Fingerprinting Methods Identify Users Across Different Browsers On the Same PC (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.
Browsers should present a "generic" capabilities list to web sites unless the user white-lists that site to receive some or all of the "real" capabilities. An online video-gaming site may need to know if I can play a GPU-intensive online game through the web browser, but very few other sites need to know.
For example, "generic capabilities" would be:
Screen size would be "small" for tablets, phones, and small notebooks, or "normal" for everything else. Pixel density would not be disclosed.
"List of fonts" would be the most common "web fonts" in the main language of the operating system.
As for the rest, they would be shown as "not disclosed."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
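The "generic capabilities" policy proposed in the comment above, as an added example that is not part of the original thread or of any browser's code. The field names, the 1024-pixel cut-off for "small", the font list, the origins and the two sample machines are all assumptions constructed for illustration.

```javascript
// Added example: field names, threshold and font list are assumptions.
const SMALL_SCREEN_MAX_WIDTH = 1024;           // assumed cut-off for "small"
const COMMON_WEB_FONTS = {                     // assumed per-language defaults
  en: ["Arial", "Courier New", "Georgia", "Times New Roman", "Verdana"],
};

// real:   what the browser actually knows about the machine
// grants: Map of origin -> Set of field names the user white-listed
function capabilitiesFor(origin, real, grants) {
  const granted = grants.get(origin) || new Set();
  const view = {};
  for (const [field, value] of Object.entries(real)) {
    if (granted.has(field)) {
      view[field] = value;                     // user opted in for this site
    } else if (field === "screen") {
      view[field] = value.width <= SMALL_SCREEN_MAX_WIDTH ? "small" : "normal";
    } else if (field === "fonts") {
      view[field] = COMMON_WEB_FONTS[real.osLanguage] || COMMON_WEB_FONTS.en;
    } else {
      view[field] = "not disclosed";
    }
  }
  return view;
}

// A site can tell two machines apart only if the views it receives differ.
function distinguishable(viewA, viewB) {
  return JSON.stringify(viewA) !== JSON.stringify(viewB);
}

// Constructed sample machines, not measurements.
const machineA = { screen: { width: 2560, height: 1440, pixelRatio: 1 }, cpuCores: 16,
  fonts: ["Arial", "Fira Code", "Noto Sans"], gpuRenderer: "ExampleGPU 9000",
  audioSampleRate: 48000, osLanguage: "en" };
const machineB = { screen: { width: 1366, height: 768, pixelRatio: 2 }, cpuCores: 4,
  fonts: ["Arial", "Comic Sans MS"], gpuRenderer: "ExampleGPU 100",
  audioSampleRate: 44100, osLanguage: "en" };

const grants = new Map([["https://games.example", new Set(["gpuRenderer", "cpuCores"])]]);

const newsA = capabilitiesFor("https://news.example", machineA, grants);
const newsB = capabilitiesFor("https://news.example", machineB, grants);
const gameA = capabilitiesFor("https://games.example", machineA, grants);
const gameB = capabilitiesFor("https://games.example", machineB, grants);

console.log(distinguishable(newsA, newsB));    // false
console.log(distinguishable(gameA, gameB));    // true
```

Each grant restores that origin's ability to tell the machines apart, so white-listing is a per-site trade-off rather than a free exemption.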
Someone that has advanced personal knowledge of this should definitely chime in about the glories of the HOSTS file over all other options.
What I always wonder is why Mozilla isn't doing more to protect user privacy. This is one thing that could really differentiate them from Chrome and other browsers.
I always hear from Mozilla supporters that Firefox is already "the best" when it comes to this. But the summary claims that Firefox is affected by these methods.
Then there are problems like how Firefox includes "telemetry" support that can be disabled, but it can't be easily removed completely. This should be opt-in, in the sense of the functionality not even being present unless you download a special non-default build that includes it. Yeah, that means Mozilla likely won't get as much user data to mine. That's the whole point, though: the browser shouldn't unnecessarily share data with anyone, including Mozilla. It's not like whatever data they've been collecting so far has done them any good; Firefox's share of the market is continually dropping as users get more and more disappointed with its awful user experience. All of the smart Firefox users (the ones being driven away) likely already disabled "telemetry", so they're probably already basing their decisions on incomplete data from the dumbest Firefox users.
It also doesn't help that they're so eager to include all of this unnecessary Web 2.0 and HTML5 functionality that lets websites track your location, or use your microphone, or other nonsense like that. This is the kind of crap that has one purpose only: providing personal data to advertisers. Any other use case is better handled by non-browser applications.
User privacy is one area where Firefox could really shine. It's perhaps the one thing that could really draw users back from Chrome, Edge, Safari, and the other browsers they've moved to after Firefox's user experience went to hell. Yet what the Firefox devs have done in this direction so far has been uninspiring.
The game site does not need to know what your capabilities are. If you try to run it, and it doesn't work, you don't try again. It doesn't need to know *any* of the fonts or even font-families you have installed; it just needs to do what the web has always done: present a list of fonts the site designer would like the browser to use, if they are available and the user allows it. No site needs to know even the simple small/med/large screen size, as that can all be (and usually is) handled entirely within the browser via CSS.
Give them even less info than you propose and it'll still be too much, generally speaking.
Using multiple VMs with different distros won't help a bit here, because when you come right down to it, they're all using the same hardware, and that's what this is exploiting. Now, if you had multiple graphics cards and let different distros use different cards, that might throw them off.