Browser

Fingerprint

@xufocoder

Part 1

Am I an anonymous user actually?

What if I told you

that somebody permanently track you

through your browser

There's no privacy?

Who can be interested?

These who want to

track you

Data brokers

Advertising

DoubleClick, ComScore, cXense

Google AdSense

Site Analytics

Google Analytics, Yandex metrika

Social Networks

Facebook, Google Plus

etc

See for yourself

who are tracking you

Ghostery browser extension

* Ghostery browser extension on www.ghostery.com

Let's check who are tracking on

www.bbc.com

Ligthbeam Firefox add-on

* Ligthbeam on Firefox

Websites connected

via doubleclick.net

Trackography

* Trackography of www.aif.ru

Let's visit russian website www.aif.ru

Wonderland and I show you how deep the rabbit-hole goes.

Disqus Comments

* Don Williamson. Replacing Disqus with Github Comments, April 2017

Decrease from 105 network requests to 16 after widget removing

google-analytics.com
connect.facebook.net
accounts.google.com
bluekai.com
crwdcntrl.net
exelator.com
doubleclick.net
tag.apxlv.net
adnxs.com
adsymptotic.com

rlcdn.com
adbrn.com
nexac.com
tapad.com
liadm.com
pippio.com
sohern.com
demdex.net
bidswitch.net
agkn.com
mathtag.com

Tracker list

...

There are Big Brothers
dealing with Big Data

The reality

Anonymous user is created own profile by tracking

The Problem

How do track companies can identify me via my browser?

Once you will login to websites or your email or use social media with your real profile

But what about

Browser fingerprint

?

Part 2

What the heck is

browser fingerprint

The capability of a site to identify or re-identify a visiting user, user agent or device via configuration settings or other observable characteristics.

Browser fingerprinting

* Mitigating Browser Fingerprinting in Web Specifications. 1.1 What is fingerprinting?

With browser fingerprinting

* WebKit Wiki: Fingerprinting. What is the fingerprint

Sites attempting

  • to identify users on devices previously used for fraud
  • to establish a unique visitor count
  • to profile the behaviour of unregistered users
  • to link the visits of users when they are both registered and unregistered and identify the user when visiting the site without authenticating

Advertising networks attempting

* WebKit Wiki: Fingerprinting. What is the fingerprint

  • to establish a unique click-through count
  • to profile users to increase ad relevance

With browser fingerprinting

Fingerprinting types

* Mitigating Browser Fingerprinting in Web Specifications. Types of fingerprints

Based on characteristics observable in the contents of Web requests, without the use of any code executed on the client.

Passive fingerprint

actionhero/browser_fingerprint (github, < 100 stars)

Examples of implementations

Fingerprinting types

HTTP Request Headers

Passive fingerprint

  • Accept
  • Accept-Encoding
  • Accept-Language
  • Connection
  • Host
  • User-Agent
  • Version
  • etc

Source Address from IP Headers

+

Passive

\large hash( \sum_{i=1}^n f_i() )
hash(i=1nfi())\large hash( \sum_{i=1}^n f_i() )

fingerprint schema

Fingerprint Surface

* Hash of the sum of identified feature functions' results

JavaScript code or other code on the local client to observe additional characteristics about the browser.

Active fingerprint

Valve/fingerprint 2 (github ~3,5k stars)

Song-Li/cross_browser (github ~600 stars)

jackspirou/clients (github ~300 stars)

carlo/jquery-browser-fingerprint (github ~150 starts)

RobinLinus/ubercookie (github <100 stars)

Examples of implementations

Fingerprinting types

Possible browser characteristics

Active fingerprint

  • Cookies enabled
  • Timezone
  • Browser plugin list
  • Screen color depth
  • Screen resolution
  • Support for Do Not Track
  • Support for local storage
  • Support for session storage 
  • User agent name
  • etc

Active

\large hash( \sum_{i=1}^n f_i() )
hash(i=1nfi())\large hash( \sum_{i=1}^n f_i() )

fingerprint schema

Fingerprint Surface

* Hash of the sum of identified feature functions' results

Allows re-identification of a user or inferences about a user in the same way that HTTP cookies allow state management for the stateless HTTP protocol

