Wat vertelt mijn surfgedrag over wie ik ben?
Is mijn surfgedrag veilig voor criminelen (en de overheid) ?
Facebook, WhatsApp, Instagram, Tinder ... het gebruik van sociale media is niet meer weg te denken in onze huidige maatschappij. Met behulp van deze websites of apps is het o.a. mogelijk om allerlei persoonlijke informatie uit te wisselen, foto's te uploaden of een nieuw lief te vinden. Veel van deze gegevens worden publiekelijk opengesteld voor het wereldwijde internet. Helaas kunnen veel van deze publiekelijke gegevens ook gebruikt worden voor talloze andere doeleinden waarvan de gemiddelde gebruiker zich vaak niet bewust van is. Deze doeleinden bestaan o.a. uit marketinggerelateerde aspecten, het opsporen van verdachten via de politie of het oplichten van gebruikers d.m.v. phishing, waarbij gebruikers worden misleid in het vrijgeven van nog meer gevoelige informatie. Dit onderzoek toont aan dat dergelijke doeleinden actueel gebruikt worden ondanks de vele implicaties m.b.t. privacy en gaat er vervolgens dieper op in hoe dit wordt verwezenlijkt op een technisch niveau.
Naast deze publieke gegevens zijn er ook gegevens die wat een gebruiker absoluut geheim wilt houden, zoals de intieme gesprekken met een partner, de sociale media profielen die iemand bezoekt of naar welke hotel men misschien volgend jaar op vakantie wilt gaan. Gelukkig voor ons is dit soort gevoelige communicatie vaak versleuteld waardoor het niet mogelijk is voor aanvallers met kwaadaardige bedoelingen om deze informatie te achterhalen. Stel het 'versleutelen' voor als een pakket die de gebruiker met de post stuurt en dit in een kleine box steekt achter slot en grendel, waarbij enkel de ontvanger (b.v. je partner) de sleutel heeft om dit te openen. De postbediende kan het pakket niet openen en weet dus niet wat de gebruiker verstuurd heeft.
Versleutelen van gegevens is niet voldoende
Naar aanleiding van het voorgaande, heeft dit onderzoek een methode ontwikkeld genaamd 'IUPTIS' om dit soort conceptuele pakketten te analyseren en op basis van grootte van het pakket te bepalen wat er precies in het pakket zit , zonder toegang te hebben tot de sleutel van het pakket. In vakjargon noemt deze techniek 'webpage fingerprinting'. Men voorspelt namelijk welke webpagina een gebruiker heeft bezocht ondanks de versleuteling. Deze webpagina kan dan b.v. bestaan uit een social media profiel, een hotel of zelfs een Tinder match. Er bestaan reeds andere webpage fingerprinting technieken, maar deze aanpak focust zich op methodes toepasbaar op een gemiddelde internet gebruiker binnen de context van online platformen. De ontwikkelde methode wordt ook aangetoond op platformen zoals DeviantArt, Hotels.com, Pinterest en Pornhub. Met het laatstgenoemde platform is het dus mogelijk voor eender wie, om te achterhalen welke intieme filmpjes je precies bekijkt. Experimenten tonen ook aan dat deze methode haalbaar is in een realistische situatie en dat de privacy van internetgebruikers hierdoor zwaar in het gedrang komt. Om de privacy van deze gebruikers dan toch te waarborgen, zijn er ook methodes besproken die het toelaten om de gebruiker te beschermen tegen dit soort aanvallen.
Help, mijn Playstation lekt en verwijdert mijn persoonlijke gegevens!
Daarnaast wordt er in dit onderzoek ook de veiligheid en privacy van een Playstation 4 (spelconsole) besproken. Hieruit is gebleken dat de veiligheid ondermaats is en er talloze gevoelige informatie van de gebruiker kan worden achterhaald. Tenslotte zijn er ook 2 kwetsbaarheden gevonden die de internetveiligheid van Playstation gebruikers in het gedrang kan brengen en waardoor men een gewenste Playstation 4 op afstand kan laten uitschakelen, soms met een verlies aan data als gevolg.
