Volume 2019 (2019): Issue 3 (July 2019)
Journal Details
Format: Journal
eISSN: 2299-0984
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

A QUIC Look at Web Tracking

Published Online: 12 Jul 2019
Page range: 255 - 266
Received: 30 Nov 2018
Accepted: 16 Mar 2019
Abstract

QUIC has been developed by Google to improve the transport performance of HTTPS traffic. It currently accounts for approx. 7% of the global Internet traffic. In this work, we investigate the feasibility of user tracking via QUIC from the perspective of an online service. Our analysis reveals that the protocol design contains violations of privacy best practices through which a tracker can passively and uniquely identify clients across several connections. These tracking mechanisms require less delay and bandwidth than conventional browser fingerprinting or HTTP cookies, which allows them to be applied in resource- or time-constrained scenarios such as real-time bidding in online advertising. To validate this finding, we investigated browsers which enable QUIC by default, e.g., Google Chrome. Our results suggest that the analyzed browsers do not provide protective measures against tracking via QUIC. However, the introduced mechanisms reset during a browser restart, which clears the cached connection data and thus limits the achievable tracking periods. To mitigate the identified privacy issues, we propose changes to QUIC’s protocol design, the operation of QUIC-enabled web servers, and browser implementations.

