How the (synced) Cookie Monster breached my encrypted VPN session
Panagiotis Papadopoulos
FORTH-ICS, Greece
Nicolas Kourtellis, Evangelos P. Markatos
Online privacy starts drawing people’s attention
Panagiotis Papadopoulos ~ panpap@ics.forth.gr 3
Online privacy starts drawing corporate attention
• More elaborate anti-tracking mechanisms
• More and more vendors provide privacy-preserving tools
User data matter
• For advertisers
  e.g., ad auctions, targeted advertising
• For ISPs
  (2017) Congress cleared the way for ISPs to sell browsing history
• For agencies
  (2013) NSA used Google cookies to pinpoint targets for hacking*
*https://www.washingtonpost.com/news/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/
Good news!
• Adoption of TLS-supporting websites increases*
• VPN services become an embedded feature of browsers
*Firefox telemetry: 70% of page loads use HTTPS. https://letsencrypt.org/stats/#percent-pageloads
So this was it! We are safe!
In this paper...
Cookie Synchronization can wreck the anonymity of users even over TLS and VPN
We show how:
What is Cookie Synchronization?
• a technique to work around the same-origin policy on cookies: a domain can only read the cookies it set itself
• matches the different pseudonymous user IDs that two domains have assigned to the same user
• consequence: re-identification of users even after they erase their cookies
Threat Model
• a curious monitoring entity
  (e.g., an ISP; for a VPN user, any passive observer between the VPN exit and the tracker, the VPN provider included)
• collects user data
  (e.g., location and browsing patterns or interests)
• afterwards sells it to anyone interested
  (e.g., data management platforms, advertisers or data brokers)
The Breach (1/2)
1. The user visits https://example.com over a VPN.
2. example.com is ad-supported and collaborates with https://tracker1.com:
  • tracker1.com provides audience segments for personalized advertising
  • tracker1.com sets a cookie (user123) on the user side
The Breach (2/2)
3. tracker1.com redirects the user to http://tracker2.com, i.e., to plain HTTP:
  • it piggybacks its own cookie ID (user123) in the Location URL
  • this lets tracker2.com read (or set) its own cookie (userABC) and match the two
Both the redirect URL and tracker2.com's cookie now travel in cleartext, so anyone on the path learns:
(1) ID spilling: userABC == user123
(2) browsing history leak: user123 just visited example.com
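The redirect chain of steps 1-3, as an added example that is not part of the original slides or of the paper's tooling: a constructed Python simulation of tracker1.com (reached over TLS), tracker2.com (plain HTTP), a browser cookie jar and a passive on-path observer. The tracker handlers, the cookie names (t1id, t2id), the URLs and the assumption that the referring page also rides along as a query parameter (r=) are all assumptions for illustration; the observer is assumed to see only the server name of TLS hops (DNS/SNI) and the full request and response of plain-HTTP hops.

```python
"""Constructed simulation of the cookie-sync redirect chain and of what a
passive observer on the path can read. Not the paper's crawler: the two
tracker handlers, the browser's cookie jar and the observer are assumed.
Only the plain-HTTP hop is readable; for TLS hops the observer is assumed to
learn just the server name (DNS/SNI), never the URL or the cookies.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

PAGE = "https://example.com/article"      # the TLS site visited over the VPN


def tracker1(request):
    """tracker1.com, reached over TLS: sets its own ID and bounces the browser
    to tracker2.com over plain HTTP, piggybacking the ID in the Location URL.
    Assumed: the referring page travels as a query parameter (r=) as well."""
    uid = "user123"
    sync_url = "http://tracker2.com/sync?" + urlencode(
        {"uid": uid, "r": request["referer"]})
    return {"status": 302,
            "headers": {"Set-Cookie": f"t1id={uid}; Secure", "Location": sync_url}}


def tracker2(request, synced):
    """tracker2.com, plain HTTP: reads (or sets) its own ID and records the
    match uid <-> own ID in its server-side sync table."""
    uid = parse_qs(urlsplit(request["url"]).query)["uid"][0]
    jar = SimpleCookie(request["cookie"])
    own = jar["t2id"].value if "t2id" in jar else "userABC"   # fresh ID if none
    synced[own] = uid
    return {"status": 200, "headers": {"Set-Cookie": f"t2id={own}"}}


class Browser:
    """Per-host cookie jar; drops the Referer on an https -> http downgrade,
    as the default referrer policy of the time did."""

    def __init__(self):
        self.jar = {}

    def request(self, url, referer):
        host = urlsplit(url).hostname
        downgrade = (urlsplit(referer).scheme == "https"
                     and urlsplit(url).scheme == "http")
        cookie = "; ".join(f"{k}={v}" for k, v in self.jar.get(host, {}).items())
        return {"url": url, "referer": "" if downgrade else referer, "cookie": cookie}

    def store(self, url, response):
        host = urlsplit(url).hostname
        morsels = SimpleCookie(response["headers"].get("Set-Cookie", ""))
        self.jar.setdefault(host, {}).update({k: m.value for k, m in morsels.items()})


def observe(url, request, response):
    """Cleartext view of one hop for a passive observer."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return {"host": parts.hostname, "encrypted": True}
    return {"host": parts.hostname, "encrypted": False, "url": url,
            "cookie": request["cookie"],
            "set_cookie": response["headers"].get("Set-Cookie", "")}


def run_breach():
    """Load tracker1's pixel from PAGE and follow the sync redirect.
    Returns tracker2's sync table and the observer's per-hop view."""
    browser, synced, wire = Browser(), {}, []
    url = "https://tracker1.com/pixel.gif"
    for _ in range(5):                                   # bounded redirect chase
        req = browser.request(url, PAGE)
        host = urlsplit(url).hostname
        resp = tracker1(req) if host == "tracker1.com" else tracker2(req, synced)
        browser.store(url, resp)
        wire.append(observe(url, req, resp))
        if resp["status"] != 302:
            break
        url = resp["headers"]["Location"]
    return synced, wire


def observer_learned(wire):
    """Reconstruct the two leaks from the cleartext hops only."""
    learned = {}
    for hop in wire:
        if hop["encrypted"]:
            continue
        query = parse_qs(urlsplit(hop["url"]).query)
        cookies = SimpleCookie(hop["set_cookie"])
        cookies.load(hop["cookie"])
        learned["synced_id"] = query["uid"][0]                  # tracker1's ID
        learned["tracker2_id"] = cookies["t2id"].value          # tracker2's ID
        learned["visited"] = urlsplit(query["r"][0]).hostname   # the TLS site
    return learned


if __name__ == "__main__":
    table, hops = run_breach()
    print("tracker2 sync table:", table)
    print("observer learned:", observer_learned(hops))
```

Run stand-alone it shows that the observer never reads the TLS hop to tracker1.com, yet learns user123, userABC and example.com from the single plain-HTTP hop; stripping the Referer on the downgrade (which the simulated browser does) changes nothing when the same information is carried in the redirect URL itself.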
Spilling out of TLS
• VPN + TLS-supporting site
• yet the ISP learned:
  1. userABC == user123
  2. user123 just visited example.com
• the TLS hops hide the page and tracker1.com's cookie, but the plain-HTTP sync request exposes the ID and the referring site to whoever reads the traffic after the VPN exit
• whenever the ISP sees a request to tracker2.com carrying user123 (or userABC), it re-identifies the user who visited example.com
...even if she changes her IP!
The Dataset
Type                                          Amount
Alexa Top websites crawled                    12,000
HTTP(S) requests                              440,000
TLS websites                                  8,398 / 12,000
TLS websites with Cookie Synchronization      2,317 / 8,398
Unique synced IDs in TLS websites             9,045
Unique cookie IDs leaked (over plain HTTP)    609 / 9,045
TLS websites whose visit was leaked           174 / 2,317
More about Cookie Synchronization detection: Panagiotis Papadopoulos, Nicolas Kourtellis, and Evangelos P. Markatos, The cost of digital advertisement: Comparing user and advertiser views, WWW’18
Real example (figure)
Track these two cookie IDs and you know who this user is.
The synced ID links together all consecutively set cookies.
Non-TLS synchronizations in TLS websites
(figure) Distribution of non-TLS sync requests per TLS website.
1 in 13 of the websites includes at least one plain-HTTP sync request.
Parties that learn each synced ID
(figure) 10% of cookie IDs get synced with more than 17 third parties and thus link together more than 17 different cookies
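Covering both the re-identification across IP changes from the "Spilling out of TLS" slide and the many-party linking of one synced ID shown here, an added example that is not from the slides or the paper: constructed Python code that plays the passive observer, reads a small constructed log of cleartext sync requests, joins every ID seen together in one request with union-find, and maps a later request from a new IP back to the same user. The log lines, tracker names, cookie names and the ID heuristics (a query value counts as an ID if it is a cookie value seen in the clear or an opaque value recurring across requests; an http(s) URL in a query value counts as the leaked referring page) are all assumptions.

```python
"""Constructed example of passive re-identification from plain-HTTP sync
requests. The log, the trackers and the heuristics are all assumed:
a value is taken as a user ID if it is a cookie value seen in the clear, or
an opaque query value that recurs across requests; any query value that is an
http(s) URL is taken as the leaked referring page.
"""
from collections import Counter, defaultdict
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Constructed log. Fields: timestamp|client IP|URL|Cookie|Set-Cookie ('-' = none)
LOG = """\
2018-05-01T10:00:01Z|203.0.113.7|http://tracker2.com/sync?uid=user123&r=https%3A%2F%2Fexample.com%2Farticle|-|t2id=userABC
2018-05-01T10:00:02Z|203.0.113.7|http://tracker3.com/cm?partner=userABC|-|t3id=zz9-4k
2018-05-01T10:00:03Z|203.0.113.7|http://tracker4.com/match?t3=zz9-4k|t4id=q77|-
2018-05-02T08:15:09Z|198.51.100.9|http://tracker2.com/sync?uid=user123&r=https%3A%2F%2Fnews.example.org%2F|t2id=userABC|-
2018-05-02T08:15:10Z|198.51.100.9|http://tracker5.com/cm?uid=user123|-|t5id=m3m3
2018-05-03T19:40:00Z|192.0.2.44|http://tracker3.com/cm?partner=userABC|t3id=zz9-4k|-
"""


class UnionFind:
    """Disjoint sets over ID values: IDs seen in one request are the same user."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]      # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, ip, url, cookie, set_cookie = line.split("|")
        rows.append({"ts": ts, "ip": ip, "url": url,
                     "cookie": "" if cookie == "-" else cookie,
                     "set_cookie": "" if set_cookie == "-" else set_cookie})
    return rows


def cookie_values(row):
    """Every cookie value sent or set in the clear on this request."""
    vals = set()
    for header in (row["cookie"], row["set_cookie"]):
        vals.update(m.value for m in SimpleCookie(header).values())
    return vals


def query_values(row):
    return [v for _, v in parse_qsl(urlsplit(row["url"]).query)]


def build_profiles(rows):
    """Link every ID observed in the clear; attribute leaked sites, client IPs
    and the parties that learned each ID to the resulting user profile."""
    uf, parties, events = UnionFind(), defaultdict(set), []
    known = {v for row in rows for v in cookie_values(row)}
    recurring = Counter(v for row in rows for v in query_values(row))
    for row in rows:
        host = urlsplit(row["url"]).hostname
        ids, sites = cookie_values(row), set()
        for value in query_values(row):
            if urlsplit(value).scheme in ("http", "https"):
                sites.add(urlsplit(value).hostname)          # leaked referring page
            elif value in known or recurring[value] > 1:
                ids.add(value)                                # synced ID in the URL
        if not ids:
            continue
        for value in ids:
            parties[value].add(host)
        first, *rest = sorted(ids)
        for value in rest:
            uf.union(first, value)
        events.append((first, sites, row["ip"]))
    profiles = defaultdict(lambda: {"ids": set(), "sites": set(),
                                    "ips": set(), "parties": set()})
    for value, hosts in parties.items():
        profile = profiles[uf.find(value)]
        profile["ids"].add(value)
        profile["parties"] |= hosts
    for value, sites, ip in events:
        profile = profiles[uf.find(value)]
        profile["sites"] |= sites
        profile["ips"].add(ip)
    return uf, dict(profiles)


def reidentify(uf, profiles, cookie_header):
    """Map the cleartext cookie of a new request, from any IP, to its profile."""
    for morsel in SimpleCookie(cookie_header).values():
        profile = profiles.get(uf.find(morsel.value))
        if profile is not None:
            return profile
    return None


if __name__ == "__main__":
    uf, profiles = build_profiles(parse_log(LOG))
    for root, profile in profiles.items():
        print(f"cluster {root}: {len(profile['ids'])} IDs known to "
              f"{len(profile['parties'])} parties, seen from {sorted(profile['ips'])}, "
              f"visited {sorted(profile['sites'])}")
    print("new IP, cookie t4id=q77 ->", reidentify(uf, profiles, "t4id=q77")["sites"])
```

Run stand-alone it collapses the six requests into one user cluster of five IDs known to four trackers, seen from three different client IPs, with two visited sites attributed; a fresh request carrying only t4id=q77 from yet another IP lands in the same cluster. The join is the same one the trackers perform server-side, but the observer needs nothing beyond the cleartext hops.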
Countermeasures
• Careless third parties impede the overall adoption of HTTPS
• Websites cannot always prevent mixed content: the downgrade happens inside a redirect chain issued by a third party, outside the publisher's control
✓ Browser vendors must
  1. Force explicit use of TLS*
  2. Strip requests of any information (e.g., the Referer field) that may link HTTPS and HTTP traffic together
*Chrome will mark all HTTP sites as ‘not secure’ starting in July 2018
https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl
Conclusion
• severe breach caused by Cookie Synchronization for TLS and VPN (Tor?) users
• Leaks:
  • the user's unique ID, allowing a snooping entity to re-identify the user on the web
  • the visited website, allowing the reconstruction of browsing history
• 1 out of 13 of the top 12K Alexa sites exposes its visitors to these privacy leaks
• Time to get rid of plain HTTP!
