(Cross-)Browser Fingerprinting via OS and Hardware Level Features | Cao, Song, Wijmans

Yinzhi Cao, Song Li, Erik Wijmans; (Cross-)Browser Fingerprinting via OS and Hardware Level Features; In Proceedings of the Network & Distributed System Security Symposium (NSDI); 2017-02-26; 15 pages.

Abstract

In this paper, we propose a browser fingerprinting technique that can track users not only within a single browser but also across different browsers on the same machine. Specifically, our approach utilizes many novel OS and hardware level features, such as those from graphics cards, CPU, and installed writing scripts. We extract these features by asking browsers to perform tasks that rely on corresponding OS and hardware functionalities.

Our evaluation shows that our approach can successfully identify 99.24% of users as opposed to 90.84% for state of the art on single-browser fingerprinting against the same dataset. Further, our approach can achieve higher uniqueness rate than the only cross-browser approach in the literature with similar stability.

Mentions

Browsers

  • Chrome
  • Edge
  • Firefox
  • Internet Explorer
  • Opera
  • Safari
  • Other
    • Maxthon
    • Tor
    • UC

Population

  • Amazon Mechanical Turk
  • MacroWorkers

Others

  • AmIUnique
  • Panopticlick
  • Boda

Actualities

Who

Yinzhi Cao, Assistant Professor, Computer Science and Engineering Department, Lehigh University.

Promotions

New Fingerprinting Techniques Identify Users Across Different Browsers on the Same PC; ; In BleepingComputer; 2017-01-12.

