Helei Cui,Yajin Zhou,Cong Wang,Xinyu Wang,Yuefeng Du,Qian Wang

DOI: https://doi.org/10.1109/tdsc.2019.2937783

2020-01-01

Abstract:Safe Browsing (SB) is an important security feature in modern web browsers to help detect new unsafe websites. Although useful, recent studies have pointed out that the widely adopted SB services, such as Google Safe Browsing and Microsoft SmartScreen, can raise privacy concerns since users' browsing history might be subject to unauthorized leakage to service providers. In this paper, we present a Privacy-Preserving Safe Browsing (PPSB) platform. It bridges the browser that uses the service and the third-party blacklist providers who provide unsafe URLs, with the guaranteed privacy of users and blacklist providers. Particularly, in PPSB, the actual URL to be checked, as well as its associated hashes or hash prefixes, never leave the browser in cleartext. This protects the user's browsing history from being directly leaked or indirectly inferred. Moreover, these lists of unsafe URLs, the most valuable asset for the blacklist providers, are always encrypted and kept private within our platform. Extensive evaluations using real datasets (with over 1 million unsafe URLs) demonstrate that our prototype can function as intended without sacrificing normal user experience, and block unsafe URLs at the millisecond level. All resources, including Chrome extension, Docker image, and source code, are available for public use.

Ruba Abu-Salma,Benjamin Livshits

DOI: https://doi.org/10.48550/arXiv.1811.08460

2019-06-03

Abstract:Nowadays, all major web browsers have a private browsing mode. However, the mode's benefits and limitations are not particularly understood. Through the use of survey studies, prior work has found that most users are either unaware of private browsing or do not use it. Further, those who do use private browsing generally have misconceptions about what protection it provides. However, prior work has not investigated \emph{why} users misunderstand the benefits and limitations of private browsing. In this work, we do so by designing and conducting a three-part study: (1) an analytical approach combining cognitive walkthrough and heuristic evaluation to inspect the user interface of private mode in different browsers; (2) a qualitative, interview-based study to explore users' mental models of private browsing and its security goals; (3) a participatory design study to investigate why existing browser disclosures, the in-browser explanations of private browsing mode, do not communicate the security goals of private browsing to users. Participants critiqued the browser disclosures of three web browsers: Brave, Firefox, and Google Chrome, and then designed new ones. We find that the user interface of private mode in different web browsers violates several well-established design guidelines and heuristics. Further, most participants had incorrect mental models of private browsing, influencing their understanding and usage of private mode. Additionally, we find that existing browser disclosures are not only vague, but also misleading. None of the three studied browser disclosures communicates or explains the primary security goal of private browsing. Drawing from the results of our user study, we extract a set of design recommendations that we encourage browser designers to validate, in order to design more effective and informative browser disclosures related to private mode.

Human-Computer Interaction

Yuxi Ling,Kailong Wang,Guangdong Bai,Haoyu Wang,Jin Song Dong

DOI: https://doi.org/10.1145/3551349.3560436

2022-01-01

Abstract:Browser extensions have emerged as integrated characteristics in modern browsers, with the aim to boost the online browsing experience. Their advantageous position between a user and the Internet endows them with easy access to the user's sensitive data, which has raised mounting privacy concerns from both legislators and extension users. In this work, we propose an end-to-end approach to automatically diagnosing the privacy compliance violations among extensions. It analyzes the compliance of privacy policy versus regulation requirements and their actual privacy-related practices during runtime. This approach can serve the extension users, developers and store operators as an efficient and practical detection mechanism for privacy compliance violations. Our approach utilizes the state-of-the-art language processing model BERT for annotating the policy texts, and a hybrid technique to analyze an extension's source code and runtime behavior. To facilitate the model training, we construct a corpus named PrivAud-100 which contains 100 manually annotated privacy policies. Our large-scale diagnostic evaluation reveals that the vast majority of existing extensions suffer from privacy non-compliance issues. Around 92% of them have at least one violation of either their privacy policies or data collection practices. Based on our findings, we further propose an index to facilitate the filtering and identification of privacy-incompliant extensions with high accuracy (over 90%). Our work should raise the awareness of extension users, service providers, and platform operators, and encourage them to implement solutions toward better privacy compliance. To facilitate future research in this area, we have released our dataset, corpus and analyzer.

