Abstract
The constant expansion of the World Wide Web allows users to enjoy a wide range of products and services delivered directly to their browsers. At the same time however, this expansion of functionality is usually coupled with more ways of attacking a user’s security and privacy. In this arms race, certain web-services present themselves as privacy-preserving or privacy-enhancing. One type of such services is a Referrer-Anonymizing Service (RAS), a service which relays users from a source site to a destination site while scrubbing the contents of the referrer header from user requests.
In this paper, we investigate the ecosystem of RASs and how they interact with web-site administrators and visiting users. We discuss their workings, what happens behind the scenes and how top Internet sites react to traffic relayed through such services. In addition, we present user statistics from our own Referrer-Anonymizing Service and show the leakage of private information by others towards advertising agencies as well as towards ‘curious’ RAS owners.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Panopticlick, http://panopticlick.eff.org/
Aggrawal, G., Bursztein, E., Jackson, C., Boneh, D.: An analysis of private browsing modes in modern browsers. In: Proc. of 19th Usenix Security Symposium (2010)
Readability | Arc90 Lab, http://lab.arc90.com/2009/03/02/readability/
Barth, A.: The Web Origin Concept, http://tools.ietf.org/html/draft-abarth-origin-09
Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. To appear at the 15th ACM Conference on Computer and Communications Security, CCS 2008 (2008)
Beverloo, P.: List of Chromium Command Line Switches, –no-referrers, http://peter.sh/experiments/chromium-command-line-switches/#no-referrers
Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting Inside Attackers Using Decoy Documents. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds.) SecureComm 2009. LNICST, vol. 19, pp. 51–70. Springer, Heidelberg (2009), http://www.springerlink.com/index/H4833U76H771L873.pdf
Chu, Z., Wang, H.: An investigation of hotlinking and its countermeasures. Computer Communications 34, 577–590 (2011)
Clayton, R.C., Murdoch, S.J., Watson, R.N.M.: Ignoring the Great Firewall of China. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 20–35. Springer, Heidelberg (2006)
P. Developers. Privoxy, http://www.privoxy.org .
Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: Proceedings of the 13th USENIX Security Symposium (2004)
ebricca. refspoof Firefox extension, https://addons.mozilla.org/en-US/firefox/addon/refspoof/
Eckersley, P.: How Unique Is Your Web Browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010), http://dx.doi.org/10.1007/978-3-642-14527-8_1
Recent referer xss vulnerabilities, http://evuln.com/xss/referer.html
Fioravanti, M.: Client fingerprinting via analysis of browser scripting environment. Technical report (2010)
I2P Anonymous Network, http://www.i2p2.de/
ietf-http-wg mailinglist. Re: Referer (sic) from Phillip M. Hallam-Baker (March 09, 1995), http://lists.w3.org/Archives/Public/ietf-http-wg-old/1995JanApr/0109.html
MozillaZine. Network.http.sendRefererHeader - MozillaZine Knowledge Base, http://kb.mozillazine.org/Network.http.sendRefererHeader
Murphey, L.: Secure session management: Preventing security voids in web applications (2005)
Nikiforakis, N., Balduzzi, M., Van Acker, S., Joosen, W., Balzarotti, D.: Exposing the lack of privacy in file hosting services. In: Proceedings of the 4th USENIX Conference on Large-Scale Exploits and Emergent Threats, LEET 2011. USENIX Association, Berkeley (2011)
Opera. Disabling referrer logging - Opera Knowledge Base, http://www.opera.com/support/kb/view/93/
Provos, N.: A virtual honeypot framework. In: Proceedings of the 13th Conference on USENIX Security Symposium, SSYM 2004, vol. 13, pp. 1–1. USENIX Association, Berkeley (2004)
Reiter, M.K., Rubin, A.D.: Crowds: anonymity for web transactions. ACM Trans. Inf. Syst. Secur. 1, 66–92 (1998)
RFC 2616 - Hypertext Transfer Protocol
Tor Project: Anonymity Online, http://www.torproject.org
WHATWG. HTML - Living standard, http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer
Wikipedia. Referrer spam, http://en.wikipedia.org/wiki/Referrer_spam
Wondracek, G., Holz, T., Platzer, C., Kirda, E., Kruegel, C.: Is the internet for porn? an insight into the online adult industry. In: Proceedings of the Ninth Workshop on the Economics of Information Security, WEIS (2010)
Yuill, J., Zappe, M., Denning, D., Feer, F.: Honeyfiles: deceptive files for intrusion detection. In: Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, pp. 116–122 (June 2004)
Zeller, W., Felten, E.W.: Cross-site request forgeries: Exploitation and prevention. Technical report (2008)
Zhou, Y., Evans, D.: Why Aren’t HTTP-only Cookies More Widely Deployed? In: Proceedings of 4th Web 2.0 Security and Privacy Workshop (W2SP 2010) (2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nikiforakis, N., Van Acker, S., Piessens, F., Joosen, W. (2012). Exploring the Ecosystem of Referrer-Anonymizing Services. In: Fischer-Hübner, S., Wright, M. (eds) Privacy Enhancing Technologies. PETS 2012. Lecture Notes in Computer Science, vol 7384. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31680-7_14
Download citation
DOI: https://doi.org/10.1007/978-3-642-31680-7_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31679-1
Online ISBN: 978-3-642-31680-7
eBook Packages: Computer ScienceComputer Science (R0)