
New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Have you ever gone to socially share or email a URL and found that it was much longer than you had expected? Take the following contrived URL as an example:

http://www.example.com/path/submit.php?user=userabc&pageid=012345&utm_referrer=rss&localtime=+0500

In your personal experience, as in our example, you might have realized that the URL was as much about you, the client, as it was about the Web resource you were trying to access. Indeed, Internet addresses may contain a wealth of information about the identities and activities of the users visiting them. URLs often utilize query strings (i.e., key-value pairs appended to the URL path; in our example, everything after the question mark) as a means to pass session parameters and form data. While sometimes benign and necessary to render the Web page, query strings often contain tracking mechanisms, user names, email addresses, and other information that users may not wish to publicly reveal. In isolation this is not particularly problematic, but the growth of Web 2.0 platforms such as social networks and micro-blogging means such URLs are increasingly being publicly broadcast.

Andrew G. West, a Research Scientist in Verisign Labs, along with collaborator and U.S. Naval Academy professor Adam J. Aviv, examined nearly 900 million user-submitted URLs to gauge the prevalence and severity of such privacy leaks. Within the corpus they found troves of personal information. Almost 55 percent of URLs have a query string, and of those, 53 percent disclose referrer data (i.e., how you got to the page) with at least 2.7 percent having more acute privacy ramifications. For example, 1.7 million email addresses were found in the data, but the most egregious incidents were the several dozen cases where query strings contained usernames and passwords for administrative and sensitive accounts in *plain text*. The study also found that mobile devices contribute an atypically significant portion of the problem space, perhaps because small screen sizes and difficult input mechanisms prevent users from observing and manually eliminating private data.

With this as motivation, the researchers propose the development of a privacy-aware URL sanitization service named "CleanURL." The goal of the proposal is to transform input addresses by stripping non-essential key-value pairs and/or notifying users when sensitive data is critical to proper page rendering. Such a system could be user-facing, transparently built into online platforms, and/or retroactively applied to existing links. Regardless, the goal of this research and the proposed system echoes one of Verisign's own: increasing the safety and security of the Internet for corporations and individuals alike.
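A sketch of the strip-or-notify transformation described above, applied to the contrived URL from the start of this post. This is an added example, not code from the CleanURL proposal or from Verisign; the key-name patterns and the `essential` allowlist (standing in for whatever check decides that a parameter is needed to render the page) are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed heuristics for illustration; a real service would need a
# measured key list and a rendering check to decide what is essential.
TRACKING_KEY = re.compile(r"^(utm_|ref)", re.I)
SENSITIVE_KEY = re.compile(r"user|login|mail|pass|token", re.I)
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# The contrived URL from the article.
SAMPLE = ("http://www.example.com/path/submit.php"
          "?user=userabc&pageid=012345&utm_referrer=rss&localtime=+0500")


def classify(key, value):
    """Label a key-value pair by the kind of disclosure it represents."""
    if SENSITIVE_KEY.search(key) or EMAIL_VALUE.match(value):
        return "sensitive"
    if TRACKING_KEY.match(key):
        return "tracking"
    return "non-essential"


def clean_url(url, essential=frozenset()):
    """Strip every pair whose key is not in `essential` (hypothetical allowlist).

    Returns (cleaned_url, removed, warnings): `removed` maps each stripped key
    to its label; `warnings` lists kept keys that still look sensitive, i.e.
    the case where the user should be notified before sharing.
    """
    parts = urlsplit(url)
    kept, removed, warnings = [], {}, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        label = classify(key, value)
        if key in essential:
            kept.append((key, value))
            if label == "sensitive":
                warnings.append(key)
        else:
            removed[key] = label
    return urlunsplit(parts._replace(query=urlencode(kept))), removed, warnings


if __name__ == "__main__":
    print(clean_url(SAMPLE, essential={"pageid"}))
    print(clean_url(SAMPLE, essential={"pageid", "user"}))
```

With only `pageid` marked essential, the shared link shrinks to the path plus `pageid`; marking `user` essential keeps it in the link but returns it in `warnings` so the user can be told before sharing.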

This research was initially published at the 8th Workshop on Web 2.0 Security and Privacy (W2SP 2014), and an expanded journal version is currently in submission.

Read the full report, On the Privacy Concerns of URL Query Strings [PDF].

Verisign

About Verisign – Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world's most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net domains and two of the internet's root servers, as well as performs the root-zone maintainer functions for the core of the internet's Domain Name System (DNS).

Related topics: Cybersecurity, Privacy
