-
Beyond Cookie Monster Amnesia: Real World Persistent Online Tracking
Authors:
Nasser Mohammed Al-Fannah,
Wanpeng Li,
Chris J Mitchell
Abstract:
Browser fingerprinting is a relatively new method of uniquely identifying browsers that can be used to track web users. In some ways it is more privacy-threatening than tracking via cookies, as users have no direct control over it. A number of authors have considered the wide variety of techniques that can be used to fingerprint browsers; however, relatively little information is available on how widespread browser fingerprinting is, and what information is collected to create these fingerprints in the real world. To help address this gap, we crawled the 10,000 most popular websites; this gave insights into the number of websites that are using the technique, which websites are collecting fingerprinting information, and exactly what information is being retrieved. We found that approximately 69% of websites are, potentially, involved in first-party or third-party browser fingerprinting. We further found that third-party browser fingerprinting, which is potentially more privacy-damaging, appears to be predominant in practice. We also describe FingerprintAlert, a freely available browser extension we developed that detects and, optionally, blocks fingerprinting attempts by visited websites.
Submitted 23 May, 2019;
originally announced May 2019.
-
One Leak Will Sink A Ship: WebRTC IP Address Leaks
Authors:
Nasser Mohammed Al-Fannah
Abstract:
The introduction of the WebRTC API to modern browsers has brought about a new threat to user privacy. This API causes a range of client IP addresses to become available to a visited website via JavaScript even if a VPN is in use. This is a potentially serious problem for users utilizing VPN services for anonymity. In order to better understand the magnitude of this issue, we tested widely used browsers and VPN services to discover which client IP addresses can be revealed and in what circumstances. In most cases, at least one of the client addresses is leaked. The number and type of leaked IP addresses are affected by the choices of browser and VPN service, meaning that privacy-sensitive users should choose their browser and their VPN provider with care. We conclude by proposing countermeasures which can be used to help mitigate this issue.
Submitted 15 September, 2017;
originally announced September 2017.
-
Using Aesthetic Judgements to Distinguish between Humans and Computers
Authors:
Nasser Mohammed Al-Fannah
Abstract:
As a result of continuing advances in computer capabilities, it is becoming increasingly difficult to distinguish between humans and computers in the digital world. We propose using the fundamental human ability to distinguish between things that are aesthetically pleasing and those that are not as the basis of a method to verify that a communicating party is human. We discuss one possible implementation of this notion to develop a new CAPTCHA, the Aesthetic CAPTCHA, which we compare with widely used CAPTCHAs. Our initial analysis shows that, at least in theory, Aesthetic CAPTCHAs offer advantages over other schemes in terms of satisfying the full range of CAPTCHA requirements. More generally, using human aesthetic judgement adds a possible new dimension to the future design of Turing tests.
Submitted 8 July, 2019; v1 submitted 8 April, 2017;
originally announced April 2017.
-
Making Defeating CAPTCHAs Harder for Bots
Authors:
Nasser Mohammed Al-Fannah
Abstract:
For a number of years, many websites have used CAPTCHAs to filter out interactions by bots. However, attackers have found ways to circumvent CAPTCHAs by programming bots to solve or bypass them, or even relay them for humans to solve. In order to reduce the chances of success of such attacks, CAPTCHAs can be strengthened by the addition of certain safeguards. In this paper, we discuss seven existing safeguards as well as five novel safeguards designed to make circumventing CAPTCHAs harder. These safeguards are not mutually exclusive and can add multiple layers of protection to a CAPTCHA. We further provide a high-level comparison of their effectiveness in addressing the threat posed by CAPTCHA-defeating techniques. In order to focus on safeguards that are usable, we restrict our attention to those which have minimal adverse effect on the user experience.
Submitted 10 April, 2017;
originally announced April 2017.
-
Not All Browsers Are Created Equal: Comparing Web Browser Fingerprintability
Authors:
Nasser Mohammed Al-Fannah,
Wanpeng Li
Abstract:
Browsers and their users can be tracked even in the absence of a persistent IP address or cookie. Unique and hence identifying pieces of information, making up what is known as a fingerprint, can be collected from browsers by a visited website, e.g. using JavaScript. However, browsers vary in precisely what information they make available, and hence their fingerprintability may also vary. In this paper, we report on the results of experiments examining the fingerprintable attributes made available by a range of modern browsers. We tested the most widely used browsers for both desktop and mobile platforms. The results reveal significant differences between browsers in terms of their fingerprinting potential, meaning that the choice of browser has significant privacy implications.
Submitted 8 July, 2019; v1 submitted 15 March, 2017;
originally announced March 2017.