Paper Summary Encore: Lightweight Measurement of Web Censorship with Cross- Origin Requests

Transcript

1. Paper Summary
 Encore: Lightweight Measurement of Web Censorship with Cross-

   Origin Requests Hirotaka Nakajima
 Keio University 1

2. Summary • Encore: Lightweight Measurement of Web Censorship with Cross-Origin

   Requests • Sam Burnett (Georgia Tech), Nick Feamster (Princeton) • http://conferences.sigcomm.org/sigcomm/2015/ pdf/papers/p653.pdf • SIGCOMM 2015, Security, Privacy and Censorship session 2

3. Summary of research • The authors proposed the lightweight measurement

   method (Encore) for detecting Web censorship(filter). • Encore utilizes Cross-Origin Request(s) to measure the existence of Web filter. • Encore shifts the deployment burden from users to webmaster since previous works require user participation such as installing custom software. • The authors also pointed out that the importance of the broad discussions about ethical concerns on further Internet measurement research which may harm unsuspecting users. 3

4. What is Internet censorship? Censored net Uncensored net Server Firewall

   Client Block or Manipulate Traffic Censor blocked.com DNS Server 4

5. Threat model DNS lookup TCP handshake HTTP GET HTTP response

   DNS block or redirect IP block HTTP block Block page Entire domains or services Individual URLs 5

6. Cross-Origin request • Web browsers are allowed to fetch resources

   from origin. • Origin is a tuple. (scheme, hostname, port)
 e.g.) https://example.com (https, example.com, 443) • Browsers prevent reading data across origins. • Ajax(XMLHttpRequest) • iframe • Cookies • But exceptions • Embed resources (img, stylesheet, JavaScript) • e.g. Images embed with <img> tag trigger an onload event once the browser successfully retrieves and renders the image. 6

7. Information leakage with img, iframe tags <img src="//censored.com/favicon.ico" style="display: none"

   onload="submitSuccess()" onerror="submitFailure()"/> <iframe src=”http://foo.com/bar.htm”> ... <img src=”http://foo.com/cached.png” onload=”recordLoadTime()”/> Using iframe, Encore can check the individual URL 
 since cached.png should be cached when User-Agent 
 were able to access the bar.html. 7

8. Other methods <link rel=”stylesheet”/> window.getComputedStyle() <script src=”http://foo.com/notascript” onload=”recordSuccess()”> <iframe src=”http://foo.com”

   onload=”recordLoadTime()”> Mechanism Summary Limitations Images Render an image. Browser fires onload if successful. Only small images (e.g.,  1 KB). Style sheets Load a style sheet and test its effects. Only non-empty style sheets. Inline frames Load a Web page in an iframe, then load an image embed- ded on that page. Cached images render quickly, implying the page was not filtered. Only pages with cacheable images. Only small pages (e.g.,  100 KB). Only pages without side effects. Scripts Load and evaluate a resource as a script. Chrome fires onload iff it fetched the resource with HTTP 200 status. Only with Chrome. Only with strict MIME type checking. Table 1: Measurement tasks use several mechanisms to discover whether Web resources are filtered. We empirically evaluate parameters for images and inline frames in Section 6. 8

9. Goals of Encore • Encore utilizes Cross-Origin requests to check

   whether; • the domain is blocked • the individual URL is blocked • Users don’t need to install the software. • But needs a coordination with Webmaster. • Due to restriction of Cross-Origin request from security reasons, • Encore can’t observe the details of each censorship mechanism. Encore only can obtain binary feedback. 9

