Web-based Fingerprinting Techniques

Vítor Bernardo, Dulce Domingos

Abstract

The concept of device fingerprinting is based in the assumption that each electronic device holds a unique set of physical and/or logical features that others can capture and use to differentiate it from the whole. Web-based fingerprinting, a particular case of device fingerprinting, allows website owners to differentiate devices based on the set of information that browsers transmit. Depending on the techniques being used, a website can track a device based on its browser features (browser fingerprinting) or based on system settings (cross-browser fingerprinting). The latter allows identification of the device even when more than one browser is used. Several different works have introduced new techniques over the last years proving that fingerprinting can be done in multiple ways, but there is not a consolidated work gathering all of them. The current work identifies known web-based fingerprinting techniques, categorizing them as which ones are browser and which are cross-browser and showing real examples of the data that can be captured with each technique. The study is synthesized in a taxonomy, which provides a clear separation between techniques, making it easier to identify the threats to security and privacy inherent to each one.

References

  1. Acar, G., Eubank, C., Englehardt, S., Juarez, M., Narayanan, A., and Diaz, C. (2014). The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 674- 689. ACM.
  2. Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens, F., and Preneel, B. (2013). Fpdetective: dusting the web for fingerprinters. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 1129-1140. ACM.
  3. Article 29 Data Protection Working Party, A. (2014). Opinion 9/2014 on the application of directive 2002/58/ec to device fingerprinting.
  4. Boda, K., Földes, Í. M., Gulyás, G. G., and Imre, S. (2012). User tracking on the web via cross-browser fingerprinting. In Information Security Technology for Applications, pages 31-46. Springer.
  5. Eckersley, P. (2010). How unique is your web browser? In Privacy Enhancing Technologies, pages 1-18. Springer.
  6. Fielding, R. and Reschke, J. (2014). Hypertext transfer protocol (http/1.1): Semantics and content.
  7. Howard, F. (2012). Exploring the blackhole exploit kit. Sophos Technical Paper.
  8. Janc, A. and Olejnik, L. (2010). Web browser history detection as a real-world privacy threat. In Computer Security-ESORICS 2010 , pages 215-231. Springer.
  9. Jenkins, I. R., Shapiro, R., Bratus, S., Speers, R., and Goodspeed, T. (2014). Fingerprinting IEEE 802.15.4 Devices with Commodity Radios. Technical Report TR2014-746, Dartmouth College, Computer Science, Hanover, NH.
  10. Khademi, A. F., Zulkernine, M., and Weldemariam, K. (2015). An empirical evaluation of web-based fingerprinting. Software, IEEE, 32(4):46-52.
  11. Kohno, T., Broido, A., and Claffy, K. C. (2005). Remote physical device fingerprinting. Dependable and Secure Computing, IEEE Transactions on, 2(2):93-108.
  12. Mayer, J. R. (2009). Any person... a pamphleteer: Internet anonymity in the age of web 2.0. Undergraduate Senior Thesis, Princeton University.
  13. Mayer, J. R. and Mitchell, J. C. (2012). Third-party web tracking: Policy and technology. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 413-427. IEEE.
  14. Mowery, K., Bogenreif, D., Yilek, S., and Shacham, H. (2011). Fingerprinting information in javascript implementations. Proceedings of W2SP, 2.
  15. Mowery, K. and Shacham, H. (2012). Pixel perfect: Fingerprinting canvas in html5. Proceedings of W2SP.
  16. Nikiforakis, N., Joosen, W., and Livshits, B. (2015). Privaricator: Deceiving fingerprinters with little white lies. In Proceedings of the 24th International Conference on World Wide Web, pages 820-830. International World Wide Web Conferences Steering Committee.
  17. Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., and Vigna, G. (2013). Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In Security and privacy (SP), 2013 IEEE symposium on, pages 541-555. IEEE.
  18. Olejnik, L., Castelluccia, C., and Janc, A. (2012). Why johnny can't browse in peace: On the uniqueness of web browsing history patterns. In 5th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2012).
  19. Roesner, F., Kohno, T., and Wetherall, D. (2012). Detecting and defending against third-party tracking on the web. In Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation, pages 12-12. USENIX Association.
  20. Zalewski, M. (2012). The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press.
Download


Paper Citation


in Harvard Style

Bernardo V. and Domingos D. (2016). Web-based Fingerprinting Techniques . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 271-282. DOI: 10.5220/0005965602710282


in Bibtex Style

@conference{secrypt16,
author={Vítor Bernardo and Dulce Domingos},
title={Web-based Fingerprinting Techniques},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)},
year={2016},
pages={271-282},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005965602710282},
isbn={978-989-758-196-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)
TI - Web-based Fingerprinting Techniques
SN - 978-989-758-196-0
AU - Bernardo V.
AU - Domingos D.
PY - 2016
SP - 271
EP - 282
DO - 10.5220/0005965602710282