Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

browser fingerprinting: research, defences, future avenues of development

Freewheeling spot to chew the fat on anything cryptostorm-related that doesn't fit elsewhere (i.e. support, howto, &c.). Criticism & praise & brainstorming & requests for explanation... this is where it goes when it's hot & ready for action! :-)
User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

browser fingerprinting: research, defences, future avenues of development

Postby Pattern_Juggled » Sun Jun 02, 2013 2:22 pm

UPDATE (31 January 2014): this thread is pretty long and thus it takes a bit to really digest all the information it's accrued over the years... but it's also a great resource for a deeper understanding of what "browser leaks" are really about. Not the hot air, but the often much more troubling foundations. More importantly, it's got all the information needed to plug these leaks - doing so based on an understanding of what exactly they are. There's also a shorter parallel thread with excellent information - thanks to hulltech for that contribution!


If you read the marketing hype around VPNs nowadays, you'd think that clicking on the Buy Now!!! button will automagically protect you from every possible bad thing that happens online, from spam to identity theft and everything in between. Which is total bullshit.

This is a place where proper credit is due to the folks at the Tor Project - they are honest, and accurate, in their warnings about all the ways that privacy can be breached even when using Tor. Sometimes, it seems like finding a path to actual security using the tool is all but impossible - for nontechnical folks, in particular - but their clear warnings about the risk of "leaks" when using the network set a high standard. For example, here's some information they provide as part of the basic overview section of the website's project:

Staying anonymous

Tor can't solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use Torbutton while browsing the web to withhold some information about your computer's configuration.

Also, to protect your anonymity, be smart. Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.


The VPN industry isn't anywhere near that level of communications integrity. Hell, the industry can't even see that level from the low place it occupies. Instead, it has devolved to a baseline of disingenuous, incomplete, and often flat-out false statements when it comes to discussing the real-world pros and cons of using VPN technology to protect privacy online.

A classic example of that is to be found in browser-based leaks of personal information. As Tor points out, above, browser leaks are a serious problem and neither Tor nor VPNs can do anything to protect against that kind of thing. Is this surprising to you, reading this? It shouldn't be - but, most likely, for lots of folks it is. After all, name one VPN company that goes out of its way to remind customers about browser leaks and the thread they pose - a real threat, one exploited by online marketing and malware companies right now, aggressively (see below) - and you earn a gold star. I've never seen one do so, and that does include Cryptocloud.

After all, pointing out the limitations of a technology is unlikely to convince prospective customers to spend money on it, right? Better to gloss over the weaknesses, flaws, and limitations - just act like they don't exist, and more people will fork over cash. This, obviously (I hope) is a stupid approach to "marketing" anything - let alone VPN service. Trust and credibility is earned by doing exactly that - see also "honesty" in the dictionary, eh?

We'll be posting up additional information in this thread about browser leak issues - in hopes it'll be a useful resource for folks using VPNS or not, using Tor or not... basically, anyone online who might sometimes want to retain a degree of privacy.

Cheers,
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Exploring the Ecosystem of Web-based Device Fingerprinting

Postby Pattern_Juggled » Sun Jun 02, 2013 2:27 pm

Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting
Nick Nikiforakis∗ , Alexandros Kapravelos† , Wouter Joosen∗ , Christopher Kruegel† , Frank Piessens∗ , Giovanni Vigna†
∗ iMinds-DistriNet, KU Leuven, 3001 Leuven, Belgium
{firstname.lastname} @cs.kuleuven.be

† University of California, Santa Barbara, CA, USA
{kapravel,chris,vigna} @cs.ucsb.edu



Abstract

The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users.

In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins.

At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.

cookieless_sp2013.pdf
(470.2 KiB) Downloaded 861 times
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Setting up Mozilla FireFox Securely

Postby Pattern_Juggled » Sun Jun 02, 2013 3:34 pm

Setting up Mozilla FireFox Securely
FreedomHacker.net


Why? Mozilla FireFox is simply the most secure and open browser on the internet. How is this? Mozilla FireFox is an Open Source browser. Which means any average Joe can go on the website, download the browsers code and look inside. This allows everyone to be able to customize the browser, and see if there are any trackers inside. Browsers such as Internet Explorer, and Google Chrome are closed source browsers. Which means no one can see what the browser contains. No on can look inside and see if there are any trackers, or see if there are any security loopholes. Of course with FireFox begin open source it may seem dangerous, but this creates a safe and quick updating environment. With hundreds of thousands of people begin able to see the source, and modify if themselves, this allows more people to report these security loopholes to Mozilla faster. When Mozilla sees these loopholes, they can send an update to users, and patch the loopholes immediately. With Internet Explore, and Google Chrome, it may take these browsers many days, weeks, or months, for them to find the loophole. With no one begin able to see what the source contains, this creates many problems. If there is a loophole, no one other than Google can fix this, and this gives times for the one knowledgeable about the exploit to abuse it. And, it can take them an extended period of time to find it. This also creates an untrusted connection. Why has Google closed off the source to their simple browser? Is it because it contains trackers inside? Does it watch every website you log onto, and monitor you? If the source is closed, no one knows what is going on behind the scenes. Did you know about Google Tracking? This is why it is best to use Mozilla FireFox, because you can see what they have to offer, and have nothing to hide. But, what if you dont know anything about coding, or all this mumbo jumbo source code talk? Is it hard to use? No, Mozilla FireFox leaves the browser simple and friendly. Many of my family and friends that know little to nothing about the internet, or internet tracking use this browser. Is is %100 user friendly. If you want to see the source code for yourself go to your search engine and type in “Mozilla FireFox Source Code”. I cant give you a direct page, because they are always changing their websites layout.


