黑猫警长 stl

by Konark Modi

通过Konark Modi

如何使用当地警长保护您的信息 (How to protect your information with Local Sheriff)

看着他们看着我们 (Watching them watching us)

什么是TellTale URL？ (What is a TellTale URL ?)

A URL is the most commonly tracked piece of information. The innocent choice to structure a URL based on page content can make it easier to learn a users’ browsing history, address, health information or more sensitive details. They contain sensitive information or can lead to a page which contains sensitive information.

URL是最常跟踪的信息。基于页面内容来结构化URL的合理选择可以使您更轻松地了解用户的浏览历史记录，地址，健康信息或更敏感的细节。它们包含敏感信息，或可能导致包含敏感信息的页面。

We call such URLs as TellTaleURLs.

我们称这类URL为TellTaleURLs。

Let’s take a look at some examples of such URLs.

让我们看一下此类URL的一些示例。

范例1： (EXAMPLE #1:)

Website: donate.mozilla.org (Fixed)

网站： donate.mozilla.org(已修复)

After you have finished the payment process on donate.mozilla.org, you are redirected to a “thank you” page. If you look carefully at the URL shown in the below screenshot, it contains some private information like email, country, amount, payment method.

在donate.mozilla.org上完成付款过程后，您将被重定向到“谢谢”页面。如果您仔细查看以下屏幕快照中显示的URL，它包含一些私人信息，例如电子邮件，国家/地区，金额，付款方式。

Now because this page loads some resources from third-parties and the URL is not sanitised, the same information is also shared with those third-parties via referrer and as a value inside payload sent to the third-parties.

现在，由于此页面从第三方加载了一些资源，并且URL没有被清除，因此相同的信息也通过引荐来源网址与这些第三方共享，并作为有效负载中的值发送给第三方。

In this particular case, there were 7 third-parties with whom this information was shared.

在此特定情况下，与7个第三方共享了此信息。

Mozilla was prompt to fix these issues, more details can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1516699

Mozilla被提示修复这些问题，更多详细信息可以在这里找到： https : //bugzilla.mozilla.org/show_bug.cgi?id=1516699

范例2： (EXAMPLE 2:)

Website: trainline.eu, JustFly.com (Last checked: Aug’18)

网站：trainline.eu， JustFly.com(最后检查时间：18年8月)

Once you finish a purchase like train tickets / flight tickets, you receive an email which has a link to manage your booking. Most of the time, when you click on the link, you are shown the booking details - without having to enter any more details like booking code, username/password.

完成火车票/飞机票之类的购买后，您会收到一封电子邮件，其中包含一个链接来管理您的预订。在大多数情况下，单击链接时，会看到预订详细信息-无需输入其他详细信息，例如预订代码，用户名/密码。

This means that the URL itself contains some token which is unique to the user and provides access to the users’ booking.

这意味着URL本身包含一些用户唯一的令牌，并提供对用户预订的访问。

It so happens that these URLs are also shared with third-parties, giving these third-parties highly sensitive data and access to your bookings.

碰巧这些URL也与第三方共享，从而使这些第三方具有高度敏感的数据并可以访问您的预订。

范例3： (EXAMPLE 3:)

Website: foodora.de, grubhub.com (Last checked: Aug’18)

网址： foodora.de，grubhub.com(最后检查时间：18年8月)

One of the pre-requisites to order food online is entering the address where you want the food to be delivered.

在线订购食物的先决条件之一是输入您要运送食物的地址。

Some popular food delivery websites, convert the address to fine latitude-longitude values and add them to the URL.

一些流行的外卖网站，将地址转换为精细的经度值并将其添加到URL。

The URL is also shared with third-parties, potentially leaking where the user lives.

该URL还与第三方共享，可能会泄漏用户的住所。

To be clear, it’s not just these websites that suffer from such leaks. This problem exists everywhere - it’s a default situation, not a rarity. We’ve seen it with Lufthansa, Spotify, Flixbus, Emirates, and even with medical providers.

需要明确的是，遭受此类漏洞的不仅是这些网站。这个问题无处不在-这是默认情况，而不是稀有情况。我们已经在汉莎航空，Spotify，Flixbus，阿联酋航空甚至医疗提供商那里看到了它。

TellTale URL的风险： (Risks of TellTale URLs:)

Websites are carelessly leaking sensitive information to plethora of third-parties.网站不小心将敏感信息泄漏给过多的第三方。
Most often without users’ consent.大多数情况下未经用户同意。
More dangerously: Most websites are not aware of these leaks while implementing third-party services.更危险的是：大多数网站在实施第三方服务时都不了解这些泄漏。

这些问题难解决吗？ (Are these problems hard to fix?)

As a Software Engineer who has worked for some of the largest eCommerce companies, I understand the need to use third party services for optimising and enhancing not only the Digital Product but also how users interact with the product.

作为在某些大型电子商务公司工作的软件工程师，我理解使用第三方服务来优化和增强数字产品以及用户与产品交互的方式的需求。

It is not the usage of third party services that is of concern in this case but the implementation of these services. Owners should always have the control of their website and what the website shares with third party services.

在这种情况下，关注的不是第三方服务的使用，而是这些服务的实现。所有者应始终控制其网站以及该网站与第三方服务共享的内容。

It is this control that needs to be exercised to limit the leakage of User information.

需要执行此控件来限制用户信息的泄漏。

It is not a mammoth task, it is just a matter of commitment to preserving the basic right to privacy.

这不是一项艰巨的任务，仅是对维护基本隐私权的承诺。

For example:

例如：

Private pages should have noindex meta tags.

私有页面应具有noindex元标记。
Limit the presence of third-party services on private pages.限制私人页面上存在第三方服务。
Referrer-Policy on pages with sensitive data.

