Embed Size (px)
Citation preview
BeautyandtheBeast:DivertingmodernwebbrowserstobuilduniquebrowserfingerprintsPierreLaperdrix,WalterRudametkin,BenoitBaudry
2/19
ExampleofafingerprintAttribute Value
Useragent Mozilla/5.0(X11;Linuxi686;rv:25.0)Gecko/20100101Firefox/25.0
HTTPheaders text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8gzip,deflateen-US,en;q=0.5
Plugins Plugin0:QuickTimePlug-in7.6.6;libtotem-narrowspace-plugin.so;Plugin1:ShockwaveFlash;ShockwaveFlash11.2r202;libflashplayer.so;
Fonts CenturySchoolbook,SourceSansProLight,DejaVu SansMono,BitstreamVeraSerif,URWPalladioL,Bitstream VeraSansMono,Bitstream VeraSans,...
Platform Linuxi686
Screenresolution 1920x1080x24
Timezone -480(UTC+8)
3/19
• Moreusersonmobiledevices
• Timespentonmobiledevicesisbiggerthanondesktops
Evolutionofthebrowserlandscape
4/19
Explosionofmobiledevices
Evolutionofthebrowserlandscape
5/19
Explosionofmobiledevices
NewbrowserAPIs
CanvasAPI WebGLAPI
• NPAPIpluginsarebeingdeprecated
• SitesusingFlasharedropping
Evolutionofthebrowserlandscape
6/19
Explosionofmobiledevices
Disappearanceofbrowserplugins
NewbrowserAPIs
OS Linux3.14.3-200.fc20.x8632-bit
WebGLvendor NVIDIACorporation
WebGLrenderer GeForceGTX650Ti/PCIe/SSE2
Canvas
Exampleofafingerprint
7/19
Attribute Value
Useragent Mozilla/5.0(X11;Linuxi686;rv:25.0)Gecko/20100101Firefox/25.0
HTTPheaders text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8gzip,deflateen-US,en;q=0.5
Plugins Plugin0:QuickTimePlug-in7.6.6;libtotem-narrowspace-plugin.so;Plugin1:ShockwaveFlash;ShockwaveFlash11.2r202;libflashplayer.so;
Fonts CenturySchoolbook,SourceSansProLight,DejaVu SansMono,BitstreamVeraSerif,URWPalladioL,Bitstream VeraSansMono,Bitstream VeraSans,...
Platform Linuxi686
Screenresolution 1920x1080x24
Timezone -480(UTC+8)
AmIUnique.org
8/19
Mostrevealingattributes
9/19
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
NormalizedShannonEntropy[0,1]
All Desktop Mobile
• 150,000+fingerprintscollectedsofar
• 90%ofuniquefingerprintsàTrackingpossible
Booleanattributes
10/19
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Cookiesenabled DoNotTrack Useoflocalstorage
NormalizedShannonEntropy[0,1]
All Desktop Mobile
• Collectionof“Yes”or“No”
• Verylowentropy
Pluginsandfonts
11/19
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Listofplugins Listoffonts
NormalizedShannonEntropy[0,1]
All Desktop Mobile
• Top3ofthehighestrevealingattributesfordesktops
• ConfirmPanopticlick’sfindingsin2010
• Incrediblewealthdiscovered
ü 2458pluginsdetected
ü 221804fontsdetected
ExamplefromtheFacebookapplication:
Mozilla/5.0(iPhone;CPUiPhoneOS9_2_1likeMacOSX)AppleWebKit/601.1.46(KHTML,likeGecko)Mobile/13D15[FBAN/FBIOS;FBAV/46.0.0.54.156;FBBV/18972819;FBDV/iPhone7,1;FBMD/iPhone;FBSN/iPhoneOS;FBSV/9.2.1;FBSS/3;FBCR/Verizon;FBID/phone;FBLC/en_US;FBOP/5]
àPresenceofthemodelandthefirmwareversion
àPhoneoperatoraddedbytheapp
Useragent
12/19
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Useragent
NormalizedShannonEntropy[0,1]
All Desktop Mobile
1outof4smartphonesareuniquely
recognizablewithjusttheuseragent.
Canvasfingerprinting
13/19
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Canvas
NormalizedShannonEntropy[0,1]
All Desktop Mobile
• CanvasAPItodrawshapesandrenderstrings
• Firstlarge-scaleanalysisonAmIUnique
• Dependsonbothhardwareandsoftware
Canvasfingerprinting:howitworks
14/19
Send JavaScript script
Receive canvas result
Canvasfingerprinting:ourtest
15/19
1
2
3
Canvasfingerprinting:ourresults
16/19
• 4th highestrevealingattribute
• Reallystabletest
• Diversityofrenderingsbetweendevices
• Diversityofemojis betweensmartphones
“Smilingfacewithopenmouth”emoji
U+1F603
FuturescenarioTheendofbrowserplugins
17/19
• Theglobalentropyofpluginsisrapidlydropping.
• Theiruseinfingerprintingisbecominglimited.
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
Entropy
EnabledDisabledRemoved
NPAPIsupport
FuturescenarioLifewithoutJavaScript
18/19
• Simulationofanunlikelyreturntoastaticweb
0
10
20
30
40
50
60
70
80
90
100
Percentageofuniquefingerprints
WithJS WithoutJS WithoutJS+GenericUA
Conclusion• Browserfingerprintingin2016isstillaseasyasit
wasin2010
• Canvasfingerprintingisstableandhashighentropy
• Mobilefingerprintingispossiblebutdifferentthandesktops
• Simplebrowsermodificationscoulddrasticallyimproveprivacywithoutimpactingthewaythewebcurrentlyworks
19/19
