Someone visits X's website. Another person visits Y's website. On one (or both) websites I do not have the client's real IP in the server logs. How can I know whether it is the same person who visited both? Welcome to the world of browser fingerprinting.
Fingerprinting. The act of taking a fingerprint. It consists of collecting information that varies from browser to browser and using it to uniquely identify a browser installed on a particular machine or device, or at least to drastically reduce the number of candidates.
What information is unique in my browser?
None on its own. But the combination of many attributes can be potentially unique. For example:
- User agent
- Available screen resolution
- Color depth
- Installed plugins and their versions
- Installed fonts
These last two cases are interesting:
The HTML5 canvas element lets a page draw vector shapes and text and then read back the rendered result. Believe it or not, the same drawing instructions produce results that vary by browser, operating system, motherboard and video drivers. The Tor Browser mitigates this by always returning an empty image when data is read back from the canvas element.
The mechanism is simple:
- Save the current timestamp
- Run a CPU intensive code
- Take the new timestamp and calculate how long the execution lasted
The results will differ according to processing power. The Tor Browser mitigates this by reducing the resolution of the timing methods.
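Added example (not code from the original post), in JavaScript for Node: the three-step timing benchmark described above, next to the mitigation of a coarser clock. The timings for the two machines A and B are constructed sample values, not measurements.

```javascript
// Added example, not from the original post. Implements the timestamp /
// CPU-intensive loop / timestamp procedure, then shows how clamping the
// clock resolution (the Tor Browser approach) hides small speed differences.

// Steps 1-3: save a timestamp, run CPU-intensive code, measure elapsed time.
// The iteration count and arithmetic are arbitrary; only consistency matters.
function cpuBenchmarkMs(iterations = 2000000) {
  const start = performance.now();
  let acc = 0;
  for (let i = 0; i < iterations; i++) {
    acc = (acc * 31 + i) % 1000003;
  }
  return performance.now() - start;
}

// Mitigation: report timestamps only at a fixed resolution, so that small
// differences in processing power no longer show up in the measurement.
function coarsen(timestampMs, resolutionMs) {
  return Math.floor(timestampMs / resolutionMs) * resolutionMs;
}

// The same benchmark, seen through a clock clamped to `resolutionMs`.
function cpuBenchmarkCoarsenedMs(resolutionMs, iterations = 2000000) {
  const start = coarsen(performance.now(), resolutionMs);
  let acc = 0;
  for (let i = 0; i < iterations; i++) {
    acc = (acc * 31 + i) % 1000003;
  }
  return coarsen(performance.now(), resolutionMs) - start;
}

// Can two machines still be told apart at a given clock resolution?
// Simplification: the elapsed values themselves are bucketed.
function distinguishable(elapsedAms, elapsedBms, resolutionMs) {
  return coarsen(elapsedAms, resolutionMs) !== coarsen(elapsedBms, resolutionMs);
}

// Constructed sample timings: machine A takes 37.4 ms, machine B 41.9 ms.
const SAMPLE_A_MS = 37.4;
const SAMPLE_B_MS = 41.9;

console.log('fine-grained benchmark:', cpuBenchmarkMs().toFixed(3), 'ms');
console.log('100 ms clock benchmark:', cpuBenchmarkCoarsenedMs(100), 'ms');
console.log('A vs B at 0.005 ms:', distinguishable(SAMPLE_A_MS, SAMPLE_B_MS, 0.005)); // true
console.log('A vs B at 100 ms:', distinguishable(SAMPLE_A_MS, SAMPLE_B_MS, 100));     // false
```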
What information is unique to me?
The browser is not the only thing that provides unique and identifiable information. The user involuntarily adds entropy that can be used for the same purpose, for example:
- Scroll speed
- Mouse speed
- Typing cadence
Mouse movements are also affected by many variables, such as the mouse's resolution and, to some extent, CPU speed, but the way the user interacts with input devices can also expose usage patterns, especially typing cadence (the "speed" and "pace" at which text is typed), which some systems use as an additional authentication factor.
Some pages to check how easily identifiable our browser is:
Browser fingerprinting example: https://panopticlick.eff.org/
Statistical information: https://amiunique.org/
Some libraries to start implementing fingerprinting in our web applications: