Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies

Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although protected by the Same Origin Policy, popular browsers include cookies in all requests, even when these are cross-site. Unfortunately, these third-party cookies enable both cross-site attacks and third-party tracking. In response to these nefarious consequences, various countermeasures have been developed, in the form of browser extensions or even protection mechanisms built directly into the browser. In this paper, we evaluate the effectiveness of these defense mechanisms by leveraging a framework that automatically evaluates the enforcement of the policies imposed on third-party requests. By applying our framework, which generates a comprehensive set of test cases covering various web mechanisms, we identify several flaws in the policy implementations of the 7 browsers and 46 browser extensions that were evaluated. We find that even built-in protection mechanisms can be circumvented by multiple novel techniques we discover. Based on these results, we argue that our proposed framework is a much-needed tool to detect bypasses and evaluate solutions to the exposed leaks. Finally, we analyze the origin of the identified bypass techniques, and find that these are due to a variety of implementation, configuration and design flaws.
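The core comparison such an evaluation rests on is "did the browser attach a cookie to a request that the policy under test promised to strip?" The Python sketch below is an added illustration and not the paper's framework or code: it classifies a request as third-party by comparing registrable domains (eTLD+1, using a constructed, truncated suffix table in place of the full Public Suffix List), states what a policy should do, and flags the mechanisms whose constructed observations contradict that expectation.

```python
from urllib.parse import urlparse

# Constructed, truncated public-suffix table; a real checker would load the
# full Public Suffix List. The "site" of a host is its eTLD+1.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}

def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'cdn.shop.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()

def is_third_party(top_level_url: str, request_url: str) -> bool:
    """A request is third-party when its site differs from the top-level document's site."""
    top = urlparse(top_level_url).hostname or ""
    req = urlparse(request_url).hostname or ""
    return registrable_domain(top) != registrable_domain(req)

def expected_cookie(policy: str, third_party: bool) -> bool:
    """Whether the policy under test should attach cookies to this request."""
    if policy == "allow-all":
        return True
    if policy == "block-third-party":
        return not third_party
    raise ValueError(f"unknown policy {policy!r}")

def find_leaks(policy: str, observations):
    """Compare observed cookie attachment with what the policy promises.
    observations: iterable of (mechanism, top-level URL, request URL, cookie_observed).
    Returns the mechanisms for which a cookie was attached although the policy
    should have withheld it, i.e. candidate policy bypasses."""
    leaks = []
    for mechanism, top, req, observed in observations:
        should_send = expected_cookie(policy, is_third_party(top, req))
        if observed and not should_send:
            leaks.append(mechanism)
    return leaks

# Constructed observations, as a test page plus a logging server would record
# them; the mechanism names are illustrative, not findings from the paper.
OBSERVATIONS = [
    ("img", "https://shop.example.com/", "https://tracker.org/px.gif", True),
    ("fetch", "https://shop.example.com/", "https://tracker.org/api", False),
    ("same-site-img", "https://shop.example.com/", "https://cdn.example.com/a.png", True),
]

if __name__ == "__main__":
    print("leaks under block-third-party:", find_leaks("block-third-party", OBSERVATIONS))
```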
