Browser Fingerprinting: the price of being unique

Someone visits X’s website. Another person visits Y’s website. For one (or both) of the websites I do not have server logs with the client’s real IP. How can I know whether it is the same person who visited both websites? Welcome to the world of browser fingerprinting.

Browser what?

Fingerprinting: the act of taking a fingerprint. It consists of obtaining information that can vary from browser to browser and using that information to uniquely identify a browser installed on a particular machine or device, or at least to drastically reduce the number of possibilities.

This requires access to that information from something running on the client side: Flash, Silverlight or JavaScript. Obviously the last one is the most effective option because it works even in incognito mode.

What information is unique in my browser?

None on its own. But the combination of many attributes can potentially be unique. For example:

      • User agent
      • Language
      • Available resolution
      • Color depth
      • Timezone
      • Installed plugins and their versions
      • Installed fonts
      • Canvas
      • CPU
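
The claim above, that no single attribute is unique but a combination can be, can be measured. The following is an added example, not code from the original article: it computes Shannon entropy and the anonymity set (how many visitors share the same values) over a constructed sample of eight visitors. The sample data and all function names are assumptions made for illustration.

```javascript
// Constructed sample (not real traffic): 8 visitors, 3 of the attributes listed above.
const ATTRS = ["userAgent", "language", "resolution"];
const visitors = [];
for (const userAgent of ["Chrome/Windows", "Firefox/Linux"])
  for (const language of ["en-US", "es-AR"])
    for (const resolution of ["1920x1080", "1366x768"])
      visitors.push({ userAgent, language, resolution });

// Join the chosen attribute values into one comparable fingerprint string.
function fingerprint(visitor, attrs) {
  return attrs.map((a) => `${a}=${visitor[a]}`).join("|");
}

// Count how many visitors share each fingerprint value.
function histogram(records, attrs) {
  const counts = new Map();
  for (const r of records) {
    const key = fingerprint(r, attrs);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy in bits: how much identifying information the attributes carry.
function entropyBits(records, attrs) {
  let h = 0;
  for (const n of histogram(records, attrs).values()) {
    const p = n / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Anonymity set: number of visitors indistinguishable from `target` on these attributes.
function anonymitySet(records, target, attrs) {
  return histogram(records, attrs).get(fingerprint(target, attrs));
}

// Show how the first visitor's anonymity set shrinks as attributes are combined.
for (let i = 1; i <= ATTRS.length; i++) {
  const used = ATTRS.slice(0, i);
  console.log(used.join("+"), entropyBits(visitors, used).toFixed(1), "bits,",
    "anonymity set", anonymitySet(visitors, visitors[0], used));
}
```

In this sample each attribute alone leaves a visitor hidden among four, while the three together single out every visitor. The same measurement over real traffic shows which attributes a privacy-focused browser most needs to normalize.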

The last two items in the list, canvas and CPU, are interesting cases:

The HTML5 canvas element allows you to draw vector shapes and text on a page element, and then read back what was drawn. Believe it or not, given the same instructions, the results vary by browser, operating system, motherboard, and video drivers. The Tor Browser mitigates this by always returning an empty image when information is retrieved from the canvas element.

For the CPU, the mechanism is simple:

      • Save the current timestamp
      • Run CPU-intensive code
      • Take the new timestamp and calculate how long the execution lasted

The results will differ according to the processing power. The Tor Browser mitigates this by reducing the resolution of the methods used for time calculation.

What information is unique to me?

The browser is not the only source of unique and identifiable information. The user also involuntarily adds entropy that can be used for this purpose, for example:

      • Scroll speed
      • Mouse speed
      • Typing cadence

Mouse movements are also affected by many variables, such as the mouse’s resolution and, to some extent, the speed of the CPU, but the way the user interacts with the input devices can also expose usage patterns, especially typing cadence (the “speed” and “pace” at which a text is typed), which is used as an additional authentication factor in some systems.

Some links

Some pages to see how easily identifiable our browser is:

Fingerprinting browser example
Statistical information

Some libraries to start implementing fingerprinting in our web applications:
JavaScript library for fingerprinting
JavaScript library for typing cadence detection

