Browser Fingerprinting: A survey

With this paper, we survey the research performed in the domain of browser fingerprinting, while providing an accessible entry point to newcomers in the field. We explain how this technique works and where it stems from. We analyze the related work in detail to understand the composition of modern fingerprints and see how this technique is currently used online. We systematize existing defense solutions into different categories and detail the current challenges yet to overcome.

[1]  Pierre Laperdrix,et al.  Unnecessarily Identifiable: Quantifying the fingerprintability of browser extensions due to bloat , 2019, WWW.

[2]  Romain Rouvoy,et al.  FP-STALKER: Tracking Browser Fingerprint Evolutions , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[3]  Chris J. Mitchell,et al.  Beyond Cookie Monster Amnesia: Real World Persistent Online Tracking , 2018, ISC.

[4]  Gildas Avoine,et al.  Morellian Analysis for Browsers: Making Web Authentication Stronger with Canvas Fingerprinting , 2019, DIMVA.

[5]  Takamichi Saito,et al.  Web Browser Tampering: Inspecting CPU Features from Side-Channel Information , 2017, BWCCA.

[6]  Stefan Katzenbeisser,et al.  Disguised Chromium Browser: Robust Browser, Flash and Canvas Fingerprinting Protection , 2016, WPES@CCS.

[7]  Elie Bursztein,et al.  Picasso: Lightweight Device Class Fingerprinting for Web Clients , 2016, SPSM@CCS.

[8]  Ningfei Wang,et al.  Rendered Private: Making GLSL Execution Uniform to Prevent WebGL-based Browser Fingerprinting , 2019, USENIX Security Symposium.

[9]  Sándor Imre,et al.  User Tracking on the Web via Cross-Browser Fingerprinting , 2011, NordSec.

[10]  Chris Jay Hoofnagle,et al.  Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning , 2011 .

[11]  Claude Castelluccia,et al.  To Extend or not to Extend: On the Uniqueness of Browser Extensions and Web Logins , 2018, WPES@CCS.

[12]  Andrei Sabelfeld,et al.  Latex Gloves: Protecting Browser Extensions from Probing and Revelation Attacks , 2019, NDSS.

[13]  Gabi Nakibly,et al.  Hardware Fingerprinting Using HTML5 , 2015, ArXiv.

[14]  Benoit Baudry,et al.  FPRandom: Randomizing Core Browser Objects to Break Advanced Device Fingerprinting Techniques , 2017, ESSoS.

[15]  Takamichi Saito,et al.  Web Browser Fingerprinting Using Only Cascading Style Sheets , 2015, 2015 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA).

[16]  Ming Yang,et al.  Efficient Fingerprinting-Based Android Device Identification With Zero-Permission Identifiers , 2016, IEEE Access.

[17]  Frank Piessens,et al.  FPDetective: dusting the web for fingerprinters , 2013, CCS.

[18]  Marcin Zalasinski,et al.  Estimating CPU Features by Browser Fingerprinting , 2016, 2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS).

[19]  Mohammad Zulkernine,et al.  FPGuard: Detection and Prevention of Browser Fingerprinting , 2015, DBSec.

[20]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[21]  Wouter Joosen,et al.  Mobile device fingerprinting considered harmful for risk-based authentication , 2015, EUROSEC.

[22]  Walter Rudametkin,et al.  Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[23]  Edgar R. Weippl,et al.  SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting , 2013, 2013 International Conference on Availability, Reliability and Security.

[24]  Paul C. van Oorschot,et al.  Device fingerprinting for augmenting web authentication: classification and analysis of methods , 2016, ACSAC.

[25]  Steven J. Murdoch,et al.  Do You See What I See? Differential Treatment of Anonymous Users , 2016, NDSS.

[26]  Claude Castelluccia,et al.  The Leaking Battery - A Privacy Analysis of the HTML5 Battery Status API , 2015, DPM/QASA@ESORICS.

[27]  Arvind Narayanan,et al.  The Web Never Forgets: Persistent Tracking Mechanisms in the Wild , 2014, CCS.

[28]  Arvind Narayanan,et al.  Battery Status Not Included: Assessing Privacy in Web Standards , 2017, IWPE@SP.

[29]  Felix C. Freiling,et al.  Fingerprinting Mobile Devices Using Personalized Configurations , 2016, Proc. Priv. Enhancing Technol..

[30]  Daniel Gruss,et al.  JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits , 2019, NDSS.

[31]  Benoit Baudry,et al.  Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale , 2018, WWW.

[32]  Serge Egelman,et al.  Fingerprinting Web Users Through Font Metrics , 2015, Financial Cryptography.

[33]  Edgar R. Weippl,et al.  Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[34]  Wouter Joosen,et al.  PriVaricator: Deceiving Fingerprinters with Little White Lies , 2015, WWW.

[35]  Michael Carl Tschantz,et al.  Evaluating Anti-Fingerprinting Privacy Enhancing Technologies , 2019, WWW.

[36]  Adam Doupé,et al.  Everyone is Different: Client-side Diversification for Defending Against Extension Fingerprinting , 2019, USENIX Security Symposium.

[37]  Andrei Sabelfeld,et al.  Discovering Browser Extensions via Web Accessible Resources , 2017, CODASPY.

[38]  Wouter Joosen,et al.  Leveraging Battery Usage from Mobile Devices for Active Authentication , 2017, Mob. Inf. Syst..

[39]  Davide Balzarotti,et al.  Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies , 2017, USENIX Security Symposium.

[40]  François Koeune,et al.  SWAT: Seamless Web Authentication Technology , 2019, WWW.

[41]  Song Li,et al.  (Cross-)Browser Fingerprinting via OS and Hardware Level Features , 2017, NDSS.

[42]  Josep M. Pujol,et al.  Tracking the Trackers , 2016, WWW.

[43]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.

[44]  Romain Rouvoy,et al.  Fp-Scanner: The Privacy Implications of Browser Fingerprint Inconsistencies , 2018, USENIX Security Symposium.

[45]  Claude Castelluccia,et al.  On the Unicity of Smartphone Applications , 2015, WPES@CCS.

[46]  Alfredo De Santis,et al.  Countering Browser Fingerprinting Techniques: Constructing a Fake Profile with Google Chrome , 2014, 2014 17th International Conference on Network-Based Information Systems.

[47]  Davide Balzarotti,et al.  Clock Around the Clock: Time-Based Device Fingerprinting , 2018, CCS.

[48]  Nick Nikiforakis,et al.  XHOUND: Quantifying the Fingerprintability of Browser Extensions , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[49]  Wouter Joosen,et al.  Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting , 2013, 2013 IEEE Symposium on Security and Privacy.

[50]  Sjouke Mauw,et al.  FP-Block: Usable Web Privacy by Controlling Browser Fingerprinting , 2015, ESORICS.