This document discusses how cookie synchronization can breach the privacy of users browsing over encrypted VPN or TLS connections. It shows how a curious monitoring entity like an ISP can use cookie synchronization between HTTP and HTTPS domains to re-identify users, learn their unique IDs, and reconstruct their browsing history, even after they have changed IP addresses. The document analyzes data from 12,000 Alexa top websites and finds that around 1 in 13 expose users to these privacy leaks through cookie synchronization between HTTP and HTTPS requests and domains. It calls for browsers to restrict cookie synchronization and only allow explicit use of TLS to prevent these privacy breaches.
How the Cookie Monster breached encrypted VPN sessions
1. How the (synced) Cookie
Monster breached my
encrypted VPN session
Panagiotis Papadopoulos
FORTH-ICS, Greece
Nicolas Kourtellis, Evangelos P. Markatos
3. Online privacy starts drawing corporate attention
•More elaborate anti-tracking mechanisms
•More and more vendors provide privacy preserving tools
Panagiotis Papadopoulos ~ panpap@ics.forth.gr 4
4. User Data matter
• For advertisers
e.g., ad auctions, targeted advertising
• For ISPs
(2017) Congress cleared way for ISPs to sell
browsing history
• For agencies
(2013) NSA used google cookies to pinpoint
targets for hacking*
*https://www.washingtonpost.com/news/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-
pinpoint-targets-for-hacking/
5. Good news!
• Adoption of TLS-supported websites increases*
• VPN services become an embedded feature of Browsers
*Firefox telemetry: 70% of page loads use HTTPS. https://letsencrypt.org/stats/#percent-pageloads
6. So this was it! We are safe!
7. In this paper...
Cookie Synchronization may wreck the
anonymity of users browsing over TLS and VPN
We show how:
8. What is Cookie Synchronization?
• technique to bypass same-origin policy
• match different pseudonymous user IDs that 2 domains have assigned
to the same user
Re-identification of users after cookie erasure
9. Threat Model
• curious monitoring entity
(e.g., an ISP)
• collects user data
(e.g., location and browsing patterns or interests)
• afterwards sells it to anyone interested
(e.g., data management platforms, advertisers or data brokers)
10. The Breach (1/2)
1. User visits https://example.com over
VPN.
2. example.com is ad-supported
collaborating with https://tracker1.com:
• tracker1.com provides audience segments for
personalized advertising
• tracker1.com sets a cookie (user123) on the
user-side
11. The Breach (2/2)
3. tracker1.com redirects user
to http://tracker2.com:
• piggybacks its cookie in location URL (user123)
• allows tracker2 to read (or set) its own cookie
(userABC)
(1) ID-spilling:
userABC==user123
(2) browsing history leak: user123
just visited example.com
12. Spilling out of TLS
• VPN + TLS-supporting site
• ISP learned:
1. userABC==user123
2. user123 just visited example.com
• whenever ISP sees request from tracker2.com of user123 it will reidentify the
user who visited example.com
...even if she
changes her IP!
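The breach on slides 10-12 expressed as an audit check, as an added example that is not code from the talk or the paper: it scans a crawl log of one page load for cookie-sync requests and reports what an on-path observer reads from the plain-HTTP ones. The record layout, tracker3.com and the ID userXYZ are assumptions; the Referer values are constructed, and whether a browser actually sends Referer on such a request depends on its referrer policy.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed crawl log for one page load of https://example.com.
# Hosts and IDs follow the slides; tracker3.com/userXYZ are added for contrast.
FIRST_PARTY = "example.com"
LOG = [
    {"url": "https://tracker1.com/pixel?pub=example.com",
     "cookie": {"uid": "user123"}, "referer": "https://example.com/"},
    {"url": "http://tracker2.com/sync?partner=tracker1&puid=user123",
     "cookie": {"id": "userABC"}, "referer": "https://example.com/"},
    {"url": "https://tracker3.com/sync?puid=user123",
     "cookie": {"id": "userXYZ"}, "referer": "https://example.com/"},
]

def find_sync_events(log):
    """Flag requests whose URL carries an ID that another host holds as a cookie."""
    owner = {}  # cookie value -> first host seen sending it as its own cookie
    for rec in log:
        host = urlsplit(rec["url"]).hostname
        for value in rec["cookie"].values():
            owner.setdefault(value, host)
    events = []
    for rec in log:
        parts = urlsplit(rec["url"])
        for _, value in parse_qsl(parts.query):
            src = owner.get(value)
            if src and src != parts.hostname:  # ID piggybacked to a different host
                events.append({
                    "from": src, "to": parts.hostname, "synced_id": value,
                    "own_ids": sorted(rec["cookie"].values()),
                    "plaintext": parts.scheme == "http",
                    "referer": rec.get("referer"),
                })
    return events

def observer_view(events, first_party):
    """What an on-path observer reads from the plain-HTTP sync requests only."""
    leaks = []
    for ev in events:
        if not ev["plaintext"]:
            continue  # sync over TLS: URL, Cookie and Referer are encrypted
        ref_host = urlsplit(ev["referer"] or "").hostname
        leaks.append({
            "linked_ids": sorted([ev["synced_id"], *ev["own_ids"]]),  # ID-spilling
            "visited": first_party if ref_host == first_party else None,
        })
    return leaks

if __name__ == "__main__":
    print(observer_view(find_sync_events(LOG), FIRST_PARTY))
```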
13. The Dataset
Type                                   Amount
Alexa Top Websites crawled             12000
HTTP(S) requests                       440000
TLS websites                           8398/12000
TLS websites with CSync                2317/8398
Unique synced IDs in TLS websites      9045
Unique cookie IDs leaked               609/9045
Leaked (over TLS) visited websites     174/2317
More about Cookie Synchronization detection: Panagiotis Papadopoulos, Nicolas Kourtellis, and Evangelos P. Markatos,
The cost of digital advertisement: Comparing user and advertiser views, WWW’18
14. Real example
Track these 2 cookie
IDs and you know who
this user is
The synced ID links together all
consecutive set cookies
15. Non-TLS synchronizations in TLS websites
Distribution of non-TLS sync requests per TLS website.
1 in 13 of the websites include
at least one plain-HTTP Sync request.
16. Parties that learn each synced ID
10% of cookie IDs get synced with more than 17 third
parties and thus link more than 17 different cookies
17. Countermeasures
• Careless third parties impede the overall adoption of HTTPS
• Websites cannot always prevent mixed content
✓ Browser vendors must
1. Force explicit use of TLS*
2. Strip requests of any information (e.g., referrer field) that may link together
HTTPS and HTTP traffic
*Chrome will mark all HTTP sites as ‘not secure’ starting in July 2018
https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl
18. Conclusion
• severe breach caused by Cookie Synchronization
to TLS and VPN (TOR?) users
• Leaks:
• User unique ID allowing a snooping entity to re-identify user on the web
• Visited website allowing the reconstruction of browsing history
• 1 out of 13 of the top 12K Alexa sites expose their visitors to these privacy
leaks
• Time to get rid of plain HTTP!