How Unique Is Your Web Browser?
- Peter Eckersley
We investigate the degree to which modern web browsers are subject to “device fingerprinting” via the version and configuration information that they will transmit to websites upon request. We implemented one possible fingerprinting algorithm, and collected these fingerprints from a large sample of browsers that visited our test site, panopticlick.eff.org. We observe that the distribution of our fingerprint contains at least 18.1 bits of entropy, meaning that if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint. Among browsers that support Flash or Java, the situation is worse, with the average browser carrying at least 18.8 bits of identifying information. 94.2% of browsers with Flash or Java were unique in our sample.
By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an “upgraded” version of a previously observed browser’s fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%.
We discuss what privacy threat browser fingerprinting poses in practice, and what countermeasures may be appropriate to prevent it. There is a tradeoff between protection against fingerprintability and certain kinds of debuggability, which in current browsers is weighted heavily against privacy. Paradoxically, anti-fingerprinting privacy technologies can be self-defeating if they are not used by a sufficient number of people; we show that some privacy measures currently fall victim to this paradox, but others do not.
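The following is an added example, not code from the paper or from Panopticlick. It computes the metrics the abstract uses (entropy in bits, per-fingerprint identifying information, fraction of unique browsers) and shows the adoption paradox: a "hardened" configuration identifies its users more than a stock one when few browsers use it, and less when many do. All fingerprints, names and population sizes are constructed for illustration.

```python
import math
from collections import Counter

def surprisal_bits(count, total):
    """Identifying information (bits) of a fingerprint shared by `count` of `total` browsers."""
    return -math.log2(count / total)

def analyse(fingerprints):
    """Return (Shannon entropy in bits, fraction of unique browsers, bits per fingerprint)."""
    total = len(fingerprints)
    counts = Counter(fingerprints)
    bits = {fp: surprisal_bits(c, total) for fp, c in counts.items()}
    entropy = sum(c / total * bits[fp] for fp, c in counts.items())
    unique = sum(1 for c in counts.values() if c == 1) / total
    return entropy, unique, bits

# Constructed data: four stock configurations and one hardened configuration.
STOCK = [("UA-A", "plugins-1"), ("UA-B", "plugins-1"),
         ("UA-A", "plugins-2"), ("UA-B", "plugins-2")]
HARDENED = ("UA-generic", "no-plugins")

def population(adopters, total=1024):
    """Sample in which `adopters` browsers use HARDENED and the rest split evenly over STOCK."""
    per_stock, remainder = divmod(total - adopters, len(STOCK))
    if remainder:
        raise ValueError("non-adopters must divide evenly across stock configurations")
    sample = [HARDENED] * adopters
    for fp in STOCK:
        sample += [fp] * per_stock
    return sample

def hardened_vs_stock(adopters):
    """Bits of identifying information for a hardened browser and for a stock browser."""
    _, _, bits = analyse(population(adopters))
    return bits[HARDENED], bits[STOCK[0]]

if __name__ == "__main__":
    for adopters in (4, 512):
        hardened, stock = hardened_vs_stock(adopters)
        print(f"{adopters:4d} adopters: hardened {hardened:.2f} bits, stock {stock:.2f} bits")
```
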
- Title: How Unique Is Your Web Browser?
- Book Title: Privacy Enhancing Technologies
- Book Subtitle: 10th International Symposium, PETS 2010, Berlin, Germany, July 21-23, 2010. Proceedings
- Pages: pp 1-18
- Series Title: Lecture Notes in Computer Science
- Publisher: Springer Berlin Heidelberg
- Copyright Holder: Springer-Verlag Berlin Heidelberg 2010