DIMVA 2019
On the Perils of Leaking Referrers in Online Collaboration Services
Authors: Beliz Kaleli, Manuel Egele, Gianluca Stringhini
Online Collaboration Services (OCSs)
File operations:
▪ Upload/Create
▪ View/Edit online
▪ Share
Sharing a File on an OCS
Upload or Create → OCS → Share: https://www.ocs-name.com/<UniqueIdentifier> (ideally an unguessable secret location)
This year McAfee reported that:
“8% of shared files contain sensitive data” [1]
▪ OCS files, used by individuals and companies, can contain sensitive information.
(Figure: Where cloud files are shared [1])
[1] https://www.skyhighnetworks.com/cloud-computing-trends-2019/
Introduction
We show that the secret location of OCS files can be leaked by the improper handling of links embedded in these files.
▪ 21 OCSs are analyzed on 6 different web browsers
Background - HTTP Referer
▪ HTTP request header that identifies the URI from which the request originated.
Example: request headers sent by a browser from the page http://ocs.com/file1
Accept: text/html, application/xhtml+xml
Accept-Encoding: gzip, deflate
Accept-Language: en-US, en; q=0.5
Connection: keep-alive
DNT: 1
Host: ocs.com
Referer: http://ocs.com/file1
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
Background - HTTP Referer
Purpose:
▪ Personalize the website: provide specific help, suggest relevant pages to targeted users
▪ Generate special offers
▪ Webpage analytics (e.g., analyzing where most of the traffic is coming from)
▪ Block visitors from specific domains
The HTTP Referer field is configurable with the Referrer Policy [1]
[1] W3C Candidate Recommendation referrer policy. https://www.w3.org/TR/referrer-policy/.
Background - Existing Mitigations
▪ Referrer Policy: "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url"
▪ HTML link type (i.e. rel="noreferrer")
HTTP Referer structure:
▪ No Referrer: -
▪ ASCII Serialized: http(s)://www.service-name.com/
▪ Full Referrer: http(s)://www.service-name.com/<UniqueIdentifier>
Attack Model
(Diagram: the file at the secret URL contains a link to maggi.cc. When that link is followed, the request to maggi.cc carries "Referrer: secret URL", so Eve, at maggi.cc, learns the secret URL.)
Alice: Upload/Create file
Alice: Share file, e.g. https://docs.google.com/document/d/17AA7PNbyu94pHe8QxKHKq8SsKPuLZV-9-ZrWvV-k45o/edit?usp=sharing
Bob: Visit link
Beliz Kaleli
Implementation - Methodology
To test our attack model on real-world OCSs:
1. Identifying relevant services
2. Creating files
3. Sharing files
4. Examining the referrer
17
Implementation - Identifying Relevant Services
▪ We obtained the most popular services by Google queries and crawling Alexa lists:
  ▪ Top/Computers/Internet/File_Sharing
  ▪ Top/Computers/Internet/On_the_Web/Web_Applications/Storage
▪ Test manually:
  ▪ Set up an account
  ▪ Upload/Create a file with a link to our server
  ▪ Check if clickable
  ▪ Check if shareable via a URL
(Figure: the uploaded file containing a link to our-server.com)
Implementation - Creating Files
▪ Created different types of files: “.doc”, “.docx”, “.pdf”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.note”, etc.
(Figure: the embedded URL points to our web server, where the HTTP headers are logged)
Implementation - Sharing Files
Relevant OCSs = File Hosting Services + Instant Messaging Services
For file hosting services and instant messaging services:
▪ Shared through links which are editable or view-only
For some instant messaging services (e.g., Flock):
▪ File sent directly to a chat between two accounts
Implementation - Examining Referrers
(Diagram) Alice uploads the file to the OCS and shares it, which yields the secret URL; the file contains a link to our-server.com.
Bob visits the secret URL and clicks on the embedded link; our server records the visit, and we collect the Referrer URL from the output of the logging script.
Outcome for each test:
▪ Visit not recorded → File is NOT accessed
▪ Visit recorded → File is accessed; inspect the Referrer URL:
  ▪ Secret URL is leaked
  ▪ Secret URL is NOT leaked
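The "examining the referrer" step, as an added example that is not the authors' code: a classifier that reads the test server's access log and walks the decision tree above (visit recorded? Referer present? does it carry the secret path, only the origin, or nothing?). The share URL, hostnames and log lines are constructed placeholders.

```python
"""Walk the 'Examining Referrers' decision tree over the test server's access
log: no hit -> file not accessed; hit -> inspect the Referer and decide whether
the secret share URL leaked. Added example; log lines and URLs are constructed."""
from urllib.parse import urlsplit

# Constructed: Alice's share link (the path holds the unique identifier).
SECRET_URL = "https://www.ocs-name.com/doc/UNIQUE-ID-PLACEHOLDER/edit"

# Constructed combined-format lines from our-server.com; the second quoted
# field of each line is the Referer ('-' when the browser sent none).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2019:10:00:01 +0000] "GET /probe HTTP/1.1" 200 12 "https://www.ocs-name.com/doc/UNIQUE-ID-PLACEHOLDER/edit" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.11 - - [10/Jun/2019:10:00:05 +0000] "GET /probe HTTP/1.1" 200 12 "https://www.ocs-name.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0)"
203.0.113.12 - - [10/Jun/2019:10:00:09 +0000] "GET /probe HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 10.0) Edge/17"
"""

LEAKED = "full referrer: secret URL is LEAKED"
ORIGIN_ONLY = "ASCII-serialized origin: secret URL is NOT leaked"
NO_REFERRER = "no referrer: secret URL is NOT leaked"
OTHER = "unrelated referrer: visit did not come from the shared file"
NOT_ACCESSED = "no visit recorded: file is NOT accessed"

def parse_referer(line):
    """Return the Referer of one combined-format line, or None for '-' / malformed."""
    quoted = line.split('"')[1::2]        # request line, referer, user-agent
    if len(quoted) < 2 or quoted[1] == "-":
        return None
    return quoted[1]

def classify(referer, secret_url=SECRET_URL):
    """Outcome for one observed Referer value."""
    if referer is None:
        return NO_REFERRER
    sec, obs = urlsplit(secret_url), urlsplit(referer)
    if (obs.scheme, obs.netloc) != (sec.scheme, sec.netloc):
        return OTHER
    if obs.path == sec.path:              # the identifier lives in the path
        return LEAKED
    if obs.path in ("", "/"):             # "origin"-style policies send only this
        return ORIGIN_ONLY
    return OTHER

def examine(log_text, secret_url=SECRET_URL):
    """Verdict per log line; an empty log means the link was never followed."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    if not lines:
        return [NOT_ACCESSED]
    return [classify(parse_referer(l), secret_url) for l in lines]

def is_vulnerable(log_text, secret_url=SECRET_URL):
    """A service/browser pair is marked vulnerable if any hit leaked the URL."""
    return LEAKED in examine(log_text, secret_url)

if __name__ == "__main__":
    for verdict in examine(SAMPLE_LOG):
        print(verdict)
```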
Referrer Policy
First Public Draft (2014):
▪ "none"
▪ "none-when-downgrade"
▪ "origin-only"
▪ "origin-when-cross-origin"
▪ "unsafe-url"
Working Draft (2016):
▪ "no-referrer"
▪ "no-referrer-when-downgrade"
▪ "same-origin"
▪ "origin"
▪ "strict-origin"
▪ "origin-when-cross-origin"
▪ "strict-origin-when-cross-origin"
▪ "unsafe-url"
Currently a Candidate Recommendation
Evaluation - Common Insights
Reasons behind vulnerabilities:
Services
▪ Referrer Policy is not set by the OCS
▪ Referrer Policy option is not secure enough
▪ Different behavior on mobile and desktop browsers
Browsers
▪ Edge and iOS Safari support an older draft of Referrer Policy
Evaluation
7/21 Vulnerable
(Table of results; legend: Vulnerable / Not vulnerable / N/A)
Evaluation
▪ Edge and iOS Safari support an older draft of Referrer Policy
  e.g., Overleaf: "origin-when-cross-origin"
  → Overleaf changed to "no-referrer" and added rel="noreferrer" → no longer vulnerable
Evaluation
▪ Different behaviors on desktop and mobile browsers: PDF.js removes referrers, built-in mechanisms may not
  e.g., Box:
  ▪ Desktop browsers - PDF.js (removes referrers in requests)
  ▪ Mobile browsers - native PDF viewer (no referrer removal)
  ▪ "no-referrer-when-downgrade"
  ▪ Vulnerable: HTTPS → HTTPS
Evaluation
▪ Referrer Policy is not set by the OCS
  e.g., Onehub, LinkedIn SlideShare, Evernote
  ▪ Fallback to "no-referrer-when-downgrade"
  ▪ Vulnerable: HTTPS → HTTPS
Adoption of Referrer Policy
▪ First 100K of lists
(Chart of Referrer Policy adoption; the legend marks the less safe options)
Countermeasures
User:
▪ Configure browser settings
▪ Use browser extensions
▪ Use private browsing mode (on Firefox)
Provider:
▪ Trim HTTP Referer to only display the hostname
▪ Use rel="noreferrer"
▪ Redirect links inside documents
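Two of the provider-side countermeasures combined, as an added example (not the paper's or any OCS's code): external links in the rendered document get rel="noreferrer" and are routed through a redirect endpoint on the OCS, so the hop to the external site is a redirect whose response carries Referrer-Policy: no-referrer. The endpoint path, host name and sample HTML are constructed.

```python
"""Provider-side link rewriting: add rel="noreferrer" to external <a> tags and
send them through a same-origin redirect endpoint that answers with
Referrer-Policy: no-referrer, so the browser drops the document's secret URL
on the redirected hop as well. Added example; names and HTML are constructed."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

REDIRECT_PATH = "/redirect"        # hypothetical endpoint on the OCS itself
OCS_HOST = "www.ocs-name.com"      # constructed service host

# Constructed rendered document: one external link, one internal link.
SAMPLE_HTML = ('<p>See <a href="https://our-server.com/probe">the report</a> and '
               '<a href="/internal" class="x">our notes</a>.</p>')

def is_external(href):
    """Absolute http(s) links to another host are the ones that can leak."""
    p = urlsplit(href)
    return p.scheme in ("http", "https") and p.hostname not in (None, OCS_HOST)

def render_tag(tag, attrs):
    """Re-serialize a start tag; attribute values are re-escaped for output."""
    parts = [f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
             for k, v in attrs.items()]
    return "<" + tag + "".join(parts) + ">"

class LinkRewriter(HTMLParser):
    """Re-emit the document unchanged except for external <a href> tags."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and is_external(attrs.get("href") or ""):
            # Route through the redirector and add the noreferrer link type.
            attrs["href"] = f"{REDIRECT_PATH}?u={quote(attrs['href'], safe='')}"
            rel = set((attrs.get("rel") or "").split())
            rel.add("noreferrer")
            attrs["rel"] = " ".join(sorted(rel))
        self.out.append(render_tag(tag, attrs))
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def rewrite_links(doc):
    """Return the document with external links hardened as described above."""
    r = LinkRewriter()
    r.feed(doc)
    r.close()
    return "".join(r.out)

def redirect_response(query):
    """(status, headers) the redirect endpoint answers with. The Referrer-Policy
    on the 302 governs the referrer of the hop it triggers. Only http(s) targets
    are forwarded; the endpoint still forwards to any host, by design of the
    feature, so it should not be reachable with a guessable query by others."""
    target = parse_qs(query).get("u", [""])[0]
    if urlsplit(target).scheme not in ("http", "https"):
        return 400, {}
    return 302, {"Location": target, "Referrer-Policy": "no-referrer"}

if __name__ == "__main__":
    print(rewrite_links(SAMPLE_HTML))
```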
Future Steps
▪ Analyze different browsers and OCSs
▪ Investigate whether this vulnerability is known
  ▪ Embed links to several real-world websites
▪ Analyze the use of information
  ▪ Fill files with fake sensitive data
Conclusion
▪ We analyzed 21 OCSs by uploading different types of documents containing a link referring to our servers
▪ 7 out of 21 services are vulnerable
▪ Improper use of the Referrer Policy by online services
▪ Limited support offered by web browsers
THANK YOU
Referrer Policy - Definitions
"no-referrer": Referrer header is omitted entirely for requests to any origin.
"no-referrer-when-downgrade": Full referrer is sent in requests from a TLS protected environment to a potentially trustworthy URL and also from a non-TLS protected environment to any origin. Conversely, referrer header is omitted in requests from a TLS protected environment to a non-potentially trustworthy URL.
"same-origin": A full URL, stripped for use as a referrer (the algorithm to strip URLs is defined in [8]), is sent within requests to same-origin. However, the referrer header is omitted in cross-origin requests.
"origin": Along with both same-origin and cross-origin requests, an ASCII serialization of the referrer is sent. An example of this serialization result is given in Table 1.
"strict-origin": ASCII serialization of the referrer is sent along with requests from a TLS protected environment to a potentially trustworthy URL and from a non-TLS protected environment to any origin. Whereas no referrer is sent from a TLS-protected environment to a non-potentially trustworthy URL.
"origin-when-cross-origin": A full URL, stripped for use as a referrer, is sent within requests to same-origin. ASCII serialization of the origin of the request is sent within requests to cross-origin.
"strict-origin-when-cross-origin": A full URL, stripped for use as a referrer, is sent within requests to same-origin. For the cross-origin requests, the same schema is applied as "strict-origin".
"unsafe-url": A full URL, stripped for use as a referrer, is sent within both same-origin and cross-origin requests.
Countermeasures - “Safer” Policies
▪ "no-referrer"
  ▪ all requests: no referrer
▪ "same-origin"
  ▪ same origin requests: full referrer
  ▪ cross origin requests: no referrer
Countermeasures - “Safer” Policies
▪ "strict-origin"
  ▪ TLS-protected environment → potentially trustworthy URL: ASCII serialization
  ▪ non-TLS-protected environment → any origin: ASCII serialization
  ▪ TLS-protected environment → non-potentially trustworthy URL: no referrer
▪ "strict-origin-when-cross-origin"
  ▪ same origin requests: full referrer
  ▪ cross origin requests: same as “strict-origin”
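The policy semantics from the definitions slide and the two "safer policies" slides, as an added example that is not the paper's code: a small simulator that computes the Referer a browser sends for each policy value and lists which values still expose the <UniqueIdentifier> to a cross-origin link. It also models the draft-mismatch case from the evaluation (a browser that only knows one draft's policy names falls back to the default for the others). The share URL and link target are constructed placeholders.

```python
"""Simulate the Referer value a browser sends under each Referrer Policy
(definitions as on the 'Referrer Policy - Definitions' slide) and list the
policies that still expose the <UniqueIdentifier> of a shared file to a
cross-origin link. Added example, not from the paper; URLs are constructed."""
from urllib.parse import urlsplit, urlunsplit

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url")
DEFAULT = "no-referrer-when-downgrade"   # fallback when no known policy is set
# 2014 First Public Draft names, and what the 2016 Working Draft renamed them to.
DRAFT_2014 = ("none", "none-when-downgrade", "origin-only",
              "origin-when-cross-origin", "unsafe-url")
OLD_NAMES = {"none": "no-referrer", "none-when-downgrade": DEFAULT, "origin-only": "origin"}

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)

def ascii_origin(url):
    """ASCII serialization of the origin, e.g. https://www.ocs-name.com/ ."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"

def strip_for_referrer(url):
    """'Strip url for use as a referrer': drop credentials and fragment."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def potentially_trustworthy(url):
    """Simplified check: https and localhost count as potentially trustworthy."""
    p = urlsplit(url)
    return p.scheme == "https" or p.hostname in ("localhost", "127.0.0.1")

def referrer_for(policy, referrer_url, target_url, supported=POLICIES):
    """Referer the browser sends (None = omitted). 'supported' models which
    policy names the browser knows; an unknown or missing name falls back to
    DEFAULT, the draft-mismatch problem the evaluation saw on Edge/iOS Safari."""
    if policy not in supported:
        policy = DEFAULT
    policy = OLD_NAMES.get(policy, policy)
    same = origin(referrer_url) == origin(target_url)
    downgrade = urlsplit(referrer_url).scheme == "https" and not potentially_trustworthy(target_url)
    full, asc = strip_for_referrer(referrer_url), ascii_origin(referrer_url)
    if policy == "no-referrer": return None
    if policy == "no-referrer-when-downgrade": return None if downgrade else full
    if policy == "same-origin": return full if same else None
    if policy == "origin": return asc
    if policy == "strict-origin": return None if downgrade else asc
    if policy == "origin-when-cross-origin": return full if same else asc
    if policy == "strict-origin-when-cross-origin":
        return full if same else (None if downgrade else asc)
    return full                               # "unsafe-url"

def leaking_policies(secret_url, link_url, supported=POLICIES):
    """Policies under which the Referer still carries the secret path."""
    secret_path = urlsplit(secret_url).path
    leaking = []
    for p in POLICIES:
        r = referrer_for(p, secret_url, link_url, supported)
        if r is not None and urlsplit(r).path == secret_path:
            leaking.append(p)
    return leaking

# Constructed: Alice's share link and the cross-origin link in the document.
SECRET = "https://www.ocs-name.com/UNIQUE-ID-PLACEHOLDER"
LINK = "https://our-server.com/probe"
```

Running `leaking_policies(SECRET, LINK)` reproduces the HTTPS → HTTPS finding from the evaluation: only "no-referrer-when-downgrade" (the fallback when no policy is set) and "unsafe-url" still send the full secret URL cross-origin.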