DOCSLIB.ORG

A Secure Design of Wot Services for Smart Cities Saad El Jaouhari

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Secure Design of Wot Services for Smart Cities Saad El Jaouhari A secure design of WoT services for smart cities Saad El Jaouhari To cite this version: Saad El Jaouhari. A secure design of WoT services for smart cities. Networking and Internet Architecture [cs.NI]. Ecole nationale supérieure Mines-Télécom Atlantique, 2018. English. NNT : 2018IMTA0120. tel-02093561 HAL Id: tel-02093561 https://tel.archives-ouvertes.fr/tel-02093561 Submitted on 9 Apr 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THESE DE DOCTORAT DE L’ÉCOLE NATIONALE SUPERIEURE MINES-TELECOM ATLANTIQUE BRETAGNE PAYS DE LA LOIRE - IMT ATLANTIQUE COMUE UNIVERSITE BRETAGNE LOIRE ECOLE DOCTORALE N° 601 Mathématiques et Sciences et Technologies de l'Information et de la Communication Spécialité : Informatique Par « Saad EL JAOUHARI » « A secure design of WoT services for smart cities » Thèse présentée et soutenue à Cesson Sévigné, le « 13 décembre 2018 » Unité de recherche : IRISA/D2/OCIF Thèse N° : 2018IMTA0120 Rapporteurs avant soutenance : Maryline Laurent Professeure, IMT Telecom Sud Paris Joachim Posegga Professeur, Université de Passau Composition du Jury : Présidente : Valérie Issarny Directrice de Recherche, INRIA Paris Examinateurs : Farid Naït-Abdeslam Professeur, Université Paris Descartes Tayeb Lemlouma Maître de Conférences HDR, Université Rennes 1 Maryline Laurent Professeure, IMT Telecom Sud Paris Joachim Posegga Professeur, Université de Passau Directeur de thèse : Jean-Marie Bonnin Professeur, IMT Atlantique Encadrant de thèse : Ahmed Bouabdallah Maître de conférences, IMT Atlantique Invité Emmanuel Cordonnier Directeur e-Health, BCom I would like to dedicate this thesis to my family who supported me all along this thesis. Acknowledgements First, I would like to express my gratitude and thanks to my thesis director, Professor Jean-Marie Bonnin and my supervisor, Dr. Ahmed Bouabdallah for their guidances all along this thesis. They did not save any effort to put their skills, experiences, and expertise in order to have the best results. The quality of the contributions and the thesis would have not been possi- ble without the valuable discussions we had. I wish also to thank my colleagues from the OCIF team in particular, and all the researchers in the SRCD department, for all the debates, discussions, remarks and guidances especially during the OCIF seminars. And a spe- cial thanks to my office colleagues: Francois, Xavier, Renzo, Samy, Qipeng, ..., for all the good time spent together and the rich discussions that we had. Furthermore, I would like to express my sincere gratitudes to the jury mem- bers. Their insightful questions and encouraging remarks on my work made my thesis defense a lifelong memory as well as a learning process. It is my utmost honor to have all these experts reviewing my work. I would like to sincere thanks and love my precious parents Malika and Ahmed, my brother Youssef, my sister Manal, my wife Zineb, and my best friends Youssef, Anas, Mouad, Walis and Alaeddine for their support in the good and the bad, no matter what decisions I have made. Last but not the least, I would like to thank all those who helped me during this thesis and that I had the privilege to encounter. I hereby declare that except where specific reference is made to the work of others, the contents of this dissertation are original and have not been submitted in whole or in part for consideration for any other degree or qualification in this, or any other university. This dissertation is my own work and contains nothing which is the out- come of work done in collaboration with others, except as specified in the text and Acknowledgements. Abstract The richness and the versatility of WebRTC, a new peer-to-peer, real-time and browser- based communication technology, allowed the imagination of new and innovative ser- vices. In this thesis, we analyzed the capabilities required to allow a participant in a WebRTC session to access the smart Things belonging to his own environment as well as those of any other participant in the same session. The access to such environment, which we call “Smart Space (SS)”, can be either passive, for example by monitoring the contextual information provided by the sensors, or active by requesting the execution of commands by the actuators, or a mixture of both. This approach deserves attention because it allows to solve in an original way various issues such as allowing experts to remotely exercise and provide their expertises. From a technical point of view the issue is not trivial because it requires a smooth and mastered articulation between two different technologies: WebRTC and the Internet of Things (IoT) / Web of Things (WoT). Hence, the