Christopher Warren,Eman El-Sheikh,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1710.09598

2017-10-26

Abstract:With the advance of technology, Criminal Justice agencies are being confronted with an increased need to investigate crimes perpetuated partially or entirely over the Internet. These types of crime are known as cybercrimes. In order to conceal illegal online activity, criminals often use private browsing features or browsers designed to provide total browsing privacy. The use of private browsing is a common challenge faced in for example child exploitation investigations, which usually originate on the Internet. Although private browsing features are not designed specifically for criminal activity, they have become a valuable tool for criminals looking to conceal their online activity. As such, Technological Crime units often focus their forensic analysis on thoroughly examining the web history on a computer. Private browsing features and browsers often require a more in-depth, post mortem analysis. This often requires the use of multiple tools, as well as different forensic approaches to uncover incriminating evidence. This evidence may be required in a court of law, where analysts are often challenged both on their findings and on the tools and approaches used to recover evidence. However, there are very few research on evaluating of private browsing in terms of privacy preserving as well as forensic acquisition and analysis of privacy preserving internet browsers. Therefore in this chapter, we firstly review the private mode of popular internet browsers. Next, we describe the forensic acquisition and analysis of Browzar, a privacy preserving internet browser and compare it with other popular internet browsers

Cryptography and Security

Abu Awal Md Shoeb

DOI: https://doi.org/10.48550/arXiv.1802.10523

2018-01-06

Abstract:Web browsers are the most common tool to perform various activities over the internet. Along with normal mode, all modern browsers have private browsing mode. The name of the mode varies from browser to browser but the purpose of the private mode remains same in every browser. In normal browsing mode, the browser keeps track of users' activity and related data such as browsing histories, cookies, auto-filled fields, temporary internet files, etc. In private mode, it is said that no information is stored while browsing or all information is destroyed after closing the current private session. However, some researchers have already disproved this claim by performing various tests in most popular browsers. I have also some personal experience where private mode browsing fails to keep all browsing information as private. In this position paper, I take the position against private browsing. By examining various facts, it is proved that the private browsing mode is not really private as it is claimed; it does not keep everything private. In following sections, I will present the proof to justify my argument. Along with some other already performed research work, I will show my personal case studies and experimental data as well.

Cryptography and Security,Computers and Society

Berk Gulmezoglu,Andreas Zankl,Thomas Eisenbarth,Berk Sunar

DOI: https://doi.org/10.48550/arXiv.1705.04437

2017-05-12

Abstract:The browser history reveals highly sensitive information about users, such as financial status, health conditions, or political views. Private browsing modes and anonymity networks are consequently important tools to preserve the privacy not only of regular users but in particular of whistleblowers and dissidents. Yet, in this work we show how a malicious application can infer opened websites from Google Chrome in Incognito mode and from Tor Browser by exploiting hardware performance events (HPEs). In particular, we analyze the browsers' microarchitectural footprint with the help of advanced Machine Learning techniques: k-th Nearest Neighbors, Decision Trees, Support Vector Machines, and in contrast to previous literature also Convolutional Neural Networks. We profile 40 different websites, 30 of the top Alexa sites and 10 whistleblowing portals, on two machines featuring an Intel and an ARM processor. By monitoring retired instructions, cache accesses, and bus cycles for at most 5 seconds, we manage to classify the selected websites with a success rate of up to 86.3%. The results show that hardware performance events can clearly undermine the privacy of web users. We therefore propose mitigation strategies that impede our attacks and still allow legitimate use of HPEs.

