Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints - PowerPoint PPT Presentation


SLIDE 1

Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints

Pierre Laperdrix, Walter Rudametkin, Benoit Baudry


SLIDE 3

Example of a fingerprint

Attribute          Value
User agent         Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0
HTTP headers       text/html, application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8
                   gzip, deflate
                   en-US,en;q=0.5
Plugins            Plugin 0: QuickTime Plug-in 7.6.6; libtotem-narrowspace-plugin.so;
                   Plugin 1: Shockwave Flash; Shockwave Flash 11.2 r202; libflashplayer.so;
Fonts              Century Schoolbook, Source Sans Pro Light, DejaVu Sans Mono, Bitstream Vera Serif, URW Palladio L, Bitstream Vera Sans Mono, Bitstream Vera Sans, ...
Platform           Linux i686
Screen resolution  1920x1080x24
Timezone           -480 (UTC+8)

SLIDE 4

Evolution of the browser landscape

Explosion of mobile devices
  • More users on mobile devices
  • Time spent on mobile devices is bigger than on desktops

SLIDE 5

Evolution of the browser landscape

Explosion of mobile devices
New browser APIs: Canvas API, WebGL API

SLIDE 6

Evolution of the browser landscape

Explosion of mobile devices
New browser APIs
Disappearance of browser plugins
  • NPAPI plugins are being deprecated
  • Sites using Flash are dropping

SLIDE 7

Example of a fingerprint

Attribute          Value
User agent         Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0
HTTP headers       text/html, application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8
                   gzip, deflate
                   en-US,en;q=0.5
Plugins            Plugin 0: QuickTime Plug-in 7.6.6; libtotem-narrowspace-plugin.so;
                   Plugin 1: Shockwave Flash; Shockwave Flash 11.2 r202; libflashplayer.so;
Fonts              Century Schoolbook, Source Sans Pro Light, DejaVu Sans Mono, Bitstream Vera Serif, URW Palladio L, Bitstream Vera Sans Mono, Bitstream Vera Sans, ...
Platform           Linux i686
Screen resolution  1920x1080x24
Timezone           -480 (UTC+8)
OS                 Linux 3.14.3-200.fc20.x86 32-bit
WebGL vendor       NVIDIA Corporation
WebGL renderer     GeForce GTX 650 Ti/PCIe/SSE2
Canvas             [rendered image]
SLIDE 8

AmIUnique.org

SLIDE 9

Most revealing attributes

[Chart: Normalized Shannon Entropy [0,1] per attribute; series: All, Desktop, Mobile]

  • 150,000+ fingerprints collected so far
  • 90% of unique fingerprints → Tracking possible

SLIDE 10

Boolean attributes

[Chart: Normalized Shannon Entropy [0,1] for Cookies enabled, Do Not Track, Use of local storage; series: All, Desktop, Mobile]

  • Collection of “Yes” or “No”
  • Very low entropy
SLIDE 11

Plugins and fonts

[Chart: Normalized Shannon Entropy [0,1] for List of plugins, List of fonts; series: All, Desktop, Mobile]

  • Top 3 of the highest revealing attributes for desktops
  • Confirm Panopticlick’s findings in 2010
  • Incredible wealth discovered
    ✓ 2 458 plugins detected
    ✓ 221 804 fonts detected

SLIDE 12

User agent

[Chart: Normalized Shannon Entropy [0,1] for User agent; series: All, Desktop, Mobile]

Example from the Facebook application:
Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 [FBAN/FBIOS;FBAV/46.0.0.54.156;FBBV/18972819;FBDV/iPhone7,1;FBMD/iPhone;FBSN/iPhone OS;FBSV/9.2.1;FBSS/3;FBCR/Verizon;FBID/phone;FBLC/en_US;FBOP/5]
  → Presence of the model and the firmware version
  → Phone operator added by the app

1 out of 4 smartphones is uniquely recognizable with just the user agent.

SLIDE 13

Canvas fingerprinting

[Chart: Normalized Shannon Entropy [0,1] for Canvas; series: All, Desktop, Mobile]

  • Canvas API to draw shapes and render strings
  • First large-scale analysis on AmIUnique
  • Depends on both hardware and software

SLIDE 14

Canvas fingerprinting: how it works

[Diagram: Send JavaScript script → Receive canvas result]

SLIDE 15

Canvas fingerprinting: our test

[Figure: the canvas test image, annotated with steps 1, 2, 3]

SLIDE 16

Canvas fingerprinting: our results

  • 4th highest revealing attribute
  • Really stable test
  • Diversity of renderings between devices
  • Diversity of emojis between smartphones
    “Smiling face with open mouth” emoji (U+1F603)

SLIDE 17

Future scenario: The end of browser plugins

  • The global entropy of plugins is rapidly dropping.
  • Their use in fingerprinting is becoming limited.

[Chart: Entropy vs. NPAPI support: Enabled, Disabled, Removed]

SLIDE 18

Future scenario: Life without JavaScript

  • Simulation of an unlikely return to a static web

[Chart: Percentage of unique fingerprints: With JS, Without JS, Without JS + Generic UA]
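Added example (JavaScript), not code from the AmIUnique project or the authors: it computes the normalized Shannon entropy plotted on slides 9 to 11 and 17, and the percentage of unique fingerprints for the three scenarios of slide 18, over a small constructed dataset. The attribute names, the split into header-only and JavaScript-only attributes, and every value in the dataset are assumptions.

```javascript
// Added example, not code from AmIUnique or the authors: normalized Shannon
// entropy per attribute and share of unique fingerprints per scenario.
// Constructed dataset (not collected data); attribute names are assumptions.
const FINGERPRINTS = [
  { ua: 'UA-A', lang: 'en-US', cookies: 'yes', plugins: 'QuickTime;Flash', canvas: 'c1' },
  { ua: 'UA-A', lang: 'en-US', cookies: 'yes', plugins: 'Flash', canvas: 'c2' },
  { ua: 'UA-A', lang: 'fr-FR', cookies: 'yes', plugins: 'QuickTime;Flash', canvas: 'c1' },
  { ua: 'UA-B', lang: 'en-US', cookies: 'yes', plugins: 'Java', canvas: 'c3' },
  { ua: 'UA-B', lang: 'en-US', cookies: 'no', plugins: 'Java', canvas: 'c3' },
  { ua: 'UA-C', lang: 'en-US', cookies: 'yes', plugins: '', canvas: 'c4' },
  { ua: 'UA-C', lang: 'en-US', cookies: 'yes', plugins: '', canvas: 'c4' },
  { ua: 'UA-D', lang: 'en-US', cookies: 'yes', plugins: 'Silverlight', canvas: 'c5' },
];
const HTTP_ATTRS = ['ua', 'lang']; // visible in HTTP headers alone
const JS_ATTRS = ['cookies', 'plugins', 'canvas']; // need JavaScript to collect
const ALL_ATTRS = HTTP_ATTRS.concat(JS_ATTRS);
function countValues(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  return counts;
}

// H = -sum p_i*log2(p_i), divided by log2(N): 1 means every fingerprint differs.
function normalizedEntropy(values) {
  const n = values.length;
  let h = 0;
  for (const c of countValues(values).values()) h -= (c / n) * Math.log2(c / n);
  return n < 2 ? 0 : h / Math.log2(n);
}
function attributeEntropies(fps, attrs) {
  const out = {};
  for (const a of attrs) out[a] = normalizedEntropy(fps.map((fp) => fp[a]));
  return out;
}
// Percentage of fingerprints whose combination of `attrs` occurs exactly once.
function uniquePercentage(fps, attrs) {
  const key = (fp) => attrs.map((a) => fp[a]).join('|');
  const counts = countValues(fps.map(key));
  return (100 * fps.filter((fp) => counts.get(key(fp)) === 1).length) / fps.length;
}

// With JS / without JS / without JS + generic UA, as on slide 18.
function scenarioUniqueness(fps) {
  const genericUa = fps.map((fp) => ({ ...fp, ua: 'generic' }));
  return {
    withJs: uniquePercentage(fps, ALL_ATTRS),
    withoutJs: uniquePercentage(fps, HTTP_ATTRS),
    withoutJsGenericUa: uniquePercentage(genericUa, HTTP_ATTRS),
  };
}
```

On this dataset the boolean cookie attribute scores lowest, the canvas and plugin lists highest, and uniqueness falls from 75% to 25% without JavaScript and to 12.5% once the user agent is also made generic, the same shape as the slide's chart.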

SLIDE 19

Conclusion

  • Browser fingerprinting in 2016 is still as easy as it was in 2010
  • Canvas fingerprinting is stable and has high entropy
  • Mobile fingerprinting is possible but different than desktops
  • Simple browser modifications could drastically improve privacy without impacting the way the web currently works