particular vulnerability on the researchers' GitHub page, which includes a proof-of-concept and a technical explanation of the attack.
6.9.2 Controlling WebRTC
To be quite honest, WebRTC is not so good at all! Personally, I recommend that everyone disable it directly in the browser, using extensions/add-ons like:
- WebRTC Network Limiter for Chrome [75], ScriptSafe [76] for Opera and Chrome
- Disable WebRTC Addon [77] for Firefox
With Firefox, you can also disable the feature directly from the browser: just type “about:config” in the address bar, search for the string “media.peerconnection.enabled” and double-click it to set its value to false.
6.10 Browser Fingerprinting
All the technologies we have covered so far were analyzed to show how they can become a security problem for the user. Taken together, these technologies make up what is called browser fingerprinting.
The term fingerprinting refers to a unique value that the browser takes on when the sum of all the information it exposes leads to a unique result. For the sake of clarity, imagine you could literally disassemble your browser. Each part belongs to a puzzle, and if the pieces of that puzzle are arranged in a unique way, the browser automatically takes on a unique identity; if you are matched to that identity, no proxy/VPN/Tor will ever protect you. But what are those parts?
6.10.1 Defining the Browser Fingerprinting
First of all, we must clarify that fingerprinting is an extremely complex operation, and is only performed by purpose-specific pieces of software. When we navigate the web, our browser leaves a channel “open”, allowing any site to get the following information:
- Resolution, color depth
- Active plug-ins and their versions
- Current time and timezone
- WebGL fingerprint
- List of fonts installed in the operating system
- Current language
- Operating system and version
- User Agent, namely the browser, the underlying technology and its version
- External devices, like a touchpad
- Use of AdBlock
- ... and everything else we have already discussed.
You will be amazed to learn how much information we release to the websites we visit. If you wish, you can run a test on the Panopticlick site [78], developed by EFF. Using Opera on a freshly formatted OSX 10.11.5, the result shows that the browser is unique across more than 139,000 tests (Figure 23).
Figure 23: results of a conventional Opera browser on Panopticlick
6.10.2 Defending yourself from Browser Fingerprinting
If you accurately followed every recommendation from the previous topics, your browser is probably quite secure. You can do more, however. The trick is to change the game by controlling the resources listed above. Each browser allows some “covering-up”, such as changing the font list, disabling plug-ins, etc. However, this topic would require more than a single book! You can use some extensions/add-ons, though, for example:
- FireGloves [79], available for Mozilla Firefox
- StopFingerprinting [80], available for Google Chrome
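How the attributes listed in 6.10.1 add up to a unique identity, and why the covering-up described in 6.10.2 helps, can be worked through in JavaScript. This is an added example, not code from the book or from Panopticlick: the attribute values, the population shares and the names sampleBrowser, hardened, totalBits, bitsToBeUnique and fingerprintId are constructed for illustration; only the 139,000 figure comes from the text above.

```javascript
// Added example: every value and share below is constructed, not measured.
// attribute -> [value the browser reports, assumed share of browsers reporting it]
const sampleBrowser = {
  resolution: ["1440x900x24", 1 / 16],
  timezone: ["UTC+1", 1 / 8],
  language: ["it-IT", 1 / 32],
  userAgent: ["Opera 38 on OS X 10.11.5", 1 / 64],
  fonts: ["Arial,Helvetica,Menlo,Optima", 1 / 128],
  plugins: ["Flash;QuickTime", 1 / 16],
};

// Bits of identifying information carried by a value seen in `share` of browsers.
const surprisalBits = (share) => -Math.log2(share);

// Sum over attributes. Treating them as independent gives an upper bound,
// because real attributes are correlated (OS and font list, for instance).
function totalBits(browser) {
  return Object.values(browser).reduce((sum, [, share]) => sum + surprisalBits(share), 0);
}

// Bits needed to single out one browser among `population` of them.
const bitsToBeUnique = (population) => Math.log2(population);

// Stable identifier derived from the values: FNV-1a (32-bit) over the attributes,
// joined in sorted key order so the same browser always yields the same id.
function fingerprintId(browser) {
  const text = Object.keys(browser).sort().map((k) => `${k}=${browser[k][0]}`).join("|");
  let hash = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    hash ^= text.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return hash.toString(16).padStart(8, "0");
}

// Hardening as in 6.10.2: report values that many other browsers also report.
const hardened = {
  ...sampleBrowser,
  fonts: ["Arial,Helvetica,Times", 1 / 2],
  plugins: ["", 1 / 2],
  userAgent: ["Firefox ESR (generic)", 1 / 4],
  language: ["en-US", 1 / 2],
};

const needed = bitsToBeUnique(139000); // size of the Panopticlick sample quoted above
console.log("default :", fingerprintId(sampleBrowser), totalBits(sampleBrowser), "bits");
console.log("hardened:", fingerprintId(hardened), totalBits(hardened), "bits");
console.log("bits needed to be unique among 139,000:", needed.toFixed(2));
```

With these constructed shares the default browser carries 29 bits, well above the roughly 17 bits needed to be unique among 139,000 browsers, while the hardened one carries 12 bits and blends into a group of similar browsers.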
6.11 File Downloading
This category covers files that you download and that, once opened, may reveal information about your online data. When you need to open such files, you should use tools like a Virtual Machine on a host computer not connected to the Internet. Files downloaded from the Internet may contain executable code capable of communicating outside the anonymous network: for example, with the proper knowledge, arbitrary scripting code can be inserted into Word or PDF files, not to mention, of course, the classic executables available for your operating system (.exe, .dmg, .sh and so on).
6.12 Browser Security Test
Browser security is a very complex and ever-changing topic that requires extensive knowledge of multiple fields. Currently, the most complete and reliable tool to test your browser and its security is offered by BrowserSPY [81], which lets you verify the existence, or rather the exposure, of any technology in the browser.
Using this tool is quite simple: each item on the left side of the screen opens a technology summary tab and a list of the values exposed to the network. You must ensure that all the items that may somehow compromise your anonymity are properly hidden, possibly exploring the ones that have not been covered in this document.
7. Data Security
If, despite all precautions, somebody is accused of a crime – something I
would not want anybody to go through – all IT devices potentially leading to a
crime may be confiscated.
Computer forensics is the IT branch that studies methods and approaches to find any data inside an IT device. This field has been quite successful in recent years: just think about the number of cases solved thanks to a phone call, a picture taken by a smartphone or files recovered from a criminal’s computer. Furthermore, it has deeply changed and evolved: until a couple of years ago, everything was confiscated together with the computers: keyboards, monitors and mouse mats, and for no good reason!
Nowadays, labs and highly trained personnel are involved and results are
often excellent. The forensic research practices may be used by law enforcement
bodies – their actions are subject to the applicable laws – as well as by anyone
skilled enough to perform them. As we will see, some of these skills can be
easily learned and, except in rare cases, won’t require any particular tool. In this