A New Use For Browser Fingerprints: Defeating Spoofing

AnonymousCube writes: Researchers at the University of Adelaide have found a new use for browser fingerprints: uncovering and defeating spoofing by web browsers. By using machine learning on browser fingerprints they were able to correctly guess the OS or browser family of a browser 90% of the time, and defeat operating system and browser family spoofing 76% of the time. This was done with small training sets of less than 1000 fingerprints, so accuracy with a much larger training set, like the size of the EFF's Panopticlick database should give even better results; you can help prove this, and see what their site thinks your browser family and OS is, by submitting your fingerprint to their site.

You built the better mouse trap.

[Opportunist]

We now have to evolve the better mouse.

Dear fingerprinters: It might surprise you, but we don't want this to happen. We want the non-mobile version of your damn webpage on our mobile phone if we go out of our way to pretend we're not on a mobile device. Because guess what: Your mobile version almost invariably sucks and is unusable. Forcing us to use what YOU want us to use instead of allowing us to choose what WE want to choose leads to us not using your service at all.

Re:You built the better mouse trap.

[GargamelSpaceman]

They can even get you by canvas fingerprinting and web3d fingerprinting where they use various drawing apis to create an image and then send back the checksum of that image to create a fairly unique fingerprint.

CanvasBlocker sends a fake one, but then they know you are faking it. Or you can shut off access to the api, but then THAT flags you as unique for returning nothing but zeroes.

I have yet to be able to produce a browser fingerprint that isn't unique using any combination of addons.

We need some standardization. Then people could download an addon that produces at least the same fingerprint as all other users of that addon giving some space to hide in.

Re:You built the better mouse trap.

[allo]

> I have yet to be able to produce a browser fingerprint that isn't unique using any combination of addons.
You do not need to. You just need a fingerprint, which is different *every* time. Instead of being one in a group of 100, you're unique, but you are unique every time you re-visit the site.

Re:You built the better mouse trap.

[BarbaraHudson]

Problem is, they can't produce a unique fingerprint for every user's browser. And ANY browser fingerprint can be mimicked - in the end it's just bits and bytes coming down the wire.

So what if they know you're faking the checksum if millions of other people are faking it as well, and giving different bogus checksums for every page load. Or returning all zeroes, along with millions of other people doing the same? No need for an add-on that produces the same fingerprint as all other users of that add-on. You're overthinking the problem. What are they going to do, block users who don't let their browsers return fingerprints? We saw how well that worked with paywalls and not allowing ad-blockers. People just go elsewhere.

It's the internet - it was designed to route around such brain-damage.

Re:You built the better mouse trap.

[Some+nick+or+other]

I have yet to be able to produce a browser fingerprint that isn't unique using any combination of addons.

How do you tell different w3m or lynx users apart if they spoof their user agents?

Re:You built the better mouse trap.

[rudametkin]

It's actually quite hard to fake fingerprints thoroughly and coherently. There's a whole bunch of different Javascript API's a website can use to obtain fingerprintable data through, and some API's are browser specific or sometimes something simple, like the order of the objects returned, may be browser specific and give you away.

If you were to spoof coherently, you'd need to ensure that you can defend against all (most) of the attacks that attempt to verify your browser. This would require all kinds of astute manipulations to forge a fingerprint that can't be detected by the server, particularly if your running a different browser than the one you say you are (for example, your on FF but say IE).

Complete randomization has it's limits too, particularly if your randomly spoofing attributes. You can exhibit a new fingerprint easily, but is that fingerprint coherent (e.g., user agent is in accord with some other attribute, no Chrome API's in your spoofed Firefox browser)? Some sites probably won't care, most may not even check, but fingerprints could be used as an additional security mechanism (e.g., for banks). If the site doubts that you are who you say you are, then they may decide to deny access or require further authentication. Such mechanisms could be helpful against projects like FraudFox.

In either case, just because the site knows you are spoofing doesn't mean they know the truth nor that they can fingerprint enough attributes to track you over time.

Plug: We worked on a small prototype that, instead of spoofing, randomly assembled components and generated unique environments using Virtualbox, we also have a docker version that is lighter now. Here's our paper. https://hal.inria.fr/hal-01121...

We think it's more flexible than Tor since instead of attempting to construct one fingerprint, a user can have trillions. Also, we don't improse any specific browser or version, giving users more choice. Tor however addresses other concerns too that our small project didn't look at (e.g., IP address).

Re:You built the better mouse trap.

