Exclusive: How the (synced) Cookie Monster breached my encrypted VPN session

In recent years, and after the Snowden revelations, there has been a significant movement in the web from organizations, policymakers and individuals to enhance the privacy awareness among users. As a consequence, more and more publishers support TLS in their websites, and vendors provide privacy and anonymity tools, such as secure VPNs or Tor onions, to cover the need of users for privacy-preserving web browsing. But is the sporadic appliance of such tools enough to provide privacy? In this paper, we describe two privacy-breaching threats against users accessing the Internet over a secure VPN. The breaches are made possible through Cookie Synchronization, nowadays widely used by third parties for advertisement and tracking purposes. The generated privacy leaks can be used by a snooping entity such as an ISP, to re-identify a user in the web and reveal their browsing history even when users are hidden behind a VPN. By probing the top 12K Alexa sites, we find that 1 out of 13 websites expose their users to these privacy leaks.

[1]  Arvind Narayanan,et al.  The Web Never Forgets: Persistent Tracking Mechanisms in the Wild , 2014, CCS.

[2]  Claude Castelluccia,et al.  Selling Off Privacy at Auction , 2014, NDSS 2014.

[3]  Pablo Rodriguez,et al.  If you are not paying for it, you are the product: how much do advertisers pay to reach you? , 2017, Internet Measurement Conference.

[4]  Tim Ring Your data in their hands: big data, mass surveillance and privacy , 2016 .

[5]  Sotiris Ioannidis,et al.  The Long-Standing Privacy Debate: Mobile Websites vs Mobile Apps , 2017, WWW.

[6]  Anneli Folkesson,et al.  World Wide Web Consortium (W3C) , 2005 .

[7]  Evangelos P. Markatos,et al.  The Cost of Digital Advertisement: Comparing User and Advertiser Views , 2018, WWW.

[8]  Claude Castelluccia,et al.  Selling off User Privacy at Auction , 2014, NDSS.

[9]  Evangelos P. Markatos,et al.  CCSP: A compressed certificate status protocol , 2017, IEEE INFOCOM 2017 - IEEE Conference on Computer Communications.

[10]  Claudio Soriente,et al.  User Profiling in the Time of HTTPS , 2016, Internet Measurement Conference.

[11]  Ashkan Soltani,et al.  NSA Uses Google Cookies to Pinpoint Hacking Targets , 2013 .

[12]  Evangelos P. Markatos,et al.  DCSP: performant certificate revocation a DNS-based approach , 2016, EuroSec '16.

[13]  H. Beales,et al.  The Value of Behavioral Targeting , 2010 .

[14]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.

[15]  Yan Grunenberger,et al.  The Cost of the "S" in HTTPS , 2014, CoNEXT.

[16]  Hamed Haddadi,et al.  A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients , 2015, Proc. Priv. Enhancing Technol..

[17]  Tadayoshi Kohno,et al.  Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016 , 2016, USENIX Security Symposium.

[18]  Alfredo Pironti,et al.  Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS , 2014, 2014 IEEE Symposium on Security and Privacy.