[00:00:05] >> I want to introduce Brian Kondracki from Stony Brook University, and he's going to talk today on what he calls Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers. So we're excited for your talk, and welcome, Brian. I'm going to just tell everyone a little bit of background about you before we get started. So Brian is a PhD student and he's working in the PragSec Lab at Stony Brook University under the guidance of Nick Nikiforakis, and his research involves keeping the web secure by discovering vulnerabilities and actions of attackers through network fingerprinting. Really exciting talk, and I'm going to go on mute and I'll come back at the end. Again, everybody, just feel free to submit your questions. Thanks. [00:01:02] Thanks for the introduction. So I will be sharing the work that we published at Oakland this year, Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers. So this is a study of the security and privacy implications of data-saving browsers. Let's get right into that. So as we all know, smartphones are everywhere, and mobile devices now account for roughly half of all web traffic, and on top of that there's an increased consumption of multimedia resources, such as video streaming, from mobile devices. [00:01:42] Because of this, users are forced to alter their behavior to budget the data that they have available. Studies have shown that typically about 6 ... do this. To alleviate some of these problems, there's been a boom in popularity of data-saving browsers, and what these browsers do is they leverage the computing power of the cloud to offload the rendering and compression of web pages, and this shifts the burden of budgeting data away from users and puts it onto the browsers, so users can browse freely and feel like they have more data than they actually do.
[00:02:26] I'll explain how this kind of works with the animations here. So in a traditional browsing environment, the mobile device will connect to the web infrastructure of the website that they're interested in over an HTTPS connection, and they will send GET requests and they will receive back the full-sized payload to be rendered on the screen. [00:02:53] Now, in a data-saving browser environment, you take that HTTPS connection and we split it in two and we stick the data-saving proxy server in the middle. So now, rather than connecting to the website, the device connects to the proxy over an encrypted connection and sends a GET request. [00:03:16] And that's going to be decrypted and read on the proxy server and then sent along to the web server over an additional HTTPS connection, and then the data will come back; that payload will be decrypted again and then sent back along to the browser on the mobile device in a smaller form, and that again is rendered on the device as if that proxy server was never there. So the benefit of that is that obviously the user has increased data savings, but with HTTPS, first of all, [00:03:55] in some cases the speed for the user can increase since the payload is smaller. And also, if the user is visiting a site that only serves over HTTP, then they get an encrypted connection to the proxy server that they otherwise would never have had. And that means that users must trust that the proxy servers do a few things. First of all, they must respect their privacy, so in the case where the user is browsing over an HTTPS connection there might be some secure data in there. [00:04:37] Since the proxy server decrypts all traffic and reads it, it has to do so only in trying to save data; these servers shouldn't be storing the data, reading the payload and doing anything nefarious with that data.
Second, the proxy servers have to adhere to the best security practices; that means, first of all, that the proxies should secure themselves from becoming a man-in-the-middle vector. [00:05:09] They can do that by enabling security checks on the proxy servers like TLS certificate validation and providing strong cipher suites to the web server; they have to do that properly, because otherwise, just by enabling data saving, users are in a worse position from a security standpoint. And lastly, are the proxy servers malicious? So in the browsers that we studied, [00:05:39] the user has no choice as to which proxy server they connect to. So if any of these proxies become compromised, the user has no way to know that their content or their data is now being exfiltrated by attackers. So through this we want to answer the following three questions. First of all, how effective are data-saving browsers in saving data? This is background work showing whether the browsers actually do what they say they are doing: do they save enough data to overcome the downsides of security and privacy that we show? [00:06:23] Second, do the proxy servers utilize their position to extract private user data in transit? So is user privacy preserved by using these browsers? And lastly, and the one we're most interested in, is security adversely affected? So to what extent does the simple act of flipping the data-saving mode on [00:06:47] make the user less secure? To answer these questions, we first needed a data collection infrastructure. So the data-saving proxy server infrastructure is pretty much a black box, so we had to prop up this data collection infrastructure. So on one side we have real mobile devices that we're controlling, and on that side we're collecting things like network traces and the IP addresses that the proxies connect to, and then on the server side, a web server, we have web pages with
[00:07:29] the experiments that we're trying to run, things like that, on both sides, and we were able to use differential analysis in a lot of cases to determine what's going on within the proxy server infrastructure. So I'll talk about the state of the data-saving browser ecosystem before we go into answering those three research questions. [00:07:56] So before you can actually do any of this, you need to figure out what data-saving browsers there are. So we did an exhaustive search of the Google Play Store for browsers that advertise some sort of data-saving technology. So we searched terms like proxy browser, data-saving browser, and similar browser terms, [00:08:18] and then downloaded the browsers that were returned that had some sort of indication that they were trying to save user data. We then had to filter out the browsers that save data through client-side means; those are some browsers that will block advertisements and claim data savings because of that, which is not really what we're after; we want the browsers that do this data processing externally. [00:08:45] So we tested the browsers by requesting a web page from our web server and just looking at the IP address that the request came from; if it's different from that of our mobile device, it's a data-saving browser. So we found these nine browsers here, and as you can see they have different behaviors: some of them proxy HTTPS, some of them don't. So the ones that don't will just step aside and let you directly request a web page. [00:09:14] Some are on by default, while most of the others will require you to opt in. And you see the range in the number of downloads goes from 100,000 all the way up to 5 billion for Chrome.
