PrivacyScore: Improving Privacy and Security via Crowd-Sourced Benchmarks of Websites

  • Max Maass
  • Pascal Wichmann
  • Henning Pridöhl
  • Dominik Herrmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10518)

Abstract

Website owners make conscious and unconscious decisions that affect their users, potentially exposing them to privacy and security risks in the process. In this paper we introduce PrivacyScore, an automated website scanning portal that allows anyone to benchmark security and privacy features of multiple websites. In contrast to existing projects, the checks implemented in PrivacyScore cover a wider range of potential privacy and security issues. Furthermore, users can control the ranking and analysis methodology. Therefore, PrivacyScore can also be used by data protection authorities to perform regularly scheduled compliance checks. In the long term we hope that the transparency resulting from the published assessments creates an incentive for website owners to improve their sites. The public availability of a first version of PrivacyScore was announced at the ENISA Annual Privacy Forum in June 2017.
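The abstract describes two design points, a set of automated checks run against each site and a ranking whose methodology the user controls, without showing how they fit together. The following is an added example, written for this page and not code from the PrivacyScore project: it runs a handful of illustrative checks over constructed crawl data and then ranks the same sites under two different user-chosen group priorities. The check set (HTTPS, HSTS, CSP, tracker contact, any third-party contact), the two groups, the tracker list and the lexicographic ranking rule are all assumptions made for the example, not the portal's actual checks or scoring.

```python
"""Added example (not PrivacyScore's code): offline website benchmark with a
user-controlled ranking. Checks, groups, sample data and ranking rule are
assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Callable, Iterable, Sequence

# Constructed stand-in for a tracker blocklist; a real scanner would load one.
KNOWN_TRACKERS = frozenset({"tracker.example", "analytics.example"})


@dataclass(frozen=True)
class SiteObservation:
    """What a crawler might record for one site (constructed sample data)."""
    url: str
    final_scheme: str            # scheme of the page after following redirects
    headers: dict                # lower-cased response header names -> values
    third_party_hosts: frozenset  # hosts contacted while loading the page


def hsts_max_age(value: str) -> int:
    """Parse the max-age directive of a Strict-Transport-Security value.

    Returns 0 when the directive is missing or malformed, because a policy
    without a usable positive max-age gives the browser nothing to pin.
    """
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def check_https(obs: SiteObservation) -> bool:
    return obs.final_scheme == "https"


def check_hsts(obs: SiteObservation) -> bool:
    # HSTS only counts over HTTPS and with a positive max-age; max-age=0
    # instructs browsers to forget any previously stored policy.
    header = obs.headers.get("strict-transport-security", "")
    return check_https(obs) and hsts_max_age(header) > 0


def check_csp(obs: SiteObservation) -> bool:
    return "content-security-policy" in obs.headers


def check_no_trackers(obs: SiteObservation) -> bool:
    return not (obs.third_party_hosts & KNOWN_TRACKERS)


def check_no_third_party(obs: SiteObservation) -> bool:
    return not obs.third_party_hosts


# Assumed check catalogue and grouping for this example.
CHECKS: dict = {
    "https": check_https,
    "hsts": check_hsts,
    "csp": check_csp,
    "no_trackers": check_no_trackers,
    "no_third_party": check_no_third_party,
}
GROUPS: dict = {
    "security": ("https", "hsts", "csp"),
    "privacy": ("no_trackers", "no_third_party"),
}


def run_checks(obs: SiteObservation) -> dict:
    """Evaluate every check once; the ranking works on this result table."""
    return {name: fn(obs) for name, fn in CHECKS.items()}


def rank(observations: Iterable[SiteObservation], group_order: Sequence[str]) -> list:
    """Rank sites by passed checks per group, comparing groups in the order the
    user supplies (lexicographic). The same data therefore yields a different
    list for a security-first and a privacy-first user. Ties fall back to URL."""
    if set(group_order) != set(GROUPS) or len(group_order) != len(GROUPS):
        raise ValueError("group_order must name each group exactly once")

    def key(obs: SiteObservation):
        results = run_checks(obs)
        passed = tuple(-sum(results[c] for c in GROUPS[g]) for g in group_order)
        return passed + (obs.url,)

    return [obs.url for obs in sorted(observations, key=key)]


# Constructed crawl results for three fictional sites.
SAMPLE = [
    SiteObservation("https://a.example", "https",
                    {"strict-transport-security": "max-age=31536000; includeSubDomains",
                     "content-security-policy": "default-src 'self'"},
                    frozenset({"tracker.example", "cdn.example"})),
    SiteObservation("https://b.example", "https", {}, frozenset()),
    SiteObservation("http://c.example", "http", {}, frozenset()),
]

if __name__ == "__main__":
    print("security first:", rank(SAMPLE, ("security", "privacy")))
    print("privacy first: ", rank(SAMPLE, ("privacy", "security")))
```

Run as a script, the two calls print different orders for identical data: a.example, which passes all three assumed security checks but contacts a tracker, leads the security-first list and trails the privacy-first one. That is the point behind letting the user, rather than the portal, fix the ranking methodology.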

Keywords

Scanner · Tracking · Compliance · Security · Privacy · Data protection

Acknowledgments

This work has been co-funded by the DFG as part of project C.1 within the RTG 2050 “Privacy and Trust for Mobile Users”. The authors are grateful to Marvin Hebisch and Nico Vitt, who implemented a prototype, the attendants of the PET-CON 2017.1 workshop, and members of Digitalcourage e. V. for their valuable suggestions.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Max Maass (1)
  • Pascal Wichmann (2)
  • Henning Pridöhl (2)
  • Dominik Herrmann (2)
  1. Secure Mobile Networking Lab, Technische Universität Darmstadt, Darmstadt, Germany
  2. Security in Distributed Systems Group, Universität Hamburg, Hamburg, Germany