That's looking at it wrong. You create a small number of coherent fingerprints and then only allow the browser to send one of those. If you've got 5 of those fingerprints used by even a hundred people, the data is going to be so noisy as to be worthless. If you move up to a thousand people, the technique would probably be abandoned in favor of something else.

Re:You built the better mouse trap.

[Vairon]

By comparing the behavior of the two clients.

When w3m requests a web page it sends the following:
GET / HTTP/1.0
User-Agent: w3m/0.5.3+git20161120
Accept: text/html, text/*;q=0.5, image/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: www.website.com

When lynx, with a w3m user agent, requests a web page it sends the following:
GET / HTTP/1.0
Host: www.website.com
Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
Accept-Encoding: gzip, bzip2
Accept-Language: en
User-Agent: w3m/0.5.3+git20161120

Re:You built the better mouse trap.

Your mobile version almost invariably sucks and is unusable

And where you find an exception, sod's law says that they'll drop the mobile version. I'm looking at you, Flickr. Until a week or two ago the mobile version gave statistics on how many times each photo had been viewed which I couldn't find in one place on the (free version of the) full site. Now the mobile site is gone and instead it gives the full site, which doesn't work very well on a tiny screen.

Re:You built the better mouse trap.

Based on the title I thought the article was a good news piece about a more effective way to obtain non-mobile webpages. Instead it discussed new and exciting ways to be a dick and completely ignore the express desire of your users to obtain the content/experience they are actively seeking.

Obtaining the non-mobile version of a webpage should be as easy as clicking a nice friendly "I want the non-mobile version" button (or vice-versa on a desktop machine... no, wait, that literally never happens because mobile versions invariably suck). It should not involve defeating a leading edge AI detection system and a team of uber-dick UX experts.

Re:You built the better mouse trap.

[Some+nick+or+other]

I was asking how it could tell different lynxes apart, or different w3ms apart, the way it could tell e.g. Firefox on Linux and Firefox on Windows apart. It doesn't seem possible unless the headers or the response times differ.

If headers are all that make different text browsers look different, perhaps the developers could talk to each other to make their browser more like one another, to thwart just this kind of privacy invasion.

Re:You built the better mouse trap.

[Gr8Apes]

Obtaining the non-mobile version of a webpage should be as easy as clicking a nice friendly "I want the non-mobile version" button (or vice-versa on a desktop machine... no, wait, that literally never happens because mobile versions invariably suck).

Except for cnn.com. The mobile site is inherently better because it's actually clean compared to the full site. That doesn't mean the mobile site is great or anything, just that the mobile site sucks less.

Re:You built the better mouse trap.

[allo]

I think we will never ever eliminate the uniqueness of modern browser's fingerprint while keeping its features. You may have the same fingerprint when using something like tails in a VM. But start installing addons and you're changing it.

But you can try to randomize everything everytime. The problem is, while you may think "i fooled panopticlick to think i am always another unique person", the real fingerprinting service will not only take the full fingerprint, but try to analyse it. Something which is with big data and machine learning easier than ever before. And then they have the four properties, which correlate even while you're constantly changing them in a way, which can be used to fingerprint you again.

I tried the HTTP-Header stuff from the article about 10 years ago, it could even spot the google bot.
Now the results are incorrect because i never updated it, my current firefox seems to be an opera (12.x version).
https://laxu.de/useragent.php

this is rediculous

The javascript implementation in any every browser is so different, I cant imagine its difficult to check what works and is supported and report this back directly.

UA Spoofing for web devs

Thanks guys. By 'defeating' UA spoofing you've just made it harder to develop for the web.

Re:UA Spoofing for web devs

[Z00L00K]

Only the ad companies really likes to know which browser you have so that they can force their ads upon you depending on browser by exploiting the specific vulnerabilities.

Re:UA Spoofing for web devs

Which is insane. People wouldn't be spoofing their browser profile and blocking ads if the ad companies would show some restraint. They've already run their click through rates down to 0.07%, I'm curious how much further they can go. It's already gotten to the point where the main source of clicks is fraud. Do they really want to get to the point where the only source of clicks is fraud?

Here's a newsflash, they aren't entitled to our clicks. If they want our clicks, they need to stop acting like selfish dickheads and offer up something we want. The malware, tricking us into clicking, delaying page loads and whatnot really need to stop. There's no excuse for a modern web page to take longer to load than a web page did 20 years ago, just so they can continue the bidding a few more seconds.

Re:UA Spoofing for web devs

[Wootery]

But they do it for a reason: their short-term bottom-line. It's a tragedy-of-the-commons situation.

