Browser Fingerprinting

@article{Laperdrix2020BrowserF,
  title={Browser Fingerprinting},
  author={Pierre Laperdrix and Nataliia Bielova and Beno{\^i}t Baudry and Gildas Avoine},
  journal={ACM Transactions on the Web (TWEB)},
  year={2020},
  volume={14},
  pages={1--33}
}

With this article, we survey the research performed in the domain of browser fingerprinting, while providing an accessible entry point to newcomers in the field. We explain how this technique works and where it stems from. We analyze the related work in detail to understand the composition of modern fingerprints and see how this technique is currently used online. We systematize existing defense solutions into different categories and detail the current challenges yet to overcome. 

FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms

This work proposes FPSelect, an attribute selection framework allowing verifiers to tune their browser fingerprinting probes for web authentication, and finds out that in the experimental settings, the framework selects attribute sets of lower usability cost.

Escaping the Confines of Time: Continuous Browser Extension Fingerprinting Through Ephemeral Modifications

This study more accurately captures the extent of the privacy threat presented by extension fingerprinting, which warrants more attention by privacy-oriented browser vendors that, up to this point, have focused on deploying countermeasures against other browser fingerprinting vectors.

FPFlow: Detect and Prevent Browser Fingerprinting with Dynamic Taint Analysis

This paper proposes FPFlow, a dynamic JavaScript taint analysis framework to detect and prevent browser fingerprinting, and shows that the framework could effectively detect browser fingerprints and prevent fingerprinting with an acceptable overhead.

Your speaker or my snooper?: measuring the effectiveness of web audio browser fingerprints

The first systematic study of the effectiveness of Web Audio API-based browser fingerprinting mechanisms shows that audio fingerprinting vectors, unlike other prior vectors, reveal an apparent fickleness with some users' browsers giving away differing fingerprints in repeated attempts, and shows that it is possible to devise a graph-based analysis mechanism to craft a highly stable fingerprinting mechanism.

Browser Fingerprint Coding Methods Increasing the Effectiveness of User Identification in the Web Traffic

New algorithms for coding and comparing fingerprints are presented, in which the values of parameters with low stability and low entropy are especially taken into account.

A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication

This article makes the link between the digital fingerprints that distinguish browsers and the biological fingerprints that distinguish humans, to evaluate browser fingerprints according to properties inspired by biometric authentication factors, and concludes that their browser fingerprints carry the promise to strengthen web authentication mechanisms.

Towards the Design of a Covert Channel by Using Web Tracking Technologies

The aim is to analyze and design a steganographic system in order to create a covert channel between two communicating peers through the HTTP protocol to provide a mechanism for protecting user privacy by creating hidden communication channels.

BrFAST: a Tool to Select Browser Fingerprinting Attributes for Web Authentication According to a Usability-Security Trade-off

BrFAST is an attribute selection platform that includes FPSelect, an algorithm that rigorously selects the attributes according to a trade-off between security and usability, and BrFAST helps visualize the exploration of the possibilities during the search of the best attribute set to use.

After You, Please: Browser Extensions Order Attacks and Countermeasures

This paper demonstrates how this order can be exploited by an unprivileged malicious extension to get access to any private information that other extensions have previously introduced and proposes a solution that does not require modifying the core browser engine, since it is implemented as another browser extension.

FP-Radar: Longitudinal Measurement and Early Detection of Browser Fingerprinting

FP-Radar, a machine learning approach that leverages longitudinal measurements of web API usage on top-100K websites over the last decade for early detection of new and evolving browser fingerprinting techniques, is proposed and is the first to detect the abuse of the Visibility API for ephemeral fingerprinting in the wild.

References

(Cross-)Browser Fingerprinting via OS and Hardware Level Features

This paper proposes a browser fingerprinting technique that can track users not only within a single browser but also across different browsers on the same machine, and can achieve higher uniqueness rate than the only cross-browser approach in the literature with similar stability.

Unnecessarily Identifiable: Quantifying the fingerprintability of browser extensions due to bloat

To protect users against unnecessary extension fingerprinting due to bloat, the design and implementation of an in-browser mechanism that provides coarse-grained access control for extensions on all websites are described.

Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale

The key insight is that the percentage of unique fingerprints in the dataset is much lower than what was reported in the past: only 33.6% of fingerprints are unique, as opposed to over 80% in previous studies.

XHOUND: Quantifying the Fingerprintability of Browser Extensions

It is shown that an extension's organic activity in a page's DOM can be used to infer its presence, and XHound, the first fully automated system for fingerprinting browser extensions, is developed.

Pixel Perfect: Fingerprinting Canvas in HTML5

A new system fingerprint is proposed, inspired by the observation that browser behavior varies depending on the behavior of resources, which is consistent, high-entropy, orthogonal to other fingerprints, transparent to the user, and readily obtainable.

Countering Browser Fingerprinting Techniques: Constructing a Fake Profile with Google Chrome

While Web browsers are fundamental components in the Internet nowadays, the widespread availability of several techniques that can be used to detect the individual browser connected to a server

Web Browser Fingerprinting Using Only Cascading Style Sheets

A method of fingerprinting that employs only CSS is proposed and the effectiveness of this method is discussed.

Disguised Chromium Browser: Robust Browser, Flash and Canvas Fingerprinting Protection

This work demonstrates the first anti-fingerprinting strategy, which protects against Flash fingerprinting without deactivating it, provides robust and undetectable anti-canvas fingerprinting, and uses a large set of real-world data to hide the actual system and browser properties without losing usability.

User Tracking on the Web via Cross-Browser Fingerprinting

It is shown that a part of the IP address, the availability of a specific font set, the time zone, and the screen resolution are enough to uniquely identify most users of the five most popular web browsers, and that user agent strings are fairly effective but fragile identifiers of a browser instance.

Morellian Analysis for Browsers: Making Web Authentication Stronger with Canvas Fingerprinting

This paper presents the first fingerprinting-based authentication scheme that is not vulnerable to trivial replay attacks, and performs an in-depth analysis of all parameters that can be used to generate canvas challenges, demonstrating that canvas fingerprinting is a suitable mechanism for stronger authentication on the web.
...