10. System architecture Load a Web page in an iframe, then

    load an image embed- ded on that page. Cached images render quickly, implying the page was not filtered. Only pages with cacheable images. Only small pages (e.g.,  100 KB). Only pages without side effects. Load and evaluate a resource as a script. Chrome fires onload iff it fetched the resource with HTTP 200 status. Only with Chrome. Only with strict MIME type checking. asks use several mechanisms to discover whether Web resources are filtered. We empirically evaluate parameters for s in Section 6. enced objects and rendering everything. be very careful in selecting pages to imply too expensive or open too many Section 5 discusses the infrastructure we use to decide whether a Web page is chanisms for testing Web filtering of mitations of each mechanism: page can include any other Web page iframe tag, even across origins. How- trict communication barriers between embedding page for security, and pro- cation about whether an inline frame fers whether the resource loaded suc- g timing. It first attempts to load the , after that iframe finishes load,the task kes to download and render an image n that page. If rendering this image is few milliseconds) we assume that the m the previous fetch and therefore the ssfully. This approach only works with cts that will be cached by the browser ave been cached from a prior visit to or example, common images like the p” icon appear on many pages and may e even if the iframe failed to load. This Client HTTP GET /foo.html HTTP GET /task.js HTTP GET /favicon.ico HTTP GET /submit?result=failure ⋯ <script src="//coordinator/task.js"> ⋯ ⋯ <img src="//censored.com/favicon.ico"/> ⋯ Collection server 4 example.com Origin server 1 Coordination server 2 censored.com Target 3 Figure 2: An example of observing Web filtering with Encore. The origin Web page includes Encore’s measurement script, which the coordinator decides should test filtering of censored.com by attempting to fetch an image. The request for this image fails so the client notifies the collection server. prohibit execution of scripts with an invalid MIME type [2]. Other browsers are not so forgiving, so we use this task type on Chrome only. This technique is convenient, but it raises security concerns because other browsers may attempt to exe- cute the fetched object as JavaScript. Section 5 describes how we make this decision. • To check the domain is blocked or not. • Use image or stylesheet
 • To check the individual URL • Use iframe • But costly. 10

11. Generating measurement tasks • Generating measurement tasks takes 3 steps

    1. Collecting candidate measurement URL(s) from pre- defined targeted URL(s). 2. Extracting that candidate URL by accessing from unfiltered network. 3. Determining the actual measurement URL from extracted web content. Measurement target list ( § 5.1) Pattern Expander Target Fetcher Task Generator Task scheduling ( § 5.3) Patterns URLs HARs Tasks Figure 3: Encore transforms a list of URL patterns to a set of measurement tasks in three steps. A URL pattern denotes a set of URL (e.g., all URLs on a domain). A HAR is an HTTP Archive [22]. ample, a single client in Pakistan could report failure to access origins, with good reason; only a few niche ad networks are 11

12. Are sites amenable to Encore? • Generate the Tasks from

    “high value” URLs (likely filtered). • 178 of 200 sites were online (Feb 2014) • 6,548 URLs generated by Pattern Expander 12

13. Filtering of entire domains • Use either images or stylesheets

    to observe Web filtering. • Evaluation just considers images. • 70% of web sites hosts at least one image. • Over 60% of domains host images that could be delivered to clients inside a single packet, and a third of domains have hundreds of such images to choose from. 0 500 1000 1500 2000 Number of images per domain 0.0 0.2 0.4 0.6 0.8 1.0 CDF  1 KB  5 KB all Figure 4: Distribution of the number of images hosted by each of Figure 5: Distribution of page sizes, comput 13

14. Filtering of specific Web pages • Loading Web page in

    an iframe and verifying that browser cached the embed resources from that page. • Evaluation considers; • Network overhead • Page sizes are distributed relatively evenly between 0–2 MB with a very long tail. • Prototype only permits measurement tasks smaller than 100KB. • Embed cacheable images • Nearly 70% of pages embed at least one cacheable image and half of pages cache five or more images. • Only 30% of pages that are at most 100 KB embed at least one cacheable image • Significantly more difficult than detecting the filtering of entire domains Figure 4: Distribution of the number of images hosted by each of the 178 domains tested, for images that are at most 1 KB, at most 5 KB, and any size. Over 60% of domains host images that could be delivered to clients inside a single packet, and a third of domains have hundreds of such images to choose from. we generated as described above. Recall from Section 4.3 that we can use either images or style sheets to observe Web filtering of an entire domain; for simplicity, this analysis only considers images, although style sheets work similarly. We can measure a domain using this technique if (1) it contains images that can be embedded by an origin site and (2) those images are small enough not to significantly affect user ex- perience. We explore both of these requirements for the 178 domains in our list. Because our implementation expands URL patterns using the top 50 search results for that pattern, we will be analyzing a sample of at most 50 URLs per do- main. Most of these domains have more than 50 pages, so our results are a lower bound of the amenability of Encore to collect censorship measurements from each domain. Figure 4 plots the distribution of the number of images that each domain hosts. 70% of domains embed at least one image, and almost all such images are less than 5 KB. Nearly as many domains embed images that fit within a single packet, and a third of domains have hundreds of such images. Even if 0 500 1000 1500 2000 Total page size (KB) 0.0 0.2 0.4 0.6 0.8 1.0 CDF Figure 5: Distribution of page sizes, computed as the sum of sizes of all objects loaded by a page. This indicates the network overhead each page would incur if a measurement task loaded it in a hidden iframe. Over half of pages load at least half a megabyte of objects. Figure 6: Distribution of the number of cacheable images loaded by pages that require at most 100 KB of traffic to load, pages that incur at most 500 KB of traffic, and all pages. Perhaps unsurprisingly, smaller pages contain fewer (cacheable) images. Over 70% of all pages cache at least one image and half of all pages cache five or more images; these numbers drop considerably when excluding pages greater than 100 KB. 100 KB, although future implementations might tune this bound to a client’s performance and preferences. We then evaluate whether these sites embed content that Figure 4: Distribution of the number of images hosted by each of the 178 domains tested, for images that are at most 1 KB, at most 5 KB, and any size. Over 60% of domains host images that could be delivered to clients inside a single packet, and a third of domains have hundreds of such images to choose from. we generated as described above. Recall from Section 4.3 that we can use either images or style sheets to observe Web filtering of an entire domain; for simplicity, this analysis only considers images, although style sheets work similarly. We can measure a domain using this technique if (1) it contains images that can be embedded by an origin site and (2) those images are small enough not to significantly affect user ex- perience. We explore both of these requirements for the 178 domains in our list. Because our implementation expands URL patterns using the top 50 search results for that pattern, we will be analyzing a sample of at most 50 URLs per do- main. Most of these domains have more than 50 pages, so our results are a lower bound of the amenability of Encore to collect censorship measurements from each domain. Figure 4 plots the distribution of the number of images that each domain hosts. 70% of domains embed at least one image, and almost all such images are less than 5 KB. Nearly as many domains embed images that fit within a single packet, and a third of domains have hundreds of such images. Even if we conservatively restrict measurement tasks to load images less than 1 KB, Encore can measure Web filtering of over half of the domains. Filtering of specific Web pages. We explore how often En- core can measure filtering of individual URLs by loading a Web page in an iframe and verifying that the browser cached embedded resources from that page. We can use this mech- anism to measure filtering of pages that (1) do not incur too much network overhead when loading in a hidden iframe and (2) embed cacheable images. We first study the expected network overhead from loading sites in an iframe. Figure 5 plots the distribution of page sizes for each URL, where the page size is the sum of sizes of all resources a page loads and is a rough lower bound on the net- work overhead that would be incurred by loading each page Figure 5: Distribution of page sizes, computed as the sum of sizes of all objects loaded by a page. This indicates the network overhead each page would incur if a measurement task loaded it in a hidden iframe. Over half of pages load at least half a megabyte of objects. 0 10 20 30 40 50 Cacheable images per page 0.0 0.2 0.4 0.6 0.8 1.0 CDF  100 KB  500 KB all Figure 6: Distribution of the number of cacheable images loaded by pages that require at most 100 KB of traffic to load, pages that incur at most 500 KB of traffic, and all pages. Perhaps unsurprisingly, smaller pages contain fewer (cacheable) images. Over 70% of all pages cache at least one image and half of all pages cache five or more images; these numbers drop considerably when excluding pages greater than 100 KB. 100 KB, although future implementations might tune this bound to a client’s performance and preferences. We then evaluate whether these sites embed content that can be retrieved with cross-origin requests. Figure 6 shows the distribution of the number of cacheable images per URL for pages that are at most 100 KB, at most 500 KB, and any size. Nearly 70% of pages embed at least one cacheable image and half of pages cache five or more images, but these numbers drop significantly when restricting page sizes. Only 30% of pages that are at most 100 KB embed at least one cacheable image. Encore can measure filtering of upwards of 50% of do- mains depending on the sizes of images, but fewer than 10% of URLs when we limit pages to 100 KB. This finding sup- ports our earlier observation in Section 4.3 that detecting the filtering of individual Web resources may be significantly more difficult than detecting the filtering of entire domains. 6.2 Who performs Encore measurements? 14

15. Pilot experiment • The authors deployed Encore on the home

    page of a professor in February 2014. • 1,171 visits • 10 users from 10 other countries, and 16% of visitors reside in countries with well-known Web filtering policies • Of these visitors, 999 attempted to run a measurement task. • 45% of visitors remained on the page for longer than 10 seconds, which is more than sufficient time to execute at least one measurement task and report its results. 15

16. Measurement • Conducted 7 months of measurement from May 2014

    to Jan 2015. • at least 17 web sites were participated. • 141,626 measurements • from 88,260 distinct IPs in 170 countries • > 1,000 measurements 
 from China, India, the United Kingdom, and Brazil • > 100 measurements 
 from Egypt, South Korea, Iran, Pakistan, Turkey, and Saudi Arabia 16

