Browser Fingerprinting: Online Tracking Without Cookies

Presentation transcript:

Browser Fingerprinting: Online Tracking Without Cookies
Dr. Rob Cole, IST 815

Device Fingerprinting
– The process of obtaining device characteristics for purposes such as device tracking or vulnerability discovery
– Any unique characteristic can be a fingerprint (e.g. CPU clock skew)
– This lecture focuses on browser fingerprinting

Browser Fingerprinting
– A variety of browser and system characteristics can be harvested (e.g. screen resolution, installed fonts, installed plugins, OS version, browser version, info. on installed cameras and mics, etc.)
– Employed by websites as a countermeasure to anonymization techniques such as disabling cookies
– Not a silver bullet because fingerprints change over time (possibly short timescales)

BE AWARE! Browser fingerprinting is actively being conducted on the Internet today.

Why?
– To overcome your efforts to remain anonymous
– Various analytic uses limited only by the imagination.
– Example: Fraud Detection

“a system that uniquely identifies network devices connecting to a network, and correlates logins with each network device used … used to observe login behavior, such as accounts connecting from ‘too many’ devices, or ‘too many’ accounts connecting from the same device… to cross-reference physical devices used by known fraudulent accounts, and cross-reference other accounts used by specific devices. Physical devices involved in suspicious or fraudulent activity, or devices associated with accounts involved in suspicious activity can be prevented from connecting to a network”
-US Patent Application B2, Iovation Inc.

Methodology

HTTP and Browser Object Inspection
– HTTP headers contain accept encodings and the user agent string
– Objects in mobile code engines are a rich source of info because they contain system information (see next slide)

Canvas Fingerprinting
– Render text onto browser canvas and read the image data back looking for idiosyncrasies in how the image is rendered.

Cache and History Snooping
– History: Browser scripts render and then inspect invisible HTML links for a “visited” style indicating that link is in your browsing history (difficult in modern browsers).
– Cache: Browser scripts make timing measurements to determine whether a file is present in the system cache or whether a host/domain is present in the DNS cache.

Javascript Performance Testing
– Research has shown that timing the performance of core Javascript operations can distinguish between major browser versions, operating systems and microarchitectures.

Methodology

HTTP Inspection
– HTTP headers contain various items, the most useful of which for fingerprinting is the user agent string
– Example user agent:
  Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/
  This user agent tells us the specific version of the Chrome browser and the operating system (NT 6.1 = Windows 7 in this case)

Note: The user agent string can be changed by the user as a means to defeat fingerprinting. However, care must be taken that the altered user agent string isn’t still highly unique or identifiable (the Privoxy privacy tool, for example, apparently includes the word “privoxy” in the user agent string it uses).

Methodology

Browser Object Inspection via Javascript and Flash
– Many Javascript and Flash objects contain system information that can be easily obtained by inspection.
– Here’s how you can easily inspect Javascript objects yourself:
  1. Open your browser to any page
  2. Right-click anywhere in the page and select inspect element in the popup menu. This will open your browser’s developer tools window at the bottom.
  3. Select the Console tab in the developer tools window.
  4. The console prompt is at the very bottom of the browser window. Enter Javascript commands or object names here and details about the object will be displayed in the window just above (see examples on next slides).

Methodology

Browser Object Inspection via Javascript
– Examples from my system:
  The screen object reveals my screen resolution, including the fact that my Windows taskbar is not hidden and is positioned horizontally! (Inferred via the difference between height and availHeight; these would be identical if the taskbar were hidden.)

Methodology

Browser Object Inspection via Javascript
– Examples from my system:
  The navigator object contains the plugins array. navigator.plugins will show you how many plugins are present. To see the details of a particular plugin, enter navigator.plugins[x], where x is an array index starting at 0.
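
The inferences from the two slides above (taskbar state from the screen object, plugin list from navigator.plugins), written out as an added example that is not part of the original lecture. The function names and the sample objects are assumptions constructed for illustration; in a browser console you can pass the real `screen` and `navigator` objects to see what your own browser exposes.

```javascript
// Infer reserved desktop UI from the gap between total and available screen
// size. On Windows this is normally the taskbar; other systems reserve
// space for docks or menu bars in the same way.
function inferTaskbar(s) {
  const dh = s.height - s.availHeight; // pixels reserved at top or bottom
  const dw = s.width - s.availWidth;   // pixels reserved at left or right
  if (dh === 0 && dw === 0) {
    return { visible: false, orientation: null, thickness: 0 };
  }
  return dh >= dw
    ? { visible: true, orientation: 'horizontal', thickness: dh }
    : { visible: true, orientation: 'vertical', thickness: dw };
}

// navigator.plugins is array-like rather than a true array, so copy it
// before mapping. Sorting makes the list comparable between visits.
function listPlugins(nav) {
  return Array.from(nav.plugins || [], p => p.name).sort();
}

// Everything the two slides read off the objects, in one record.
function describeExposure(s, nav) {
  const plugins = listPlugins(nav);
  return {
    resolution: `${s.width}x${s.height}`,
    taskbar: inferTaskbar(s),
    pluginCount: plugins.length,
    plugins,
  };
}

// Constructed sample values (not taken from the lecturer's system).
const sampleScreen = { width: 1920, height: 1080, availWidth: 1920, availHeight: 1040 };
const sampleNavigator = {
  plugins: [{ name: 'Constructed PDF Viewer' }, { name: 'Constructed Media Plugin' }],
};

console.log(describeExposure(sampleScreen, sampleNavigator));
```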

Methodology

Browser Object Inspection via Flash
– Like Javascript, Flash provides objects with system information.
– The Fonts object contains a list of system fonts available by calling the Font.enumerateFonts method in Actionscript (the language of Flash). Your font list is highly valuable for fingerprinting due to its size and variability. (The font list for my system, for example, is 4,902 characters long!)
– Flash objects cannot be inspected as easily as JS objects since Flash must be compiled. To see your font list, go to the Panopticlick web page and test your system.

NOTE: Disabling Flash will not guarantee your fonts cannot be enumerated since other methods (e.g. canvas-based) can be used!

How Prevalent?

Prevalence has been examined in recent studies:
– Study [1] crawled thousands of the top-ranked Alexa websites and found 404 sites using Javascript-based fingerprinting and 95 sites using Flash-based fingerprinting.
– Study [2] similarly examined canvas-based fingerprinting and found 5,542 sites containing canvas fingerprinting scripts, 95% of which were being served from a single domain (addthis.com)

[1] G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gürses, F. Piessens, and B. Preneel, “FPDetective: Dusting the Web for Fingerprinters,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, New York, NY, USA, 2013, pp. 1129–1140.
[2] G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, and C. Diaz, “The Web never forgets: Persistent tracking mechanisms in the wild.” [Online]. Available:

Entropy: Fingerprint Effectiveness

A standard metric used to evaluate the effectiveness of a fingerprint scheme is Shannon Entropy, H, units of bits:

In this context, N is the number of unique fingerprint values observed and p_i is the probability associated with the i-th value.

For example, assume we have a perfect fingerprint scheme*, meaning we have a fingerprint that gives a different value for each unique visitor to a website. Let’s say there are N=100 total users. The entropy of this fingerprint scheme would be:

[Figure: Fingerprint distribution]

Thus 6.6 bits represents the entropy of a perfect fingerprint for N=100 users. This is the maximum possible entropy.

* perhaps a serial number from their computer if we could somehow obtain it

Entropy: Fingerprint Effectiveness

What about the entropy of an imperfect fingerprinting scheme? Consider a fingerprint consisting of browser type. The following distribution might be observed today:

[Figure: Fingerprint distribution]

Only 1.6 bits of entropy for this scheme due to the low information conveyed by the browser type alone. We could add entropy in this scheme by including browser version in the fingerprint.

Entropy: Fingerprint Effectiveness

The Panopticlick study [3] is an early examination of fingerprint effectiveness. In this study, the highest-entropy fingerprint elements were browser plugins (15.4 bits), fonts (13.9 bits) and user agent (10 bits).

To see examples of your fingerprint data, along with uniqueness measures of your data, go to

Note: the “bits of identifying information” reported for your data by this site is not entropy. It is a related quantity called surprisal. Read study [3] for more information.

[3] P. Eckersley, “How Unique is Your Web Browser?,” in Proceedings of the 10th International Conference on Privacy Enhancing Technologies, Berlin, Heidelberg, 2010, pp. 1–18.
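
The entropy slides above, worked through in code as an added example that is not part of the original lecture: the perfect fingerprint for N=100 users, a browser-type fingerprint, the gain from adding browser version, and the surprisal of a single value. The visitor counts and version labels are constructed for illustration and are not the distribution shown on the slide.

```javascript
// Shannon entropy in bits over a list of per-value counts:
//   H = -sum(p_i * log2(p_i)),  p_i = count_i / total
function entropyBits(counts) {
  const total = counts.reduce((a, b) => a + b, 0);
  return counts
    .filter(c => c > 0)
    .reduce((h, c) => h - (c / total) * Math.log2(c / total), 0);
}

// Surprisal: bits of identifying information carried by ONE observed value.
// Entropy is the probability-weighted average of surprisal over all values.
function surprisalBits(count, total) {
  return -Math.log2(count / total);
}

// Group visitor rows by a fingerprint key and return Map(key -> visitors).
function tally(rows, keyFn) {
  const m = new Map();
  for (const r of rows) {
    const k = keyFn(r);
    m.set(k, (m.get(k) || 0) + r.visitors);
  }
  return m;
}

// Constructed sample of 100 visitors; version labels are placeholders.
const rows = [
  { browser: 'Chrome',  version: 'A', visitors: 35 },
  { browser: 'Chrome',  version: 'B', visitors: 25 },
  { browser: 'Firefox', version: 'A', visitors: 12 },
  { browser: 'Firefox', version: 'B', visitors: 8 },
  { browser: 'Safari',  version: 'A', visitors: 10 },
  { browser: 'Edge',    version: 'A', visitors: 10 },
];

// Perfect fingerprint: 100 users, 100 distinct values, one user each.
const hPerfect = entropyBits(new Array(100).fill(1));

const byType = tally(rows, r => r.browser);
const byTypeVersion = tally(rows, r => `${r.browser}/${r.version}`);
const hType = entropyBits([...byType.values()]);
const hTypeVersion = entropyBits([...byTypeVersion.values()]);

console.log('perfect fingerprint :', hPerfect.toFixed(2), 'bits');
console.log('browser type        :', hType.toFixed(2), 'bits');
console.log('type + version      :', hTypeVersion.toFixed(2), 'bits');
console.log('surprisal, Safari   :', surprisalBits(byType.get('Safari'), 100).toFixed(2), 'bits');
console.log('surprisal, Chrome   :', surprisalBits(byType.get('Chrome'), 100).toFixed(2), 'bits');
```

A rare value (Safari in this sample) carries more surprisal than a common one (Chrome), even though both come from the same low-entropy scheme.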