-
Free Proxies Unmasked: A Vulnerability and Longitudinal Analysis of Free Proxy Services
Authors:
Naif Mehanna,
Walter Rudametkin,
Pierre Laperdrix,
Antoine Vastel
Abstract:
Free-proxies have been widespread since the early days of the Web, helping users bypass geo-blocked content and conceal their IP addresses. Various proxy providers promise faster Internet or increased privacy while advertising their lists comprised of hundreds of readily available free proxies. However, while paid proxy services advertise the support of encrypted connections and high stability, fr…
▽ More
Free-proxies have been widespread since the early days of the Web, helping users bypass geo-blocked content and conceal their IP addresses. Various proxy providers promise faster Internet or increased privacy while advertising their lists comprised of hundreds of readily available free proxies. However, while paid proxy services advertise the support of encrypted connections and high stability, free proxies often lack such guarantees, making them prone to malicious activities such as eavesdropping or modifying content. Furthermore, there is a market that encourages exploiting devices to install proxies.
In this paper, we present a 30-month longitudinal study analyzing the stability, security, and potential manipulation of free web proxies that we collected from 11 providers. Our collection resulted in over 640,600 proxies, that we cumulatively tested daily. We find that only 34.5% of proxies were active at least once during our tests, showcasing the general instability of free proxies. Geographically, a majority of proxies originate from the US and China. Leveraging the Shodan search engine, we identified 4,452 distinct vulnerabilities on the proxies' IP addresses, including 1,755 vulnerabilities that allow unauthorized remote code execution and 2,036 that enable privilege escalation on the host device. Through the software analysis on the proxies' IP addresses, we find that 42,206 of them appear to run on MikroTik routers. Worryingly, we also discovered 16,923 proxies that manipulate content, indicating potential malicious intent by proxy owners. Ultimately, our research reveals that the use of free web proxies poses significant risks to users' privacy and security. The instability, vulnerabilities, and potential for malicious actions uncovered in our analysis lead us to strongly caution users against relying on free proxies.
△ Less
Submitted 4 March, 2024;
originally announced March 2024.
-
A critical review of mobile device-to-device communication
Authors:
Lauric Desauw,
Adrien Luxey-Bitri,
Rémy Raes,
Romain Rouvoy,
Olivier Ruas,
Walter Rudametkin
Abstract:
Since the advent of mobile devices, both end-users and the IT industry have been longing for direct device-to-device (D2D) communication capabilities, expecting new kinds of interactive, personalized, and collaborative services. Fifteen years later, many D2D solutions have been implemented and deployed, but their availability and functionality are underwhelming. Arguably, the most widely-adopted D…
▽ More
Since the advent of mobile devices, both end-users and the IT industry have been longing for direct device-to-device (D2D) communication capabilities, expecting new kinds of interactive, personalized, and collaborative services. Fifteen years later, many D2D solutions have been implemented and deployed, but their availability and functionality are underwhelming. Arguably, the most widely-adopted D2D use case covers the pairing of accessories with smartphones; however, many other use cases-such as mobile media sharing-did not progress. Pervasive computing and cyber-physical convergence need local communication paradigms to scale. For inherently local use cases, they are even more appealing than ever: eschewing third-parties simultaneously fosters environmental sustainability, privacy and network resiliency. This paper proposes a survey on D2D communication, investigates its deployment and adoption, with the objective of easing the creation and adoption of modern D2D frameworks. We present the results of an online poll that estimates end-users' utilisation of D2D processes, and review enabling technologies and security models.
△ Less
Submitted 21 September, 2023;
originally announced September 2023.
