The Privacy Flag Observatory: A Crowdsourcing Tool for Real Time Privacy Threats Evaluation
Abstract
1. Introduction
2. Related Works
3. The Privacy Flag Observatory Architecture
4. Implementation and Operation of the Observatory
4.1. Confidentiality
- Encryption of the traffic: The encryption of the traffic between a user’s computer and the web server is the most essential step to enforce data confidentiality. The Privacy Flag Observatory computes the percentage of websites that deploy encryption. However, not all deployed encryption mechanisms provide adequate protection against modern cryptanalytic techniques [21]. In particular, obsolete cryptographic suites such as SSLv3, TLS 1.0 or earlier, no longer ensure sufficient security protection [22,23]. Earlier versions of the TLS protocol, for instance, are associated with a list of known attacks such as the BEAST attack [24]. Moreover, the obsolete SSL protocol has enabled the POODLE and FREAK exploits [25], while some implementations of the TLS compression procedures can be abused by the CRIME and BREACH attacks [26,27]. Similar security issues arise in various vulnerable implementations of the OpenSSL cryptographic software library, which are still in widespread use. Although newer versions of the TLS protocol are secure, their integration into past implementations of OpenSSL creates paths to several attacks. The Heartbleed bug, for instance, demonstrated that several web applications can be compromised [28]. However, even a non-secure cipher is a much better approach than the transmission of sensitive information in plaintext. Even the less robust cryptographic algorithms often require significant effort to bypass their encryption. On the contrary, plaintext can be intercepted with minimal effort using well-documented open source tools, without requiring a high level of expertise. Therefore, we decided to accept all cryptographic algorithms and highlight the importance of data encryption as a means to achieve confidentiality and privacy for all Internet users. Our main objective is, thus, to encourage users to visit websites using the HTTPS protocol instead of the insecure HTTP protocol.
- Use of the HSTS protocol: Several of the shortcomings of the HTTPS protocol have been addressed with the HTTP Strict Transport Security or HSTS protocol [29]. The websites that have adopted this enhancement can protect their users more effectively. In particular, HSTS can neutralize protocol downgrade attacks. It is also very effective against Man-in-the-Middle (MITM) attacks [29]. However, the protocol has some limitations, as the user must have previously accessed the website using HSTS over an HTTPS connection within a trusted network. In this case, the browser will enforce HTTPS connections throughout the whole communication session. Otherwise, if the initial connection is made using the standard HTTP protocol in an insecure network, it is possible that an eavesdropper can intercept the initial request and redirect the traffic to a malicious website. Furthermore, the HSTS protocol can significantly reduce the risk of SSL stripping attacks. However, as expected, HSTS is not a panacea. Sophisticated attacks, such as BEAST and CRIME, cannot be eliminated, but the deployment of HSTS lowers their success rate. Finally, HSTS should be enabled and supported both on the client and server sides.
- Use of a trustworthy certificate chain: A website should have a valid and trusted certificate. The process of validating the certificate is based on a chain of trust that links back to a Root Certification Authority (CA) trusted by the user’s browser [30]. Websites that use self-issued, expired or non-recognizable certificates from unknown or untrusted CAs [31,32] are not suitable for web applications that handle sensitive data and content. On the other hand, a self-issued certificate might be a better alternative to the deployment of the simple HTTP connection which offers no protection at all, allowing all information to be transmitted as plaintext. A compromise solution may be to use certificates, such as the ones provided by the Let’s Encrypt initiative, which are free encryption certificates. However, such certificates have limited support and lifetime compared to the commercial certificates [33]. The adoption of valid and trusted certificates is a key aspect in the efforts to increase the security of the Web.
- Public key pinning: HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to defend against impersonation attacks [34]. These attacks are based on malformed or invalid, i.e., fraudulent, certificates [35]. For example, attackers might compromise a Certificate Authority and then issue fraudulent certificates for any domain. To defend against this threat, the web server can provide a list of “pinned” public key hashes. In this way, in subsequent connections, web clients will expect the server to use one or more of those public values (keys) in its certificate chain [36].
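
The first-visit limitation described in the HSTS item above, modelled as an added example (not code from the Privacy Flag project): a minimal browser-side HSTS store in Python. The class name `HstsStore`, the host `shop.example` and the injected clock are assumptions made for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Hypothetical model of a browser's list of known HSTS hosts."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def note_response(self, url, headers):
        """Store the policy from a response. Policies seen over plain HTTP are ignored."""
        parts = urlsplit(url)
        value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        if parts.scheme != "https" or not parts.hostname or value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                arg = arg.strip().strip('"')
                if not arg.isdigit():
                    return False
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self._hosts[host] = (self._clock() + max_age, include_sub)
        return True

    def _is_known(self, host):
        """True if the host, or a parent that set includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self._clock():
                del self._hosts[candidate]  # policy expired
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// URLs for known hosts before any request leaves the client."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self._is_known(parts.hostname):
            return url
        host = parts.hostname
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Constructed walk-through using a fake clock so expiry can be shown."""
    now = [1_000_000.0]
    store = HstsStore(clock=lambda: now[0])
    # First visit: nothing is known yet, so the request goes out over HTTP.
    first = store.rewrite("http://shop.example/login")
    # A policy delivered over HTTP could have been injected, so it is not stored.
    over_http = store.note_response(
        "http://shop.example/", {"Strict-Transport-Security": "max-age=600"})
    stored = store.note_response(
        "https://shop.example/",
        {"Strict-Transport-Security": "max-age=600; includeSubDomains"})
    later = store.rewrite("http://shop.example/login")
    subdomain = store.rewrite("http://pay.shop.example/")
    now[0] += 601  # move past max-age
    expired = store.rewrite("http://shop.example/login")
    return first, over_http, stored, later, subdomain, expired


if __name__ == "__main__":
    for item in demo():
        print(item)
```
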
4.2. Security
- Flash: It was once the most commonly used multimedia content player. Most websites delivered interactive content almost exclusively for the Flash player. Unfortunately, the Flash protocol has been ranked highly as a major source of security risks [37]. Therefore, today, most websites avoid using Flash in favor of new multimedia codecs. Thus, although it is not always possible to refrain from using Flash, users should try to use websites with the more secure, native, HTML5 video players. The percentage, as identified by the Privacy Flag Web add-on, of the websites currently using the risky Flash codec is presented on the Privacy Flag Observatory.
- HTML5 APIs - Web Audio API: The HTML5 Web Audio is a very useful technology for capturing and storing sound streams from various audio input sources as well as the devices’ microphones. Naturally, care should be taken to protect users from unauthorized recording or eavesdropping [38] of their audio streams and their environment. Thus, this specific recording functionality should be used with utmost caution. The percentage of websites that provide potentially risky access to the microphone is displayed on the Privacy Flag Observatory.
- HTML5 APIs - WebRTC: It is a very effective mechanism for providing real-time communication, but it is also used by hackers to intercept sensitive information or deanonymize users [39,40]. Nonetheless, this is a promising and useful technology, but whenever privacy is absolutely necessary, WebRTC should be avoided. The percentage of websites that use potentially privacy threatening WebRTC communication sessions is presented on the Privacy Flag Observatory.
- ActiveX: It is an obsolete Microsoft technology supported only by older Internet Explorer browsers. ActiveX components can be used to build complex scripts to automate several tasks. ActiveX normally operates from the website directly on the users’ devices. As a consequence, many serious security issues may arise (see [41,42]). Microsoft has disabled ActiveX on the recent versions of the Internet Explorer browser, but older versions still support it for legacy web applications. The percentage of websites that use the highly insecure ActiveX components is highlighted on the Privacy Flag Observatory.
- Java Applets: A very popular programming language, Java has been used since the earliest days of the web to develop powerful web applications known as Java Applets. Due to the many vulnerabilities that Java has suffered during the past years, it is not considered a good practice, from a security perspective, to incorporate Java Applets in webpages [43,44]. Most web browsers support deprecated Java Applets in one way or another, but a limited number of web business applications still require Java Applets to function properly. The percentage of websites that contain Java Applets is depicted on the Privacy Flag Observatory.
- Silverlight: It is a Microsoft technology based on the .NET framework. It is used for the development of highly interactive applications which enrich user experience [45]. As any middleware, .NET with direct access to a user’s computer can give rise to security risks [46]. If not absolutely necessary, it should be avoided. The percentage of websites that are based on the Silverlight framework is shown on the Privacy Flag Observatory.
4.3. Privacy
- Average number of cookies per site: It is useful to have a good estimate of the average number of cookies per site, since an unusually large number of cookies in a website may be an indication of privacy risks.
- Use of potentially risky types of cookies: Although most cookies are not dangerous, some types of cookies such as super cookies, zombie cookies, evercookies and LSO (Local Shared Objects) are persistent and very difficult to remove [47,48]. Unfortunately, their reliable detection requires much more effort in comparison with the standard or the third-party cookies. Therefore, this feature was not implemented in the Privacy Flag Observatory.
4.4. Mobile Applications Permissions
- The percentage of evaluated applications that use permissions that belong to the Camera group: If an application has access to the device’s camera, it can take pictures with or without the user’s knowledge. For applications that are related to image editing or social networking as well as other communication tools, it is normal to require such access to provide the full experience to the users. On the other hand, it is a very serious privacy violation incident if an application takes pictures without the user’s knowledge and explicit consent [51].
- The percentage of evaluated applications that use permissions which belong to the Contacts group: Personal contacts on a mobile device can be accessed by applications upon appropriate user authorization. Software that can handle calls, e-mails or social media is expected to require permission to use this information. Yet, again, a malicious application might gain knowledge about users’ personal and professional relations and, thus, endanger their privacy.
- The percentage of evaluated applications which use permissions that belong to the Calendar group: The calendar application helps users organize meetings and set up task reminders. As the calendar application has a complete knowledge of a user’s schedules, tasks and plans, such as meetings with other people, attending events and visiting places, it is important that this information remains private, unless it is required otherwise.
- The percentage of evaluated applications that use permissions which belong to the Location group: By allowing an application to access a user’s location, it can extract, accurately, all the mobility patterns and habits of a user, e.g., the path that the user follows commuting to work during the day or the places the user visits for recreational purposes. Therefore, the software can reveal detailed information about the places users frequent, i.e., where they live, work and travel. An application might need this information to help users optimize their daily mobility plans, to suggest nearby shops, restaurants and bars. However, location-related information is considered sensitive and, therefore, it should be adequately protected [52].
- The percentage of evaluated applications that use permissions which belong to the Microphone group: Accessing the microphone implies that it is possible, for an application, to capture all discussions and sounds in the proximity of the user’s mobile phone. This is entirely normal for applications that provide real-time communication capabilities, but it can also be very risky since a malware can turn a mobile device into a powerful spying machine [53].
- The percentage of evaluated applications that use permissions which belong to the Phone group: A very limited number of legitimate applications that provide real-time communication capabilities might need to access a mobile phone’s telephony subsystem. A malware, however, may use this functionality for initiating and receiving calls towards spying on users or calling premium toll numbers [54].
- The percentage of evaluated applications which use permissions that belong to the Sensors group: Smart devices are equipped with a variety of sensors to enable them to monitor the mobile phone’s motion and orientation as well as various environmental parameters and conditions. If an application has access to the data of these sensors, it is possible to infer users’ behavior patterns and launch privacy breach attacks related to users’ physical activity and perform user profiling and tracking [55].
- The percentage of evaluated applications that use permissions that belong to the SMS group: Only a limited number of applications should require access to the SMS functionality, since the exchanged messages usually contain private and, sometimes, sensitive information. Therefore, if an application needs to use this functionality on the user’s behalf, it should clearly state the purpose of doing that and receive the user’s consent. Otherwise, the information contained in the exchanged messages may become available to, perhaps, malicious third parties. In addition to this, malware may send SMS messages to premium toll numbers and, thus, increase a user’s mobile phone bill [56].
- The percentage of evaluated applications that use permissions which belong to the Storage group: If an application accesses the external (e.g., SD card) storage of a mobile device, it can read, write or modify the user’s documents, photographs and data. This can lead to privacy violation if the user stores private or sensitive information in the mobile device’s external memory [57]. Of course, for maintenance applications that need to periodically organize the contents of the mobile phone, access to the external storage should be granted.
5. Discussion
- Cryptography: The majority of the websites use encryption, which is a positive finding (the corresponding percentage is about 54.8%). Various initiatives that offer certificates at a low or no cost at all (e.g., Let’s Encrypt), have reinforced the adoption of encrypted communications on the Internet. Even so, the vast majority of the certificates originated from a trusted source (84.9%). The HSTS protocol is utilized in about one-third of the websites (38.4%). More advanced and secure techniques, however, such as the Public Key Pinning, are practically non-existent, as they were identified in only 1.3% of the websites.
- Legacy Technologies: Obsolete technologies are the relics of the first and second generations of the web. At those times, the trend was to overcome the limitations of the HTML protocol by developing new frameworks which could be executed in the web browsers as Web Plugins. The implications of this decision, however, were devastating in terms of privacy and security. This tendency allowed the execution of powerful applications on the users’ computers, a concept known as mobile code. The obvious problem with this approach was that it was difficult to enforce effective sandboxing techniques to eliminate the risks of harmful actions. Gradually, but steadily, these technologies were deprecated and expelled from all modern browsers. Yet, some websites still rely on them. At the time of this research, the participating users did not encounter websites that required Java Applets (0%) or Silverlight extensions (0%). On the other hand, 13.1% of websites were based on Flash, which was more or less expected given the wide popularity of the particular Adobe tools. Counter-intuitively, ActiveX Controls which had been long abandoned were found on a small percentage of websites (3.2%).
- Modern Protocols: As discussed earlier, the latest version of the HTML protocol, HTML5, provides some powerful capabilities which might have security implications. None of the websites that Privacy Flag users interacted with had enabled them (0%) at the time of the research.
- Mobile Applications: The number of permissions required by each mobile application is indicative of the privacy risks that may arise. Smartphone applications that request access to many different sensitive subsystems of the mobile devices represent a far greater threat than applications with minimum access requirements. This metric was effective in identifying potential risky smartphone applications with the Privacy Flag SmartApp tool, but the overall statistical findings in the Privacy Flag Observatory cannot be directly translated to privacy recommendations. Nonetheless, these findings are significant in the sense that they demonstrate that modern applications require a considerable number of permissions to function properly.
6. Concluding Remarks and Future Work
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- Berners-Lee, T. Universal Resource Identifiers in WWW: A Unifying Syntax for the Expression of Names and Addresses of Objects on the Network as Used in the World-Wide Web; RFC 1630: Washington, DC, USA, 1994.
- Kim, S.J.; Viswanathan, V.; Lee, H.M. Platform war vs. platform synergy? A longitudinal analysis of media substitution between personal computers and mobile devices. J. Broadcast. Electron. Media 2020, 64, 65–88.
- Singh, S.; Singh, N. Internet of Things (IoT): Security challenges, business opportunities & reference architecture for E-commerce. In Proceedings of the 2015 International Conference on Green Computing and Internet of Things (ICGCIoT), Delhi, India, 8–10 October 2015; pp. 1577–1581.
- Mulliner, C.; Oberheide, J.; Robertson, W.; Kirda, E. Patchdroid: Scalable third-party security patches for android devices. In Proceedings of the 29th Annual Computer Security Applications Conference, Austin, TX, USA, 4–8 December 2013; pp. 259–268.
- Isaak, J.; Hanna, M.J. User data privacy: Facebook, Cambridge Analytica, and privacy protection. Computer 2018, 51, 56–59.
- Kaur, J.; Ramkumar, K. The recent trends in cyber security: A review. J. King Saud-Univ.-Comput. Inf. Sci. 2021.
- Alagheband, M.R.; Mashatan, A.; Zihayat, M. Time-based gap analysis of cybersecurity trends in academic and digital media. ACM Trans. Manag. Inf. Syst. 2020, 11, 1–20.
- Sundaramurthy, S.C.; Case, J.; Truong, T.; Zomlot, L.; Hoffmann, M. A tale of three security operation centers. In Proceedings of the 2014 ACM Workshop on Security Information Workers, New York, NY, USA, 7 November 2014; pp. 43–50.
- Jacobs, P.; Arnab, A.; Irwin, B. Classification of security operation centers. In Proceedings of the 2013 Information Security for South Africa, South Africa, 14–16 August 2013; pp. 1–7.
- Ristić, I. SSL/TLS Deployment Best Practices. 2012. Available online: https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1 (accessed on 22 October 2022).
- Lavrenovs, A.; Melón, F.J.R. HTTP security headers analysis of top one million websites. In Proceedings of the 2018 10th International Conference on Cyber Conflict (CyCon), Tallinn, Estonia, 29 May–1 June 2018; pp. 345–370.
- Felt, A.P.; Barnes, R.; King, A.; Palmer, C.; Bentzel, C.; Tabriz, P. Measuring HTTPS adoption on the web. In Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, Canada, 16–18 August 2017; pp. 1323–1338.
- Libert, T. Exposing the hidden web: An analysis of third-party HTTP requests on 1 million websites. arXiv 2015, arXiv:1511.00619.
- Kaufhold, M.A.; Basyurt, A.S.; Eyilmez, K.; Stöttinger, M.; Reuter, C. Cyber Threat Observatory: Design and Evaluation of an Interactive Dashboard for Computer Emergency Response Teams. In Proceedings of the ECIS, Crete, Greece, 18–24 June 2022.
- Douha Prieto, I. Analysis, Detection and Classification of Web Tracking Techniques. Master’s Thesis, Universitat Politècnica de Catalunya, Barcelona, Spain, 2021.
- Calciati, P.; Kuznetsov, K.; Gorla, A.; Zeller, A. Automatically Granted Permissions in Android Apps: An Empirical Study on Their Prevalence and on the Potential Threats for Privacy. In Proceedings of the 17th International Conference on Mining Software Repositories, Seoul, Republic of Korea, 29–30 June 2020; Association for Computing Machinery: New York, NY, USA, 2020; pp. 114–124.
- Gibler, C.; Crussell, J.; Erickson, J.; Chen, H. AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. In Proceedings of the Trust and Trustworthy Computing, Vienna, Austria, 13–15 June 2012; Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 291–307.
- Liu, B.; Andersen, M.S.; Schaub, F.; Almuhimedi, H.; Zhang, S.A.; Sadeh, N.; Agarwal, Y.; Acquisti, A. Follow My Recommendations: A Personalized Privacy Assistant for Mobile App Permissions. In Proceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), USENIX Association, Denver, CO, USA, 22–24 June 2016; pp. 27–41.
- Harbach, M.; Hettig, M.; Weber, S.; Smith, M. Using Personal Examples to Improve Risk Communication for Security & Privacy Decisions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Association for Computing Machinery, New York, NY, USA, 26 April–1 May 2014; CHI ’14. pp. 2647–2656.
- Yamada, A.; Tanaka, S.; Sawaya, Y.; Kubota, A.; Matsuda, S.; Matsumura, R.; Umemoto, S.; Christin, N.; Nakajima, J.; Crichton, K.; et al. Mobile Security Behavior Observatory: Long-term Monitoring of Mobile User Behavior. In Proceedings of the USENIX ATC’20: 2020 USENIX Conference on Usenix Annual Technical Conference, Berkeley, CA, USA, 15–17 July 2020.
- Meyer, C.; Schwenk, J. SoK: Lessons Learned from SSL/TLS Attacks. In Proceedings of the Information Security Applications, Jeju Island, Republic of Korea, 19–21 August 2014; pp. 189–209.
- Meyer, C.; Schwenk, J. Lessons learned from previous SSL/TLS attacks-a brief chronology of attacks and weaknesses. Cryptol. Eprint Arch. 2013.
- Eldewahi, A.E.; Sharfi, T.M.; Mansor, A.A.; Mohamed, N.A.; Alwahbani, S.M. SSL/TLS attacks: Analysis and evaluation. In Proceedings of the 2015 International Conference on Computing, Control, Networking, Electronics and Embedded Systems Engineering (ICCNEEE), Khartoum, Sudan, 7–9 September 2015; pp. 203–208.
- Sarkar, P.G.; Fitzgerald, S. Attacks on ssl a Comprehensive Study of Beast, Crime, Time, Breach, Lucky 13 & rc4 Biases. 2013. Available online: https://www.isecpartners.com/media/106031/sslattackssurvey.pdf (accessed on 20 March 2021).
- Fogel, B.; Farmer, S.; Alkofahi, H.; Skjellum, A.; Hafiz, M. POODLEs, More POODLEs, FREAK Attacks Too: How Server Administrators Responded to Three Serious Web Vulnerabilities. In Proceedings of the Engineering Secure Software and Systems—8th International Symposium, ESSoS 2016 Proceedings, London, UK, 6–8 April 2016; Caballero, J., Bodden, E., Athanasopoulos, E., Eds.; Springer: Berlin, Germany, 2016; Volume 9639, pp. 122–137.
- Karakostas, D.; Zindros, D. Practical new developments on BREACH. Black Hat Asia 2016.
- Gluck, Y.; Harris, N.; Prado, A. BREACH: Reviving the CRIME attack. Unpubl. Manuscr. 2013.
- Durumeric, Z.; Kasten, J.; Adrian, D.; Halderman, J.A.; Bailey, M.; Li, F.; Weaver, N.; Amann, J.; Beekman, J.; Payer, M.; et al. The Matter of Heartbleed. In Proceedings of the Internet Measurement Conference, Vancouver, BC, Canada, 5–7 November 2014; pp. 475–488.
- Hodges, J.; Jackson, C.; Barth, A. Http Strict Transport Security (hsts). 2012. Available online: http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-04 (accessed on 22 October 2022).
- Yee, P. Updates to the internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 6818 2013.
- Fu, Y.; Wang, Q.; Lin, J.; Sun, A.; Lu, L. Exploring the Security Issues of Trusted CA Certificate Management. In Proceedings of the Information and Communications Security, Virtual Event, 6–9 September 2021; Gao, D., Li, Q., Guan, X., Liao, X., Eds.; Springer International Publishing: Berlin, Germany, 2021; pp. 384–401.
- Kent, S. Evaluating certification authority security. In Proceedings of the 1998 IEEE Aerospace Conference Proceedings (Cat. No.98TH8339), Snowmass, CO, USA, 28 March 1998; Volume 4, pp. 319–327.
- Aas, J.; Barnes, R.; Case, B.; Durumeric, Z.; Eckersley, P.; Flores-López, A.; Halderman, J.A.; Hoffman-Andrews, J.; Kasten, J.; Rescorla, E.; et al. Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, Association for Computing Machinery, New York, NY, USA, 11–15 November 2019; CCS ’19. pp. 2473–2487.
- Petrov, I.; Peskov, D.; Coard, G.; Chung, T.; Choffnes, D.; Levin, D.; Maggs, B.M.; Mislove, A.; Wilson, C. Measuring the Rapid Growth of HSTS and HPKP Deployments. Available online: http://www.cs.umd.edu/content/measuring-rapid-growth-hsts-and-hpkp-deployments (accessed on 10 October 2022).
- Buchanan, W.J.; Helme, S.; Woodward, A. Analysis of the adoption of security headers in HTTP. IET Inf. Secur. 2018, 12, 118–126.
- De los Santos, S.; Torres, J. Analysing HSTS and HPKP implementation in both browsers and servers. IET Inf. Secur. 2018, 12, 275–284.
- Buhov, D.; Rauchberger, J.; Schrittwieser, S. FLASH: Is the 20th Century Hero Really Gone? Large-Scale Evaluation on Flash Usage & Its Security and Privacy Implications. J. Wirel. Mob. Netw. Ubiquitous Comput. Dep. Appl. 2018, 9, 26–40.
- Mavroudis, V.; Hao, S.; Fratantonio, Y.; Maggi, F.; Kruegel, C.; Vigna, G. On the privacy and security of the ultrasound ecosystem. Proc. Priv. Enhancing Technol. 2017, 2017, 95–112.
- Tian, Y.; Liu, Y.C.; Bhosale, A.; Huang, L.S.; Tague, P.; Jackson, C. All your screens are belong to us: Attacks exploiting the html5 screen sharing api. In Proceedings of the 2014 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 18–21 May 2014; pp. 34–48.
- Loreto, S.; Romano, S.P. Real-time communications in the web: Issues, achievements, and ongoing standardization efforts. IEEE Internet Comput. 2012, 16, 68–73.
- Hayes, S. Java and activeX: Background and risks to the business. Comput. Fraud. Secur. 1998, 1998, 9–12.
- Hopwood, D. A comparison between java and activeX security. Netw. Secur. 1997, 1997, 15–20.
- Špiláková, P.; Jašek, R.; Schauer, F. Security risks of java applets in remote experimentation and available alternatives. Appl. Math. Comput. Sci. Eng. 2014. Available online: http://www.europment.org/library/2014/varna/bypaper/AMCSE/AMCSE-23.pdf (accessed on 20 October 2022).
- Niinimaki, P.; Markkanen, P.; Kajava, J. Java applets and security. In Proceedings of the Databases and Information Systems, 3rd IEEE International Baltic Workshop, Tallinn, Estonia, 16–19 June 1998; pp. 125–136.
- Suresh, J.K. Comparative Analysis of Security and Accessibility of Silverlight XAML with Other User Interface. Int. J. Comput. Electr. Eng. 2009, 1, 1793–8163.
- Kontaxis, G.; Antoniades, D.; Polakis, I.; Markatos, E.P. An empirical study on the security of cross-domain policies in rich internet applications. In Proceedings of the Fourth European Workshop on System Security, Salzburg, Austria, 10 April 2011; pp. 1–6.
- Verleg, P.; van Eekelen, M.; Vranken, H. Cache Cookies: Searching for Hidden Browser Storage. Bachelor’s Thesis, Radboud University, Nijmegen, The Netherlands, 2014.
- Saito, T.; Koshiba, R. Examination and Comparison of Countermeasures Against Web Tracking Technologies. In Proceedings of the International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, Asan, Republic of Korea, 1–3 July 2019; pp. 477–489.
- Souppaya, M.; Scarfone, K. Guidelines for managing the security of mobile devices in the enterprise. NIST Spec. Publ. 2013, 800, 124.
- Emerson, P. The original Borda count and partial voting. Soc. Choice Welf. 2013, 40, 353–358.
- Wu, L.; Du, X.; Fu, X. Security threats to mobile multimedia applications: Camera-based attacks on mobile phones. IEEE Commun. Mag. 2014, 52, 80–87.
- Wernke, M.; Skvortsov, P.; Dürr, F.; Rothermel, K. A classification of location privacy attacks and approaches. Pers. Ubiquitous Comput. 2014, 18, 163–175.
- Petracca, G.; Sun, Y.; Jaeger, T.; Atamli, A. Audroid: Preventing attacks on audio channels in mobile devices. In Proceedings of the 31st Annual Computer Security Applications Conference, Los Angeles, CA, USA, 7–11 December 2015; pp. 181–190.
- Hwang, S.; Lee, S.; Kim, Y.; Ryu, S. Bittersweet adb: Attacks and defenses. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, Singapore, 14–17 March 2015; pp. 579–584.
- Raij, A.; Ghosh, A.; Kumar, S.; Srivastava, M. Privacy risks emerging from the adoption of innocuous wearable sensors in the mobile environment. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Atlanta, GA, USA, 10–15 April 2011; pp. 11–20.
- Tu, G.H.; Li, C.Y.; Peng, C.; Li, Y.; Lu, S. New security threats caused by IMS-based SMS service in 4G LTE networks. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016; pp. 1118–1130.
- Penning, N.; Hoffman, M.; Nikolai, J.; Wang, Y. Mobile malware security challeges and cloud-based detection. In Proceedings of the 2014 International Conference on Collaboration Technologies and Systems (CTS), Minneapolis, MN, USA, 19–23 May 2014; pp. 181–188.
Threat Descriptor | |
---|---|
Name | Does the Website Use Certificate Pinning? (HTTP Public Key Pinning) |
Threat | Website Impersonation |
High-level Description | HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to defend against impersonation attacks in which attackers deploy misissued or fraudulent certificates. For example, attackers might compromise a certificate authority (i.e., the entity that issues soft authentication certificates for websites) and then misissue certificates for any domain. To defend against this risk, the web server can provide a list of “pinned” public key hashes. Thus, on subsequent connections, web browsers expect that server to use one or more of those public keys in its certificate chain. |
Threat Category | Confidentiality of Communications |
Implementation Details | This threat is implemented as a backend script that takes the URL as input and reads the HTTP headers. If the “public-key-pins” header exists, the “max-age” is well configured (i.e., greater than 30 s) and there is a valid SHA256 hash for the public key, then the script returns true, otherwise, it returns false. |
Return Value | True/False |
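
One way to implement the check in the descriptor above, as an added example and not the Observatory's own backend script. It assumes the response headers are already available as a dictionary and that one well-formed pin is sufficient; the function names, hostnames and pin values are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

MIN_MAX_AGE = 30  # from the descriptor: max-age must be greater than 30 s

_PIN = re.compile(r'pin-sha256\s*=\s*"([^"]*)"', re.IGNORECASE)
_MAX_AGE = re.compile(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', re.IGNORECASE)


def valid_sha256_pin(b64):
    """A pin is the base64 encoding of a SHA-256 digest, i.e. exactly 32 bytes."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == hashlib.sha256().digest_size


def check_hpkp(headers):
    """Return (result, reason) for one response's headers, following the descriptor."""
    value = next((v for k, v in headers.items() if k.lower() == "public-key-pins"), None)
    if value is None:
        # Public-Key-Pins-Report-Only only reports violations, so it does not count.
        return False, "no public-key-pins header"
    match = _MAX_AGE.search(value)
    if match is None:
        return False, "max-age missing or malformed"
    if int(match.group(1)) <= MIN_MAX_AGE:
        return False, "max-age not greater than 30 s"
    if not any(valid_sha256_pin(p) for p in _PIN.findall(value)):
        return False, "no valid SHA256 pin"
    return True, "ok"


def pinning_rate(responses):
    """Percentage of sites that pass the check, as an observatory would aggregate it."""
    if not responses:
        return 0.0
    passed = sum(1 for headers in responses.values() if check_hpkp(headers)[0])
    return 100.0 * passed / len(responses)


def _make_pin(seed, algo="sha256"):
    # Constructed value: hashes arbitrary bytes instead of a real public key.
    return base64.b64encode(hashlib.new(algo, seed).digest()).decode()


PIN_A = _make_pin(b"constructed key A")
PIN_B = _make_pin(b"constructed key B")
SHA1_PIN = _make_pin(b"constructed key A", "sha1")  # wrong digest length on purpose

# Constructed sample responses, one per failure mode plus one that passes.
SAMPLE = {
    "pinned.example": {
        "Public-Key-Pins":
            f'pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; max-age=5184000; includeSubDomains'},
    "short-lived.example": {"Public-Key-Pins": f'pin-sha256="{PIN_A}"; max-age=30'},
    "bad-pin.example": {
        "public-key-pins": f'pin-sha256="{SHA1_PIN}"; pin-sha256="not-base64!!"; max-age=86400'},
    "report-only.example": {
        "Public-Key-Pins-Report-Only": f'pin-sha256="{PIN_A}"; max-age=86400'},
    "plain.example": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for site, headers in SAMPLE.items():
        print(site, check_hpkp(headers))
    print("pinning rate: %.1f%%" % pinning_rate(SAMPLE))
```
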
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Vlachos, V.; Stamatiou, Y.C.; Nikoletseas, S. The Privacy Flag Observatory: A Crowdsourcing Tool for Real Time Privacy Threats Evaluation. J. Cybersecur. Priv. 2023, 3, 26-43. https://doi.org/10.3390/jcp3010003