Date post: 12-Jan-2016
Upload: conrad-cross
Page 1: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Browser Fingerprinting: Online Tracking Without Cookies

•Device Fingerprinting
–The process of obtaining device characteristics for purposes such as device tracking or vulnerability discovery
–Any unique characteristic can be a fingerprint (e.g. CPU clock skew)
–This lecture focuses on browser fingerprinting

•Browser Fingerprinting
–A variety of browser and system characteristics can be harvested (e.g. screen resolution, installed fonts, installed plugins, OS version, browser version, info. on installed cameras and mics, etc.)
–Employed by websites as a countermeasure to anonymization techniques such as disabling cookies
–Not a silver bullet because fingerprints change over time (possibly short timescales)

Dr. Rob Cole, IST 815

BE AWARE! Browser fingerprinting is actively being conducted on the Internet today.

Page 2: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Why?

–To overcome your efforts to remain anonymous
–Various analytic uses limited only by the imagination.
–Example: Fraud Detection

Page 3: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Methodology

•HTTP and Browser Object Inspection
–HTTP headers contain accept encodings and the user agent string
–Objects in mobile code engines are a rich source of info because they contain system information (see next slide)

•Canvas Fingerprinting
–Render text onto browser canvas and read the image data back looking for idiosyncrasies in how the image is rendered.

•Cache and History Snooping
–History: Browser scripts render and then inspect invisible HTML links for a “visited” style indicating that link is in your browsing history (difficult in modern browsers).
–Cache: Browser scripts make timing measurements to determine whether a file is present in the system cache or whether a host/domain is present in the DNS cache.

•Javascript Performance Testing
–Research has shown that timing the performance of core Javascript operations can distinguish between major browser versions, operating systems and microarchitectures.

Page 4: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Methodology

HTTP Inspection
–HTTP headers contain various items, the most useful of which for fingerprinting is the user agent string
–Example user agent:

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

This user agent tells us the specific version of the Chrome browser and the operating system (NT 6.1 = Windows 7 in this case)

Note: The user agent string can be changed by the user as a means to defeat fingerprinting, however care must be taken that the resulting altered user agent string isn’t still highly unique or identifiable (the Privoxy privacy tool, for example, apparently includes the word “privoxy” in the user agent string it uses.)


Page 5: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Methodology

Browser Object Inspection via Javascript and Flash
–Many Javascript and Flash objects contain system information that can be easily obtained by inspection.
–Here’s how you can easily inspect Javascript objects yourself:

1. Open your browser to any page
2. Right-click anywhere in the page and select inspect element in the popup menu. This will open your browser’s developer tools window at the bottom.
3. Select the Console tab in the developer tools window.
4. The console prompt is at the very bottom of the browser window. Enter Javascript commands or object names here and details about the object will be displayed in the window just above (see examples on next slides).

Page 6: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Methodology

Browser Object Inspection via Javascript
–Examples from my system:

The screen object reveals my screen resolution, including the fact that my windows taskbar is not hidden and is positioned horizontally! (inferred via difference between height and availHeight – these would be identical if the taskbar is hidden)

Page 7: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Methodology

Browser Object Inspection via Javascript
–Examples from my system:

The navigator object contains the plugins array.

navigator.plugins will show you how many plugins are present.

To see the details of a particular plugin, enter: navigator.plugins[x] where x is an array index starting at 0.
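To check what the objects described on the last few slides give away, the following added example (not part of the original slides) summarises a screen object, a navigator object and a user agent string. SAMPLE_SCREEN, SAMPLE_NAVIGATOR and all function names are constructed for illustration; in a browser console, call describeExposure(screen, navigator) to audit your own browser.

```javascript
// Added example, not from the slides. The two SAMPLE objects are constructed
// stand-ins so the code also runs outside a browser (e.g. under Node).
const SAMPLE_SCREEN = { width: 1920, height: 1080, availWidth: 1920, availHeight: 1040 };
const SAMPLE_NAVIGATOR = {
  userAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 " +
    "(KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36",
  // navigator.plugins is array-like (length plus numeric indexes), not an Array
  plugins: { length: 2, 0: { name: "Shockwave Flash" }, 1: { name: "Chrome PDF Viewer" } },
};

// Windows NT version numbers as they appear in user agent strings (client names).
const NT_NAMES = { "5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
  "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10/11" };

function parseUserAgent(ua) {
  const nt = /Windows NT (\d+\.\d+)/.exec(ua);
  const chrome = /Chrome\/([\d.]+)/.exec(ua);
  return {
    os: nt ? (NT_NAMES[nt[1]] || "Windows NT " + nt[1]) : "unknown",
    chromeVersion: chrome ? chrome[1] : null,
  };
}

// The gap between full and available screen size is space reserved by the OS
// (on Windows, the taskbar); the axis that shrinks gives its orientation.
function taskbarGuess(scr) {
  if (scr.height > scr.availHeight) return "horizontal";
  if (scr.width > scr.availWidth) return "vertical";
  return "hidden";
}

function describeExposure(scr, nav) {
  const plugins = [];
  for (let i = 0; i < nav.plugins.length; i++) plugins.push(nav.plugins[i].name);
  return {
    resolution: scr.width + "x" + scr.height,
    taskbar: taskbarGuess(scr),
    plugins: plugins.sort(), // sorted so the list does not depend on load order
    ...parseUserAgent(nav.userAgent),
  };
}

console.log(describeExposure(SAMPLE_SCREEN, SAMPLE_NAVIGATOR));
```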

Page 8: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Methodology

Browser Object Inspection via Flash
–Like Javascript, Flash provides objects with system information.
–The Fonts object contains a list of system fonts available by calling the Font.enumerateFonts method in Actionscript (the language of Flash).

Your font list is highly valuable for fingerprinting due to its size and variability. (The font list for my system, for example, is 4,902 characters long!)

Flash objects cannot be inspected as easily as JS objects since Flash must be compiled. To see your font list, go to the Panopticlick web page and test your system.


https://panopticlick.eff.org

NOTE: Disabling Flash will not guarantee your fonts cannot be enumerated since other methods (e.g. canvas-based) can be used!

Page 9: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

How Prevalent?

Prevalence has been examined in recent studies:
–Study [1] crawled thousands of the top-ranked Alexa websites and found 404 sites using Javascript-based fingerprinting and 95 sites using Flash-based fingerprinting.
–Study [2] similarly examined canvas-based fingerprinting and found 5,542 sites containing canvas fingerprinting scripts, 95% of which were being served from a single domain (addthis.com)

[1] G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gürses, F. Piessens, and B. Preneel, “FPDetective: Dusting the Web for Fingerprinters,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, New York, NY, USA, 2013, pp. 1129–1140.

[2] G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, and C. Diaz, “The Web never forgets: Persistent tracking mechanisms in the wild.” [Online]. Available: https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf.

Page 10: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Entropy: Fingerprint Effectiveness

A standard metric used to evaluate the effectiveness of a fingerprint scheme is Shannon Entropy, H, units of bits:

$$H = -\sum_{i=1}^{N} p_i \log_2 p_i$$

In this context, $N$ is the number of unique fingerprint values observed and $p_i$ is the probability associated with the $i$-th value.

For example, assume we have a perfect fingerprint scheme, meaning we have a fingerprint that gives a different value for each unique visitor to a website. Let’s say there are N=100 total users. The entropy of this fingerprint scheme would be:

* perhaps a serial number from their computer if we could somehow obtain it

$$H = -\sum_{i=1}^{100} 0.01 \log_2 0.01 = -\log_2 0.01 = \log_2 100 = 6.6 \text{ bits}$$

[Figure: Fingerprint distribution]

Thus 6.6 bits represents the entropy of a perfect fingerprint for N=100 users. This is the maximum possible entropy.

Page 11: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Entropy: Fingerprint Effectiveness

What about the entropy of an imperfect fingerprinting scheme?

Consider a fingerprint consisting of browser type. The following distribution might be observed today:

[Figure: Fingerprint distribution]

$$H = -\left(0.6 \log_2 0.6 + 0.09 \log_2 0.09 + 0.25 \log_2 0.25 + 0.04 \log_2 0.04 + 0.04 \log_2 0.04\right) = 1.6 \text{ bits}$$

Only 1.6 bits of entropy for this scheme due to the low information conveyed by the browser type alone. We could add entropy in this scheme by including browser version in the fingerprint.

Page 12: Browser Fingerprinting: Online Tracking Without Cookies Device Fingerprinting –The process of obtaining device characteristics for purposes such as device.

Entropy: Fingerprint Effectiveness

The Panopticlick study [3] is an early examination of fingerprint effectiveness. In this study, the highest-entropy fingerprint elements were browser plugins (15.4 bits), fonts (13.9 bits) and user agent (10 bits).

To see examples of your fingerprint data, along with uniqueness measures of your data, go to https://panopticlick.eff.org/

Note: the “bits of identifying information” reported for your data by this site is not entropy. It is a related quantity called surprisal. Read study [3] for more information.
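The entropy formula from the earlier slides and the surprisal mentioned in the note above can be compared directly on observed data. This is an added example, not part of the original slides: SAMPLE is a constructed set of eight visitors, and tally, entropyBits and surprisalBits are illustrative names. Entropy describes the whole population, while surprisal (the negative base-2 log of one value's probability) describes how identifying one visitor's value is.

```javascript
// Added example, not from the slides. SAMPLE is constructed data.
const SAMPLE = [
  { browser: "Chrome", version: "36" }, { browser: "Chrome", version: "36" },
  { browser: "Chrome", version: "35" }, { browser: "Chrome", version: "35" },
  { browser: "Firefox", version: "31" }, { browser: "Firefox", version: "30" },
  { browser: "Safari", version: "7" }, { browser: "IE", version: "11" },
];

// Count how often each fingerprint value occurs; keyFn builds the value.
function tally(records, keyFn) {
  const counts = new Map();
  for (const r of records) {
    const k = keyFn(r);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

function totalOf(counts) {
  let total = 0;
  for (const c of counts.values()) total += c;
  return total;
}

// Shannon entropy H = -sum p_i log2 p_i over the observed values, in bits.
function entropyBits(counts) {
  const total = totalOf(counts);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / total;
    h -= p * Math.log2(p);
  }
  return h;
}

// Surprisal of one value: -log2 p(value). A value never observed has no
// probability estimate, so it is reported as Infinity.
function surprisalBits(counts, value) {
  if (!counts.has(value)) return Infinity;
  return -Math.log2(counts.get(value) / totalOf(counts));
}

const byBrowser = tally(SAMPLE, (r) => r.browser);
const byBrowserVersion = tally(SAMPLE, (r) => r.browser + "/" + r.version);
console.log("H(browser)         =", entropyBits(byBrowser));
console.log("H(browser+version) =", entropyBits(byBrowserVersion));
console.log("surprisal(Chrome)  =", surprisalBits(byBrowser, "Chrome"));
console.log("surprisal(Safari)  =", surprisalBits(byBrowser, "Safari"));
```

On this sample the common browser carries far less identifying information than the rare one, even though both come from the same distribution with a single entropy value.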

[3] P. Eckersley, “How Unique is Your Web Browser?,” in Proceedings of the 10th International Conference on Privacy Enhancing Technologies, Berlin, Heidelberg, 2010, pp. 1–18.