2. Configure the options to your liking.

Mozilla FireFox may seem a little confusing at first. As almost anything new is. So first you will want to navigate you your options. Click the FireFox button on the top left of the browser, go to the options tab, and click options. This will bring another small popup. From there, go to the Advanced Tab on the right. Go to the update tab. Now, if you want this browser, to work right out of the box, leave it on Automatic updates. But, if you want to be notified when there is a new update, and choose when to install it, you may want to select this option. This will notify you when they have an update, and let you install it when you are ready. Instead of just installing it right away. This can be helpful later down the rode, when we talk about Add Ons. I would also recommend not checking/un-checking the “Automatically update: Search Engines”. This will just stop websites from inserting their search engine in your search engine bar without asking, usually where the Google search is. You can now go to the network section (we are still on the advanced tab). Now I would suggest checking the option “Tell me when a website asks to store data for offline use”. This option will prompt you with a notification if a website wants to store data on your computer. You should have the right to know if a website is going to be installing some junk on your computer. So, if you dont know anything about the site, when it trys to store data I would click dont allow. If you dont select anything, it will automatically allow to data to be stored. No website needs to see what you are doing on your computer, while you are not on their website. Next hit general, to the left of the network tab. Now, this is where you can choose some general options. I would suggest checking the box “Warn me when websites try to redirect or reload the page”. What this does is, lets say you go to Yahoo.com, but the website has redirected to some malware somehow. This will stop pages from redirecting you right away. FireFox will prompt you and ask if you want to page to redirect you. If you trust it, then hit yes. This may cause problems with PayPal or other log in methods. When you log in to a site like PayPal, it redirects you to a secure page, then directs you back to the main page. If you know what the website is doing, go ahead and allow it, by clicking yes. But, this option can stop pages from directing you somewhere you dont want to end up. New Update: Navigate to the Network Tab now. On the Network Tab you can choose whether you want to submit crash reports or not. This is not Mozilla tracking you. If the browser for some reason closes when you didnt tell it to, it will ask if you want to send this to Mozilla. Click send. This will only send them the error that occurred when it closed without asking. It wont send them what you were doing. Sending them reports will lead to performance updates if there is a persistent problem. So, if you want to help Mozilla and their FireFox browser I recommend it. The new Enable Telemetry Option is up to you. This will send them the amount of resources the browser is using on your computer. Again, no tracking is intended here, it is only to help FireFox become faster, and more lightweight.


Security Tab

Now we can move to the Security Tab (the icon with the lock on it). Once you have navigated here, I would recommend having the top three options checked. This will stop websites from attacking you, or installing something you don’t want. It will just block it, and not bother you while browsing the internet. Now for the bottom part, you set these to your liking. If you want the browser to remember your logins then hit yes. So, if you want Facebook to be logged in right when you open your browser, then go ahead and leave it on. If you want your browser to not save any data, and make you login every website when you open FireFox, you can de-select this option. The master password options can be helpful. When using FireFox it stores your passwords inside a file, inside the browser. Now, every browser does this, but FireFox just lets you know where the file is, so you dont have to hunt for it inside confusing computer files. So, if you save your passwords, it creates a small file. If you click the “Saved Passwords…” button, you will see all the sites you logged into, and hit “Remember Password” on. No one but you can see these. But, what if a Friend is using your computer, and uses FireFox on their computer, and knows how to use this option? Or you have a virus, and the person wants to access this folder, and peek at your sensitive info? The master password option can stop them. If you set a master password, if you click the “save password” option, it will lock that file. So when the user opens FireFox, and clicks “saved passwords”, it will prompt them with a password. If they fail to type in the correct password, they cannot get in. Make sure you remember the master password, because if you dont, you just wont be able to access that file and see your passwords. Not a big deal, but if you forgot your Amazon password when you logged out, you wont be able to access the data here. Also, if you hit remember password on the browser, it will prompt you to type in the master password. So, if a friend goes on their Facebook, and they want to save their login on your computer, it will not let them. They can still use their Facebook, but they wont be able to save their login unless they know the code. This can stop people from logging you out, and then you having to input all your info over and over again.


Privacy Tab (my favorite)

The Privacy Tab. It can have one option, or many depending on what you choose. If you want every website to track you, then leave it on the “Remember history” option, and you can select the “Ask websites not to track me button” on the top of the privacy tab (do select it no matter what options you choose to use). But, you are only asking them not to track you. If they where tracking you before without you knowing, why will they not track you now, because you asked nicely? Nope. The websites want to know you, then want to be part of your family, but you may not want that. But, if you want to be a little sneaky, and stop these intruders you didnt ask for, then this is your section. If you never want FireFox to remember anything, and just remove everything when you close a tab or page, then select the “Never remember history” option. But, if you go on Amazon, log in, and reload the page, you will be logged out the second you logged in. This is because you are not saving any information. Which in the end, is no fun. So, if you want to be a spy, click “Use custom settings for history”. This should load a somewhat large page of options. I do not recommend the “Always use private browsing mode”. This will save, and delete some content, and passwords. It doesnt work well on Chrome (incognito mode), or Internet Explorer, it is just broken everywhere you go. So, dont select it, unless you know what your doing with it. But, I like my browser to be customized to my settings. Now for the sake of reading, I will just show your my personal options, and go through what they do,

Image

Remember my browsing and download history: If you want FireFox to remember what websites you went to leave this checked. If you went to Facebook, when you start typing fa into the bar and facebook pops up, this is why. If you dont want it to remember any website you navigated to, uncheck it. Also, this will delete your download history. So, if you download a file such as a program, or video, you will notice it will stay in the download box. If you dont want it to remember what you downloaded dont check this. This will not delete the download, only the small file in the downloads box. It will only delete your history and download history when you close FireFox. Different updates, change different things sometimes. Remember search form history is just remembering your searches, and the forms it keeps. Not a big deal, but why keep it if it isnt needed? Accepting cookies from sites is crucial. I highly recommend keeping this checked. This will go back to the Amazon login, or just about any login. When you login into a site, and go to another page, your will be instantly logged out. Keep it on, it doesnt hurt anything. You can delete the cookies when you exit FireFox with another method. Cookies while browsing Real-Time are crucial for certain things. The Accept third party cookies is where it gets fishy. Why do you want to accept random cookies that have nothing to do with the site? I would recommend having this one unchecked. For no reason do you want to be accepting random cookies, belonging to a random stranger. De-selecting this will not harm any logins, it just wont accept random junk off of any sites or ads. The Keep Until: section is where you get full customization. You can keep your cookies until a certain point. Till they expire, when you close FireFox, or have it always prompt you. Till they expire will probably be when you close the browser, or if the website has a certain time point. PayPal, and Liberty Reserve log you out usually after 15 minutes. So when you get logged out, or any website that has the auto log out after some time, thats when the cookie will expire. This is good for keeping all your cookies, but having them slowly die off when they are unneeded. The “Clear history when FireFox closes” option is by far the best part. This is where FireFox unleashes its Freedom. The ability to clear your browser off when closing FireFox. As you can see in the picture above, I have my browser set to clear everything when I close my browser. So, when my browser is open, all my logins stay on, and everything is smooth. Then when I close, and restart, its like no one has ever used my browser. So lets go over what I delete. Browsing history are the websites I went on. So when I type in Fa, facebook will not pop up. But if I didnt clear this off, when I type in FA, it will still pop ip. This deletes all the proof of sites I visited. Cookies are what we went over above. Download history, same as above, it just clears off the part showing you downloaded it in the pop up. Active Logins, is similar to Cookies, but cookies hold more info. This option will be sure to clean all your logins. So when you go to Amazon, Twitter, Facebook, everything that you logged into before closing the browser is gone. So not one person can get into any of your accounts by opening your browser. Great for security, not so great if you have password memorization problems. Form and search history are just forms websites save. Search history, is everything you searched on Google, or other search engines. This wont delete what the search engines server saved, but will delete what your computer saved about that search engine. Cache is honestly junk no one needs. I would suggest having that get wiped off. It clogs every computer with just random memory it doesnt need. Always clean that off. Saved Passwords is the somewhat like Active Logins. Some sites auto log you out, but still save your password on your browser, this will delete what your computer saved. The box that shows all your passwords, it will clear the box out. Offline Website Data is data websites store on your computer to view you offline. I suggest clearing that always. No website needs to snoop on you while you are not using their services. Site Preferences, well the name speaks for itself. The DownThemAll in the picture above is a random addon. You wont have that. That wraps up the Privacy tab. Setting up Mozilla FireFox the right way gives you choices for everything.


