How to Protect Your Privacy on The Web

Over the past several months we have learned that users cannot always trust a platform to honor their promises regarding safeguarding user data. Even in cases where consent is provided by one user, insufficient privacy controls can still allow a malicious app to collect and funnel private information from others connected to that user—and who did not give consent—to a collection point.

Alarmingly, even if no personally identifiable information (PII) is explicitly provided, thanks to advancements in tracking technologies a party collecting that data can still uniquely identify a person.  Security researchers (yours truly included) have sounded the alarm about this problem for many years ([1], [2], [3], [4]), and new attacks exploiting this reality show up on a fairly regular basis([5]). Even more alarming, for the purpose of social manipulation (in the form of distributing tailored fake news, propaganda, and conspiracy theories), a psychology profile is enough. There is no need to really know actual ID information such as real names, etc. in order to accomplish their objectives.

The hard truth is that personal data is not only used for highly targeted advertising, but can lead to serious consequences like identity theft and social manipulation. Naturally, there is a need for consumers to take matter into their own hands. And in this research report from FortiGuard Labs, we will show you how.

 

General Strategy for Protecting Yourself

Security is not foolproof, which means that users cannot only count on organizations to protect their data. Instead, they need to proactively protect themselves using a number of techniques, such as not using the same password for multiple accounts, which is one good strategy among the many detailed for you below.

On a side note, this research is not meant to be comprehensive but rather, a generic framework to help individuals maximize privacy while minimizing the cost of time and resources. Privacy-minded consumers can combine general strategies with cost effective privacy-oriented tools to achieve the goal of protecting their privacy and identity.

The best general strategy is to combine common sense with enhancing your general security posture by utilizing security best practices, such as:

·       Keeping software up to date

·       Applying patches and fixes as soon as they are released

·       Securing your password management (e.g. avoid reusing the same password)

·       Installing anti-virus and anti-malware protection

·       Implementing effective firewalls technologies as needed – edge firewalls, web filtering, network segmentation, etc.

Once a baseline security foundation is in place, you can then focus on protecting privacy, which is the main focus of this research:

·       Using VPN to hide the real IP address (e.g. ZenMate VPN)

·       Or better yet, using The Onion Router (TOR)

Not All Browsers Are Built the Same

In order for you to counter the tracking technologies used in web sites, only in-browser logics can help. All of the major browsers offer some support for protecting your privacy. Firefox, for example, offers especially effective privacy options because of the broad set of extensions it provides to support privacy.

After completing our research we found that the following Firefox browser extensions are the most useful:

 

Name

Size

Code hash

Ghostery

4,698,487  bytes

8C2A915F408DED4DE03F5B17D30E1C2526AC8D8522FC9E516542F6F4BB57957E

NoScript Security Suite

375,278 bytes

69424AFDE4420C64344DF74871454BB8969B2F984C134503A310C37A5E2E7013

Decentraleyes

5,912,700 bytes

AE29F5684B433773C78B1E31092B389955DBF36DB19A0CA47137596F4A44F7AE

AdBlock for Firefox

1,084,644 bytes

01E303F25E1D464CDC8E00DAA28B7802EFD82AB148E450EBC4F03E246CE4F1DB

Facebook Container

10,611 bytes

7E5AFF72DD301A1A3F762ABF408625CF464DE9879F5732DF95E40E5F88BB95C6

Firefox Multi-Account Containers

132,689 bytes

4D0148504C80097F075F7BC1AB8848B949A1A8FF098090FBB9671F869BBD8098

Primer on Firefox Extensions

Given what we have learned about security claims, we decided to dig deeper. We reviewed technical designs and then, to confirm the soundness of the implementation, we performed a security analysis.

But before diving in to the implementation of extensions, it’s worthwhile to understand the overall context. Extensions for Firefox are built using the WebExtensions API. To a large extent, WebExtensions API is also compatible with the extension API supported by Opera, Chrome, and the W3C Draft Community Group. Extensions written for these browsers will run in Firefox in most cases, with just a few modifications. 

Extensions come with a manifest file used to describe itself (e.g. permissions). The code is in JavaScript so it can be statically analyzed (even though it may have been minified or obfuscated.)

Firefox has a debug capability built in, which enables dynamic analysis to be enabled, as shown above. Further details on this capability can be obtained from MDN Web Docs (previously, Mozilla Developer Network – MDN) and this blog post is not going to repeat that.

Facebook Container Extension

This extension is interesting because it can automatically contain Facebook and thereby prevent it from tracking you across web sites.

As of this writing, only Firefox 57 fully supports this feature. We have analyzed Facebook Container and found that the key feature that enables this “magic” is contextualIdentities, as seen below:

Mozilla says it best, so we’ll let it speak for itself: “Contextual identities, also known as “containers”, are a browser feature which addresses the idea that users assume multiple identities when browsing the web and wish to maintain some separation between these identities. For example, a user might consider their “work identity” separate from their “personal identity”, and not want to share cookies between these two contexts.”

