Morellian Analysis for Browsers: Making Web Authentication Stronger with Canvas Fingerprinting

@inproceedings{Laperdrix2019MorellianAF,
  title={Morellian Analysis for Browsers: Making Web Authentication Stronger with Canvas Fingerprinting},
  author={Pierre Laperdrix and Gildas Avoine and Beno{\^i}t Baudry and Nick Nikiforakis},
  booktitle={DIMVA},
  year={2019}
}
In this paper, we present the first fingerprinting-based authentication scheme that is not vulnerable to trivial replay attacks. Our proposed canvas-based fingerprinting technique utilizes one key characteristic: it is parameterized by a challenge, generated on the server side. We perform an in-depth analysis of all parameters that can be used to generate canvas challenges, and we show that it is possible to generate unique, unpredictable, and highly diverse canvas-generated images each time a… 

FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms

This work proposes FPSelect, an attribute selection framework allowing verifiers to tune their browser fingerprinting probes for web authentication, and finds out that in the experimental settings, the framework selects attribute sets of lower usability cost.

An iterative technique to identify browser fingerprinting scripts

This paper proposes a new browser fingerprinting detection technique that relies on both automatic and manual decisions to be both reliable and fast and publicly share the algorithm and implementation to improve the general knowledge on the subject.

Phish in Sheep’s Clothing: Exploring the Authentication Pitfalls of Browser Fingerprinting

This paper presents the first comprehensive and in-depth exploration of the security implications of real-world systems relying on browser fingerprints for authentication, and develops a tool for auto-constructing browser-based fingerprinting vectors that replicate the process of target websites, enabling the extraction of fingerprinting from users’ devices that exactly match those generated by target websites.

DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting

A new technique that can signif- icantly extend the tracking time of fingerprint-based tracking methods and is called D RAWN A PART, which is a new GPU fingerprinting technique that identifies a device from the crowd.

Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors

FP-Inspector, a machine learning based syntactic-semantic approach to accurately detect browser fingerprinting performs well, allowing it to detect 26% more fingerprinting scripts than the state-of-the-art, and an API-level fingerprinting countermeasure is shown to help reduce website breakage.

My Site Knows Where You Are: A Novel Browser Fingerprint to Track User Position

This research finds a novel method based on localization fingerprints that may still threaten user privacy and implements a multilateration cross-site image resource request scheme to collect link-state information of users and develops a prototype called PingLoc, which is robust against various anti-fingerprint mechanisms.

Browser Fingerprinting: A survey

The research performed in the domain of browser fingerprinting is surveyed, while providing an accessible entry point to newcomers in the field to understand the composition of modern fingerprints.

A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication

This article makes the link between the digital fingerprints that distinguish browsers, and the biological fingerprint that distinguish Humans, to evaluate browser fingerprints according to properties inspired by biometric authentication factors, and concludes that their browser fingerprints carry the promise to strengthen web authentication mechanisms.

Browser Fingerprinting

The research performed in the domain of browser fingerprinting is surveyed, while providing an accessible entry point to newcomers in the field to understand the composition of modern fingerprints.

PhishPrint: Evading Phishing Detection Crawlers by Prior Profiling

This work built a novel, scalable, low-cost framework named PhishPrint to enable the evaluation of such web security crawlers against multiple cloaking attacks and found several previously unknown cloaking weaknesses across the crawler ecosystem.

References

SHOWING 1-10 OF 33 REFERENCES

FPDetective: dusting the web for fingerprinters

The design, implementation and deployment of FPDetective, a framework for the detection and analysis of web-based fingerprinters, are reported on, showing that there needs to be a change in the way users, companies and legislators engage with fingerprinting.

(Cross-)Browser Fingerprinting via OS and Hardware Level Features

This paper proposes a browser fingerprinting technique that can track users not only within a single browser but also across different browsers on the same machine, and can achieve higher uniqueness rate than the only cross-browser approach in the literature with similar stability.

PriVaricator: Deceiving Fingerprinters with Little White Lies

In PriVaricator the power of randomization is used to "break" linkability by exploring a space of parameterized randomization policies, and renders all the fingerprinters tested ineffective, while causing minimal damage on a set of 1000 Alexa sites on which they were tested.

Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting

By analyzing the code of three popular browser-fingerprinting code providers, it is revealed the techniques that allow websites to track users without the need of client-side identifiers and how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques.

Unnecessarily Identifiable: Quantifying the fingerprintability of browser extensions due to bloat

To protect users against unnecessary extension fingerprinting due to bloat, the design and implementation of an in-browser mechanism that provides coarse-grained access control for extensions on all websites are described.

Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale

The key insight is that the percentage of unique fingerprints in the dataset is much lower than what was reported in the past: only 33.6% of fingerprints are unique by opposition to over 80% in previous studies.

FPRandom: Randomizing Core Browser Objects to Break Advanced Device Fingerprinting Techniques

FPRandom is presented, a modified version of Firefox that adds randomness to mitigate the most recent fingerprinting algorithms, namely canvas fingerprinting, AudioContext fingerprinting and the unmasking of browsers through the order of JavaScript properties.

Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting

A new method for identifying web browsers based on the underlying Javascript engine, which can be executed on the client side within a fraction of a second, is proposed, three orders of magnitude faster than previous work on Javascript engine fingerprinting, and can be implemented with well below a few hundred lines of code.

Device fingerprinting for augmenting web authentication: classification and analysis of methods

This work summarizes and classify 29 available methods and their properties; defines attack models relevant to augmenting passwords for user authentication; and qualitatively compare them based on stability, repeatability, resource use, client passiveness, difficulty of spoofing, and distinguishability offered.

Mobile device fingerprinting considered harmful for risk-based authentication

Research shows that particularly for mobile devices the fingerprints carry a lot of similarity, even across models and brands, making them less reliable for risk assessment and step-up authentication.