Block Me If You Can! A Large-Scale Study of Tracker-Blocking Tools
Georg Merzdovnik, Markus Huber, Damjan Buhov, Nick Nikiforakis, Sebastian Neuner, Martin Schmiedecker, Edgar Weippl
Euro S&P 2017, Paris, 27.04.2017
Motivation
- Tracking: major impact on online privacy & security
- Past research: "everyone tracks"
- Opt-out cookies and DNT header do not work
  - Blocking tools only option for users
- Effectiveness of blocking tools?
Block me if you can! | Markus Huber | IEEE Euro S&P, Paris 2017
2/18
brief background
Types of online tracking
- Stateful tracking
  - HTTP cookies, "supercookies"
- Stateless tracking, aka fingerprinting
  - Re-identify users based on their devices/software
- Mobile tracking
  - In-app ads/tracking: additional sensitive information
Blocking Tools
- DNS-based
  - Entire domains, e.g. http://news.com/track.js
- Proxy-based
  - Focus on HTTP traffic, e.g. https://facebook.com/like.php
- Browser extensions
  - Most effective tools (not applicable to in-app tracking)
Blocking Rules
- Community-driven
  - EasyList, EasyPrivacy, ...
- Centralized
  - Ghostery, Disconnect, ...
- Algorithmic
  - EFF Privacy Badger
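Added example, not from the paper or the CRAWLIUM code: a simplified model of the three blocking layers and rule types above, using constructed filter rules and labelled requests (the .example hosts are placeholders), to show where each layer under- or over-blocks. DNS-based blocking can only act on whole domains, a proxy sees paths only for plaintext HTTP, and an extension sees the full URL even over TLS.

```python
from urllib.parse import urlparse

# Constructed sample rules (not the real EasyList / AdAway / MoABB entries).
HOST_RULES = {"tracker.example"}                    # hosts-file style: whole domain
URL_RULES = [("news.example", "/track.js"),         # EasyList style: host + path
             ("facebook.example", "/like.php")]

def host_matches(host, rule_host):
    """A domain rule covers the domain itself and all of its subdomains."""
    return host == rule_host or host.endswith("." + rule_host)

def host_listed(host, hosts):
    return any(host_matches(host, h) for h in hosts)

def url_rule_matches(host, path):
    return any(host_matches(host, h) and path.startswith(p) for h, p in URL_RULES)

def dns_blocks(url):
    """DNS-based: only the hostname is visible, so URL rules degrade to whole domains."""
    return host_listed(urlparse(url).hostname, HOST_RULES | {h for h, _ in URL_RULES})

def proxy_blocks(url):
    """Proxy-based: full URL for plaintext HTTP, hostname only for HTTPS (CONNECT)."""
    u = urlparse(url)
    if host_listed(u.hostname, HOST_RULES):
        return True
    return u.scheme == "http" and url_rule_matches(u.hostname, u.path)

def extension_blocks(url):
    """Browser extension: sees host and path before the request, TLS or not."""
    u = urlparse(url)
    return host_listed(u.hostname, HOST_RULES) or url_rule_matches(u.hostname, u.path)

LAYERS = {"dns": dns_blocks, "proxy": proxy_blocks, "extension": extension_blocks}
# Constructed requests, labelled with whether they are tracker requests.
REQUESTS = [
    ("http://news.example/track.js", True),         # tracker script on a news site
    ("http://news.example/article.html", False),    # the news site's own content
    ("https://facebook.example/like.php", True),    # social widget over TLS
    ("https://facebook.example/home", False),       # user visiting the site directly
    ("https://tracker.example/pixel.gif", True),
    ("https://cdn.tracker.example/fp.js", True),    # subdomain of a listed host
]

def evaluate(layer):
    decide = LAYERS[layer]
    under = sum(1 for url, tracker in REQUESTS if tracker and not decide(url))
    over = sum(1 for url, tracker in REQUESTS if not tracker and decide(url))
    # (underblocked, overblocked): dns -> (0, 2), proxy -> (1, 0), extension -> (0, 0)
    return under, over
```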
experiments
Sample: browser extensions
- Alexa Top 200k
  - 3 subpages each
  - 4.25% failed
  - 5 extensions
- Extension settings
  - Default settings (except Ghostery)
  - Privacy Badger trained with Alexa Top 1k
CRAWLIUM framework
- Scalable (12h for dataset)
- Parallel collection for temporal effects
- CRAWLIUM vs. OpenWPM
Sample: Android apps
- 10k Android apps
  - 3 DNS blocklists (EasyList, AdAway, MoABB)
  - Dynamic instrumentation
    - Genymotion + monkeyrunner
- 90.61% successful
results: effectiveness
results: fingerprinting
findings
Tracking and Security
- Fewer trackers == less risk
  - Attacks via drive-by downloads
  - Piggybacking on user tracking
- Third parties and TLS
  - 60% in our sample HTTP only
  - HTTP injection attacks
  - Might change due to Let's Encrypt
Future Tracking Defense
- Filter rules
  - Centralized: best protection; Community: small trackers
  - Algorithmic: false positives
  - New heuristic-based approaches
- Blind spots
  - Social widgets (often weak protection)
  - Fingerprinting services on the rise
  - Mobile apps (in-app tracking)
future challenges
Future challenges
- Blocker / Anti-Blocker arms race
  - Number of websites blocking adblock users
  - Methods for detection/blocking of adblock-blockers
  - Under-/overblocking of different approaches
- Provide for mobile devices
  - Android: alternative browser (soon in Chrome)
  - In-app tracker blocker without rooting
Questions?
[email protected] https://keybase.io/nysos