Do you think you are safe surfing on the internet?

Find out how much information websites have about you

What is this website about?

During my computer engineering degree, I have come across numerous ways to obtain data from the clients who access our websites. These practices are often unknown to users. As a future cybersecurity analyst, I am concerned about how little people know about their own privacy. On this website you will learn:

How much info you expose to the internet

In the next part I will show you that info. Do not worry, that info is secure here and will not be shared :)

How to prevent websites from getting this info

Measures you can implement to prevent websites from knowing where you are, which provider you have ...

Risks you will take if you implement some measures

Risks that you take when implementing the most common ways to be anonymous (for example, VPNs)

All I know about you

This is all the information that I can learn about you, just because you are on my website

What language do you speak?

That's easy: you speak _language_

Your OS?

That's quite easy as well: you are using _OS_

What website did you come from?

You come from _Website_

Who is your Internet provider?

Your internet provider is _InternetProvider_

Where are you?

Note that without asking for geolocation permissions I know that you are in _Country_, _City_ and your ZIP code is _ZIP_

I can go further

If you click me I will show you where you are right now. This keeps getting murkier :)

Calm down, knowing all this is normal, I have not hacked you. A website needs to know who is requesting it. Remember that you cannot send a letter without knowing the recipient.

It is also possible that the geolocation will not be 100% accurate, since it is based on your IP. I can be 100% accurate, but I would have to ask your permission. Click me to see the lawful way.
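How a server gets the language, OS and previous website shown above from the headers every browser sends, as an added example that is not this site's own code. The header values are constructed, and the function names are hypothetical; provider and location come from looking up the client IP in an external database, which is not shown here.

```javascript
// Constructed sample request headers (not captured from a real visitor).
const sampleHeaders = {
  "accept-language": "es-ES,es;q=0.9,en;q=0.8",
  "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
  "referer": "https://www.example.org/search?q=privacy+demo",
};

// Order the Accept-Language tags by their q-value (a missing q means 1).
function preferredLanguages(header = "") {
  return header
    .split(",")
    .map((part) => {
      const [tag, ...params] = part.trim().split(";");
      const q = params.map((p) => p.trim()).find((p) => p.startsWith("q="));
      return { tag: tag.trim(), q: q ? parseFloat(q.slice(2)) : 1 };
    })
    .filter((l) => l.tag && !Number.isNaN(l.q))
    .sort((a, b) => b.q - a.q)
    .map((l) => l.tag);
}

// Coarse OS guess from the platform token in User-Agent.
function guessOS(ua = "") {
  const rules = [
    [/Windows NT/, "Windows"],
    [/Android/, "Android"],   // before Linux: Android user agents contain "Linux"
    [/iPhone|iPad/, "iOS"],   // before macOS: iOS user agents contain "Mac OS X"
    [/Mac OS X/, "macOS"],
    [/Linux/, "Linux"],
  ];
  const hit = rules.find(([re]) => re.test(ua));
  return hit ? hit[1] : "unknown";
}

// Host of the page the visitor came from; null when Referer is absent or malformed.
function referrerHost(referer = "") {
  try { return new URL(referer).hostname; } catch { return null; }
}

// Everything below is derived without any permission prompt or script on the client.
function profileFromRequest(headers) {
  return {
    languages: preferredLanguages(headers["accept-language"]),
    os: guessOS(headers["user-agent"]),
    cameFrom: referrerHost(headers["referer"]),
  };
}
```

A visitor whose browser sends no Referer and a generic User-Agent yields `cameFrom: null` and `os: "unknown"`, which is the "you are already protected" case.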

History poisoning

As you have seen in the previous part, I know a lot of information about you just because you have browsed to my website. If I have not succeeded with any of it, it is because you are already protected, congratulations! But I am pretty sure that you are not safe from this one.

This exploit was my own idea: websites are allowed to save themselves as a history entry, but what if they could impersonate others? I'm going to propose 2 ideas of what could be done with this. You can click on the second one to see the demo (I could do it without you clicking, but I don't want to poison your history without your consent).

Ad/Spam injection

In this one I am going to put my LinkedIn profile as a history record

Web spoofing

The last record of your history will seem to be the famous Bank of America, but instead it will be my website (Imagine for a second what it would mean to enter a website that "looks like your trusted bank" but is not. Does this sound familiar to you? A spoofing attack).

Here you can see how this exploit works.

  • First the website changes the following data:
    • Favicon: replaced with the one of the website to impersonate.
    • Title: replaced with the title of the website to impersonate.
    • URL: a parameter called redirect is added, so the website knows where to send the request.
  • Then the website adds itself to the history.
  • And then, in order not to look suspicious, it redirects to itself.
After that, when the user opens the history, he will see our website and also what looks like his usual bank page (but is not). If he decides to access his banking website from the history (a common operation), he will in reality be going to our website, where we control where to send him, for example to a website that steals his banking credentials. But in this case don't worry, I'll send you to the best LinkedIn profile.

How can you prevent this attack? It's very simple: just disable history or use private tabs.
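For users who keep their history, the poisoned entry can also be spotted after the fact, because its title claims one site while its URL belongs to another. The following is an added example, not part of the original site: it audits exported history rows for that mismatch and for the redirect parameter described above. The sample rows, the `privacy-demo.example` host and the brand list are constructed assumptions.

```javascript
// Constructed sample of exported history rows (title + URL); not real data.
const sampleHistory = [
  { title: "Bank of America - Banking, Credit Cards, Loans", url: "https://www.bankofamerica.com/" },
  { title: "Bank of America - Banking, Credit Cards, Loans",
    url: "https://privacy-demo.example/?redirect=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fsomeone" },
  { title: "Privacy demo", url: "https://privacy-demo.example/" },
];

// Assumed allow-list: brand phrase expected in a title -> domains allowed to use it.
const BRANDS = {
  "bank of america": ["bankofamerica.com"],
  "linkedin": ["linkedin.com"],
};

// True for the domain itself and any subdomain, but not for look-alikes
// such as "bankofamerica.com.evil.example".
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns one finding per suspicious row, with the reasons it was flagged.
function auditHistory(entries, brands = BRANDS) {
  const findings = [];
  for (const { title, url } of entries) {
    let u;
    try { u = new URL(url); } catch { continue; } // skip rows that are not URLs
    const reasons = [];
    for (const [brand, domains] of Object.entries(brands)) {
      const claimsBrand = title.toLowerCase().includes(brand);
      if (claimsBrand && !domains.some((d) => hostMatches(u.hostname, d))) {
        reasons.push(`title names "${brand}" but host is ${u.hostname}`);
      }
    }
    // The page's technique stores the real destination in a "redirect" parameter.
    const target = u.searchParams.get("redirect");
    if (target) {
      try {
        const t = new URL(target, u);
        if (t.hostname !== u.hostname) reasons.push(`redirect parameter points to ${t.hostname}`);
      } catch { /* unparsable target: nothing to report */ }
    }
    if (reasons.length) findings.push({ url, reasons });
  }
  return findings;
}
```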

Measures to be safe and risks you will take

Nowadays VPNs are one of the most widely used products. They promise to hide your identity. That's true: if you're using a VPN right now, my website won't be able to tell who you are. But your VPN provider can. Always keep in mind that if a product is free, it is because you are the product. If you are using a free VPN, think about why a guy would pay for a server network to protect you. The answer is pretty easy: because he is selling all your data.

To understand this, it is important to know that a VPN is nothing more than an intermediary, requesting services on your behalf. Yes, the service does not know that you are the one who requested it, but your VPN provider knows everything you have requested, when, and, if you are not careful, even why.

After reading this you may be thinking: so VPNs are not secure! I am not saying that. As a good cybersecurity teacher told me one day, antivirus and VPNs are not products, they are services. And as Kevin Mitnick said, at the end of the chain you will have to trust some provider. The last and one of the most important principles of cybersecurity is that total security does not exist.

So if you are using a paid VPN from a reputable provider, you should be safe. If not, be aware of the information you are using (credentials, credit cards...).

So are proxies safer? NOT at all. Public proxies do not encrypt your connection to them: you hide the origin of your request from the website, but not your connection to the proxy. Also, proxies are the preferred form of malware injection, so avoid them. Unless you create your own, you are more likely to be in danger using them than to be safe.

To sum up, if you want to hide your data, you must use a VPN, but from a reputable provider. This will come at a cost, but that is completely normal and you will have to deal with it. At the end of the day, the software engineers have to eat.

And remember you are the best antivirus! Be safe!