What else to note is that Opera Mini has two data-saving modes, High and Extreme, and they both behave differently, so we're going to talk about them separately. High data-saving mode will save data while also preserving the look and feel of the websites that you're going to, while Extreme, as the name suggests, will try to do everything it can to save data, even if that means losing some of the functionality of the website. [00:10:07] Also to note is that major browser manufacturers provide this functionality, so there's Chrome, UC Browser and Opera; these were major browser manufacturers before the boom of data-saving browsers started but are getting in on this space. Together they're a couple of percent of the overall browser market share, so therefore anything that we find as far as negative security and privacy implications will affect millions or billions of users. [00:10:49] So as we were playing around with these browsers, we started to realize that the actual architecture of the proxy servers that the browsers use is more complicated than what I showed earlier. So the basic view is that there's a single proxy server between the mobile device and the web server; what we found is more that the mobile device will connect to a gateway proxy, the traffic then gets routed internally and then ends up at endpoint servers which connect to the web server. And this makes sense, and in terms of what we found, a lot of endpoint servers are located mostly next to data centers of major websites, so all that makes sense to speed up the experience for users and just make sure that the overall infrastructure is fast. So to determine the size of the infrastructure of the browsers, or
[00:11:59] how much each browser manufacturer is investing into the proxy infrastructure, we enumerated every IP address that we could. On the left are the unique IPs of the gateway servers, so those IP addresses that our browser connects to directly, and then on the right you can see the unique IP addresses of the endpoint servers that connect to the web server. [00:12:32] You can see there's a major difference in the number of proxy servers that are used on the endpoint side versus the gateway side. This makes sense from a load-balancing standpoint, since the endpoint servers seem to be the ones that are actively doing data saving, so you don't want the gateway servers, which are just routing, to be bogged down waiting for a web server's response. [00:13:04] Next we're going to talk about the effectiveness of data saving, so how much data do they actually save? Data-saving browser vendors claim mobile data savings of up to 90 percent. This claim is from Opera, but if you look there are very similar claims from the other browser manufacturers as well. So we wanted to test these claims, and we did so simply by recording the amount of data that was sent with data saving enabled and disabled when browsing the Alexa top 100 sites, visiting each once in a row, [00:13:44] viewing the daily news, and also viewing three ten-minute videos. In all cases we ran this with each browser and took the average. So what we found: in the figure here you see the Alexa top 100 sites on the left, the daily news in the middle, and on the right the data saving when viewing YouTube videos. [00:14:12] Overall, the browsers that proxy HTTPS traffic perform much better on the Alexa top 100 sites; at this point most of the sites in the top 100 are utilizing HTTPS, so you're getting the benefit of data saving across all those sites. [00:14:35] So you can see the seven separate
browsers that proxy HTTPS on the left; with data saving enabled, they saved data on average. The browsers that don't proxy HTTPS, that just get out of the way and let you directly request websites, like Chrome and UC Browser, are a lot worse, and the worst is that using Chrome and UC Browser with data saving on actually used more data on average, with data saving enabled. Our theory behind why this happened, which was a surprising finding, [00:15:18] is pretty much that since most of the sites are using HTTPS, and all those requests are going directly to the web server, you're not getting the data savings, but at the same time we also noticed a large amount of data being transferred, metadata being transferred, between the mobile device and the proxy server regardless of whether the actual requests are going through the proxy. So you're using more bandwidth for the metadata transfers, but you're not getting the benefit of data saving. [00:15:58] On the right, for the videos, no browser is really doing that well. So we conclude that in the current incarnation of these browsers you're not really getting much benefit for multimedia content; it's mostly for text news articles, because text is very easily compressed, but in the web page landscape right now it seems like multimedia is the bigger problem than just text. Ok, so next I'll talk about the effect on usability when using a data-saving browser. [00:16:43] Using a data-saving browser can make the browsing experience more cumbersome, just not as nice as a traditional browser, since many users will share the same proxy server IP address at any given time. This leads to a natural choke point where users are tracked.
