Tom Van Goethem & Gertjan Franken
Tom Van Goethem is a PhD researcher at the University of Leuven with a keen interest in web security and online privacy. In his research, Tom performs large-scale security experiments, both to analyze the presence of good and bad security practices on the web, as well as to demystify security claims. More recently, Tom started exploring side-channel attacks in the context of the web. In an attempt to make the web a safer place, Tom on occasion rummages the web in search for vulnerabilities.
Gertjan is a starting PhD student at the University of Leuven in Belgium. His main research interests are in web security and more specifically understanding how browsers deal with security and privacy policies, and which effects browser extensions have on this ecosystem.
Who Left Open The Cookie Jar? A Comprehensive Evaluation of Third-party Cookie Policies
Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although protected by the Same-Origin Policy, popular browsers include cookies in all requests, even when these are cross-site. Unfortunately, these third-party cookies enable both cross-site attacks and third-party tracking. As a response to these nefarious consequences, various countermeasures have been developed in the form of browser extensions or even protection mechanisms that are built directly into the browser. In this presentation, we elaborate on our study in which we evaluated the effectiveness of these defense mechanisms by creating a framework that automatically evaluates the enforcement of the policies imposed to third-party requests.
By applying our framework, which generates a comprehensive set of test cases covering various web mechanisms, we identified several flaws in the policy implementations of the 7 browsers and 46 browser extensions that were analyzed. We find that even built-in protection mechanisms can be circumvented by the multiple novel techniques we discovered. Furthermore, our results show that for every anti-tracking or ad-blocking browser extension, there exists at least one technique to bypass its defenses. Based on these results, we argue that our proposed framework is a much-needed tool to detect bypasses and evaluate solutions to the exposed leaks. Finally, we analyze the origin of the identified bypass techniques, and find that these are due to a variety of implementation, configuration and design flaws.
Technology & Innovation