Cookie-like fingerprint

samyk/evercookie (github ~3k stars)

Examples of implementations

Fingerprinting types

Cookie-like

fingerprint schema

\large \forall i \in N, Sset_i(hash)
iN,Sseti(hash)\large \forall i \in N, Sset_i(hash)
\large \forall i \in N, Sget_i(hash)
iN,Sgeti(hash)\large \forall i \in N, Sget_i(hash)

* N - number of discovered storages  

Fingerprint surface

The set of observable characteristics that can be used in concert to identify a user, user agent or device or correlate its activity.

Fingerprint surface

  • User configuration
  • Device characteristics
  • Environmental characteristics
  • Operating System Vendor and Version Differences
  • User Behaviour
  • Browser Vendor and Version Differences

Data sources

* The Design and Implementation of the Tor Browser. 4.6. Cross-Origin Fingerprinting Unlinkability.  Sources of Fingerprinting Issues

  • entropy
  • detectability
  • persistence
  • availability
  • scope

Each identified feature based on the following factors

Fingerprint surface

Fingerprint surface

navigator.userAgent

As an example of identify feature

Factor Value
entropy 10 bits *
detectability
persistence Until update
availability
scope Cross origin

* Peter Eckersley. How Unique Is Your Web Browser? Panopticlick 2010 

Entopy

How distinguishing is this new surface?

How bits are need

for identifying by surface

\log_2 7 500 000 000 \approx 33 \phantom {''} {bits}
log2750000000033bits\log_2 7 500 000 000 \approx 33 \phantom {''} {bits}

Panopticlick Experiment

* Peter Eckersley. How Unique Is Your Web Browser? Panopticlick 2010 

Variable Entropy (bits)
user agent
plugins
fonts
video
supercookies
http accept
timezone
cookies enabled		 10.0
15.4
13.9
4.83
2.12
6.09
3.04
0.353

Entropy of various pieces of browser information

Active fingerprint

Success of browser fingerprinting is

Frequency Distribution

Not only identified features factors

Part 3

Fingerprint techniques

Active fingerprint

techniques

 * Not trivial and interesting

Canvas Fingerprint

* Mowery and Shacham. Pixel Perfect: Fingerprinting Canvas in HTML5. May 2012

** The Web Never Forgets: Persistent Tracking Mechanisms in the Wild

const canvas = document.createElement('canvas')
const context = canvas.getContext('2d')

context.fillText(..)
context.fillRect(..)
context.fillStyle(..)

canvas.toDataURL()

It is consistent, high-entropy, transparent to user, readily obtainable

The same text can be rendered in different ways on different computers depending on the operating system, font library, graphics card, graphics driver and the browser.

WebGL Fingerprint

* WebGL fingperprint example from fingerprint2 

** Pixel Perfect: Fingerprinting Canvas in HTML5

The same idea and dependencies as in canvas fingerprint

aliased line width range; aliased point size range; alpha bits; antialiasing; blue bits; depth bits; green bits; max anisotropy; max combined texture image units; max cube map texture size; max fragment uniform vectors; max render buffer size; max texture image units; max texture size; max varying vectors; max vertex attribs; max vertex texture image units; max vertex uniform vectors; and etc.

Fingerprint can collect WebGL constants also

WebGL Fingerprint

Client-side Rendering Tasks for the Purpose of Fingerprinting

* Uniquemachine. Is my computer Unique?

** Yinzhi Cao, Song Li, and Erik Wijmans, (Cross-)Browser Fingerprinting via OS and Hardware Level Features, in the Proc. of Network & Distributed System Security Symposium (NDSS), 2017 (68/423=16.1%).

Approach can successfully identify 99.24%

Audio Fingerprint

Audio signals processed on different machines or browsers may have slight differences due to hardware or software differences between the machine

* AudioContext Fingerprint Test Page

** A 1-million-site Measurement and Analysis. 6.4 AudioContext Fingerprinting

Using the window.AudioContext API to fingerprint does not collect sound played or recorded by your machine.