Wat kan ik doen om mij tegen al deze aanvallen te beschermen ?
Een essentiële optie is om persoonlijke informatie niet voor iedereen te grabbel te gooien op het open internet. Helaas zal dit uiteraard niet alle problemen verhelpen. Daarnaast zijn veel van de bewezen beschermingen vaak nog te complex voor een gemiddelde gebruiker. Het is daarom belangrijk om een internetgebruiker correct op te leiden hoe men veilig moet omspringen met dit soort gevoelige informatie. Tenslotte staan privacy en gebruiksgemak vaak haaks op elkaar en is het vaak moeilijk voor een gebruiker om de juiste afweging te maken. Want zeg nu zelf, zou jij je Instagram en Facebook in de steek laten om je privacy te waarborgen ?
Bibliografie
[1] How the great firewall of china is blocking tor. In Presented as part of the 2nd
USENIX Workshop on Free and Open Communications on the Internet (Bellevue,
WA, 2012), USENIX.
[2] Exploiting cors misconfigurations for bitcoins and bounties.PortSwigger,October2016. http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-f….
[3] Facebook bug bounty: $5 million paid in 5 years.Joey Tyson, October 2016. https://www.facebook.com/notes/facebook-bug-bounty/
facebook-bug-bounty-5-million-paid-in-5-years/1419385021409053/.
[4] Reporting a security vulnerability. Soundcloud, December 2017. https://help.soundcloud.com/hc/en-us/articles/115003561228-Reporting-a-….
[5] Sony, 2017. https://www.sony.com.
[6] Are you on tinder? someone may be watching your swipe. Checkmarx, January
2018. https://info.checkmarx.com/hubfs/Tinder_Research.pdf.
[7] Don’t trust the vpn facebook wants you to use. Wired, February 2018. https:
//www.wired.com/story/facebook-onavo-protect-vpn-privacy/.
55[8] Accenture. Cost of cyber crime study.
[9] Alan, H. F., and Kaur, J. Can android applications be identified using only
tcp/ip headers of their launch time traffic? In Proceedings of the 9th ACM Conference
on Security & Privacy in Wireless and Mobile Networks (New York, NY, USA,
2016), WiSec ’16, ACM, pp. 61–66.
[10] AlFardan, N. J., Bernstein, D. J., Paterson, K. G., Poettering, B., and
Schuldt, J. C. N. On the security of rc4 in tls. In Proceedings of the 22Nd USENIX
Conference on Security (Berkeley, CA, USA, 2013), SEC’13, USENIX Association,
pp. 305–320.
[11] Alnaami, K., Ayoade, G., Siddiqui, A., Ruozzi, N., Khan, L., and Thu-
raisingham, B. P2v: Effective website fingerprinting using vector space represen-
tations. In Computational Intelligence, 2015 IEEE Symposium Series on (2015),
IEEE, pp. 59–66.
[12] Android. Android open source project - dns-dev, 2017. https://android-review.
googlesource.com/q/topic:dns-dev-opt+(status:open+OR+status:merged).
[13] Armerding, T. The 16 biggest data breaches of the 21st century. CSO,
October 2017.
https://www.csoonline.com/article/2130877/data-breach/
the-16-biggest-data-breaches-of-the-21st-century.html.
[14] Boundless Informant: the NSA’s secret tool to track global surveillance data.
The Guardian, June 2013. https://www.theguardian.com/world/2013/jun/08/
nsa-boundless-informant-global-datamining.
[15] Bounty, F. B. Facebook bug bounty, 2014.
BugBounty/posts/778897822124446.
[16] Brandwatch. Brandwatch Peer Index. peerindex-and-brandwatch. https://www.brandwatch.com/p/
[17] Bugcrowd. A radical cybersecurity advantage, 2017. https://www.bugcrowd.
com/.
[18] Cai, X., Nithyanand, R., and Johnson, R. CS-BuFLO: A Congestion Sensitive
Website Fingerprinting Defense. In Proceedings of the 13th Workshop on Privacy in
the Electronic Society (New York, NY, USA, 2014), WPES ’14, ACM, pp. 121–130.
http://doi.acm.org/10.1145/2665943.2665949.
