PrivacyScore PrivacyWeek 2017-10 - uni-hamburg.de
TRANSCRIPT
![Page 1](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/1.jpg)
Prof. Dr. Dominik Herrmann, Otto-Friedrich-Universität Bamberg
joint work with Anne Laubach (Uni Kassel), Max Maaß (TU Darmstadt), Henning Pridöhl (Uni Bamberg), and Pascal Wichmann (Uni Hamburg)
https://dhgo.to/pw17-slides
Test websites and rank them according to their security and privacy features
PRIVACYSCORE.ORG
![Page 2](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/2.jpg)
Motivation
![Page 3](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/3.jpg)
Who knows that … you are on welfare?
THE NEW NORMAL? 🤔
![Page 4](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/4.jpg)
Existing Website Scanning Services focus on single sites
![Page 5](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/5.jpg)
https://www.ssllabs.com/ssltest · observatory.mozilla.org · securityheaders.io · urlscan.io
![Page 6](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/6.jpg)
https://www.sit.fraunhofer.de/de/track-your-tracker · https://webbkoll.dataskydd.net/en
![Page 7](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/7.jpg)
Existing Scanning Services …
… are targeted at server operators
… use a pre-defined rating scheme

| Description | Modifier |
|---|---|
| HSTS preloaded | 5 |
| HSTS header max-age ≥ 6 months | 0 |
| HSTS header max-age < 6 months | -10 |
| HSTS header not implemented | -20 |
| HSTS header cannot be set, as site contains an invalid certificate chain | -20 |

https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/scoring.md
![Page 8](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/8.jpg)
PrivacyScore has a different focus.
Objective: public rankings to create incentives for operators to improve privacy and security on their site.
Visitors can upload annotated lists of websites and influence the ranking according to their preference (soon™).
All code open source (GPLv3+), all results published as open data.
USER-DEFINED ATTRIBUTES
Are the sites of large cities worse than those of smaller cities?
Any regional differences for websites of, e.g., universities?
![Page 9](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/9.jpg)
Ranking and Detailed Results
Four categories of checks:
Encryption to Website
No Tracking
Encryption to Mail Server
Protection Against Other Attacks
![Page 10](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/10.jpg)
Public Ranking (as of Oct 2017)
change sort order
![Page 11](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/11.jpg)
detailed results of a site
![Page 12](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/12.jpg)
![Page 13](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/13.jpg)
Predefined analyses for more transparency (under development)

| Top 20 Cities | Known Trackers | Third Party Servers | Third Party Cookies | Web: HTTPS | Mail: STARTTLS |
|---|---|---|---|---|---|
| Hamburg | 40 | 81 | 49 | no redirection | minor issues |
| Berlin | 22 | 37 | 17 | minor issues | no TLS 1.2 |
| Leipzig | 6 | 10 | 5 | no redirection | minor issues |
| München | 5 | 11 | 3 | enforces HTTP! | minor issues |
| Bremen | 4 | 13 | 3 | minor issues | no TLS 1.2 |
| Dresden | 3 | 8 | 4 | no redirection | minor issues |
| Düsseldorf | 2 | 3 | 3 | certificate issue | check timed out |
| Hannover | 2 | 3 | 1 | minor issues | minor issues |
| Köln | 2 | 3 | 1 | enforces HTTP! | minor issues |
| Stuttgart | 1 | 7 | 2 | no redirection | minor issues |
| Bielefeld | 1 | 2 | 0 | no redirection | minor issues |
| Bonn | 1 | 1 | 0 | check timed out | minor issues |
| Duisburg | 0 | 4 | 0 | no redirection | check timed out |
| Essen | 0 | 2 | 1 | minor issues | minor issues |
| Wuppertal | 0 | 2 | 0 | minor issues | minor issues |
| Münster | 0 | 0 | 0 | minor issues | no TLS 1.2 |
| Dortmund | 0 | 0 | 0 | no TLS 1.2 | minor issues |
| Nürnberg | 0 | 0 | 0 | no TLS 1.2 | minor issues |
| Bochum | 0 | 0 | 0 | minor issues | minor issues |
| Frankfurt | 0 | 0 | 0 | minor issues | minor issues |
![Page 14](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/14.jpg)
Third-party servers found (excerpt): adnxs.com, googlesyndication.com, mxcdn.net, adsafeprotected.com, tealiumiq.com, youtube.com, mookie1.com, adform.net, criteo.com, adtech.de, google-analytics.com, gstatic.com, truste.com, oms.eu, tiqcdn.com, adnet.de, mathtag.com, refinedads.com, stickyadstv.com, googleapis.com, smartadserver.com, doubleclick.net, theadex.com, m6r.eu, mpnrs.com, adition.com, fqtag.com, 2mdn.net, intelliad.de, ioam.de, meetrics.net, turn.com, fonts.com, cloudfront.net, mp-success.com, sascdn.com, adscale.de, nuggad.net, content-recommendation.net […]
operated by media agencies
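The "Third Party Servers" and "Known Trackers" columns are counts over the hosts a page loads resources from. The following added example (written for this page, not PrivacyScore's code) shows the classification step: every host whose registrable domain differs from the first party's is a third-party server, and a third-party host is a known tracker when it matches a tracker list by domain suffix. The tracker list is an excerpt of the domains above; the sample request URLs and the hostname www.example-city.de are constructed for the example; and the registrable-domain helper is a last-two-labels approximation that a real scanner replaces with a public suffix list.

```python
"""Count the third-party servers and known trackers a page contacts.
Added example, not PrivacyScore's own code."""
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Excerpt of the tracker domains listed on the slide.
KNOWN_TRACKERS = {
    "adnxs.com", "googlesyndication.com", "doubleclick.net", "google-analytics.com",
    "criteo.com", "adform.net", "ioam.de", "tealiumiq.com", "tiqcdn.com", "2mdn.net",
}

# Constructed sample: resource URLs a crawler might record while loading
# https://www.example-city.de/ (the hostname is made up for this example).
SAMPLE_REQUESTS = [
    "https://www.example-city.de/",
    "https://www.example-city.de/static/app.js",
    "https://cdn.example-city.de/logo.png",               # same registrable domain: first party
    "https://www.google-analytics.com/analytics.js",
    "https://stats.g.doubleclick.net/r/collect?v=1",
    "https://fonts.googleapis.com/css?family=Open+Sans",  # third party, not on the tracker list
    "https://ib.adnxs.com/ttj?id=1",
    "https://ib.adnxs.com/ttj?id=2",                      # same host again: counted once
    "https://de.ioam.de/tx.io?st=example",
]


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Assumption made for this example only: real data needs a public suffix
    list (e.g. the publicsuffix2 package), otherwise www.example.co.uk would
    collapse to co.uk and every .co.uk host would look like first party."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_known_tracker(host: str, trackers: Iterable[str] = KNOWN_TRACKERS) -> bool:
    """Match by domain suffix (stats.g.doubleclick.net is a doubleclick.net
    host), never by substring, so notdoubleclick.net does not match."""
    h = host.lower()
    return any(h == t or h.endswith("." + t) for t in trackers)


def classify_requests(first_party_url: str, request_urls: Iterable[str]) -> Dict[str, object]:
    """Return the two counts plus the hosts behind them."""
    first_party = registrable_domain(urlsplit(first_party_url).hostname or "")
    third_party: List[str] = []
    trackers: List[str] = []
    for url in request_urls:
        host = urlsplit(url).hostname
        if not host or registrable_domain(host) == first_party:
            continue
        if host not in third_party:            # distinct hosts; this example's counting unit
            third_party.append(host)
            if is_known_tracker(host):
                trackers.append(host)
    return {
        "third_party_servers": len(third_party),
        "known_trackers": len(trackers),
        "third_party_hosts": third_party,
        "tracker_hosts": trackers,
    }


if __name__ == "__main__":
    print(classify_requests("https://www.example-city.de/", SAMPLE_REQUESTS))
```

Counting distinct hosts is this example's choice; the slide does not state whether PrivacyScore counts hosts or registrable domains, and the numbers in the table will differ depending on that unit.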
![Page 15](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/15.jpg)
BETA: some results may be wrong
![Page 16](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/16.jpg)
NO. OF KNOWN TRACKERS: Visualizing changes over time to track progress (under development)
All submitted websites are rescanned periodically.

| Party | 14 Aug | 27 Oct | Delta |
|---|---|---|---|
| Piraten | 0 | 0 | – |
| Linke | 0 | 1 | ‼ |
| Die PARTEI | 0 | 0 | – |
| CDU | 1 | 1 | – |
| Grüne | 1 | 2 | ‼ |
| SPD | 1 | 0 | ☺ |
| FDP | 2 | 2 | – |
| AFD | 4 | 4 | – |
| CSU | 5 | 38 | ‼ |
![Page 17](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/17.jpg)
Geographic analysis of university sites uncovers regional peculiarities (under development)
[Maps: Fraction with NoTrack / Fraction with EncWeb; darker is worse]
![Page 18](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/18.jpg)
PrivacyScore also checks for typical information leaks
http://www.xxxxxxxxxx.bg/phpinfo.php (REDACTED)
5.5.9-1ubuntu4.22 is the current version‼
Try to retrieve …
/phpinfo.php, /.git/ and /.svn/, /server.key, /backup.sql, /server-status/
[…]
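The leak check above is "try to retrieve a list of paths", and the trap in doing that naively is the soft-404: many sites answer every unknown path with HTTP 200 and a friendly error page, so a 200 on /backup.sql proves nothing. The added example below (written for this page, not PrivacyScore's own checker) first fetches a random path that cannot exist to learn the site's soft-404 response, then probes the slide's paths and reports a leak only when the body carries a content signature of the real artefact. The concrete file names /.git/HEAD and /.svn/entries are this example's choice for the two directories the slide names, the signatures are assumptions about what those files contain, and the fake site it scans is constructed in-process so the example runs offline.

```python
"""Probe a site for the information leaks listed on the slide, with a soft-404
baseline so that a plain HTTP 200 is not mistaken for a finding.
Added example; not PrivacyScore's own checker. The local fake site below is
constructed so the example runs offline."""
import hashlib
import re
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Paths from the slide. The file names inside .git/ and .svn/ are this
# example's choice; the slide names only the directories.
LEAK_PATHS = ["/phpinfo.php", "/.git/HEAD", "/.svn/entries",
              "/server.key", "/backup.sql", "/server-status"]

# A 200 alone proves nothing; require content only the real artefact has.
SIGNATURES = {
    "/phpinfo.php": rb"PHP Version \d",
    "/.git/HEAD": rb"\A(ref: refs/|[0-9a-f]{40})",
    "/.svn/entries": rb"\A\d+\s*$",
    "/server.key": rb"-----BEGIN (RSA |EC )?PRIVATE KEY-----",
    "/backup.sql": rb"(CREATE TABLE|INSERT INTO)",
    "/server-status": rb"Apache Server Status",
}

# --- constructed fake site: leaks phpinfo and .git, soft-404s everything else ---
FAKE_SITE = {
    "/": (200, b"<html><body>City of Example</body></html>"),
    "/phpinfo.php": (200, b"<html><h1>PHP Version 7.0.33</h1><td>DOCUMENT_ROOT</td></html>"),
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/server-status": (403, b"Forbidden"),
}
SOFT_404 = (200, b"<html><body>Sorry, that page does not exist.</body></html>")


class FakeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = FAKE_SITE.get(self.path, SOFT_404)
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(url, timeout=5):
    """Return (status, body); HTTP error statuses are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_leaks(base_url, paths=LEAK_PATHS):
    # Learn how the site answers for a path that certainly does not exist.
    base_status, base_body = fetch(base_url + "/" + secrets.token_hex(8))
    soft404_digest = hashlib.sha256(base_body).digest() if base_status == 200 else None
    findings = {}
    for path in paths:
        status, body = fetch(base_url + path)
        if status == 404:
            findings[path] = "absent"
        elif status != 200:
            findings[path] = f"http {status}"   # e.g. 403: handler exists but is access-controlled
        elif soft404_digest is not None and hashlib.sha256(body).digest() == soft404_digest:
            findings[path] = "soft-404"          # the same page the site shows for junk paths
        elif path in SIGNATURES and re.search(SIGNATURES[path], body, re.M):
            findings[path] = "LEAK"
        else:
            findings[path] = "200 (content not recognised)"
    return findings


def run_demo():
    """Start the fake site on a random local port, scan it, return the findings."""
    server = HTTPServer(("127.0.0.1", 0), FakeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_leaks(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{path:16} {verdict}")
```

The exact-hash comparison catches the common static soft-404 page; sites that echo the requested path into the error page need a similarity threshold instead. Against real targets, add the rate limiting the ethical considerations slide mentions, since one request per path per site is the minimum this check needs and nothing more should be sent.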
![Page 19](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/19.jpg)
More than 20 lists so far
Health insurers
Universities
Political parties
Authorities
Municipalities
Hospitals
Data protection authorities
Global Top 500 (moz.com)
Internet Service Providers
Banks
News Sites
CCC Erfas / Chaostreffs […]
![Page 20](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/20.jpg)
Ethical Considerations
1 Aren't you helping the bad guys? (dual use)
2 We don't want to overload servers. (rate limiting)
![Page 21](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/21.jpg)
Legal Considerations
![Page 22](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/22.jpg)
Legal considerations for running PrivacyScore (in Germany)
1 Websites are analyzed without consent of owners
2 Results are interpreted and used to obtain a ranking
3 Rankings are published on the PrivacyScore website
M. Maaß, A. Laubach, D. Herrmann: PrivacyScore: Analyse von Webseiten auf Sicherheits- und Privatheitsprobleme – Konzept und rechtliche Zulässigkeit (PrivacyScore: Analysis of Websites for Security and Privacy Problems – Concept and Legal Admissibility). GI INFORMATIK 2017, Workshop Recht und Technik: https://arxiv.org/abs/1705.08889 (2017)
Received one abuse report since June 2017 after scanning a mail server.
Whitelisting policy: We may stop scanning upon request, but publish this fact on the site.
![Page 23](https://reader033.vdocuments.net/reader033/viewer/2022051903/5ff4577c6c88626863672702/html5/thumbnails/23.jpg)
Summary
PrivacyScore: test and rank websites according to security and privacy features
Creates transparency, awareness, and incentives for site operators
What checks would you want to see?
Upload your own lists today!
Prof. Dr. Dominik Herrmann · @herdom · https://dhgo.to/pw17-slides