The Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting | Nikiforakis, Kapravelos, Joosen, Kruegel, Piessens, Vigna

Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna; The Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting; In Proceedings of the IEEE Symposium on Security & Privacy (SP); 2013; pages 541-555 (15 pages).

Abstract

The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users.

In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins.

At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.

Mentions

  • BlueCava
  • iovation
  • ThreatMetrix
  • Ghostery
  • Panopticlick

References

  1. “Giving the Web a Memory Cost Its Users Privacy”; John Schwartz; In The New York Times (NYT); 2001-09-04.
  2. B. Krishnamurthy, “Privacy leakage on the Internet,” presented at IETF 77, 2010-03.
  3. B. Krishnamurthy and C. E. Wills, “Generating a privacy footprint on the Internet,” In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement (IMC), New York, NY, USA, 2006, pages 65–70.
  4. F. Roesner, T. Kohno, and D. Wetherall, “Detecting and defending against third-party tracking on the web,” In Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation (NSDI). Berkeley, CA, USA: USENIX Association, 2012, pages 12–12.
  5. “What They Know”; The Wall Street Journal (WSJ).
  6. J. Turow, J. King, C. J. Hoofnagle, A. Bleakley, M. Hennessy, “Americans Reject Tailored Advertising, Three Activities that Enable It,” 2009.
  7. B. Ur, P. G. Leon, L. F. Cranor, R. Shay, Y. Wang, “Smart, useful, scary, creepy: perceptions of online behavioral advertising,” In Proceedings of the Eighth Symposium on Usable Privacy, Security (SOUPS). New York, NY, USA: ACM, 2012, pages 4:1–4:15.
  8. comScore, “The Impact of Cookie Deletion on Site-Server, Ad-Server Metrics in Australia,” 2011-01.
  9. Ghostery
  10. Collusion: Discover who’s tracking you online; Mozilla.
  11. J. R. Mayer, “Any person… a pamphleteer,” Senior Thesis, Stanford University, 2009.
  12. P. Eckersley, “How Unique Is Your Browser?” In Proceedings of the 10th Privacy Enhancing Technologies Symposium (PETS), 2010.
  13. K. Mowery, D. Bogenreif, S. Yilek, H. Shacham, “Fingerprinting Information in JavaScript Implementations,” In Proceedings of Web 2.0 Security & Privacy (W2SP) H. Wang, editor. IEEE Computer Society, May 2011.
  14. C. Kolbitsch, B. Livshits, B. Zorn, C. Seifert, “Rozzle: De-cloaking internet malware,” In IEEE Symposium on Security & Privacy (SP), 2012-05.
  15. E. Mills, “Device identification in online banking is privacy threat, expert says,” In CNET News. 2009-04.
  16. Opt out of being tracked, BlueCava.
  17. J. R. Mayer, Tracking the Trackers: Early Results; Center for Internet & Society, Stanford University.
  18. T.-F. Yen, Y. Xie, F. Yu, R. P. Yu, M. Abadi, “Host Fingerprinting, Tracking on the Web: Privacy, Security Implications,” In Proceedings of the 19th Annual Network, Distributed System Security Symposium (NDSS), 2012.
  19. J. R. Mayer, J. C. Mitchell, “Third-party web tracking: Policy, technology,” In Proceedings of the IEEE Symposium on Security & Privacy (SP), 2012, pages 413–427.
  20. G. Cluley, In his Blog; 2012-08-30.
  21. B. Krebs, How to Unplug Java from the Browser; In His Blog.
  22. D. Jang, R. Jhala, S. Lerner, H. Shacham, “An empirical study of privacy-violating information flows in JavaScript Web applications,” In Proceedings of the Conference on Computer and Communications Security (CCS), 2010-10.
  23. Torbutton: I can’t view videos on YouTube, other flash-based sites. Why?; Tor Project.
  24. Anubis: Analyzing Unknown Binaries, iSEC Lab.
  25. VirusTotal – Free Online Virus, Malware, URL Scanner
  26. G. Pierson, J. DeHaan, “Patent US20080040802 – NETWORK SECURITY AND FRAUD DETECTION SYSTEM AND METHOD.”
  27. M. Cova, C. Kruegel, G. Vigna, “Detection, analysis of drive-by-download attacks, malicious javascript code,” In Proceedings of the 19th International Conference on World Wide Web (WWW), 2010, pages 281–290.
  28. “ECMAScript Language Specification,” Standard ECMA-262, Third edition.
  29. M. Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, 2011.
  30. A. Andersen, History of the browser user-agent string.
  31. Web Tracking Protection; W3C; 2011-02-24.
  32. P. Eckersley (EFF), Panopticlick — Self-Defense; In Their Blog.
  33. J. Scott (Mozilla), How many Firefox users have add-ons installed? 85%!; In Their Blog; 2011-06-21.
  34. Adblock Plus – for annoyance-free web surfing.
  35. A. Klein (Trusteer), How Fraudsters are Disguising PCs to Fool Device Fingerprinting; In Their Blog.
  36. A. Soltani, S. Canty, Q. Mayo, L. Thomas, C. J. Hoofnagle, “Flash Cookies, Privacy,” in SSRN preprint (2009-08) .
  37. J. Xu, T. Nguyen (Adobe), Private Browsing, Flash Player 10.1; Adobe.
  38. J.-L. Gassée, F. Filloux, “Measuring Time Spent On A Web Page,” http://www.cbsnews.com/2100-215_162-5037448.html.
  39. K. Mowery, H. Shacham, “Pixel Perfect: Fingerprinting Canvas in HTML5,” In Proceedings of Web 2.0 Security & Privacy (W2SP), M. Fredrikson (editor). IEEE Computer Society, 2012-05.
  40. Ł. Olejnik, C. Castelluccia, A. Janc, “Why Johnny Can’t Browse in Peace: On the Uniqueness of Web Browsing History Patterns,” In Proceedings of the 5th Workshop on Hot Topics in Privacy Enhancing Technologies (HOTPETS), 2012.
  41. Z. Weinberg, E. Y. Chen, P. R. Jayaraman, C. Jackson, “I still know what you visited last summer: Leaking browsing history via user interaction, side channel attacks,” In Proceedings of the 2011 IEEE Symposium on Security & Privacy (SP), 2011, pages 147–161.
  42. N. Nikiforakis, L. Invernizzi, A. Kapravelos, S. V. Acker, W. Joosen, C. Kruegel, F. Piessens, G. Vigna, “You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions,” In Proceedings of the ACM Conference on Computer, Communications Security (CCS), 2012.