First, the extension uses the feature to setup a Container to contain Facebook:  

It then adds a request listener (containFacebook) to listen to requests to all URL:

The Listener will receive notifications and then basically apply a “filter” based on URLs and put them into corresponding containers.

Multi-Account Containers (MAC) extension 

Multi-Account Containers (MAC) can be thought of as a generic version of Facebook Container. The Facebook Container extension only isolates Facebook, but it works automatically. On the other hand, MAC allows users to create containers for other sites and put them into separate containers, but that has to be done manually.

Under the hood, it separates website storage (e.g. cookies) into tab-specific Containers. Cookies created by one Container are not accessible by other Containers. As a result, a user’s social identity (in one Container) is separated from tracking scripts on other websites connected to a work identity.

Next, we will briefly dive into the technical implementation of the extension. The key component here is the global object browser.storage.local (“area”). 

siteStoreKey is the unique key used to index the storage area when there is a need to get or set the data for a site. 

A similar mechanism is also used to separate cookies (Figure 10)

NoScript Security Suite Extensions 
As the name implies, NoScript is used to block executable content (e.g. JavaScript, Flash, Java) on untrusted domains.

It follows a blanket approach, so untrusted domains literally mean anything else besides explicitly trusted domains (the initial list is shown below.)

By blocking JavaScript, this extension protects users from being exploited by JavaScript attacks such as XSS, Clickjacking, CSRF attacks, cross-zone DNS rebinding, and Cryptocurrency mining malware. It also protects users against tracking scripts which intrude on privacy.

AdBlock Extension

AdBlock blocks all advertisements on web pages. This is important because advertisements typically employ behavioral targeting. This works by collecting information about users’ browsing behaviors, which obviously violate privacy.  Note that not only cookies are used for tracking. Many new technologies allow mechanisms to be used for tracking as a well, like Flash cookies and HTML5 local storage.

The main blocking logic of AdBlock is shown below:

 

Decentraleyes Extension 
Briefly speaking, when a web site downloads content (e.g. jQuery) from a CDN (Content Delivery Network—e.g. Google Hosted Libraries), the CDN can set a cookie belonging to the CDN’s domain. Then, when the user visits another website, such as www.bar.com, which also contains CDN content, these cookies will also be sent to the CDN when loading (e.g. HTTP requests) their CDN content. Hence, the CDN can then use these cookies to build up a browsing history of the user across all the websites that have content from this CDN.

Blocking requests for ads or trackers is usually ok, however blocking actual content almost certainly, breaks pages. And this is where Decentraleyes comes into the picture. In a nutshell, Decentraleyes “hooks“ those HTTP requests that fetch from CDN and instead serves local files (in other words: caches) to keep sites from breaking. This solution naturally complements regular ad blockers.

The logic for mapping is below:

As can be seen, the default mapping contains major libraries so it “just works”:

 

Ghostery Extension 
In a sense, Ghostery is like AdBlock, but focuses more on trackers, so we’ll skip the lengthy introduction and focus more on the technical side. Essentially, Ghostery can detect and block trackers and hence speed up page loads while protecting your privacy.

Hooking scripts are set to run on all URI (both http and https):

Thanks to its clever design, it is rather straightforward to see that Ghostery can indeed block trackers early on.

We can now dive deeper in to the default blocklist (bugs.json). Here we can see that Ghostery has an extensive blacklist that can match trackers using both literal strings and regular expressions. 

 

Final Thoughts

Certainly, there is no such thing as a free lunch. The privacy vs functionality trade-off means that some or all of the extensions listed above may break some websites in subtle ways that are hard to debug. And some websites that depend on tracking revenue to support their service can detect blocking and may prevent someone using them to access their content. It is also an open research question as to whether one can completely prevent tracking and profiling because fundamentally speaking, each HTTP request leaks some information in one form or another.

Nevertheless, all is not lost, because together with the defenses detailed above, the FortiGuard Web Filtering Service can automatically block all malicious websites and script out of the box, and custom signatures can always be added later on as new threats are identified. And at the same time, other vendors have also begun stepping up their efforts to protect privacy, which is an encouraging trend.

As always, FortiGuard Labs will keep monitoring the threat landscape and share interesting insights from our research.

 

 

Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.



*** This is a Security Bloggers Network syndicated blog from Fortinet All Blogs authored by Fortinet All Blogs. Read the original post at: http://feedproxy.google.com/~r/fortinet/blogs/~3/nHlGBbRP9fw/i-still-know-what-you-did-last-summer-how-to-protect-your-privacy-on-the-web.html