探索和减轻HTML5地理定位API的隐私威胁

Proceedings of the 30th Annual Computer Security Applications Conference Pub Date : 2014-12-08 DOI:10.1145/2664243.2664247

Hyungsub Kim, Sangho Lee, Jong Kim

{"title":"探索和减轻HTML5地理定位API的隐私威胁","authors":"Hyungsub Kim, Sangho Lee, Jong Kim","doi":"10.1145/2664243.2664247","DOIUrl":null,"url":null,"abstract":"The HTML5 Geolocation API realizes location-based services via theWeb by granting web sites the geographical location information of user devices. However, the Geolocation API can violate a user's location privacy due to its coarse-grained permission and location models. The API provides either exact location or nothing to web sites even when they only require approximate location. In this paper, we first conduct case studies on numerous web browsers and web sites to explore how they implement and utilize the Geolocation API. We detect 14 vulnerable web browsers and 603 overprivileged web sites that can violate a user's location privacy. To mitigate the privacy threats of the Geolocation API, we propose a novel scheme that (1) supports fine-grained permission and location models, and (2) recommends appropriate privacy settings to each user by inspecting the location sensitivity of each web page. Our scheme can accurately estimate each web page's necessary geolocation degree (estimation accuracy: ~93.5%). We further provide suggestions to improve the Geolocation API.","PeriodicalId":104443,"journal":{"name":"Proceedings of the 30th Annual Computer Security Applications Conference","volume":"4 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":"{\"title\":\"Exploring and mitigating privacy threats of HTML5 geolocation API\",\"authors\":\"Hyungsub Kim, Sangho Lee, Jong Kim\",\"doi\":\"10.1145/2664243.2664247\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The HTML5 Geolocation API realizes location-based services via theWeb by granting web sites the geographical location information of user devices. However, the Geolocation API can violate a user's location privacy due to its coarse-grained permission and location models. The API provides either exact location or nothing to web sites even when they only require approximate location. In this paper, we first conduct case studies on numerous web browsers and web sites to explore how they implement and utilize the Geolocation API. We detect 14 vulnerable web browsers and 603 overprivileged web sites that can violate a user's location privacy. To mitigate the privacy threats of the Geolocation API, we propose a novel scheme that (1) supports fine-grained permission and location models, and (2) recommends appropriate privacy settings to each user by inspecting the location sensitivity of each web page. Our scheme can accurately estimate each web page's necessary geolocation degree (estimation accuracy: ~93.5%). We further provide suggestions to improve the Geolocation API.\",\"PeriodicalId\":104443,\"journal\":{\"name\":\"Proceedings of the 30th Annual Computer Security Applications Conference\",\"volume\":\"4 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-12-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"6\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 30th Annual Computer Security Applications Conference\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2664243.2664247\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 30th Annual Computer Security Applications Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2664243.2664247","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

摘要

HTML5地理定位API通过授予网站用户设备的地理位置信息，从而通过web实现基于位置的服务。然而，由于其粗粒度的权限和位置模型，Geolocation API可能会侵犯用户的位置隐私。这个API要么提供准确的位置，要么什么都不提供，即使网站只需要大概的位置。在本文中，我们首先对许多web浏览器和web站点进行案例研究，以探索它们如何实现和利用地理定位API。我们检测到14个易受攻击的web浏览器和603个权限过大的网站，这些网站可能侵犯用户的位置隐私。为了减轻地理定位API的隐私威胁，我们提出了一种新的方案:(1)支持细粒度的权限和位置模型;(2)通过检查每个网页的位置敏感性，为每个用户推荐适当的隐私设置。我们的方案可以准确地估计出每个网页所需的地理定位度(估计精度:~93.5%)。我们进一步提供了改进地理定位API的建议。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Exploring and mitigating privacy threats of HTML5 geolocation API

The HTML5 Geolocation API realizes location-based services via theWeb by granting web sites the geographical location information of user devices. However, the Geolocation API can violate a user's location privacy due to its coarse-grained permission and location models. The API provides either exact location or nothing to web sites even when they only require approximate location. In this paper, we first conduct case studies on numerous web browsers and web sites to explore how they implement and utilize the Geolocation API. We detect 14 vulnerable web browsers and 603 overprivileged web sites that can violate a user's location privacy. To mitigate the privacy threats of the Geolocation API, we propose a novel scheme that (1) supports fine-grained permission and location models, and (2) recommends appropriate privacy settings to each user by inspecting the location sensitivity of each web page. Our scheme can accurately estimate each web page's necessary geolocation degree (estimation accuracy: ~93.5%). We further provide suggestions to improve the Geolocation API.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 30th Annual Computer Security Applications Conference

自引率

0.00%

发文量