FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12756)

Abstract

Browser fingerprinting has established itself as a stateless technique to identify users on the Web. In particular, it is a highly criticized technique to track users. However, we believe that this identification technique can serve more virtuous purposes, such as bot detection or multi-factor authentication. In this paper, we explore the adoption of browser fingerprinting for security-oriented purposes. More specifically, we study 4 types of web pages that require security mechanisms to process user data: sign-up, sign-in, basket and payment pages. We visited 1,485 pages on 446 domains and we identified the acquisition of browser fingerprints from 405 pages. By using an existing classification technique, we identified 169 distinct browser fingerprinting scripts included in these pages. By investigating the origins of the browser fingerprinting scripts, we identified 12 security-oriented organizations who collect browser fingerprints on sign-up, sign-in, and payment pages. Finally, we assess the effectiveness of browser fingerprinting against two potential attacks, namely stolen credentials and cookie hijacking. We observe browser fingerprinting being successfully used to enhance web security.

Keywords

  • Browser fingerprinting
  • Web security
  • Cookies
  • Multifactor authentication

Notes

  1. https://haveibeenpwned.com/

  2. https://zenodo.org/record/3872144

  3. https://www.creditcardvalidator.org/

  4. https://www.geetest.com/en/demo

  5. https://zenodo.org/record/3872144

Corresponding author

Correspondence to Antonin Durey.

A Selected Search Keywords

We used the following list of keywords to get specific website types:

  • Bank
  • Money transfer service
  • Stock trading
  • Financial
  • Cryptocurrency
  • Social insurance
  • Taxes
  • Healthcare
  • Job search
  • News
  • Email
  • Adult
  • Dating
  • Metro/train/flight tickets
  • Flight companies
  • Travel agencies
  • Airlines
  • Event ticket
  • Sport ticket
  • Social network
  • Ecommerce
  • Shopping
  • TV channel
  • Streaming
  • Bet games
  • Poker
  • Online game

We used the following list of countries for our experiment:

  • United States
  • Japan
  • Germany
  • France
  • Russia
  • Spain
  • United Kingdom
  • India
  • China

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Durey, A., Laperdrix, P., Rudametkin, W., Rouvoy, R. (2021). FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science, vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_12

  • DOI: https://doi.org/10.1007/978-3-030-80825-9_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-80824-2

  • Online ISBN: 978-3-030-80825-9

  • eBook Packages: Computer Science, Computer Science (R0)