Battery Fingerprint

* The leaking battery A privacy analysis of the HTML5 Battery Status API. 2015

** Battery Status API. W3C Candidate Recommendation 07 July 2016

Number of possible identifiers - 3,592,980

The fix was quickly implemented and deployed by Mozilla engineers in response to bug report

Group of researchers presented an analysis of Battery Status API as implemented by Firefox on GNU/Linux in 2015

 The high precision battery level readings provided by Firefox can lead to an unexpected fingerprinting surface: the detection of battery capacity.

Cookie-like

techniques

* Chrome. Subresource requests whose URLs contain embedded credentials are blocked

HTTP Cache Auth

https://name:value@host

Deprecated

Backend dependent

ETag HTTP header

Backend and HTTP Cookies dependent

Set value

Get value

  1. Save cookies value on client side
  2. Send request with name value in URL and cookies to backend
  3. Response ETag header with value

1. Send request to backend

2. Resonse from backend

     2.1 Return 304 HTTP Status if IF-NONE-MATCH is set in headers

     2.2 Return 200 HTTP status if HTTP cookies not set

* Implementation schema in evercookie of ETag Storage

PNG Image

Set value

Get value

  1. Save cookies value on client side
  2. Send request with name value in URL and cookies to backend
  3. Response encoded PNG

1. Send request with value  in URL to backend

2. Request PNG Image

   2.1 Return 304 HTTP Status if value is set in cookies

   2.2 Return 200 HTTP Status with encoded value in PNG if value is not set in HTTP Cookies

Backend and HTTP Cookies dependent

* Implementation schema in evercookie of PNG Storage

History leaks

based techniques

Cookie-like

CSS History

Jeremiah Grossman, August 2006

* Jeremiah Grossman. I know where you've been

Deprecated

link:visited + window.getComputedStyle

** Mozilla Hacks. Privacy-related changes coming to CSS :visited

Attempt for getting pixel color from converted html to Canvas is preveneted

* White Paper. Pixel Perfect Timing Attacks with HTML5

** Presentation. Context information security. Pixel Perfect Timing Attacks

Pixel Perfect Timing Attacks

Paul Stone, July 2013

Deprecated

window.requestAnimationFrame + calculate time between frames drawing

History Sniffing Timing Attack

Timing Attacks with SVG Filters

CSS + SVG Filters + Reading pixels

Browser storage

based techniques

Cookie-like

First version of specification. April 2009

OpenDatabase

* Web SQL Database specification

This specification is no longer

in active maintenance

Flash LSO

Local Shared Object

* Manage, disable Local Shared Objects | Flash Player

W3C Recommendation 28 October 2014

HTML5 Storages

* Web Storage (Second Edition), W3C Recommendation 19 April 2016

HTTPS

based techniques

Cookie-like

** Sam Greenhalgn. RadicalResearch, HSTS Super Cookies

HTTP Strict Transport Security

* RFC6797, November 2012

Backend dependent

The release of version 34.0 of Firefox seems to have changed. Unlike Google Chrome, Firefox has chosen to prefer privacy over security and no longer carries HSTS over to private windows.

Allows a website to indicate that it should always be accessed using a secure connection

http(s)://name-[0-4096].domain.com/?(SET/DEL)

HPKP

HTTP Public Key Pinning

* Weird New Tricks for Browser Fingerprinting

Server: One of these hashes must be in the TLS cert chain you receive from me.

Browser: DOPE!! NEXT TIME I SEE YOU I WILL CHECK IT BEFORE I WRECK IT

RFC 7469

Supercookie schema: fake backup pins

  • https://example.com sets a unique backup pin for each user + includeSubdomains + report-uri.
  • <img src=“https://bad.example.com”> serves a chain that deliberately fails pin validation.
  • A validation failure report is sent which includes a unique cached backup pin!

Part 4

How unique is your web browser?

Panopticlick

Is your browser safe against tracking?

Panopticlick Experiment

* Peter Eckersley. How Unique Is Your Web Browser?