first part of the problem studied in this thesis, consists in analyzing the possibilities of extending WebRTC capabilities with the WoT. So as to provide a secure and privacy-respectful access to the vari- ous smart objects located in the immediate environment of a participant to any other end-user involved in the same ongoing WebRTC session. Moreover, positioning our approach in the context of communication services operating in smart cities requires the ability to support a multiplicity of SSs, each with its own network and security policy. Hence, in order to allow a participant to access one of his own SSs or one of another participant (through a delegation of access process), it becomes necessary to dynamically identify, select, deploy, and enforce the SS’s specific routing and security rules, so as to have an effective, fast and secure access. Therefore, the second part of the problem studied in this Ph.D. consists in defining an efficient management of the routing and security issues regarding the possibility of having multiple SSs distributed over the entire network. Thus, the main contributions of the thesis are the following: The first one concerns the design, from scratch, of an architecture allowing a junction between WebRTC and the WoT. This architecture is then illustrated through a set of innovative use cases. The latter relies essentially on a gateway connecting the two technologies. Since WebRTC is natively secure, its analysis allowed us to propose a set of mechanisms to secure the link between the gateway and the WebRTC client together with the access control to the SS. The implementation of an experimental prototype validates the feasibility of our approach. This prototype is used to concretely explore the initial use cases in the health field as well as other applications associated with the smart home. The need for the health related use cases was confirmed later through 5 interviews with doctors. Finally, a privacy analysis of our system was proposed. An ad- ditional step was taken in order to provide a business model for one of the telemedicine use cases. The second contribution proposes a new smart home architecture encompassing several services, among them the healthcare and the energy management. The first service is based on the previously presented contribution, and its main idea is to allow interac- tions between the user inside the smart home and a remote medical staff which can be a doctor for instance. Hence, bringing telemedicine services to the smart home such as the tele-consultation and the remote monitoring. The second one is proposed in order to monitor and manage the energy consumption using smart meters. The over- all work targets the introduction of a real smart home, based in Aalborg University labs. Finally, the third contribution introduces an SDN controller in order to manage the various SSs that can be involved in a WebRTC session. The main idea consists in allowing an end-user to own more than one SS while keeping their management simple and effective. The principle of our approach consists in centralizing the decisions con- cerning the management of the various SSs. Due to the fact that routing concerns are intimately intertwined with those of security, the SDN clearly appears as a promising tool to solve these issues. Therefore, an original architecture allowing an end user to dynamically manage the access to his different SSs is developed. A prototype illus- trating our approach is implemented together with a set of experiments to evaluate the performance and security of the system. This approach is finally illustrated in the e-Health domain by demonstrating the possibility of managing an health infrastructure such as a Hospital. 6 R´esum´e WebRTC est une technologie r´ecente de communication qui permet d’´etablir des ´echanges multim´edia conversationnels directement entre navigateurs. Sa richesse et sa versatilit´e laissent pr´esager des opportunit´es in´edites en termes de services de communication in- novants. Nous nous int´eressons dans cette th`ese `ades locuteurs dans un ”Smart Space” (SS) d´efini comme un environnement centr´e-utilisateur instrument´epar un ensemble de capteurs et d’actionneurs connect´es. Nous analysons les capacit´es n´ecessaires pour per- mettre `aun participant d’une session WebRTC d’impliquer dans cette mˆeme session, les flux induits par les objets connect´es appartenant au SS d’un utilisateur quelconque de la session. L’acc`es `aun tel environnement, peut ˆetre soit passif via l’observation d’informations contextuelles fournies par les capteurs, soit actif par l’ex´ecution d’une commande d’un actionneur, soit une combinaison des deux. Cette approche rec`ele un gisement de nombreux nouveaux usages. Nous limitons notre analyse `aceux concer- nant l’exercice distant d’une expertise et d’un savoir-faire.
