Upload
truongkien
View
250
Download
9
Embed Size (px)
Citation preview
upribox – Zeroconfig AdblockingITSecX, St. Pölten, 11/2015Dr. Markus Huber
https://upribox.org
Online Advertisement
https://upribox.org 3/31
https://upribox.org 4/314
TargetedAds
#epicfail
https://upribox.org 5/315
https://upribox.org 6/316
https://upribox.org 7/31Gotta Block'Em All | CCC Camp 2015 | Markus Huber 7
Governmental Organizations#snowden NSA piggybacks on Cookies / UUID De-Anonymization of Tor users Target selection for exploitation
Ad/Tracker Blocker Arms Race
https://upribox.org 9/31
Browser Extensions
https://upribox.org 10/31
Browser Extensions for Advertisement
AdBlock Plus (ABP)• “Acceptable Ads” program• Maintains EasyList block rules• ABP Fork: AdBlock Edge
AdBlock• Based on AdBlock Plus EasyList• Solution for Chrome, ABP were to slow• Joined Acceptable Ads in October/2015
uBlock● Based on EasyList, EasyPrivacy, Peter Lowe's List, Disconnect
● Focus on performance and privacy
https://upribox.org 11/31
Tracker Blocker
● Ghostery– Detection and blocking of trackers– Blocking is Opt-In
● Disconnect.me– Similar to Ghostery– Included in Firefox since v41
● Privacy Badger– Heuristics instead of filter rules
https://upribox.org 12/31
Empirical Study
● How effective are these browser extensions?
● Analysis of 200,000 websites (0.5 billion requests)– Selenium + different browser extensions– Collection of network traffic with mitmproxy
● Joined work with Georg Merzdovnik (SBA Research)
https://upribox.org 13/31
Study Results
Usable Privacy Box@usableprivacy
https://upribox.org 15/31
Motivation
● Browser extensions are effective● What about smartphones / tablets?
– Extensions for Android FF / Safari– In-App advertisement !
● Make it even simpler than installing extensions ...
https://upribox.org 16/31
In-App Ads
● Malvertisement● Sensitive info● Leaks / Exploits
https://upribox.org 17/31
upribox - Usable Privacy Box
● Open Source Project– Supported by the Internet Foundation Austria
● Hardware– Raspberry Pi 2 (ARM Cortex-A7)
– Wifi: 150Mbit draft N
● Usable Privacy– Make Privacy Tools accessible
https://upribox.org 18/31
Main Features
● Silent Mode– Adblocking Wifi
● Ninja Mode– Adblocking + Tor Wifi
● VPN Server– Privacy with open access points
https://upribox.org 19/31
DNS based blocking● DNS Blacklist (dnsmasq)
– EasyList, Easylist Germany, EasyPrivacy– Resets Cookies
news.com:80
content news.com:80
doubleclick.net:80 id=788087878 Expire 1.1.2020
empty document id=0 Expire 1.1.1970
google-analytics.com:443 id=788087878 Expire 1.1.2020
TCP RST
https://upribox.org 20/31
URL Filtering / CSS
● Transparent Proxy (privoxy)– URI path filter– Rules based on EasyList, EasyList Privacy– Injects CSS header
● CSS header– Make blocked content invisble
https://upribox.org 21/31
Network Blocking
● Easy to set up == connect to upribox WiFi● Works with every device (e.g. old phones)
● TLS (HTTPS)– Active MiTM is a bad idea for a privacy tool– Certain trackers not blockable
https://upribox.org 22/31
Onion Routing (Tor)
● Legacy devices● Circumvent censorship● Hide traffic from your provider
● upribox advice:– For best protection:– Download the Tor Browser Bundle!
https://upribox.org 23/31
VPN
● Based on OpenVPN (certificate based)● IPSec with strongswan dropped● Surf secure when on the road
● „Zero config“ tricky to set up– UpnP, NAT-PMP– Dynamic IPs
upribox alpha batch
https://upribox.org 25/31
upribox alpha batch alpha batch: first 25 upriboxes
Deterministic builds• Raspbian Wheezy image customized with ansible
Rolling release• Updates via git repo + ansible
3D printed case
Chance to win one tonight!
https://upribox.org 26/31
upribox Community Image
Scheduled for December 2015 In-cooperate feedback from alpha batch Reset crypto keys on first boot
Updates on release: @usableprivacy
https://upribox.org 27/31
upribox Team
Peter Judmaier, Gernot Rottermanner (Usability)
Lisa Gringl (Design), Bernhard Zeller (Web Development)
Julian Rauchberger, Tobias Dam (Software Development, Security, Configuration Management)
Aron Molnar, Anton Hinterleitner, Alex Kolmann (Network Security, Software Prototype)
Daniel Zeisner, Matthias Borowski (Industrial Design)
upribox demo
Takeaways from this presentation ...
https://upribox.org 30/31
We are entering an arms race between trackers and blockers ...
Protection by browser extensions is effective• Privacy Badger, Disconnect, uBlock
upriBox = Zero config
Soon you can turn your Raspberry Pi into an upribox