Control What You Include!

Server-Side Protection Against Third Party Web Tracking

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10379))

Abstract

Third party tracking is the practice by which third parties recognize users across different websites as they browse the web. Recent studies show that more than 90% of Alexa top 500 websites [38] contain third party content that is tracking its users across the web. Website developers often need to include third party content in order to provide basic functionality. However, when a developer includes third party content, she cannot know whether the third party contains tracking mechanisms. If a website developer wants to protect her users from being tracked, the only solution is to exclude any third-party content, thus trading functionality for privacy. We describe and implement a privacy-preserving web architecture that gives website developers control over third party tracking: developers are able to include functionally useful third party content while at the same time ensuring that the end users are not tracked by the third parties.

Notes

  1. For example, see https://duckduckgo.com/.

  2. Tracking is often defined as the ability of a third party to recognize a user through different websites. However, being able to identify the websites a user is interacting with is equally crucial for the effectiveness of tracking.

  3. The Origin header is also automatically generated by the browser when third party content tries to access data using the Cross-Origin Resource Sharing [4] mechanism.

References

  1. Browsing Contexts. https://www.w3.org/TR/html51/browsers.html

  2. Cascading Style Sheets. https://www.w3.org/Style/CSS/

  3. CLIQZ. https://cliqz.com

  4. Cross-origin-resource sharing. https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

  5. CSS Parser for Node.js. https://github.com/reworkcss/css

  6. Disconnect. https://disconnect.me/

  7. Ghostery. https://www.ghostery.com/

  8. HTML Parser for Node.js. https://github.com/tmpvar/jsdom

  9. Iframe Sandbox Attribute. https://www.w3.org/TR/2011/WD-html5-20110525/the-iframe-element.html#attr-iframe-sandbox

  10. Node.js. https://nodejs.org/en/

  11. Node.js Proxy. https://newspaint.wordpress.com/2012/11/05/node-js-http-and-https-proxy

  12. PostMessage - Cross-Origin Iframe Secure Communication. https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

  13. Privacy Badger. https://www.eff.org/fr/privacybadger

  14. Reverse Proxy. https://en.wikipedia.org/wiki/Revers_proxy

  15. Same Origin Policy. https://www.w3.org/Security/wiki/Same_Origin_Policy

  16. Service Worker API. https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API

  17. Tor Browser. https://www.torproject.org/projects/torbrowser/design/

  18. Tracking Compliance and Scope. https://www.w3.org/TR/tracking-compliance/

  19. Tracking Preference Expression. https://www.w3.org/TR/tracking-dnt/

  20. uBlock Origin. https://www.ublock.org/

  21. URL. https://www.w3.org/TR/url

  22. Abgrall, E., Traon, Y.L., Monperrus, M., Gombault, S., Heiderich, M., Ribault, A.: XSS-FP: browser fingerprinting using HTML parser quirks. CoRR (2012)

  23. Acar, G., Eubank, C., Englehardt, S., Juárez, M., Narayanan, A., Díaz, C.: The web never forgets: persistent tracking mechanisms in the wild. In: Proceedings of CCS 2014 (2014)

  24. Acar, G., Juárez, M., Nikiforakis, N., Díaz, C., Gürses, S.F., Piessens, F., Preneel, B.: FPDetective: dusting the web for fingerprinters. In: Proceedings of CCS 2013 (2013)

  25. Achara, J.P., Parra-Arnau, J., Castelluccia, C.: Mytrackingchoices: pacifying the ad-block war by enforcing user privacy preferences. CoRR (2016)

  26. Boda, K., Földes, Á.M., Gulyás, G.G., Imre, S.: User tracking on the web via cross-browser fingerprinting. In: Laud, P. (ed.) NordSec 2011. LNCS, vol. 7161, pp. 31–46. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29615-4_4

  27. Cao, Y., Li, S., Wijmans, E.: (cross-)browser fingerprinting via os and hardware level features. In: Proceedings of the 24th NDSS (2017)

  28. Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14527-8_1

  29. Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: Proceedings of the 2016 CCS, pp. 1388–1401 (2016)

  30. Englehardt, S., Reisman, D., Eubank, C., Zimmerman, P., Mayer, J., Narayanan, A., Felten, E.W.: Cookies that give you away: The surveillance implications of web tracking. In: Proceedings of the 24th WWW, pp. 289–299 (2015)

  31. Krishnamurthy, B., Wills, C.E.: Privacy diffusion on the web: a longitudinal perspective. In: Proceedings of the 18th WWW, pp. 541–550 (2009)

  32. Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: Proceedings of IEEE SP 2016 (2016)

  33. Lerner, A., Simpson, A.K., Kohno, T., Roesner, F.: Internet jones and the raiders of the lost trackers: an archaeological study of web tracking from 1996 to 2016. In: Proceedings of the 25th USENIX Security, Austin, TX (2016)

  34. Mayer, J.R., Mitchell, J.C.: Third-party web tracking: policy and technology. In: Proceedings of the 2012 IEEE SP, pp. 413–427 (2012)

  35. Merzdovnik, G., Huber, M., Buhov, D., Nikiforakis, N., Neuner, S., Schmiedecker, M., Weippl, E.: Block me if you can: a large-scale study of tracker-blocking tools. In: Proceedings of the 2nd EuroSP, Paris, France (2017)

  36. Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of web-based device fingerprinting. In: Proceedings of the 2013 IEEE SP, pp. 541–555 (2013)

  37. Pan, X., Cao, Y., Chen, Y.: I do not know what you visited last summer: protecting users from stateful third-party web tracking with trackingfree browser. In: Proceedings of the 22nd NDSS (2015)

  38. Roesner, F., Kohno, T., Wetherall, D.: Detecting and defending against third-party tracking on the web. In: Proceedings of the 9th NSDI, pp. 155–168 (2012)

  39. Soltani, A., Canty, S., Mayo, Q., Thomas, L., Hoofnagle, C.J.: Flash cookies and privacy. In: AAAI Spring Symposium: Intelligent Information Privacy Management, pp. 158–163 (2010)

  40. Starov, O., Nikiforakis, N.: Extended tracking powers: measuring the privacy diffusion enabled by browser extensions. In: Proceedings of the 2017 WWW (2017)

  41. Takei, N., Saito, T., Takasu, K., Yamada, T.: Web browser fingerprinting using only cascading style sheets. In: Proceedings of the 10th BWCCA, pp. 57–63 (2015)

  42. Upathilake, R., Li, Y., Matrawy, A.: A classification of web browser fingerprinting techniques. In: Proceedings of the 7th NTMS, pp. 1–5 (2015)

  43. West, M.: Mixed Content (2016). https://www.w3.org/TR/mixed-content/

  44. West, M., Barth, A., Veditz, D.: Content Security Policy Level 2 (2015)

Author information

Corresponding author

Correspondence to Dolière Francis Somé.

Appendix

Screenshots of the demo website map console (Fig. 5).

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Somé, D.F., Bielova, N., Rezk, T. (2017). Control What You Include!. In: Bodden, E., Payer, M., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2017. Lecture Notes in Computer Science, vol 10379. Springer, Cham. https://doi.org/10.1007/978-3-319-62105-0_8

  • DOI: https://doi.org/10.1007/978-3-319-62105-0_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-62104-3

  • Online ISBN: 978-3-319-62105-0

  • eBook Packages: Computer Science, Computer Science (R0)