Cryptography and Security

Xiaoyin Liu,Wenzhi Li,Qinsheng Hou,Shishuai Yang,Lingyun Ying,Wenrui Diao,Yanan Li,Shanqing Guo,Hai-Xin Duan

DOI: https://doi.org/10.1145/3589334.3645320

2024-01-01

Abstract:Private browsing is a common feature of web browsers on desktop platforms. This feature protects the privacy of users browsing the Internet and, therefore, is widely welcomed by users. In recent years, with the popularity of smartphones, the private browsing mode has been introduced into mobile browsers. However, its deployment on mobile platforms has not been well evaluated. To bridge the gap, in this work, we systemically studied the private browsing modes of Android browser apps. Specifically, we proposed six private rules for mobile browsers to follow by combining the mobile browsing features with the previous research on private browsing. Furthermore, we designed an automated analysis framework, BroDroid, to detect whether mobile browsers violate these rules. Also, with BroDroid, we evaluated 49 popular browser apps crawled from Google Play. Finally, BroDroid successfully identified 58 violations, some of which come from the promised capabilities of the browser. We reported our discovered issues to the corresponding developers, and four of them (Yandex Browser, Mint Browser, Web Explorer, and Net Fast Web Browser) have acknowledged our findings. Our observation may be the tip of the iceberg, and more efforts should be put into improving the privacy protections of mobile browsers.

Pablo Picazo-Sanchez,Juan Tapiador,Gerardo Schneider

DOI: https://doi.org/10.1007/s10207-019-00481-8

2019-08-06

Abstract:Browser extensions are small applications executed in the browser context that provide additional capabilities and enrich the user experience while surfing the web. The acceptance of extensions in current browsers is unquestionable. For instance, Chrome's official extension repository has more than 63,000 extensions, with some of them having more than 10M users. When installed, extensions are pushed into an internal queue within the browser. The order in which each extension executes depends on a number of factors, including their relative installation times. In this paper, we demonstrate how this order can be exploited by an unprivileged malicious extension (i.e., one with no more permissions than those already assigned when accessing web content) to get access to any private information that other extensions have previously introduced. Our solution does not require modifying the core browser engine as it is implemented as another browser extension. We prove that our approach effectively protects the user against usual attackers (i.e., any other installed extension) as well as against strong attackers having access to the effects of all installed extensions (i.e., knowing who did what). We also prove soundness and robustness of our approach under reasonable assumptions.

Cryptography and Security

Jian Mao,Yue Chen,Futian Shi,Yaoqi Jia,Zhenkai Liang

DOI: https://doi.org/10.3390/s17030464

2017-02-25

Abstract:Web applications have become the foundation of many types of systems, ranging from cloud services to Internet of Things (IoT) systems. Due to the large amount of sensitive data processed by web applications, user privacy emerges as a major concern in web security. Existing protection mechanisms in modern browsers, e.g., the same origin policy, prevent the users' browsing information on one website from being directly accessed by another website. However, web applications executed in the same browser share the same runtime environment. Such shared states provide side channels for malicious websites to indirectly figure out the information of other origins. Timing is a classic side channel and the root cause of many recent attacks, which rely on the variations in the time taken by the systems to process different inputs. In this paper, we propose an approach to expose the timing-based probing attacks in web applications. It monitors the browser behaviors and identifies anomalous timing behaviors to detect browser probing attacks. We have prototyped our system in the Google Chrome browser and evaluated the effectiveness of our approach by using known probing techniques. We have applied our approach on a large number of top Alexa sites and reported the suspicious behavior patterns with corresponding analysis results. Our theoretical analysis illustrates that the effectiveness of the timing-based probing attacks is dramatically limited by our approach.

Gabor Gyorgy Gulyas,Doliere Francis Some,Nataliia Bielova,Claude Castelluccia

DOI: https://doi.org/10.48550/arXiv.1808.07359

2018-08-22

Abstract:Recent works showed that websites can detect browser extensions that users install and websites they are logged into. This poses significant privacy risks, since extensions and Web logins that reflect user's behavior, can be used to uniquely identify users on the Web. This paper reports on the first large-scale behavioral uniqueness study based on 16,393 users who visited our website. We test and detect the presence of 16,743 Chrome extensions, covering 28% of all free Chrome extensions. We also detect whether the user is connected to 60 different websites. We analyze how unique users are based on their behavior, and find out that 54.86% of users that have installed at least one detectable extension are unique; 19.53% of users are unique among those who have logged into one or more detectable websites; and 89.23% are unique among users with at least one extension and one login. We use an advanced fingerprinting algorithm and show that it is possible to identify a user in less than 625 milliseconds by selecting the most unique combinations of extensions. Because privacy extensions contribute to the uniqueness of users, we study the trade-off between the amount of trackers blocked by such extensions and how unique the users of these extensions are. We have found that privacy extensions should be considered more useful than harmful. The paper concludes with possible countermeasures.