Application Tab

This can be nice for some people. This is what happens when you visit a website with certain content. So lets say a podcast is live, depending on your settings you can have the podcast autoplay, or ask you to play it. If you have the setting on Deny, it just wont run automatically. FireFox doesnt harass you while browsing. If you wanted to hear the podcast, you would just click play on the podcast. The Application Tab tells you what Application will open when the browser is prompted with certain types of content.


Content Tab

Blocking pop ups is a good idea, nothing worse than annoying pop ups on webpages. Loading images option can be good. If you go on a website filled with pictures and content, you can have it only load the content. Great option if you have slower internet, or hate pictures on webpages. Enabling Javascript is your choice. If you dont know what Javascript is, look into it. If you know about the vulnerability’s, you choose.


Tabs Tab

The only recommendation is having it prompt you when closing multiple tabs. Other than that, you choose what suits you.


General Tab

The general tab is to set you homepage, and download location. So, again you choose where files download, and what your homepage is, if you even want one.


Setting up Mozilla FireFox can seem tricky, but FireFox is all about letting you choose what you want.
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

User avatar

Kantura
Posts: 7
Joined: Sat Apr 13, 2013 8:53 am

Re: Identity leaks via browser disclosures

Postby Kantura » Sun Jun 02, 2013 11:32 pm

Browsing Safely With Firefox
By Encrypt Everything

This page covers how to configure the settings in Firefox for private web browsing. We are covering Firefox because it is the best browser for privacy. The Mozilla foundation (creators of Firefox) have a long track record of Internet activism and supporting open source software. In addition, Firefox does not track you (unlike Google Chrome).

Test how easily identified your browser is at the EFF's Panopticlick.

General Settings

First,we will go over the basic privacy settings in general settings, which can be found in the options bar in Firefox 11 (Firefox > Options > Options) or for iOS, Preferences.

Content: Enable block popup windows and disable Javascript when it isn’t needed.

Privacy: Enable the DNT (Do-Not-Track). For history, use custom settings. “Always use private browsing mode” should be enabled. “Remember my browsing history”, “Remember download history” and “Remember search and form history” should be turned off. “Accept cookies from sites”, but un-check “Accept third party cookies” as they aren’t needed often. Location bar: select “Suggest nothing”.

Security: Enable “Warn me when sites try to install add-ons”, “Block reported attack sites” and “Block reported web forgeries”. Under Passwords, disable “Remember passwords for sites” and use a master password.

Advanced – General – System Defaults: Disable “Submit crash reports and performance data”.

Advanced – Network – Offline Storage: Check “Override automatic cache management and limit cache to 0MB space”. Further—you can un-check “Tell me when a website asks to store data for offline storage use”.

Advanced – Encryption: Ensure both “Use SSL 3.0 and Use TLS 1.0″ are enabled. Then click validation > check “When an OCSP server connection fails, treat the certificate as invalid”.

Registry Panel Settings

For these settings, you will need to type “about:config” without the quotes into the URL bar to get the Firefox registry panel.

about:config -> geo.enabled -> double click to false – what does this do? When this is enabled, websites will be able to identify your location based on your IP address.

about:config -> browser.sessionhistory.max_entries -> change value to 2 – this increases your privacy.

about:config -> dom.storage.enabled -> double click to false – this should always be set to false. Leaving this enabled lets the browser store data onto your computer.

about:config -> browser.display.use_document_fonts -> change value to 0 – This limits the fonts it sends to websites you visit. The fonts on your computer can be very unique and it could identify your workplace.

about:config -> browser.cache.offline.capacity -> change to 0 – without going into depth, this one is like the two below. It prevents the browser from storing local data.

about:config -> browser.cache.offline.enable -> change to false – This prevents the browser from storing cache on your system.

about:config -> browser.cache.memory.enable -> change to false – again this is better off left at false. It prevents the browser from storing cache memory on the computer.

Privacy Protecting Add-Ons

AdBlockPlus - Automatically blocks ads from being displayed. Unfortunately now allows "non-intrusive" ads by default, so set your filter to "Fanboy's List".

Ghostery - Blocks analytical software (e.g. Google Analytics).

HTTPS Everywhere - Automatically makes Firefox use HTTPS encryption when possible. Protects against people seeing what you're doing on different websites.

HTTPS Finder - Automatically detects and enforces HTTPS connections when available. It also provides one-click creation and in-browser editing for HTTPS Everywhere rules.

NoScript - Blocks malicious scripts and provides firewall-like protection within Firefox.

Collusion - Allows you to see all the third parties that are tracking your movements across the Web. It will show, in real time, how that data creates a spider-web of interaction between companies and other trackers.

EXIF Viewer - Allows for easy viewing of EXIF data (which can contain personal info) in images with a right click.

BetterPrivacy - Deletes flash cookies.

MD5 Reborned Hasher - This extension allows to check the MD2, MD5, SHA1, SHA256, SHA384 or SHA512 sum of a downloaded file.

Key Scrambler - Protect your Internet browsing from keyloggers.

FireGloves - Impedes fingerprinting-based tracking.

Redirect Cleaner - Redirect Cleaner cleans Redirects from Links

Open IT Online - Open several types of documents directly in Firefox and Internet Explorer without needing any software to be installed.

Ref Control - Control what gets sent as the HTTP Referer on a per-site basis.

UAControl - Control what gets sent as the User-Agent on a per-site basis.

Cookie Whitelist, With Buttons - Enables you to use a cookie whitelist with ease, through a set of toolbar buttons.

CsFire - CsFire autonomously protects you against dangerous or malicious cross-domain requests, such as Cross-Site Request Forgery (CSRF).

