Determining the Fingerprinting Risk of Web Pages
Abstract
Fingerprinting techniques applied in Web pages to identify and track users on the Internet have become increasingly common. Although solutions and countermeasures against such techniques exist, they often run up against the need to compare code or to run in the background. In this context, this article proposes a methodology to detect fingerprinting artifacts (scripts) in Web pages and to inform users how dangerous a page is to their privacy. The results show that, although simple, the methodology is effective at finding fingerprinting code on websites and categorizing it into severity levels according to the risk to users' privacy.