User can be tracked by common browser characteristics

over a million different browser-instances

83.6% had completely unique fingerprints (entropy: 18.1 bits, or more)

94.2% of “typical desktop browsers” were unique (entropy: 18.8 bits, or more)

Panopticlick Experiment

* Peter Eckersley. How Unique Is Your Web Browser?

 The Paradox of Fingerprintable Privacy Enhancing Technologies

Panopticlick 2017

Browser Characteristic Entropy (bits) Each browser with this value
Hash of canvas fingerprint
Screen Size and Color Depth
Browser Plugin Details
Time Zone
DNT Header Enabled?
HTTP_ACCEPT Headers
Hash of WebGL fingerprint
Language
System Fonts
Platform
User Agent		 7.47
4.6
7.88
0.77
2.12
14.35
4.83
5.78
4.95
2.99
9.18		 177.31
24.19
236.12
108.76
1.7
20830.13
28.43
55.12
30.98
7.93
579.31

Panopticlick does not measure all forms of tracking and protection

~480k browser are tested

* Result of fingerprint test for my browser. The July of 2017

Am I Unique

* Am I Unique?

Yes! And you can be tracked!

Has shares some goals with panoticlick

but provides a number of novelties

We are now over 400,000 fingerprints

Princeton Web Transparency & Accountability Project

OpenWPM Platform

* Princeton Web Transparency & Accountability Project

Built on top of Firefox, with automation provided by Selenium. It includes several hooks for data collection, including a proxy, a Firefox extension, and access to Flash cookies

Research

Academic researchers, developers, public advocates, and others with expertise in online privacy all could advance our progress towards providing accurate web privacy information and best practices for the public.

Problem of time delay

between new fingerprint technique

and mitigation

Part 5

Fingerprinting mitigation

Naive paranoiac reaction

  • Block advertising
  • Block tracking scripts
  • Block websites, blacklist
  • Disable all scripts

Extensions. More extensions

NoScript

Ghostery

Privacy Badger

Chameleon

Do Not Track

CanvasFingerprintBlock

RubberGlove

Chromium

WebKit

Tor Browser

Mozilla

Developers already know

about browser fingerprinting

* The Design and Implementation of the Tor Browser. 4. Implementation

4.6. Cross-Origin Fingerprinting Unlinkability

Tor Browser

As an example of browser with design against fingerprint tecniques

Specific Fingerprinting Defenses in the Tor Browser:

Plugins; HTML5 Canvas Image Extraction; Fonts; Monitor, Widget, and OS Desktop Resolution; Display Media information; WebGL; MediaDevices API; MIME Types; User Agent and HTTP Headers; Locale Fingerprinting; Timezone and Clock Offset; HSTS and HPKP supercookies; and etc.

* Advanced Tor Browser Fingerprinting

** getClientRects Fingerprinting Test Page

Tor Browser

getClientRects fingerprinting

technique

Mitigating Browser Fingerprinting

in Web Specifications

W3C Draft

W3C Editor's Draft 11 May 2017

* First version of W3C draft was created on March of 2013

Mitigation Practices

  • Weighing increased fingerprinting surface
  • Standardization
  • Detectability
  • Clearing all local state
  • Do Not Track

From W3C Editor's Draft

  • HTTP Strict Transport Security (HSTS) Pinning
  • TLS Session Resumption Identifiers/Tickets

Browser private mode

Clear cookies and storages

Effective for cookies-like fingerprints except

* Mozilla Support. Firefox. Tracking Protection in Private Browsing

Do Not Track

 The Do Not Track header was originally proposed in 2009 by researchers Christopher Soghoian, Sid Stamm, and Dan Kaminsky

Based on web services trust and reputation

Fingerprinting mitigation

Fingerprinting mitigation

  • Decreased fingerprinting surface
  • Increased anonymity set
  • Detectable fingerprinting
  • Clearable local state

levels of success

Conclusions

Browser fingerprint problem

Arms and armor fighting

New web features bring new fingerprinting techniques

Privacy

The Web Never Forgets

Made with Slides.com