CR Jun 26, 2021
How Private is Android's Private DNS Setting? Identifying Apps by Encrypted DNS Traffic
Michael Mühlhauser, Henning Pridöhl, Dominik Herrmann
DNS over TLS (DoT) and DNS over HTTPS (DoH) promise to improve the privacy and security of DNS by encrypting DNS messages, especially when messages are padded to a uniform size. Firstly, to demonstrate the limitations of recommended padding approaches, we present Segram, a novel app fingerprinting attack that allows adversaries to infer which mobile apps are executed on a device. Secondly, we record traffic traces of 118 Android apps using 10 different DoT/DoH resolvers to study the effectiveness of Segram under different conditions. According to our results, Segram identifies apps with accuracies of up to 72% with padding in a controlled closed-world setting. The effectiveness of Segram is comparable with state-of-the-art techniques, but Segram requires less computational effort. We release our datasets and code. Thirdly, we study the prevalence of padding among privacy-focused DoT/DoH resolvers, finding that up to 81% of our sample fail to enable padding. Our results suggest that recommended padding approaches are less effective than expected and that resolver operators are not sufficiently aware of this feature.
CR Jun 15, 2021
Best Practices for Notification Studies for Security and Privacy Issues on the Internet
Max Maass, Henning Pridöhl, Dominik Herrmann et al.
Researchers help operators of vulnerable and non-compliant internet services by individually notifying them about security and privacy issues uncovered in their research. To improve the efficiency and effectiveness of such efforts, dedicated notification studies are imperative. As of today, there is no comprehensive documentation of pitfalls and best practices for conducting such notification studies, which limits the validity of results and impedes reproducibility. Drawing on our experience with such studies and guidance from related work, we present a set of guidelines and practical recommendations covering initial data collection, sending of notifications, interacting with the recipients, and publishing the results. We note that future studies can especially benefit from extensive planning and automation of crucial processes, i.e., activities that take place well before the first notifications are sent.
CY Apr 13, 2021
The AppChk Crowd-Sourcing Platform: Which third parties are iOS apps talking to?
Oleg Geier, Dominik Herrmann
In this paper we present a platform that is usable by novice users without expert domain knowledge. The platform consists of an iOS app to monitor network traffic and a website to evaluate the results. Monitoring takes place on-device; no external server is required. Users can record and share network activity, compare evaluation results, and create rankings of apps and app groups. The results are used to detect new trackers, point out misconduct in privacy practices, or automate comparisons of app attributes like price, region, and category. To demonstrate potential use cases, we compare 75 apps before and after the iOS 14 release and show that we can detect trends in app-specific behavior change over time, for example, caused by privacy changes in the OS. Our results indicate a slight decrease in tracking but also an increase in contacted domains. We identify seven new trackers that are not present in current tracking lists such as EasyList. The games category is particularly prone to tracking (53% of the traffic) and contacts on average 36.2 domains with 59.3 requests per minute.
CR Nov 12, 2020
Effective Notification Campaigns on the Web: A Matter of Trust, Framing, and Support
Max Maass, Alina Stöver, Henning Pridöhl et al.
Misconfigurations and outdated software are a major cause of compromised websites and data leaks. Past research has proposed and evaluated sending automated security notifications to the operators of misconfigured websites, but encountered issues with reachability, mistrust, and a perceived lack of importance. In this paper, we seek to understand the determinants of effective notifications. We identify a data protection misconfiguration that affects 12.7 % of the 1.3 million websites we scanned and opens them up to legal liability. Using a subset of 4754 websites, we conduct a multivariate randomized controlled notification experiment, evaluating the contact medium, the sender, and the framing of the message. We also include a link to a public web-based self-service tool that is run by us in disguise and conduct an anonymous survey of the notified website owners (N=477) to understand their perspective. We find that framing a misconfiguration as a problem of legal compliance can increase remediation rates, especially when the notification is sent as a letter from a legal research group, achieving remediation rates of 76.3 % compared to 33.9 % for emails sent by computer science researchers warning about a privacy issue. Across all groups, 56.6 % of notified owners remediated the issue, compared to 9.2 % in the control group. In conclusion, we present factors that lead website owners to trust a notification, show which framing of the notification brings them into action, and how they can be supported in remediating the issue.
CR Nov 30, 2018
On the Difficulties of Incentivizing Online Privacy through Transparency: A Qualitative Survey of the German Health Insurance Market
Max Maass, Nicolas Walter, Dominik Herrmann et al.
Today, online privacy is the domain of regulatory measures and privacy-enhancing technologies. Transparency in the form of external and public assessments has been proposed for improving privacy and security because it exposes otherwise hidden deficiencies. Previous work has studied the privacy attitudes and behavior of consumers. However, little is known about how organizations react to measures that employ public "naming and shaming" as an incentive for improvement. We performed the first study on this aspect by conducting a qualitative survey with 152 German health insurers. We scanned their websites with PrivacyScore.org to generate a public ranking and confronted the insurers with the results. We obtained a response rate of 27%. Responses ranged from positive feedback to legal threats. Only 12% of the sites - mostly non-responders - improved during our study. Our results show that insurers struggle due to unawareness, reluctance, and incapability, and demonstrate the general difficulties of transparency-based approaches.