Request Policy - Improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by webpages you visit. Protects against Cross-Site Request Forgery (CSRF) attacks.
“Everybody’s a target; everybody with communication is a target.” -- NSA


Guest

Re: Identity leaks via browser disclosures

Postby Guest » Mon Aug 12, 2013 6:36 pm

Any thoughts on HashCheck Shell Extension?

http://code.kliu.org/hashcheck/

User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Re: Identity leaks via browser disclosures

Postby Pattern_Juggled » Tue Aug 13, 2013 7:24 pm

Guest wrote:Any thoughts on HashCheck Shell Extension?

http://code.kliu.org/hashcheck/


Looks interesting! This question has also been pushed out into @baneki's twitter feed, to see if some of the smart folks out there have additional experiences or perspectives to add.

Thanks for sharing - cheers,
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Re: Identity leaks via browser disclosures

Postby Pattern_Juggled » Tue Oct 29, 2013 9:45 am

FPDetective: Dusting the Web for Fingerprinters

Gunes Acar1 , Marc Juarez1,2 , Nick Nikiforakis3 , Claudia Diaz1 , Seda Gürses1,4 ,
Frank Piessens3 and Bart Preneel1

KU Leuven, Dept. of Electrical Engineering (ESAT), COSIC, iMinds, Leuven, Belgium
{gunes.acar,marc.juarez,claudia.diaz,seda.guerses,bart.preneel}@esat.kuleuven.be

IIIA-CSIC, Bellaterra, Spain
mjuarez@iiia.csic.es

KU Leuven, Dept. of Computer Science, iMinds-DistriNet, Leuven, Belgium
{nick.nikiforakis,frank.piessens}@cs.kuleuven.be

New York University, Dept. of Media, Culture, and Communication, NY, USA

article-2334.pdf
(346.6 KiB) Downloaded 615 times


ABSTRACT

In the modern web, the browser has emerged as the vehicle of choice, which users are to trust, customize, and use, to access a wealth of information and online services. However, recent studies show that the browser can also be used to invisibly fingerprint the user: a practice that may have serious privacy and security implications.

In this paper, we report on the design, implementation and deployment of FPDetective, a framework for the detection and analysis of web-based fingerprinters. Instead of relying on information about known fingerprinters or third-party-tracking blacklists, FPDetective focuses on the detection of the fingerprinting itself. By applying our framework with a focus on font detection practices, we were able to conduct a large scale analysis of the million most popular websites of the Internet, and discovered that the adoption of fingerprinting is much higher than previous studies had estimated. Moreover, we analyze two countermeasures that have been proposed to defend against fingerprinting and find weaknesses in them that might be exploited to bypass their protection. Finally, based on our findings, we discuss the current understanding of fingerprinting and how it is related to Personally Identifiable Information, showing that there needs to be a change in the way users, companies and legislators engage with fingerprinting.
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

http://ipleak.net/

Postby Pattern_Juggled » Wed Jan 29, 2014 3:07 pm

This is intended to check for "IP leaks," but it's also quite handy as a tool to demonstrate the power of browser-based fingerprinting. Give it a try...

http://ipleak.net/
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Identity leaks via browser disclosures

Postby DesuStrike » Wed Jan 29, 2014 10:10 pm

May I add SECRET AGENT for Firefox?
https://www.dephormation.org.uk/?page=81

Totally randomizes everything your browser spills out about you (you can configure everything to your liking) thus making browser fingerprinting way harder if you also follow the other solutions provided in this thread.
home is where the artillery hits

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Thu Jan 30, 2014 10:06 am

Does anyone know of a browser add-on that can mask: 1) Browser Plugin Details and 2) Screen Size and Color Depth ?

Desu - the Secret Agent thing is mega cool, along with the Dephormation addon...

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Identity leaks via browser disclosures

Postby DesuStrike » Thu Jan 30, 2014 10:58 am

The browser plugin details can be hidden with FireGlove(s?). Unfortunately it seems like this addon has been removed from the database. It wasn't developed anymore anyways but still a shame.
home is where the artillery hits

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Fri Jan 31, 2014 6:19 am

DesuStrike wrote:The browser plugin details can be hidden with FireGlove(s?). Unfortunately it seems like this addon has been removed from the database. It wasn't developed anymore anyways but still a shame.


Cheers for the info DS... I managed to find THIS...

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Identity leaks via browser disclosures

Postby DesuStrike » Fri Jan 31, 2014 9:09 am

Ahhh, good find!

I wonder if this a new version, too. I don't remember what the recent version was when I last used this addon.
You really have to invest some time in tweaking all those addons so you don't break your web experience and also don't leak comprimsing information. Really an act of balance here.
home is where the artillery hits

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Sun Feb 02, 2014 5:39 am

In relation to the "Better Privacy" extension, I found a way to do this across the board; not just for browser tweaking. This will provide one less extension to be concerned with...

Might be different for other Windows OS, this is for Windows 7 SP1 64bit
1) In Windows Explorer - show Protected Operating System Files & show hidden files, folders and drives
2) Navigate to - C:\Users\Owner\AppData\Roaming\Macromedia
3) Delete the folder "Flash Player"
4) Create a file, any file (I chose .txt) and name it "Flash Player"

That is all... Windows will not create a folder that has the same name as the newly-created file. This prevents Flash from creating and saving any data in a "Flash Player" folder.

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Identity leaks via browser disclosures

Postby DesuStrike » Sun Feb 02, 2014 8:16 am

Wow! Very good find Marzametal!
This basically makes the addon redundant! I'll have to try this out on Linux but first I have to find the appropriate folder.

This thread is a gold mine! I'm this close from making it a sticky.
home is where the artillery hits

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Mon Feb 03, 2014 4:06 am

One thing I didn't count on was the increase in loopbacks that my browser creates. It seems to have increased with the inclusions of browser extensions. Been looking into this to see if I can reduce the amount of loopback callouts, but it's more of a burden than a blessing. I realised it is something that happens on non-*nix machines. Also, from what I have read (don't quote me), it seems that Firefox is the only browser that does it?

I found a couple of other about:config tweaks in this page, How to stop Firefox from automatically making connections without my permission but that's about it so far...

I set my software firewall to Advanced to see what ports Firefox requests as I browse. Then I wanted to find out what the hell these ports refer to, and came across this... Port Registry. Is there a better/more detailed list?

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Identity leaks via browser disclosures

Postby DesuStrike » Mon Feb 03, 2014 7:06 am

AWWW FUCK MY LIFE! I had a quite long answer but I clicked on an image and now its gone. Meh... Ok here is the short version:

Loopbacks: Can't help you with those because like you already said: Only non *nix machines. So I can't reproduce that.

Port-List: I don't think there is anything more complete than iana provides. It's iana after all. As to the description you won't get around a lot of google search anyways because even the most descriptive list has only like 4-5 lines for words and this isn't enough sometimes.

As to about:config magic I can add a lot of stuff... The bold items are the interesting ones! Only regard the things with "cache" in it in the first picture.

