Abstract
Browsers and their users can be tracked even in the absence of a persistent IP address or cookie. Unique and hence identifying pieces of information, making up what is known as a fingerprint, can be collected from browsers by a visited website, e.g. using JavaScript. However, browsers vary in precisely what information they make available, and hence their fingerprintability may also vary. In this paper, we report on the results of experiments examining the fingerprintable attributes made available by a range of modern browsers. We tested the most widely used browsers for both desktop and mobile platforms. The results reveal significant differences between browsers in terms of their fingerprinting potential, meaning that the choice of browser has significant privacy implications.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
All the scripts used in our experiments are publicly available — see Appendix A.
- 2.
https://www.netmarketshare.com/browser-market-share.aspx [accessed on 03/03/2017].
- 3.
https://browserleaks.com/webrtc#webrtc-device-id [accessed on 03/03/2017].
- 4.
https://webrtc.org [accessed on 03/03/2017].
- 5.
Red green blue alpha (opacity).
- 6.
A STUN server (i.e. a Session Traversal of User Datagram Protocol Through Network Address Translators (NATs) server) allows a NAT client to set up interactive communications such as a phone call to a VoIP provider hosted outside the local network.
- 7.
- 8.
The ULA is the approximate IPv6 counterpart of the IPv4 private address; see https://tools.ietf.org/html/rfc4193 [accessed 03/03/2017].
- 9.
All tested browsers feature a privacy mode; however, every browser has a different name for it. In the case of Chrome, it is called incognito.
- 10.
- 11.
- 12.
References
Acar, G., Eubank, C., Englehardt, S., Juárez, M., Narayanan, A., Díaz, C.: The web never forgets: persistent tracking mechanisms in the wild. In: Ahn, G., Yung, M., Li, N. (eds.) Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November, 2014, pp. 674–689. ACM (2014). http://doi.acm.org/10.1145/2660267.2660347
Acar, G., Juárez, M., Nikiforakis, N., Díaz, C., Gürses, S.F., Piessens, F., Preneel, B.: Fpdetective: dusting the web for fingerprinters. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 1129–1140. ACM (2013). http://doi.acm.org/10.1145/2508859.2516674
Alaca, F., van Oorschot, P.C.: Device fingerprinting for augmenting web authentication: classification and analysis of methods. In: Schwab, S., Robertson, W.K., Balzarotti, D. (eds.) Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, Los Angeles, CA, USA, 5–9 December, 2016, pp. 289–301. ACM (2016). http://dl.acm.org/citation.cfm?id=2991091
Cao, Y., Li, S., Wijmans, E.: (cross-)browser fingerprinting via os and hardware level features. In: 24th Annual Network and Distributed System Security Symposium, NDSS 2017, San Diego, California, USA, 26 February - 1. The Internet Society (2017). http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf
Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14527-8_1
Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 1388–1401. ACM (2016). http://doi.acm.org/10.1145/2976749.2978313
Fifield, D., Egelman, S.: Fingerprinting web users through font metrics. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 107–124. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47854-7_7
Fiore, U., Castiglione, A., Santis, A.D., Palmieri, F.: Countering browser fingerprinting techniques: constructing a fake profile with google chrome. In: Barolli, L., Xhafa, F., Takizawa, M., Enokido, T., Castiglione, A., Santis, A.D. (eds.) 17th International Conference on Network-Based Information Systems, NBiS 2014, Salerno, Italy, 10–12 September 2014, pp. 355–360. IEEE Computer Society (2014). http://dx.doi.org/10.1109/NBiS.2014.102
Jakus, G., Jekovec, M., Tomažič, S., Sodnik, J.: New technologies for web development. Elektrotehniški vestnik 77(5), 273–280 (2010)
Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, 22–26 May 2016, pp. 878–894. IEEE Computer Society (2016). http://dx.doi.org/10.1109/SP.2016.57
Mowery, K., Shacham, H.: Pixel perfect: fingerprinting canvas in HTML5. In: Fredrikson, M. (ed.) Proceedings of W2SP 2012. IEEE Computer Society, May 2012
Nikiforakis, N., Joosen, W., Livshits, B.: Privaricator: deceiving fingerprinters with little white lies. In: Proceedings of the 24th International Conference on World Wide Web, WWW 2015, Florence, Italy, 18–22 May 2015, pp. 820–830. ACM Press (2015). http://doi.acm.org/10.1145/2736277.2741090
Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of web-based device fingerprinting. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, 19–22 May, 2013, pp. 541–555. IEEE Computer Society (2013). http://dx.doi.org/10.1109/SP.2013.43
Olejnik, Ł., Acar, G., Castelluccia, C., Diaz, C.: The leaking battery — a privacy analysis of the HTML5 battery status API. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/QASA -2015. LNCS, vol. 9481, pp. 254–263. Springer, Cham (2016). doi:10.1007/978-3-319-29883-2_18
Perta, V.C., Barbera, M.V., Tyson, G., Haddadi, H., Mei, A.: A glance through the VPN looking glass: Ipv6 leakage and DNS hijacking in commercial VPN clients. PoPETs 2015(1), 77–91 (2015). http://www.degruyter.com/view/j/popets.2015.1.issue-1/popets-2015-0006/popets-2015-0006.xml
Acknowledgments
We would like to thank Professor Chris Mitchell for his guidance, encouragement and advice. The second author was supported by the EPSRC, grant number EP/N028554/1.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendices
A Test Code
The scripts used in our experiments were gathered from the following websites:
Some scripts were modified to suit our testing. All the code we used for testing is available at our website https://fingerprintable.org.
B Browser and OS Versions
Browser | OS |
---|---|
Desktop | |
Chrome 56.0.2924.87 (64-bit) | Windows 10.0.14393 Build 14393 |
Microsoft Internet Explorer 11.576.14393.0 | Windows 10.0.14393 Build 14393 |
Firefox 51.2 (32-bit) | Windows 10.0.14393 Build 14393 |
Microsoft Edge 38.14393.0.0 | Windows 10.0.14393 Build 14393 |
Safari 10.0.3 (12602.4.8) | macOS Sierra 10.12.3 |
Mobile | |
Chrome 56.0.2924.87 | Android 7.0 (Build 39.2.A.0.374) |
Safari 602.1 | iOS 10.2.1(14d27) |
Opera Mini 22.0.2254.113472 | Android 7.0 (Build 39.2.A.0.374) |
Firefox 51.0.3 | Android 7.0 (Build 39.2.A.0.374) |
Microsoft Edge 38.14393.693.0 | Windows 10 Mobile (OS Build: 10.0.14393.693) |
C Specifications of Devices Used for Experiments
OS | CPU | GPU | RAM |
---|---|---|---|
Desktop | |||
Windows | Intel Core i7-4720HQ 2.6 GHz | NVIDIA GeForce GTX 960 M | 16.0 GB |
Windows | Intel Core i5-5200U 2.2 GHz | Intel HD Graphics 5500 | 12.0 GB |
macOS | Intel Core i5 2.7 GHz | Intel Iris Graphics 6100 | 8.0 GB |
macOS | Intel Core i7 2.7 GHz | Intel HD Graphics 530 | 16.0 GB |
Mobile | |||
Android | Qualcomm Snapdragon 820 64-bit | Adreno 530 | 3.0 GB |
Android | Qualcomm Snapdragon 801 2.5 GHz | Adreno 330 | 3.0 GB |
iOS | A8 chip 64-bit | PowerVR GX6450 | 1.0 GB |
iOS | A9 chip 64-bit | PowerVR GT7600 | 2.0 GB |
Windows | Qualcomm Snapdragon 400 1.2 GHz | Adreno 305 | 1.0 GB |
Windows | Qualcomm Snapdragon 200 1.2 GHz | Adreno 302 | 1.0 GB |
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Al-Fannah, N.M., Li, W. (2017). Not All Browsers are Created Equal: Comparing Web Browser Fingerprintability. In: Obana, S., Chida, K. (eds) Advances in Information and Computer Security. IWSEC 2017. Lecture Notes in Computer Science(), vol 10418. Springer, Cham. https://doi.org/10.1007/978-3-319-64200-0_7
Download citation
DOI: https://doi.org/10.1007/978-3-319-64200-0_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64199-7
Online ISBN: 978-3-319-64200-0
eBook Packages: Computer ScienceComputer Science (R0)