Load more

Recommended publications
  • Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux
    Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux To cite this version: Thomas Gerbet, Amrit Kumar, Cédric Lauradoux. Safe Browsing Services: to Track, Censor and Protect. [Research Report] RR-8686, INRIA. 2015. hal-01120186v1 HAL Id: hal-01120186 https://hal.inria.fr/hal-01120186v1 Submitted on 4 Mar 2015 (v1), last revised 8 Sep 2015 (v4) HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux RESEARCH REPORT N° 8686 February 2015 Project-Teams PRIVATICS ISSN 0249-6399 ISRN INRIA/RR--8686--FR+ENG Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux Project-Teams PRIVATICS Research Report n° 8686 — February 2015 — 25 pages Abstract: Users often inadvertently click malicious phishing or malware website links, and in doing so they sacrifice secret information and sometimes even fully compromise their devices. The purveyors of these sites are highly motivated and hence construct intelligently scripted URLs to remain inconspicuous over the Internet. In light of the ever increasing number of such URLs, new ingenious strategies have been invented to detect them and inform the end user when he is tempted to access such a link.
    [Show full text]
  • Security and Privacy for Outsourced Computations. Amrit Kumar
    Security and privacy for outsourced computations. Amrit Kumar To cite this version: Amrit Kumar. Security and privacy for outsourced computations.. Cryptography and Security [cs.CR]. Université Grenoble Alpes, 2016. English. NNT : 2016GREAM093. tel-01687732 HAL Id: tel-01687732 https://tel.archives-ouvertes.fr/tel-01687732 Submitted on 18 Jan 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THESE` Pour obtenir le grade de DOCTEUR DE L’UNIVERSITE´ DE GRENOBLE Specialit´ e´ : Informatique Arretˆ e´ ministerial´ : 7 aoutˆ 2006 Present´ ee´ par Amrit Kumar These` dirigee´ par Pascal Lafourcade et codirigee´ par Cedric´ Lauradoux prepar´ ee´ au sein d’Equipe´ Privatics, Inria, Grenoble-Rhoneˆ Alpes et de l’Ecole´ Doctorale MSTII Security and Privacy of Hash-Based Software Applications These` soutenue publiquement le 20 octobre, 2016, devant le jury compose´ de : Mr. Refik Molva Professeur, Eurecom, President´ Mr. Gildas Avoine Professeur, INSA Rennes, Rapporteur Mr. Sebastien´ Gambs Professeur, Universite´ du Quebec´ a` Montreal,´ Rapporteur Mr. Kasper B. Rasmussen Professeur associe,´ University of Oxford, Examinateur Ms. Reihaneh Safavi-Naini Professeur, University of Calgary, Examinatrice Mr. Pascal Lafourcade Maˆıtre de Conference,´ Universite´ d’Auvergne, Directeur de these` Mr.
    [Show full text]
  • Automating Interpretations of Trustworthiness Marc Sel Royal Holloway, University of London
    Automating interpretations of trustworthiness Submitted by Marc Sel for the degree of Doctor of Philosophy of Royal Holloway, University of London 2021 Declaration I, Marc Sel, hereby declare that this thesis and the work presented in it is entirely my own. Where I have consulted the work of others, this is always clearly stated. Signed . (Marc Sel) Date: 1 To Trijntje. 2 Abstract Digital services have a significant impact on the lives of many individuals and organisations. Trust influences decisions regarding potential service providers, and continues to do so once a service provider has been selected. It is common to refer to the entity that is trusting as the trustor, and to the entity that is trusted as the trustee. There is no globally accepted model to describe trust in the context of digital services, nor to evaluate the trustworthiness of entities. Trust is commonly used in the context of digital services, yet it is overloaded with meaning and difficult to interpret. This thesis presents a novel model to describe and evaluate an entity’s trustworthiness. The model is referred to as the trustworthy ecosystem model. It is based on four building blocks: a data model, a rulebook, trustworthiness evaluation functions and instance data. The data model is expressed in First Order Logic. Rulebooks, which consist of constraints that reflect a particular context for reasoning about trustworthiness, are described using predi- cates. The entity that is evaluating is referred to as the evaluator, and the entity that is evaluated is the evaluation subject. The evaluator corresponds to a potential trustor, and the evaluation subject to a potential trustee.