So due to that there's an increased likelihood that the reputation of the proxy server's IP address will suffer. If a whole bunch of users are all using the same proxy server IP address and they're all on Facebook at the same time, the web servers of Facebook will see many requests from the same IP address. [00:17:26] Due to that, we might see more regular CAPTCHAs and other sorts of slow-down mechanisms being shown to that shared IP address. Also, the actions of a malicious minority of users can have an adverse effect on the majority: if an attacker wants to adversely affect the usability of the browsers for all the other users, they just try to brute-force a site or do other bot activity using them for hours and then essentially have the IP address of the proxy server blocked by a major website. [00:18:06] So this is really the number one way that websites prevent automated activity, through CAPTCHAs, and we're all aware of and have seen many CAPTCHAs around the web. Google put out a really new version of reCAPTCHA just prior to when we started this experiment, which is reCAPTCHA v3. So what reCAPTCHA v3 does is, rather than show a checkbox like I had on the previous slide, [00:18:41] it returns a score to the web server in the background. So the user will come to a website protected with reCAPTCHA v3, a score will be sent to the web server, and then the web server decides what to do based on this score. The score goes from 0 to 1, where 0 is this current user is most likely a bot and 1 is this user is most likely human. We used this to quantify the effect on the usability of the browsers, so that if we have reCAPTCHA v3 scores lower with [00:19:16] a data-saving browser, then there's a higher likelihood that other types of anti-bot services would also adversely affect these users as well.
What we did in this experiment, in order to make our traffic look as human-like as possible other than our IP address, is we used the browser between the hours of 8 a.m. and 6 p.m., typical browsing hours, a little more conservative than when most people use their mobile devices. [00:19:46] We visited the Alexa top 100 sites to build a browsing history, and on these sites we clicked on elements so that we gathered cookies, and then we went to our web server which reported the reCAPTCHA v3 score, and we did this with each browser. [00:20:05] The example figure on the right is for the first 70 runs that we did; the score that we would receive when data saving is on is the lower one, so there was a higher incidence of lower scores with data saving on. So this would imply that depending on the IP address of the proxy server that you were assigned, it could have a major effect on the score you receive. [00:20:38] So to answer the second part of the usability question, we wanted to know can an attacker maliciously use CAPTCHAs and other anti-bot mechanisms to negatively affect users of data-saving browsers. So like I mentioned before, in most cases a user can perform bot-like activity using a data-saving browser and harm the other users sharing the proxy server's IP address. We had this setup with two devices; one of them was the victim and the other the attacker. We made sure both had the same [00:21:17] proxy server IP address, and the attacker device visited a site protected with an anti-bot service. We then made sure both of them did not receive any CAPTCHAs. We then used the attacker device to just refresh the page a few times until it got a CAPTCHA, which occurred typically within 20 seconds, and then we went back to the victim device and requested the same page, and then we also saw the CAPTCHA. So this is possible in our small experiment, [00:21:50] with a couple of conditions. So the victim and the attacker have to share the same proxy server, obviously.