Selection_040.png


Selection_041.png
Selection_041.png (2.67 KiB) Viewed 56029 times


Selection_042.png


Selection_043.png
Selection_043.png (6.22 KiB) Viewed 56029 times
home is where the artillery hits

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Mon Feb 03, 2014 10:14 am

Nice! Cheers for the info DesuStrike... I think I will calm down with this stuff for a while (not long though)... You know you are getting too deep when your dreams contain conversations about TAP drivers and browser configurations!

EDIT: My hiatus didn't last long. Went for a smoke, came back, and now I will install Wireshark... maybe :P

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Identity leaks via browser disclosures

Postby DesuStrike » Mon Feb 03, 2014 12:19 pm

I'd love an informed opinion on the camellia chiper though. It's the AES equivalent created for the European Union. I don't really trust that thing as it hasn't been proven itself for as long as AES even though both have some pretty scary back stories. It's also strange that I only see it used in SSL context. Like nobody else is using this for some reason.
I'm going like "when in doubt keep it out" but I'd still love to exchange my doubts for certainty. May it be negative or positive.

PS: Yes you must be careful to not get insane over such things or lodge to deep into things you can't possibly judge by yourself. Still you won't just stop caring! When you once understood what scary shit is going on out there and how they compromise you on a daily basis you cannot just pretend it doesn't happen. I think this is a good thing! You just have to stay sane! So if you are able to read the outputs of wireshark: Go ahead and give it a whirl because you might find something interesting. Wireshark is a gold vein of very accurate and useful information! And if can't read it but have the time to educate yourself: Do it! It's a skill that will ALWAYS come in handy! But don't neglect other important things over it. This is the red line I always draw. Worked good for me so far. :)
home is where the artillery hits

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Tue Feb 11, 2014 12:53 pm

Some of these apply to Mozilla Thunderbird as well, for the most part (security.xxxxx, cache.xxxxx and geo.enabled)...

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Wed Jun 04, 2014 11:23 am

No Trace: Limit the diffusion of personally identifiable information and protect user's privacy against Web tracking and other privacy threats.
NOTE: I think only single domain endings can be added to whitelist (eg: .com, .org). I sent an email to developer to see if any instructions could be provided in regards to adding .com.au sites to whitelist; no reply yet. This addon is pretty strong, need to tinker with it because web browsing/display functionality will most certainly break if conditions aren't relaxed or sites aren't whitelisted.

Track Me Not: Protects privacy in web-search. By issuing randomized queries to popular search-engines, including Google, Bing, and Baidu, TrackMeNot obfuscates users' search data profiles.
NOTE: Not sure if this addon is required if you regularly search via... hmmmm, secure(?) search engines, such as StartPage etc...

AdBlock Plus PopUp Addon: Adblock Plus Pop-up Addon extends the blocking functionality of Adblock Plus to those annoying pop-up windows that open on mouse clicks and other user actions.

Calomel SSL Validation: Validate the grade of security of the SSL connection. The toolbar button will change color depending on the strength of encryption from red (weak) to green (strong). The drop down window shows a detailed summary of the SSL connection.


User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Random Agent Spoofer (firefox plug-in)

Postby Pattern_Juggled » Mon Jan 05, 2015 7:10 pm

Random Agent Spoofer

RAS is a privacy enhancing firefox addon which aims to hinder browser fingerprinting. It does this by changing the browser/device profile on a timer. Each browser profile has been tailored to match the actual values used by the target browser as much as possible, within the limits set by firefox.

It also supports other privacy enhancing options...


agentspoofer.png

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Thu Jan 08, 2015 5:58 am

Uh Oh... supercookies!

For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn't save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care.

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Identity leaks via browser disclosures

Postby DesuStrike » Thu Jan 08, 2015 7:05 pm

CanvasBlocker (Also for Firefox for Android)

The technique of des canvas-fingerprinting (more informations: http://www.browserleaks.com/canvas ) to identify users can be prevented with this Add-On.

Therefore the <canvas>-API which is necessary for the fingerprinting gets blocked. The different blocking modes are:

  • block everything: ignore all lists and block everything.
  • allow only white list: sites in the white list can use the API.
  • ask for permission: if a page is not listed on white or black list the user will be asked if the site should have access.
  • block readout API: <canvas> can be used to display something but can not be read out.
  • fake readout API: my favorite! Also the readout-API can be used but only return random values. So the fingerprinting also returns different values all the time.
  • ask for readout API permission: as for "ask for permission" there will be a confirm promt if a <canvas> is read.
  • block only black list: everything on the black list has no access.

The native PDF display of Firefox uses canvas. Therefore a document that has MIME-content type of "*/pdf" will have access. This can be deactivated seperately.

As presetting my domain (kkapsner.de) is whitelisted.

Please report issues and feature requests at https://github.com/kkapsner/CanvasBlocker/issues
home is where the artillery hits


Guest

Re: Identity leaks via browser disclosures

Postby Guest » Sat Jan 10, 2015 12:50 am

I had checkout out some of those browser UA randomisers in the past- the issue I had with them is that the agents they use are very unusual (so much so that I doubt anyone other then the plugin users have them). considering this, I think using such is probably worse then just picking the most common UA and sticking with it, as that gives you a much much larger pool of users to be hidden in. The thinking is that 100's of thosands of people are useing, say FF 34 on win 7- where as only several hundred people (mostly those that downloaded that plugin) would be useing any of those other very unique UA's. So while it might help in some circumstances, I can think of more where it would be counterproductive.

also- one of the recomendations in an early post or linked guide in this thread was to enable 'check for counterfit sites' in FF- that setting will send every site you visit to google- BAD! Predictive text/search sends every keystroke in the bars to google... and note that overiding cache to 0 in the standard user settings doesn't actaully do anything- you must go into about:config and change the settings there. Cache can be used to track people that disallow cookies- it can do everything cookies can, though it's more server side intensive= they send a combinations of invisable .gif or other small files uniquely to visitors and then watch to see what visiting systems have those files in cache and who needs to download them.

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Tue Jan 13, 2015 4:21 am

Anyone heard of this? BitBox
Apparently...
Browser in the Box or BitBox was created by Sirrix AG for the German government.
From executing shortcut... BitBox opens :
-Virtual Box, which in turn opens
-Hardened Debian Linux, which in turn opens
-Chrome or Firefox.

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Identity leaks via browser disclosures

Postby DesuStrike » Tue Jan 13, 2015 4:57 am

marzametal wrote:Anyone heard of this? BitBox

I know someone who actually does this manually to avoid browser identification by Google and such. His host browser never touched a google domain in years. Though it needs plugins for shared clipboard between VM and Host to provide comfortable usage and even with this I find it not suitable for everyday use.
home is where the artillery hits

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Tue Jan 13, 2015 5:01 am

DesuStrike wrote:
marzametal wrote:Anyone heard of this? BitBox

Though it needs plugins for shared clipboard between VM and Host to provide comfortable usage and even with this I find it not suitable for everyday use.