17. Measurement [cont.] • Prior to measurement, the authors built a

    Web censorship testbed ( 7 varieties of DNS, IP, and HTTP filtering) • Image, style sheet, and script task types • 8,573 measurements • No true positives and few false positives. • Inline frame task type • Cached images normally load within a few tens of milliseconds. • Uncached same images load at least 50 ms longer. • However few clients with little difference between cached and uncached load time. 17 Uncached Cached Difference 0 200 400 600 800 1000 1200 Time (ms) Figure 7: Comparison between load times for cached and uncached images from 1,099 Encore clients. Cached images typically load within tens of milliseconds, whereas uncached usually take at least 50 ms longer to load, indicated by the bold red line. We use this difference to infer filtering. uncached. The few clients with little difference between cached and uncached load time were located on the same local network as the server. Difference in load time will be more pronounced for larger images and with greater latency between clients and content. In both cases, false positives highlight (1) that distinguish- ing Web filtering from other kinds of network problems is

18. Measurement [cont.] • Use 70% of clients to test on

    real environment. • Measured Facebook,YouTube and Twitter • routinely connected via cross-origin requests. Less harmful. • Clients should successfully load resources at least 70% of the time in the absence of filtering. • One-sided hypothesis test • Pr[Binomial(nr , p) ≤ xr ] ≤ 0.05 • nr : number of measurement • xr : number of successful measurement • Confirmed well-known censorships: • youtube.com in Pakistan, Iran and China • twitter.com and facebook.com in China and Iran

19. Ethics: 
 Which resources are safe to measure? • Encore

    may induce clients to request URL(s) that might be incriminating in some countries or circumstances. • Balance of targeted URL • Facebook vs human rights group Web site • Benefits • Encore provides diversity of vantage points that was previously prohibitively expensive to obtain and coordinate. • Risks • Laws against accessing filtered content varies across the countries. • Unenforceable that preventing Web site to requesting cross-orang resources without consent. • No ground truth about the legal and safety risks posed by collecting network measurements 19

20. Ethics: 
 Is this a human subject research? Date Event

    February 2014 and prior Informal discussions with Georgia Tech IRB conclude that Encore (and similar work) is not human subjects research and does not merit formal IRB review. March 13, 2014 – March 24, 2014 Encore begins collecting measurements from real users using a list of over 300 URLs. We’re unsure of the exact date when collection began because of data loss. March 18, 2014 We begin discussing Encore’s ethics with a researcher at the Oxford Internet Institute. April 2, 2014 To combat data sparsity, we configure Encore to only measure favicons [43]. The URLs we removed were a subset of those we crawled from § 5.2. May 5, 2014 Out of ethical concern, we restrict Encore to measure favicons on only a few sites. May 7, 2014 Submission to IMC 2014, which includes results derived from our March 13 URL list. September 17, 2014 Georgia Tech IRB officially declines to review Encore. We requested this review in response to skeptical feedback from IMC. September 25, 2014 Submission to NSDI 2015, using our URL list on April 2. January 30, 2015 Submission to SIGCOMM 2015, using our URL list on May 5. February 6, 2015 Princeton IRB reaffirms that Encore is not human subjects research. We sought this re- view at the request of the SIGCOMM PC chairs after Nick Feamster moved to Princeton. Table 2: Timeline of Encore measurement collection, ethics discussions, and paper submissions. As our understanding of Encore’s ethical implications evolved, we increasingly restricted the set of measurements we collect and report. See http://encore.noise.gatech. edu/urls.html for information on how the set of URLs that Encore measures has evolved over time. in the set of measurements we report on in this paper. The Institutional Review Boards (IRBs) at both Georgia Tech and Princeton declined to formally review Encore because it does not collect or analyze Personally Identifiable Information (PII) and is not human subjects research [9]. Yet, Encore is clearly capable of exposing its users to some level of risk. of alternative means of measuring censorship, or low-risk deployment modes. Encore underscores the need for stricter cross-origin se- curity policy [45]. Our work exploits existing weaknesses, and if these policies could endanger users then strengthening those policies is clearly a problem worthy of further research. 20

21. Ethics: 
 Why not informed consent? • Informed consent; •

    Apprising a user about nuanced technical concepts • The authors pointed out that • Dramatically reduce the scale and scope of measurements. • Relegating the authors to the already extremely dangerous status quo of activists and researchers who put themselves into harm’s way to study censorship. • Also concluded that • Informed consent does not ever decrease risk to users; it only alleviates researchers from some responsibility for that risk • The prevalence of malware and third-party trackers itself lends credibility to the argument that a user cannot reasonably control the traffic that their devices send. 21