CR Nov 20, 2017
Integrating Privacy-Enhancing Technologies into the Internet Infrastructure
David Harborth, Dominik Herrmann, Stefan Köpsell et al.
The AN.ON-Next project aims to integrate privacy-enhancing technologies into the internet's infrastructure and establish them in the consumer mass market. The technologies in focus include basic protection at the internet service provider level, an improved overlay-network-based protection, and a concept for privacy protection in the emerging 5G mobile network. A crucial success factor will be the viable adjustment and development of standards, business models, and pricing strategies for those new technologies.
CR May 24, 2017
PrivacyScore: Analysing Websites for Security and Privacy Problems -- Concept and Legal Permissibility
Max Maass, Anne Laubach, Dominik Herrmann
PrivacyScore is a public web portal that automatically checks whether websites correctly implement common mechanisms for protecting security and privacy. In contrast to existing services, PrivacyScore makes it possible to compare several websites with each other in benchmarks, to analyse the results in a differentiated way and over time, and to define user-defined criteria for the evaluation. PrivacyScore thereby not only improves transparency for end users but also eases the work of the data protection supervisory authorities. In this contribution we present the concept of the service and discuss under which circumstances the automatic scanning and public "pillorying" of weaknesses is permissible from a legal point of view. -- This German article describes the technical and legal considerations surrounding PrivacyScore, a public web portal that allows automatic scans of websites for privacy and security problems. For an English article discussing the same system in more technical detail, but lacking the legal interpretation, see arXiv:1705.05139.
CR May 15, 2017
PrivacyScore: Improving Privacy and Security via Crowd-Sourced Benchmarks of Websites
Max Maass, Pascal Wichmann, Henning Pridöhl et al.
Website owners make conscious and unconscious decisions that affect their users, potentially exposing them to privacy and security risks in the process. In this paper we introduce PrivacyScore, an automated website scanning portal that allows anyone to benchmark the security and privacy features of multiple websites. In contrast to existing projects, the checks implemented in PrivacyScore cover a wider range of potential privacy and security issues. Furthermore, users can control the ranking and analysis methodology. Therefore, PrivacyScore can also be used by data protection authorities to perform regularly scheduled compliance checks. In the long term we hope that the transparency resulting from the published benchmarks creates an incentive for website owners to improve their sites. The public availability of a first version of PrivacyScore was announced at the ENISA Annual Privacy Forum in June 2017.
CR Mar 17, 2017
The Internet's Address Book Threatens Our Privacy
Dominik Herrmann
This paper summarizes selected results of the dissertation "Beobachtungsmöglichkeiten im Domain Name System: Angriffe auf die Privatsphäre und Techniken zum Selbstdatenschutz". The dissertation provides new technical insights to answer the questions "Who can monitor us on the Internet?" and "How do we protect ourselves?". It focuses on the Domain Name System (DNS), the address book of the internet. It shows that recursive nameservers have monitoring capabilities that have been neglected so far. In particular, a behavior-based tracking method is introduced, which allows operators to track the activities of users over an extended period of time. On the one hand, this threatens the privacy of Internet users; on the other hand, law enforcement could benefit from this research. Furthermore, new privacy-enhancing techniques are proposed, which are more effective and more user-friendly than existing approaches. ----- This contribution summarizes selected results of the dissertation "Beobachtungsmöglichkeiten im Domain Name System: Angriffe auf die Privatsphäre und Techniken zum Selbstdatenschutz". The dissertation provides new answers to the questions "Who can monitor us on the Internet?" and "How do we protect ourselves against it?". The work deals with the Domain Name System (DNS), the address book of the internet. It is shown that there are monitoring possibilities in DNS that have been neglected so far. In particular, a method for behavior-based tracking is presented, with which the activities of internet users can be followed unnoticed over longer periods of time. On the one hand, this threatens the privacy of many internet users; on the other hand, new tools for law enforcement could emerge from it. Furthermore, new privacy techniques are proposed that are more secure and more user-friendly than previous approaches.
CR Mar 21, 2016
Evaluating the Security of a DNS Query Obfuscation Scheme for Private Web Surfing
Dominik Herrmann, Max Maaß, Hannes Federrath
The Domain Name System (DNS) does not provide query privacy. Query obfuscation schemes have been proposed to overcome this limitation, but, so far, they have not been evaluated in a realistic setting. In this paper we evaluate the security of a random set range query scheme in a real-world web surfing scenario. We demonstrate that the scheme does not sufficiently obfuscate characteristic query patterns, which an adversary can use to determine the visited websites. We also illustrate how to thwart the attack and discuss practical challenges. Our results suggest that previously published evaluations of range queries may give a false sense of the attainable security, because they do not account for interdependencies between queries.