Transcript Privacy and Security on the Web

Privacy and Security on
the Web
Part 1
Agenda



Questions? Stories?
IRB: I will review and hopefully send
tomorrow.
Proposals: I will grade by next
Tuesday
In The Beginning…




Man-in-the-middle
Sniffing
SSL solved these
Browser SSL indicators
–
–
–
–
Locks
Keys
Borders
URL bar
Question: How would you show users that a secure
connection exists?
Now Common
Vulnerabilities




ActiveX Controls
Java applets (bypassing of sandbox’s restrictions)
Cross-Site Scripting (mainly faults of web sites)
Cross-Zone and Cross-Domain Vulnerabilities
– Prevention of a web site from accessing data in a different
domain (or zone) is broken


Malicious Scripting, Active Content, and HTML
Spoofing (faking various parts of the browser user
interface)
Also Privacy

Users give personal information to get
something
creating accounts, completing real world
transactions, etc.
 Cookies (usernames, sessionIDs, etc.)
 (which of course leads to phishing)


Just part of visiting a site
Tracking cookies
 Web bugs
 Traffic logs

So what do users do?

Privacy practices paper results:
– Users actions and stated preferences
don’t always agree
– Users do not understand current
technologies relating to privacy
– Judge “trustworthiness” on a variety of
factors
– Do not read privacy policies, but do use
their presence to judge trust
Implications?
Privacy policies

How to make one:
– http://www.the-dma.org/privacy/creating.shtml#form

Examples:
– http://www.amazon.com/gp/help/customer/display.html/1
02-1254057-3890544?ie=UTF8&nodeId=468496
What’s wrong with them?


Accessibility?
Readability?
– Number of notices contain complex
language requiring college-level
knowledge


Length (time)
Content
See Jensen and Potts. Privacy policies as decision-making tools: an
evaluation of online privacy notices. CHI 2004.
Proposed solution: P3P

What is P3P?
What do you think of P3P?
What happened to P3P?

Creating P3P policies:


– http://www.p3ptoolbox.org/tools/resources1.shtml
P3P and P3P user agents


What: machine readable privacy policy in XML
format.
How does it work?
– website encode their privacy policies in P3P format
– User agents read the policy and parse it out


Benefit: Offers an easy way for web sites to
communicate about their privacy policies in a
standard machine-readable format
Privacy is visualized in the following ways:
– Summarize privacy policies
– Compare policies with user preferences
– Alert and advise users
Privacy Bird: demo

Opinions on Privacy Bird?
Web Bugs and Traffic
Logs





Loading of remote image that doesn’t
impact visual layout of page
Set 3rd party cookie
Remote server can log event of image load
even if cookie is rejected
However, there are lots of cases where we
want our browsers to load images and
display them to us
Can be difficult to tell when this action is
beneficial and when it isn’t
Bugnosis: A demo

Thoughts?
P3P in IE6
Automatic processing of compact
policies only;
third-party cookies without compact
policies blocked by default
Privacy icon on status bar
indicates that a cookie has been
blocked – pop-up appears the
first time the privacy icon
appears
Users can click on
privacy icon for
list of cookies;
privacy summaries
are available at
sites that are
P3P-enabled
Privacy summary
report is
generated
automatically
from full P3P policy
What other tools are out
there?









Anti-spyware
Cookie managers
Anonymizers
Password managers and protectors
Anti-phishing toolbars
Encryption tools
Disk wiping utilities
What do you use?
What do you do manually to protect
yourself?
Research question


What privacy issues should people be
aware of on the Internet?
How do we build tools to make people
aware of these?
Next week




More Security/Privacy and the Internet
Heuristic eval of Firefox extensions
Test prep
Exam: 2 weeks from today