They also have to share the same device model, which implies that bot services are using some kind of device fingerprint to see if, though there's the same IP address, it's the same device in practice. [00:22:13] Lastly, it had to happen within some local time window. So these are kind of restrictive for actually making a large-scale attack work, but if an attacker really wanted to harm or abuse data-saving browser users, they could just employ mobile devices of popular models and simply brute-force or do other bot activity. [00:22:44] Next I'll talk about the privacy infringements that these proxies are responsible for. So as I mentioned, the proxy servers are in a position to actually read or modify the user's data in transit; in order to do any data saving they have to be able to decrypt the content. [00:23:09] So it's up to them to not do anything nefarious with the data, like modify any of the data that's flowing through or scrape any of that data. So we wanted to study this from the following angles. First of all, we wanted to see are there any modifications to the HTTP transport, and by that I mean the HTTP headers: are headers removed or changed, or new headers added to requests or responses? [00:23:38] Second, we wanted to see any indications of content modification, so is the body of each request or response modified in any way? And lastly, we wanted to see is there any leakage of user data. So the way that we did this, we created some web pages on our web server [00:23:59] with different headers and different bodies; the body included form fields by design, and some URLs which were unique links that could only have been discovered by being read from our response, not guessed, so the only way that we could see a request for them is if the proxy read our response and then visited the link. [00:24:26] And we compared the headers and bodies on the web server with those received on the mobile device to see if there were any changes.
So we found that a few browsers removed vital security headers; some of the more severe ones are X-Frame-Options, a token-related header, and Strict-Transport-Security. Obviously these protect against some pretty serious attacks: X-Frame-Options will protect you from clickjacking attacks, the second protects from the attacks it is designed for, and HSTS will protect against SSL stripping. [00:25:08] So these users are quite a bit more in danger than if those headers were still there, and overall it seems like Opera would remove any header that they didn't understand, whether it was a security header or just a header that was added by, let's say, a site for its own purposes. [00:25:29] We also found that Opera and UC Browser employ very persistent identifiers that can be used to track users. So that metadata transfer that I mentioned earlier is a means of tracking; this metadata is transparently transmitted to the proxy and includes the actual device identifiers, [00:25:50] IMEI, serial number, anything like that. Although we didn't find that any browser modified the body or visited any of the data links in the response. Ok, now I'll talk about the security degradation that occurs when someone is using data saving. As I said at the very beginning, users are relying on the data-saving proxy servers to have the best security practices. [00:26:30] So we want to make sure that the level of security that the users have on their mobile device browsing in the traditional manner matches or is even better when using proxy servers; we don't want the proxy server to be less secure than the user's own device. [00:26:52] So we looked at this from the following angles. First of all, the server attack surface: how vulnerable are the servers to being compromised? Second, we looked at the TLS stack of the proxy servers, so we looked at the cipher suites that it offers to web servers, the TLS level, and the connection the user's data will have between the proxy server and the web server.
[00:27:20] And lastly, we looked at the handling of TLS errors, so is the proxy server handling all the error cases properly? Do they do a good job of letting the browser and the user know if there's an error, or do they just ignore the error and tell the user everything is okay? So as we enumerated all the proxy server IP addresses, we wanted to know how many [00:27:53] open ports and listening services are present on these proxy servers. So do they look like they're only used for proxying, are the only ports there the ones used to perform the proxying, or are there other services that are used for other things as well? So we found that [00:28:17] the kind of scan results for the browsers that we actually were able to scan were the following. We found that the proxies listen on the expected ports, either 80 or 443 or both, with what appeared to be proper proxy software, but on the other hand we found a large number of open-port configurations; we found five unique sets of open ports and mostly services. So we claim that having more diverse configurations leads to more complexity and natural deficiencies. If you're the network administrator about to come up with a firewall rule to protect these proxy servers, it's much easier to know that all of the proxy servers are going to be listening on either 80 or 443 or a combination of both, but if you know that there are 28 or 23 different configurations that you need to [00:29:20] account for, it's more likely that you'll mess up and leave something open that should have been closed. We also looked at the attack surface based on the software that's listening, so we found that, out of the browsers here, there were a lot of proxy servers that were hosting very vulnerable and very out-of-date software. So for example, one browser's proxies
[00:29:56] had software that for years wasn't updated, and a lot of these have very severe known vulnerabilities associated with them, allowing an attacker to either compromise or severely degrade most of these proxies just by looking up the CVEs for this software that are publicly available. Ok, now I'll look at the security of the TLS stack of the proxy servers. [00:30:36] So on the left you can see the number of strong and weak cipher suites that are presented when you visit a website with data saving turned off, so from your mobile device's TLS stack, and then on the right you see the same thing with data saving enabled, and you can see that just by switching data-saving mode on, [00:31:05] your traffic may be less securely encrypted because there's a greater number of weak ciphers presented to the web server. There's a large number of weak ciphers presented. Ok, so next we looked at how each of the proxy servers handles TLS errors; so for the browsers that proxy HTTPS, [00:31:40] we hit each of them with a site with an invalid certificate and observed the behavior, and by group I just mean category. So in the first group, if anything is invalid, the user is presented with a page that says, as I'm sure we've all seen, an error, and the user has to jump through a bunch of hoops to actually get to the [00:32:10] insecure page. Then there are the browsers that let the user know that there's something wrong but just kind of show a little pop-up at the bottom that there might be something wrong; you could very easily go on to the insecure page. And lastly, the worst of them all: this group not only let the user go to the insecure page but, even worse, once they get there they give a positive security indicator, like a lock in your URL bar, saying that the page is actually secure.