Cryptography and Security

Bihui Jin,Heng Li,Ying Zou

2024-04-10

Abstract:Web browsers have been used widely by users to conduct various online activities, such as information seeking or online shopping. To improve user experience and extend the functionality of browsers, practitioners provide mechanisms to allow users to install third-party-provided plugins (i.e., extensions) on their browsers. However, little is known about the performance implications caused by such extensions. In this paper, we conduct an empirical study to understand the impact of extensions on the user-perceived performance (i.e., energy consumption and page load time) of Google Chrome, the most popular browser. We study a total of 72 representative extensions from 11 categories (e.g., Developer Tools and Sports). We observe that browser performance can be negatively impacted by the use of extensions, even when the extensions are used in unintended circumstances (e.g., when logging into an extension is not granted but required, or when an extension is not used for designated websites). We also identify a set of factors that significantly influence the performance impact of extensions, such as code complexity and privacy practices (i.e., collection of user data) adopted by the extensions. Based on our empirical observations, we provide recommendations for developers and users to mitigate the performance impact of browser extensions, such as conducting performance testing and optimization for unintended usage scenarios of extensions, or adhering to proper usage practices of extensions (e.g., logging into an extension when required).

Performance,Human-Computer Interaction,Software Engineering

Anuj Gautam,Tarun Kumar Yadav,Kent Seamons,Scott Ruoti

DOI: https://doi.org/10.48550/arXiv.2402.06159

2024-02-09

Abstract:Password-based authentication faces various security and usability issues. Password managers help alleviate some of these issues by enabling users to manage their passwords effectively. However, malicious client-side scripts and browser extensions can steal passwords after they have been autofilled by the manager into the web page. In this paper, we explore what role the password manager can take in preventing the theft of autofilled credentials without requiring a change to user behavior. To this end, we identify a threat model for password exfiltration and then use this threat model to explore the design space for secure password entry implemented using a password manager. We identify five potential designs that address this issue, each with varying security and deployability tradeoffs. Our analysis shows the design that best balances security and usability is for the manager to autofill a fake password and then rely on the browser to replace the fake password with the actual password immediately before the web request is handed over to the operating system to be transmitted over the network. This removes the ability for malicious client-side scripts or browser extensions to access and exfiltrate the real password. We implement our design in the Firefox browser and conduct experiments, which show that it successfully thwarts malicious scripts and extensions on 97\% of the Alexa top 1000 websites, while also maintaining the capability to revert to default behavior on the remaining websites, avoiding functionality regressions. Most importantly, this design is transparent to users, requiring no change to user behavior.

Cryptography and Security

Liam Tyler,Ivan De Oliveira Nunes

2024-09-19

Abstract:Cookies maintain state across related web traffic. As such, cookies are commonly used for authentication by storing a user's session ID and replacing the need to re-enter credentials in subsequent traffic. These so-called ``session cookies'' are prime targets for attacks that aim to steal them to gain unauthorized access to user accounts. To mitigate these attacks, the Secure and HttpOnly cookie attributes limit a cookie's accessibility from malicious networks and websites. However, these controls overlook browser extensions: third-party HTML/JavaScript add-ons with access to privileged browser APIs and the ability to operate across multiple websites. Thus malicious or compromised extensions can provide unrestricted access to a user's session cookies. In this work, we first analyze the prevalence of extensions with access to ``risky'' APIs (those that enable cookie modification and theft) and find that they have hundreds of millions of users. Motivated by this, we propose a mechanism to protect cookies from malicious extensions by introducing two new cookie attributes: BrowserOnly and Monitored. The BrowserOnly attribute prevents extension access to cookies altogether. While effective, not all cookies can be made inaccessible. Thus cookies with the Monitored attribute remain accessible but are tied to a single browser and any changes made to the cookie are logged. As a result, stolen Monitored cookies are unusable outside their original browser and servers can validate the modifications performed. To demonstrate the proposed functionalities, we design and implement CREAM (Cookie Restrictions for Extension Abuse Mitigation) a modified version of the open-source Chromium browser realizing these controls. Our evaluation indicates that CREAM effectively protects cookies from malicious extensions while incurring little run-time overheads.

