
Talk:Summit 2011 Working Sessions/Session073

From OWASP
Revision as of 19:09, 4 March 2013 by Achim (talk | contribs) (duplicate removed)


Thank you for attending! This page is for the session participants to add their ideas and comments.

Please also take a look at the FTC response http://www.owasp.org/index.php/Industry:FTC_Protecting_Consumer_Privacy completed with your help.

Thank you

colin.watson(at)owasp.org


Accomplishments

I was asked to provide the top 3 accomplishments from our session to the summit team. I have suggested:

1) A recognition that OWASP MUST (not should) be active in this space

2) Direct input into OWASP's response to the FTC staff report on consumer privacy

3) A consensus to try to document the drivers, issues, resources and relevant technical approaches

Ideas...

Some suggested headings, but please feel free to add more:

Government legislation & policies

Legislation:

Primary data protection authorities:

  • US:
    • FTC
    •  ???

Issues

  • Fair processing
  • Acceptable use/specified purpose
  • Avoid collecting excessive information
  • Data accuracy
  • Data retention period enforcement (& disposal)
  • Protection of data
  • Transfers (inter department, company, country)
  • Tracking consent and withdrawal of consent
  • Provision of consent
  • Collection and storage of PII (personally identifiable information)
  • User tracking
  • User profiling

Privacy vulnerabilities

  • Building up user profiles, e.g. for retargeted / behavioral advertising
  • Identifying users by fingerprinting, e.g. from IP address, browser type and version, installed add-ons, ...

Technical approaches

  • Privacy vulnerability detection on server side
  • Privacy vulnerability detection on client side
    • Client side patterns implying privacy vulnerability e.g.
      • 3rd party links (typically trackers)
      • 3rd party cookies
      • invisible images / web bugs
      • behavioral tracking patterns
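As an added example (not code from the page or from any tool listed on it), a small Python scanner that looks for the client-side patterns above in a page's HTML and in the Set-Cookie headers of the responses fetched for it: third-party script, image, iframe and stylesheet loads, invisible images (1x1 or hidden by CSS) and cookies set by third-party hosts. The sample page and responses are constructed, and the "last two labels" site approximation is an assumption (a public suffix list would be more accurate).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def site_of(host):
    # Assumption: registrable site = last two labels; a real scanner would use the public suffix list
    return ".".join(host.lower().split(".")[-2:])

class PrivacyScanner(HTMLParser):
    """Collects third-party resource hosts and invisible images (web bugs) from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.site = site_of(urlparse(page_url).hostname)
        self.third_party = set()   # hosts the page pulls scripts/images/frames/styles from
        self.web_bugs = []         # src of images the user cannot see

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("href", "") if tag == "link" else a.get("src", "")
        if tag in ("script", "img", "iframe", "link") and src:
            host = urlparse(src).hostname
            if host and site_of(host) != self.site:
                self.third_party.add(host)
        if tag == "img" and src and self._invisible(a):
            self.web_bugs.append(src)

    @staticmethod
    def _invisible(a):
        # 0x0 / 1x1 pixels, or images hidden by inline CSS
        tiny = (a.get("width", "").rstrip("px") in ("0", "1")
                and a.get("height", "").rstrip("px") in ("0", "1"))
        style = a.get("style", "").replace(" ", "").lower()
        return tiny or "display:none" in style or "visibility:hidden" in style

def scan_html(page_url, html):
    scanner = PrivacyScanner(page_url)
    scanner.feed(html)
    return {"third_party_hosts": sorted(scanner.third_party), "web_bugs": scanner.web_bugs}

def third_party_cookies(page_url, responses):
    """responses: (request_url, Set-Cookie value) pairs observed while loading the page."""
    site = site_of(urlparse(page_url).hostname)
    return [(urlparse(u).hostname, c.split("=", 1)[0].strip())
            for u, c in responses if site_of(urlparse(u).hostname) != site]

# Constructed sample page and responses (the host names are not real sites)
PAGE = "https://www.example.com/index.html"
SAMPLE_HTML = """<html><head><script src="https://www.example.com/app.js"></script>
<script src="https://stats.tracker-example.net/ga.js"></script></head><body>
<img src="https://www.example.com/logo.png" width="200" height="60">
<img src="https://beacon.tracker-example.net/pixel.gif" width="1" height="1">
<img src="https://www.example.com/hidden.png" style="display: none">
<iframe src="https://ads.adnet-example.org/frame"></iframe></body></html>"""
SAMPLE_RESPONSES = [(PAGE, "session=abc123; Path=/; HttpOnly"),
                    ("https://beacon.tracker-example.net/pixel.gif", "uid=42; Domain=.tracker-example.net")]
```

Run `scan_html(PAGE, SAMPLE_HTML)` and `third_party_cookies(PAGE, SAMPLE_RESPONSES)` to see the tracker hosts, the two web bugs and the one third-party cookie flagged for the sample page.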

For tools, add-ons and projects to detect and protect privacy, see the section "Tools, Add-ons, Projects to Detect & Protect Privacy" below.

Micro survey

CW created a micro survey on paper called A Few Questions, to try to gather a few [10] views from other quarters in OWASP [2 participants from the working session, and 8 other leaders], as to the relevance of "personal data protection" within OWASP's mission. The questions (and anonymous answers) were:

Q1: Can OWASP contribute to PCI-DSS compliance initiatives?

A1:

Yes.

Yes of course - we already have by reference to the Top 10.

Yes, we have done so, but to my knowledge we have allowed our relationship with PCI to languish.

Yes.

Unsure, as I'm not fully used to PCI-DSS, but guess 'yes'.

Yes.

Yes.

Yes.

Don't know.

Yes in terms of providing knowledge, training and resources to QSAs. We [OWASP] could also provide info focused on companies who are going to be assessed.



Q2: Can OWASP contribute to fraud detection and prevention?

A2:

Yes.

Yes it would be included in our mission/purpose.

Yes, ***, *** and I were discussing some potential solutions to this.

Yes.

Yes.

Yes, it should at least 'list' possible threats.

Yes.

Yes.

Don't know.

AppSensor seems to be quite useful here.



Q3: Are there application vulnerabilities that can contribute to successful fraud?

A3:

Yes.

Yes of course.

At the risk of being glib, most successful exploitations of vulnerabilities lead to some sort of fraud.

Yes.

Maybe.

Yes.

Yes.

Yes.

-

Injection flaws, possibly XSS if client credentials can be compromised, session weaknesses, SSL issues.


Q4: Can OWASP contribute to the protection of personal data?

A4: (if 'no', skip Q5 and Q6 to end)

Yes.

Certainly.

Yes, anytime our efforts close a vulnerability, we contribute.

Yes.

No.

Yes.

Yes.

Yes.

Yes.

If OWASP wants to start talking at that issue, yes.


Q5: Are there application security vulnerabilities that can contribute to attacks against personal data?

A5: (if 'no', skip to end)

Yes.

Certainly, yes!

Yes, I'm hard pressed to think of one that doesn't have the potential.

Yes.

-

Yes (for example inclusion of 3rd party code/scripts).

Yes.

Yes.

-

Injection, XSS, session flows, SSL issues.


Q6: Are there vulnerabilities in the realms of personal data protection - consent, accuracy, fair use & retention (ie not just protection of data in use/at rest) - that OWASP can help with?

A6:

Yes, at least OWASP should in the future.

Possibly to a lesser degree - seems more like the legal realm than technical.

Certainly, but I'm not in a position to identify any that aren't already a focus of the organization [OWASP].

Yes.

-

Yes.

Yes.

I am not so sure - what is a vulnerability? If a poor audit trail or no audit trail is a vulnerability, then maybe. If lack of privacy policy is a vulnerability, then maybe.

-

Accuracy and use seem to be in the realm of privacy. If OWASP works in this area, we could reach end users much more significantly.


End: Please supply any other comments here, or overleaf

-

-

-

[For] all questions, I answered yes, but it would need details how to achieve it.

-

-

-

-

I am working to enable ASVS as a government recommendation to verify the implementation of adequate protection of PII.

-


Tools, Add-ons, Projects to Detect & Protect Privacy

Please note OWASP Foundation does not endorse or recommend commercial products or services. The tools, add-ons, etc here are simply listed to help identify technical approaches.
Please also note that the tools, add-ons, etc have not yet been tested or verified.

Data privacy is not only a client-side issue, but may also be a server-side issue: for example, data stored in cloud services needs to be protected somehow. So we distinguish protection and detection tools in four areas for now:

  1. client-side
  2. server-side
  3. protocol
  4. services

1. Client-side Tools

On the client we have three categories of tools:

  • Add-ons in the browser
  • Proxies
  • Standalone tools based on the underlying OS

Add-ons in the browser

TBD: table needs to be sorted according to browser, functionality, etc.

Browser Add-ons (name, description, link; most descriptions are taken from the tools' home pages)

Chrome
  • Adblock Plus [1]
  • Ads no more: Replace ads in page for clean space. [2]
  • Analytics Blocker: Stops user selected websites from sending information to Google Analytics. [3]
  • Analytics Helper: Detects if Google Analytics script is installed on page. [4]
  • Chromeblock: Protect your privacy by stopping secret tracking of your web browsing. ChromeBlock automatically blocks 100's of web beacons, bugs, and other tracking technologies that advertisers and others use to track your browsing. [5]
  • Click&Clean [6]
  • Deaktivierungs-Add-on von Google Analytics: Instructs the Google Analytics JavaScript (ga.js) not to transmit any information to Google Analytics. [7]
  • Disconnect: Stop third parties and search engines from tracking the webpages you go to and searches you do. [8]
  • Forget Me: Delete everything about a website. Cookies, History, localStorage, sessionStorage...everything! [9]
  • Ghostery (see below) [10]
  • Abine (TACO): Abine TACO sets all the NAI opt-out cookies to stop advertisers from delivering content based on their attempts to profile you and your online behavior. At each website you visit TACO can show you how many and which advertising networks you've opted-out of. [11]
  • Keep More Opt-Outs: Permanently opts your browser out of online ad personalization via cookies for over 150 tracking companies. This extension is based on Google's "Keep My Opt Outs" extension and provides more complete coverage by including opt-out cookies from over 150 tracking companies, based on the PrivacyChoice Tracker Index. [12]
  • Keep My Opt-Outs: Permanently opts your browser out of online ad personalization via cookies. [13]
  • SelectOut Cookie Monitor: Introducing the new Google Chrome extension for SelectOut. This extension allows you to control your online tracking cookie by Opting-Out and In to the companies you choose, Opt-Out of all if you don't want to have to research them all, and even gives you the option of viewing profiles on each of the companies. [14]
  • Tracking Token Stripper: Removes Google Analytics (UTM) tracking tokens from URL query strings. [15]
  • TrackMeNot (apart from the tool's name, the description is a bit confusing, 04/2011) [16]
  • Tynt Blocker: Allows the user to prevent Tynt.com from recording copy/paste events from sites that use Tynt's tracer script. [17]
  • Vanilla: A Cookie Whitelist Manager that helps protect your privacy. Automatically removes unwanted cookies. [18]
  • Window Name Eraser: An extension preventing user-tracking methods (e.g. evercookie) from transmitting data through the window.name property. [19]
  • WPS Privacy 196: Privacy 196 is a free service from WPS Group that offers users all the latest updates and the most interesting news on privacy (Italian Legislative Decree 196/03). [20]

Firefox
TBD: list needs attributes for usability, functionality, active/passive protection, ...
  • Abine (TACO): Stops behavioral advertising by over 120 different companies who quietly track you as you surf [21]
  • AdBan aka AdvertBan: Blocks ads, ad popups, cookie trackers and spyware on the web. [22]
  • Adblock Plus
  • Adblock Plus Pop-up: Adblock Plus Pop-up Addon extends the blocking functionality of Adblock Plus to those annoying pop-up windows that are being opened on mouse clicks or other user actions. [23]
  • Ads no more: Replace ads in page for clean space. [24]
  • Annihilytics: Blocks connections to web analytics services. [25]
  • AVG Do Not Track: AVG Do Not Track helps you identify websites that are collecting data about your online activities. An icon in your browser shows the websites or advertisers collecting data about your activity and gives you the choice to allow or disallow it. [26]
  • BeeFree: Removes tracking links from several web search engines. [27]
  • Beef Taco (Targeted Advertising Cookie Opt-Out): Sets permanent opt-out cookies to stop behavioral advertising for 100+ different advertising networks, including Google, Yahoo, Microsoft, all members of the Network Advertising Initiative, and many other companies. [28]
  • BetterPrivacy: BetterPrivacy is a safeguard which protects from usually not deletable LSOs on ... [29]
  • Bloody Vikings!: Simplifies the use of temporary e-mail addresses in order to protect your real address from spam. [30]
  • BrowserMasquerade: Modifies the HTTP request string and the JavaScript UserAgent ID sent by the browser, depending on the website you're currently visiting, and the referrer. [31]
  • Browser Protect
  • Bynamite: Control what online advertisers know about you. [32]
  • Click&Clean
  • Cocoon: Cocoon is an Internet privacy and security toolbar that gives you control of online tracking and protects your computer from viruses. [33]
  • Cookie Whitelist With Buttons
  • Dashboard (see below)
  • DNT+ Do Not Track Plus: Do Not Track Plus blocks web beacons and other tracking technologies that advertisers use to track your browsing behavior. Easily see what trackers are in use at each website you visit and block any or all of them. [34]
  • Facebook Blocker: Disables auto-submitting your data to Facebook. [35]
  • FireStorage
  • Ghostery (see below) [36]
  • Google Disconnect: Stop Google from tracking the webpages you go to. [37]
  • Google/Yandex search link fix: This extension prevents Google Search from modifying result links when they are clicked. [38]
  • Greasemonkey
  • GA? - Is Google Analytics Installed: Checks the current page you are on to see if Google Analytics is installed. It'll automatically detect and report back to your browser's status bar. [39]
  • Header Tool
  • HTTP Request String Editor: Control of the HTTP request the browser sends to the servers. Set up rules for a page with regular expressions to modify headers. [40]
  • Maximum AdBlock: Maximum AdBlock is a community-based Ad Blocking tool that erases Ads. ... [41]
  • No FB Tracking: Prevents Facebook from knowing the websites you visit. [42]
  • PageTweak
  • Priv3: Priv3 protects you from being tracked by social networks. Social networking sites can track your visits to any web page that uses the familiar "Like", "Follow", or "+1" buttons, even if you do not actually click these buttons. Priv3 lets you remain logged in to the social networking sites you use and still browse the web, knowing that those third-party sites only learn where you go on the web when you want them to. [43]
  • PrivacyChoice Opt-out: Opt-out of behavioral tracking by 100+ companies. Choose individual networks, all networks or networks with policy questions. [44] Disabled in 2012?
  • Privacy Protector: Protect your privacy in just one click! Safeguard your privacy by removing all traces of your browsing history! These features are already built into Firefox but Privacy Protector gives you ease of access. [45]
  • Privacy +: Privacy Plus will add a simple checkbox in the [Clear Recent History] dialog that will allow you to delete these cookies (Flash LSO). [46]
  • PrivacySuite: One place to protect your privacy ... [47]
  • RefControl: Control what gets sent as the HTTP Referer on a per-site basis. [48]
  • Remove google search redirects: Google uses a redirection link to track your clicks. This addon simply removes that redirection and turns every search result into its original link, saving your time and giving you more security. [49]
  • Remove Google Tracking: Removes the Google tracking redirect when clicking a link in Google Search. [50]
  • RequestPolicy: Gives you control over when cross-site requests are allowed by webpages you visit. [51]
  • ShareMeNot: Protecting against tracking from third-party social media buttons while still allowing you to use them [52], [53]
  • TACO - Targeted Advertising Cookie Opt-Out: Stops behavioral advertising by over 120 different companies who quietly track you as you surf [54]
  • ThinkAhead
  • TrackerBlock: Block companies from tracking you through cookies and delete Flash cookies they may leave behind. [55]
  • Trueblock Plus: Trueblock Plus is a fork of the Adblock Plus extension for blocking unwanted advertisements on the web. This fork provides the exact same features as Adblock Plus, with the unpopular, unwanted "acceptable ads" (non-)feature turned off by default. [56]
  • Twitter Disconnect: Stop Twitter from tracking the webpages you go to. [57]

IE
  • Ghostery (see below)

Opera
  • (none listed yet)

Safari
  • Ghostery (see below)

WebKit
  • (none listed yet)
Ghostery plug-in
Available for Firefox, Chrome, Safari, Internet Explorer
Scans the page for scripts, pixels, and other elements and notifies the user of the companies whose code is present on the page. These page elements aren't otherwise visible to the user, and often not detailed in the page source code. Ghostery allows users to learn more about these companies and their practices, and block the page elements from loading if the user chooses.

Download: http://www.ghostery.com/download

Ghostery is owned by Evidon (formerly "Better Advertising"): http://www.evidon.com/solutions/overview.php

"Selected by the Digital Advertising Alliance (DAA) to power its online behavioral advertising Self-Regulatory Program"
Dashboard Firefox extension
Developed by the research project PrimeLife, funded by the European Commission's 7th Framework Programme.
Download: http://www.primelife.eu/results/opensource/76-dashboard
Alpha release: tracks what information is collected by the visited websites. Allows preferences to be set on a site-by-site basis.
Note: Currently maintained by W3.org, full description expected by March 2011.

Description:
  • observes HTTP requests and responses while loading the web page
  • logs collected HTTP traffic in a SQLite database "dashboard.sqlite" in the browser's profile folder
  • accesses additional databases maintained by the browser and the folders containing the LSOs (Flash local shared objects)
  • cancels HTTP requests, e.g. for third-party content, based on the user's preference for a given web site
  • user-settable site preferences, e.g. to block 3rd party cookies or content, to disable scripting, ...

Detected privacy patterns, e.g.:
  • internal third party content
  • external third party content
  • invisible images (based on the image dimensions / hidden by CSS)

User Interface
  • adds smiley icon to the browser's navigation toolbar to reflect a measure of the privacy friendliness of the current web page
  • click on the face to view privacy details
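As an added example of the Dashboard approach described above (this is not the extension's own code), a Python sketch that records observed HTTP requests in a SQLite table, queries it for the detected patterns (third-party content, third-party cookies, invisible images) and turns the counts into a smiley rating for the page. The traffic is constructed, and the weights and thresholds in the score are an assumption rather than Dashboard's real scoring.

```python
import sqlite3
from urllib.parse import urlparse

def site_of(host):
    # Assumption: registrable site = last two labels (a public suffix list would be more accurate)
    return ".".join(host.lower().split(".")[-2:])

SCHEMA = """CREATE TABLE IF NOT EXISTS requests (
    page TEXT, url TEXT, host TEXT, third_party INTEGER,
    sets_cookie INTEGER, content_type TEXT, width INTEGER, height INTEGER)"""

def open_log(path=":memory:"):
    # Dashboard keeps 'dashboard.sqlite' in the profile folder; in-memory here for the demo
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def log_request(db, page, url, response_headers, width=None, height=None):
    """Record one observed request/response for the given top-level page."""
    host = urlparse(url).hostname
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    db.execute("INSERT INTO requests VALUES (?,?,?,?,?,?,?,?)",
               (page, url, host, int(site_of(host) != site_of(urlparse(page).hostname)),
                int("set-cookie" in hdrs), hdrs.get("content-type", ""), width, height))

def privacy_report(db, page):
    """Query the log for the detected patterns and derive a 'smiley' rating for the page."""
    hosts = [r[0] for r in db.execute("SELECT DISTINCT host FROM requests WHERE page=? "
                                      "AND third_party=1 ORDER BY host", (page,))]
    cookies = db.execute("SELECT COUNT(*) FROM requests WHERE page=? AND third_party=1 "
                         "AND sets_cookie=1", (page,)).fetchone()[0]
    bugs = db.execute("SELECT COUNT(*) FROM requests WHERE page=? AND content_type LIKE 'image/%' "
                      "AND width<=1 AND height<=1", (page,)).fetchone()[0]
    score = len(hosts) + 2 * cookies + 2 * bugs   # weights/thresholds are assumptions, not Dashboard's
    face = ":-)" if score == 0 else ":-|" if score < 4 else ":-("
    return {"third_party_hosts": hosts, "third_party_cookies": cookies,
            "invisible_images": bugs, "score": score, "face": face}

def demo():
    """Constructed traffic for one page load (host names are not real sites)."""
    db, page = open_log(), "https://www.example.com/news"
    log_request(db, page, page, {"Content-Type": "text/html", "Set-Cookie": "sid=1; Path=/"})
    log_request(db, page, "https://cdn.example.com/style.css", {"Content-Type": "text/css"})
    log_request(db, page, "https://stats.tracker-example.net/ga.js", {"Content-Type": "text/javascript"})
    log_request(db, page, "https://beacon.tracker-example.net/p.gif",
                {"Content-Type": "image/gif", "Set-Cookie": "uid=42"}, width=1, height=1)
    return privacy_report(db, page)
```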

Proxies

A proxy can either be one on an intermediate server such as a company gateway, or a proxy installed on the client system itself. In both cases the browser needs to be configured to use that proxy. As there is no difference from the browser's point of view, we do not distinguish these proxy types.

Proxies (name, link)

any OS
  • JAP [58]
  • Polipo [59]
  • privoxy [60]
  • squid [61]
  • tinyproxy [62]
  • WWWOFFLE [63]

Windows
  • Proxomitron [64]

Note: The drawback when using a proxy is that SSL/TLS (https) is either not supported (e.g. privoxy, as of 2011), or the trust chain is broken and the browser indicates that with a proper message and a broken "lock" icon.

Standalone Tools

TBD

2. Server-side Tools

3. Protocol

Mozilla Firefox 4 Beta
"Do Not Track" Option - Privacy Feature
You can check a “Do Not Track” box in the “Advanced” screen of Firefox’s Options. When this option is selected, a header will be sent signaling to websites that you wish to opt-out of online behavioral tracking. You will not notice any difference in your browsing experience until sites and advertisers start responding to the header.

See: http://blog.mozilla.com/blog/2011/02/08/mozilla-firefox-4-beta-now-including-do-not-track-capabilities/

Note: Also available for Google Chrome: http://google-chrome-browser.com/tags/do-not-track
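As an added example (not code from the page, Mozilla or Google), both sides of the "Do Not Track" exchange in Python: the client adds the `DNT: 1` header when the option is checked, and the server checks for it before setting a tracking cookie or embedding an analytics script. The cookie, script path and page body are constructed; adding `Vary: DNT` so that shared caches key on the header is the practitioner's addition, not something the page states.

```python
# Constructed values for the demo (not from a real site)
TRACKING_COOKIE = "uid=42; Path=/; Max-Age=31536000"
ANALYTICS_TAG = '<script src="/analytics.js"></script>'

def client_request(path, do_not_track=True):
    """Build the request a browser with the 'Do Not Track' box checked sends."""
    headers = {"Host": "www.example.com"}
    if do_not_track:
        headers["DNT"] = "1"   # the header Firefox 4 adds when the option is enabled
    return {"method": "GET", "path": path, "headers": headers}

def wants_no_tracking(headers):
    # Only "1" is an explicit opt-out; an absent header means no preference was expressed
    value = {k.lower(): v for k, v in headers.items()}.get("dnt", "")
    return value.strip() == "1"

def server_response(request):
    """Serve the page; leave out the tracking cookie and analytics script when DNT is set."""
    body = "<html><body><h1>Hello</h1></body></html>"
    headers = {"Content-Type": "text/html",
               "Vary": "DNT"}   # the response differs by DNT, so caches must key on it
    if not wants_no_tracking(request["headers"]):
        headers["Set-Cookie"] = TRACKING_COOKIE
        body = body.replace("</body>", ANALYTICS_TAG + "</body>")
    return {"status": 200, "headers": headers, "body": body}

if __name__ == "__main__":
    for dnt in (True, False):
        r = server_response(client_request("/", do_not_track=dnt))
        print("DNT: 1" if dnt else "no DNT", "->", r["headers"], "analytics.js" in r["body"])
```

Until sites honour the header in this way, as the text notes, sending it changes nothing visible for the user.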

Keywords for further Search

  • ETag (HTTP header and browser cache)
  • Evercookie
  • Flash Cookie
  • Supercookie
  • wlHelper.js

External Links

Papers, Articles