Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna; The Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting; In Proceedings of the IEEE Symposium on Security & Privacy (SP); 2013; pages 541-555 (15 pages).
The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users.
In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need for client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plugins.
At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use deviations among the browsers' implementations to successfully distinguish not only the browser family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass these extensions and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
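The two points above, a cookieless identifier built from implementation-level features and a consistency check that exposes user-agent spoofing extensions, as an added example. This is not code from the paper or from any of the fingerprinting providers it studied; the probe field names, the `analyze`/`collectProbes` functions, the feature set and the sample User-Agent strings are this example's own assumptions. The `navigator.vendor` values and the `window.chrome` global are real browser behaviour; everything else is illustrative.

```javascript
"use strict";

// Added example, not code from the paper or any fingerprinting vendor.
// It shows (1) a cookieless identifier derived from implementation-level
// features and (2) a consistency check between the family a User-Agent
// string *claims* and the family the engine actually reveals. A mismatch
// indicates a UA-spoofing extension, and the mismatch itself is then fed
// back into the fingerprint as one more feature.

// Family claimed by the UA string. Chromium UAs also contain "Safari/" and
// Edge UAs contain "Chrome/", so the most specific token is tested first.
function claimedFamily(ua) {
  if (/Firefox\//.test(ua)) return "firefox";
  if (/Edg\//.test(ua) || /Chrome\//.test(ua)) return "chromium";
  if (/Safari\//.test(ua)) return "safari";
  return "unknown";
}

// Family implied by navigator.vendor, which UA-spoofing add-ons commonly
// leave untouched. These are the values shipping browsers report:
// Chromium-based browsers "Google Inc.", Safari "Apple Computer, Inc.",
// Firefox the empty string.
function vendorFamily(vendor) {
  if (vendor === "Google Inc.") return "chromium";
  if (vendor === "Apple Computer, Inc.") return "safari";
  if (vendor === "") return "firefox";
  return "unknown";
}

// The order in which `for...in` enumerates navigator's properties is set by
// the engine, not by the UA string, so it is kept as an opaque signature.
function orderSignature(keys) {
  return keys.join("|");
}

// FNV-1a (32-bit) over the joined feature string: a stable identifier that
// needs no cookie or other client-side storage.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// `probes` is plain data so this also runs under Node; collectProbes()
// below fills it in a real browser. The field names are this example's own.
function analyze(probes) {
  const claimed = claimedFamily(probes.userAgent);
  const byVendor = vendorFamily(probes.vendor);
  // window.chrome is only defined in Chromium-family browsers.
  const byGlobal = probes.hasWindowChrome ? "chromium" : null;
  const evidence = [byVendor, byGlobal].filter((f) => f && f !== "unknown");
  const real = evidence.length ? evidence[0] : claimed;
  const spoofed = evidence.some((f) => f !== claimed);
  const features = [
    probes.userAgent,
    probes.vendor,
    probes.platform,
    String(probes.hasWindowChrome),
    orderSignature(probes.navigatorKeys),
    String(spoofed), // the detected spoof becomes part of the fingerprint
  ].join("\n");
  return { claimed, real, spoofed, id: fnv1a32(features) };
}

// Browser-side collection; skipped when there is no window (e.g. Node).
function collectProbes() {
  const keys = [];
  for (const k in navigator) keys.push(k);
  return {
    userAgent: navigator.userAgent,
    vendor: navigator.vendor,
    platform: navigator.platform,
    hasWindowChrome: typeof window.chrome === "object" && window.chrome !== null,
    navigatorKeys: keys,
  };
}

if (typeof window !== "undefined") {
  console.log(analyze(collectProbes()));
}
```

Loaded in a page, the script prints the claimed family, the family the engine betrays, whether the two disagree, and the resulting identifier. Extensions that rewrite only `navigator.userAgent` (or only the HTTP header) leave `navigator.vendor`, `window.chrome` and the property enumeration order intact, which is exactly the shortcoming the abstract says commercial scripts exploit.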