[19] Cai, X., Nithyanand, R., Wang, T., Johnson, R., and Goldberg, I. A Sys-
tematic Approach to Developing and Evaluating Website Fingerprinting Defenses. In
Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communica-
tions Security (New York, NY, USA, 2014), CCS ’14, ACM, pp. 227–238.
[20] Cai, X., Zhang, X. C., Joshi, B., and Johnson, R. Touching from a Distance:
Website Fingerprinting Attacks and Defenses. In Proceedings of the 2012 ACM Con-
ference on Computer and Communications Security (New York, NY, USA, 2012),
CCS ’12, ACM, pp. 605–616. http://doi.acm.org/10.1145/2382196.2382260.
[21] Cao, Y., Li, S., and Wijmans, E. (cross-)browser fingerprinting via os and
hardware level features. In NDSS (2017). https://doi.org/10.14722/ndss.2017.
23152.
[22] Cheng, H., , Cheng, H., and Avnur, R. Traffic Analysis of SSL Encrypted Web
Browsing, 1998.
[23] Cherubin, G. Bayes, not Naı̈ve: Security Bounds on Website Fingerprinting De-
fenses. PoPETs (2017), 215–231. https://doi.org/10.1515/popets-2017-0046.
[24] Communications, N. Netscape announces ”netscape bugs bounty” with re- lease ofnetscape navigator 2.0 beta, 1997. https://web.archive.org/web/19970501041756
[25] Conti, M., Mancini, L. V., Spolaor, R., and Verde, N. V. Can’t you
hear me knocking: Identification of user actions on android apps via traffic analysis.
In Proceedings of the 5th ACM Conference on Data and Application Security and
Privacy (New York, NY, USA, 2015), CODASPY ’15, ACM, pp. 297–304.
[26] Coull, S. E., Collins, M. P., Wright, C. V., Monrose, F., and Reiter,
M. K. On Web Browsing Privacy in Anonymized NetFlows. In Proceedings of 16th
USENIX Security Symposium on USENIX Security Symposium (Berkeley, CA, USA,
2007), SS’07, USENIX Association, pp. 23:1–23:14. http://dl.acm.org/citation.
cfm?id=1362903.1362926.
[27] Dai, S., Tongaonkar, A., Wang, X., Nucci, A., and Song, D. Networkpro-
filer: Towards automatic fingerprinting of android apps. 809–817.
[28] Davies, M., Read, H., Xynos, K., and Sutherland, I. Forensic analysis of a
sony playstation 4: A first look. Digital Investigation 12 (2015), S81 – S89. DFRWS
2015 Europe.
[30] DeviantArt. Accessed on 12-21-2017.
[31] Dierks, T. The transport layer security (tls) protocol version 1.2. STD 5246,
August 2008. https://www.ietf.org/rfc/rfc5246.txt.
57[32] Donohue, B. Gaming console hacks. Kaspersky, January 2014. https://www.
kaspersky.com/blog/gaming-console-hacks/3552/.
[33] Dyer, K. P., Coull, S. E., Ristenpart, T., and Shrimpton, T. Peek-a-Boo, I
Still See You: Why Efficient Traffic Analysis Countermeasures Fail. In Proceedings of
the 2012 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2012),
SP ’12, IEEE Computer Society, pp. 332–346. http://dx.doi.org/10.1109/SP.
2012.28.
[34] Economist, T. Very personal finance, June 2012. http://www.economist.com/node/21556263.
[35] Ejeta, T. G., and Kim, H. J. Website Fingerprinting Attack on Psiphon and Its
Forensic Analysis. In Digital Forensics and Watermarking (Cham, 2017), C. Kraet-
zer, Y.-Q. Shi, J. Dittmann, and H. J. Kim, Eds., Springer International Publishing,
pp. 42–51. https://doi.org/10.1007/978-3-319-64185-0_4.
[37] Fernández, A. Clinical report: The impact of social media on children, adolescents
and families. Archivos de Pediatrı́a del Uruguay 82, 1 (2011), 31–32.
