PrivacyScore, PrivacyWeek, October 2017 (uni-hamburg.de)
TRANSCRIPT
Prof. Dr. Dominik Herrmann, Otto-Friedrich-Universität Bamberg
joint work with Anne Laubach (Uni Kassel), Max Maaß (TU Darmstadt), Henning Pridöhl (Uni Bamberg), and Pascal Wichmann (Uni Hamburg)
https://dhgo.to/pw17-slides
Test websites and rank them according to their security and privacy features
PRIVACYSCORE.ORG
Motivation
Who knows that … you are on welfare?
THE NEW NORMAL?
🤔
Existing website scanning services focus on single sites
https://www.ssllabs.com/ssltest · observatory.mozilla.org · securityheaders.io · urlscan.io
https://www.sit.fraunhofer.de/de/track-your-tracker · https://webbkoll.dataskydd.net/en
Existing scanning services …
… are targeted at server operators
… use a pre-defined rating scheme
Example: HSTS scoring in Mozilla's HTTP Observatory

Description                                                                | Modifier
---------------------------------------------------------------------------|---------
HSTS preloaded                                                             |   +5
HSTS header max-age ≥ 6 months                                             |    0
HSTS header max-age < 6 months                                             |  -10
HSTS header not implemented                                                |  -20
HSTS header cannot be set, as site contains an invalid certificate chain   |  -20

Source: https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/scoring.md
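The Observatory modifiers above are a small, fully specified rating scheme, so they are a good place to see what a "pre-defined" score actually computes. The following Python is an added example, not code from the Observatory or from PrivacyScore: it parses a Strict-Transport-Security header value and returns the modifier from the table. Two things are assumptions: "six months" is taken as 180 days, and the preloaded flag is passed in by the caller (in practice it has to be looked up in the Chromium preload list). The invalid-chain case is checked first because browsers ignore an HSTS header received over a connection with certificate errors (RFC 6797), so the header is worthless there even if present.

```python
import re
from typing import Optional

# Assumption: "six months" is modelled as 180 days, expressed in seconds.
SIX_MONTHS = 180 * 24 * 3600  # 15552000


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when the header is absent or carries no valid max-age,
    which is exactly the case a browser would treat as "no HSTS".
    """
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # Directive names are case-insensitive; values may be quoted.
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def hsts_modifier(header: Optional[str], preloaded: bool = False,
                  valid_chain: bool = True) -> int:
    """Return the Observatory HSTS modifier for one site.

    header      -- raw Strict-Transport-Security value, or None if absent
    preloaded   -- assumption: caller has already looked the host up in the
                   preload list; the header's own "preload" token is not enough
    valid_chain -- False if the TLS chain did not validate
    """
    if not valid_chain:
        # Browsers discard HSTS on a connection with certificate errors,
        # so the header "cannot be set" regardless of its content.
        return -20
    if preloaded:
        return 5
    parsed = parse_hsts(header)
    if parsed is None:
        return -20
    if parsed["max_age"] >= SIX_MONTHS:
        return 0
    return -10


if __name__ == "__main__":
    # Constructed header values, not taken from any real site.
    for hdr in ("max-age=31536000; includeSubDomains; preload",
                "max-age=86400", "max-age=oops", None):
        print(repr(hdr), "->", hsts_modifier(hdr))
```

A scheme like this is transparent but rigid: a site with a 179-day max-age gets the same penalty as one with a 1-day max-age, and a site whose header says `preload` but is not actually in the list gets no credit, which is why the preloaded flag is kept separate from the header token.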
PrivacyScore has a different focus.
Objective: public rankings to create incentives for operators to improve privacy and security on their site.
Visitors can upload annotated lists of websites and influence the ranking according to their preference (soon™).
All code open source (GPLv3+), all results published as open data.
USER-DEFINED ATTRIBUTES
Are the sites of large cities worse than those of smaller cities?
Any regional differences for websites of, e.g., universities?
Ranking and Detailed Results
Four categories of checks:
- Encryption to Website
- No Tracking
- Encryption to Mailserver
- Protection Against Other Attacks
Public Ranking (as of Oct 2017)
[screenshot: change sort order; detailed results of a site]
Predefined analyses for more transparency (under development)
Top 20 Cities

City       | Known Trackers | Third Party Servers | Third Party Cookies | Web: HTTPS        | Mail: STARTTLS
-----------|----------------|---------------------|---------------------|-------------------|----------------
Hamburg    | 40             | 81                  | 49                  | no redirection    | minor issues
Berlin     | 22             | 37                  | 17                  | minor issues      | no TLS 1.2
Leipzig    | 6              | 10                  | 5                   | no redirection    | minor issues
München    | 5              | 11                  | 3                   | enforces HTTP!    | minor issues
Bremen     | 4              | 13                  | 3                   | minor issues      | no TLS 1.2
Dresden    | 3              | 8                   | 4                   | no redirection    | minor issues
Düsseldorf | 2              | 3                   | 3                   | certificate issue | check timed out
Hannover   | 2              | 3                   | 1                   | minor issues      | minor issues
Köln       | 2              | 3                   | 1                   | enforces HTTP!    | minor issues
Stuttgart  | 1              | 7                   | 2                   | no redirection    | minor issues
Bielefeld  | 1              | 2                   | 0                   | no redirection    | minor issues
Bonn       | 1              | 1                   | 0                   | check timed out   | minor issues
Duisburg   | 0              | 4                   | 0                   | no redirection    | check timed out
Essen      | 0              | 2                   | 1                   | minor issues      | minor issues
Wuppertal  | 0              | 2                   | 0                   | minor issues      | minor issues
Münster    | 0              | 0                   | 0                   | minor issues      | no TLS 1.2
Dortmund   | 0              | 0                   | 0                   | no TLS 1.2        | minor issues
Nürnberg   | 0              | 0                   | 0                   | no TLS 1.2        | minor issues
Bochum     | 0              | 0                   | 0                   | minor issues      | minor issues
Frankfurt  | 0              | 0                   | 0                   | minor issues      | minor issues
Known tracker domains seen on the city sites (excerpt): adnxs.com, googlesyndication.com, mxcdn.net, adsafeprotected.com, tealiumiq.com, youtube.com, mookie1.com, adform.net, criteo.com, adtech.de, google-analytics.com, gstatic.com, truste.com, oms.eu, tiqcdn.com, adnet.de, mathtag.com, refinedads.com, stickyadstv.com, googleapis.com, smartadserver.com, doubleclick.net, theadex.com, m6r.eu, mpnrs.com, adition.com, fqtag.com, 2mdn.net, intelliad.de, ioam.de, meetrics.net, turn.com, fonts.com, cloudfront.net, mp-success.com, sascdn.com, adscale.de, nuggad.net, content-recommendation.net […]
(annotation: operated by media agencies)
BETA: some results may be wrong
NO. OF KNOWN TRACKERS (political parties)

Party      | 14 Aug | 27 Oct | Delta
-----------|--------|--------|------
Piraten    | 0      | 0      | –
Linke      | 0      | 1      | ‼
Die PARTEI | 0      | 0      | –
CDU        | 1      | 1      | –
Grüne      | 1      | 2      | ‼
SPD        | 1      | 0      | ☺
FDP        | 2      | 2      | –
AFD        | 4      | 4      | –
CSU        | 5      | 38     | ‼

Visualizing changes over time to track progress (under development)
All submitted websites are rescanned periodically.
[map: Fraction with NoTrack / Fraction with EncWeb; darker is worse]
Geographic analysis of university sites uncovers regional peculiarities (under development)
PrivacyScore also checks for typical information leaks
Example: http://www.xxxxxxxxxx.bg/phpinfo.php (REDACTED)
5.5.9-1ubuntu4.22 is the current version‼
Try to retrieve …
- /phpinfo.php
- /.git/ and /.svn/
- /server.key
- /backup.sql
- /server-status/
- […]
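The leak checks above are simple to state but easy to get wrong in practice: many sites answer every unknown path with a "soft 404" page and status 200, so a checker that only looks at the status code will report leaks that are not there. The following Python is an added example, not PrivacyScore's own checker: it probes the listed paths and only reports a leak when the body matches a content signature for that file type (a PHP version banner, a git ref, a PEM private key, SQL statements, the Apache status page). The signatures and the `.git/HEAD` / `.svn/entries` file choices are assumptions made for this example; the fetch function is injectable so the block runs offline against a constructed response set.

```python
import re
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Paths to probe and the body signature each must match to count as a leak.
# Assumption: these signatures are chosen for this example; they are not
# PrivacyScore's. Matching on content rather than on "HTTP 200" avoids
# false positives from sites that serve a soft-404 page for any path.
LEAK_SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "/phpinfo.php":    re.compile(r"PHP Version|phpinfo\(\)", re.I),
    "/.git/HEAD":      re.compile(r"^ref: refs/|^[0-9a-f]{40}$", re.M),
    "/.svn/entries":   re.compile(r"^\d+\s*$", re.M),
    "/server.key":     re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
    "/backup.sql":     re.compile(r"CREATE TABLE|INSERT INTO", re.I),
    "/server-status/": re.compile(r"Apache Server Status"),
}

# A fetcher maps a URL to (status, body). Network errors become status 0.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Real fetcher: GET the URL and return (status, first 64 KiB of body)."""
    req = Request(url, headers={"User-Agent": "leak-check-example/0.1"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except (URLError, OSError):
        return 0, ""


def find_leaks(base_url: str, fetch: Fetcher = http_fetch) -> List[str]:
    """Return the probed paths that are reachable AND carry the expected content."""
    leaks = []
    for path, signature in LEAK_SIGNATURES.items():
        status, body = fetch(urljoin(base_url, path))
        if status == 200 and signature.search(body):
            leaks.append(path)
    return leaks


# Constructed responses for an offline demonstration (not a real site).
# server.key answers 200 with an HTML "not found" page: a soft 404 that a
# status-only checker would wrongly flag as an exposed private key.
FAKE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "https://target.example/phpinfo.php":
        (200, "<h1>phpinfo()</h1><td>PHP Version 5.5.9-1ubuntu4.22</td>"),
    "https://target.example/.git/HEAD":
        (200, "ref: refs/heads/master\n"),
    "https://target.example/server.key":
        (200, "<html><body>Sorry, that page was not found.</body></html>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline fetcher serving FAKE_RESPONSES; everything else is a 404."""
    return FAKE_RESPONSES.get(url, (404, ""))


def demo() -> List[str]:
    """Run the checker against the constructed site."""
    return find_leaks("https://target.example/", fake_fetch)


if __name__ == "__main__":
    print("leaks found:", demo())  # phpinfo.php and .git/HEAD, not server.key
```

Against the constructed site the checker reports `/phpinfo.php` and `/.git/HEAD` but not `/server.key`, which answered 200 with a page that contains no key. When pointed at a real host with `http_fetch`, keep the rate-limiting concern from the ethical considerations in mind: six extra requests per site is cheap, but a list of thousands of sites rescanned periodically is not.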
More than 20 lists so far:
- Health insurers
- Universities
- Political parties
- Authorities
- Municipalities
- Hospitals
- Data protection authorities
- Global Top 500 (moz.com)
- Internet Service Providers
- Banks
- News Sites
- CCC Erfas / Chaostreffs […]
Ethical Considerations
1. Aren't you helping the bad guys? (dual use)
2. We don't want to overload servers. (rate limiting)
Legal Considerations
Legal considerations for running PrivacyScore (in Germany):
1. Websites are analyzed without consent of owners
2. Results are interpreted and used to obtain a ranking
3. Rankings are published on the PrivacyScore website
M. Maaß, A. Laubach, D. Herrmann: PrivacyScore: Analyse von Webseiten auf Sicherheits- und Privatheitsprobleme – Konzept und rechtliche Zulässigkeit [Analysis of websites for security and privacy problems: concept and legal admissibility]. GI INFORMATIK 2017, Workshop Recht und Technik. https://arxiv.org/abs/1705.08889 (2017)
Received one abuse report since June 2017, after scanning a mail server.
Whitelisting policy: we may stop scanning upon request, but publish this fact on the site.
Summary
PrivacyScore: test and rank websites according to security and privacy features
Creates transparency, awareness, and incentives for site operators
What checks would you want to see?
Upload your own lists today!
Prof. Dr. Dominik Herrmann, @herdom, https://dhgo.to/pw17-slides