240 likes | 735 Vues
Browser Fingerprinting: Online Tracking Without Cookies. Device Fingerprinting The process of obtaining device characteristics for purposes such as device tracking or vulnerability discovery Any unique characteristic can be a fingerprint (e.g. CPU clock skew)
 
                
                E N D
Browser Fingerprinting: Online Tracking Without Cookies • Device Fingerprinting • The process of obtaining device characteristics for purposes such as device tracking or vulnerability discovery • Any unique characteristic can be a fingerprint (e.g. CPU clock skew) • This lecture focuses on browser fingerprinting • Browser Fingerprinting • A variety of browser and system characteristics can be harvested (e.g. screen resolution, installed fonts, installed plugins, OS version, browser version, info. on installed cameras and mics, etc.) • Employed by websites as a countermeasure to anonymization techniques such as disabling cookies • Not a silver bullet because fingerprints change over time (possibly short timescales) BE AWARE ! Browser fingerprinting is actively being conducted on the Internet today. Dr. Rob Cole, IST 815
Why? Why? • To overcome your efforts to remain anonymous • Various analytic uses limited only by the imagination. • Example: Fraud Detection • “a system that uniquely identifies network devices connecting to a network, and correlates logins with each network device used … used to observe login behavior, such as accounts connecting from ‘too many’ devices, or ‘too many’ accounts connecting from the same device… to cross-reference physical devices used by known fraudulent accounts, and cross-reference other accounts used by specific devices. Physical devices involved in suspicious or fraudulent activity, or devices associated with accounts involved in suspicious activity can be prevented from connecting to a network” • US Patent Application 7272728 B2, Iovation Inc. • http://www.google.com/patents/US7272728 Dr. Rob Cole, IST 815
Methodology • HTTP and Browser Object Inspection • HTTP headers contain accept encodings and the user agent string • Objects in mobile code engines are a rich source of info because they contain system information (see next slide) • Canvas Fingerprinting • Render text onto browser canvas and read the image data back looking for idiosyncrasies in how the image is rendered. • Cache and History Snooping • History: Browser scripts render and then inspect invisible HTML links for a “visited” style indicating that link is in your browsing history (difficult in modern browsers). • Cache: Browser scripts make timing measurements to determine whether a file is present in the system cache or whether a host/domain is present in the DNS cache. • Javascript Performance Testing • Research has shown that timing the performance of core Javascript operations can distinguish between major browser versions, operating systems and microarchitectures. Dr. Rob Cole, IST 815
Methodology HTTP Inspection • HTTP headers contain various items, the most useful of which for fingerprinting is the user agent string • Example user agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 This user agent tells us the specific version of the Chrome browser and the operating system (NT 6.1 = Windows 7 in this case) Note: The user agent string can be changed by the user as a means to defeat fingerprinting, however care must be taken that the resulting altered user agent string isn’t still highly unique or identifiable (the Privoxy privacy tool, for example, apparently includes the word “privoxy” in the user agent string it uses.) Dr. Rob Cole, IST 815
Methodology Browser Object Inspection via Javascript and Flash • Many Javascript and Flash objects contain system information that can be easily obtained by inspection. • Here’s how you can easily inspect Javascript objects yourself: • Open your browser to any page • Right-click anywhere in the page and select inspect element in the popup menu. This will open your browser’s developer tools window at the bottom. • Select the Console tab in the developer tools window. • The console prompt is at the very bottom of the browser window. Enter Javascript commands or object names here and details about the object will be displayed in the window just above (see examples on next slides). Dr. Rob Cole, IST 815
Methodology Browser Object Inspection via Javascript • Examples from my system: The screen object reveals my screen resolution, including the fact that my windows taskbar is not hidden and is positioned horizontally! (inferred via difference between height and availHeight – these would be identical if the taskbar is hidden) Dr. Rob Cole, IST 815
Methodology Browser Object Inspection via Javascript • Examples from my system: The navigator object contains the plugins array. navigator.plugins will show you how many plugins are present. To see the details of a particular plugin, enter: navigator.plugins[x] where x is an array index starting at 0. Dr. Rob Cole, IST 815
Methodology Browser Object Inspection via Flash • Like Javascript, Flash provides objects with system information. • The Fonts object contains a list of system fonts available by calling the Font.enumerateFonts method in Actionscript (the language of Flash). Your font list is highly valuable for fingerprinting due to its size and variability. (The font list for my system, for example, is 4,902 characters long!) Flash objects cannot be inspected as easily as JS objects since Flash must be compiled. To see your font list, go to the Panopticlick web page and test your system. https://panopticlick.eff.org NOTE: Disabling Flash will not guarantee your fonts cannot be enumerated since other methods (e.g. canvas-based) can be used! Dr. Rob Cole, IST 815
How Prevalent? Prevalence has been examined in recent studies: • Study [1] crawled thousands of the top-ranked Alexa websites and found 404 sites using Javascript-based fingerprinting and 95 sites using Flash-based fingerprinting. • Study [2] similarly examined canvas-based fingerprinting and found 5,542 sites containing canvas fingerprinting scripts, 95% of which were being served from a single domain (addthis.com) [1] G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gürses, F. Piessens, and B. Preneel, “FPDetective: Dusting the Web for Fingerprinters,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, New York, NY, USA, 2013, pp. 1129–1140. [2] G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, and C. Diaz, “The Web never forgets: Persistent tracking mechanisms in the wild.” [Online]. Available: https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf. Dr. Rob Cole, IST 815
Entropy: Fingerprint Effectiveness A standard metric used to evaluate the effectiveness of a fingerprint scheme is Shannon Entropy, H, units of bits: • In this context, N is the number of unique fingerprint values observed and pi is the probability associated with the i-th value. • For example, assume we have a perfect fingerprint scheme, meaning we have a fingerprint that gives a different value for each unique visitor to a website. Let’s say there are N=100 total users. The entropy of this fingerprint scheme would be: Fingerprint distribution Thus 6.6 bits represents the entropy of a perfect fingerprint for N=100 users. This is the maximum possible entropy. * perhaps a serial number from their computer if we could somehow obtain it Dr. Rob Cole, IST 815
Entropy: Fingerprint Effectiveness What about the entropy of an imperfect fingerprinting scheme? Consider a fingerprint consisting of browser type. The following distribution might be observed today: Fingerprint distribution Only 1.6 bits of entropy for this scheme due to the low information conveyed by the browser type alone. We could add entropy in this scheme by including browser version in the fingerprint. Dr. Rob Cole, IST 815
Entropy: Fingerprint Effectiveness The Panopticlick study [3] is an early examination of fingerprint effectiveness. In this study, the highest-entropy fingerprint elements were browser plugins (15.4 bits), fonts (13.9 bits) and user agent (10 bits). To examples of your fingerprint data, along with uniqueness measures of your data, go to https://panopticlick.eff.org/ Note: the “bits of identifying information” reported for your data by this site is not entropy. It is a related quantity called surprisal. Read study [3] for more information. [3] P. Eckersley, “How Unique is Your Web Browser?,” in Proceedings of the 10th International Conference on Privacy Enhancing Technologies, Berlin, Heidelberg, 2010, pp. 1–18. Dr. Rob Cole, IST 815