From 3961cc96f6a452a17dec946ac20e1d4f1b8abafb Mon Sep 17 00:00:00 2001 From: Libor Polčák Date: May 31 2022 14:02:24 +0000 Subject: Small fixes of issues found during reading --- diff --git a/main.tex b/main.tex index e56e8c2..7ab8455 100644 --- a/main.tex +++ b/main.tex @@ -101,7 +101,7 @@ The Web is used daily by billions. Even so, users are not protected from many \section{Introduction} Most people interact with web pages daily. Nowadays, many -activities are often carried out exclusively in a Web browser, including shopping, searching for +activities are often carried out exclusively in a web browser, including shopping, searching for travel information, performing leisure activities such as gaming, business and office work. For several years, browser vendors have been adding new JavaScript APIs to solicit the development of rich web applications~\cite{Snyder_features}. @@ -216,7 +216,7 @@ browser APIs. %Version 2 of the framework allows companies to self-report active and passive fingerprinting. Figure~\ref{fig:tcffingerprinting} depicts publicly -available data by IAB Europe\footnote{See +available data by IAB Europe Transparency and Consent Framework (TCF)\footnote{See \url{https://vendor-list.consensu.org/v2/archives/vendor-list-vNUM.json} where NUM is the number of the week since the start of the framework. See \url{https://www.fit.vutbr.cz/~polcak/tcf/tcf2.html} for more data from the @@ -224,7 +224,7 @@ framework.} and shows that more than 400 companies passively fingerprint users and more than 100 companies actively use JavaScript APIs to create a unique fingerprint. One of the goals of \jshelter{} is to prevent active fingerprinting. -Transparency and Consent Framework (TCF) + \begin{figure}[h!] \centering 
@@ -268,7 +268,7 @@ prevent fraud. %transfer the question while the user types instead of waiting for the user to press %the send button~\cite{chat_sneakpeak}. -Previous literature focused on processing behavioural biometric features derived from input +Other branch of previous literature focused on processing behavioural biometric features derived from input user interaction (keyboard, mouse, and touch events). For example, it is possible to uniquely identify users~\cite{MouseDynamicsAuthentication,MouseMovementUserVerification}, derive 
@@ -384,14 +384,15 @@ evade the blockers~\cite{block_me_if_you_can}. Webextensions like NoScript Security Suite and uMatrix Origin allow users to block JavaScript or other content either completely or per domain. Hence, they -can address all six threats raised in Sect.~\ref{sec:threats}. However, the user -needs to evaluate what scripts to allow. HTTP Archive -reports\footnote{\url{https://httparchive.org/reports/page-weight?start=earliest&end=latest&view=list\#reqJs}} -that an average page includes 22 external requests (21 requests for mobile devices). -Many pages depend on JavaScript. Users must select what content to trust. A -typical page contains resources from many external sources, so such a user -requires excellent knowledge. Moreover, a malicious code may be only a -part of resources; the rest of the resource can be necessary for correct page +can address all threats raised in Sect.~\ref{sec:threats}. However, +many pages depend on JavaScript. Users must select what content to trust. +HTTP Archive +reports +that an average page includes 22 external requests (21 requests for mobile devices)\footnote{\url{https://httparchive.org/reports/page-weight?start=earliest&end=latest&view=list\#reqJs}}. +typical page contains resources from many external sources, so a user trying to +determine what code to run +requires excellent knowledge about the external sites. Moreover, a malicious code may be only a +part of a resource; the rest of the resource can be necessary for correct page functionality. So we believe that webextensions like NoScript Security Suite and uMatrix Origin are good but do not protect the user from accidentally allowing malicious code. 
@@ -447,8 +448,10 @@ resize the window and install additional webextensions. These requirements downgrade comfort, and users might be unwilling to abandon favourite webextensions or be tempted to resize the window for more comfort. As the communication is relayed multiple times by relays spread worldwide, -latency increases, and throughput is limited. The list of Tor exit node IP addresses is public. -Moreover, malicious actors often misuse Tor. Some services block Tor +latency increases, and throughput is limited. +Moreover, malicious actors often misuse Tor. +The list of Tor exit node IP addresses is public. +Some services block Tor traffic, either to prevent frequent attacks or as a temporary measure to block an attack. @@ -567,7 +570,8 @@ mode is to prevent the page from uploading the full fingerprint to a server. How from the browser. The heuristic approach was chosen as many prior studies \cite{fingerprinting_survey,web_never_forgets,million_web_site_fingerprint,fingerprint_fingerprinters} -proved it to be a viable approach with a very low false-positive rate. Our heuristics contain two basic types of entries: (1) JavaScript API endpoints, which are relevant for +proved it to be a viable approach with a very low false-positive rate. +\jshelter{} heuristics contain two basic types of entries: (1) JavaScript API endpoints, which are relevant for fingerprinting detection and (2) a hierarchy of groups of related endpoints. Endpoints can be grouped by their purpose or any other relation. The heuristics also allow clustering groups to other groups and creating a hierarchy of groups. Ultimately, the heuristics are a tree-like structure that computes the threat that a webpage tried to obtain enough information to compute a unique fingerprint. 
@@ -752,7 +756,7 @@ return modified location derived from the reading from the original API. \subsubsection{User in Control} -The number of modified APIs is huge. We expect that users will encounter pages +The number of modified APIs is high. We expect that users will encounter pages that are broken by \jshelter{} or do not work as expected. For example, the user might want to play games with a gamepad device on some pages or make a call on others. @@ -1199,8 +1203,8 @@ audience and users want to control their browsers. Based on the feedback from users, one of the reasons for the decline is that they -encounter too many broken or slow pages. We do not think that -\jshelter{} is finished. After we focused on fixing broken pages the decline +encounter too many broken or slow pages. +After we focused on fixing broken pages the decline slowed down for Firefox and the number of weekly users is stable for Chrome. Another reason is that users do not understand the little lies fingerprint
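Review bot: the first added line of the @@ -268 hunk, "Other branch of previous literature focused on processing behavioural biometric features ...", is missing its article; suggest "Another branch of previous literature focused on ..." so the sentence contrasts this body of work with the literature discussed just before it.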
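Review bot: the @@ -384 hunk drops the "A" that opened "A typical page contains resources from many external sources" (it sat at the end of the removed line "Many pages depend on JavaScript. Users must select what content to trust. A"), so the new line `typical page contains resources from many external sources, so a user trying to` now begins a sentence with a lowercase fragment right after the footnote's full stop; restore "A typical page contains ...". Two smaller points in the same hunk: the footnote marker is placed before the sentence's period (`(21 requests for mobile devices)\footnote{...}.`), whereas English typography normally puts it after the period, and in the rewritten line "Moreover, a malicious code may be only a" the noun is uncountable, so "malicious code may be only part of a resource" reads better.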
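Review bot: in the @@ -567 hunk the new sentence starts with the bare macro, "\jshelter{} heuristics contain two basic types of entries"; since the project name is used as an attributive here, "The \jshelter{} heuristics contain ..." reads more naturally and matches the surrounding prose, which otherwise uses "The heuristics ...".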
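Review bot: the @@ -1199 hunk's new line "After we focused on fixing broken pages the decline" needs a comma after the introductory clause ("After we focused on fixing broken pages, the decline slowed down for Firefox ..."); without it, "broken pages the decline" is read as one noun phrase on first pass. Dropping "We do not think that \jshelter{} is finished." is fine for flow, but the paragraph now moves straight from the cause of the decline to its remedy, so consider whether the sentence belongs in the conclusion instead of being removed outright.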