Cryptography and Security

Ghazaleh Beigi,Ruocheng Guo,Alexander Nou,Yanchao Zhang,Huan Liu

DOI: https://doi.org/10.48550/arXiv.1811.09340

2018-11-23

Abstract:The overturning of the Internet Privacy Rules by the Federal Communications Commissions (FCC) in late March 2017 allows Internet Service Providers (ISPs) to collect, share and sell their customers' Web browsing data without their consent. With third-party trackers embedded on Web pages, this new rule has put user privacy under more risk. The need arises for users on their own to protect their Web browsing history from any potential adversaries. Although some available solutions such as Tor, VPN, and HTTPS can help users conceal their online activities, their use can also significantly hamper personalized online services, i.e., degraded utility. In this paper, we design an effective Web browsing history anonymization scheme, PBooster, aiming to protect users' privacy while retaining the utility of their Web browsing history. The proposed model pollutes users' Web browsing history by automatically inferring how many and what links should be added to the history while addressing the utility-privacy trade-off challenge. We conduct experiments to validate the quality of the manipulated Web browsing history and examine the robustness of the proposed approach for user privacy protection.

Cryptography and Security,Social and Information Networks

Zhaoyi Fan

DOI: https://doi.org/10.48550/arXiv.1910.07455

2019-10-17

Abstract:Websites are capable of learning a wide range of information about the platform on which a browser is executing. One major source of such information is the set of standardised Application Programming Interfaces (APIs) provided within the browser, which can be accessed by JavaScript downloaded by a website; this information can then either be used by the JavaScript or sent back to the originating site. As has been widely discussed, much of this information can threaten user privacy. The main purpose of this paper is to document a publicly available platform designed to enable further investigation of one class of such threats, namely those based on analysing user behavioural data. The platform has two main components: a Chrome extension that gathers user keystroke and mouse data via browser APIs, and server software that collects and stores this data for subsequent experimentation.

Cryptography and Security

Asmit Nayak,Rishabh Khandelwal,Kassem Fawaz

DOI: https://doi.org/10.48550/arXiv.2308.16321

2023-08-31

Abstract:In this work, we perform a comprehensive analysis of the security of text input fields in web browsers. We find that browsers' coarse-grained permission model violates two security design principles: least privilege and complete mediation. We further uncover two vulnerabilities in input fields, including the alarming discovery of passwords in plaintext within the HTML source code of the web page. To demonstrate the real-world impact of these vulnerabilities, we design a proof-of-concept extension, leveraging techniques from static and dynamic code injection attacks to bypass the web store review process. Our measurements and case studies reveal that these vulnerabilities are prevalent across various websites, with sensitive user information, such as passwords, exposed in the HTML source code of even high-traffic sites like Google and Cloudflare. We find that a significant percentage (12.5\%) of extensions possess the necessary permissions to exploit these vulnerabilities and identify 190 extensions that directly access password fields. Finally, we propose two countermeasures to address these risks: a bolt-on JavaScript package for immediate adoption by website developers allowing them to protect sensitive input fields, and a browser-level solution that alerts users when an extension accesses sensitive input fields. Our research highlights the urgent need for improved security measures to protect sensitive user information online.

Cryptography and Security,Computers and Society

Alan Reed,Mark Scanlon,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1708.01732

2018-01-04

Abstract:Organised crime, as well as individual criminals, is benefiting from the protection of private browsers provide to those who would carry out illegal activity, such as money laundering, drug trafficking, the online exchange of child-abuse material, etc. The protection afforded to users of the Epic Privacy Browser illustrates these benefits. This browser is currently in use in approximately 180 countries worldwide. This paper outlines the location and type of evidence available through live and post-mortem state analyses of the Epic Privacy Browser. This study identifies the manner in which the browser functions during use, where evidence can be recovered after use, as well as the tools and effective presentation of the recovered material.

