Browser fingerprint

Browser fingerprinting is a technique for identifying and tracking an individual computer by collecting data about the configuration of a user's web browser and system when they visit a website. A browser fingerprint can be constructed using different technologies, making it difficult to avoid across websites. Identification can serve various purposes, from tracking by regenerating deleted cookies to fraud prevention through the detection of bots on the internet. Countermeasures can be quite complex, because the more components a user employs to hide their identity, the more unique their browser becomes.

Definition

A browser fingerprint is a digital identifier created when a user visits a site.[2]:1 With high enough entropy, a fingerprint can be used to uniquely identify a user.[2]:6 Browser fingerprints do not rely on information stored on the user's browser, such as HTTP cookies.[3]:320 Rather, they rely on browser and system information[3]:320 provided by browser behavior.[4]:1 Changes in browser configuration often alter the fingerprint produced by typical fingerprinting algorithms.[2]:11
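The link between entropy and uniqueness can be measured directly. The following is an added example, not code from the cited studies: it computes per-attribute Shannon entropy and each visitor's anonymity set over a small constructed sample whose attribute names and values are assumptions.

```javascript
// Constructed sample: one row per visitor. Attribute names and values are
// placeholders, not data from any of the cited studies.
const SAMPLE = [
  { userAgent: "Chrome", timezone: "UTC+1", fonts: "setA" },
  { userAgent: "Chrome", timezone: "UTC+1", fonts: "setA" },
  { userAgent: "Chrome", timezone: "UTC+0", fonts: "setA" },
  { userAgent: "Chrome", timezone: "UTC+0", fonts: "setB" },
  { userAgent: "Firefox", timezone: "UTC+1", fonts: "setA" },
  { userAgent: "Firefox", timezone: "UTC+1", fonts: "setA" },
  { userAgent: "Firefox", timezone: "UTC-5", fonts: "setB" },
  { userAgent: "Firefox", timezone: "UTC-5", fonts: "setC" },
];

// Tally how often each value produced by keyFn occurs.
function tally(rows, keyFn) {
  const counts = new Map();
  for (const r of rows) counts.set(keyFn(r), (counts.get(keyFn(r)) || 0) + 1);
  return counts;
}

// Shannon entropy in bits of a single attribute across the sample.
function attributeEntropy(rows, key) {
  let h = 0;
  for (const c of tally(rows, (r) => r[key]).values()) {
    const p = c / rows.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Combined fingerprint: all attributes joined in sorted key order.
function fingerprint(row) {
  return Object.keys(row).sort().map((k) => `${k}=${row[k]}`).join("|");
}

// Per visitor: anonymity-set size and surprisal, -log2(setSize / N).
function anonymitySets(rows) {
  const counts = tally(rows, fingerprint);
  return rows.map((r) => {
    const setSize = counts.get(fingerprint(r));
    return { setSize, surprisalBits: -Math.log2(setSize / rows.length) };
  });
}

// Fraction of visitors whose combined fingerprint nobody else shares.
function uniqueFraction(rows) {
  return anonymitySets(rows).filter((s) => s.setSize === 1).length / rows.length;
}
```

No single attribute in this sample carries more than 1.5 bits, yet the combination makes half of the constructed visitors unique.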

Usage

Browser fingerprinting can be implemented on almost any website for any purpose, such as gaining personal information[5]:547 or preventing click-fraud,[5]:546 with varying impacts on end users.[6]:1139[7]:686[1]:878[5]:542,554 One common application of fingerprinting is to provide targeted advertising.[8]:821[6]:9 Fingerprints can also be used to regenerate deleted cookies[9]:107 or relink old cookies.[2]:3 Fingerprints can be used to augment electronic authentication without relying on user interaction.[10]:299 For example, a browser fingerprint can be used to determine if a paid account is being shared by more than one user, or if it has been hacked.[5]:546 Malicious sites may use fingerprints for phishing[5]:547 or other targeted exploits.[4]:8

In 2013, at least 0.4% of the top 10,000 visited sites as determined by Alexa Internet utilized scripts from one of the following fingerprint providers: BlueCava, Iovation and ThreatMetrix.[5]:546 Fifteen percent of these websites were categorized as internet pornography, and 12.5% were categorized as "personals/dating" sites.[5]:546 In 2014, the percentage of the Alexa top 10,000 sites using canvas fingerprints grew to at least 5.5%.[7]:678 Fingerprinting can be implemented with a website's own scripts or third-party scripts.[7]:678 However, a 2018 study revealed that only one-third of browser fingerprints in a French database were unique, indicating that browser fingerprinting may become less effective as the number of users increases and web technologies evolve to implement fewer distinguishing features.[11]

Techniques

Various techniques may be used to add bits of information regarding browser behavior to a fingerprint, increasing its uniqueness.[2]:11 These techniques may involve passive observation of browser behavior or active intervention to provoke a browser response.[4]:1

CSS

CSS properties are not always homogeneously supported by browsers. Thus, browsers may be differentiated by font families and versions.[12]:58[13]:256 CSS media queries can also give information about the user's operating system, screen size, screen orientation, and display aspect ratio.[12]:59-60 The CSS selector :visited can be used to query whether a user has visited a list of sites provided by the fingerprinter.[14]:5 Typically, a list of 50 popular websites is sufficient to generate a unique user history profile, as well as provide information about the user's interests.[14]:7,14

JavaScript

JavaScript objects can be used to determine browser identity, version, and user operating system based on browser-specific default properties and version-specific features, such as implementation of various ECMAScript standards.[5]:547,549-50[15]:2[16][17] JavaScript can also be used to check letter bounding boxes, which can differ between browsers based on anti-aliasing and font hinting configuration.[18]:108 Furthermore, JavaScript object manipulation is specific to each browser family:

| Browser family | Property deletion (of navigator object) | Reassignment (of navigator/screen object) |
|---|---|---|
| Google Chrome | allowed | allowed |
| Mozilla Firefox | ignored | ignored |
| Opera | allowed | allowed |
| Internet Explorer | ignored | ignored |

Canvas and WebGL

Canvas elements are used to display text and geometric figures, and WebGL is used within a canvas to display 3D elements. Rendering of these elements depends on a user's browser environment and hardware. The user's rendered image is recovered via the data URI scheme and can then be used directly in a fingerprint.[19]:2-3,6 Canvas-based techniques may also be used to identify the user's graphics card and installed fonts. WebGL attributes can be used to gain information about the user's GPU; furthermore, if the user does not have a GPU, CPU information is provided to the fingerprinter instead.[20]:110

Hardware

 
[Figure: Creation of device ID]

Benchmark tests can be used to determine whether a user's CPU utilizes AES-NI or Intel Turbo Boost by comparing the CPU time used to execute various simple or cryptographic algorithms.[21]:588 A device's hardware ID, which is a cryptographic hash function specified by the device's vendor, can also be queried to construct a fingerprint.[20]:109,114 Specialized APIs can also be used in fingerprinting, such as the Battery API, which constructs a short-term fingerprint based on the actual battery state of the device,[22]:256 or OscillatorNode, which can be invoked to produce a waveform based on user entropy.[23]:1399

Browser properties

The order and number of HTTP header fields are unique to a browser family, enabling their use in fingerprinting.[13]:257[24]:357 User agents may also provide system hardware information, such as phone model, in the HTTP header.[9]:107[20]:111 Browsers additionally have unique HTML parsers and may vary in their implementation of HTML5 features.[4]:1[13]:257 A Hamming distance comparison of parser behaviors has been shown to effectively fingerprint and differentiate a majority of browser versions.[4]:6
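The following is an added example (not code from the cited work) of nearest-signature matching by Hamming distance, including the ambiguous and unknown cases that a session-integrity check has to handle. The bit strings, labels, `maxDistance` threshold and the `sessionConsistent` helper are constructed assumptions.

```javascript
// Constructed signatures: each character is the pass/fail result of one
// parser-behaviour test. Patterns and labels are made up for illustration.
const SIGNATURES = {
  "family-A v1": "1011001110",
  "family-A v2": "1011001011",
  "family-B v1": "0100110001",
  "family-B v2": "0100111101",
};

// Number of positions at which two equal-length signatures differ.
function hamming(a, b) {
  if (a.length !== b.length) throw new RangeError("signature length mismatch");
  let d = 0;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) d++;
  return d;
}

// Nearest known signature. Returns "unknown" when even the best match is
// further than maxDistance, and "ambiguous" when two signatures tie.
function classify(observed, maxDistance = 2) {
  const ranked = Object.entries(SIGNATURES)
    .map(([label, sig]) => ({ label, distance: hamming(observed, sig) }))
    .sort((x, y) => x.distance - y.distance);
  const [best, second] = ranked;
  if (best.distance > maxDistance) return { label: "unknown", distance: best.distance };
  if (second.distance === best.distance) return { label: "ambiguous", distance: best.distance };
  return best;
}

// Hypothetical server-side use: does the observed behaviour still match the
// browser version recorded when the session was created?
function sessionConsistent(recordedLabel, observed) {
  return classify(observed).label === recordedLabel;
}
```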

A user's unique combination of browser extensions or plugins can be added to a fingerprint directly.[5]:545 Extensions may also modify how any other browser attributes behave, adding additional complexity to the user's fingerprint.[25]:954[26]:688[6]:1131[9]:108 Adobe Flash and Java plugins were widely used to access user information before their deprecation.[24]:3[5]:553[17]

Fingerprint blocking

Browser extensions that block fingerprint tracking are typically based on a ruleset that detects and blocks known fingerprinting techniques. Many rulesets such as EasyList, Ghostery, Disconnect, and Blur are maintained by online communities or companies. Extensions such as Privacy Badger use algorithms to add advertisers to a blacklist.[3]:322 Other strategies to block fingerprints include spoofing one's user agent.[27]:13 However, the mismatch between user agent and real browser information can add information to a fingerprint, differentiating the user from others who do not use fingerprint-blocking extensions.[5]:552 In some contexts, blocking extensions invoke more instances of fingerprint data collection.[3]:327

Different web browser families can be distinguished from each other by certain attributes of the fingerprints they generate, such as browser fonts, device ID, canvas elements, WebGL renderer, and local IP address.[20]:117 Microsoft Edge is considered to be the most fingerprintable browser, followed by Firefox and Google Chrome, Internet Explorer, and Safari.[20]:114 Among mobile browsers, Google Chrome and Opera Mini are most fingerprintable, followed by mobile Firefox, mobile Edge, and mobile Safari.[20]:115 Techniques to reduce browser fingerprintability include randomization of browser attributes, which causes different fingerprints to be generated on each site visit.[8]:820,823
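The following is an added comparison, not taken from the cited papers, of the two defences described in this section: static user-agent spoofing and per-visit randomization, measured against a small constructed population. All attribute names and values (`fontProbeWidth` included) are hypothetical.

```javascript
// Canonical fingerprint string: attributes joined in sorted key order.
const fp = (a) => Object.keys(a).sort().map((k) => `${k}=${a[k]}`).join("|");

// Constructed population: five identical BrowserA/OS-X users, three BrowserB/OS-Y.
const A = { userAgent: "BrowserA", platform: "OS-X", fontProbeWidth: 412 };
const B = { userAgent: "BrowserB", platform: "OS-Y", fontProbeWidth: 398 };
const POPULATION = [A, A, A, A, A, B, B, B];

// How many members of the population present exactly this fingerprint.
function crowdSize(attrs, population = POPULATION) {
  return population.filter((p) => fp(p) === fp(attrs)).length;
}

// Defence 1: static user-agent spoofing. Only the UA string changes, so the
// platform and font metrics still describe the real browser.
function spoofUserAgent(attrs) {
  return { ...attrs, userAgent: "BrowserB" };
}

// Defence 2: per-visit randomization. rng() returns a number in [0, 1);
// integer noise in [-4, 4] is added to a measured value on every visit.
// (Nine noise values is deliberately tiny; repeats between visits can occur.)
function randomize(attrs, rng = Math.random) {
  const noise = Math.floor(rng() * 9) - 4;
  return { ...attrs, fontProbeWidth: attrs.fontProbeWidth + noise };
}

// Visits are linkable when every visit yields the same fingerprint.
function linkable(visits) {
  return new Set(visits.map(fp)).size === 1;
}

// Three visits by the same BrowserA user under each defence.
function compareDefences(rng = Math.random) {
  const spoofVisits = [spoofUserAgent(A), spoofUserAgent(A), spoofUserAgent(A)];
  const randomVisits = [randomize(A, rng), randomize(A, rng), randomize(A, rng)];
  return {
    undefended: { crowd: crowdSize(A), linkable: linkable([A, A, A]) },
    spoofed: { crowd: crowdSize(spoofVisits[0]), linkable: linkable(spoofVisits) },
    randomized: { linkable: linkable(randomVisits) },
  };
}
```

In the constructed population the spoofed browser matches nobody (a BrowserB user agent with OS-X metrics) and stays identical across visits, whereas the randomized one changes on each visit.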

References

  1. Laperdrix P, Rudametkin W, Baudry B (May 2016). Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. 2016 IEEE Symposium on Security and Privacy. San Jose CA USA: IEEE. pp. 878–894. doi:10.1109/SP.2016.57. ISBN 978-1-5090-0824-7. Retrieved 2020-01-21.
  2. Eckersley P (2017). "How Unique Is Your Web Browser?". In Atallah MJ, Hopper NJ (eds.). Privacy Enhancing Technologies. Lecture Notes in Computer Science. Springer Berlin Heidelberg. pp. 1–18. ISBN 978-3-642-14527-8.
  3. Merzdovnik G, Huber M, Buhov D, Nikiforakis N, Neuner S, Schmiedecker M, Weippl E (April 2017). Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools. 2017 IEEE European Symposium on Security and Privacy. Paris France: IEEE. pp. 319–333. doi:10.1109/EuroSP.2017.26. ISBN 978-1-5090-5762-7. Retrieved 2020-01-21.
  4. Abgrall E, Le Traon Y, Monperrus M, Gombault S, Heiderich M, Ribault A (2012-11-20). "XSS-FP: Browser Fingerprinting using HTML Parser Quirks". arXiv:1211.4812 [cs.CR].
  5. Nikiforakis N, Kapravelos A, Wouter J, Kruegel C, Piessens F, Vigna G (May 2013). Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. 2013 IEEE Symposium on Security and Privacy. Berkeley CA USA: IEEE. doi:10.1109/SP.2013.43. ISBN 978-0-7695-4977-4. Retrieved 2020-01-21.
  6. Acar G, Juarez M, Nikiforakis N, Diaz C, Gürses S, Piessens F, Preneel B (November 2013). FPDetective: Dusting the Web for Fingerprinters. 2013 ACM SIGSAC Conference on Computer & Communications Security. Berlin Germany: Association for Computing Machinery. pp. 1129–1140. doi:10.1145/2508859.2516674. ISBN 978-1-4503-2477-9. Retrieved 2020-01-21.
  7. Acar G, Eubank C, Englehardt S, Juarez M, Narayanan A, Diaz C (November 2014). The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. 2014 ACM SIGSAC Conference on Computer & Communications Security. Scottsdale AZ USA: Association for Computing Machinery. pp. 674–689. doi:10.1145/2660267.2660347. ISBN 978-1-4503-2957-6. Retrieved 2020-01-21.
  8. Nikiforakis N, Joosen W, Livshits B (May 2015). PriVaricator: Deceiving Fingerprinters with Little White Lies. WWW '15: The 24th International Conference on World Wide Web. Florence Italy: International World Wide Web Conferences Steering Committee. pp. 820–830. doi:10.1145/2736277.2741090. ISBN 978-1-4503-3469-3. Retrieved 2020-01-21.
  9. Kaur N, Azam S, Kannoorpatti K, Yeo KC, Shanmugam B (January 2017). Browser Fingerprinting as user tracking technology. 11th International Conference on Intelligent Systems and Control. Coimbatore India: IEEE. doi:10.1109/ISCO.2017.7855963. ISBN 978-1-5090-2717-0. Retrieved 2020-01-21.
  10. Alaca F, van Oorschot PC (December 2016). Device Fingerprinting for Augmenting Web Authentication: Classification and Analysis of Methods. 32nd Annual Conference on Computer Security. Los Angeles CA USA: Association for Computing Machinery. pp. 289–301. doi:10.1145/2991079.2991091. ISBN 978-1-4503-4771-6. Retrieved 2020-01-21.
  11. Gómez-Boix A, Laperdrix P, Baudry B (April 2018). Hiding in the Crowd: An Analysis of the Effectiveness of Browser Fingerprinting at Large Scale. WWW '18: The Web Conference 2018. Geneva Switzerland: International World Wide Web Conferences Steering Committee. pp. 309–318. doi:10.1145/3178876.3186097. ISBN 978-1-4503-5639-8. Retrieved 2020-01-21.
  12. Takei N, Saito T, Takasu K, Yamada T (Nov 2015). Web Browser Fingerprinting Using Only Cascading Style Sheets. 10th International Conference on Broadband and Wireless Computing, Communication and Applications. Krakow Poland: IEEE. pp. 57–63. doi:10.1109/BWCCA.2015.105. ISBN 978-1-4673-8315-8. Retrieved 2020-01-21.
  13. Unger T, Mulazzani M, Frühwirt D, Huber M, Schrittwieser S, Weippl E (September 2013). SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting. 2013 International Conference on Availability, Reliability and Security. Regensburg Germany: IEEE. pp. 255–261. doi:10.1109/ARES.2013.33. ISBN 978-0-7695-5008-4. Retrieved 2020-01-21.
  14. Olejnik L, Castelluccia C, Janc A (July 2012). Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns. 5th Workshop on Hot Topics in Privacy Enhancing Technologies. Vigo Spain: INRIA. Retrieved 2020-01-21.
  15. Mulazzani M, Reschl P, Huber M, Leithner M, Schrittwieser S, Weippl E (2013). "Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting" (PDF). SBA Research. Retrieved 2020-01-21.
  16. Mowery K, Bogenreif D, Yilek S, Shacham H (2011). "Fingerprinting Information in JavaScript Implementations" (PDF). Retrieved 2020-01-21.
  17. Upathilake R, Li Y, Matrawy A (July 2015). A classification of web browser fingerprinting techniques. 7th International Conference on New Technologies, Mobility and Security. Paris France: IEEE. doi:10.1109/NTMS.2015.7266460. ISBN 978-1-4799-8784-9. Retrieved 2020-01-21.
  18. Fifield D, Egelman S (2015). "Fingerprinting Web Users Through Font Metrics". In Böhme R, Okamoto T (eds.). Financial Cryptography and Data Security. Lecture Notes in Computer Science. Springer Berlin Heidelberg. pp. 107–124. doi:10.1007/978-3-662-47854-7_7. ISBN 978-3-662-47854-7.
  19. Mowery K, Shacham H (2012). "Pixel Perfect: Fingerprinting Canvas in HTML5" (PDF). Retrieved 2020-01-21.
  20. Al-Fannah NM, Li W (2017). "Not All Browsers are Created Equal: Comparing Web Browser Fingerprintability". In Obana S, Chida K (eds.). Advances in Information and Computer Security. Lecture Notes in Computer Science. Springer International Publishing. pp. 105–120. ISBN 978-3-319-64200-0.
  21. Saito T, Yasuda K, Ishikawa T, Hosoi R, Takahashi K, Chen Y, Zalasiński M (July 2016). Estimating CPU Features by Browser Fingerprinting. 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing. Fukuoka Japan: IEEE. pp. 587–592. doi:10.1109/IMIS.2016.108. ISBN 978-1-5090-0984-8. Retrieved 2020-01-21.
  22. Olejnik L, Acar G, Castelluccia C, Diaz C (2016). "The Leaking Battery". In Garcia-Alfaro J, Navarro-Arribas G, Aldini A, Martinelli F, Suri N (eds.). Data Privacy Management, and Security Assurance. DPM 2015, QASA 2015. Lecture Notes in Computer Science. 9481. Springer, Cham. doi:10.1007/978-3-319-29883-2_18. ISBN 978-3-319-29883-2. Retrieved 2020-01-21.
  23. Englehardt S, Arvind N (October 2016). Online Tracking: A 1-million-site Measurement and Analysis. 2014 ACM SIGSAC Conference on Computer & Communications Security. Vienna Austria: Association for Computing Machinery. pp. 1388–1401. doi:10.1145/2976749.2978313. ISBN 978-1-4503-4139-4. Retrieved 2020-01-21.
  24. Fiore U, Castiglione A, De Santis A, Palmieri F (September 2014). Countering Browser Fingerprinting Techniques: Constructing a Fake Profile with Google Chrome. 17th International Conference on Network-Based Information Systems. Salerno Italy: IEEE. doi:10.1109/NBiS.2014.102. ISBN 978-1-4799-4224-4. Retrieved 2020-01-21.
  25. Starov O, Nikiforakis N (May 2017). XHOUND: Quantifying the Fingerprintability of Browser Extensions. 2017 IEEE Symposium on Security and Privacy. San Jose CA USA: IEEE. pp. 941–956. doi:10.1109/SP.2017.18. ISBN 978-1-5090-5533-3. Retrieved 2020-01-21.
  26. Sanchez-Rola I, Santos I, Balzarotti D (August 2017). Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies. 26th USENIX Security Symposium. Vancouver BC Canada: USENIX Association. pp. 679–694. ISBN 978-1-931971-40-9. Retrieved 2020-01-21.
  27. Yen TF, Xie Y, Yu F, Yu R, Abadi M (February 2012). Host Fingerprinting and Tracking on the Web: Privacy and Security Implications (PDF). The 19th Annual Network and Distributed System Security Symposium. San Diego CA USA: Internet Society. Retrieved 2020-01-21.