Web Privacy and Transparency Conference

Web Privacy and Transparency Conference; Center for Information Technology Policy at Princeton; 2014-10-24.

tl;dr => a 1-day session

Who

PriVaricator: Deceiving Fingerprinters with Little White Lies | Nikiforakis, Joosen, Livshits


Nick Nikiforakis, Wouter Joosen, Benjamin Livshits; PriVaricator: Deceiving Fingerprinters with Little White Lies; Technical Report MSR-TR-2014-26; Microsoft; 2014-02-28; 14 pages.

Abstract

This paper proposes a solution to the problem of browser-based fingerprinting. An important observation is that making fingerprints non-deterministic also makes them hard to link across subsequent web site visits. Our key insight is that when it comes to web tracking, the real problem with fingerprinting is not uniqueness of a fingerprint, it is linkability, i.e. the ability to connect the same fingerprint across multiple visits. In PriVaricator we use the power of randomization to “break” linkability by exploring a space of parameterized randomization policies. We evaluate our techniques in terms of being able to prevent fingerprinting and also in terms of not breaking existing (benign) sites. The best of our randomization policies renders all the fingerprinters we tested ineffective, while causing minimal damage on a set of 1,000 Alexa sites on which we tested, with no noticeable performance overhead.

Mentioned

Ad groups prepare for “cookieless” future, develop opt-out tool for alternative tracking | SFGate

James Temple; Ad groups prepare for “cookieless” future, develop opt-out tool for alternative tracking; In SFGate; 2013-10-04.

Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, Bart Preneel; FPDetective: Dusting the Web for Fingerprinters; In Proceedings of Computer and Communications Security (CCS); 2013-11-04; 13 pages.