具有敏感数据的页面上的引荐来源网址政策。
Implement CSP and SRI. Even with a huge footprint of third-party services CSP, SRI are not enabled on majority of the websites.

实施CSP和SRI。即使拥有大量第三方服务CSP ，大多数网站上也未启用SRI 。

地方警长介绍： (Introducing Local Sheriff:)

Given that such information leakage is dangerous to both users and the organisations, then why is it a wide-spread problem?

鉴于此类信息泄漏对用户和组织都非常危险，那么为什么它是一个普遍存在的问题？

One big reason that these issues exist is lack of awareness.

存在这些问题的一个重要原因是缺乏认识。

A good starting point for websites is to see what information is being leaked or detect presence of TellTaleURLs.

网站的一个很好的起点是查看正在泄漏的信息或检测TellTaleURLs的存在。

But in order to find out if the same is happening with the websites you maintain or visit, you need to learn some tools to inspect network traffic, understand first-party — third-party relationship and then make sure you have these tools open during the transaction process.

但是，为了弄清楚您维护或访问的网站是否也发生了同样的情况，您需要学习一些工具来检查网络流量，了解第一方与第三方之间的关系，然后确保在网站维护期间可以打开这些工具。交易过程。

To help bridge this gap, we wanted to build a tool with the following guidelines:

为了帮助弥合这种差距，我们希望使用以下准则构建工具：

Easy to install.易于安装。
Monitors and stores all data being exchanged between websites and third-parties — Locally on the user machine.监视和存储在网站和第三方之间交换的所有数据-在用户计算机上本地。
Helps identify the users which companies are tracking them on the internet.帮助识别用户哪些公司正在Internet上跟踪他们。
Interface to search information being leaked to third-parties.搜索信息泄露给第三方的界面。

Given the above guidelines, browser extension seemed like a reasonable choice. After you install Local-Sheriff, in the background:

根据上述准则，浏览器扩展似乎是一个合理的选择。在安装Local-Sheriff之后，在后台：

Using the WebRequest API, it monitors interaction between first-party and third-party.使用WebRequest API，它可以监视第一方和第三方之间的交互。
Classifies what URL is first-party and third-party.归类为第一方和第三方的URL。
Ships with a copy of database from WhoTracksMe. To map which domain belongs to which company.

随附WhoTracksMe中的数据库副本。映射哪个域属于哪个公司。

4. Provides an interface you can search for values that you think are private to you and see which websites leak it to which third-parties. Eg: name, email, address, date of birth, cookie etc.

4.提供一个界面，您可以搜索自己认为私有的值，并查看哪些网站将其泄漏给了第三方。例如：姓名，电子邮件，地址，出生日期，cookie等。

回顾示例1 (Revisiting EXAMPLE 1)

Website: donate.mozilla.org

网站： donate.mozilla.org

The user has Local-Sheriff installed and donates to mozilla.org.用户安装了Local-Sheriff，并捐赠给mozilla.org。

Clicks on the icon to open search interface.单击图标以打开搜索界面。

Enters emailID used on the website donate.mozilla.org.输入网站donate.mozilla.org上使用的emailID。

It can be seen that email address used at the time of donation was shared with ~7 third-party domains.

可以看出，捐赠时使用的电子邮件地址已与约7个第三方域共享。

You can try it yourselves by installing it:

您可以通过安装自己尝试一下：

Firefox: https://addons.mozilla.org/de/firefox/addon/local-sheriff/

Firefox： https ： //addons.mozilla.org/de/firefox/addon/local-sheriff/
Chrome: https://chrome.google.com/webstore/detail/local-sheriff/ckmkiloofgfalfdhcfdllaaacpjjejeg

Chrome浏览器： https ： //chrome.google.com/webstore/detail/local-sheriff/ckmkiloofgfalfdhcfdllaaacpjjejeg

Resources:

资源：

More details: https://www.ghacks.net/2018/08/12/local-sheriff-reveals-if-sites-leak-personal-information-with-third-parties/

更多详细信息 ： https : //www.ghacks.net/2018/08/12/local-sheriff-reveals-if-sites-leak-personal-information-with-third-parties/
Source Code: https://github.com/cliqz-oss/local-sheriff

源代码 ： https : //github.com/cliqz-oss/local-sheriff
Conferences: Defcon 26 Demo Labs , FOSDEM 2019

会议： Defcon 26演示实验室 ， FOSDEM 2019
Code: https://github.com/cliqz-oss/local-sheriff

代码： https ： //github.com/cliqz-oss/local-sheriff
Chrome store: https://chrome.google.com/webstore/detail/local-sheriff/ckmkiloofgfalfdhcfdllaaacpjjejeg

Chrome商店： https ： //chrome.google.com/webstore/detail/local-sheriff/ckmkiloofgfalfdhcfdllaaacpjjejeg

Thanks for reading and sharing ! :)

感谢您的阅读和分享！ :)

If you liked this story, feel free to ??? a few times (Up to 50 times. Seriously).

如果您喜欢这个故事，请随时??? 几次(最多50次。严重)。

Happy Hacking !

快乐黑客！

- Konark Modi

-Konark Modi

Credits:

学分：

Special thanks to Remi , Pallavi for reviewing this post :)

特别感谢Remi和Pallavi审阅了此帖子：)
Title “Watching them watching us “ comes from a joint talk between Local Sheriff and Trackula at FOSDEM 2019.

标题“看着他们看着我们”来自当地警长和Trackula在FOSDEM 2019上的联合演讲。

翻译自: https://www.freecodecamp.org/news/local-sheriff-watching-them-watching-us-5eacf3eb00ca/