Vulnerability and Background

The hypertext transmission protocol (HTTP) defines a standard for communication on the web, which, by default, is not encrypted. That means anyone capable of viewing network traffic (an internet service provider, another person on the same WIFI network, or those snooping on other parts of the network – spy agencies) can potentially read and modify content passed only on HTTP. Nevertheless, much of the web (particularly larger companies and those handling sensitive information) has moved to the HTTPS (secure) protocol, which defines an encryption standard.

Some of those sites that only offer HTTP or that do not default to HTTPS can reveal sensitive data or personally identifying information (PII) (Miller). For example, WebMD is the second most popular health website, but does not offer HTTPS (Narayanan). This exposes potentially sensitive medical information which can be very valuable in terms of ad revenue (Leichenko). Significant work also shows that meta data in HTTPS connections can leak identifying information (Danezis). The content of HTTPS pages is encrypted over the web, but the root destination address is not. That is to say, a network attacker could determine that a particular user is navigating to a pornography site, even if that connection is encrypted with HTTPS.

While “an estimated 70 percent of traffic will be encrypted by the end of 2016” (Swire) as much as 70% this traffic is taken up by streaming services like Netflix (“Global”). One might initially assume that with the majority of the web using encryption, we no longer need to worry about this aspect of security, but the traffic analysis of internet usage misrepresents how we use the web. A movie streamed on Netflix (encrypted) results in more than 50,000 times as much traffic as a request to WebMD (unencrypted) – this exemplifies the imbalance in analysis of encryption on the web (Narayanan).

In the WIFI protocol all information is broadcast. Thus users on the same network can examine any content sent. An open unsecured WIFI network does not require a login. Many devices automatically connect to open networks. For example, many coffee shops, stores, and public places allow anyone to access the internet through WIFI. There have been demonstrations of the vulnerability of user data and personally identifying information in such public WIFI settings previously (Butler).

Example Scenario

A user passing through the space notices the installation. Reading the default pages display on the monitors, she becomes intrigued and connects to the WIFI network with her phone thus consenting to the terms of use. She explores some of the examples, navigating to unencrypted sites like WebMD and sees her traffic captured on the displays. She then navigates to some encrypted sites (like Google or a bank website) and notices that her traffic is not captured – the display is unable to show an encrypted page. Now she understands a bit more about encryption and follows up with the resources detailed in this website to learn more and better protect herself on the web (for instance by using HTTPS Everywhere from the EFF).

See the description page for a video demonstrating one example.

Goals

The internet has become an essential part of life. Much of the data that we send through the internet can be examined by other parties ranging in goals and technical capacity, from ex-lovers to Mossad-like government entities. In developing an internet in which the security of information reflects users’ principles, we must understand the disconnect between what users assume occurs and what can occur. I intend this installation to inform users about privacy and web security by exposing them to a vulnerability in how the internet works. Ideally users of the space come to understand more about HTTP, encryption, and WIFI through exploration of the installation and from provided resources. With this knowledge they will be more effective advocates for a web designed for the people.

Legal and Ethical

Conducting this sort of traffic sniffing is not illegal, but people are uncomfortable with the idea of the installation. The WIFI network serves a captive portal when users attempt to join (similar to the type one might encounter in a coffee shop) which forces users to consent. The work of Sicker et al. suggests that this is sufficient legal backing.

Summation

This network vulnerability does not just expose locality-based attacks to harvest user information (Butler) which have become increasingly less viable in recent years, but also presents the internet to users in a way they understand (physical location, WIFI, and, to a lesser extent, routers). In providing an interactive exemplification of one threat I hope to guide users to a base of understanding. With this site, I extend this framework to areas which users may not understand as well (like ISPs, network attackers, even websites — actors who have access to user data). In this way, the tangible WIFI vulnerability becomes a vehicle to teach lay users about threat modeling.

The majority of web traffic may be over HTTPS, but work from Narayanan and others shows that this underestimates the problem. Furthermore, Miller and Danezis have shown a significant amount of personal identifying information can be inferred even over HTTPS. Multiple studies (like that of Englehardt) have shown that web trackers and advertisers can also accumulate massive amounts of user data. I clearly will not be able to deeply inform users about all of these issues, but I hope to scare them a little bit and allow for greater exploration.

---

Works Cited

• Abu-Salma, Ruba, et al. "Obstacles to the Adoption of Secure Communication Tools." Security and Privacy (SP), 2017 IEEE Symposium on (SP’17). IEEE Computer Society. (2017).
• Butler, Eric. "Firesheep." http://codebutler.com/firesheep (2010).
• Danezis, George. "Traffic Analysis of the HTTP Protocol over TLS." (2009). Electronic Frontier Foundation. https://www.eff.org/ (2017).
• Englehardt, Steven, et al. "Cookies that give you away: The surveillance implications of web tracking." Proceedings of the 24th International Conference on World Wide Web. International World Wide Web Conferences Steering Committee. (2015).
• “Global Internet Phenomena.” Sandive. https://www.sandvine.com/downloads/general/global-internet-phenomena/2016/global-internet-phenomena-report-latin-america-and-north-america.pdf (2016).
• Herley, Cormac. "So long, and no thanks for the externalities: the rational rejection of security advice by users." Proceedings of the 2009 workshop on New security paradigms workshop. ACM, 2009.
• Leichenko, Jim. “The Most Expensive Keywords in Paid Search, By Cost Per Click & Spend.” https://www.adgooroo.com/resources/blog/the-most-expensive-keywords-in-paid-search-by-cost-per-click-and-ad-spend/ (2015).
• Miller, et al. “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis. https://www.petsymposium.org/2014/papers/Miller.pdf (2014).
• Narayanan, Reisman. “ISPs and web privacy: insights from research.” https://ecfsapi.fcc.gov/file/60002354966.pdf (2016).
• Sicker, Douglas C., Paul Ohm, and Dirk Grunwald. "Legal issues surrounding monitoring during network research." Proceedings of the 7th ACM SIGCOMM conference on Internet measurement. ACM, 2007.
• Swire, et al., “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others” http://www.iisp.gatech.edu/sites/default/files/images/online_privacy_and_isps.pdf (2016).