Browser Fingerprinting: Exploring Device Diversity to Augment Authentication and Build Client-Side Countermeasures

Users are presented with an ever-increasing number of choices to connect to the Internet. From desktops, laptops, tablets and smartphones, anyone can find the perfect device that suits his or her needs while factoring in mobility, size or processing power. Browser fingerprinting became a reality thanks to the software and hardware diversity that composes every single one of our modern devices. By collecting device-specific information with a simple script running in the browser, a server can fully or partially identify a device on the web and follow it wherever it goes. This technique has strong privacy implications, as it does not require stateful identifiers like cookies, which the user can remove or manage. In this thesis, we provide the following contributions: an analysis of 118,934 genuine fingerprints to understand the current state of browser fingerprinting, two countermeasures called Blink and FPRandom, and a complete protocol based on canvas fingerprinting to augment authentication on the web. Browser fingerprinting is still in its early days. As the web is in constant evolution and as browser vendors keep pushing the limits of what we can do online, the contours of this technique are continually changing. With this dissertation, we shine a light on its inner workings and its challenges, along with a new perspective on how it can reinforce account security.
