Browser Fingerprinting: Exploring Device Diversity to Augment Authentication and Build Client-Side Countermeasures
Pierre Laperdrix
Congrès SIF
INSA Rennes and IRISA
7 February 2019
Outline
I. What is browser fingerprinting?
II. Defending against fingerprinting: Blink and FPRandom
III. Conclusion
I. Internet and web browsers
[Figure: a browser displaying a web page made of a header, navigation, sidebar, main content (text, image) and footer.]
I. Internet in 1995
Browsers send device-specific information to servers to improve user experience on the web.
HTTP User agent:
NCSA_Mosaic/2.0 (Windows 3.1)
Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
I. Internet in 2019
A bigger and richer web
Audio
Video
3D rendering
Real-time communications
Web payments
Virtual reality
1995
Browser: Netscape
Language: Fr
2019
Browser: Chrome v71
OS: Linux
Screen: 1920x1080
Language: Fr
Timezone: GMT+1
Graphic card: GTX 1080Ti
What happens when we start collecting all the information available in a web browser?
I. Definition of browser fingerprinting
Definitions
A browser fingerprint is a set of information related to a user’s device
from the hardware to the operating system to the browser and its
configuration.
Browser fingerprinting refers to the process of collecting information
through a web browser to build a fingerprint of a device.
I. See your own fingerprint
Website launched in November 2014
Collected 980,000+ fingerprints so far
Browser extension available to see the evolution of your own browser fingerprint
https://amiunique.org (Am I Unique)
I. Example of a browser fingerprint
Attribute: Value
User agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
HTTP headers: text/html, application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8 gzip, deflate, br en-US,en;q=0.5
Plugins: Plugin 0: QuickTime Plug-in 7.6.6; libtotem-narrowspace-plugin.so; Plugin 1: Shockwave Flash; Shockwave Flash 26.0 r0; libflashplayer.so.
Fonts: Century Schoolbook, Source Sans Pro Light, DejaVu Sans Mono, Bitstream Vera Serif, URW Palladio L, Bitstream Vera Sans Mono, Bitstream Vera Sans, ...
Platform: Linux x86_64
Screen resolution: 1920x1080x24
Timezone: -480 (UTC+8)
OS: Linux 3.14.3-200.fc20.x86 32-bit
WebGL vendor: NVIDIA Corporation
WebGL renderer: GeForce GTX 650 Ti/PCIe/SSE2
Canvas: [rendered image]
I. Example of values collected on AmIUnique
Some user-agents
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4
Mozilla/5.0 (Android; Mobile; rv:27.0) Gecko/27.0 Firefox/27.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:34.0) Gecko/20100101 Firefox/34.0
I. Example of values collected on AmIUnique
Other custom user-agents
godzilla/5.0 (X122; BSD; rv:500.0) Gecko/20100101
pouet
“54. When a warlike prince attacks a powerful state, his generalship shows itself in preventing the concentration of the enemy's forces. He overawes his opponents, and their allies are prevented from joining against him.”
Deepnet Explorer 1.5.3; Smart 2x2; Avant Browser; .NET CLR 2.0.50727; InfoPath.1)
NSA
Game Boy Advance
eat it
I. Canvas fingerprinting: Test on AmIUnique
[Figure: the canvas test image rendered on AmIUnique, annotated 1, 2 and 3.]
I. Impact on privacy
What makes fingerprinting a threat to online privacy?
1. It is really easy to collect all this data. No need for extra permissions.
2. Two studies have investigated the diversity of browser fingerprints.
470,161 fingerprints: 94.2% were unique
118,934 fingerprints: 89.4% were unique
Tracking is possible
II. Blink: Defending against fingerprinting
Goal: to protect users against browser fingerprinting, i.e. to prevent
them from being tracked online
Challenge: finding the right balance between protection and usability
The proposed defense solution should:
not break browsing.
not be detectable (no inconsistencies or no side-effects).
work automatically without requiring user interaction.
User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Platform: Linux i686
WebGL renderer: GeForce GTX 650 Ti/PCIe/SSE2
II. Blink: Approach
Increase temporal diversity of fingerprints
Browsing without Blink
Browsing with Blink
Reconfigure platform at runtime
II. Blink: Prototype
[Figure: Blink prototype architecture. Labels: browsing platform; host machine; VM1, VM2, VM3 (OS, browser); diversity reservoir of OSes, browsers (B1-B4), plugins (P1-P4) and fonts (F1-F4); user profile.]
II. FPRandom
Protection against specific techniques of fingerprinting at the browser
level
Targeting “dynamic” attributes, i.e. those that are the result of a
computation, by introducing noise
plugins;oscpu;doNotTrack;getVRDisplays;mimeTypes;vibrate;vendorSub;vendor;productSub;cookieEnabled;mozGetUserMedia;getBattery;buildID;javaEnabled;getGamepads;permissions…
sendBeacon;vibrate;javaEnabled;getGamepads;mozGetUserMedia;requestMediaKeySystemAccess;registerProtocolHandler;registerContentHandler;taintEnabled;permissions…
Canvas fingerprinting, AudioContext fingerprinting, enumeration order
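A simplified model of the noise described on this slide, as an added example that is not FPRandom's code or part of the original slides: it shuffles enumeration order once per session and shifts pixel colour channels by at most one level. The object `navigatorLike`, the per-session seed and all function names are assumptions made for illustration.

```javascript
// Constructed stand-in for a browser object whose enumeration order is stable per build.
const navigatorLike = { plugins: 0, oscpu: 0, doNotTrack: 0, vendor: 0, buildID: 0, permissions: 0 };

// FNV-1a, used here only to turn a collected value into a short identifier.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (const ch of str) h = Math.imul(h ^ ch.charCodeAt(0), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// Seeded PRNG (mulberry32): one seed per browsing session (assumed design choice).
function sessionRandom(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// What a fingerprinting script collects: the order in which property names are enumerated.
const enumerationFingerprint = (obj) => fnv1a(Object.keys(obj).join(';'));

// Defense 1: expose the same properties in a shuffled order (Fisher-Yates).
function shuffledView(obj, rand) {
  const keys = Object.keys(obj);
  for (let i = keys.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [keys[i], keys[j]] = [keys[j], keys[i]];
  }
  return Object.fromEntries(keys.map((k) => [k, obj[k]]));
}

// Defense 2: shift each colour channel of RGBA pixel data by -1, 0 or +1; alpha is untouched.
function noisyPixels(rgba, rand) {
  return rgba.map((v, i) =>
    i % 4 === 3 ? v : Math.min(255, Math.max(0, v + Math.floor(rand() * 3) - 1)));
}

// Number of distinct enumeration fingerprints observed across n sessions.
function distinctAcrossSessions(n) {
  const seen = new Set();
  for (let s = 1; s <= n; s++) {
    seen.add(enumerationFingerprint(shuffledView(navigatorLike, sessionRandom(s))));
  }
  return seen.size;
}
```

Without the shuffle every session yields the same enumeration identifier; with it the identifier changes between sessions while the set of properties a page can use stays the same.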
II. Blink and FPRandom
Blink: OS level
FPRandom: Browser level
Introduction of noise: size, color, text
III. Conclusion: Overview on fingerprinting
Past, Present, Future
Increase online security?
Regulate fingerprinting
Control fingerprinting?
Will you allow github.com to collect your browser fingerprint? This may be used to verify your online identity.
Use fingerprints
Protect against it
Tracking at large scale
Understand fingerprinting
Add new attributes
Design defense mechanisms
Thank you!
Any questions?
Websites on fingerprinting
https://amiunique.org
https://fpcentral.tbb.torproject.org/
Contact
plaperdrix@cs.stonybrook.edu
@RockPartridge
Additional slides
AmIUnique: Study
Study performed on 118,934 fingerprints in 2016
90% of unique fingerprints: tracking is possible
Validates Panopticlick’s findings
Fingerprinting mobile devices is possible
Lists of plugins and fonts are strongest on desktops
User-agents and canvas are strongest on mobile devices
Online privacy could be improved with simple browser modifications
AmIUnique: Entropy for all collected attributes
[Figure: normalized Shannon entropy [0,1] of each collected attribute, for all, desktop and mobile fingerprints.]
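How the share of unique fingerprints and the normalized Shannon entropy quoted in these slides can be computed, as an added example that is not the AmIUnique code. It assumes normalization by log2(N), with N the number of fingerprints, and runs on constructed sample fingerprints; all names are illustrative.

```javascript
// Constructed sample fingerprints (not AmIUnique data).
const sample = [
  { userAgent: 'Firefox/55.0', timezone: -60, fonts: 'A,B,C' },
  { userAgent: 'Firefox/55.0', timezone: -60, fonts: 'A,B' },
  { userAgent: 'Chrome/71.0', timezone: -60, fonts: 'A,B,C,D' },
  { userAgent: 'Chrome/71.0', timezone: -60, fonts: 'A,B,C,D' },
];

// Count how often each value occurs.
function histogram(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  return counts;
}

// Shannon entropy in bits: H = -sum p_i * log2(p_i).
function shannonEntropy(values) {
  let h = 0;
  for (const c of histogram(values).values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Normalized entropy H / log2(N): 1 means every fingerprint has a different value
// for this attribute (assumed normalization, see lead-in).
function normalizedEntropy(fingerprints, attribute) {
  if (fingerprints.length < 2) return 0; // log2(1) = 0: nothing to distinguish
  const values = fingerprints.map((f) => String(f[attribute]));
  return shannonEntropy(values) / Math.log2(fingerprints.length);
}

// Share of fingerprints whose full attribute combination occurs exactly once.
function uniqueShare(fingerprints) {
  const keys = fingerprints.map((f) => JSON.stringify(Object.keys(f).sort().map((k) => [k, f[k]])));
  const counts = histogram(keys);
  return keys.filter((k) => counts.get(k) === 1).length / fingerprints.length;
}

// Per-attribute report, strongest discriminator first.
function entropyReport(fingerprints) {
  return Object.keys(fingerprints[0])
    .map((attribute) => ({ attribute, entropy: normalizedEntropy(fingerprints, attribute) }))
    .sort((x, y) => y.entropy - x.entropy);
}
```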
Fingerprint Central
Project developed as part of the Google Summer of Code 2016
Help Tor users to see if their fingerprint only has acceptable values
Help Tor developers react to new fingerprinting vectors rapidly
Will be integrated into the Quality Assurance process of the Tor Browser to verify the non-regression of the Tor fingerprinting protection
Tor browser
In theory, all fingerprints from the Tor Browser should be identical.
In reality, differences can still be found (screen resolution, platform…).
[Figure: fingerprints of the Tor Browser on Fedora 25 and of the Firefox browser on Fedora 25.]
Plugins: Current state in browsers
Plugins are considered to be a source of hangs, crashes, security
incidents, and code complexity.
HTML5 now replaces the features offered by plugins.
Support for the plugin architecture called NPAPI was removed from
Chrome in April 2015 and Firefox in March 2017.
Plugins: Data from AmIUnique (2015)
[Figure: entropy of plugins (0 to 1), with NPAPI support enabled, disabled and removed.]
The global entropy of plugins is rapidly dropping.
Their use in fingerprinting is becoming limited.
Battery API - History
Timeline from “Battery Status Not Included: Assessing Privacy in Web Standards” by Olejnik et al.