Page 1
Web Privacy and Adobe Local Shared Objects
(and other things you should know)
Defcon 16, August 2008
Page 2
These slides are obsolete
• This is the presentation included on the Defcon 16 CD.
• Check the Defcon website for the latest version of this talk.
Page 3
This Talk Isn't About Anything New
According to http://en.wikipedia.org/wiki/Local_Shared_Object:
"Flash Player [...] does not ask the user's permission to store data permanently. This may constitute a collection of cookie-like data that may include not only user-tracking information but any personal data that the user has entered in any Flash-enabled application"
Page 4
Public Service Announcement
• Things you should know but probably don't.
• How do I manage LSOs?
• What else should I do differently?
Page 5
HTTP Cookies Are Well Understood
It's 2008, everyone knows about "cookies".
IETF standards:
• HTTP/1.1: RFC 2616
• HTTP Cookies: RFC 2109
Let's take a look at that...
Page 6
Web Browser Sends This...
GET http://www.google.com/ HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20
Accept-Encoding: gzip, deflate
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us
Host: www.google.com
Connection: close
Page 7
Web Server Replies With This...
HTTP/1.0 200 OK
Cache-Control: private, max-age=0
Date: Thu, 26 Jun 2008 04:18:25 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=a2bce[...]        (keep this in mind for the next slide)
    domain=.google.com
Content-Encoding: gzip
Server: gws
Content-Length: 2654
...
Page 8
Web Browser Subsequently Sends This...
GET http://www.google.com/favicon.ico HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20
Referer: http://www.google.com/
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: PREF=ID=a2bce[...]        (the value the server gave us on the previous slide)
Host: www.google.com
Connection: close
Page 9
Browsers Let You Manage Cookies
Set cookie acceptance/expiration policy. E.g., Firefox 3:
Page 10
Browsers Let You Manage Cookies
Clear all private data on demand:
Page 11
Web Proxies Can Filter HTTP Cookies
Privoxy is a filtering web proxy.
Flexible filtering rules, cookies included.
Strip out cookies, allow cookies for certain sites.
See also: http://privoxy.org
Page 12
Adobe's Alternate Cookie System
• Adobe Flash uses Local Shared Objects (LSOs) to keep persistent session state, similar to HTTP cookies.
• Nearly all browsers include the Adobe Flash plug-in.
• LSOs are not cleared when you clear your HTTP cookies.
• Web browsers don't know how to manage them.
• By default, they're there until you explicitly clear them.
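What an LSO actually looks like on disk, as an added example rather than code from the talk: Flash Player keeps each shared object as a `.sol` file under a `#SharedObjects` directory in the user's profile, one subtree per site. The reader below parses the AMF0 form of that file. The header layout, the AMF0 type codes and the three directory locations are assumptions taken from the publicly known format, not from these slides; the sample file is constructed inline by the small writer at the bottom, and AMF3-encoded objects are refused rather than guessed at.

```python
"""Read Adobe Flash Local Shared Object (.sol) files, AMF0 encoding only.

Added example, not from the talk. Layout assumed from the public format:
  00 BF | u32 length of everything after this field | "TCSO" | 00 04 00 00 00 00 |
  u16 len + object name | u32 encoding (0 = AMF0, 3 = AMF3) |
  repeated: u16 len + key, AMF0 value, one 00 padding byte
"""
import struct
from pathlib import Path

# AMF0 type markers this reader understands
NUMBER, BOOL, STRING, OBJECT, NULL, UNDEFINED = 0x00, 0x01, 0x02, 0x03, 0x05, 0x06
ECMA_ARRAY, OBJECT_END, DATE = 0x08, 0x09, 0x0B

# Usual #SharedObjects roots (assumed; adjust for your platform/profile)
LSO_ROOTS = [
    Path.home() / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    Path.home() / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
    Path.home() / "AppData/Roaming/Macromedia/Flash Player/#SharedObjects",      # Windows
]


class SolError(ValueError):
    """Malformed or unsupported .sol data; on-disk input is untrusted, so fail loudly."""


class Amf0Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise SolError(f"truncated at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def utf(self, n): return self.take(n).decode("utf-8")

    def value(self):
        t = self.u8()
        if t == NUMBER: return struct.unpack(">d", self.take(8))[0]
        if t == BOOL: return self.u8() != 0
        if t == STRING: return self.utf(self.u16())
        if t in (NULL, UNDEFINED): return None
        if t == DATE:  # ms since epoch as a double, then an unused s16 timezone
            ms = struct.unpack(">d", self.take(8))[0]; self.take(2); return ("date", ms)
        if t == ECMA_ARRAY: self.u32(); return self.members()  # count is advisory only
        if t == OBJECT: return self.members()
        raise SolError(f"unsupported AMF0 type 0x{t:02x} at offset {self.pos - 1}")

    def members(self) -> dict:
        out = {}
        while True:
            key = self.utf(self.u16())
            if key == "":  # 00 00 09 terminates an object / ECMA array
                if self.u8() != OBJECT_END:
                    raise SolError("bad object terminator")
                return out
            out[key] = self.value()


def parse_sol(data: bytes):
    """Return (shared object name, {key: value}) for an AMF0 .sol file."""
    r = Amf0Reader(data)
    if r.take(2) != b"\x00\xbf":
        raise SolError("bad magic")
    if r.u32() != len(data) - 6:
        raise SolError("length field does not match file size")
    if r.take(4) != b"TCSO":
        raise SolError("missing TCSO signature")
    r.take(6)  # constant 00 04 00 00 00 00
    name = r.utf(r.u16())
    encoding = r.u32()
    if encoding != 0:
        raise SolError(f"AMF{encoding} objects are not handled by this reader")
    entries = {}
    while r.pos < len(data):
        key = r.utf(r.u16())
        entries[key] = r.value()
        if r.u8() != 0:  # each top-level entry is followed by one 00 byte
            raise SolError("missing entry padding byte")
    return name, entries


def list_lsos(roots=LSO_ROOTS):
    """All .sol files under the given roots (what the Flash Settings Manager would clear)."""
    return [p for root in roots if root.is_dir() for p in root.rglob("*.sol")]


# --- tiny AMF0 writer, only so the sample below can be built inline ---
def _utf(s: str) -> bytes:
    b = s.encode("utf-8"); return struct.pack(">H", len(b)) + b

def _amf0(v) -> bytes:
    if isinstance(v, bool): return bytes([BOOL, int(v)])
    if isinstance(v, (int, float)): return bytes([NUMBER]) + struct.pack(">d", v)
    if isinstance(v, str): return bytes([STRING]) + _utf(v)
    if v is None: return bytes([NULL])
    if isinstance(v, dict):
        return bytes([OBJECT]) + b"".join(_utf(k) + _amf0(x) for k, x in v.items()) + b"\x00\x00\x09"
    raise TypeError(type(v))

def build_sol(name: str, entries: dict) -> bytes:
    body = b"TCSO\x00\x04\x00\x00\x00\x00" + _utf(name) + struct.pack(">I", 0)
    body += b"".join(_utf(k) + _amf0(v) + b"\x00" for k, v in entries.items())
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body

# Constructed sample: the sort of tracking state a site parks in an LSO
SAMPLE_SOL = build_sol("tracker", {"uid": "a2bce-constructed", "visits": 3,
                                   "optout": False, "prefs": {"lang": "en-us"}})

if __name__ == "__main__":
    print(parse_sol(SAMPLE_SOL))
    for path in list_lsos():  # walk the real profile, if one exists on this machine
        try:
            print(path, parse_sol(path.read_bytes()))
        except SolError as e:
            print(path, "skipped:", e)
```

Run it on a real profile and every site that has parked an identifier in Flash shows up, whether or not the browser's own cookie store was just wiped. The reader validates the length field, the signature and every terminator because these files are written by third-party content, not by you.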
Page 13
This Doesn't Affect Adobe LSOs
Page 14
This Doesn't Manage LSOs Either
Page 15
Companies Are Exploiting This
"Company Bypasses Cookie-Deleting Consumers", InformationWeek article by Antone Gonsalves, 3/31/05
"United Virtualities is offering online marketers and publishers technology that attempts to undermine the growing trend among consumers to delete cookies planted in their computers. The New York company on Thursday unveiled what it calls PIE, or persistent identification element, a technology that's uploaded to a browser and restores deleted cookies. In addition, PIE, which can't be easily removed, can also act as a cookie backup, since it contains the same information."
http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=160400801
Page 16
How Do I Fix This?
• You actually can manage LSOs.
• Adobe's website describes how:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html
• In particular...
Page 17
Setting LSO Acceptance Policy
Visit this URL, which hosts a Flash app (the Settings Manager): http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html
Page 18
Clearing LSOs
Manually delete LSOs by visiting this URL: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html
Page 19
Not Easy To Filter LSOs
• LSOs are stored by the Flash browser plug-in, not by the browser itself.
• The protocol format between the plug-in application and the server is proprietary.
• Let's take a look.
Page 20
Logging In With A Flash App
POST http://[...]/xmlrpc/[...] HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20
Content-Type: text/xml
Referer: http://[...]/
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: [...]
Content-Length: 480
Host: [...]
Connection: close

aeab4a7053[...]        (proprietary encoding, may contain LSO data)
Page 21
Response From Server
HTTP/1.0 200 OK
Date: Fri, 27 Jun 2008 02:49:05 GMT
Server: Jetty/5.1.14 (Linux/2.6.18-6-amd64 amd64 java/1.5.0_14)
Content-Type: text/xml
Content-Length: 7164

<?xml version="1.0" encoding="UTF-8"?>[...]
• Proprietary content; not easy to filter. There isn't a clean, clear "Cookie" header that Privoxy can look for.
Page 22
Other Public Service Announcements
Okay, I can manage Adobe LSOs. What else should I watch out for?
Page 23
What's wrong here? (As of June 2008)
Page 24
Hint
From http://www.wamu.com/personal/default.asp:
<form action="https://online.wamu.com/[...]" method="post">
...
<input class="username field" type="text" [...]>
<input class="password field" type="password" [...]>
...
</form>
Page 25
Login Pages Need SSL Too!
• The HTML form submits to an HTTPS URL, but...
• Getting the login page itself over HTTP (not HTTPS) doesn't guarantee anything about the integrity of that page: anyone who can alter traffic on the path can rewrite the form before the browser ever renders it.
• It could have been: <form action="https://IllegalHackerSite.com/[...]" method="post">
• See also: "Critical Mistake #1: Non-HTTPS Login pages"
http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx
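A check for exactly this mistake, added as an example (not the talk's code): given the URL a page was fetched from and its HTML, it finds every form containing a password field and reports two separate problems, a form action that is not HTTPS, and a login page that was itself served over plain HTTP. The HTML is constructed after the snippet on the Hint slide, and the example-bank.test hostnames are placeholders.

```python
"""Flag login forms whose page was fetched over plain HTTP.

Added example, not from the talk. The HTML, URLs and hostnames below are
constructed (example-bank.test is a placeholder, not a real bank).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect every <form> on the page and whether it contains a password field."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # a missing or empty action means "submit back to the page URL itself"
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url: str, html: str):
    """Return (finding, form action) pairs for each password form on the page.

    credentials-posted-in-clear : the form action itself is not https
    login-page-served-over-http : the page carrying the form was not https, so an
        on-path attacker could have rewritten the action before the browser saw it
    """
    finder = LoginFormFinder(page_url)
    finder.feed(html)
    finder.close()
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in finder.forms:
        if not form["has_password"]:
            continue
        if urlsplit(form["action"]).scheme != "https":
            findings.append(("credentials-posted-in-clear", form["action"]))
        if not page_https:
            findings.append(("login-page-served-over-http", form["action"]))
    return findings


# Constructed page modelled on the Hint slide: http page, https form action
SAMPLE_HTML = """<html><body>
<form action="https://online.example-bank.test/login" method="post">
  <input class="username field" type="text" name="user">
  <input class="password field" type="password" name="pass">
  <input type="submit" value="Log in">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for url in ("http://www.example-bank.test/personal/default.asp",
                "https://www.example-bank.test/personal/default.asp"):
        print(url, "->", audit_login_page(url, SAMPLE_HTML) or "ok")
```

The first URL produces a finding even though the action is HTTPS, which is the whole point of the slide: the HTTPS action only proves that the server's copy of the page was safe, not that the copy your browser received was.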
![Page 26: Web Privacy and Adobe Local Shared Objects€¦ · For Google Mail: use hps://gmail.google.com not hp://gmail.google.com Your enre session will be SSL encrypted aer login. Yahoo,](https://reader034.vdocuments.net/reader034/viewer/2022051922/600f505d265b003ebc61b273/html5/thumbnails/26.jpg)
What’sWrongWithThis?(June2008)
![Page 27: Web Privacy and Adobe Local Shared Objects€¦ · For Google Mail: use hps://gmail.google.com not hp://gmail.google.com Your enre session will be SSL encrypted aer login. Yahoo,](https://reader034.vdocuments.net/reader034/viewer/2022051922/600f505d265b003ebc61b273/html5/thumbnails/27.jpg)
HTTPCookieSentWithoutEncrypKon
• Onprivatetrustednetworks,that’snotabigdeal.• ButonpublicWi‐Finetworks,everyonecanseeitandimpersonateyou!
Seealso:
• RobertGraham’stalkatBlackHat2007,“Web2.0Hijacking”.
• hPp://en.wikipedia.org/wiki/Sidejacking
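To make the earlier Set-Cookie / Cookie round trip (pages 7 and 8) concrete, and to show exactly which cookies leave the machine in cleartext on a network like this one, here is a small cookie jar added as an example (not code from the talk). It applies the domain, path and Secure rules a browser applies, RFC 2109 style, and ignores expiry. The Set-Cookie headers are constructed, patterned after the PREF cookie captured on the earlier slides; the SID cookie with the Secure flag is the hypothetical fix.

```python
"""How a browser decides which stored cookies to attach to a request.

Added example, not from the talk: a minimal cookie jar applying the domain,
path and Secure rules so you can see which cookies travel in cleartext.
All headers below are constructed.
"""
from urllib.parse import urlsplit


def domain_matches(host: str, cookie_domain: str) -> bool:
    """'.google.com' matches google.com and every subdomain of it, nothing else."""
    d = cookie_domain.lstrip(".").lower()
    h = host.lower()
    return h == d or h.endswith("." + d)


def parse_set_cookie(header: str, response_host: str):
    """Parse one Set-Cookie header into a dict, or return None if the cookie
    tries to set itself for a domain the responding host is not part of."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": response_host,
              "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        k = k.strip().lower()
        if k == "domain" and v:
            cookie["domain"] = v.strip()
        elif k == "path" and v:
            cookie["path"] = v.strip()
        elif k == "secure":
            cookie["secure"] = True
        elif k == "httponly":
            cookie["httponly"] = True
        # expires / max-age deliberately ignored: lifetime is not the point here
    if not domain_matches(response_host, cookie["domain"]):
        return None  # www.google.com may not set a cookie for .example.org
    return cookie


def store_cookies(set_cookie_headers, response_host: str):
    """Jar built from the Set-Cookie headers of one response."""
    jar = []
    for h in set_cookie_headers:
        c = parse_set_cookie(h, response_host)
        if c is not None:
            jar.append(c)
    return jar


def cookie_header(jar, url: str):
    """The Cookie: header value the browser would send for this URL, or None."""
    u = urlsplit(url)
    host = u.hostname or ""
    path = u.path or "/"
    over_tls = u.scheme == "https"
    sent = [c for c in jar
            if domain_matches(host, c["domain"])
            and path.startswith(c["path"])
            and (over_tls or not c["secure"])]  # Secure cookies never ride plain http
    return "; ".join(f"{c['name']}={c['value']}" for c in sent) or None


def exposed_in_clear(jar):
    """Names of cookies that will travel over plain http: sidejacking candidates."""
    return [c["name"] for c in jar if not c["secure"]]


# Constructed headers modelled on the captured Set-Cookie: PREF=ID=a2bce[...]; domain=.google.com
SET_COOKIE_HEADERS = [
    "PREF=ID=a2bce; expires=Sat, 26-Jun-2010 04:18:25 GMT; path=/; domain=.google.com",
    "SID=deadbeef; path=/; domain=.google.com; Secure; HttpOnly",  # hypothetical fix
    "EVIL=1; path=/; domain=.example.org",                         # rejected: wrong domain
]

if __name__ == "__main__":
    jar = store_cookies(SET_COOKIE_HEADERS, "www.google.com")
    for url in ("http://www.google.com/favicon.ico", "http://mail.google.com/mail/",
                "https://mail.google.com/mail/", "http://www.example.org/"):
        print(f"{url:40} Cookie: {cookie_header(jar, url)}")
    print("sent in cleartext:", exposed_in_clear(jar))
```

Two things fall out of running it. The `domain=.google.com` attribute means the PREF cookie is attached to every google.com host, so one cleartext request to any of them (the favicon on page 8, say) is enough to capture it. And a cookie carrying the Secure flag is withheld from `http://` URLs entirely, which is the property the "use https://" advice on the next slide relies on: the session cookie only ever exists on encrypted connections.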
Page 28
Suggested Fix
For Google Mail: use https://gmail.google.com
not http://gmail.google.com
Your entire session will be SSL encrypted after login.
Yahoo, Hotmail: No known solution (that I know of).
Email me if you know a solution for this.
Page 29
Summary
• Manage your Flash LSO settings.
• Don't use a login page if the URL is "http" instead of "https".
• Use email services that offer SSL for all traffic.