Privacy on the Web Gertzman Lora Krakov Lena. Why privacy? Privacy is the number one consumer issue facing the internet. An eavesdropper (server, service.

Privacy on the Web

Gertzman Lora

Krakov Lena

Why privacy?• Privacy is the number one consumer issue

facing the internet.

• An eavesdropper (server, service provider or a private person) can reveal surfer’s identity, profile etc.

• The computer security community has concentrated on improving user privacy by hiding his identifiable tracks on the WEB, thus assuring his anonymity while surfing.

Anonymity as a solution

Rough definition: A communicates

anonymously with B, if B doesn’t know A’s

identity, and if A’s and B’s communication

can’t be linked together by someone who has

an overview on the global network.

Sometimes B is allowed to know A’s identity,

but both sides want to hide their

communication from outsiders.

Anonymity properties

1. Anonymity type (sender / receiver anonymity)

2. Adversaries (web server, eavesdropper)

3. Degree of anonymity (ranges from absolute privacy to provably exposed)

Anonymity as a solution (cont.)

• Disadvantage: can be misused by criminals or people with malicious intentions (spam e-mail, money laundering).

• Providing anonymity on the internet isn’t trivial.

• We’ll present 4 solutions: • Anonymizer

• Crowds

• Onion Routing

• The new privacy model

Anonymizer

• Popular tool for anonymizing web communication.

• Web site that serves as a mediator between the client and the server.

• Used as web proxy, that strips identifying data and forwards the request.

• Similar mechanism is the LPWA (Lucent Personalized Web Assistant)

How anonymizer works

• User requests URL via the browser.

• The request sent to the anonymizer.

• Anonymizer submits the URL to end server.

• Server replies to anonymizer.

• Anonymizer sends the response to the user.

Advantages & disadvantages

Advantages:

• Simple.

• Doesn’t need wide bandwidth.

• Quick.

Disadvantages:

• The sender- anonymizer link isn’t secure.

• The user must trust the anonymizer.

Crowds

• An innovative way to become an invisible user is simply to get lost in the crowds. After all, anonymity loves company.

• This is an anonymity agent developed by AT&T labs.

• The goal: anonymous browsing, so that user data and retrieved info are hidden from web servers and other parties.

How crowds works

• Collecting web users into geographically diverse group called “crowd”.

• User represented by a process on his local machine called “jondo”.

• The jondo engages in a protocol to join the crowd and exchanging data with the other members.

• Now jondo can employ the crowd to issue requests to web servers.

How crowds works (cont.)

• User requests URL via the browser.

• The HTTP request being sent to the jondo.

• Jondo randomly chooses another crowd member and sends the request to him.

• The new member chooses to forward or to submit the request (pf>0.5), creating “path”.

• The request is submitted to the end server.

• The answer is sent along the same path.

How crowds works (cont.)

• Subsequent requests initiated by the same jondo follow the same path, even if they have different destinations.

• Each jondo knows his predecessor and successor.

• Path is changed only when jondo fails or a new jondo joins the crowd.

• All communication between jondos is encrypted, by key shared between them.

Advantages & disadvantages

Advantages:• End server obtains

no data about the request initiator.

• Each crowd member is probably innocent.

• The jondos on the path don’t know the initiator

Disadvantages:• Message content isn’t protected.• Increasing retrieval time & bandwidth.

• Mobile code allows to circumvent crowds.• Submitting jondo’s IP may be recorded by the end server.

Onion Routing

• It’s an infrastructure for private communication over public network.

• Provides anonymous connection that are strongly resistant to eavesdropping and traffic analysis.

• An onion is a layered data structure, treated by onion routers.

• Users submit layered encrypted data and at each pass through each onion router one layer is removed.

How onion routing works

• The network consists of a number of onion routers and is accessed via series of proxies.

• Data is sent by the user through a path of onion routers, determined by an onion.

• The onion is encrypted with the public key of the onion router to which it is sent. It contains the next hop info, key seed material and embedded onion.

How onion routing works (cont.)

• Data movement from an initiating client to responding server:

Client Data stream Server

How onion routing works (cont.)

Four phases in an onion routing system:1. Network setup (establishes connections

between OR).2. Connection setup (establishes anonymous

connections through the OR network).3. Data movement over an anonymous

connection.4. Destruction and cleanup of anonymous

connection.

How onion routing works (cont.)

Advantages & disadvantagesAdvantages:• Independent from

the actual application.

• Resistant to both eavesdropping and traffic analysis.

• Almost real time.

Disadvantages:

•Sender-first OR and last OR-receiver not anonymity protected.

•Limits traffic delay and therefore limits OR mixing properties.

•Connection bandwidth

A new privacy model

• This model was developed in BG University(2002).

• Designed for preserving users’ privacy while allowing them to identify themselves.

• Based on generation of faked transactions.

• Researchers are still planning to evaluate the effectiveness of the model.

A new privacy model(cont.)

• A User Transaction- an access to a web page from the user computer.

• Internal user profile (IUP)- constructed inside the user’s computer and based on the content of pages the user accesses.

• External user profile (EUP)- based on the data flowing from the Web to the user’s computer.

In this model the EUP is different from IUP.

A new privacy model(cont.)

• The new model uses vector space model based on the representation of documents and profiles by a vector of significant weighted terms.

d=(w1,w2,…,wn)

wi- weight of term i in document d.

A new privacy model(cont.)

• A new document(candidate) is considered relevant to user if the vector d is similar to the user profile.

• Cosine measure: the cos of the angle between two vectors

How the new model works

Three main components:

1. Browser Monitor

2. Transaction Generator

3. Profile Meter

back

Browser Monitor

• Input - user transactions• Output - vector of weighted terms for each

trans’ result sent to the Profile Meter. - trigger to Transaction Generator.• Functionality- while the user is surfing the

Web, BM generates a vector of weighted terms, , at time stamp . The trigger that sent indicates a completion of user’s trans’.

VU

tU t

U

To figure

Transaction Generator

• Input - a trigger from the Browser Monitor

- set of terms from an internal DB

- IUP from the Profile Meter

- faked transaction results(Web pages)

• Output- vector of weighted terms for each faked trans’ sent to the Profile Meter.

To figure

Transaction Generator(cont.)

• Functionality - constructs the “faked trans’ query string”.- randomly accesses selected pages from results

to the query.- generates faked trans’. User calibrates the

average number of faked trans’ per user trans’- .

- builds a vector of term weights for each of faked trans’, , at time stamp .

T r

VT

tT t

T

To figure

Profile Meter

• Input - vector , from the BM

- vector , from the TG

- parameters , from the user

• Output - IUP to TG

- current degree of privacy of the user

VT

tT

VU

tU

T r rP

To figure

Profile Meter(cont.)

• Functionality

- generates the IUP ( )

- generates the FUP( ), faked trans’ profile at time stamp :

- generates the EUP(t), combining IUP and FUP into one vector

- computes the Privacy Measure

tU

tT

tT

To PM figure

Computing the Privacy Measure

• Whenever the IUP or the EUP changes, PM computes the similarity between the profiles by finding the cos of the angle between the vectors:

The Profile Meter tasks

back

Advantages & disadvantages

Advantages:

•Enables the user to identify himself while preserving his privacy

•Enables the user to calibrate him privacy

Disadvantages:

•Communication bandwidth towards the Internet

•Works around MS Internet Explorer only

Prototype System

• The system consists of a smart agent installed in the user computer

• The system is built around the MS Internet Explorer

• The Transaction Generator and the Profile Meter are written using Borland C++ Builder

Future Research

• The effect of different values of on similarity

• The effect of different values of on system performance

T r

rP

The End