[38] Foundation, O. S. Experimental defense for website traffic finger- printing. The Tor Project, 2011. https://blog.torproject.org/experimental-defense-website-traffic-finger….
[39] Foundation, O. S. Meerderheid zorgwebsites heeft geen veilige https-verbinding
(dutch). O’Reilly Media, August 2017. https://openstate.eu/nl/2017/08/
meerderheid-zorg-websites-heeft-geen-veilige-https-verbinding/.
[40] Gan, D., and Jenkins, L. R. Social networking privacywhos stalking you? Future
Internet 7, 1 (2015), 67–93.
[41] Gonzalez, R., Soriente, C., and Laoutaris, N. User profiling in the time of
https. In Proceedings of the 2016 Internet Measurement Conference (2016), ACM,
pp. 373–379.
[43] Grigorik, I. Transport layer security (tls) networking 101, chapter 4. O’Reilly
Media. https://hpbn.co/transport-layer-security-tls/.
[44] Hajli, N. A study of the impact of social media on consumers. In International
Journal of Market Research (03 2014), vol. 56.
[45] Hayes, J., and Danezis, G. k-fingerprinting: A Robust Scalable Website Fin-
gerprinting Technique. In 25th USENIX Security Symposium (USENIX Security 16)
(Austin, TX, 2016), USENIX Association, pp. 1187–1203. https://www.usenix.
org/conference/usenixsecurity16/technical-sessions/presentation/hayes.
[46] Herrmann, D., Wendolsky, R., and Federrath, H. Website Fingerprinting:
Attacking Popular Privacy Enhancing Technologies with the Multinomial Naı̈Ve-
bayes Classifier. In Proceedings of the 2009 ACM Workshop on Cloud Computing
Security (New York, NY, USA, 2009), CCSW ’09, ACM, pp. 31–42. http://doi.
acm.org/10.1145/1655008.1655013.
[47] Hintz, A. Fingerprinting Websites Using Traffic Analysis. In Proceedings of the 2Nd
International Conference on Privacy Enhancing Technologies (Berlin, Heidelberg,
2003), PET’02, Springer-Verlag, pp. 171–178. http://dl.acm.org/citation.cfm?
id=1765299.1765312.
[48] Hotels.com. Accessed on 12-21-2017.
[49] Hunt, T. Have i been pwned? https://haveibeenpwned.com/.
[50] Husák, M., Čermák, M., Jirsı́k, T., and Čeleda, P. HTTPS traffic analysis
and client identification using passive SSL/TLS fingerprinting. EURASIP Journal on
Information Security (Feb 2016). https://doi.org/10.1186/s13635-016-0030-7.
[51] Information is Beautiful. World’s biggest http://www.informationisbeautiful.net/visualizations/ worlds-biggest-data-breaches-hacks/. data breaches.
[52] Juarez, M., Afroz, S., Acar, G., Diaz, C., and Greenstadt, R. A Critical
Evaluation of Website Fingerprinting Attacks. In Proceedings of the 2014 ACM
SIGSAC Conference on Computer and Communications Security (New York, NY,
USA, 2014), CCS ’14, ACM, pp. 263–274. http://doi.acm.org/10.1145/2660267.
2660368.
[53] Juarez, M., Imani, M., Perry, M., Diaz, C., and Wright, M. Toward an Efficient Website Fingerprinting Defense. In Computer Security – ESORICS 2016 (Cham, 2016), I. Askoxylakis, S. Ioannidis, S. Katsikas, and C. Meadows, Eds., Springer International Publishing, pp. 27–46. https://doi.org/10.1007/978-3-319-45744-4_2.
[54] Kakavas, I. Creepy. https://www.geocreepy.com/.
[55] Karakostas, D., and Zindros, D. Practical new developments on breach. https://www.blackhat.com/docs/asia-16/materials/asia-16-Karakostas Practical-New-Developments-In-The-BREACH-Attack-wp.pdf.
[56] Khanji, S., Jabir, R., Iqbal, F., and Marrington, A. Forensic analysis of
xbox one and playstation 4 gaming consoles. In 2016 IEEE International Workshop
on Information Forensics and Security (WIFS) (Dec 2016), pp. 1–6.
