Reducing User Tracking through Automatic Web Site State Isolations

  • Conference paper
Information Security (ISC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8783)

Abstract

Protecting the privacy of web users against tracking by blocking third-party content has become a cat-and-mouse game. Continuously changing tracking methods make it difficult to block all third-party content. On the other hand, it is necessary to accept some third-party content to ensure web site functionality. In this work we present the concept and an implementation for the automatic isolation of the locally stored web site state into separate containers. This eliminates the ability of trackers to re-identify users across different sites, by isolating HTTP cookies, HTML5 Web Storage, Indexed DB, and the browsing cache. The so-called Site Isolation was implemented for the Chromium browser and in addition secures the browser against CORS, CSRF, and click-jacking attacks, while limiting the impact of cache timing and rendering engine hijacking. To evaluate the effectiveness of Site Isolation, we visited 1.6 million pages on over 94,000 distinct domains and compared the data saved against usual browsing. We show that top trackers collect enough information to identify billions of users reliably. In contrast, with Site Isolation in place the number of tracked pages can be reduced by 44%.

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Stopczynski, M., Zugelder, M. (2014). Reducing User Tracking through Automatic Web Site State Isolations. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_18

  • DOI: https://doi.org/10.1007/978-3-319-13257-0_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13256-3

  • Online ISBN: 978-3-319-13257-0

  • eBook Packages: Computer Science, Computer Science (R0)