Ahh yes, the Guest Additions injection...

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Mon Jan 19, 2015 3:14 am

Damn RAS, falls on its ass in the same way that FireGloves did... it cannot properly mask timezone and screen resolution... :(

User avatar

DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Identity leaks via browser disclosures

Postby DesuStrike » Mon Jan 19, 2015 11:44 pm

marzametal wrote:Damn RAS, falls on its ass in the same way that FireGloves did... it cannot properly mask timezone and screen resolution... :(


AFAIK Secret Agent was able to do that but it was very lacking in all other regards RAS is covering very well. Also with Javascript active you always can read out the system time anyways thus creating pretty unique mismatches. You can test those on whoer.net for example.

All in all the virtual machine thingy probably is the best solution possible to this date. In my opinion we only need to find a way to run and display it directly inside the browser so you don't create an "application break point" that disrupts work flow.
home is where the artillery hits

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Wed Jan 21, 2015 5:03 am

I managed to flush out the addon clash that was causing RAS to not spoof screen resolution and time zone. After the developer recommended I create another profile, just add RAS and then slowly return the addons I use... it turns out the clashing addon was Canvas Blocker!

User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

How Unique Is Your Web Browser?

Postby Pattern_Juggled » Fri Jan 23, 2015 12:28 am

How Unique Is Your Web Browser?
Peter Eckersley
Electronic Frontier Foundation, pde@eff.org

browser-uniqueness.pdf
(418.46 KiB) Downloaded 1040 times


Abstract

We investigate the degree to which modern web browsers are subject to “device fingerprinting” via the version and configuration information that they will transmit to websites upon request. We implemented one possible fingerprinting algorithm, and collected these fingerprints from a large sample of browsers that visited our test side, panopticlick.eff.org. We observe that the distribution of our fingerprint contains at least 18.1 bits of entropy, meaning that if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint. Among browsers that support Flash or Java, the situation is worse, with the average browser carrying at least 18.8 bits of identifying information. 94.2% of browsers with Flash or Java were unique in our sample.

By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an “upgraded” version of a previously observed browser’s fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%.

We discuss what privacy threat browser fingerprinting poses in practice, and what countermeasures may be appropriate to prevent it. There is a tradeoff between protection against fingerprintability and certain kinds of debuggability, which in current browsers is weighted heavily against privacy. Paradoxically, anti-fingerprinting privacy technologies can be selfdefeating if they are not used by a sufficient number of people; we show that some privacy
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f


User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

webRTC 'vuln'

Postby Pattern_Juggled » Sun Feb 01, 2015 2:28 pm

I've promoted this thread to 'global' status, & reached out via twitter to request resources for those using Chrome-based browsers (including Chromium, and other forks).

edited to add: here's an excellent user-agent fuzzer for Chrome-based browsers, courtesy the smart & generous folks of our twitter feed:
cryptostorm_is/status/561824472026472450

useragentswitcher.png


There's also an interesting discussion in twitter relating to this webRTC 'leak' that was subject to heated hysteria in some quarters a few days ago. Here's the twitter convo thread, which includes a number of additional links that will be useful to have in one place:

https://www.browserleaks.com/webrtc#webrtc-disable
http://whatsmyuseragent.com/
http://web-sniffer.net/
http://ipleak.net/

Cheers,

~ pj
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

User avatar

Graze
Posts: 247
Joined: Mon Dec 17, 2012 2:37 am
Contact:

Browser Fingerprinting and the Online-Tracking Arms Race

Postby Graze » Sun Feb 01, 2015 5:49 pm

Browser Fingerprinting and the Online-Tracking Arms Race
Web advertisers are stealthily monitoring our browsing habits—even when we tell them not to
By Nick Nikiforakis & Günes Acar | IEEE Spectrum
Posted 25 Jul 2014 | 15:00 GMT


In July 1993, The New Yorker published a cartoon by Peter Steiner that depicted a Labrador retriever sitting on a chair in front of a computer, paw on the keyboard, as he turns to his beagle companion and says, “On the Internet, nobody knows you’re a dog.” Two decades later, interested parties not only know you’re a dog, they also have a pretty good idea of the color of your fur, how often you visit the vet, and what your favorite doggy treat is.

How do they get all that information? In a nutshell: Online advertisers collaborate with websites to gather your browsing data, eventually building up a detailed profile of your interests and activities. These browsing profiles can be so specific that they allow advertisers to target populations as narrow as mothers with teenage children or people who require allergy-relief products. When this tracking of our browsing habits is combined with our self-revelations on social media, merchants’ records of our off-line purchases, and logs of our physical whereabouts derived from our mobile phones, the information that commercial organizations, much less government snoops, can compile about us becomes shockingly revealing.

Here we examine the history of such tracking on the Web, paying particular attention to a recent phenomenon called fingerprinting, which enables companies to spy on people even when they configure their browsers to avoid being tracked.

The earliest approach to online tracking made use of cookies, a feature added to the pioneering Web browser Netscape Navigator a little over a year after Steiner’s cartoon hit newsstands. Other browsers eventually followed suit.

Cookies are small pieces of text that websites cause the user’s browser to store. They are then made available to the website during subsequent visits, allowing those sites to recognize returning customers or to keep track of the state of a given session, such as the items placed in an online shopping cart. Cookies also enable sites to remember that users are logged in, freeing them of the need to repeatedly provide their user names and passwords for each protected page they access.

So you see, cookies can be very helpful. Without them, each interaction with a website would take place in a vacuum, with no way to keep tabs on who a particular user is or what information he or she has already provided. The problem came when companies began following a trail of cookie crumbs to track users’ visits to websites other than their own.

How they do that is best explained through an example. Suppose a user directs her browser to a travel website—let’s call it Travel-Nice-Places.com—that displays an advertising banner at the top of the page. The source of that banner ad is probably not Travel-Nice-Places.com itself. It’s more likely located on the Web servers of a different company, which we’ll call AdMiddleman.com. As part of the process of rendering the page at Travel-Nice-Places.com, the user’s browser will fetch the banner ad from AdMiddleman.com.

Here’s where things get sneaky. The Web server of AdMiddleman.com sends the requested banner ad, but it also uses this opportunity to quietly set a third-party cookie on the user’s browser. Later, when that same user visits an entirely different website showing another ad from AdMiddleman.com, this ad supplier examines its previously set cookie, recognizes the user, and over time is able to build a profile of that user’s browsing habits.