[57] Kumar, M. India probes report on breach of national identity database. https://www.reuters.com/article/us-india-economy-biometric/india-probes….
[58] Kwon, A., AlSabah, M., Lazar, D., Dacier, M., and Devadas, S. Cir-
cuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services. In
24th USENIX Security Symposium (USENIX Security 15) (Washington, D.C., 2015),
USENIX Association, pp. 287–302.
[59] Laszka, A., Zhao, M., and Grossklags, J. Banishing Misaligned Incentives
for Validating Reports in Bug-Bounty Platforms. Springer International Publishing,
Cham, 2016, pp. 161–178.
[60] Lee, L., Fifield, D., Malkin, N., Iyer, G., Egelman, S., and Wagner,
D. Tor’s usability for censorship circumvention. Master’s thesis, EECS Department,
University of California, Berkeley, May 2016. http://www2.eecs.berkeley.edu/
Pubs/TechRpts/2016/EECS-2016-58.html.
[61] Liberatore, M., and Levine, B. N. Inferring the Source of Encrypted HTTP
Connections. In Proceedings of the 13th ACM Conference on Computer and Com-
munications Security (New York, NY, USA, 2006), CCS ’06, ACM, pp. 255–263.
http://doi.acm.org/10.1145/1180405.1180437.
[62] Liu, L., Preoiuc-Pietro, D., Riahi, Z., Moghaddam, M. E., and Ungar,
L. Analyzing Personality through Social Media Profile Picture Choice. In ICWSM
(2016). https://sites.sas.upenn.edu/sites/default/files/danielpr/files/
persimages16icwsm.pdf.
[63] Ltd, D. P. Twitonomy. https://www.twitonomy.com/.
[64] Lu, L., Chang, E.-C., and Chan, M. C. Website Fingerprinting and Identifi-
cation Using Ordered Feature Sequences. In Proceedings of the 15th European Con-
ference on Research in Computer Security (Berlin, Heidelberg, 2010), ESORICS’10,
Springer-Verlag, pp. 199–214.
[65] Luo, X., Zhou, P., Chan, E. W. W., Lee, W., Chang, R. K. C., and
Perdisci, R. HTTPOS: Sealing information leaks with browser-side obfuscation of
60encrypted flows. In In Proc. Network and Distributed Systems Symposium (NDSS).
The Internet Society (2011). 10.1.1.300.1748.
[66] Markovikj, D., Gievska, S., Kosinski, M., and Stillwell, D. Mining
Facebook Data for Predictive Personality Modeling. https://www.aaai.org/ocs/
index.php/ICWSM/ICWSM13/paper/view/6179.
[67] McAfee. Economic impact of cybercrime no slowing down.
[68] Meister, J.Will your klout score get you hired? The role of social media in recruiting. Forbes, May2012. https://www.forbes.com/sites/jeannemeister/2012/05/07/will-your-klout-s….
[69] Miller, B., Huang, L., Joseph, A. D., and Tygar, J. D. I Know Why
You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis. In Pri-
vacy Enhancing Technologies (Cham, 2014), E. De Cristofaro and S. J. Murdoch,
Eds., Springer International Publishing, pp. 143–163. https://doi.org/10.1007/
978-3-319-08506-7_8.
[70] Miskovic, S., Lee, G. M., Liao, Y., and Baldi, M. Appprint: Automatic
fingerprinting of mobile applications in network traffic. In Passive and Active Mea-
surement (2015), Springer International Publishing, pp. 57–69.
[71] Mitmproxy. Mitmproxy, 2018. https://mitmproxy.org/.
[72] Mockapetris, P. Domain names - concepts and facilities. STD 13, RFC Editor,
November 1987. http://www.rfc-editor.org/rfc/rfc1034.txt.
[73] Mongkolluksamee, S., Visoottiviseth, V., and Fukuda, K. Combining
communication patterns & traffic patterns to enhance mobile traffic identification
performance. 247–254.