[00:32:50] All of these are terrible, but let's look a little bit closer at the Superfish problem with the Opera browser. So if you recall, two years ago there was this big scandal with this adware called Superfish, and it shipped with Lenovo laptops, and what it did was sign the certificates of websites in order to inject ads into the web page. [00:33:25] The private key was made public, so any time after that you would see a certificate signed by Superfish, it very well could be an attacker impersonating a website. So all browsers should reject all those web pages with those certificates. We found that the Opera browser, Opera Mini, when you have data-saving mode on, would accept these certificates. So to show Opera the problem with that and get them to fix the issue, we performed a man-in-the-middle attack on our own site. So you see on the bottom left that when you have data-saving mode off you see a security error and a broken lock icon, so everything is good, but when you switch data-saving mode on, which again is just a single switch in the settings, you see the screenshot on the right, so everything looks secure when in reality all your data is being stolen by the attacker. [00:34:33] And I also have a demo video on the bottom right there if you want to view that after this. But after we told Opera, they were able to fix this problem pretty quickly. Ok, so I'm going to wrap up with a quick discussion on an improved data-saving design that will still be useful. So I've kind of already said some of these problems: at the moment users are forced to choose data savings over security and privacy, and that's obviously not ideal. [00:35:11] All the vulnerabilities that we found in this work arise from each of these browsers trying to intercept all HTTPS traffic. However, multimedia content is a major culprit of increased data usage.
So what we're proposing is to allow browsers to selectively intercept data. So we have the browser go out and fetch the main frame of the page, do the initial validation of each certificate, and all the sensitive information, such as form fields and user credentials, is transferred directly to the web server, and then if there are images and things like that on the web page, you can then proxy those [00:35:55] and get those compressed. So what this does is reduce the impact of a misconfigured proxy server, since any type of misconfiguration will be limited to just requests for resources, while still saving users data, and the browsers that do not proxy HTTPS can feel a bit more comfortable if all the sensitive data is transferred directly. So in summary, data-saving browsers allow users to surf the web while using less mobile data, but we find that the savings that these browsers claim are a bit exaggerated. [00:36:42] We find that users are more likely to be blocked when using these browsers. A question: have you looked into data-saving browsers on iOS or just Android? So, yes. So we tried to find them; before our study started there used to be often the same browsers that we studied released on [00:37:12] iOS, but it was not really applicable for a research study, and there doesn't seem to be much in terms of data saving there; Opera obviously is the big browser, but they seem to be more focused on battery on their desktop. So there are browsers, as we show, that strip security information, and they strip those very vital security headers [00:37:49] and other headers that may be important for each particular website. And lastly, the fact that enabling data-saving mode has an impact on the security of the users. And I'll be happy to take questions. Did the scans of the proxy servers show the full version of the software running? [00:38:16] So, true that the
software that's running on the proxy servers could be modified to defeat fingerprinting, and a version string is something that can be changed, so we took into account that these are the versions of the software that the servers report. Although you'd find that if a browser manufacturer is going to modify the version that's running on a proxy server, they would bump it up rather than down, so there were a lot of older versions; they [00:38:55] would claim to be using a more secure version rather than a less secure one. Although, when we disclosed these things to the browser manufacturers, they said that they were out of date. And another question: if multimedia has not been affected by data saving, would data saving only for requests for multimedia content be a good solution? [00:39:20] So I think what we found is that the current incarnation of data saving does not do all that well, so browser manufacturers are going to have to rethink how they do data saving; they would have to focus more on the compression and transcoding of images and videos rather than text-based content. [00:39:48] So it could work; it's just that right now, if they just try to use the same methodology to save data, it wouldn't really save anything. Any other questions? Again, thank you to everyone for listening. Right.