Exploring the Ecosystem of Referrer-Anonymizing Services

The constant expansion of the World Wide Web allows users to enjoy a wide range of products and services delivered directly to their browsers. At the same time however, this expansion of functionality is usually coupled with more ways of attacking a user's security and privacy. In this arms race, certain web-services present themselves as privacy-preserving or privacy-enhancing. One type of such services is a Referrer-Anonymizing Service (RAS), a service which relays users from a source site to a destination site while scrubbing the contents of the referrer header from user requests. In this paper, we investigate the ecosystem of RASs and how they interact with web-site administrators and visiting users. We discuss their workings, what happens behind the scenes and how top Internet sites react to traffic relayed through such services. In addition, we present user statistics from our own Referrer-Anonymizing Service and show the leakage of private information by others towards advertising agencies as well as towards ‘curious' RAS owners.

[1]  Collin Jackson,et al.  Robust defenses for cross-site request forgery , 2008, CCS.

[2]  J. Yuill,et al.  Honeyfiles: deceptive files for intrusion detection , 2004, Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004..

[3]  Christopher Krügel,et al.  Is the Internet for Porn? An Insight Into the Online Adult Industry , 2010, WEIS.

[4]  Haining Wang,et al.  An investigation of hotlinking and its countermeasures , 2011, Comput. Commun..

[5]  Niels Provos,et al.  A Virtual Honeypot Framework , 2004, USENIX Security Symposium.

[6]  Yuchen Zhou Why Aren ’ t HTTP-only Cookies More Widely Deployed ? , 2010 .

[7]  Wouter Joosen,et al.  Exposing the Lack of Privacy in File Hosting Services , 2011, LEET.

[8]  Adam Barth,et al.  The Web Origin Concept , 2011, RFC.

[9]  Dan Boneh,et al.  An Analysis of Private Browsing Modes in Modern Browsers , 2010, USENIX Security Symposium.

[10]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[11]  Robert N. M. Watson,et al.  Ignoring the Great Firewall of China , 2006, Privacy Enhancing Technologies.

[12]  Salvatore J. Stolfo,et al.  Baiting Inside Attackers Using Decoy Documents , 2009, SecureComm.

[13]  E. Felten,et al.  Cross-Site Request Forgeries : Exploitation and Prevention , 2008 .

[14]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[15]  Michael K. Reiter,et al.  Crowds: anonymity for Web transactions , 1998, TSEC.