Add accessed date to URLs
parent
23efa86317
commit
a86556a64d
148
references.bib
148
references.bib
@ -16,7 +16,7 @@
|
|||||||
url = {https://adblockplus.org/en/},
|
url = {https://adblockplus.org/en/},
|
||||||
urldate = {2020-07-12},
|
urldate = {2020-07-12},
|
||||||
abstract = {Adblock Plus, the most popular ad blocker on Firefox, Chrome, Safari, Android and iOS. Block pop-ups and annoying ads on websites like Facebook and YouTube.},
|
abstract = {Adblock Plus, the most popular ad blocker on Firefox, Chrome, Safari, Android and iOS. Block pop-ups and annoying ads on websites like Facebook and YouTube.},
|
||||||
language = {en}
|
note = {Accessed 2020-07-12}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{adobecorporatecommunicationsFlashFutureInteractive2017,
|
@misc{adobecorporatecommunicationsFlashFutureInteractive2017,
|
||||||
@ -38,6 +38,7 @@
|
|||||||
month = oct,
|
month = oct,
|
||||||
pages = {687--698},
|
pages = {687--698},
|
||||||
abstract = {Today, websites commonly use third party web analytics services t obtain aggregate information about users that visit their sites. This information includes demographics and visits to other sites as well as user behavior within their own sites. Unfortunately, to obtain this aggregate information, web analytics services track individual user browsing behavior across the web. This violation of user privacy has been strongly criticized, resulting in tools that block such tracking as well as anti-tracking legislation and standards such as Do-Not-Track. These efforts, while improving user privacy, degrade the quality of web analytics. This paper presents the first design of a system that provides web analytics without tracking. The system gives users differential privacy guarantees, can provide better quality analytics than current services, requires no new organizational players, and is practical to deploy. This paper describes and analyzes the design, gives performance benchmarks, and presents our implementation and deployment across several hundred users.},
|
abstract = {Today, websites commonly use third party web analytics services t obtain aggregate information about users that visit their sites. This information includes demographics and visits to other sites as well as user behavior within their own sites. Unfortunately, to obtain this aggregate information, web analytics services track individual user browsing behavior across the web. This violation of user privacy has been strongly criticized, resulting in tools that block such tracking as well as anti-tracking legislation and standards such as Do-Not-Track. These efforts, while improving user privacy, degrade the quality of web analytics. This paper presents the first design of a system that provides web analytics without tracking. The system gives users differential privacy guarantees, can provide better quality analytics than current services, requires no new organizational players, and is practical to deploy. This paper describes and analyzes the design, gives performance benchmarks, and presents our implementation and deployment across several hundred users.},
|
||||||
|
annote = {Tracking defense mechanisms. Analytics ohne Privatsph\"arengef\"ahrdung},
|
||||||
series = {{{CCS}} '12}
|
series = {{{CCS}} '12}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -47,7 +48,8 @@
|
|||||||
year = {2020},
|
year = {2020},
|
||||||
month = mar,
|
month = mar,
|
||||||
url = {https://w3c.github.io/IndexedDB/},
|
url = {https://w3c.github.io/IndexedDB/},
|
||||||
urldate = {2020-03-20}
|
urldate = {2020-03-20},
|
||||||
|
note = {Accessed 2020-03-20}
|
||||||
}
|
}
|
||||||
|
|
||||||
@article{aonghusaDontLetGoogle2016,
|
@article{aonghusaDontLetGoogle2016,
|
||||||
@ -93,7 +95,8 @@
|
|||||||
url = {https://ashkansoltani.org/2011/08/11/respawn-redux-flash-cookies/},
|
url = {https://ashkansoltani.org/2011/08/11/respawn-redux-flash-cookies/},
|
||||||
urldate = {2019-08-22},
|
urldate = {2019-08-22},
|
||||||
abstract = {A detailed technical followup to Flash Cookies and Privacy II, describing the mechanisms behind Hulu/KISSmetrics' respawning practices I thought I'd take the time to elaborate a bit fur\ldots},
|
abstract = {A detailed technical followup to Flash Cookies and Privacy II, describing the mechanisms behind Hulu/KISSmetrics' respawning practices I thought I'd take the time to elaborate a bit fur\ldots},
|
||||||
journal = {Ashkan Soltani}
|
journal = {Ashkan Soltani},
|
||||||
|
note = {Accessed 2019-08-22}
|
||||||
}
|
}
|
||||||
|
|
||||||
@techreport{ayensonFlashCookiesPrivacy2011,
|
@techreport{ayensonFlashCookiesPrivacy2011,
|
||||||
@ -106,6 +109,7 @@
|
|||||||
url = {https://papers.ssrn.com/abstract=1898390},
|
url = {https://papers.ssrn.com/abstract=1898390},
|
||||||
urldate = {2020-02-13},
|
urldate = {2020-02-13},
|
||||||
abstract = {In August 2009, we demonstrated that popular websites were using ``Flash cookies'' to track users. Some advertisers had adopted this technology because it allowed persistent tracking even where users had taken steps to avoid web profiling. We also demonstrated ``respawning'' on top sites with Flash technology. This allowed sites to reinstantiate HTTP cookies deleted by a user, making tracking more resistant to users' privacy-seeking behaviors.},
|
abstract = {In August 2009, we demonstrated that popular websites were using ``Flash cookies'' to track users. Some advertisers had adopted this technology because it allowed persistent tracking even where users had taken steps to avoid web profiling. We also demonstrated ``respawning'' on top sites with Flash technology. This allowed sites to reinstantiate HTTP cookies deleted by a user, making tracking more resistant to users' privacy-seeking behaviors.},
|
||||||
|
note = {Accessed 2020-02-13},
|
||||||
number = {ID 1898390},
|
number = {ID 1898390},
|
||||||
type = {{{SSRN Scholarly Paper}}}
|
type = {{{SSRN Scholarly Paper}}}
|
||||||
}
|
}
|
||||||
@ -129,7 +133,8 @@
|
|||||||
month = mar,
|
month = mar,
|
||||||
url = {https://dbaron.org/mozilla/visited-privacy},
|
url = {https://dbaron.org/mozilla/visited-privacy},
|
||||||
urldate = {2020-03-25},
|
urldate = {2020-03-25},
|
||||||
journal = {dbaron.org}
|
journal = {dbaron.org},
|
||||||
|
note = {Accessed 2020-03-25}
|
||||||
}
|
}
|
||||||
|
|
||||||
@techreport{barthHTTPStateManagement2011,
|
@techreport{barthHTTPStateManagement2011,
|
||||||
@ -142,6 +147,7 @@
|
|||||||
url = {https://www.rfc-editor.org/info/rfc6265},
|
url = {https://www.rfc-editor.org/info/rfc6265},
|
||||||
urldate = {2020-02-11},
|
urldate = {2020-02-11},
|
||||||
abstract = {This document defines the HTTP Cookie and Set-Cookie header fields. These header fields can be used by HTTP servers to store state (called cookies) at HTTP user agents, letting the servers maintain a stateful session over the mostly stateless HTTP protocol. Although cookies have many historical infelicities that degrade their security and privacy, the Cookie and Set-Cookie header fields are widely used on the Internet. This document obsoletes RFC 2965.},
|
abstract = {This document defines the HTTP Cookie and Set-Cookie header fields. These header fields can be used by HTTP servers to store state (called cookies) at HTTP user agents, letting the servers maintain a stateful session over the mostly stateless HTTP protocol. Although cookies have many historical infelicities that degrade their security and privacy, the Cookie and Set-Cookie header fields are widely used on the Internet. This document obsoletes RFC 2965.},
|
||||||
|
note = {Accessed 2020-02-11},
|
||||||
number = {6265},
|
number = {6265},
|
||||||
type = {{{RFC}}}
|
type = {{{RFC}}}
|
||||||
}
|
}
|
||||||
@ -164,9 +170,7 @@
|
|||||||
month = nov,
|
month = nov,
|
||||||
url = {http://arxiv.org/abs/1811.00920},
|
url = {http://arxiv.org/abs/1811.00920},
|
||||||
urldate = {2019-08-14},
|
urldate = {2019-08-14},
|
||||||
abstract = {Numerous surveys have shown that Web users are concerned about the loss of privacy associated with online tracking. Alarmingly, these surveys also reveal that people are also unaware of the amount of data sharing that occurs between ad exchanges, and thus underestimate the privacy risks associated with online tracking.},
|
abstract = {Numerous surveys have shown that Web users are concerned about the loss of privacy associated with online tracking. Alarmingly, these surveys also reveal that people are also unaware of the amount of data sharing that occurs between ad exchanges, and thus underestimate the privacy risks associated with online tracking.}
|
||||||
archiveprefix = {arXiv},
|
|
||||||
eprintclass = {cs}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{baumanEvercookieApplet2013,
|
@misc{baumanEvercookieApplet2013,
|
||||||
@ -176,7 +180,8 @@
|
|||||||
month = apr,
|
month = apr,
|
||||||
url = {https://github.com/gabrielbauman/evercookie-applet},
|
url = {https://github.com/gabrielbauman/evercookie-applet},
|
||||||
urldate = {2020-02-20},
|
urldate = {2020-02-20},
|
||||||
copyright = {BSD-2-Clause}
|
copyright = {BSD-2-Clause},
|
||||||
|
note = {Accessed 2020-02-20}
|
||||||
}
|
}
|
||||||
|
|
||||||
@article{beckVisualAnalysisDissemination2016,
|
@article{beckVisualAnalysisDissemination2016,
|
||||||
@ -223,6 +228,7 @@
|
|||||||
volume = {6},
|
volume = {6},
|
||||||
pages = {52779--52792},
|
pages = {52779--52792},
|
||||||
abstract = {As the usage of the Web increases, so do the threats an everyday user faces. One of the most pervasive threats a Web user faces is tracking, which enables an entity to gain unauthorized access to the user's personal data. Through the years, many client storage technologies, such as cookies, have been used for this purpose and have been extensively studied in the literature. The focus of this paper is on three newer client storage mechanisms, namely, Web Storage, Web SQL Database, and Indexed Database API. Initially, a large-scale analysis of their usage on the Web is conducted to appraise their usage in the wild. Then, this paper examines the extent that they are used for tracking purposes. The results suggest that Web Storage is the most used among the three technologies. More importantly, to the best of our knowledge, this paper is the first to suggest Web tracking as the main use case of these technologies. Motivated by these results, this paper examines whether popular desktop and mobile browsers protect their users from tracking mechanisms that use Web Storage, Web SQL Database, and Indexed Database. Our results uncover many cases where the relevant security controls are ineffective, thus making it virtually impossible for certain users to avoid tracking.},
|
abstract = {As the usage of the Web increases, so do the threats an everyday user faces. One of the most pervasive threats a Web user faces is tracking, which enables an entity to gain unauthorized access to the user's personal data. Through the years, many client storage technologies, such as cookies, have been used for this purpose and have been extensively studied in the literature. The focus of this paper is on three newer client storage mechanisms, namely, Web Storage, Web SQL Database, and Indexed Database API. Initially, a large-scale analysis of their usage on the Web is conducted to appraise their usage in the wild. Then, this paper examines the extent that they are used for tracking purposes. The results suggest that Web Storage is the most used among the three technologies. More importantly, to the best of our knowledge, this paper is the first to suggest Web tracking as the main use case of these technologies. Motivated by these results, this paper examines whether popular desktop and mobile browsers protect their users from tracking mechanisms that use Web Storage, Web SQL Database, and Indexed Database. Our results uncover many cases where the relevant security controls are ineffective, thus making it virtually impossible for certain users to avoid tracking.},
|
||||||
|
annote = {Survey von Web Storage, Web SQL Database und IndexedDB},
|
||||||
journal = {IEEE Access}
|
journal = {IEEE Access}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -236,6 +242,7 @@
|
|||||||
url = {https://www.rfc-editor.org/info/rfc1738},
|
url = {https://www.rfc-editor.org/info/rfc1738},
|
||||||
urldate = {2020-02-06},
|
urldate = {2020-02-06},
|
||||||
abstract = {This document specifies a Uniform Resource Locator (URL), the syntax and semantics of formalized information for location and access of resources via the Internet.},
|
abstract = {This document specifies a Uniform Resource Locator (URL), the syntax and semantics of formalized information for location and access of resources via the Internet.},
|
||||||
|
note = {Accessed 2020-02-06},
|
||||||
number = {1738},
|
number = {1738},
|
||||||
type = {{{RFC}}}
|
type = {{{RFC}}}
|
||||||
}
|
}
|
||||||
@ -250,6 +257,7 @@
|
|||||||
url = {https://www.rfc-editor.org/info/rfc1630},
|
url = {https://www.rfc-editor.org/info/rfc1630},
|
||||||
urldate = {2020-02-06},
|
urldate = {2020-02-06},
|
||||||
abstract = {This document defines the syntax used by the World-Wide Web initiative to encode the names and addresses of objects on the Internet. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.},
|
abstract = {This document defines the syntax used by the World-Wide Web initiative to encode the names and addresses of objects on the Internet. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.},
|
||||||
|
note = {Accessed 2020-02-06},
|
||||||
number = {1630},
|
number = {1630},
|
||||||
type = {{{RFC}}}
|
type = {{{RFC}}}
|
||||||
}
|
}
|
||||||
@ -354,7 +362,6 @@
|
|||||||
author = {Degeling, Martin and Utz, Christine and Lentzsch, Christopher and Hosseini, Henry and Schaub, Florian and Holz, Thorsten},
|
author = {Degeling, Martin and Utz, Christine and Lentzsch, Christopher and Hosseini, Henry and Schaub, Florian and Holz, Thorsten},
|
||||||
year = {2019},
|
year = {2019},
|
||||||
abstract = {The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing changes on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites \textendash{} 6,579 in total \textendash{} for the presence of and updates to their privacy policy between December 2017 and October 2018. While many websites already had privacy policies, we find that in some countries up to 15.7 \% of websites added new privacy policies by May 25, 2018, resulting in 84.5 \% of websites having privacy policies. 72.6 \% of websites with existing privacy policies updated them close to the date. After May this positive development slowed down noticeably. Most visibly, 62.1 \% of websites in Europe now display cookie consent notices, 16 \% more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 28 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the web became more transparent at the time GDPR came into force, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.},
|
abstract = {The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing changes on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites \textendash{} 6,579 in total \textendash{} for the presence of and updates to their privacy policy between December 2017 and October 2018. While many websites already had privacy policies, we find that in some countries up to 15.7 \% of websites added new privacy policies by May 25, 2018, resulting in 84.5 \% of websites having privacy policies. 72.6 \% of websites with existing privacy policies updated them close to the date. After May this positive development slowed down noticeably. Most visibly, 62.1 \% of websites in Europe now display cookie consent notices, 16 \% more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 28 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the web became more transparent at the time GDPR came into force, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.},
|
||||||
archiveprefix = {arXiv},
|
|
||||||
journal = {Proc. 2019 Netw. Distrib. Syst. Secur. Symp.}
|
journal = {Proc. 2019 Netw. Distrib. Syst. Secur. Symp.}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -362,7 +369,8 @@
|
|||||||
title = {Tor's Protocol Specifications - {{Path Specification}}},
|
title = {Tor's Protocol Specifications - {{Path Specification}}},
|
||||||
author = {Dingledine, Roger and Mathewson, Nick},
|
author = {Dingledine, Roger and Mathewson, Nick},
|
||||||
url = {https://gitweb.torproject.org/torspec.git/tree/path-spec.txt},
|
url = {https://gitweb.torproject.org/torspec.git/tree/path-spec.txt},
|
||||||
urldate = {2020-07-14}
|
urldate = {2020-07-14},
|
||||||
|
note = {Accessed 2020-07-14}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{DuckDuckGoa,
|
@misc{DuckDuckGoa,
|
||||||
@ -371,13 +379,14 @@
|
|||||||
urldate = {2020-07-10},
|
urldate = {2020-07-10},
|
||||||
abstract = {The Internet privacy company that empowers you to seamlessly take control of your personal information online, without any tradeoffs.},
|
abstract = {The Internet privacy company that empowers you to seamlessly take control of your personal information online, without any tradeoffs.},
|
||||||
journal = {DuckDuckGo},
|
journal = {DuckDuckGo},
|
||||||
language = {en\_US}
|
note = {Accessed 2020-07-10}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{EasyList,
|
@misc{EasyList,
|
||||||
title = {{{EasyList}}},
|
title = {{{EasyList}}},
|
||||||
url = {https://easylist.to/},
|
url = {https://easylist.to/},
|
||||||
urldate = {2020-07-12}
|
urldate = {2020-07-12},
|
||||||
|
note = {Accessed 2020-07-12}
|
||||||
}
|
}
|
||||||
|
|
||||||
@article{enckTaintDroidInformationFlowTracking2014,
|
@article{enckTaintDroidInformationFlowTracking2014,
|
||||||
@ -435,6 +444,9 @@
|
|||||||
year = {2000},
|
year = {2000},
|
||||||
month = nov,
|
month = nov,
|
||||||
pages = {25--32},
|
pages = {25--32},
|
||||||
|
annote = {DNS cache timing attacks
|
||||||
|
\par
|
||||||
|
Web cache timing attacks},
|
||||||
series = {{{CCS}} '00}
|
series = {{{CCS}} '00}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -534,7 +546,8 @@
|
|||||||
year = {2010},
|
year = {2010},
|
||||||
month = nov,
|
month = nov,
|
||||||
url = {https://www.w3.org/TR/webdatabase/},
|
url = {https://www.w3.org/TR/webdatabase/},
|
||||||
urldate = {2020-03-20}
|
urldate = {2020-03-20},
|
||||||
|
note = {Accessed 2020-03-20}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{hillGorhillUBlock2020,
|
@misc{hillGorhillUBlock2020,
|
||||||
@ -545,7 +558,8 @@
|
|||||||
url = {https://github.com/gorhill/uBlock},
|
url = {https://github.com/gorhill/uBlock},
|
||||||
urldate = {2020-07-12},
|
urldate = {2020-07-12},
|
||||||
abstract = {uBlock Origin},
|
abstract = {uBlock Origin},
|
||||||
copyright = {GPL-3.0 License , GPL-3.0 License}
|
copyright = {GPL-3.0 License , GPL-3.0 License},
|
||||||
|
note = {Accessed 2020-07-12}
|
||||||
}
|
}
|
||||||
|
|
||||||
@article{huCharacterisingThirdParty2019,
|
@article{huCharacterisingThirdParty2019,
|
||||||
@ -554,7 +568,6 @@
|
|||||||
year = {2019},
|
year = {2019},
|
||||||
pages = {137--141},
|
pages = {137--141},
|
||||||
abstract = {The recently introduced General Data Protection Regulation (GDPR) requires that when obtaining information online that could be used to identify individuals, their consents must be obtained. Among other things, this affects many common forms of cookies, and users in the EU have been presented with notices asking their approvals for data collection. This paper examines the prevalence of third party cookies before and after GDPR by using two datasets: accesses to top 500 websites according to Alexa.com, and weekly data of cookies placed in users' browsers by websites accessed by 16 UK and China users across one year.},
|
abstract = {The recently introduced General Data Protection Regulation (GDPR) requires that when obtaining information online that could be used to identify individuals, their consents must be obtained. Among other things, this affects many common forms of cookies, and users in the EU have been presented with notices asking their approvals for data collection. This paper examines the prevalence of third party cookies before and after GDPR by using two datasets: accesses to top 500 websites according to Alexa.com, and weekly data of cookies placed in users' browsers by websites accessed by 16 UK and China users across one year.},
|
||||||
archiveprefix = {arXiv},
|
|
||||||
journal = {Proc. 10th ACM Conf. Web Sci. - WebSci 19}
|
journal = {Proc. 10th ACM Conf. Web Sci. - WebSci 19}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -567,8 +580,6 @@
|
|||||||
url = {http://arxiv.org/abs/1603.06289},
|
url = {http://arxiv.org/abs/1603.06289},
|
||||||
urldate = {2019-08-14},
|
urldate = {2019-08-14},
|
||||||
abstract = {Numerous tools have been developed to aggressively block the execution of popular JavaScript programs in Web browsers. Such blocking also affects functionality of webpages and impairs user experience. As a consequence, many privacy preserving tools that have been developed to limit online tracking, often executed via JavaScript programs, may suffer from poor performance and limited uptake. A mechanism that can isolate JavaScript programs necessary for proper functioning of the website from tracking JavaScript programs would thus be useful. Through the use of a manually labelled dataset composed of 2,612 JavaScript programs, we show how current privacy preserving tools are ineffective in finding the right balance between blocking tracking JavaScript programs and allowing functional JavaScript code. To the best of our knowledge, this is the first study to assess the performance of current web privacy preserving tools.},
|
abstract = {Numerous tools have been developed to aggressively block the execution of popular JavaScript programs in Web browsers. Such blocking also affects functionality of webpages and impairs user experience. As a consequence, many privacy preserving tools that have been developed to limit online tracking, often executed via JavaScript programs, may suffer from poor performance and limited uptake. A mechanism that can isolate JavaScript programs necessary for proper functioning of the website from tracking JavaScript programs would thus be useful. Through the use of a manually labelled dataset composed of 2,612 JavaScript programs, we show how current privacy preserving tools are ineffective in finding the right balance between blocking tracking JavaScript programs and allowing functional JavaScript code. To the best of our knowledge, this is the first study to assess the performance of current web privacy preserving tools.},
|
||||||
archiveprefix = {arXiv},
|
|
||||||
eprintclass = {cs},
|
|
||||||
language = {English}
|
language = {English}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -578,7 +589,7 @@
|
|||||||
urldate = {2020-02-08},
|
urldate = {2020-02-08},
|
||||||
abstract = {input elements of type "hidden" let web developers include data that cannot be seen or modified by users when a form is submitted. For example, the ID of the content that is currently being ordered or edited, or a unique security token. Hidden inputs are completely invisible in the rendered page, and there is no way to make it visible in the page's content.},
|
abstract = {input elements of type "hidden" let web developers include data that cannot be seen or modified by users when a form is submitted. For example, the ID of the content that is currently being ordered or edited, or a unique security token. Hidden inputs are completely invisible in the rendered page, and there is no way to make it visible in the page's content.},
|
||||||
journal = {MDN Web Docs},
|
journal = {MDN Web Docs},
|
||||||
language = {en}
|
note = {Accessed 2020-02-08}
|
||||||
}
|
}
|
||||||
|
|
||||||
@inproceedings{iordanouTracingCrossBorder2018,
|
@inproceedings{iordanouTracingCrossBorder2018,
|
||||||
@ -599,9 +610,7 @@
|
|||||||
month = aug,
|
month = aug,
|
||||||
url = {http://arxiv.org/abs/1908.02261},
|
url = {http://arxiv.org/abs/1908.02261},
|
||||||
urldate = {2019-08-14},
|
urldate = {2019-08-14},
|
||||||
abstract = {We turn our a ention to the elephant in the room of data protection, which is none other than the simple and obvious question: ``Who's tracking sensitive domains?''. Despite a fast-growing amount of work on more complex facets of the interplay between privacy and the business models of the Web, the obvious question of who collects data on domains where most people would prefer not be seen, has received rather limited a ention. First, we develop a methodology for automatically annotating websites that belong to a sensitive category, e.g., as de ned by the General Data Protection Regulation (GDPR). en, we extract the third party tracking services included directly, or via recursive inclusions, by the above mentioned sites. Having analyzed around 30k sensitive domains, we show that such domains are tracked, albeit less intensely than the mainstream ones. Looking in detail at the tracking services operating on them, we nd well known names, as well as some less known ones, including some specializing on speci c sensitive categories.},
|
abstract = {We turn our a ention to the elephant in the room of data protection, which is none other than the simple and obvious question: ``Who's tracking sensitive domains?''. Despite a fast-growing amount of work on more complex facets of the interplay between privacy and the business models of the Web, the obvious question of who collects data on domains where most people would prefer not be seen, has received rather limited a ention. First, we develop a methodology for automatically annotating websites that belong to a sensitive category, e.g., as de ned by the General Data Protection Regulation (GDPR). en, we extract the third party tracking services included directly, or via recursive inclusions, by the above mentioned sites. Having analyzed around 30k sensitive domains, we show that such domains are tracked, albeit less intensely than the mainstream ones. Looking in detail at the tracking services operating on them, we nd well known names, as well as some less known ones, including some specializing on speci c sensitive categories.}
|
||||||
archiveprefix = {arXiv},
|
|
||||||
eprintclass = {cs}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@article{iqbalAdGraphGraphBasedApproach2018,
|
@article{iqbalAdGraphGraphBasedApproach2018,
|
||||||
@ -612,9 +621,7 @@
|
|||||||
month = may,
|
month = may,
|
||||||
url = {http://arxiv.org/abs/1805.09155},
|
url = {http://arxiv.org/abs/1805.09155},
|
||||||
urldate = {2019-08-14},
|
urldate = {2019-08-14},
|
||||||
abstract = {User demand for blocking advertising and tracking online is large and growing. Existing tools, both deployed and described in research, have proven useful, but lack either the completeness or robustness needed for a general solution. Existing detection approaches generally focus on only one aspect of advertising or tracking (e.g. URL patterns, code structure), making existing approaches susceptible to evasion.},
|
abstract = {User demand for blocking advertising and tracking online is large and growing. Existing tools, both deployed and described in research, have proven useful, but lack either the completeness or robustness needed for a general solution. Existing detection approaches generally focus on only one aspect of advertising or tracking (e.g. URL patterns, code structure), making existing approaches susceptible to evasion.}
|
||||||
archiveprefix = {arXiv},
|
|
||||||
eprintclass = {cs}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@inproceedings{iqbalAdWarsRetrospective2017,
|
@inproceedings{iqbalAdWarsRetrospective2017,
|
||||||
@ -637,6 +644,13 @@
|
|||||||
month = may,
|
month = may,
|
||||||
pages = {737--744},
|
pages = {737--744},
|
||||||
abstract = {Through a variety of means, including a range of browser cache methods and inspecting the color of a visited hyperlink, client-side browser state can be exploited to track users against their wishes. This tracking is possible because persistent, client-side browser state is not properly partitioned on per-site basis in current browsers. We address this problem by refining the general notion of a "same-origin" policy and implementing two browser extensions that enforce this policy on the browser cache and visited links.We also analyze various degrees of cooperation between sites to track users, and show that even if long-term browser state is properly partitioned, it is still possible for sites to use modern web features to bounce users between sites and invisibly engage in cross-domain tracking of their visitors. Cooperative privacy attacks are an unavoidable consequence of all persistent browser state that affects the behavior of the browser, and disabling or frequently expiring this state is the only way to achieve true privacy against colluding parties.},
|
abstract = {Through a variety of means, including a range of browser cache methods and inspecting the color of a visited hyperlink, client-side browser state can be exploited to track users against their wishes. This tracking is possible because persistent, client-side browser state is not properly partitioned on per-site basis in current browsers. We address this problem by refining the general notion of a "same-origin" policy and implementing two browser extensions that enforce this policy on the browser cache and visited links.We also analyze various degrees of cooperation between sites to track users, and show that even if long-term browser state is properly partitioned, it is still possible for sites to use modern web features to bounce users between sites and invisibly engage in cross-domain tracking of their visitors. Cooperative privacy attacks are an unavoidable consequence of all persistent browser state that affects the behavior of the browser, and disabling or frequently expiring this state is the only way to achieve true privacy against colluding parties.},
|
||||||
|
annote = {Cache control directives (ETags)
|
||||||
|
\par
|
||||||
|
Cache timing attacks
|
||||||
|
\par
|
||||||
|
Cached content
|
||||||
|
\par
|
||||||
|
Using web caches to circumvent same-origin policy},
|
||||||
series = {{{WWW}} '06}
|
series = {{{WWW}} '06}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -648,6 +662,9 @@
|
|||||||
year = {2010},
|
year = {2010},
|
||||||
pages = {215--231},
|
pages = {215--231},
|
||||||
abstract = {Web browser history detection using CSS visited styles has long been dismissed as an issue of marginal impact. However, due to recent changes in Web usage patterns, coupled with browser performance improvements, the long-standing issue has now become a significant threat to the privacy of Internet users.In this paper we analyze the impact of CSS-based history detection and demonstrate the feasibility of conducting practical attacks with minimal resources. We analyze Web browser behavior and detectability of content loaded via standard protocols and with various HTTP response codes. We develop an algorithm for efficient examination of large link sets and evaluate its performance in modern browsers. Compared to existing methods our approach is up to 6 times faster, and is able to detect up to 30,000 visited links per second.We present a novel Web application capable of effectively detecting clients' browsing histories and discuss real-world results obtained from 271,576 Internet users. Our results indicate that at least 76\% of Internet users are vulnerable to history detection, including over 94\% of Google Chrome users; for a test of most popular Internet websites we were able to detect, on average, 62.6 (median 22) visited locations per client. We also demonstrate the potential to profile users based on social news stories they visited, and to detect private data such as zipcodes or search queries typed into online forms.},
|
abstract = {Web browser history detection using CSS visited styles has long been dismissed as an issue of marginal impact. However, due to recent changes in Web usage patterns, coupled with browser performance improvements, the long-standing issue has now become a significant threat to the privacy of Internet users.In this paper we analyze the impact of CSS-based history detection and demonstrate the feasibility of conducting practical attacks with minimal resources. We analyze Web browser behavior and detectability of content loaded via standard protocols and with various HTTP response codes. We develop an algorithm for efficient examination of large link sets and evaluate its performance in modern browsers. Compared to existing methods our approach is up to 6 times faster, and is able to detect up to 30,000 visited links per second.We present a novel Web application capable of effectively detecting clients' browsing histories and discuss real-world results obtained from 271,576 Internet users. Our results indicate that at least 76\% of Internet users are vulnerable to history detection, including over 94\% of Google Chrome users; for a test of most popular Internet websites we were able to detect, on average, 62.6 (median 22) visited locations per client. We also demonstrate the potential to profile users based on social news stories they visited, and to detect private data such as zipcodes or search queries typed into online forms.},
|
||||||
|
annote = {Analysis of CSS :visited selector
|
||||||
|
\par
|
||||||
|
Impact of CSS-based history detection},
|
||||||
series = {Lecture {{Notes}} in {{Computer Science}}}
|
series = {Lecture {{Notes}} in {{Computer Science}}}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -660,8 +677,6 @@
|
|||||||
url = {http://arxiv.org/abs/1908.03503},
|
url = {http://arxiv.org/abs/1908.03503},
|
||||||
urldate = {2019-08-14},
|
urldate = {2019-08-14},
|
||||||
abstract = {We introduce a new perspective on the evaluation of privacy, where rights of the data subjects, privacy principles, and usability criteria are intertwined. This new perspective is visually represented through a cube where each of its three axes of variability captures, respectively: principles, rights, and usability criteria. In this way, our model, called Usable Privacy Cube (or UP Cube), brings out two perspectives on privacy: that of the data subjects and that of the controllers/processors. In the long run, the UP Cube is meant to be the model behind a new certification methodology capable of evaluating the usability of privacy. Our research builds on the criteria proposed by the EuroPriSe certification scheme by adding usability criteria to their evaluation. We slightly reorganize the criteria of EuroPriSe to fit with the UP Cube model, i.e., we show how the EuroPriSe can be viewed as a combination of only principles and rights, forming the basis of the UP Cube. Usability criteria are defined based on goals that we extract from the data protection regulations, at the same time considering the needs, goals and characteristics of different types of users and their context of use. The criteria are designed to produce measurements of the level of usability with which the privacy goals of the data protection are reached. Considering usability criteria allows for greater business differentiation, beyond GDPR compliance.},
|
abstract = {We introduce a new perspective on the evaluation of privacy, where rights of the data subjects, privacy principles, and usability criteria are intertwined. This new perspective is visually represented through a cube where each of its three axes of variability captures, respectively: principles, rights, and usability criteria. In this way, our model, called Usable Privacy Cube (or UP Cube), brings out two perspectives on privacy: that of the data subjects and that of the controllers/processors. In the long run, the UP Cube is meant to be the model behind a new certification methodology capable of evaluating the usability of privacy. Our research builds on the criteria proposed by the EuroPriSe certification scheme by adding usability criteria to their evaluation. We slightly reorganize the criteria of EuroPriSe to fit with the UP Cube model, i.e., we show how the EuroPriSe can be viewed as a combination of only principles and rights, forming the basis of the UP Cube. Usability criteria are defined based on goals that we extract from the data protection regulations, at the same time considering the needs, goals and characteristics of different types of users and their context of use. The criteria are designed to produce measurements of the level of usability with which the privacy goals of the data protection are reached. Considering usability criteria allows for greater business differentiation, beyond GDPR compliance.},
|
||||||
archiveprefix = {arXiv},
|
|
||||||
eprintclass = {cs},
|
|
||||||
language = {English}
|
language = {English}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -695,7 +710,8 @@
|
|||||||
year = {2010},
|
year = {2010},
|
||||||
month = sep,
|
month = sep,
|
||||||
url = {https://samy.pl/evercookie/},
|
url = {https://samy.pl/evercookie/},
|
||||||
urldate = {2020-02-20}
|
urldate = {2020-02-20},
|
||||||
|
note = {Accessed 2020-02-20}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{kamkarSamykEvercookie2020,
|
@misc{kamkarSamykEvercookie2020,
|
||||||
@ -705,7 +721,8 @@
|
|||||||
month = feb,
|
month = feb,
|
||||||
url = {https://github.com/samyk/evercookie},
|
url = {https://github.com/samyk/evercookie},
|
||||||
urldate = {2020-02-27},
|
urldate = {2020-02-27},
|
||||||
abstract = {Produces persistent, respawning \"super\" cookies in a browser, abusing over a dozen techniques. Its goal is to identify users after they\&\#39;ve removed standard cookies and other privacy d...}
|
abstract = {Produces persistent, respawning \"super\" cookies in a browser, abusing over a dozen techniques. Its goal is to identify users after they\&\#39;ve removed standard cookies and other privacy d...},
|
||||||
|
note = {Accessed 2020-02-27}
|
||||||
}
|
}
|
||||||
|
|
||||||
@article{karajWhoTracksMeShedding2019,
|
@article{karajWhoTracksMeShedding2019,
|
||||||
@ -717,6 +734,7 @@
|
|||||||
url = {http://arxiv.org/abs/1804.08959},
|
url = {http://arxiv.org/abs/1804.08959},
|
||||||
urldate = {2020-02-05},
|
urldate = {2020-02-05},
|
||||||
abstract = {Online tracking has become of increasing concern in recent years, however our understanding of its extent to date has been limited to snapshots from web crawls. Previous attempts to measure the tracking ecosystem, have been done using instrumented measurement platforms, which are notable to accurately capture how people interact with the web. In this work we present a method for the measurement of tracking in the web through a browser extension, as well as a method for the aggregation and collection of this information which protects the privacy of participants. We deployed this extension to more than 5 million users, enabling measurement across multiple countries, ISPs and browser configurations, to give an accurate picture of real-world tracking. The result is the largest and longest measurement of online tracking to date based on real users, covering 1.5 billion page loads gathered over 12 months. The data, detailing tracking behaviour over a year, is made publicly available to help drive transparency around online tracking practices.},
|
abstract = {Online tracking has become of increasing concern in recent years, however our understanding of its extent to date has been limited to snapshots from web crawls. Previous attempts to measure the tracking ecosystem, have been done using instrumented measurement platforms, which are notable to accurately capture how people interact with the web. In this work we present a method for the measurement of tracking in the web through a browser extension, as well as a method for the aggregation and collection of this information which protects the privacy of participants. We deployed this extension to more than 5 million users, enabling measurement across multiple countries, ISPs and browser configurations, to give an accurate picture of real-world tracking. The result is the largest and longest measurement of online tracking to date based on real users, covering 1.5 billion page loads gathered over 12 months. The data, detailing tracking behaviour over a year, is made publicly available to help drive transparency around online tracking practices.},
|
||||||
|
annote = {Comment: 15 pages, 12 figures},
|
||||||
archivePrefix = {arXiv},
|
archivePrefix = {arXiv},
|
||||||
journal = {arXiv:1804.08959 [cs]},
|
journal = {arXiv:1804.08959 [cs]},
|
||||||
primaryClass = {cs}
|
primaryClass = {cs}
|
||||||
@ -783,6 +801,7 @@
|
|||||||
url = {https://www.rfc-editor.org/info/rfc2109},
|
url = {https://www.rfc-editor.org/info/rfc2109},
|
||||||
urldate = {2020-02-11},
|
urldate = {2020-02-11},
|
||||||
abstract = {This document specifies a way to create a stateful session with HTTP requests and responses. It describes two new headers, Cookie and Set- Cookie, which carry state information between participating origin servers and user agents. The method described here differs from Netscape's Cookie proposal, but it can interoperate with HTTP/1.0 user agents that use Netscape's method.},
|
abstract = {This document specifies a way to create a stateful session with HTTP requests and responses. It describes two new headers, Cookie and Set- Cookie, which carry state information between participating origin servers and user agents. The method described here differs from Netscape's Cookie proposal, but it can interoperate with HTTP/1.0 user agents that use Netscape's method.},
|
||||||
|
note = {Accessed 2020-02-11},
|
||||||
number = {2109},
|
number = {2109},
|
||||||
type = {{{RFC}}}
|
type = {{{RFC}}}
|
||||||
}
|
}
|
||||||
@ -797,6 +816,7 @@
|
|||||||
url = {https://www.rfc-editor.org/info/rfc2965},
|
url = {https://www.rfc-editor.org/info/rfc2965},
|
||||||
urldate = {2020-02-11},
|
urldate = {2020-02-11},
|
||||||
abstract = {This document specifies a way to create a stateful session with Hypertext Transfer Protocol (HTTP) requests and responses.},
|
abstract = {This document specifies a way to create a stateful session with Hypertext Transfer Protocol (HTTP) requests and responses.},
|
||||||
|
note = {Accessed 2020-02-11},
|
||||||
number = {2965},
|
number = {2965},
|
||||||
type = {{{RFC}}}
|
type = {{{RFC}}}
|
||||||
}
|
}
|
||||||
@ -937,7 +957,8 @@
|
|||||||
year = {2020},
|
year = {2020},
|
||||||
month = feb,
|
month = feb,
|
||||||
url = {http://www.man7.org/linux/man-pages/man1/strace.1.html},
|
url = {http://www.man7.org/linux/man-pages/man1/strace.1.html},
|
||||||
urldate = {2020-02-20}
|
urldate = {2020-02-20},
|
||||||
|
note = {Accessed 2020-02-20}
|
||||||
}
|
}
|
||||||
|
|
||||||
@article{mugheesDetectingAdBlockersWild2017,
|
@article{mugheesDetectingAdBlockersWild2017,
|
||||||
@ -956,7 +977,8 @@
|
|||||||
year = {2010},
|
year = {2010},
|
||||||
month = may,
|
month = may,
|
||||||
url = {https://web.archive.org/web/20100529122655/http://netflix.mediaroom.com/index.php?s=43\&item=288},
|
url = {https://web.archive.org/web/20100529122655/http://netflix.mediaroom.com/index.php?s=43\&item=288},
|
||||||
urldate = {2020-02-20}
|
urldate = {2020-02-20},
|
||||||
|
note = {Accessed 2020-02-20}
|
||||||
}
|
}
|
||||||
|
|
||||||
@article{oatesTurtlesLocksBathrooms2018,
|
@article{oatesTurtlesLocksBathrooms2018,
|
||||||
@ -1022,14 +1044,16 @@
|
|||||||
year = {2018},
|
year = {2018},
|
||||||
month = jun,
|
month = jun,
|
||||||
url = {https://2019.www.torproject.org/projects/torbrowser/design/},
|
url = {https://2019.www.torproject.org/projects/torbrowser/design/},
|
||||||
urldate = {2020-07-15}
|
urldate = {2020-07-15},
|
||||||
|
note = {Accessed 2020-07-15}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{PersistenceServiceJNLPAPI2015,
|
@misc{PersistenceServiceJNLPAPI2015,
|
||||||
title = {{{PersistenceService}} ({{JNLP API Reference}} 1.7.0\_95)},
|
title = {{{PersistenceService}} ({{JNLP API Reference}} 1.7.0\_95)},
|
||||||
year = {2015},
|
year = {2015},
|
||||||
url = {https://docs.oracle.com/javase/7/docs/jre/api/javaws/jnlp/javax/jnlp/PersistenceService.html},
|
url = {https://docs.oracle.com/javase/7/docs/jre/api/javaws/jnlp/javax/jnlp/PersistenceService.html},
|
||||||
urldate = {2020-02-20}
|
urldate = {2020-02-20},
|
||||||
|
note = {Accessed 2020-02-20}
|
||||||
}
|
}
|
||||||
|
|
||||||
@inproceedings{pujolAnnoyedUsersAds2015,
|
@inproceedings{pujolAnnoyedUsersAds2015,
|
||||||
@ -1051,7 +1075,7 @@
|
|||||||
urldate = {2020-02-08},
|
urldate = {2020-02-08},
|
||||||
abstract = {There are privacy and security risks associated with the Referer HTTP header. This article describes them, and offers advice on mitigating those risks.},
|
abstract = {There are privacy and security risks associated with the Referer HTTP header. This article describes them, and offers advice on mitigating those risks.},
|
||||||
journal = {MDN Web Docs},
|
journal = {MDN Web Docs},
|
||||||
language = {en}
|
note = {Accessed 2020-02-08}
|
||||||
}
|
}
|
||||||
|
|
||||||
@inproceedings{reznichenkoAuctionsDonottrackCompliant2011,
|
@inproceedings{reznichenkoAuctionsDonottrackCompliant2011,
|
||||||
@ -1094,6 +1118,7 @@
|
|||||||
year = {2009},
|
year = {2009},
|
||||||
pages = {86--103},
|
pages = {86--103},
|
||||||
abstract = {This paper explores the problem of tracking information flow in dynamic tree structures. Motivated by the problem of manipulating the Document Object Model (DOM) trees by browser-run client-side scripts, we address the dynamic nature of interactions via tree structures. We present a runtime enforcement mechanism that monitors this interaction and prevents a range of attacks, some of them missed by previous approaches, that exploit the tree structure in order to transfer sensitive information. We formalize our approach for a simple language with DOM-like tree operations and show that the monitor prevents scripts from disclosing secrets.},
|
abstract = {This paper explores the problem of tracking information flow in dynamic tree structures. Motivated by the problem of manipulating the Document Object Model (DOM) trees by browser-run client-side scripts, we address the dynamic nature of interactions via tree structures. We present a runtime enforcement mechanism that monitors this interaction and prevents a range of attacks, some of them missed by previous approaches, that exploit the tree structure in order to transfer sensitive information. We formalize our approach for a simple language with DOM-like tree operations and show that the monitor prevents scripts from disclosing secrets.},
|
||||||
|
annote = {M\"oglicherweise interessant f\"ur window.name Property und allgemeines tracking mit dem Document Object Model},
|
||||||
series = {Lecture {{Notes}} in {{Computer Science}}}
|
series = {Lecture {{Notes}} in {{Computer Science}}}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1117,6 +1142,7 @@
|
|||||||
month = dec,
|
month = dec,
|
||||||
pages = {478--488},
|
pages = {478--488},
|
||||||
abstract = {Cookies were originally introduced as a way to provide state awareness to websites, and are now one of the backbones of the current web. However, their use is not limited to store the login information or to save the current state of user browsing. In several cases, third-party cookies are deliberately used for web tracking, user analytics, and for online advertisement, with the subsequent privacy loss for the end users. However, cookies are not the only technique capable of retrieving the users' browsing history. In fact, history sniffing techniques are capable of tracking the users' browsing history without relying on any specific code in a third-party website, but only on code executed within the visited site. Many sniffing techniques have been proposed to date, but they usually have several limitations and they are not able to differentiate between multiple possible states within the target application. In this paper we propose BakingTimer, a new history sniffing technique based on timing the execution of server-side request processing code. This method is capable of retrieving partial or complete user browsing history, it does not require any permission, and it can be performed through both first and third-party scripts. We studied the impact of our timing side-channel attack to detect prior visits to websites, and discovered that it was capable of detecting the users state in more than half of the 10K websites analyzed, which is the largest test performed to date to test this type of techniques. We additionally performed a manual analysis to check the capabilities of the attack to differentiate between three states: never accessed, accessed and logged in. Moreover, we performed a set of stability tests, to verify that our time measurements are robust with respect to changes both in the network RTT and in the servers workload.},
|
abstract = {Cookies were originally introduced as a way to provide state awareness to websites, and are now one of the backbones of the current web. However, their use is not limited to store the login information or to save the current state of user browsing. In several cases, third-party cookies are deliberately used for web tracking, user analytics, and for online advertisement, with the subsequent privacy loss for the end users. However, cookies are not the only technique capable of retrieving the users' browsing history. In fact, history sniffing techniques are capable of tracking the users' browsing history without relying on any specific code in a third-party website, but only on code executed within the visited site. Many sniffing techniques have been proposed to date, but they usually have several limitations and they are not able to differentiate between multiple possible states within the target application. In this paper we propose BakingTimer, a new history sniffing technique based on timing the execution of server-side request processing code. This method is capable of retrieving partial or complete user browsing history, it does not require any permission, and it can be performed through both first and third-party scripts. We studied the impact of our timing side-channel attack to detect prior visits to websites, and discovered that it was capable of detecting the users state in more than half of the 10K websites analyzed, which is the largest test performed to date to test this type of techniques. We additionally performed a manual analysis to check the capabilities of the attack to differentiate between three states: never accessed, accessed and logged in. Moreover, we performed a set of stability tests, to verify that our time measurements are robust with respect to changes both in the network RTT and in the servers workload.},
|
||||||
|
annote = {Timing attack using processing time on the server side},
|
||||||
series = {{{ACSAC}} '19}
|
series = {{{ACSAC}} '19}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1153,9 +1179,7 @@
|
|||||||
month = jul,
|
month = jul,
|
||||||
url = {http://arxiv.org/abs/1607.07403},
|
url = {http://arxiv.org/abs/1607.07403},
|
||||||
urldate = {2019-08-14},
|
urldate = {2019-08-14},
|
||||||
abstract = {We perform a large-scale analysis of third-party trackers on the World Wide Web. We extract third-party embeddings from more than 3.5 billion web pages of the CommonCrawl 2012 corpus, and aggregate those to a dataset containing more than 140 million third-party embeddings in over 41 million domains. To the best of our knowledge, this constitutes the largest empirical web tracking dataset collected so far, and exceeds related studies by more than an order of magnitude in the number of domains and web pages analyzed.},
|
abstract = {We perform a large-scale analysis of third-party trackers on the World Wide Web. We extract third-party embeddings from more than 3.5 billion web pages of the CommonCrawl 2012 corpus, and aggregate those to a dataset containing more than 140 million third-party embeddings in over 41 million domains. To the best of our knowledge, this constitutes the largest empirical web tracking dataset collected so far, and exceeds related studies by more than an order of magnitude in the number of domains and web pages analyzed.}
|
||||||
archiveprefix = {arXiv},
|
|
||||||
eprintclass = {cs}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{SilverlightEndSupport2015,
|
@misc{SilverlightEndSupport2015,
|
||||||
@ -1163,7 +1187,8 @@
|
|||||||
year = {2015},
|
year = {2015},
|
||||||
month = jul,
|
month = jul,
|
||||||
url = {https://support.microsoft.com/en-us/help/4511036/silverlight-end-of-support},
|
url = {https://support.microsoft.com/en-us/help/4511036/silverlight-end-of-support},
|
||||||
urldate = {2020-02-20}
|
urldate = {2020-02-20},
|
||||||
|
note = {Accessed 2020-02-20}
|
||||||
}
|
}
|
||||||
|
|
||||||
@inproceedings{sirurAreWeThere2018,
|
@inproceedings{sirurAreWeThere2018,
|
||||||
@ -1185,9 +1210,7 @@
|
|||||||
month = jul,
|
month = jul,
|
||||||
url = {http://arxiv.org/abs/1907.12860},
|
url = {http://arxiv.org/abs/1907.12860},
|
||||||
urldate = {2019-08-14},
|
urldate = {2019-08-14},
|
||||||
abstract = {Websites are constantly adapting the methods used, and intensity with which they track online visitors. However, the wide-range enforcement of GDPR since one year ago (May 2018) forced websites serving EU-based online visitors to eliminate or at least reduce such tracking activity, given they receive proper user consent. erefore, it is important to record and analyze the evolution of this tracking activity and assess the overall ``privacy health'' of the Web ecosystem and if it is be er a er GDPR enforcement. is work makes a significant step towards this direction. In this paper, we analyze the online ecosystem of 3rd-parties embedded in top websites which amass the majority of online tracking through 6 time snapshots taken every few months apart, in the duration of the last 2 years. We perform this analysis in three ways: 1) by looking into the network activity that 3rd-parties impose on each publisher hosting them, 2) by constructing a bipartite graph of ``publisher-to-tracker'', connecting 3rd parties with their publishers, 3) by constructing a ``tracker-to-tracker'' graph connecting 3rd-parties who are commonly found in publishers. We record significant changes through time in number of trackers, traffic induced in publishers (incoming vs. outgoing), embeddedness of trackers in publishers, popularity and mixture of trackers across publishers. We also report how such measures compare with the ranking of publishers based on Alexa. On the last level of our analysis, we dig deeper and look into the connectivity of trackers with each other and how this relates to potential cookie synchronization activity.},
|
abstract = {Websites are constantly adapting the methods used, and intensity with which they track online visitors. However, the wide-range enforcement of GDPR since one year ago (May 2018) forced websites serving EU-based online visitors to eliminate or at least reduce such tracking activity, given they receive proper user consent. erefore, it is important to record and analyze the evolution of this tracking activity and assess the overall ``privacy health'' of the Web ecosystem and if it is be er a er GDPR enforcement. is work makes a significant step towards this direction. In this paper, we analyze the online ecosystem of 3rd-parties embedded in top websites which amass the majority of online tracking through 6 time snapshots taken every few months apart, in the duration of the last 2 years. We perform this analysis in three ways: 1) by looking into the network activity that 3rd-parties impose on each publisher hosting them, 2) by constructing a bipartite graph of ``publisher-to-tracker'', connecting 3rd parties with their publishers, 3) by constructing a ``tracker-to-tracker'' graph connecting 3rd-parties who are commonly found in publishers. We record significant changes through time in number of trackers, traffic induced in publishers (incoming vs. outgoing), embeddedness of trackers in publishers, popularity and mixture of trackers across publishers. We also report how such measures compare with the ranking of publishers based on Alexa. On the last level of our analysis, we dig deeper and look into the connectivity of trackers with each other and how this relates to potential cookie synchronization activity.}
|
||||||
archiveprefix = {arXiv},
|
|
||||||
eprintclass = {cs}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@techreport{soltaniFlashCookiesPrivacy2009,
|
@techreport{soltaniFlashCookiesPrivacy2009,
|
||||||
@ -1199,6 +1222,7 @@
|
|||||||
url = {https://papers.ssrn.com/abstract=1446862},
|
url = {https://papers.ssrn.com/abstract=1446862},
|
||||||
urldate = {2020-02-13},
|
urldate = {2020-02-13},
|
||||||
abstract = {This is a pilot study of the use of 'Flash cookies' by popular websites. We find that more than 50\% of the sites in our sample are using flash cookies to store information about the user. Some are using it to 'respawn' or re-instantiate HTTP cookies deleted by the user. Flash cookies often share the same values as HTTP cookies, and are even used on government websites to assign unique values to users. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking.},
|
abstract = {This is a pilot study of the use of 'Flash cookies' by popular websites. We find that more than 50\% of the sites in our sample are using flash cookies to store information about the user. Some are using it to 'respawn' or re-instantiate HTTP cookies deleted by the user. Flash cookies often share the same values as HTTP cookies, and are even used on government websites to assign unique values to users. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking.},
|
||||||
|
note = {Accessed 2020-02-13},
|
||||||
number = {ID 1446862},
|
number = {ID 1446862},
|
||||||
type = {{{SSRN Scholarly Paper}}}
|
type = {{{SSRN Scholarly Paper}}}
|
||||||
}
|
}
|
||||||
@ -1210,9 +1234,7 @@
|
|||||||
month = mar,
|
month = mar,
|
||||||
url = {http://arxiv.org/abs/1703.07578},
|
url = {http://arxiv.org/abs/1703.07578},
|
||||||
urldate = {2019-08-14},
|
urldate = {2019-08-14},
|
||||||
abstract = {Third party tracking is the practice by which third parties recognize users accross different websites as they browse the web. Recent studies show that 90\% of websites contain third party content that is tracking its users across the web. Website developers often need to include third party content in order to provide basic functionality. However, when a developer includes a third party content, she cannot know whether the third party contains tracking mechanisms. If a website developer wants to protect her users from being tracked, the only solution is to exclude any third-party content, thus trading functionality for privacy.},
|
abstract = {Third party tracking is the practice by which third parties recognize users accross different websites as they browse the web. Recent studies show that 90\% of websites contain third party content that is tracking its users across the web. Website developers often need to include third party content in order to provide basic functionality. However, when a developer includes a third party content, she cannot know whether the third party contains tracking mechanisms. If a website developer wants to protect her users from being tracked, the only solution is to exclude any third-party content, thus trading functionality for privacy.}
|
||||||
archiveprefix = {arXiv},
|
|
||||||
eprintclass = {cs}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{soudersAnnouncingHTTPArchive2011,
|
@misc{soudersAnnouncingHTTPArchive2011,
|
||||||
@ -1223,6 +1245,7 @@
|
|||||||
url = {https://www.stevesouders.com/blog/2011/03/30/announcing-the-http-archive/},
|
url = {https://www.stevesouders.com/blog/2011/03/30/announcing-the-http-archive/},
|
||||||
urldate = {2020-03-22},
|
urldate = {2020-03-22},
|
||||||
journal = {stevesouders.com},
|
journal = {stevesouders.com},
|
||||||
|
note = {Accessed 2020-03-22},
|
||||||
type = {Blog}
|
type = {Blog}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1243,7 +1266,8 @@
|
|||||||
url = {https://www.startpage.com},
|
url = {https://www.startpage.com},
|
||||||
urldate = {2020-07-10},
|
urldate = {2020-07-10},
|
||||||
abstract = {Startpage.com delivers online tools that help you to stay in control of your personal information and protect your online privacy.},
|
abstract = {Startpage.com delivers online tools that help you to stay in control of your personal information and protect your online privacy.},
|
||||||
journal = {www.startpage.com}
|
journal = {www.startpage.com},
|
||||||
|
note = {Accessed 2020-07-10}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{statcounterSearchEngineMarket,
|
@misc{statcounterSearchEngineMarket,
|
||||||
@ -1252,7 +1276,8 @@
|
|||||||
url = {https://gs.statcounter.com/search-engine-market-share},
|
url = {https://gs.statcounter.com/search-engine-market-share},
|
||||||
urldate = {2020-07-10},
|
urldate = {2020-07-10},
|
||||||
abstract = {This graph shows the market share of search engines worldwide based on over 10 billion monthly page views.},
|
abstract = {This graph shows the market share of search engines worldwide based on over 10 billion monthly page views.},
|
||||||
journal = {StatCounter Global Stats}
|
journal = {StatCounter Global Stats},
|
||||||
|
note = {Accessed 2020-07-10}
|
||||||
}
|
}
|
||||||
|
|
||||||
@article{syQUICLookWeb2019,
|
@article{syQUICLookWeb2019,
|
||||||
@ -1285,6 +1310,7 @@
|
|||||||
month = apr,
|
month = apr,
|
||||||
pages = {85--86},
|
pages = {85--86},
|
||||||
abstract = {Over the last decade, the number of devices per person has increased substantially. This poses a challenge for cookie-based personalization applications, such as online search and advertising, as it narrows the personalization signal to a single device environment. A key task is to find which cookies belong to the same person to recover a complete cross-device user journey. Recent work on the topic has shown the benefits of using unsupervised embeddings learned on user event sequences. In this paper, we extend this approach to a supervised setting and introduce the Siamese Cookie Embedding Network (SCEmNet), a siamese convolutional architecture that leverages the multi-modal aspect of sequences, and show significant improvement over the state-of-the-art.},
|
abstract = {Over the last decade, the number of devices per person has increased substantially. This poses a challenge for cookie-based personalization applications, such as online search and advertising, as it narrows the personalization signal to a single device environment. A key task is to find which cookies belong to the same person to recover a complete cross-device user journey. Recent work on the topic has shown the benefits of using unsupervised embeddings learned on user event sequences. In this paper, we extend this approach to a supervised setting and introduce the Siamese Cookie Embedding Network (SCEmNet), a siamese convolutional architecture that leverages the multi-modal aspect of sequences, and show significant improvement over the state-of-the-art.},
|
||||||
|
annote = {Verwendbar f\"ur Future Tracking Ecosystem Developments},
|
||||||
series = {{{WWW}} '18}
|
series = {{{WWW}} '18}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1296,7 +1322,8 @@
|
|||||||
url = {https://github.com/asciimoo/searx},
|
url = {https://github.com/asciimoo/searx},
|
||||||
urldate = {2020-07-10},
|
urldate = {2020-07-10},
|
||||||
abstract = {Privacy-respecting metasearch engine. Contribute to asciimoo/searx development by creating an account on GitHub.},
|
abstract = {Privacy-respecting metasearch engine. Contribute to asciimoo/searx development by creating an account on GitHub.},
|
||||||
copyright = {AGPL-3.0 License , AGPL-3.0 License}
|
copyright = {AGPL-3.0 License , AGPL-3.0 License},
|
||||||
|
note = {Accessed 2020-07-10}
|
||||||
}
|
}
|
||||||
|
|
||||||
@article{trevisanYearsEUCookie2019,
|
@article{trevisanYearsEUCookie2019,
|
||||||
@ -1320,8 +1347,6 @@
|
|||||||
url = {http://arxiv.org/abs/1811.08660},
|
url = {http://arxiv.org/abs/1811.08660},
|
||||||
urldate = {2019-08-14},
|
urldate = {2019-08-14},
|
||||||
abstract = {The European General Data Protection Regulation (GDPR), which went into effect in May 2018, leads to important changes in this area: companies are now required to ask for users' consent before collecting and sharing personal data and by law users now have the right to gain access to the personal information collected about them. In this paper, we study and evaluate the effect of the GDPR on the online advertising ecosystem. In a first step, we measure the impact of the legislation on the connections (regarding cookie syncing) between third-parties and show that the general structure how the entities are arranged is not affected by the GDPR. However, we find that the new regulation has a statistically significant impact on the number of connections, which shrinks by around 40\%. Furthermore, we analyze the right to data portability by evaluating the subject access right process of popular companies in this ecosystem and observe differences between the processes implemented by the companies and how they interpret the new legislation. We exercised our right of access under GDPR with 36 companies that had tracked us online. Although 32 companies (89\%) we inquired replied within the period defined by law, only 21 (58\%) finished the process by the deadline set in the GDPR. Our work has implications regarding the implementation of privacy law as well as what online tracking companies should do to be more compliant with the new regulation.},
|
abstract = {The European General Data Protection Regulation (GDPR), which went into effect in May 2018, leads to important changes in this area: companies are now required to ask for users' consent before collecting and sharing personal data and by law users now have the right to gain access to the personal information collected about them. In this paper, we study and evaluate the effect of the GDPR on the online advertising ecosystem. In a first step, we measure the impact of the legislation on the connections (regarding cookie syncing) between third-parties and show that the general structure how the entities are arranged is not affected by the GDPR. However, we find that the new regulation has a statistically significant impact on the number of connections, which shrinks by around 40\%. Furthermore, we analyze the right to data portability by evaluating the subject access right process of popular companies in this ecosystem and observe differences between the processes implemented by the companies and how they interpret the new legislation. We exercised our right of access under GDPR with 36 companies that had tracked us online. Although 32 companies (89\%) we inquired replied within the period defined by law, only 21 (58\%) finished the process by the deadline set in the GDPR. Our work has implications regarding the implementation of privacy law as well as what online tracking companies should do to be more compliant with the new regulation.},
|
||||||
archiveprefix = {arXiv},
|
|
||||||
eprintclass = {cs},
|
|
||||||
language = {English}
|
language = {English}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1334,6 +1359,9 @@
|
|||||||
month = oct,
|
month = oct,
|
||||||
pages = {1382--1393},
|
pages = {1382--1393},
|
||||||
abstract = {Web-based timing attacks have been known for over a decade, and it has been shown that, under optimal network conditions, an adversary can use such an attack to obtain information on the state of a user in a cross-origin website. In recent years, desktop computers have given way to laptops and mobile devices, which are mostly connected over a wireless or mobile network. These connections often do not meet the optimal conditions that are required to reliably perform cross-site timing attacks. In this paper, we show that modern browsers expose new side-channels that can be used to acquire accurate timing measurements, regardless of network conditions. Using several real-world examples, we introduce four novel web-based timing attacks against modern browsers and describe how an attacker can use them to obtain personal information based on a user's state on a cross-origin website. We evaluate our proposed attacks and demonstrate that they significantly outperform current attacks in terms of speed, reliability, and accuracy. Furthermore, we show that the nature of our attacks renders traditional defenses, i.e., those based on randomly delaying responses, moot and discuss possible server-side defense mechanisms.},
|
abstract = {Web-based timing attacks have been known for over a decade, and it has been shown that, under optimal network conditions, an adversary can use such an attack to obtain information on the state of a user in a cross-origin website. In recent years, desktop computers have given way to laptops and mobile devices, which are mostly connected over a wireless or mobile network. These connections often do not meet the optimal conditions that are required to reliably perform cross-site timing attacks. In this paper, we show that modern browsers expose new side-channels that can be used to acquire accurate timing measurements, regardless of network conditions. Using several real-world examples, we introduce four novel web-based timing attacks against modern browsers and describe how an attacker can use them to obtain personal information based on a user's state on a cross-origin website. We evaluate our proposed attacks and demonstrate that they significantly outperform current attacks in terms of speed, reliability, and accuracy. Furthermore, we show that the nature of our attacks renders traditional defenses, i.e., those based on randomly delaying responses, moot and discuss possible server-side defense mechanisms.},
|
||||||
|
annote = {CSS:visited property for link differentiation
|
||||||
|
\par
|
||||||
|
Timing attacks over wireless networks},
|
||||||
series = {{{CCS}} '15}
|
series = {{{CCS}} '15}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1367,7 +1395,8 @@
|
|||||||
urldate = {2020-02-09},
|
urldate = {2020-02-09},
|
||||||
abstract = {This specification defines the Document Object Model Level 1, a platform- and language-neutral interface that allows programs and scripts to dynamically access and update the content, structure and style of documents. The Document Object Model provides a standard set of objects for representing HTML and XML documents, a standard model of how these objects can be combined, and a standard interface for accessing and manipulating them. Vendors can support the DOM as an interface to their proprietary data structures and APIs, and content authors can write to the standard DOM interfaces rather than product-specific APIs, thus increasing interoperability on the Web.
|
abstract = {This specification defines the Document Object Model Level 1, a platform- and language-neutral interface that allows programs and scripts to dynamically access and update the content, structure and style of documents. The Document Object Model provides a standard set of objects for representing HTML and XML documents, a standard model of how these objects can be combined, and a standard interface for accessing and manipulating them. Vendors can support the DOM as an interface to their proprietary data structures and APIs, and content authors can write to the standard DOM interfaces rather than product-specific APIs, thus increasing interoperability on the Web.
|
||||||
|
|
||||||
The goal of the DOM specification is to define a programmatic interface for XML and HTML. The DOM Level 1 specification is separated into two parts: Core and HTML. The Core DOM Level 1 section provides a low-level set of fundamental interfaces that can represent any structured document, as well as defining extended interfaces for representing an XML document. These extended XML interfaces need not be implemented by a DOM implementation that only provides access to HTML documents; all of the fundamental interfaces in the Core section must be implemented. A compliant DOM implementation that implements the extended XML interfaces is required to also implement the fundamental Core interfaces, but not the HTML interfaces. The HTML Level 1 section provides additional, higher-level interfaces that are used with the fundamental interfaces defined in the Core Level 1 section to provide a more convenient view of an HTML document. A compliant implementation of the HTML DOM implements all of the fundamental Core interfaces as well as the HTML interfaces.}
|
The goal of the DOM specification is to define a programmatic interface for XML and HTML. The DOM Level 1 specification is separated into two parts: Core and HTML. The Core DOM Level 1 section provides a low-level set of fundamental interfaces that can represent any structured document, as well as defining extended interfaces for representing an XML document. These extended XML interfaces need not be implemented by a DOM implementation that only provides access to HTML documents; all of the fundamental interfaces in the Core section must be implemented. A compliant DOM implementation that implements the extended XML interfaces is required to also implement the fundamental Core interfaces, but not the HTML interfaces. The HTML Level 1 section provides additional, higher-level interfaces that are used with the fundamental interfaces defined in the Core Level 1 section to provide a more convenient view of an HTML document. A compliant implementation of the HTML DOM implements all of the fundamental Core interfaces as well as the HTML interfaces.},
|
||||||
|
note = {Accessed 2020-02-09}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{w3cTrackingPreferenceExpression2019,
|
@misc{w3cTrackingPreferenceExpression2019,
|
||||||
@ -1376,7 +1405,8 @@ The goal of the DOM specification is to define a programmatic interface for XML
|
|||||||
year = {2019},
|
year = {2019},
|
||||||
month = jan,
|
month = jan,
|
||||||
url = {https://www.w3.org/TR/tracking-dnt/},
|
url = {https://www.w3.org/TR/tracking-dnt/},
|
||||||
urldate = {2020-07-09}
|
urldate = {2020-07-09},
|
||||||
|
note = {Accessed 2020-07-09}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{w3techsHistoricalYearlyTrends2020,
|
@misc{w3techsHistoricalYearlyTrends2020,
|
||||||
@ -1385,7 +1415,8 @@ The goal of the DOM specification is to define a programmatic interface for XML
|
|||||||
year = {2020},
|
year = {2020},
|
||||||
month = feb,
|
month = feb,
|
||||||
url = {https://w3techs.com/technologies/history_overview/client_side_language/all/y},
|
url = {https://w3techs.com/technologies/history_overview/client_side_language/all/y},
|
||||||
urldate = {2020-02-17}
|
urldate = {2020-02-17},
|
||||||
|
note = {Accessed 2020-02-17}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{w3techsUsageStatisticsSilverlight2020,
|
@misc{w3techsUsageStatisticsSilverlight2020,
|
||||||
@ -1394,7 +1425,8 @@ The goal of the DOM specification is to define a programmatic interface for XML
|
|||||||
year = {2020},
|
year = {2020},
|
||||||
month = feb,
|
month = feb,
|
||||||
url = {https://w3techs.com/technologies/details/cp-silverlight},
|
url = {https://w3techs.com/technologies/details/cp-silverlight},
|
||||||
urldate = {2020-02-20}
|
urldate = {2020-02-20},
|
||||||
|
note = {Accessed 2020-02-20}
|
||||||
}
|
}
|
||||||
|
|
||||||
@inproceedings{wachsPushAwayYour2018,
|
@inproceedings{wachsPushAwayYour2018,
|
||||||
@ -1427,7 +1459,8 @@ The goal of the DOM specification is to define a programmatic interface for XML
|
|||||||
year = {2020},
|
year = {2020},
|
||||||
month = feb,
|
month = feb,
|
||||||
url = {https://dom.spec.whatwg.org/},
|
url = {https://dom.spec.whatwg.org/},
|
||||||
urldate = {2020-02-09}
|
urldate = {2020-02-09},
|
||||||
|
note = {Accessed 2020-02-09}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{whatwgHTMLStandard2020,
|
@misc{whatwgHTMLStandard2020,
|
||||||
@ -1436,7 +1469,8 @@ The goal of the DOM specification is to define a programmatic interface for XML
|
|||||||
year = {2020},
|
year = {2020},
|
||||||
month = feb,
|
month = feb,
|
||||||
url = {https://html.spec.whatwg.org/},
|
url = {https://html.spec.whatwg.org/},
|
||||||
urldate = {2020-02-20}
|
urldate = {2020-02-20},
|
||||||
|
note = {Accessed 2020-02-20}
|
||||||
}
|
}
|
||||||
|
|
||||||
@misc{whatwgHTMLStandard2020a,
|
@misc{whatwgHTMLStandard2020a,
|
||||||
@ -1445,7 +1479,8 @@ The goal of the DOM specification is to define a programmatic interface for XML
|
|||||||
year = {2020},
|
year = {2020},
|
||||||
month = feb,
|
month = feb,
|
||||||
url = {https://html.spec.whatwg.org/\#disk-space-2},
|
url = {https://html.spec.whatwg.org/\#disk-space-2},
|
||||||
urldate = {2020-02-27}
|
urldate = {2020-02-27},
|
||||||
|
note = {Accessed 2020-02-27}
|
||||||
}
|
}
|
||||||
|
|
||||||
@inproceedings{wondracekPracticalAttackDeanonymize2010,
|
@inproceedings{wondracekPracticalAttackDeanonymize2010,
|
||||||
@ -1455,7 +1490,8 @@ The goal of the DOM specification is to define a programmatic interface for XML
|
|||||||
year = {2010},
|
year = {2010},
|
||||||
month = may,
|
month = may,
|
||||||
pages = {223--238},
|
pages = {223--238},
|
||||||
abstract = {Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates and have millions of registered users. In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is sufficient to uniquely identify this person, or, at least, to significantly reduce the set of possible candidates. That is, rather than tracking a user's browser as with cookies, it is possible to track a person. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors. The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable.}
|
abstract = {Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates and have millions of registered users. In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is sufficient to uniquely identify this person, or, at least, to significantly reduce the set of possible candidates. That is, rather than tracking a user's browser as with cookies, it is possible to track a person. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors. The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable.},
|
||||||
|
annote = {Demonstrates impact of history stealing attacks on user privacy}
|
||||||
}
|
}
|
||||||
|
|
||||||
@inproceedings{xuUCognitoPrivateBrowsing2015,
|
@inproceedings{xuUCognitoPrivateBrowsing2015,
|
||||||
|
|||||||
@ -44,6 +44,8 @@
|
|||||||
\setpnumwidth{2.5em} % Avoid overfull hboxes in the table of contents (see memoir manual).
|
\setpnumwidth{2.5em} % Avoid overfull hboxes in the table of contents (see memoir manual).
|
||||||
\setsecnumdepth{subsection} % Enumerate subsections.
|
\setsecnumdepth{subsection} % Enumerate subsections.
|
||||||
|
|
||||||
|
\renewcommand{\baselinestretch}{1.1}
|
||||||
|
|
||||||
\definecolor{light-gray}{gray}{0.95} % Define colour for minted code snippets
|
\definecolor{light-gray}{gray}{0.95} % Define colour for minted code snippets
|
||||||
|
|
||||||
\nonzeroparskip % Create space between paragraphs (optional).
|
\nonzeroparskip % Create space between paragraphs (optional).
|
||||||
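Review bot: The added `\renewcommand{\baselinestretch}{1.1}` is the only line in this run of preamble settings without a trailing comment, and it changes line spacing in a commit whose title is about access dates for URLs. A short comment on that line would keep the reason for the value in the file rather than in someone's memory. The neighbouring commands (`\setpnumwidth`, `\setsecnumdepth`, `\nonzeroparskip`) are memoir's, so the class's own spacing interface would read more consistently than redefining the kernel macro, for example `\setSingleSpacing{1.1} % Slightly increase line spacing for readability.`, assuming the document class is indeed memoir. The preamble continues outside this hunk, so it is worth checking that no later spacing command overrides this value.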
|
|||||||