-
Caught in the Game: On the History and Evolution of Web Browser Gaming
Authors:
Naif Mehanna,
Walter Rudametkin
Abstract:
Web browsers have come a long way since their inception, evolving from a simple means of displaying text documents over the network to complex software stacks with advanced graphics and network capabilities. As personal computers grew in popularity, developers jumped at the opportunity to deploy cross-platform games with centralized management and a low barrier to entry. Simply going to the right…
▽ More
Web browsers have come a long way since their inception, evolving from a simple means of displaying text documents over the network to complex software stacks with advanced graphics and network capabilities. As personal computers grew in popularity, developers jumped at the opportunity to deploy cross-platform games with centralized management and a low barrier to entry. Simply going to the right address is now enough to start a game. From text-based to GPU-powered 3D games, browser gaming has evolved to become a strong alternative to traditional console and mobile-based gaming, targeting both casual and advanced gamers. Browser technology has also evolved to accommodate more demanding applications, sometimes even supplanting functions typically left to the operating system. Today, websites display rich, computationally intensive, hardware-accelerated graphics, allowing developers to build ever-more impressive applications and games.In this paper, we present the evolution of browser gaming and the technologies that enabled it, from the release of the first text-based games in the early 1990s to current open-world and game-engine-powered browser games. We discuss the societal impact of browser gaming and how it has allowed a new target audience to accessdigital gaming. Finally, we review the potential future evolution ofthe browser gaming industry.
△ Less
Submitted 28 April, 2023;
originally announced April 2023.
-
DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting
Authors:
Tomer Laor,
Naif Mehanna,
Antonin Durey,
Vitaly Dyadyuk,
Pierre Laperdrix,
Clémentine Maurice,
Yossi Oren,
Romain Rouvoy,
Walter Rudametkin,
Yuval Yarom
Abstract:
Browser fingerprinting aims to identify users or their devices, through scripts that execute in the users' browser and collect information on software or hardware characteristics. It is used to track users or as an additional means of identification to improve security. In this paper, we report on a new technique that can significantly extend the tracking time of fingerprint-based tracking methods…
▽ More
Browser fingerprinting aims to identify users or their devices, through scripts that execute in the users' browser and collect information on software or hardware characteristics. It is used to track users or as an additional means of identification to improve security. In this paper, we report on a new technique that can significantly extend the tracking time of fingerprint-based tracking methods. Our technique, which we call DrawnApart, is a new GPU fingerprinting technique that identifies a device based on the unique properties of its GPU stack. Specifically, we show that variations in speed among the multiple execution units that comprise a GPU can serve as a reliable and robust device signature, which can be collected using unprivileged JavaScript. We investigate the accuracy of DrawnApart under two scenarios. In the first scenario, our controlled experiments confirm that the technique is effective in distinguishing devices with similar hardware and software configurations, even when they are considered identical by current state-of-the-art fingerprinting algorithms. In the second scenario, we integrate a one-shot learning version of our technique into a state-of-the-art browser fingerprint tracking algorithm. We verify our technique through a large-scale experiment involving data collected from over 2,500 crowd-sourced devices over a period of several months and show it provides a boost of up to 67% to the median tracking duration, compared to the state-of-the-art method. DrawnApart makes two contributions to the state of the art in browser fingerprinting. On the conceptual front, it is the first work that explores the manufacturing differences between identical GPUs and the first to exploit these differences in a privacy context. On the practical front, it demonstrates a robust technique for distinguishing between machines with identical hardware and software configurations.
△ Less
Submitted 24 January, 2022;
originally announced January 2022.
-
An iterative technique to identify browser fingerprinting scripts
Authors:
Antonin Durey,
Pierre Laperdrix,
Walter Rudametkin,
Romain Rouvoy
Abstract:
Browser fingerprinting is a stateless identification technique based on browser properties. Together, they form an identifier that can be collected without users' notice and has been studied to be unique and stable. As this technique relies on browser properties that serve legitimate purposes, the detection of this technique is challenging. While several studies propose classification techniques,…
▽ More
Browser fingerprinting is a stateless identification technique based on browser properties. Together, they form an identifier that can be collected without users' notice and has been studied to be unique and stable. As this technique relies on browser properties that serve legitimate purposes, the detection of this technique is challenging. While several studies propose classification techniques, none of these are publicly available, making them difficult to reproduce. This paper proposes a new browser fingerprinting detection technique. Based on an incremental process, it relies on both automatic and manual decisions to be both reliable and fast. The automatic step matches API calls similarities between scripts while the manual step is required to classify a script with different calls. We publicly share our algorithm and implementation to improve the general knowledge on the subject.
