Fingerprinting for Web Applications: From Devices to Related Groups

Identifying users and user devices is as important in web applications as in many other contexts. In web applications, user identification usually involves an authentication process, e.g., providing a username and a password. Identification is also possible without explicit authentication, using cookies or device fingerprints. Device fingerprinting is also useful for other purposes, e.g., as a second factor of authentication. Recently, interest has emerged in the problem of cross-device fingerprinting, i.e., identifying the same user on different devices using fingerprinting. We target a variation of this problem that we call related group fingerprinting. We define a related group as a set of persons (e.g., a family) that share the same home network. We devised a related group fingerprinting scheme and evaluated it experimentally with data from hundreds of users. This evaluation suggests that group fingerprinting is feasible.
