Browser fingerprint

From Wikipedia, the free encyclopedia

Browser fingerprinting is a technique for identifying and tracking an individual computer by collecting data about the configuration of a user's browser and system when they visit a website. A browser fingerprint can be constructed using different technologies, which makes it difficult to avoid across websites. Identification serves various purposes, from tracking (for example by regenerating deleted cookies) to fraud prevention through the detection of bots on the internet. Countering fingerprinting can be quite complex, because the more components a user adds to hide their identity, the more unique their browser becomes.

Definition

A fingerprint is a set of bits that identifies a device.[2] A browser fingerprint is a fingerprint deduced by a third party when a user visits a site.[3] Entropy measures a fingerprint's uniqueness.[4]

It is a stateless technique, since it does not rely on information stored in the user's browser, such as HTTP cookies.[5] It relies instead on browser and system information[5] exposed by the browser's behavior.[2] Fingerprints are therefore fragile against changes in browser configuration, since they generally depend on it.[6]
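To make the entropy measure concrete, the following added example (not part of the original article) computes per-attribute and joint Shannon entropy, the surprisal of a single fingerprint and its anonymity set. The attribute names and the eight-browser sample are constructed for illustration.

```javascript
// Constructed sample of eight browsers; not real measurement data.
const SAMPLE = [
  { userAgent: "Firefox/72", timezone: "UTC+1", fonts: "set-A" },
  { userAgent: "Firefox/72", timezone: "UTC+1", fonts: "set-A" },
  { userAgent: "Firefox/72", timezone: "UTC+1", fonts: "set-A" },
  { userAgent: "Firefox/72", timezone: "UTC-5", fonts: "set-A" },
  { userAgent: "Chrome/79", timezone: "UTC+1", fonts: "set-B" },
  { userAgent: "Chrome/79", timezone: "UTC-5", fonts: "set-B" },
  { userAgent: "Opera/64", timezone: "UTC-5", fonts: "set-C" },
  { userAgent: "Opera/64", timezone: "UTC-5", fonts: "set-D" },
];
const ALL_ATTRS = ["userAgent", "timezone", "fonts"];

// Serialize the chosen attributes of one row into a comparable key.
function keyOf(row, attrs) {
  return JSON.stringify(attrs.map((a) => row[a]));
}

// Count how many rows share each combination of the chosen attributes.
function histogram(rows, attrs) {
  const counts = new Map();
  for (const row of rows) {
    const k = keyOf(row, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Shannon entropy, in bits, of the joint distribution of the attributes.
function entropyBits(rows, attrs) {
  if (rows.length === 0) return 0;
  let h = 0;
  for (const c of histogram(rows, attrs).values()) {
    const p = c / rows.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Anonymity set: how many browsers in the sample look exactly like the target.
function anonymitySet(rows, attrs, target) {
  return histogram(rows, attrs).get(keyOf(target, attrs)) || 0;
}

// Surprisal of one fingerprint in bits; Infinity if it never occurs in the sample.
function surprisalBits(rows, attrs, target) {
  const n = anonymitySet(rows, attrs, target);
  return n === 0 ? Infinity : Math.log2(rows.length / n);
}

// Share of browsers whose fingerprint occurs exactly once in the sample.
function uniqueShare(rows, attrs) {
  let unique = 0;
  for (const c of histogram(rows, attrs).values()) if (c === 1) unique++;
  return rows.length === 0 ? 0 : unique / rows.length;
}

for (const a of ALL_ATTRS) {
  console.log(a, entropyBits(SAMPLE, [a]).toFixed(3), "bits");
}
// Attributes are correlated, so the joint entropy is lower than the sum above.
console.log("joint", entropyBits(SAMPLE, ALL_ATTRS).toFixed(3), "bits");
console.log("unique share", uniqueShare(SAMPLE, ALL_ATTRS));
```

Because attributes are correlated, adding up per-attribute entropies overstates how identifying the combined fingerprint is; the joint distribution is what determines uniqueness.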

Usages

Fingerprinting is used with either good or bad intentions toward the user.[1] However, the distinction is never that Manichean and the border is thin, since it depends only on who is using the fingerprint.[7]

In the wild

Browser fingerprinting is used in the wild.[8][9][10] In 2014, at least 5.5% of the top 100,000 Alexa sites used canvas fingerprinting.[11] In 2013, at least 0.4% of the top 10,000 Alexa sites used scripts from one of these fingerprinting providers: BlueCava, Iovation and ThreatMetrix.[12] Most of them were in the "Pornography" and "Personals/Dating" categories, with 15% and 12.5% respectively.[12] Less popular websites that use these companies' code are mainly categorized as spam, malicious sites, adult/mature content, computers/internet, and dating/personals.[13] The companies likely provide their code to these "Spam" and "Malicious" sites to enlarge their user databases.[13]

Fingerprinting is done either with a website's own scripts or with third-party scripts.[11][12] Some third parties include fingerprinting in their services without the site necessarily being aware of it.[11] In this case, it is probably done to prevent click fraud.[12] First parties can also request fingerprinting from these companies.[12] A third party may add the calculated fingerprint directly to the DOM so that the website can use it.[12] Alternatively, the fingerprint is sometimes hidden from the first party, which then has to query the third party directly for information.[12]

Tracking

A fingerprint with high enough entropy makes a user unique among others.[14] Companies use it to track users and learn their interests.[15] The main purpose is to provide targeted advertising.[16]

Fingerprints are used not only to track users across websites, but also to regenerate deleted cookies[17] or to relink old cookies.[14][17]

Malicious intentions

Malicious and spam sites use fingerprinting.[13] With it, they carry out phishing and harvest users' data and device vulnerabilities.[13] This data is sometimes used to subscribe users to paid services.[13] Knowing a device's vulnerabilities, malware can deliver targeted exploits.[18] Attackers thereby withhold attacks that would not be effective against the targeted machine[19] and so conceal their attack potential.[19]

Augmented authentication

Fingerprinting is a convenient method for augmented authentication, as it does not require user interaction.[20] Sites use it to check that a paid account is used by a single user, or that it has not been hacked.[12] This is especially true for sites that hold private and important user information.[13] It is also used to verify that several accounts do not come from the same computer.[12] This is a concern on dating sites, where people may want to manipulate other users.[12]

Protection techniques

Extensions

Anti-tracking extensions exist and are based on sets of rules.[21] These rulesets are maintained publicly by a community or privately by a company.[21] A well-known community ruleset is EasyList, used by Adblock Plus.[21] Ghostery, Disconnect and Blur are maintained by companies.[21] A ruleset can also be learned by algorithms, as in EFF's Privacy Badger.[21] As of 2017, these extensions did not incorporate rules against known fingerprinting methods.[22] It is therefore up to researchers and ruleset maintainers to incorporate rules against discovered fingerprinting techniques, making these extensions more useful against them.[23]

Extensions that spoof the user agent claim to help mask a browser.[24] In practice, the ones studied are easily bypassed through JavaScript methods.[25] Moreover, the mismatch between the user agent and the real browser information adds information to the fingerprint.[25] By using extensions, even privacy-oriented ones, users make their browser more distinguishable from those that do not have these extensions.[25] In some contexts (depending on the browser, the website visited, and so on), there are more fingerprinting invocations with browser extensions installed.[22] On mobile, the extension Mother of all AD-BLOCKING has been shown to block ThreatMetrix, a fingerprinting service used in Android applications.[22]

Browser-based protections

Browser families differ in how fingerprintable they are.[26] Based on 6 fingerprint attributes (Fonts, Device ID, Canvas, WebGL Renderer and Local IP), Edge is the most easily fingerprintable, followed by Firefox and Chrome in joint second place, then Internet Explorer and finally Safari.[27] On mobile, with the same attributes, Chrome and Opera Mini tie for the highest fingerprintability, followed by Firefox, Edge and Safari.[28] This is measured without changing the browsers' default settings.[29]

It is also possible to reduce a browser's fingerprintability directly in its code.[30] Some browser attributes are randomized, such as screen width.[31] This way, the browser cannot easily be tracked between site visits, because its fingerprint will not contain the same attributes.[31] PriVaricator, developed by Nikiforakis et al., randomizes the plugin list and fonts, but can be extended.[31] With different parameter combinations, it obtained 96.32% unique fingerprints against BlueCava's fingerprinting script, 78.36% against the fingerprintjs library and 37.83% against PetPortal.[32] This protection technique is useful against fingerprinting based on the browser's environment, but not against other methods such as benchmarking.[33]
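The effect of attribute randomization on linkability can be simulated. The following added example is not PriVaricator's code or policy: the attribute values, the lie probability, the ±4 pixel offset and the 30% plugin-hiding rate are all assumptions chosen for illustration, and the FNV-1a hash stands in for whatever hash a fingerprinting script computes.

```javascript
// Constructed "real" configuration of one browser (illustrative values).
const REAL_CONFIG = {
  screenWidth: 1920,
  plugins: ["pdf-viewer", "media-player", "doc-plugin", "video-codec"],
};

// Small seeded PRNG (mulberry32) so that the simulation is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// 32-bit FNV-1a over a string, returned as 8 hex digits.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// What a script would hash: the attribute values as the browser reports them.
function fingerprint(attrs) {
  return fnv1a(attrs.screenWidth + "|" + attrs.plugins.join(","));
}

// Values reported for one visit. Each attribute is altered with lieProbability.
function reportedAttributes(real, rand, lieProbability) {
  const out = { screenWidth: real.screenWidth, plugins: real.plugins.slice() };
  if (rand() < lieProbability) {
    out.screenWidth += Math.floor(rand() * 9) - 4; // offset in -4..+4 pixels
  }
  if (rand() < lieProbability) {
    out.plugins = out.plugins.filter(() => rand() >= 0.3); // hide each with 30%
  }
  return out;
}

// Simulate repeated visits by the same browser and measure how linkable they are.
function simulateVisits(visits, lieProbability, seed) {
  const rand = mulberry32(seed);
  const trueFp = fingerprint(REAL_CONFIG);
  const seen = new Set();
  let repeats = 0;
  let truthful = 0;
  for (let i = 0; i < visits; i++) {
    const fp = fingerprint(reportedAttributes(REAL_CONFIG, rand, lieProbability));
    if (fp === trueFp) truthful++;
    if (seen.has(fp)) repeats++;
    else seen.add(fp);
  }
  return {
    distinct: seen.size, // number of different fingerprints observed
    repeatShare: repeats / visits, // visits linkable to an earlier visit
    trueShare: truthful / visits, // visits that exposed the real values
  };
}

console.log("no randomization:", simulateVisits(200, 0, 1));
console.log("always randomize:", simulateVisits(200, 1, 1));
```

The number of distinct fingerprints is bounded by the number of values the randomization can produce (here 9 widths times 16 plugin subsets), so a small randomization space still yields repeated, linkable fingerprints.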

Proposed ideas

Web standards and APIs, through their implementation and deep integration with the device, cause unexpected privacy problems by exposing data to websites. Researchers and engineers help by explaining the risks of these APIs and their effects on user privacy.[34] In 2017, Starov proposed two countermeasures, based on encapsulation and namespaces, to hide browser extensions or confuse trackers about them.[35] Also, according to the results on the presence of Flash in browsers, the best countermeasure against this technique is to disable Flash itself.[19] On the detection side, several architectures exist to observe drive-by downloads, such as low-interaction honeypots, high-interaction honeypots and honeyclients.[19]

From another point of view, browser vendors should take steps to hide the nature of the browser, given the complexity of fingerprinting techniques and the variety of data collected. But it is hard to say whether vendors would agree to hide the nature of the browsers they produce.[8] They should also decide on a set of APIs that are tolerated in web applications.[19]

In an ideal context, novel research would also create blocking rules against detected stateless fingerprinters.[23]

Techniques

These techniques are used to add bits of information to a fingerprint, making it more unique.[36] To do so, they observe the browser's behavior and responses, with or without intervention.[2]

Graphics rendering

CSS

CSS properties are not supported uniformly across browsers.[37] This is used to distinguish browser families, and even versions.[37] For example, the CSS property grid is not supported in Internet Explorer 11 and Firefox 51 but is fully supported in Firefox 72 and Opera 64, as shown on the CanIUse site.

| CSS media query | Operating system theme |
| --- | --- |
| -moz-windows-default-theme | Windows default theme |
| -moz-mac-graphite-theme | Mac OS Graphite theme |
| -moz-windows-compositor | Desktop window manager enabled |

CSS media queries can also give information about the operating system, such as the OS theme.[38] They can reveal more, such as screen size (device-height and device-width), screen orientation (portrait or landscape) and the device pixel ratio.[39] Some of the fonts installed on the user's device are revealed by the @font-face specification.[40] A property is implemented by a browser if it can be called through JavaScript.[37] A site can also set CSS properties whose values must be requested from a URL.[41] If the URL is requested, the server behind it knows that the user's browser can interpret the property.[41]

cursor : url("server.php?property=cursor") ; 

With several properties, "server.php" can learn which properties are implemented in the user's browser.[42]

The CSS selector :visited reveals part of the user's history.[43] The fingerprinter chooses a set of sites and checks whether the user has visited them.[43] With a set of at least 50 of the most popular websites, users' history profiles are mostly unique.[44] This works as well on mobile as on desktop.[44] These unique profiles tend to stay the same over time.[45] Besides fingerprinting a user, this can leak the user's interests.[46] In modern browsers this method has been fixed, but it remains possible on older browsers still in use on the Web.[46]

Flash/Java

Flash and Java are mainly used to retrieve the fonts installed on the user's system.[47][48] This is well known to fingerprinting companies.[48]

Flash gives the total width of all the user's screens.[49] Compared with the width provided by the browser, which is the width of the screen where the browser is open, it reveals whether the user has more than one monitor.[49] Flash is favored because it does not need the user's consent.[50] The Java plugin directly provides some system information.[51]

Java is generally not used by fingerprinting service providers, certainly because it is not used in the Web field.[49] By contrast, in 2013 Flash was widely used and, despite being heavily criticized and becoming obsolete, remained enabled in many browsers.[49] On a browser that disables Flash by default, third-party fingerprinters can still use it by making Flash important for the visited website.[19]

JavaScript

JavaScript objects, such as the navigator and screen objects, are used in fingerprinting.[13] For one thing, the order in which a browser enumerates an object's properties is specific to the browser brand and version, and can even leak the operating system.[52] Since browsers add new features with each new version, testing whether these added features exist is a way to determine a browser's version precisely.[53] Browser families also have their own vendor-prefixed properties, such as screen.mozBrightness for Mozilla Firefox.[52] Furthermore, whether an object can be manipulated is also specific to the browser family, e.g.:

| Browser family | Property deletion (of navigator object) | Reassignment (of navigator/screen object) |
| --- | --- | --- |
| Google Chrome | allowed | allowed |
| Mozilla Firefox | ignored | ignored |
| Opera | allowed | allowed |
| Internet Explorer | ignored | ignored |

Browsers do not implement exactly the same parts of the ECMAScript standard, even between versions of the same browser.[54] A fingerprinting provider can therefore test to what extent a user's browser covers the standard and so infer which browser and version is in use.[54] This has proved to be an efficient method.[55]

JavaScript makes it possible to measure a letter's bounding box.[56] Across browsers, these bounding boxes differ for a letter of the same font when rendered at a large size.[56] As these dimensions are also affected by antialiasing and hinting configuration, instances of the same browser on the same operating system can be distinguished.[56] When a letter is not found on the system, a "glyph not found" symbol with specific dimensions takes its place.[56] This reveals that the font is not installed on the system.[56] This method is not the most effective fingerprint, but it remains effective on Tor Browser.[56]

Canvas and WebGL

Canvas can display sentences in different fonts.[57] A sentence is rendered according to the user's browser environment and hardware.[58] Depending on the rendering, it reveals the operating system and the browser family.[58] More information can be deduced, such as the graphics card in the user's device and the installed fonts.[58] Some companies combine different sentences and geometric figures in the canvas element to reveal the browser and operating system.[59] How the image was rendered for the user is obtained via the canvas method toDataURL(type).[60] It provides a data URI containing a representation of the image, directly usable in a fingerprint.[60] Another way is the getImageData() method, which returns the list of the canvas's pixels.[60]

In a canvas, WebGL can display 3D elements.[60] At the pixel level, these elements can be rendered differently depending on the graphics card,[58] so the graphics card can be identified.[58] The WebGL attribute UNMASKED_RENDERER_WEBGL exposes the GPU information,[61] or the CPU information if there is no GPU.[61] UNMASKED_VENDOR_WEBGL exposes the GPU (or CPU) vendor.[61] It therefore also leaks whether a GPU is present.[61]

Hardware

Benchmarking

At the hardware level, a method based on benchmark analysis exists to determine whether the CPU uses AES-NI or Turbo Boost. By comparing the execution time of a cryptographic operation with that of a simple operation, it is possible to identify the presence of AES-NI, which accelerates cryptographic operations.[62] For Turbo Boost, the Octane 2.0 JavaScript benchmark is used to detect the technology.[62] On a set of 341 tests, AES-NI and Turbo Boost were found to be easiest to detect on the Chrome browser. The accuracy of correctly guessing the presence of each technology in this set is as follows:[63]

| Browser | AES-NI presence | Turbo Boost presence |
| --- | --- | --- |
| Google Chrome | 99.28% | 84.78% |
| Mozilla Firefox | 71.17% | 82.88% |
| Internet Explorer | 77% | 55% |

Device ID

Creation of device ID

The device ID is found through the WebRTC hardware ID attribute.[64] This ID is the result of a cryptographic hash function applied to the user's hardware components, along with some other values.[64] Depending on the browser, this ID can be consistent between visits to a website and so be used for fingerprinting.[64] On Chrome it is very consistent, as it does not change without specific user actions such as clearing the browser cache.[27] On Firefox, it changes when the browser is reopened.[27] On Edge, it changes between two visits to a website.[27]

Others

With the Battery Status API, a fingerprinter can use the current battery state of a device as a short-term fingerprint.[65] The API also provides the battery capacity, which can add a bit of information to a fingerprint.[66] OscillatorNode produces an audio signal that is specific to a browser/operating system pair.[67]

Protocols

Browsers choose how they order HTTP header fields and how many they send.[68] This is used to infer the browser family.[68] For example, Internet Explorer places the User-Agent field before the Host field, while Chrome uses the opposite order.[68]

In the HTTP headers, the user agent string provides basic information about the connecting user,[69] for example information directly about the system's hardware.[17] It can reveal a phone model.[70]

Browser add-ons

Since each user can enable and configure add-ons in their browser, they probably have their own unique set of add-ons.[71][72] The list of add-ons installed in a browser is used to add a bit of information to a fingerprint.[73] In addition, add-ons can modify the way the browser behaves and its resources, making it even more unique.[74]

Plugins

Fingerprinting providers use plugins to access information about the user's device, such as installed system drivers and the computer's name.[75] They look for specific plugins that have been allowed by the user or downloaded together with an application, and use them directly.[75] This is a powerful fingerprint.[75]

As plugins are not often used by mobile browsers, this is not a good fingerprinting method on these devices.[76]

Extensions

Extensions can modify a page by adding new elements and by deleting and/or changing existing ones.[77] These modifications reveal the extensions installed in the user's browser.[78] Modifications are made to the DOM but can also affect the BOM.[78] XHOUND, developed by Starov et al., uses this method by detecting DOM alterations.[79] It showed that in 2017, 16.6% of the top 10,000 most popular Chrome extensions were detectable on at least one of the 50 most popular sites.[78] This rises to 23% for the top 1000 most popular Chrome extensions.[78] These percentages tend to decrease with extension popularity[78] and are stable over months.[80] Another method for listing extensions requests one of an extension's resources from the browser.[81] Most browsers first check whether the extension concerned is installed. If it is, they then check whether the extension is allowed to provide the resource.[81] The browser responds more quickly if the extension is not installed.[81] A particularity of extension listing is that it can reveal a person's interests.[82][83] Extension-based fingerprinting may be used on mobile, since many popular mobile browsers have extensions.[76]

Sometimes, extensions that claim to protect the user do the opposite; this is the case when they spoof the user agent string.[25] Since they modify the user agent, it is no longer consistent with the real information provided by the browser.[25] These differences can be added to a fingerprint and reveal the presence of an extension.[25]

HTML

Browsers have their own HTML parsers.[2] They can implement new HTML5 features at their own pace.[68] This is used to discover the browser family, depending on which features are actually implemented in the user's browser.[68]

Each browser can behave in specific ways when parsing HTML.[84] These specific behaviors, or "HTML parser quirks",[2] can be tested and summarized in a browser signature.[84] Given many browser signatures, the family and version of an unknown browser are deduced by comparing its signature with the collected ones.[85] The comparison is done with a Hamming distance or with machine learning.[85] The Hamming distance method can determine the exact browser version with likely 71% accuracy.[86]
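The signature comparison described above can be sketched as a nearest-neighbour search under Hamming distance. This is an added example, not code from the cited work: the reference signatures are constructed bit strings (one bit per quirk test), and the tie handling and the distance threshold are assumptions made here.

```javascript
// Constructed reference signatures: one character per parser-quirk test,
// "1" = behaviour observed, "0" = not observed. Bits are illustrative only.
const REFERENCE_SIGNATURES = [
  { family: "Firefox", version: "51", bits: "110100111010" },
  { family: "Firefox", version: "72", bits: "110100111001" },
  { family: "Chrome", version: "79", bits: "001011010110" },
  { family: "Internet Explorer", version: "11", bits: "101110000101" },
];

// Number of positions at which two equal-length signatures differ.
function hammingDistance(a, b) {
  if (a.length !== b.length) {
    throw new RangeError("signatures must have the same length");
  }
  let d = 0;
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) d++;
  }
  return d;
}

// Find the closest reference signature(s).
// - Above maxDistance the browser is reported as unknown.
// - If several references tie, the version is left undecided; the family is
//   still reported when all tied references belong to the same family.
function classifySignature(observed, references, maxDistance) {
  let best = Infinity;
  let nearest = [];
  for (const ref of references) {
    const d = hammingDistance(observed, ref.bits);
    if (d < best) {
      best = d;
      nearest = [ref];
    } else if (d === best) {
      nearest.push(ref);
    }
  }
  if (best > maxDistance) {
    return { family: null, version: null, distance: best };
  }
  const families = new Set(nearest.map((r) => r.family));
  return {
    family: families.size === 1 ? nearest[0].family : null,
    version: nearest.length === 1 ? nearest[0].version : null,
    distance: best,
  };
}

// Constructed observations: exact match, version tie, and no close match.
for (const observed of ["110100111001", "110100111011", "000000000000"]) {
  console.log(observed, classifySignature(observed, REFERENCE_SIGNATURES, 2));
}
```

A site using this for session checks would compare the classified family with the one claimed in the User-Agent header and treat a mismatch or an "unknown" result as a signal for further verification rather than as proof.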

Studies history

The first large-scale study was conducted by Eckersley[87] in 2010 to determine the uniqueness of web browser configurations. The use of benchmark execution time was proposed by Mowery et al. in 2011[88] for JavaScript implementations. An analysis of a month of logs from the Bing and Hotmail services was performed by Yen et al. in 2012.[89] The same year, Olejnik et al. demonstrated the value of browsing history as a fingerprinting method.[90] A year later, Mowery, with Shacham, also proposed a fingerprinting method based on rendering text and WebGL scenes.[91] Still in 2013, the behaviour of fingerprinting methods was described by Nikiforakis et al.[92] A framework called FPDetective, developed by Acar et al. in 2013, detects web-based fingerprinters in the wild.[93] A very large-scale measurement of stateless tracking was performed by Englehardt and Narayanan in 2016.[94]

References

  1. (Laperdrix 2016, p. 878)
  2. (Abgrall 2012, p. 1)
  3. (Eckersley 2010, p. 1)
  4. (Eckersley 2010, p. 6)
  5. (Merzdovnik 2017, p. 320)
  6. (Eckersley 2010, p. 11)
  7. (Nikiforakis 2013, p. 542)
  8. (Nikiforakis 2013, p. 554)
  9. (Acar 2013, p. 1139)
  10. (Acar 2014, p. 686)
  11. (Acar 2014, p. 678)
  12. (Nikiforakis 2013, p. 546)
  13. (Nikiforakis 2013, p. 547)
  14. (Eckersley 2010, p. 3)
  15. (Acar 2013, p. 9)
  16. (Nikiforakis 2015, p. 821)
  17. (Kaur 2017, p. 107)
  18. (Abgrall 2012, p. 8)
  19. (Nikiforakis 2013, p. 553)
  20. (Alaca 2016, p. 299)
  21. (Merzdovnik 2017, p. 322)
  22. (Merzdovnik 2017, p. 327)
  23. (Merzdovnik 2017, p. 329)
  24. (Yen 2012, p. 13)
  25. (Nikiforakis 2013, p. 552)
  26. (Al-Fannah 2017, p. 117)
  27. (Al-Fannah 2017, p. 114)
  28. (Al-Fannah 2017, p. 115)
  29. (Al-Fannah 2017, p. 107)
  30. (Nikiforakis 2015, p. 823)
  31. (Nikiforakis 2015, p. 820)
  32. (Nikiforakis 2015, p. 825)
  33. (Nikiforakis 2015, p. 827)
  34. (Olejnik 2016, p. 262)
  35. (Starov 2017, p. 955)
  36. (Eckersley 2010, p. 11)
  37. (Unger 2013, p. 256)
  38. (Takei 2016, p. 60)
  39. (Takei 2015, p. 59)
  40. (Takei 2015, p. 58)
  41. (Takei 2016, p. 59)
  42. (Takei 2016, p. 61)
  43. (Olejnik 2012, p. 5)
  44. (Olejnik 2012, p. 7)
  45. (Olejnik 2012, p. 11)
  46. (Olejnik 2012, p. 14)
  47. (Fiore 2014, p. 3)
  48. (Nikiforakis 2013, p. 544)
  49. (Nikiforakis 2013, p. 543)
  50. (Fiore 2014, p. 3)
  51. (Kaur 2017, p. 6)
  52. (Nikiforakis 2013, p. 549)
  53. (Nikiforakis 2013, p. 550)
  54. (Mulazzani 2013, p. 2)
  55. (Mulazzani 2013, p. 7)
  56. (Fifield 2015, p. 108)
  57. (Mowery 2012, p. 2)
  58. (Mowery 2012, p. 6)
  59. (Acar 2014, p. 2)
  60. (Mowery 2012, p. 3)
  61. (Al-Fannah 2017, p. 110)
  62. (Saito 2016, p. 588)
  63. (Saito 2016, p. 590)
  64. (Al-Fannah 2017, p. 109)
  65. (Olejnik 2016, p. 256)
  66. (Olejnik 2016, p. 259)
  67. (Englehardt 2016, p. 1399)
  68. (Unger 2013, p. 257)
  69. (Fiore 2014, p. 357)
  70. (Al-Fannah 2017, p. 111)
  71. (Starov 2017, p. 954)
  72. (Sanchez-Rola 2017, p. 688)
  73. (Acar 2013, p. 1131)
  74. (Kaur 2017, p. 108)
  75. (Nikiforakis 2013, p. 545)
  76. (Starov 2017, p. 942)
  77. (Starov 2017, p. 947)
  78. (Starov 2017, p. 946)
  79. (Starov 2017, p. 941)
  80. (Starov 2017, p. 948)
  81. (Sanchez-Rola 2017, p. 683)
  82. (Starov 2017, p. 953)
  83. (Sanchez-Rola 2017, p. 687)
  84. (Abgrall 2012, p. 2)
  85. (Abgrall 2012, p. 3)
  86. (Abgrall 2012, p. 6)
  87. (Eckersley 2010)
  88. (Mowery 2011)
  89. (Yen 2012)
  90. (Olejnik 2012)
  91. (Mowery 2013)
  92. (Nikiforakis 2013)
  93. (Acar 2013)
  94. (Narayanan 2016)

Bibliography

Yen, Ting-Fang; Xie, Yinglian; Yu, Fang; Yu, Roger Peng; Abadi, Martín (2012). "Host Fingerprinting and Tracking on the Web: Privacy and Security Implications": 16.

Acar, Gunes; Eubank, Christian; Englehardt, Steven; Juarez, Marc; Narayanan, Arvind; Diaz, Claudia (2014). "The Web Never Forgets: Persistent Tracking Mechanisms in the Wild". Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security - CCS '14. Scottsdale, Arizona, USA: ACM Press. pp. 674–689. doi:10.1145/2660267.2660347. ISBN 978-1-4503-2957-6.

Laperdrix, P.; Rudametkin, W.; Baudry, B. (May 2016). "Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints". 2016 IEEE Symposium on Security and Privacy (SP). pp. 878–894. doi:10.1109/SP.2016.57.

Fifield, David; Egelman, Serge (2015). "Fingerprinting Web Users Through Font Metrics". In Rainer Böhme, Tatsuaki Okamoto (eds.). Financial Cryptography and Data Security. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer. pp. 107–124. doi:10.1007/978-3-662-47854-7_7. ISBN 978-3-662-47854-7.

Englehardt, Steven; Narayanan, Arvind (2016). "Online Tracking: A 1-million-site Measurement and Analysis". Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. CCS '16. New York, NY, USA: ACM. pp. 1388–1401. doi:10.1145/2976749.2978313. ISBN 978-1-4503-4139-4.

Mulazzani, Martin; Reschl, Philipp; Huber, Markus; Leithner, Manuel; Schrittwieser, Sebastian; Weippl, Edgar (2013). "Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting". IEEE-Security.

Sjösten, Alexander; Van Acker, Steven; Sabelfeld, Andrei (2017). "Discovering Browser Extensions via Web Accessible Resources". Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy. CODASPY '17. New York, NY, USA: ACM. pp. 329–336. doi:10.1145/3029806.3029820. ISBN 978-1-4503-4523-1.

Abgrall, Erwan; Traon, Yves Le; Monperrus, Martin; Gombault, Sylvain; Heiderich, Mario; Ribault, Alain (2012-11-20). "XSS-FP: Browser Fingerprinting using HTML Parser Quirks". arXiv:1211.4812.

Kaur, Navpreet; Azam, Sami; Kannoorpatti, Krishnan; Yeo, Kheng Cher; Shanmugam, Bharanidharan (2017). "Browser Fingerprinting as user tracking technology". 2017 11th International Conference on Intelligent Systems and Control (ISCO).

Fiore, Ugo; Castiglione, Aniello; Santis, Alfredo De; Palmieri, Francesco (September 2014). "Countering Browser Fingerprinting Techniques: Constructing a Fake Profile with Google Chrome". 2014 17th International Conference on Network-Based Information Systems. pp. 355–360. doi:10.1109/NBiS.2014.102.

Upathilake, R.; Li, Y.; Matrawy, A. (2015). "A classification of web browser fingerprinting techniques". 2015 7th International Conference on New Technologies, Mobility and Security (NTMS).

Eckersley, Peter (2010). "How Unique Is Your Web Browser?". In Mikhail J. Atallah, Nicholas J. Hopper (eds.). Privacy Enhancing Technologies. Lecture Notes in Computer Science. Springer Berlin Heidelberg. pp. 1–18. ISBN 978-3-642-14527-8.

Acar, Gunes; Eubank, Christian; Englehardt, Steven; Juarez, Marc; Narayanan, Arvind; Diaz, Claudia (2014). "The Web Never Forgets: Persistent Tracking Mechanisms in the Wild". the 2014 ACM SIGSAC Conference.

Unger, Thomas; Mulazzani, Martin; Frühwirt, Dominik; Huber, Markus; Schrittwieser, Sebastian; Weippl, Edgar (September 2013). "SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting". 2013 International Conference on Availability, Reliability and Security. pp. 255–261. doi:10.1109/ARES.2013.33.

Acar, Gunes; Juarez, Marc; Nikiforakis, Nick; Diaz, Claudia; Gürses, Seda; Piessens, Frank; Preneel, Bart (2013). "FPDetective: Dusting the Web for Fingerprinters". Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. CCS '13. New York, NY, USA: ACM. pp. 1129–1140. doi:10.1145/2508859.2516674. ISBN 978-1-4503-2477-9.

Mowery, Keaton; Bogenreif, Dillon; Yilek, Scott; Shacham, Hovav (2011). "Fingerprinting Information in JavaScript Implementations": 11.

Nikiforakis, Nick; Kapravelos, Alexandros; Wouter, Joosen; Kruegel, Christopher; Piessens, Frank; Vigna, Giovanni (2013). "Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting".

Mowery, Keaton; Shacham, Hovav (2012). "Pixel Perfect: Fingerprinting Canvas in HTML5": 12.

Merzdovnik, Georg; Huber, Markus; Buhov, Damjan; Nikiforakis, Nick; Neuner, Sebastian; Schmiedecker, Martin; Weippl, Edgar (April 2017). "Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools". 2017 IEEE European Symposium on Security and Privacy (EuroS P). pp. 319–333. doi:10.1109/EuroSP.2017.26.

Starov, Oleksii; Nikiforakis, Nick (May 2017). "XHOUND: Quantifying the Fingerprintability of Browser Extensions". 2017 IEEE Symposium on Security and Privacy (SP). pp. 941–956. doi:10.1109/SP.2017.18.

Sanchez-Rola, Iskander; Santos, Igor; Balzarotti, Davide (2017). Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies. 26th USENIX Security Symposium (USENIX Security 17). pp. 679–694. ISBN 978-1-931971-40-9.

Saito, Takamichi; Yasuda, Koki; Ishikawa, Takayuki; Hosoi, Rio; Takahashi, Kazushi; Chen, Yongyan; Zalasiński, Marcin (July 2016). "Estimating CPU Features by Browser Fingerprinting". 2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS). pp. 587–592. doi:10.1109/IMIS.2016.108.

Takei, Naoki; Saito, Takamichi; Takasu, Ko; Yamada, Tomotaka (2015). "Web Browser Fingerprinting Using Only Cascading Style Sheets". 2015 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA). pp. 57–63. doi:10.1109/BWCCA.2015.105.

Olejnik, Lukasz; Castelluccia, Claude; Janc, Artur (2012-07-13). "Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns".

Olejnik, Łukasz; Acar, Gunes; Castelluccia, Claude; Diaz, Claudia (2016). "The Leaking Battery". In Joaquin Garcia-Alfaro, Guillermo Navarro-Arribas, Alessandro Aldini, Fabio Martinelli, Neeraj Suri (eds.). Data Privacy Management, and Security Assurance. Lecture Notes in Computer Science. Cham: Springer International Publishing. pp. 254–263. doi:10.1007/978-3-319-29883-2_18. ISBN 978-3-319-29883-2.

Nikiforakis, Nick; Kapravelos, Alexandros; Joosen, Wouter; Kruegel, Christopher; Piessens, Frank; Vigna, Giovanni (2013). "Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting". 2013 IEEE Symposium on Security and Privacy. pp. 541–555. doi:10.1109/SP.2013.43.

Al-Fannah, Nasser Mohammed; Li, Wanpeng (2017). "Not All Browsers are Created Equal: Comparing Web Browser Fingerprintability". In Satoshi Obana, Koji Chida (eds.). Advances in Information and Computer Security. Lecture Notes in Computer Science. Springer International Publishing. pp. 105–120. ISBN 978-3-319-64200-0.

Alaca, Furkan; van Oorschot, P. C. (2016). "Device Fingerprinting for Augmenting Web Authentication: Classification and Analysis of Methods". Proceedings of the 32nd Annual Conference on Computer Security Applications. ACSAC '16. New York, NY, USA: ACM. pp. 289–301. doi:10.1145/2991079.2991091. ISBN 978-1-4503-4771-6.

Nikiforakis, Nick; Joosen, Wouter; Livshits, Benjamin (2015). "PriVaricator: Deceiving Fingerprinters with Little White Lies". Proceedings of the 24th International Conference on World Wide Web. WWW '15. Republic and Canton of Geneva, Switzerland: International World Wide Web Conferences Steering Committee. pp. 820–830. doi:10.1145/2736277.2741090. ISBN 978-1-4503-3469-3.

Gómez-Boix, Alejandro; Laperdrix, Pierre; Baudry, Benoit (2018). "Hiding in the Crowd: An Analysis of the Effectiveness of Browser Fingerprinting at Large Scale". Proceedings of the 2018 World Wide Web Conference. WWW '18. Republic and Canton of Geneva, Switzerland: International World Wide Web Conferences Steering Committee. pp. 309–318. doi:10.1145/3178876.3186097. ISBN 978-1-4503-5639-8.