    [Show full text]
  • A Privacy Analysis of Google and Yandex Safe Browsing Thomas Gerbet, Amrit Kumar, Cédric Lauradoux
    A Privacy Analysis of Google and Yandex Safe Browsing Thomas Gerbet, Amrit Kumar, Cédric Lauradoux To cite this version: Thomas Gerbet, Amrit Kumar, Cédric Lauradoux. A Privacy Analysis of Google and Yandex Safe Browsing. [Research Report] RR-8686, INRIA. 2015. hal-01120186v3 HAL Id: hal-01120186 https://hal.inria.fr/hal-01120186v3 Submitted on 24 Apr 2015 (v3), last revised 8 Sep 2015 (v4) HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux RESEARCH REPORT N° 8686 February 2015 Project-Teams PRIVATICS ISSN 0249-6399 ISRN INRIA/RR--8686--FR+ENG Safe Browsing Services: to Track, Censor and Protect Thomas Gerbet, Amrit Kumar, Cédric Lauradoux Project-Teams PRIVATICS Research Report n° 8686 — February 2015 — 20 pages Abstract: Users often inadvertently click phishing or malware website links, and in doing so they sacrifice secret information and sometimes even fully compromise their devices. In light of the increasing number of such URLs, new strategies have been invented to detect them and prevent users from harm. At the forefront lies the Safe Browsing mechanism, which identifies unsafe URLs and notifies its users in real-time.
    [Show full text]
  • Entwicklung Eines Browser Plug-Ins Für Transparentes Surfen
    Diplomarbeit am Institut fur¨ Informatik der Freien Universit¨at Berlin, Arbeitsgruppe Software Engineering Entwicklung eines Browser Plug-ins fur¨ transparentes Surfen Tobias Fielitz Matrikelnummer: 3816539 t.fi[email protected] Erstgutachterin: Prof. Dr. Ina Schieferdecker Zweitgutachter: Dr.-Ing. Edzard H¨ofig Berlin, den 1. Oktober 2012 Zusammenfassung Beim Surfen im World Wide Web kommunizieren wir h¨aufig nicht nur mit der aufgerufenen Webseite, sondern auch mit Drittanbietern. Diese Drittanbieter haben die M¨oglichkeit Benutzerprofile uber¨ uns zu erstellen. Ziel dieser Arbeit ist die Entwicklung eines Prototyps eines Browser Plug-ins zur Visualisierung von Informationen uber¨ die Web- seite und beteiligte Drittanbieter. Dazu werden zun¨achst grundlegende Techniken des Internets erl¨autert, existierende Browsererweiterungen aus den Bereichen Transparenz, Sicherheit und Privatsph¨are vorgestellt und die technischen M¨oglichkeiten und sammelbaren Informationen der verschiedenen Browser (Chrome, Internet Explorer, Firefox, Opera, Sa- fari) verglichen. Anschließend wird die Entwicklung des Prototyps fur¨ Chrome beschrieben. Eigenst¨andigkeitserkl¨arung Ich versichere hiermit an Eides statt, dass diese Arbeit von niemand ande- rem als meiner Person verfasst worden ist. Alle verwendeten Hilfsmittel wie Berichte, Bucher,¨ Internetseiten oder ¨ahnliches sind im Literaturverzeichnis angegeben, Zitate aus fremden Arbeiten sind als solche kenntlich gemacht. Die Arbeit wurde bisher in gleicher oder ¨ahnlicher Form keiner anderen Prufungskommission¨ vorgelegt und auch nicht ver¨offentlicht. Berlin, den 1. Oktober 2012 Tobias Fielitz Danksagung Ich bedanke mich bei Prof. Ina Schieferdecker fur¨ Ihre Betreuung dieser Ar- beit. Ebenso bedanke ich mich bei Dr. Edzard H¨ofig fur¨ seine konstruktive Beratung und erfreuliche Betreuung. Ich bedanke mich bei meiner Familie, bei meinen Eltern fur¨ ihre lange Un- terstutzung¨ w¨ahrend meines Studiums und den fortw¨ahrenden Glauben an meine F¨ahigkeiten.
