This document discusses privacy leaks on websites and apps. It describes common uses of third parties like analytics and recommendations. However, it notes that many websites leak sensitive personal information to numerous third parties without user consent. It proposes tools like Mitmproxy and a framework called Babel to analyze privacy and security practices, identify leaks, and grade sites on headers. Demoing these tools, it finds sites leaking data and discusses helping organizations audit privacy.
26-28. Risks of Tell Tale URLs
• Websites are clearly leaking sensitive PII to a plethora of third parties.
• More often than not without users’ consent.
• More dangerously, without the websites realizing it.
31. What about control?
• British Airways
• Ticketmaster
• NewEgg
• VisionDirect
More details: https://whotracks.me/blog/trackers-who-steal.html
32. Are these problems hard to fix?
• Make sure all communication is over HTTPS.
• Private pages should carry noindex meta tags.
• Limit the presence of third-party services on private pages.
• Set a Referrer-Policy on pages with sensitive data, so the URL (and any PII in it) is not sent along with third-party requests.
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
• Implement CSP and SRI. Despite the huge footprint of third-party services, CSP and SRI are not enabled on the majority of websites.
• CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
• SRI: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
34. Missing piece in the puzzle.
• Open source & free.
• Supports multiple platforms.
• Save & replay functionality.
• Some API to configure and transform data as desired.
• Supports Python.
36. Mitmproxy - Setup
1. Install mitmproxy
• https://docs.mitmproxy.org/stable/overview-installation/
2. Configure the client to use it as its proxy
3. One-time configuration: install the mitmproxy CA certificate on the client
• https://docs.mitmproxy.org/stable/concepts-certificates/
4. Trust the certificate.
43. Babel: Network analysis framework
Step 3: Find out who maxymiser.net belongs to. Done via a locally shipped copy of the whotracks.me dataset.
44. Babel: Network analysis framework
Step 4: Grade on security and privacy headers. Uses the library from https://github.com/mozilla/http-observatory
45. Babel: Network analysis framework
Step 5: Hook up a geo-IP database to list where each server is hosted. This matters for the data processing agreements that companies have.
46. Babel: Network analysis framework
Step 6: Introspection tool, to explore the processed data.
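As an added example (not Babel's or mitmproxy's own code), the following is a minimal offline version of two checks the deck describes: the tell-tale URL leak detection behind slides 26-28 and 32, and the header grading of step 4. The first-party domain, PII values and captured flows are constructed; the third-party split uses a simplistic "last two labels" rule instead of the whotracks.me dataset or a public-suffix list, which is an assumption.

```python
from urllib.parse import urlsplit, unquote

# Referrer-Policy values that keep a page's path and query string from
# reaching a cross-origin third party.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "origin",
                          "strict-origin", "strict-origin-when-cross-origin"}
REQUIRED_HEADERS = ("content-security-policy", "referrer-policy",
                    "strict-transport-security")

# Constructed sample capture; not traffic from any real site.
FIRST_PARTY = "shop.example"
PII = {"email": "alice@example.net", "order_id": "ORD-4711"}
FLOWS = [
    {"url": "https://shop.example/account?email=alice%40example.net", "headers": {}},
    {"url": "https://cdn.tracker-example.com/pixel.gif?v=1",
     "headers": {"Referer": "https://shop.example/order/ORD-4711/confirm"}},
    {"url": "https://api.analytics-example.org/collect?u=alice%40example.net",
     "headers": {}},
]
RESPONSE_HEADERS = {"Content-Security-Policy": "default-src 'self'",
                    "Referrer-Policy": "unsafe-url"}

def registrable_domain(host: str) -> str:
    """Last two host labels (assumption: no public-suffix list, so co.uk-style
    suffixes are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_pii_leaks(flows, first_party, pii):
    """(third_party_host, location, field) for each PII value in the URL or
    Referer of a request leaving the first-party domain; percent-decoded so
    'alice%40example.net' still matches."""
    leaks = []
    for flow in flows:
        host = urlsplit(flow["url"]).hostname or ""
        if registrable_domain(host) == registrable_domain(first_party):
            continue  # first-party request, not a cross-site leak
        for location in ("url", "referer"):
            raw = flow["url"] if location == "url" else flow["headers"].get("Referer", "")
            hay = unquote(raw)
            leaks += [(host, location, f) for f, v in pii.items() if v and v in hay]
    return leaks

def grade_headers(response_headers):
    """Flag missing security headers and a Referrer-Policy that still leaks URLs."""
    lower = {k.lower(): v for k, v in response_headers.items()}
    missing = [h for h in REQUIRED_HEADERS if h not in lower]
    policy = lower.get("referrer-policy", "").strip().lower()
    return {"missing": missing,
            "weak_referrer_policy": policy not in SAFE_REFERRER_POLICIES}
```

Running `find_pii_leaks(FLOWS, FIRST_PARTY, PII)` on the sample reports the order id reaching the tracker via the Referer and the email reaching the analytics host in the query string, while the first-party account request is ignored.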
48. Next Steps & Resources
• Security header analysis
• DLP based detection of sensitive data
• Open-source Babel
• Browser extension is already open-sourced: https://github.com/cliqz-oss/local-sheriff/
• Help organizations set up Babel as an audit tool during their testing phase.
50. "Organizations with digital products that lack even the most basic data security practices are living in a utopian world where people leave their safe open and never expect a burglar to walk in."
- https://twitter.com/pi_modi
Konark Modi
Twitter: @konarkmodi
Blog: https://medium.com/@konarkmodi