[74] Morla, R. Effect of Pipelining and Multiplexing in Estimating HTTP/2.0 Web
Object Sizes. ArXiv e-prints (7 2017).
[75] Mulazzani, M., Huber, M., and Weippl, E. Data visualization for social
network forensics. In Advances in Digital Forensics VIII (Berlin, Heidelberg, 2012),
G. Peterson and S. Shenoi, Eds., Springer Berlin Heidelberg, pp. 115–126.
[76] Mulazzani, M., Reschl, P., Huber, M., Leithner, M., Schrittwieser,
S., and Weippl, E. Fast and reliable browser identification with javascript engine
fingerprinting. In Web 2.0 Workshop on Security and Privacy (W2SP) (2013). http:
//www.ieee-security.org/TC/W2SP/2013/papers/s2p1.pdf.
[77] Overheid.nl. Wet op de inlichtingen- en veiligheidsdiensten 2017 (dutch), 2017.
http://wetten.overheid.nl/BWBR0039896/2018-05-01.
61[78] OWASP. Cross-site scripting (xss), 2016. https://www.owasp.org/index.php/
Cross-site_Scripting_(XSS).
[79] OWASP. Clickjacking, 2017. https://www.owasp.org/index.php/Clickjacking.
[80] Panchenko, A., Lanze, F., Pennekamp, J., Engel, T., Zinnen, A., Henze,
M., and Wehrle, K. Website Fingerprinting at Internet Scale. In NDSS (2016).
https://doi.org/10.14722/ndss.2016.23477.
[81] Panchenko, A., Niessen, L., Zinnen, A., and Engel, T. Website Fingerprint-
ing in Onion Routing Based Anonymization Networks. In Proceedings of the 10th
Annual ACM Workshop on Privacy in the Electronic Society (New York, NY, USA,
2011), WPES ’11, ACM, pp. 103–114. http://doi.acm.org/10.1145/20465562046570.
[82] Perez, S. Facebook starts pushing its data tracking onavo vpn within its main mobile app, 2018. https://techcrunch.com/2018/02/12/ facebook-starts-pushing-its-data-tracking-onavo-vpn-within-its-main-mobile-app/.
[83] Portswigger. Burp suite, 2018. https://portswigger.net/burp.
[84] Project, T. T. Tor. https://www.torproject.org.
[85] Pyka wifi. https://www.pyka-wifi.com.
[86] Rao, A., Spasojevic, N., Li, Z., and Dsouza, T. Klout Score: Measuring
Influence Across Multiple Social Networks. Conference: 2015 IEEE International
Conference on Big Data (Big Data) (2015), 2282–2289. https://doi.org/10.1109/
BigData.2015.7364017.
[87] Rimmer, V., Preuveneers, D., Juarez, M., Van Goethem, T., and Joosen,
W. Automated Feature Extraction for Website Fingerprinting through Deep Learn-
ing, 08 2017. (to appear).
[88] RT. Hacker posts facebook bug report on zuckerbergs wall, August 2013. https:
//www.rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/.
[89] Ruderman, J. Same-origin policy, 2017. https://developer.mozilla.org/
en-US/docs/Web/Security/Same-origin_policy.
[90] Saltaformaggio, B., Choi, H., Johnson, K., Kwon, Y., Zhang, Q.,
Zhang, X., Xu, D., and Qian, J. Eavesdropping on fine-grained user activ-
ities within smartphone apps over encrypted network traffic. In 10th USENIX
Workshop on Offensive Technologies (WOOT 16) (Austin, TX, 2016), USENIX
Association. https://www.usenix.org/conference/woot16/workshop-program/
presentation/saltaformaggio.
62[91] Shah, S. Android is getting a feature that encrypts website name requests, 2017.
https://www.engadget.com/2017/10/23/google-android-dns-tls/.
[92] Shi, Y., and Biswas, S. Website fingerprinting using traffic analysis of dy-
namic webpages. In Global Communications Conference (GLOBECOM), 2014 IEEE
(2014), IEEE, pp. 557–563.
[93] So wifi. https://www.socialwifi.com.
[94] Social wifi. https://www.sowifi.com.
