DNS Cache-Based User Tracking

Klein, Amit; Pinkas, Benny

doi:10.14722/ndss.2019.23186

Cited by 25 publications

(13 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Despite this significant amount of prior work on online advertising, tracking, and ad-blockers, to the best of our knowledge the impact of advertising-related CNAME cloaking on cookie policies has not been previously investigated in detail. c) DNS Security: DNS is an aging protocol, and efforts to improve its security have been slow and marred by deployment mistakes [32], [20], enabling various attacks [28], [27] and misuse by ISPs [44]. New technologies like DNSover-HTTPS [34] have been proposed for remediation, but deployment has only recently begun.…”

Section: Related Workmentioning

confidence: 99%

An Analysis of First-Party Cookie Exfiltration due to CNAME Redirections

Ren¹,

Wittmany²,

Carli³

et al. 2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

DNS CNAME redirections, which can "steer" browser requests towards a domain different than the one in the request's URI, are a simple and oftentimes effective means to obscure the source of a web object behind an alias. These redirections can be used to make third-party content appear as first-party content. The practice of evading browser security mechanisms through misuse of CNAMEs, referred to as CNAME cloaking, has been recently growing in popularity among advertisers/trackers to bypass blocklists and privacy policies.While CNAME cloaking has been reported in past measurement studies, its impact on browser cookie policies has not been analyzed. We close this gap by presenting an in-depth characterization of how CNAME redirections affect cookie propagation. Our analysis uses two distinct data collection samples (June and December 2020). Beyond confirming that CNAME cloaking continues to be popular, our analysis identifies a number of websites transmitting sensitive cookies to cloaked third-parties, thus breaking browser cookie policies. Manual review of such cases identifies exfiltration of authentication cookies to advertising/tracking domains, which raises serious security concerns.

show abstract

Section: Related Workmentioning

confidence: 99%

An Analysis of First-Party Cookie Exfiltration due to CNAME Redirections

Ren¹,

Wittmany²,

Carli³

et al. 2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

show abstract

“…Yet, the results offer tracking results quite similar to HTTP cookie and affected by browser shutdown. Recently, [24] showed how to track users by their DNS cache. This work shows a tracking method that is not affected by the "golden image", browser restarts or privacy modes, however, it does not survive network changes, and its longevity is typically below one day.…”

Section: Related Work Ipv6 Privacymentioning

confidence: 99%

Flaw Label: Exploiting IPv6 Flow Label

Berger

Klein

Pinkas

2020

2020 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

The IPv6 protocol was designed with security in mind. One of the changes that IPv6 has introduced over IPv4 is a new 20-bit flow label field in its protocol header.We show that remote servers can use the flow label field in order to assign a unique ID to each device when communicating with machines running Windows 10 (versions 1703 and higher), and Linux and Android (kernel versions 4.3 and higher). The servers are then able to associate the respective device IDs with subsequent transmissions sent from those machines. This identification is done by exploiting the flow label field generation logic and works across all browsers regardless of network changes. Furthermore, a variant of this attack also works passively, namely without actively triggering traffic from those machines.To design the attack we reverse-engineered and cryptanalyzed the Windows flow label generation code and inspected the Linux kernel flow label generation code. We provide a practical technique to partially extract the key used by each of these algorithms, and observe that this key can identify individual devices across networks, VPNs, browsers and privacy settings. We deployed a demo (for both Windows and Linux/Android) showing that key extraction and machine fingerprinting works in the wild, and tested it from networks around the world. 1 We use the term "fingerprinting" as a synonym for obtaining a device-ID.(i.e., it survives shutdown+startup). Both techniques generate a consistent device-ID regardless of network changes or the browser used, and are unaffected by IPv6 privacy mechanisms. These techniques are feasible and we have successfully tested our techniques in the wild.

show abstract

“…Tracking and analyzing behavioural patterns of users through the use of plaintext domains such as DNS and SNI have been explored extensively in previous works [32][33][34]. As DoH and ESNI have been introduced in 2018, little work has been conducted from a security and privacy angle.…”

Section: Related Workmentioning

confidence: 99%

Knocking on IPs: Identifying HTTPS Websites for Zero-Rated Traffic

Martino

Quax

Lamotte

2020

Security and Communication Networks

View full text Add to dashboard Cite

Zero-rating is a technique where internet service providers (ISPs) allow consumers to utilize a specific website without charging their internet data plan. Implementing zero-rating requires an accurate website identification method that is also efficient and reliable to be applied on live network traffic. In this paper, we examine existing website identification methods with the objective of applying zero-rating. Furthermore, we demonstrate the ineffectiveness of these methods against modern encryption protocols such as Encrypted SNI and DNS over HTTPS and therefore show that ISPs are not able to maintain the current zero-rating approaches in the forthcoming future. To address this concern, we present “Open-Knock,” a novel approach that is capable of accurately identifying a zero-rated website, thwarts free-riding attacks, and is sustainable on the increasingly encrypted web. In addition, our approach does not require plaintext protocols or preprocessed fingerprints upfront. Finally, our experimental analysis unveils that we are able to convert each IP address to the correct domain name for each website in the Tranco top 6000 websites list with an accuracy of 50.5% and therefore outperform the current state-of-the-art approaches.

show abstract

DNS Cache-Based User Tracking

Cited by 25 publications

References 9 publications

An Analysis of First-Party Cookie Exfiltration due to CNAME Redirections

An Analysis of First-Party Cookie Exfiltration due to CNAME Redirections

Flaw Label: Exploiting IPv6 Flow Label

Knocking on IPs: Identifying HTTPS Websites for Zero-Rated Traffic

Contact Info

Product

Resources

About