Cryptography and Security

Rishal Ravikesh Chand,Neeraj Anand Sharma,Muhammad Ashad Kabir

2024-10-16

Abstract:As the use of web browsers continues to grow, the potential for cybercrime and web-related criminal activities also increases. Digital forensic investigators must understand how different browsers function and the critical areas to consider during web forensic analysis. Web forensics, a subfield of digital forensics, involves collecting and analyzing browser artifacts, such as browser history, search keywords, and downloads, which serve as potential evidence. While existing research has provided valuable insights, many studies focus on individual browsing modes or limited forensic scenarios, leaving gaps in understanding the full scope of data retention and recovery across different modes and browsers. This paper addresses these gaps by defining four browsing scenarios and critically analyzing browser artifacts across normal, private, and portable modes using various forensic tools. We define four browsing scenarios to perform a comprehensive evaluation of popular browsers -- Google Chrome, Mozilla Firefox, Brave, Tor, and Microsoft Edge -- by monitoring changes in key data storage areas such as cache files, cookies, browsing history, and local storage across different browsing modes. Overall, this paper contributes to a deeper understanding of browser forensic analysis and identifies key areas for enhancing privacy protection and forensic methodologies.

Cryptography and Security

Peter Story,Daniel Smullen,Yaxing Yao,Alessandro Acquisti,Lorrie Faith Cranor,Norman Sadeh,Florian Schaub

DOI: https://doi.org/10.2478/popets-2021-0049

2021-04-27

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Privacy and security tools can help users protect themselves online. Unfortunately, people are often unaware of such tools, and have potentially harmful misconceptions about the protections provided by the tools they know about. Effectively encouraging the adoption of privacy tools requires insights into people’s tool awareness and understanding. Towards that end, we conducted a demographically-stratified survey of 500 US participants to measure their use of and perceptions about five web browsing-related tools: private browsing, VPNs, Tor Browser, ad blockers, and antivirus software. We asked about participants’ perceptions of the protections provided by these tools across twelve realistic scenarios. Our thematic analysis of participants’ responses revealed diverse forms of misconceptions. Some types of misconceptions were common across tools and scenarios, while others were associated with particular combinations of tools and scenarios. For example, some participants suggested that the privacy protections offered by private browsing, VPNs, and Tor Browser would also protect them from security threats – a misconception that might expose them to preventable risks. We anticipate that our findings will help researchers, tool designers, and privacy advocates educate the public about privacy- and security-enhancing technologies.

Amogh Pradeep,Álvaro Feal,Julien Gamba,Ashwin Rao,Martina Lindorfer,Narseo Vallina-Rodriguez,David Choffnes

DOI: https://doi.org/10.48550/arXiv.2212.03615

2022-12-07

Abstract:The transparency and privacy behavior of mobile browsers has remained widely unexplored by the research community. In fact, as opposed to regular Android apps, mobile browsers may present contradicting privacy behaviors. On the one end, they can have access to (and can expose) a unique combination of sensitive user data, from users' browsing history to permission-protected personally identifiable information (PII) such as unique identifiers and geolocation. However, on the other end, they also are in a unique position to protect users' privacy by limiting data sharing with other parties by implementing ad-blocking features. In this paper, we perform a comparative and empirical analysis on how hundreds of Android web browsers protect or expose user data during browsing sessions. To this end, we collect the largest dataset of Android browsers to date, from the Google Play Store and four Chinese app stores. Then, we developed a novel analysis pipeline that combines static and dynamic analysis methods to find a wide range of privacy-enhancing (e.g., ad-blocking) and privacy-harming behaviors (e.g., sending browsing histories to third parties, not validating TLS certificates, and exposing PII -- including non-resettable identifiers -- to third parties) across browsers. We find that various popular apps on both Google Play and Chinese stores have these privacy-harming behaviors, including apps that claim to be privacy-enhancing in their descriptions. Overall, our study not only provides new insights into important yet overlooked considerations for browsers' adoption and transparency, but also that automatic app analysis systems (e.g., sandboxes) need context-specific analysis to reveal such privacy behaviors.

Cryptography and Security