Today on the Internet, interested parties not only know you’re a dog, they also have a pretty good idea of the color of your fur.
You might ask: If this brings me more relevant online advertisements, what’s the harm? True, online tracking could, in principle, help deliver ads you might actually appreciate. But more often than not, the advertisers’ algorithms aren’t smart enough to do that. Worse, information about your Web browsing habits can be used in troubling ways. A car dealer you approach online and then visit in the flesh, for example, could end up knowing all about your investigations, not only of its inventory but of all the other car-related websites you’ve been checking out. No wonder such tracking has garnered a reputation for being creepy.

Not long after the use of third-party tracking cookies became common, various media outlets and privacy organizations began questioning the practice. And over the years, people have increasingly come to appreciate that the set of websites they visit reveals an enormous amount about themselves: their gender and age, their political leanings, their medical conditions, and more. The possession of such knowledge by online advertising networks, or indeed by any company or government agency that purchases it from those networks, comes with potentially dire consequences for personal privacy—especially given that users have no control of this very opaque process of data collection.

It should come as no surprise that some of the early news articles about advertisers’ use of cookies had headlines announcing “the death of privacy” and made allusions to George Orwell’s all-seeing Big Brother. Even the programmers and engineers involved in the development of technical standards got an earful.

In particular, in 1997 a coalition of privacy organizations wrote an open memo to the Internet Engineering Task Force (sending copies to the leading browser developers) that expressed their support for the first cookie standard, RFC 2109, which stated that third-party cookies should be blocked to “prevent possible security or privacy violations.” But advertising companies pushed back harder. And in the end, neither of the two mainstream browsers of that era, Netscape Navigator and Internet Explorer, followed the specification, both allowing third-party cookies.

The winds began to shift in 2005, though, when browser developers started adding a “private browsing” mode to their products. These give users the option of visiting websites without letting those sites leave long-term cookies. Independent developers, too, started producing privacy-preserving extensions that users could add to their browsers.

Today, the most popular extension to Mozilla’s Firefox browser is AdBlock Plus, which rejects both ads and third-party cookies used for tracking. And recently developed tools like Ghostery and Mozilla’s Lightbeam reveal the number of trackers on each website and show how these trackers collaborate between seemingly unrelated sites. Finally, recent studies have shown that a large percentage of people delete their browser cookies on a regular basis, a fact that points to their having at least some understanding of how cookies can compromise privacy online.

But when people started deleting their cookies, the companies involved in tracking didn’t just roll over. They responded by developing new ways of sniffing out users’ identities. Most had one thing in common: They tried to bury the same tracking information found in cookies in some other corner of the user’s browser.

One popular technique was to use Flash cookies. These are conceptually similar to normal cookies, but they are specific to Adobe’s Flash plug-in. In the past, a website could hide information in Flash cookies, which would survive the clearing of normal cookies. The information retained in the Flash cookies would then be used to regenerate the deleted normal cookies. Companies made use of this sneaky tactic for a few years before researchers caught on [PDF] and started publicizing these shady practices in 2008. Today, most browsers give users the ability to delete all flavors of cookies.

Taking Your Print
taking-your-print-1405517867866.jpg


In the past, clearing cookies after each session or selecting your browser’s “Do Not Track” setting could prevent third-party tracking. But the advent of browser fingerprinting makes it very difficult to prevent others from monitoring your online activities. The diagram above outlines how an online advertising network can track the sites you visit using fingerprinting.

As you might expect of this long-standing cat-and-mouse game, the advertising networks have not sat idle. In recent years, they have shifted to a form of tracking that doesn’t require Web servers to leave any kind of metaphorical bread crumb on the user’s machine. Instead, these ad networks rely on a process known more generally as device fingerprinting: collecting identifying information about unique characteristics of the individual computers people use. Under the assumption that each user operates his or her own hardware, identifying a device is tantamount to identifying the person behind it.

While this all sounds very sinister, it’s important to realize that such fingerprinting has some very benign, indeed laudable, applications. It can be used, for example, to verify that someone logging into a Web-based service is not an attacker using stolen log-in credentials. Fingerprinting is also helpful for combating click fraud: Someone displays an advertisement on his website in return for payment each time that ad is clicked on—and then tries to run up the bill by having an identity-feigning computer click many times on the ad. The problem is that fingerprinting has become so precise that it makes a sham of browsers’ privacy-protection measures.

In 2010, Peter Eckersley of the Electronic Frontier Foundation showed that tracking various browser attributes provided enough information to identify the vast majority of machines surfing the Web. Of the 470,000-plus users who had participated at that point in his public Panopticlick project, 84 percent of their browsers produced unique fingerprints (94 percent if you count those that supported Flash or Java). The attributes Eckersley logged included the user’s screen size, time zone, browser plug-ins, and set of installed system fonts.

We have expanded on Eckersley’s study by examining not just what kinds of fingerprinting are theoretically possible but, more to the point, what is actually going on in the wilds of the Internet’s tracking ecosystem. We started our analysis at the University of Leuven, in Belgium, by first identifying and studying the code of three large fingerprinting providers: BlueCava, Iovation, and ThreatMetrix.

The results were rather chilling. The tactics these companies use go far beyond Eckersley’s probings. For instance, we found that one company uses a clever, indirect method of identifying the installed fonts on a user machine, without relying on the machine to volunteer this information, as Eckersley’s software did.

We also discovered fingerprinting code that exploits Adobe Flash as a way of telling whether people are trying to conceal their IP addresses by communicating via intermediary computers known as proxies. In addition, we exposed Trojan horse–like fingerprinting plug-ins, which run surreptitiously after a user downloads and installs software unrelated to fingerprinting, such as an online gambling application.

With the information we gathered about these three companies, we created and ran a program that autonomously browses the Web and detects when a website is trying to fingerprint it. The purpose of this experiment was to find more players in the fingerprinting game, ones less well known than the three we studied initially.

We quickly uncovered 16 additional fingerprinters. Some were in-house trackers, used by individual companies to monitor their users without sharing the information more widely. The rest were offered as products by such companies as Coinbase, MaxMind, and Perferencement.

And it seems the companies selling this software are finding buyers. Our results showed that 159 of Alexa’s 10,000 most-visited websites track their users with such fingerprinting software. We also found that more than 400 of the million most popular websites on the Internet have been using JavaScript-only fingerprinting, which works on Flash-less devices such as the iPhone or iPad. Worse, our experiment revealed that users continue to be fingerprinted even if they have checked “Do Not Track” in their browser’s preferences.

Browser fingerprinting is becoming common, and yet people are mostly in the dark about it. Even when they’re made aware that they’re being tracked, say, as a fraud-protection measure, they are, in essence, asked to simply trust that the information collected won’t be used for other purposes. One of those is targeted advertising, which works even when users switch into their browsers’ private mode or delete their cookies. What are those unwilling to go along with this new form of tracking doing about it?