△ Less
Submitted 28 February, 2021;
originally announced March 2021.
-
Actions speak louder than words: Semi-supervised learning for browser fingerprinting detection
Authors:
Sarah Bird,
Vikas Mishra,
Steven Englehardt,
Rob Willoughby,
David Zeber,
Walter Rudametkin,
Martin Lopatka
Abstract:
As online tracking continues to grow, existing anti-tracking and fingerprinting detection techniques that require significant manual input must be augmented. Heuristic approaches to fingerprinting detection are precise but must be carefully curated. Supervised machine learning techniques proposed for detecting tracking require manually generated label-sets. Seeking to overcome these challenges, we…
▽ More
As online tracking continues to grow, existing anti-tracking and fingerprinting detection techniques that require significant manual input must be augmented. Heuristic approaches to fingerprinting detection are precise but must be carefully curated. Supervised machine learning techniques proposed for detecting tracking require manually generated label-sets. Seeking to overcome these challenges, we present a semi-supervised machine learning approach for detecting fingerprinting scripts. Our approach is based on the core insight that fingerprinting scripts have similar patterns of API access when generating their fingerprints, even though their access patterns may not match exactly. Using this insight, we group scripts by their JavaScript (JS) execution traces and apply a semi-supervised approach to detect new fingerprinting scripts. We detail our methodology and demonstrate its ability to identify the majority of scripts ($\geqslant$94.9%) identified by existing heuristic techniques. We also show that the approach expands beyond detecting known scripts by surfacing candidate scripts that are likely to include fingerprinting. Through an analysis of these candidate scripts we discovered fingerprinting scripts that were missed by heuristics and for which there are no heuristics. In particular, we identified over one hundred device-class fingerprinting scripts present on hundreds of domains. To the best of our knowledge, this is the first time device-class fingerprinting has been measured in the wild. These successes illustrate the power of a sparse vector representation and semi-supervised learning to complement and extend existing tracking detection techniques.
△ Less
Submitted 9 March, 2020;
originally announced March 2020.
-
An Approach and Benchmark to Detect Behavioral Changes of Commits in Continuous Integration
Authors:
Benjamin Danglot,
Martin Monperrus,
Walter Rudametkin,
Benoit Baudry
Abstract:
When a developer pushes a change to an application's codebase, a good practice is to have a test case specifying this behavioral change. Thanks to continuous integration (CI), the test is run on subsequent commits to check that they do no introduce a regression for that behavior. In this paper, we propose an approach that detects behavioral changes in commits. As input, it takes a program, its tes…
▽ More
When a developer pushes a change to an application's codebase, a good practice is to have a test case specifying this behavioral change. Thanks to continuous integration (CI), the test is run on subsequent commits to check that they do no introduce a regression for that behavior. In this paper, we propose an approach that detects behavioral changes in commits. As input, it takes a program, its test suite, and a commit. Its output is a set of test methods that capture the behavioral difference between the pre-commit and post-commit versions of the program. We call our approach DCI (Detecting behavioral changes in CI). It works by generating variations of the existing test cases through (i) assertion amplification and (ii) a search-based exploration of the input space. We evaluate our approach on a curated set of 60 commits from 6 open source Java projects. To our knowledge, this is the first ever curated dataset of real-world behavioral changes. Our evaluation shows that DCI is able to generate test methods that detect behavioral changes. Our approach is fully automated and can be integrated into current development processes. The main limitations are that it targets unit tests and works on a relatively small fraction of commits. More specifically, DCI works on commits that have a unit test that already executes the modified code. In practice, from our benchmark projects, we found 15.29% of commits to meet the conditions required by DCI.
△ Less
Submitted 16 December, 2019; v1 submitted 22 February, 2019;
originally announced February 2019.