[95] Stöber, T., Frank, M., Schmitt, J., and Martinovic, I. Who do you sync
you are?: Smartphone fingerprinting via application behaviour. In Proceedings of the
Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks
(New York, NY, USA, 2013), WiSec ’13, ACM, pp. 7–12.
[96] Sun, Q., Simon, D. R., Wang, Y.-M., Russell, W., Padmanabhan, V. N.,
and Qiu, L. Statistical Identification of Encrypted Web Browsing Traffic. In Pro-
ceedings of the 2002 IEEE Symposium on Security and Privacy (Washington, DC,
USA, 2002), SP ’02, IEEE Computer Society, pp. 19–. https://doi.org/10.1109/
SECPRI.2002.1004359.
[97] Synack. The hacker-powered security platform, 2017. https://www.synack.com/.
[98] Taylor, S. What do mobile business users want from wi-fi? Insights from Cisco
IBSG Research, 2012. https://www.cisco.com/c/dam/en_us/about/ac79/docs/
sp/What_Do_Mobile_Business_Users_Want_from_Wi-Fi.pdf.
[99] Taylor, V. F., Spolaor, R., Conti, M., and Martinovic, I. Robust smart-
phone app identification via encrypted network traffic analysis. IEEE Transactions
on Information Forensics and Security 13, 1 (Jan 2018), 63–78.
[100] Van Goethem, T., Vanhoef, M., Piessens, F., and Joosen, W. Re-
quest and conquer: Exposing cross-origin resource size. In 25th USENIX Se-
curity Symposium (USENIX Security 16) (Austin, TX, 2016), USENIX Associ-
ation, pp. 447–462. https://www.usenix.org/conference/usenixsecurity16/
technical-sessions/presentation/goethem.
[101] Vanhoef, M., and Van Goethem, T. Heist: Http encrypted information can be
stolen through tcp-windows.
[102] Vegh, L. Cookies consent under the gdpr. EU GDPR Compliant, February 2018.
https://eugdprcompliant.com/cookies-consent-gdpr/.
[103] Vranken, G. Https bicycle attack, December 2015. https://guidovranken.com/
2015/12/30/https-bicycle-attack/.
63[104] Wang, T. Website Fingerprinting: Attacks and Defenses (Doctoral dissertation),
2015. University of Waterloo, Canada.
[105] Wang, T., and Goldberg, I. Walkie-Talkie: An Efficient Defense Against Passive
Website Fingerprinting Attacks. In 26th USENIX Security Symposium (USENIX
Security 17) (Vancouver, BC, 2017), USENIX Association, pp. 1375–1390.
[106] WiFi4EU. Free wi-fi for europeans, 9 2016. https://ec.europa.eu/
digital-single-market/en/policies/wifi4eu-free-wi-fi-europeans.
[107] Wijnants, M., Marx, R., Quax, P., and Lamotte, W. HTTP/2 Prioritization
and its Impact on Web Performance. In The Web Conference (2018), WWW 2018.
(to appear).
[108] Winter, P., Pulls, T., and Fuss, J. Scramblesuit: A polymorphic network
protocol to circumvent censorship. In Proceedings of the 12th ACM Workshop on
Workshop on Privacy in the Electronic Society (New York, NY, USA, 2013), WPES
’13, ACM, pp. 213–224. http://doi.acm.org/10.1145/2517840.2517856.
[109] Wright, C. V., Coull, S. E., and Monrose, F. Traffic Morphing: An Efficient
Defense Against Statistical Traffic Analysis. In In Proceedings of the 16th Network
and Distributed Security Symposium (2009), IEEE, pp. 237–250.
[110] Yin-Poole, W. Ps4 hits 70m sold. Eurogamer, December 2017. https://www.
eurogamer.net/articles/2017-12-07-ps4-hits-70m-sold.
[111] Zhao, M., Laszka, A., and Grossklags, J. Devising effective policies for bug-
bounty platforms and security vulnerability discovery. Journal of Information Policy
7 (2017), 372–418. http://www.jstor.org/stable/10.5325/jinfopoli.7.2017.
0372.