    [Show full text]
  • 4.4. Calculation of a Trust Score
    - Master’s thesis - CONSTRUCTION AND ANALYSIS OF TRUST GRAPHS USING HTTP TRACES Freie Universität Berlin Malvin Thiel Department of Mathematics and Computer Science Prof. Dr. Ina Schieferdecker Dr. Edzard Höfig © 2013 Abstract Users of the World Wide Web often aren’t aware of the masses of private data they are revealing while browsing the Web. For the visual- isation of privacy violations, a browser plug-in that enables transparent surfing has been developed by Tobias Fielitz, an associate at Freie Uni- versität Berlin. The possibilities that the data of this plug-in provides can be intensified by the collection of any plug-in data at a central place. Beside returning thus gain knowledge to single instances of the plug-in, whatsoever analysis are feasible using the obtained data set. The explo- ration of possible analyses is part of this thesis. The central data server is developed by using the Google Web Toolkit (GWT) whereas the data itself is stores as RDF triples using a Virtuoso server. HTTP traces collected by the transparency plug-in are sent to the data server using RESTful web services. Exemplary analyses are created to demonstrate the possibilities of the created trust graph. To enable simple adding and removal, analyses are constructed as modules inside an evaluation framework. One such analysis is the calculation of a trust score that’s integrated into the transparency plug-in using the REST web service. The trust score that is pictured by the transparency plug-in informs users about the privacy rating of websites while browsing them. Contrary to existing trust ratings, the trust score is calculated using objective pa- rameters only.
    [Show full text]
  • Bakalá Bakalářská Práce
    MASARYKOVA UNIVERZITA FAKULTA INFORMATIKY Analýza a testování softwarových produkt ů na úrovni prohlíže če pro řešení problematiky ochrany d ětí před nevhodným obsahem na Internetu BAKALÁ ŘSKÁ PRÁCE Radek Janá ček Brno, 2011 Prohlášení: Prohlašuji, že tato práce je mým p ůvodním autorským dílem, které jsem vypracoval samostatn ě. Všechny zdroje, prameny a literaturu, které jsem p ři vypracování používal nebo z nich čerpal, v práci řádn ě cituji s uvedením úplného odkazu na p říslušný zdroj. ......................................................... Pod ěkování: Děkuji panu prof. RNDr. Václavu Matyášovi, M.Sc., Ph.D. za cenné rady, ochotu a vedení práce. Shrnutí Cílem této bakalá řské práce je zmapování sou časné situace v oblasti ochrany d ětí p řed nevhodným obsahem na Internetu s d ůrazem na prohlíže če pro d ěti a addony do b ěžn ě používaných prohlíže čů . V teoretické části práce jsou vymezeny hranice problematiky a ilustrován sou časný stav situace. Následn ě jsou popsána teoretická východiska obecného i technického charakteru, jednotlivé filtra ční úrovn ě a metody filtra čních technik. V praktické části je z kategorie prohlíže čů pro d ěti i kategorie addon ů do b ěžn ě používaných prohlíže čů vybráno n ěkolik typických zástupc ů, kte ří jsou podrobeni d ůkladné analýze a test ům funk čnosti s d ůrazem na bezpe čnostní a filtra ční vlastnosti. Klí čová slova Bezpe čnost d ětí na Internetu, filtra ční software, prohlíže če pro d ěti, addony do b ěžn ě používaných prohlíže čů , strojové u čení, dolování znalostí z dat, metody rozpoznání obrazu. Obsah ÚVOD 1. VYMEZENÍ PROBLEMATIKY 1.1.
