upribox – Zeroconfig AdblockingITSecX, St. Pölten, 11/2015Dr. Markus Huber

https://upribox.org

Online Advertisement

https://upribox.org 3/31

https://upribox.org 4/314

TargetedAds

#epicfail

https://upribox.org 5/315

https://upribox.org 6/316

https://upribox.org 7/31Gotta Block'Em All | CCC Camp 2015 | Markus Huber 7

Governmental Organizations#snowden NSA piggybacks on Cookies / UUID De-Anonymization of Tor users Target selection for exploitation

Ad/Tracker Blocker Arms Race

https://upribox.org 9/31

Browser Extensions

https://upribox.org 10/31

Browser Extensions for Advertisement

AdBlock Plus (ABP)• “Acceptable Ads” program• Maintains EasyList block rules• ABP Fork: AdBlock Edge

AdBlock• Based on AdBlock Plus EasyList• Solution for Chrome, ABP were to slow• Joined Acceptable Ads in October/2015

uBlock● Based on EasyList, EasyPrivacy, Peter Lowe's List, Disconnect

● Focus on performance and privacy

https://upribox.org 11/31

Tracker Blocker

● Ghostery– Detection and blocking of trackers– Blocking is Opt-In

● Disconnect.me– Similar to Ghostery– Included in Firefox since v41

● Privacy Badger– Heuristics instead of filter rules

https://upribox.org 12/31

Empirical Study

● How effective are these browser extensions?

● Analysis of 200,000 websites (0.5 billion requests)– Selenium + different browser extensions– Collection of network traffic with mitmproxy

● Joined work with Georg Merzdovnik (SBA Research)

https://upribox.org 13/31

Study Results

Usable Privacy Box@usableprivacy

https://upribox.org 15/31

Motivation

● Browser extensions are effective● What about smartphones / tablets?

– Extensions for Android FF / Safari– In-App advertisement !

● Make it even simpler than installing extensions ...

https://upribox.org 16/31

In-App Ads

● Malvertisement● Sensitive info● Leaks / Exploits

https://upribox.org 17/31

upribox - Usable Privacy Box

● Open Source Project– Supported by the Internet Foundation Austria

● Hardware– Raspberry Pi 2 (ARM Cortex-A7)

– Wifi: 150Mbit draft N

● Usable Privacy– Make Privacy Tools accessible

https://upribox.org 18/31

Main Features

● Silent Mode– Adblocking Wifi

● Ninja Mode– Adblocking + Tor Wifi

● VPN Server– Privacy with open access points

https://upribox.org 19/31

DNS based blocking● DNS Blacklist (dnsmasq)

– EasyList, Easylist Germany, EasyPrivacy– Resets Cookies

news.com:80

content news.com:80

doubleclick.net:80 id=788087878 Expire 1.1.2020

empty document id=0 Expire 1.1.1970

google-analytics.com:443 id=788087878 Expire 1.1.2020

TCP RST

https://upribox.org 20/31

URL Filtering / CSS

● Transparent Proxy (privoxy)– URI path filter– Rules based on EasyList, EasyList Privacy– Injects CSS header

● CSS header– Make blocked content invisble

https://upribox.org 21/31

Network Blocking

● Easy to set up == connect to upribox WiFi● Works with every device (e.g. old phones)

● TLS (HTTPS)– Active MiTM is a bad idea for a privacy tool– Certain trackers not blockable

https://upribox.org 22/31

Onion Routing (Tor)

● Legacy devices● Circumvent censorship● Hide traffic from your provider

● upribox advice:– For best protection:– Download the Tor Browser Bundle!

https://upribox.org 23/31

VPN

● Based on OpenVPN (certificate based)● IPSec with strongswan dropped● Surf secure when on the road

● „Zero config“ tricky to set up– UpnP, NAT-PMP– Dynamic IPs

upribox alpha batch

https://upribox.org 25/31

upribox alpha batch alpha batch: first 25 upriboxes

Deterministic builds• Raspbian Wheezy image customized with ansible

Rolling release• Updates via git repo + ansible

3D printed case

Chance to win one tonight!

https://upribox.org 26/31

upribox Community Image

Scheduled for December 2015 In-cooperate feedback from alpha batch Reset crypto keys on first boot

Updates on release: @usableprivacy

https://upribox.org 27/31

upribox Team

Peter Judmaier, Gernot Rottermanner (Usability)

Lisa Gringl (Design), Bernhard Zeller (Web Development)

Julian Rauchberger, Tobias Dam (Software Development, Security, Configuration Management)

Aron Molnar, Anton Hinterleitner, Alex Kolmann (Network Security, Software Prototype)

Daniel Zeisner, Matthias Borowski (Industrial Design)

upribox demo

Takeaways from this presentation ...

https://upribox.org 30/31

We are entering an arms race between trackers and blockers ...

Protection by browser extensions is effective• Privacy Badger, Disconnect, uBlock

upriBox = Zero config

Soon you can turn your Raspberry Pi into an upribox

stay tuned for the public release:

@usableprivacy

contact me for questionsmarkus.huber@fhstp.ac.at