Our (in)Secure Web: Understanding Update Behavior of Websites and Its Impact on Security

Demir, Nurullah; Urban, Tobias; Wittek, Kevin; Pohlmann, Norbert

doi:10.1007/978-3-030-72582-2_5

Cited by 7 publications

(4 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Sites and Pages. In this work, we use the term site to depict the registerable part of a given domain-often referred to as "extended Top Level Domain plus one" (eTLD+1) [6,10,23,42]. For example, given the URL https://www.bar.com/ the eTLD+1 is bar.com, or the URL https://foo.co.uk the eTLD+1 is foo.co.uk.…”

Section: Terminology and Backgroundmentioning

confidence: 99%

A Large-Scale Study of Cookie Banner Interaction Tools and their Impact on Users' Privacy

Demir,

Urban,

Pohlmann

et al. 2024

PoPETs

View full text Add to dashboard Cite

Cookie notices (or cookie banners) are a popular mechanism for websites to provide (European) Internet users a tool to choose which cookies the site may set. Banner implementations range from merely providing information that a site uses cookies over offering the choice to accepting or denying all cookies to allowing fine-grained control of cookie usage. Users frequently get annoyed by the banner's pervasiveness as they interrupt ''natural'' browsing on the Web. As a remedy, different browser extensions have been developed to automate the interaction with cookie banners. In this work, we perform a large-scale measurement study comparing the effectiveness of extensions for ''cookie banner interaction.'' We configured the extensions to express different privacy choices (e.g., accepting all cookies, accepting functional cookies, or rejecting all cookies) to understand their capabilities to execute a user's preferences. The results show statistically significant differences in which cookies are set, how many of them are set, and which types are set---even for extensions that aim to implement the same cookie choice. Extensions for ''cookie banner interaction'' can effectively reduce the number of set cookies compared to no interaction with the banners. However, all extensions increase the tracking requests significantly except when rejecting all cookies.

show abstract

Section: Terminology and Backgroundmentioning

confidence: 99%

A Large-Scale Study of Cookie Banner Interaction Tools and their Impact on Users' Privacy

Demir,

Urban,

Pohlmann

et al. 2024

PoPETs

View full text Add to dashboard Cite

show abstract

“…Online tracking. Several works analyzed the usage of cross-site tracking techniques in the wild [15]. Chen et al [13] propose a data flow tracking system to measure user tracking performed through first-party cookies that third-party JavaScript sets.…”

Section: Related Workmentioning

confidence: 99%

Understanding the Privacy Risks of Popular Search Engine Advertising Systems

Chouaki,

Goga,

Haddadi

et al. 2023

Proceedings of the 2023 ACM on Internet Measurement Conference

View full text Add to dashboard Cite

We present the first extensive measurement of the privacy properties of the advertising systems used by privacy-focused search engines. We propose an automated methodology to study the impact of clicking on search ads on three popular private search engines which have advertising-based business models: StartPage, Qwant, and DuckDuckGo, and we compare them to two dominant dataharvesting ones: Google and Bing. We investigate the possibility of third parties tracking users when clicking on ads by analyzing first-party storage, redirection domain paths, and requests sent before, when, and after the clicks.Our results show that privacy-focused search engines fail to protect users' privacy when clicking ads. Users' requests are sent through redirectors on 4% of ad clicks on Bing, 86% of ad clicks on Qwant, and 100% of ad clicks on Google, DuckDuckGo, and StartPage. Even worse, advertising systems collude with advertisers across all search engines by passing unique IDs to advertisers in most ad clicks. These IDs allow redirectors to aggregate users' activity on ads' destination websites in addition to the activity they record when users are redirected through them. Overall, we observe that both privacy-focused and traditional search engines engage in privacy-harming behaviors allowing cross-site tracking, even in privacy-enhanced browsers. CCS CONCEPTS• Security and privacy → Privacy protections; Privacy protections; • Networks → Network measurement; Network measurement.

show abstract

“…Reference [12] performed a survey to 548 governmental websites in Indonesia to see the technologies used, in particular: web server, web programming, CSS, content management system, web framework, and web 3.0. Reference [13] reviewed 5.6 million websites within the time span of 18 months from HTTPArchive, to see whether they are using outdated software. Their work is similar to our research and done on a much larger scale (our research was done on 1,500 websites and performed on one day).…”

Section: Related Workmentioning

confidence: 99%

“…However, there are several differences between the two. Reference [13] looked for software that does not use the latest minor or patch version as extracted from each application GitHub repository, while our research focuses more on the versions supported stated in the maintainer's website. We also used on-the-fly Wappalyzer detection, while reference [13] relied on Wapplayzer information detected earlier by HTTPArchive.…”

Section: Related Workmentioning

confidence: 99%

Measurement of Unsupported Applications used in Indonesia Popular Websites

Nugroho

Steven²

2021

Jurnal Ilmiah Teknik Elektro Komputer Dan Informatika

View full text Add to dashboard Cite

A security vulnerability exists in unsupported systems, and using applications supported by their maintainer help to reduce attacks based on such vulnerabilities. However, website administrators may ignore this exercise due to various reasons. This research measures the top 1,500 websites in Indonesia on how much of them are using supported applications to prevent such attacks, based on the application version number. The measurement is performed automatically using the Wappalyzer tool. From such measurement, we found that most of the applications detected do not contain version information (70%) or invalid version number (11%). We also found that more than half of the websites measured contain at least one unsupported application. In terms of the applications used, we found that many Nginx users worryingly do not keep their server version updated, while Apache and WordPress did a good job in keeping their users using the most recent version. This study highlights the need for website administrators to have their applications up to date to the supported versions, as well as for application developers to promote application updates to their users.

show abstract

Our (in)Secure Web: Understanding Update Behavior of Websites and Its Impact on Security

Cited by 7 publications

References 18 publications

A Large-Scale Study of Cookie Banner Interaction Tools and their Impact on Users' Privacy

A Large-Scale Study of Cookie Banner Interaction Tools and their Impact on Users' Privacy

Understanding the Privacy Risks of Popular Search Engine Advertising Systems

Measurement of Unsupported Applications used in Indonesia Popular Websites

Contact Info

Product

Resources

About