    [Show full text]
  • Can Crowd Wisdom Solve Regulatory Problems? Malte Ziewitz
    prepared for the 1st Berlin Symposium on Internet and Society October 26th – 28th 2011 Can Crowd Wisdom Solve Regulatory Problems? Conference Draft Malte Ziewitz [email protected] Can crowd wisdom solve regulatory problems? A review and some provocations Malte Ziewitz* Discussion paper for 1st Berlin Symposium on Internet & Society Draft version: 18 September 2011 I. Current thinking about crowd wisdom in regulation ........................................................ 3 a) Founding narratives of “crowd wisdom” ....................................................................... 4 b) Participation, knowledge and technology in regulation................................................. 7 c) Crowd wisdom and regulation....................................................................................... 8 d) Conclusion: A research field in construction................................................................ 11 II. Some exemplary applications ........................................................................................ 12 a) Peer To Patent ............................................................................................................ 12 b) The New Zealand Policing Act Wiki.............................................................................. 13 c) Web‐based patient feedback for the NHS.................................................................... 14 d) Web of Trust............................................................................................................... 15
    [Show full text]
  • Monitorování Uživatelů Zásuvnými Moduly Pro Internetové Prohlížeče
    Monitorování uživatelů zásuvnými moduly pro Internetové prohlížeče Filip Kotásek Bakalářská práce 2020 Prohlašuji, že • beru na vědomí, že odevzdáním bakalářské práce souhlasím se zveřejněním své práce podle zákona č. 111/1998 Sb. o vysokých školách a o změně a doplnění dalších zákonů (zákon o vysokých školách), ve znění pozdějších právních předpisů, bez ohledu na výsledek obhajoby; • beru na vědomí, že bakalářská práce bude uložena v elektronické podobě v univerzitním informačním systému dostupná k prezenčnímu nahlédnutí, že jeden výtisk diplomové/bakalářské práce bude uložen v příruční knihovně Fakulty aplikované informatiky Univerzity Tomáše Bati ve Zlíně a jeden výtisk bude uložen u vedoucího práce; • byl/a jsem seznámen/a s tím, že na moji bakalářskou práci se plně vztahuje zákon č. 121/2000 Sb. o právu autorském, o právech souvisejících s právem autorským a o změně některých zákonů (autorský zákon) ve znění pozdějších právních předpisů, zejm. § 35 odst. 3; • beru na vědomí, že podle § 60 odst. 1 autorského zákona má UTB ve Zlíně právo na uzavření licenční smlouvy o užití školního díla v rozsahu § 12 odst. 4 autorského zákona; • beru na vědomí, že podle § 60 odst. 2 a 3 autorského zákona mohu užít své dílo – diplomovou/bakalářskou práci nebo poskytnout licenci k jejímu využití jen připouští-li tak licenční smlouva uzavřená mezi mnou a Univerzitou Tomáše Bati ve Zlíně s tím, že vyrovnání případného přiměřeného příspěvku na úhradu nákladů, které byly Univerzitou Tomáše Bati ve Zlíně na vytvoření díla vynaloženy (až do jejich skutečné výše) bude rovněž předmětem této licenční smlouvy; • beru na vědomí, že pokud bylo k vypracování bakalářské práce využito softwaru poskytnutého Univerzitou Tomáše Bati ve Zlíně nebo jinými subjekty pouze ke studijním a výzkumným účelům (tedy pouze k nekomerčnímu využití), nelze výsledky bakalářské práce využít ke komerčním účelům; • beru na vědomí, že pokud je výstupem bakalářské práce jakýkoliv softwarový produkt, považují se za součást práce rovněž i zdrojové kódy, popř.
