  1. Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints
     Pierre Laperdrix, Walter Rudametkin, Benoit Baudry

  2. [Slide 2 of 19: no extracted text]

  3. Example of a fingerprint

     Attribute          Value
     User agent         Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0
     HTTP headers       Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                        Accept-Encoding: gzip, deflate
                        Accept-Language: en-US,en;q=0.5
     Plugins            Plugin 0: QuickTime Plug-in 7.6.6; libtotem-narrowspace-plugin.so
                        Plugin 1: Shockwave Flash; Shockwave Flash 11.2 r202; libflashplayer.so
     Fonts              Century Schoolbook, Source Sans Pro Light, DejaVu Sans Mono, Bitstream Vera Serif, URW Palladio L, Bitstream Vera Sans Mono, Bitstream Vera Sans, ...
     Platform           Linux i686
     Screen resolution  1920x1080x24
     Timezone           -480 (UTC+8)

  4. Evolution of the browser landscape

     Explosion of mobile devices
     • More users on mobile devices
     • Time spent on mobile devices is bigger than on desktops

  5. Evolution of the browser landscape

     Explosion of mobile devices
     New browser APIs
     • Canvas API
     • WebGL API

  6. Evolution of the browser landscape

     Explosion of mobile devices
     New browser APIs
     Disappearance of browser plugins
     • NPAPI plugins are being deprecated
     • Sites using Flash are dropping

  7. Example of a fingerprint (extended)

     The same fingerprint as on slide 3, with the attributes the newer APIs expose:

     Attribute          Value
     OS                 Linux 3.14.3-200.fc20.x86 32-bit
     WebGL vendor       NVIDIA Corporation
     WebGL renderer     GeForce GTX 650 Ti/PCIe/SSE2
     Canvas             (rendered image, not extracted; see slides 13 to 16)

  8. AmIUnique.org

  9. Most revealing attributes

     [Bar chart: normalized Shannon entropy in [0,1] per attribute, for All / Desktop / Mobile fingerprints]

     • 150,000+ fingerprints collected so far
     • 90% of the fingerprints are unique → tracking is possible

  10. Boolean attributes

     [Bar chart: normalized Shannon entropy of Cookies enabled, Do Not Track and Use of local storage, for All / Desktop / Mobile]

     • Collection of "Yes" or "No" answers
     • Very low entropy
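The normalized Shannon entropy scale used on the charts of slides 9 to 13, as an added JavaScript example that is not part of the slides: for one attribute, H = -Σ p·log2(p) over the values observed across N fingerprints, divided by log2(N), the entropy of the worst case where every fingerprint has a distinct value. That normalization is the one the AmIUnique study uses, so 1.0 means the attribute alone singles everyone out and 0 means everyone shares one value, which is why the booleans of slide 10 score so low. The block also computes the share of fingerprints that are unique in the data set (the "90% unique" figure of slide 9). The fingerprint records are constructed sample data, not amiunique.org records, and the function names are mine.

```javascript
// Added example (not from the slides): normalized Shannon entropy per attribute and the
// fraction of unique fingerprints, the two numbers the AmIUnique charts report.
// SAMPLE_FINGERPRINTS is constructed test data; the first record reuses the slide's Firefox UA.

const SAMPLE_FINGERPRINTS = [
  { userAgent: 'Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0',
    plugins: 'QuickTime Plug-in 7.6.6; Shockwave Flash 11.2 r202',
    cookiesEnabled: 'yes', timezone: '-480' },
  { userAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36',
    plugins: 'Shockwave Flash 19.0 r0; Widevine Content Decryption Module; Native Client',
    cookiesEnabled: 'yes', timezone: '300' },
  { userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7',
    plugins: 'QuickTime Plug-in 7.7.3',
    cookiesEnabled: 'yes', timezone: '300' },
  { userAgent: 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0',
    plugins: 'Shockwave Flash 11.2 r202; Java Deployment Toolkit 8.0.660.18',
    cookiesEnabled: 'no', timezone: '-60' },
  { userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1',
    plugins: '', cookiesEnabled: 'yes', timezone: '-480' },
  { userAgent: 'Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.76 Mobile Safari/537.36',
    plugins: '', cookiesEnabled: 'yes', timezone: '0' },
  // Two identical records (think of a corporate desktop image): neither is unique.
  { userAgent: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36',
    plugins: 'Shockwave Flash 19.0 r0; Widevine Content Decryption Module',
    cookiesEnabled: 'yes', timezone: '300' },
  { userAgent: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36',
    plugins: 'Shockwave Flash 19.0 r0; Widevine Content Decryption Module',
    cookiesEnabled: 'yes', timezone: '300' },
];

// H = -sum(p * log2 p) over the distinct values of one attribute, in bits.
function shannonEntropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// H / log2(N): 1.0 when every fingerprint has its own value, 0 when all share one.
function normalizedEntropy(values) {
  const n = values.length;
  if (n < 2) return 0;           // one record carries no information about diversity
  return shannonEntropyBits(values) / Math.log2(n);
}

// Normalized entropy of every attribute present in the first record.
function attributeEntropies(fingerprints) {
  const out = {};
  for (const attr of Object.keys(fingerprints[0])) {
    out[attr] = normalizedEntropy(fingerprints.map(fp => fp[attr]));
  }
  return out;
}

// The "most revealing attributes" ordering of slide 9, highest entropy first.
function rankAttributes(fingerprints) {
  return Object.entries(attributeEntropies(fingerprints))
    .map(([attribute, entropy]) => ({ attribute, entropy }))
    .sort((a, b) => b.entropy - a.entropy);
}

// Share of fingerprints seen exactly once: the "90% unique" number of slide 9.
function uniqueFraction(fingerprints) {
  const key = fp => Object.keys(fp).sort().map(k => `${k}=${fp[k]}`).join('\u0000');
  const seen = new Map();
  for (const fp of fingerprints) {
    const k = key(fp);
    seen.set(k, (seen.get(k) || 0) + 1);
  }
  let unique = 0;
  for (const fp of fingerprints) if (seen.get(key(fp)) === 1) unique++;
  return unique / fingerprints.length;
}

for (const { attribute, entropy } of rankAttributes(SAMPLE_FINGERPRINTS)) {
  console.log(attribute.padEnd(16), entropy.toFixed(3));
}
console.log('unique fraction', uniqueFraction(SAMPLE_FINGERPRINTS));
```

On the sample data the user agent ranks first, the plugin list second, the timezone third and the cookie boolean far behind, the same shape as the slides, and 6 of the 8 records are unique. Note that a normalized value depends on N: an attribute that looks maximally revealing over ten records can score much lower over 150,000, which is why the slides quote the size of the data set next to the chart.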

  11. Plugins and fonts

     [Bar chart: normalized Shannon entropy of List of plugins and List of fonts, for All / Desktop / Mobile]

     • Among the top 3 most revealing attributes for desktops
     • Confirms Panopticlick's findings from 2010
     • Incredible wealth discovered:
       ✓ 2,458 plugins detected
       ✓ 221,804 fonts detected

  12. User agent

     [Bar chart: normalized Shannon entropy of the user agent, for All / Desktop / Mobile]

     Example from the Facebook application:
     Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 [FBAN/FBIOS;FBAV/46.0.0.54.156;FBBV/18972819;FBDV/iPhone7,1;FBMD/iPhone;FBSN/iPhone OS;FBSV/9.2.1;FBSS/3; FBCR/Verizon;FBID/phone;FBLC/en_US;FBOP/5]

     1 out of 4 smartphones are uniquely recognizable with just the user agent.
     → Presence of the model and the firmware version
     → Phone operator added by the app
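What the in-app user agent of slide 12 gives away, as an added JavaScript example that is not part of the slides: the bracketed suffix the Facebook iOS app appends is a ';'-separated list of KEY/VALUE pairs, so a collector only has to split it to get the device model, the iOS build and the carrier, none of which a plain Safari user agent on the same phone carries. The meaning assigned to FBDV, FBSV, FBCR, FBSS and FBLC is inferred from the values in the slide's own string (iPhone7,1 is a hardware model identifier, 9.2.1 the OS version, Verizon a carrier); the comparison Safari user agent and the function names are my assumptions.

```javascript
// Added example (not from the slides): parse the device fields an in-app browser
// appends to its user agent. FB_APP_UA is the string shown on slide 12.
const FB_APP_UA =
  'Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 ' +
  '(KHTML, like Gecko) Mobile/13D15 [FBAN/FBIOS;FBAV/46.0.0.54.156;FBBV/18972819;' +
  'FBDV/iPhone7,1;FBMD/iPhone;FBSN/iPhone OS;FBSV/9.2.1;FBSS/3; FBCR/Verizon;' +
  'FBID/phone;FBLC/en_US;FBOP/5]';

// Constructed for comparison: Safari on the same iOS build, no app suffix.
const SAFARI_UA =
  'Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 ' +
  '(KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1';

// Return the KEY -> VALUE map of a trailing "[K/V;K/V;...]" suffix, or null if absent.
function parseAppSuffix(ua) {
  const m = /\[([^\]]*)\]\s*$/.exec(ua);
  if (!m) return null;
  const fields = {};
  for (const part of m[1].split(';')) {
    const p = part.trim();                 // the slide's string has "FBSS/3; FBCR/..."
    if (!p) continue;
    const slash = p.indexOf('/');          // split on the first '/' only: "FBAV/46.0.0.54.156"
    if (slash < 0) continue;
    fields[p.slice(0, slash)] = p.slice(slash + 1);
  }
  return fields;
}

// The extra identifying attributes the app leaks beyond what Safari would send.
// Field meanings are inferred from the slide's example values (assumption).
function appLeakedAttributes(ua) {
  const f = parseAppSuffix(ua);
  if (!f) return { inAppBrowser: false };
  return {
    inAppBrowser: true,
    model: f.FBDV || null,        // hardware model identifier, e.g. iPhone7,1
    osVersion: f.FBSV || null,    // firmware version, e.g. 9.2.1
    carrier: f.FBCR || null,      // phone operator, e.g. Verizon
    screenScale: f.FBSS || null,  // display scale factor, e.g. 3
    locale: f.FBLC || null,       // e.g. en_US
  };
}

console.log(appLeakedAttributes(FB_APP_UA));
console.log(appLeakedAttributes(SAFARI_UA));
```

Model plus OS version plus carrier is already a far smaller bucket than "iPhone on iOS 9.2.1", which is the mechanism behind the slide's "1 out of 4 smartphones" figure; a server-side collector would simply store these fields next to the other attributes. The parse is tolerant of the stray space in the slide's string and of fields without a '/', so a slightly different app build does not break it.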

  13. Canvas fingerprinting

     [Bar chart: normalized Shannon entropy of the canvas test, for All / Desktop / Mobile]

     • Canvas API to draw shapes and render strings
     • First large-scale analysis, on AmIUnique
     • Depends on both hardware and software

  14. Canvas fingerprinting: how it works

     [Diagram of the exchange between the website and the browser]
     • Send JavaScript script
     • Receive canvas result

  15. Canvas fingerprinting: our test

     [Image of the rendered test, with regions labelled 1, 2 and 3]

  16. Canvas fingerprinting: our results

     • 4th highest revealing attribute
     • Really stable test
     • Diversity of renderings between devices
     • Diversity of emojis between smartphones ("Smiling face with open mouth" emoji, U+1F603)
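The canvas test of slides 14 to 16 as an added JavaScript example (this is not AmIUnique's own script; the strings, fonts, colours and coordinates are assumptions, and `runCanvasTest`, `fnv1a32` and `canvasFingerprint` are my names): the page draws text in a real font and in a non-existent font (which forces the platform's default fallback), the U+1F603 emoji, and two overlapping translucent arcs into an off-screen canvas, exports the PNG with `toDataURL()`, and hashes the data URL into a short token to send back. Each of those steps depends on something that differs between devices: installed fonts and hinting, the emoji font, anti-aliasing and blending in the GPU or driver path.

```javascript
// Added example (not AmIUnique's script): a canvas fingerprinting test in the spirit of
// slides 14 to 16. In a browser it runs on page load; the functions are also usable
// with any HTMLCanvasElement-like object, which is how it can be exercised off-line.

const EMOJI_SMILING_OPEN_MOUTH = '\u{1F603}';   // the emoji named on slide 16
// Pangram-style text: exercises many glyph shapes. The exact string is an assumption.
const CANVAS_TEXT = 'Cwm fjordbank glyphs vext quiz ' + EMOJI_SMILING_OPEN_MOUTH;

// Step 1 (client): render the test and export the pixels as a PNG data URL.
function runCanvasTest(canvas) {
  canvas.width = 320;
  canvas.height = 70;
  const ctx = canvas.getContext('2d');
  ctx.textBaseline = 'top';
  // A real font: the installed glyphs and the rasterizer's hinting decide the bitmap.
  ctx.font = '14px Arial';
  ctx.fillStyle = '#f60';
  ctx.fillRect(120, 5, 60, 20);
  ctx.fillStyle = '#069';
  ctx.fillText(CANVAS_TEXT, 2, 5);
  // A font that exists nowhere: the browser substitutes its default fallback font,
  // which differs between operating systems.
  ctx.font = '18px no-such-font-xyz';
  ctx.fillStyle = 'rgba(102, 204, 0, 0.7)';
  ctx.fillText(CANVAS_TEXT, 4, 30);
  // Overlapping translucent arcs: blending and anti-aliasing differ per implementation.
  ctx.globalCompositeOperation = 'multiply';
  ctx.fillStyle = 'rgb(255,0,255)';
  ctx.beginPath(); ctx.arc(50, 50, 18, 0, Math.PI * 2, true); ctx.closePath(); ctx.fill();
  ctx.fillStyle = 'rgb(0,255,255)';
  ctx.beginPath(); ctx.arc(80, 50, 18, 0, Math.PI * 2, true); ctx.closePath(); ctx.fill();
  return canvas.toDataURL('image/png');
}

// Step 2: reduce the (kilobytes of) data URL to a short token. FNV-1a 32-bit is
// enough to tell renderings apart; a collector would store this next to the PNG.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

function canvasFingerprint(canvas) {
  return fnv1a32(runCanvasTest(canvas)).toString(16).padStart(8, '0');
}

// Step 3 (browser only): run the test and hand the token to the collecting page.
if (typeof document !== 'undefined') {
  const token = canvasFingerprint(document.createElement('canvas'));
  console.log('canvas token', token);
  // A real collector would POST it, e.g. fetch('/collect', { method: 'POST', body: token }).
}
```

Run it twice on one machine and the token is the same (the stability slide 16 reports); run it on two machines with different fonts, emoji fonts or GPU drivers and it differs (the diversity). Two caveats a practitioner will hit: Tor Browser asks the user before releasing canvas pixels, and anti-fingerprinting extensions may hand back a blank or deliberately noised image, so the token is then useless for tracking but the attempt itself is visible to the user.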

  17. Future scenario: the end of browser plugins

     [Bar chart: entropy of the plugin list with NPAPI support Enabled / Disabled / Removed]

     • The global entropy of plugins is rapidly dropping.
     • Their use in fingerprinting is becoming limited.

  18. Future scenario: life without JavaScript

     • Simulation of an unlikely return to a static web

     [Bar chart: percentage of unique fingerprints, With JS / Without JS / Without JS + Generic UA]

  19. Conclusion

     • Browser fingerprinting in 2016 is still as easy as it was in 2010
     • Canvas fingerprinting is stable and has high entropy
     • Mobile fingerprinting is possible but different from desktop fingerprinting
     • Simple browser modifications could drastically improve privacy without impacting the way the web currently works