As part of our research on browser fingerprinting, we examined various tools that people are using to combat it. One popular approach is installing browser extensions that let you change the values that identify your browser to the server. Such modifications allow users to occasionally trick servers into dishing out pages customized for different browsers or devices. Using these extensions, Firefox devotees on computers running Linux, for example, can pretend to be Internet Explorer fans running Microsoft Windows. Other extensions go further, reporting false dimensions for the screen size and limiting the probing of fonts.

Our analysis showed that a mildly accomplished fingerprinter could easily overcome any of these supposedly privacy-enhancing browser extensions. That’s because modern browsers are huge pieces of software, each with its own quirks. And these idiosyncrasies give away the true nature of the browser, regardless of what it claims to be.

This makes those privacy-protecting extensions useless. In fact, they are worse than useless. Resorting to them is like trying to hide your comings and goings in a small town by disguising your car. If you get a rental, that might work. But if you merely replace the chrome lettering on your Prius with lettering taken from the back of a Passat, not only will your ruse be obvious, you will have now marked your car in a way that makes it easy to distinguish from the many other Priuses on the road. Similarly, installing such a fingerprint-preventing browser extension only makes you stand out more.

Given that advertising is the Web’s No. 1 industry and that tracking is a crucial component of it, we believe that user profiling in general and fingerprinting in particular are here to stay. But more-stringent regulations and more-effective technical countermeasures might one day curb the worst abuses.

We and other researchers are indeed trying to come up with better software to thwart fingerprinting. A straightforward solution might be to stop the fingerprinting scripts from ever loading in browsers, similar to the way ad blockers work. By maintaining a blacklist of problematic scripts, an antifingerprinting extension could detect their loading and prohibit their execution.

One challenge is that the blacklist would have to be revised constantly to keep up with the changes that trackers would surely make in response. Another issue is that we don’t know whether the loading of fingerprinting scripts is necessary for the functionality of certain websites. Even if it’s not required now, websites could be changed to refuse loading of their pages unless the fingerprinting scripts are present and operational, which would discourage people from trying to interfere with them.

A more effective way of approaching the problem would be for many people to share the same fingerprint. To some extent that is happening now with smartphones, which can’t be customized to the degree that desktop or laptop computers can. So phones currently present fewer opportunities for fingerprinters. It might be possible to make other kinds of computers all look alike if Web browsing were done through a cloud service, one that treats the browser running on the user’s PC simply as a terminal. Trackers would then be able to detect only the cloud browser’s fingerprint.

Companies offering cloud-based browsing already exist, but it’s not clear to us whether the browsers that are exposed to potential fingerprinters actually operate in the cloud. Still, there’s no reason to think that a system for preventing fingerprinting with a cloud browser couldn’t be engineered. For some of us, anyway, it could be worth adopting, even if it involved monthly charges. After all, doing nothing has a price, too—perhaps one as steep as forfeiting online privacy for good.

This article originally appeared in print as “Browse at Your Own Risk.”


About the Authors

Nick Nikiforakis, who joins the faculty of New York’s Stony Brook University in September, works at the University of Leuven, in Belgium, where coauthor Günes Acar is a Ph.D. student. Nikiforakis was raised in Greece, where the Muppets are somewhat obscure, but he sometimes refers to the creepy new technique as a “cookieless monster”—an apt label if you value your privacy.
------------------------
My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

User avatar

Topic Author
Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

anti-fingerprinting (browser) tools & limitations

Postby Pattern_Juggled » Sun Feb 01, 2015 5:57 pm

Here's the bits that most directly relate to an ongoing discussion of anti-fingerprinting tools on twitter:

Graze wrote:As part of our research on browser fingerprinting, we examined various tools that people are using to combat it. One popular approach is installing browser extensions that let you change the values that identify your browser to the server. Such modifications allow users to occasionally trick servers into dishing out pages customized for different browsers or devices. Using these extensions, Firefox devotees on computers running Linux, for example, can pretend to be Internet Explorer fans running Microsoft Windows. Other extensions go further, reporting false dimensions for the screen size and limiting the probing of fonts.

Our analysis showed that a mildly accomplished fingerprinter could easily overcome any of these supposedly privacy-enhancing browser extensions. That’s because modern browsers are huge pieces of software, each with its own quirks. And these idiosyncrasies give away the true nature of the browser, regardless of what it claims to be.


and

A more effective way of approaching the problem would be for many people to share the same fingerprint. To some extent that is happening now with smartphones, which can’t be customized to the degree that desktop or laptop computers can. So phones currently present fewer opportunities for fingerprinters. It might be possible to make other kinds of computers all look alike if Web browsing were done through a cloud service, one that treats the browser running on the user’s PC simply as a terminal. Trackers would then be able to detect only the cloud browser’s fingerprint.

Companies offering cloud-based browsing already exist, but it’s not clear to us whether the browsers that are exposed to potential fingerprinters actually operate in the cloud. Still, there’s no reason to think that a system for preventing fingerprinting with a cloud browser couldn’t be engineered. For some of us, anyway, it could be worth adopting, even if it involved monthly charges. After all, doing nothing has a price, too—perhaps one as steep as forfeiting online privacy for good.


...interesting. I think there's obvious alternative approaches that come at this issue orthogonally, but I'm hoping others have feedback before I bore folks to death with my usual "need moar entropy" prattle. :-P

Cheers,

~ pj
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Identity leaks via browser disclosures

Postby marzametal » Sat May 09, 2015 7:10 am

DesuStrike wrote:Wow! Very good find Marzametal!
This basically makes the addon redundant! I'll have to try this out on Linux but first I have to find the appropriate folder.

This thread is a gold mine! I'm this close from making it a sticky.

Ubuntu 14.04...

cd ~/.macromedia
rm -r Flash_Player
rm -r #SharedObjects (correct me if there is a space between the words)
sudo nano Flash_Player
... hit ctrl o and then ctrl x

done... :) remove better privacy from browser and enjoy!

User avatar

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: browser fingerprinting: research, defences, future avenues of development

Postby marzametal » Tue Mar 22, 2016 5:27 am

In Firefox 45 and above, the addon "Random Agent Spoofer" has borked. The Script Injection options don't seem to commit, even though the Developer has confirmed on GitHub that the code executes.

The relevant issue thread can be found here.

User avatar

sysfu
Posts: 52
Joined: Mon Nov 24, 2014 10:22 am

Re: browser fingerprinting: research, defences, future avenues of development

Postby sysfu » Fri Mar 25, 2016 4:41 am

Adguard has a stealth mode feature that foils some of these tracking methods.


Return to “general chat, suggestions, industry news”

Who is online

Users browsing this forum: No registered users and 13 guests

Login