    [Show full text]
  • A Privacy Analysis of Google and Yandex Safe Browsing Thomas Gerbet, Amrit Kumar, Cédric Lauradoux
    A Privacy Analysis of Google and Yandex Safe Browsing Thomas Gerbet, Amrit Kumar, Cédric Lauradoux To cite this version: Thomas Gerbet, Amrit Kumar, Cédric Lauradoux. A Privacy Analysis of Google and Yandex Safe Browsing. [Research Report] RR-8686, INRIA. 2015. hal-01120186v4 HAL Id: hal-01120186 https://hal.inria.fr/hal-01120186v4 Submitted on 8 Sep 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. A Privacy Analysis of Google and Yandex Safe Browsing Thomas Gerbet, Amrit Kumar, Cédric Lauradoux RESEARCH REPORT N° 8686 February 2015 Project-Teams PRIVATICS ISSN 0249-6399 ISRN INRIA/RR–8686–FR+ENG A Privacy Analysis of Google and Yandex Safe Browsing Thomas Gerbet, Amrit Kumar, Cédric Lauradoux Project-Teams PRIVATICS Research Report n° 8686 — February 2015 — 24 pages Abstract: Google and Yandex Safe Browsing are popular services included in many web browsers to prevent users from visiting phishing or malware website links. If Safe Browsing services protect their users from losing private information, they also require that their servers receive browsing information on the very same users. In this paper, we present an analysis of Google and Yandex Safe Browsing services from a privacy perspective.
    [Show full text]
  • On the (In)Security of Google Safe Browsing
    On the (In)security of Google Safe Browsing Thomas Gerbet1, Amrit Kumar2, and C´edricLauradoux2 1 Universit´eJoseph Fourier, France [email protected] 2 INRIA, France famrit.kumar,[email protected] Abstract. Phishing and malware websites are still duping unwary tar- gets by infecting private computers or by committing cybercrimes. In order to safeguard users against these threats, Google provides the Safe Browsing service, which identifies unsafe websites and notifies users in real-time of any potential harm of visiting a URL. In this work, we study the Google Safe Browsing architecture through a security point of view. We propose several denial-of-service attacks that increase the traffic between Safe Browsing servers and their clients. Our attacks lever- age the false positive probability of the data structure deployed to store the blacklists on the client's side and the possibility for an adversary to generate (second) pre-images for a 32-bit digest. As a consequence of the attacks, an adversary is able to considerably increase the frequency with which the distant server is contacted and the amount of data sent by the servers to its clients. Keywords: Safe Browsing, Phishing, Malware, Hashing, Security 1 Introduction Internet users often become victims of phishing and malware attacks, where dangerously convincing websites either attempt to steal personal information or install harmful piece of software. Phishing and web-based malwares have become popular among attackers to a large degree since it has become easier to setup and deploy websites, and inject malicious code through JavaScript and iFrames. In order to safeguard users from these malicious URLs, Google has put in place a service-oriented architecture called Safe Browsing [11] at the HTTP pro- tocol level.
    [Show full text]
  • A Privacy Analysis of Google and Yandex Safe Browsing
    A Privacy Analysis of Google and Yandex Safe Browsing Thomas Gerbet Amrit Kumar, Cedric´ Lauradoux Universite´ Joseph Fourier, France INRIA, France e-mail: [email protected] e-mail: famrit.kumar, [email protected] Abstract—GOOGLE and YANDEX Safe Browsing are popular GOOGLE reiterates this statement in a document concerning services included in many web browsers to prevent users from the GSB usage in Mozilla Firefox [4]. These guarantees have visiting phishing or malware websites. If these services protect allowed GSB to be massively used by the end users and even their users from losing private information, they also require by other web service providers. that their servers receive browsing information on the very same users. In this paper, we analyze GOOGLE and YANDEX Safe Apart from these statements, there is no other privacy Browsing services from a privacy perspective. We quantify the analysis of GSB. Our goal is to provide an independent privacy privacy provided by these services by analyzing the possibility analysis of GSB and its sibling YSB. To this end, we first mo- of re-identifying URLs visited by a client. We thereby challenge tivate our work in Section II and then provide a comprehensive GOOGLE’s privacy policy which claims that GOOGLE cannot description of GSB and YSB in Section III and in Section IV recover URLs visited by its users. Our analysis and experimental respectively. In Section V, we present a threat model for results show that GOOGLE and YANDEX Safe Browsing can potentially be used as a tool to track specific classes of individuals.
    [Show full text]