person:arvind narayanan

No boundaries for user identities: Web trackers exploit browser login managers
▻https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-lo

In this second installment of the No Boundaries series, we show how a long-known vulnerability in browsers’ built-in password managers is abused by third-party scripts for tracking on more than a thousand sites. by Gunes Acar, Steven Englehardt, and Arvind Narayanan

We show how third-party scripts exploit browsers’ built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking. The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site (...)

When the cookie meets the blockchain:
Privacy risks of web payments via cryptocurrencies
(Princeton researchers Dillon Rewsman, Steven Goldfeder, Harry Kalender and Arvind Narayanan)

https://d.ibtimes.co.uk/en/full/1632454/bitcoin-anonymity-lost-through-web-cookies.jpg

▻https://arxiv.org/pdf/1708.04748.pdf

We show how third-party web trackers can deanonymize users of cryptocurrencies. We present two distinct but complementary attacks. On most shopping websites, third party trackers receive information about user purchases for purposes of advertising and analytics. We show that, if the user pays using a cryptocurrency, trackers typically possess enough information about the purchase to uniquely identify the transaction on the blockchain, link it to the user’s cookie, and
further to the user’s real identity. Our second attack shows that if the tracker is able to link two purchases of the same user to the blockchain in this manner, it can identify the user’s entire cluster of addresses and transactions on the blockchain, even if the user employs blockchain anonymity techniques such as CoinJoin. The attacks are passive and hence can be retroactively applied to past purchases. We discuss several mitigations, but none are perfect.

▻https://www.theregister.co.uk/2017/08/20/bitcoins_anonymity_easy_to_penetrate

Of 130 online merchants that accept Bitcoin, the researchers say, 53 leak payment information to 40 third parties, “most frequently from shopping cart pages,” and most of these on purpose (for advertising, analytics and the like).

[...]

Of the 130 sites the researchers checked:

In total, 107 sites leaked some kind of transaction information;
31 allowed third-party scripts to access users’ Bitcoin addresses;
104 shared the non-BTC denominated price of a transaction; and
30 shared the transaction price in Bitcoin.

A total of 49 merchants shared users’ identifying information, and 38 shared that even if the user tries to stop them with tracking protection.

Blog of one of the researchers talking about it:

▻https://freedom-to-tinker.com/2017/08/17/when-the-cookie-meets-the-blockchain

#bitcoin
#anonymity
#privacy
#cookie

A Critical Look at Decentralized Personal Data Architectures
by Arvind Narayanan, Vincent Toubiana, Solon Barocas, Helen Nissenbaum, Dan Boneh
▻http://arxiv.org/abs/1202.4503

Developers, regulators, and consumer advocates have looked to alternative decentralized architectures as the natural response to threats posed by these centralized services. The result has been a great variety of solutions (...) [such as] distributed social networks. And yet, for all these efforts, decentralized personal data architectures have seen little adoption.
This position paper attempts to account for these failures, challenging the accepted wisdom in the web community on the feasibility and desirability of these approaches.

#réseaux_sociaux #internet #histoire #centralisation