracking Capabilities}}}, shorttitle = {Big {{Friend}} Is {{Watching You}}}, 
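Review bot: In defenses.tex, the first paragraph of the new subsection states that VPN providers require TLS and that messages are therefore safe from interception, which conflates the tunnel's own encryption with end-to-end TLS and overstates the protection. The tunnel covers only the hop between the client and the provider, not every VPN protocol is built on TLS, and beyond the provider's exit the traffic is protected only if the application itself uses TLS, with the provider now positioned on the path. I would replace that sentence pair with `\glspl{VPN} encrypt traffic between the client and the provider's server; beyond that server, confidentiality depends on the application using \gls{TLS}, and the provider itself can observe the traffic.` The second paragraph and the figure caption should also say where the snooping ISP sits, since an ISP in front of the tunnel would presumably see only ciphertext; this needs checking against the cited paper, which is not visible here. In the same paragraph the DNS sentence has the direction reversed (resolvers map domain names to IP addresses first and foremost), and `(\gls{MITM})` will likely expand to nested parentheses on first use.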
@@ -740,6 +749,18 @@ Impact of CSS-based history detection}, primaryClass = {cs} } +@inproceedings{khanEmpiricalAnalysisCommercial2018, + title = {An {{Empirical Analysis}} of the {{Commercial VPN Ecosystem}}}, + booktitle = {Proceedings of the {{Internet Measurement Conference}} 2018}, + author = {Khan, Mohammad Taha and DeBlasio, Joe and Voelker, Geoffrey M. and Snoeren, Alex C. and Kanich, Chris and {Vallina-Rodriguez}, Narseo}, + year = {2018}, + month = oct, + pages = {443--456}, + address = {{New York, NY, USA}}, + abstract = {Global Internet users increasingly rely on virtual private network (VPN) services to preserve their privacy, circumvent censorship, and access geo-filtered content. Due to their own lack of technical sophistication and the opaque nature of VPN clients, however, the vast majority of users have limited means to verify a given VPN service's claims along any of these dimensions. We design an active measurement system to test various infrastructural and privacy aspects of VPN services and evaluate 62 commercial providers. Our results suggest that while commercial VPN services seem, on the whole, less likely to intercept or tamper with user traffic than other, previously studied forms of traffic proxying, many VPNs do leak user traffic---perhaps inadvertently---through a variety of means. We also find that a non-trivial fraction of VPN providers transparently proxy traffic, and many misrepresent the physical location of their vantage points: 5--30\% of the vantage points, associated with 10\% of the providers we study, appear to be hosted on servers located in countries other than those advertised to users.}, + series = {{{IMC}} '18} +} + @article{kitchenhamProceduresPerformingSystematic, title = {Procedures for {{Performing Systematic Reviews}}}, author = {Kitchenham, Barbara},