References

  • Core estimator.
  • [email threads] proposal: navigator.cores; InArchives of WhatWG of the W3C, circa 2014-05.
  • Am I Unique?, at GitHub.
  • anti-aliasing, at Graphics Wikia.
  • Panopticlick: Is your browser safe against tracking?
  • Watched; Wall Street Journal (WSJ).
  • cube mapping; In Jimi Wales’ Wiki.
  • list of writing systems; In Jimi Wales’ Wiki.
  • G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, C. Diaz; “The web never forgets: Persistent tracking mechanisms in the wild,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS ’14), 2014, pp. 674–689.
  • G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gürses, F. Piessens, B. Preneel; “FPDetective: Dusting the web for fingerprinters,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS ’13), 2013, pp. 1129–1140.
  • M. Ayenson, D. Wambach, A. Soltani, N. Good, C. Hoofnagle; “Flash cookies and privacy II: Now with HTML5 and ETag respawning,” Available at SSRN 1898390, 2011.
  • S. Berger. You should install two browsers.
  • T. Bigelajzen. Cross browser zoom and pixel ratio detector.
  • K. Boda, A. M. F ̈oldes, G. G. Gulyás, S. Imre, “User tracking on the web via cross-browser fingerprinting,” in Proceedings of the 16th Nordic Conference on Information Security Technology for Applications, (NordSec’11), 2012, pp. 31–46.
  • F. Boesch. Soft shadow mapping.
  • Federal Trade Commission (FTC). Cross-device tracking. A celebration. 2015-11.
  • P. Eckersley, “How unique is your web browser?” in Proceedings of the 10th International Conference on Privacy Enhancing Technologies (PETS’10), 2010.
  • S. Englehardt A. Narayanan, “Online tracking: A 1-million-site measurement and analysis,” in Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, (CCS ’16), 2016.
  • A. Etienne J. Etienne. Classical suzanne monkey from blender to get your game started with threex.suzanne
  • D. Fifield S. Egelman, “Fingerprinting web users through font metrics,” in Financial Cryptography and Data Security. Springer, 2015, pp. 107–124.
  • S. Kamkar. Evercookie.
  • B. Krishnamurthy, K. Naryshkin, C. Wills, “Privacy leakage vs. protection measures: the growing disconnect,” in Web 2.0 Security and Privacy Workshop, 2011.
  • B. Krishnamurthy C. Wills, “Privacy diffusion on the web: a longitudinal perspective,” in Proceedings of the 18th International Conference on World Wide Web (WWW). ACM, 2009, pp. 541–550.
  • B. Krishnamurthy C. E. Wills. “Generating a privacy footprint on the internet,” in Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement (IM). ACM, 2006, pp. 65–70.
  • B. Krishnamurthy C. E. Wills. “Characterizing privacy in online social networks,” in Proceedings of the First Workshop on Online Social Networks. ACM, 2008, pp. 37–42.
  • P. Laperdrix, W. Rudametkin, B. Baudry, “Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints”, in Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P 2016), 2016.
  • A. Lerner, A. K. Simpson, T. Kohno, F. Roesner, “Internet jones and the raiders of the lost trackers: An archaeological study of web tracking from 1996 to 2016,” in Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, 2016.
  • J. R. Mayer J. C. Mitchell, “Third-party web tracking: Policy and technology,” in Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP), 2012, pp. 413–427.
  • W. Meng, B. Lee, X. Xing, W. Lee, “Trackmeornot: Enabling flexible control on web tracking,” in Proceedings of the 25th International Conference on World Wide Web (WWW ’16), 2016, pp. 99–109.
  • H. Metwalley, S. Traverso, “Unsupervised detection of web track- ers,” in Globecom, 2015.
  • K. Mowery, D. Bogenreif, S. Yilek, H. Shacham, “Fingerprinting information in javascript implementations,” 2011.
  • K. Mowery, H. Shacham, “Pixel perfect: Fingerprinting canvas in HTML5,” In Some Venue, 2012.
  • M. Mulazzani, P. Reschl, M. Huber, M. Leithner, S. Schrittwieser, E. Weippl, F. Wien, “Fast and reliable browser identification with javascript engine fingerprinting,” in Proceedings of W2SP, 2013.
  • G. Nakibly, G. Shelef, S. Yudilevich, “Hardware fingerprinting using HTML5,” arXiv preprint arXiv:1503.01408, 2015.
  • N. Nikiforakis, W. Joosen, B. Livshits, “Privaricator: Deceiving fingerprinters with little white lies,” in Proceedings of the 24th International Conference on World Wide Web, (WWW ’15), 2015, pp. 820–830.
  • N. Nikiforakis, A. Kapravelos, W. Joosen, C. Kruegel, F. Piessens, G. Vigna, “Cookieless monster: Exploring the ecosystem of web-based device fingerprinting,” in In Proceedings of the IEEE Symposium on Security and Privacy (SP), 2013.
  • X. Pan, Y. Cao, Y. Chen, “I do not know what you visited last summer – protecting users from third-party web tracking with trackingfree browser,” in Proceedings of the Network & Distributed Systems Symposium (NDSS), 2015.
  • M. Perry, E. Clark, S. Murdoch, “The design and implementation of the Tor Browser [draft][online], United States,” 2015.
  • F. Roesner, T. Kohno, D. Wetherall, “Detecting and defending against third-party tracking on the web,” in Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation (NSDI’12), 2012, pp. 12–12.
  • I. Sánchez-Rola, X. Ugarte-Pedrero, I. Santos, P. G. Bringas “Tracking users like there is no tomorrow: Privacy on the current internet,” in International Joint Conference,/em>. Springer, 2015, pp. 473– 483.
  • A. Soltani, S. Canty, Q. Mayo, L. Thomas, C. J. Hoofnagle. “Flash cookies and privacy,” in Proceedings of the AAAI Spring Symposium: Intelligent Information Privacy Management,/em>, 2010.
  • US-CERT. Securing your web browser.
  • Do Not Track Policy. In Jimi Wales’ Wiki.
  • Privacy Mode
  • M. Xu, Y. Jang, X. Xing, T. Kim, W. Lee, “Ucognito: Private browsing without tears,” in Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security (CCS ’15), 2015, pp. 438–449.
  • T.-F. Yen, Y. Xie, F. Yu, R. P. Yu, M. Abadi, “Host fingerprinting and tracking on the web: Privacy and security implications,” in Proceedings of the Network & Distributed Systems Symposium (NDSS), 2012.

Comments are closed.