Browser Fingerprinting: the price of being unique

Someone visits X's website. Another person visits Y's website. For one (or both) of the websites I do not have server logs with the client's real IP. How can I know whether it is the same person who visited both websites? Welcome to the world of browser fingerprinting.

Browser what?


Fingerprinting: the act of taking a fingerprint. It consists of obtaining information that varies from browser to browser and using that information to uniquely identify a browser installed on a particular machine or device, or at least to drastically reduce the number of possibilities.

This requires access to that information from something running on the client side: Flash, Silverlight or JavaScript. Obviously the last one is the most effective option, because it works even in incognito browsers.

What information is unique in my browser?

None. But the combination of many attributes can potentially be unique. For example:

      • User agent
      • Language
      • Available resolution
      • Color depth
      • Timezone
      • Installed plugins and their versions
      • Installed fonts
      • Canvas
      • CPU
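
To make the point concrete, the following JavaScript (an added example, not code from the original article or from the libraries it links) measures how three of the attributes above combine. The visitor rows, the `UA-A`/`UA-B` labels and the function names are constructed for illustration.

```javascript
// Constructed sample population (not real measurements): one row per visiting browser.
const visitors = [
  { userAgent: "UA-A", language: "en", timezone: "UTC-5" },
  { userAgent: "UA-A", language: "en", timezone: "UTC+1" },
  { userAgent: "UA-A", language: "es", timezone: "UTC-5" },
  { userAgent: "UA-A", language: "es", timezone: "UTC+1" },
  { userAgent: "UA-B", language: "en", timezone: "UTC-5" },
  { userAgent: "UA-B", language: "en", timezone: "UTC+1" },
  { userAgent: "UA-B", language: "es", timezone: "UTC-5" },
  { userAgent: "UA-B", language: "es", timezone: "UTC+1" },
];

// Combined value of the chosen attributes for one visitor.
// JSON.stringify keeps values that contain separators from colliding.
const keyOf = (v, attrs) => JSON.stringify(attrs.map((a) => v[a]));

// Shannon entropy, in bits, of the chosen attributes across the population.
function entropyBits(population, attrs) {
  const counts = new Map();
  for (const v of population) {
    const k = keyOf(v, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / population.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Anonymity set: how many visitors are indistinguishable from `target`
// when a site can read only the chosen attributes.
function anonymitySet(population, target, attrs) {
  const k = keyOf(target, attrs);
  return population.filter((v) => keyOf(v, attrs) === k).length;
}

// Mitigation model (assumption): every browser reports the same value for one attribute.
function withUniform(population, attr, value) {
  return population.map((v) => ({ ...v, [attr]: value }));
}

const all = ["userAgent", "language", "timezone"];
for (const a of all) console.log(a, entropyBits(visitors, [a]), "bits");
console.log("combined", entropyBits(visitors, all), "bits");
console.log("anonymity set", anonymitySet(visitors, visitors[0], all));
```

In this constructed population each attribute alone leaves a visitor hidden among 4 of 8 browsers (1 bit), while the three together single out every browser (3 bits). Making one attribute uniform with `withUniform` doubles the anonymity set again.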

The last two, canvas and CPU, are interesting:

Canvas
The HTML5 canvas element lets you draw vector shapes and text on a page element, and then read back what was drawn. Believe it or not, for the same instructions the results vary by browser, operating system, motherboard and video drivers. The Tor browser mitigates this by always returning an empty image when information is retrieved from the canvas element.

CPU
The mechanism is simple:

      • Save the current timestamp
      • Run CPU-intensive code
      • Take the new timestamp and calculate how long the execution lasted

The results will differ according to processing power. The Tor browser mitigates this by reducing the resolution of the methods used for time calculation.

What information is unique to me?


The browser is not the only source of unique and identifiable information. The user also involuntarily adds entropy that can be used for this purpose, for example:

      • Scroll speed
      • Mouse speed
      • Typing cadence

Mouse movements are also affected by many variables, such as the mouse's resolution and, to some extent, the speed of the CPU, but the way the user interacts with input devices can also expose usage patterns, especially typing cadence (the “speed” and “pace” at which text is typed), which is used as an additional authentication factor in some systems.

Some links

Some pages to see how easily identifiable our browser is:

Fingerprinting browser example: https://panopticlick.eff.org/
Statistical information: https://amiunique.org/

Some libraries to start implementing fingerprinting in our web applications:

JavaScript library for fingerprinting: https://github.com/Valve/fingerprintjs2
JavaScript library for typing cadence detection: https://github.com/RyanMcG/Cadence-js

 