Each ad company benefits by being scummy. It harms the ad ecosystem overall, and wouldn't happen if there was a monopoly where only one ad company existed.

Re:UA Spoofing for web devs

[Merk42]

If you're still looking at user agents instead of feature-support, you're doing it wrong.

Why would I want to help defeat spoofing?

[scrib]

If a user has gone to the trouble of configuring a browser (or plugin) to spoof which browser they are using, why would I want to help researchers circumvent that?

If there's a good reason to defeat an intentional user choice, I'd love to hear it.

Re:Why would I want to help defeat spoofing?

To play the Devil's Advocate: the most important use of browser fingerprinting is not to force you to view a page in a format you don't want; it's a way for advertisers to push relevant ads to privacy-conscious people who e.g. disable third-party cookies or use plugins like "self-destructing cookies". You can use browser spoofing to limit this cookieless tracking. Now, as the Devil's Advocate, my argument is that if these researchers can beat browser fingerprinting, it's only a matter of time before a well-funded advertiser does the same, possibly in secrecy. By making their research openly accessible, the people who make spoofing plugins get a chance to harden their software before this next-gen fingerprinting tech becomes common among advertisers.

Re:Why would I want to help defeat spoofing?

It is the content producer's right to display their content in the manner in which they intend. If you do not wish to consume the content in that manner, you are free to go elsewhere. But you are not, however, free to falsify your credentials to thwart the content producer's TOS

Re:Why would I want to help defeat spoofing?

[TimSSG]

I just tested the Microsoft Edge Browser and I have never changed the defaults.
The website responded with
Your user-agent string specifies your browser as being a variant of CHROME.
Judging by your fingerprint we believe your browser is a variant of EDGE.

Tim S.

Re:Why would I want to help defeat spoofing?

[scrib]

Are you saying that browser spoofing is equivalent to falsifying credentials? That would be a frightening precedent...

Re:Why would I want to help defeat spoofing?

[allo]

> But you are not, however, free to falsify your credentials
Of course you are. Because most ToS do not include anything about browser modifications or even any requirements which browsers you are allowed to use.

Re:Why would I want to help defeat spoofing?

[BarbaraHudson]

Next you'l be claiming that a person must own an 80" XHD TV because the content producer has the right to display their content in the manner in which they intended. You're full of shit.

If they were supplying the internet connection, the computer, and the electricity, they still wouldn't have that right, because what happens in my home is my business, not theirs.

And in case you haven't noticed, people already have decided to "go elsewhere" when sites insist on blocking ad blockers (and most of the blocks are pitifully easy to get around) or putting stuff behind a paywall.

Anonymous Coward is a moron. Don't be like Anonymous coward. Don't be a moron.

Re:Why would I want to help defeat spoofing?

There's not a "good" reason (as in, something good people would do) but there is the advertising angle others have mentioned. However, the research is very useful because it demonstrates publicly something that, honestly, is probably already being done by several advertisers, which will in turn allow people to overcome it. Considering this is already something I knew was possible and have thought about for some time, this has finally inspired me to throw together some modules for improved spoofing.

Re:Why would I want to help defeat spoofing?

> why would I want to help researchers circumvent that?

Better that it be done in public so mozilla, tor, et al can use the results of their research to close the holes.
Because the multi-billion dollar Big Data industry is already doing the same research in secret.

Re:Why would I want to help defeat spoofing?

Because if the research is made in public (like this), it will be blatantly clear where the weak points in the browser are and the vendors/communities behind the browsers get a clear reason how and why they need to correct it.
You can for example see effects that EFF Panopticlick had in choices made by the developers behind Firefox and they fixed several issues that was highlighted by that project. It is important that similar research is made in the public so that the developers can clearly see what needs to be done (and so that users can give clear reasons and arguments for why something needs to change when arguing with developers).

Re:Why would I want to help defeat spoofing?

Security is an arms race.
Attacks need to be built before defenses can be built against them.
This work gives developers a way to test the effectiveness of their spoofing technologies and adjust accordingly.

Re:Why would I want to help defeat spoofing?

[sjames]

No, it isn't. Especially on the web where it is well known that screen sizes vary and many browsers are in use.

But even print publishers have no right to demand specific lighting, lack of tinted glasses, or even that I not cut the ads out before I read it. I can even black out teeth and add horns to people in the pictures if that amuses me.

Re:Why would I want to help defeat spoofing?

[wtfbill]

"Not free to falsify credentials" says the guy who comments as AC. How ironic, or is that your real name? I have TOS too: stop trying to thwart my desire to have some modicum of privacy, or we can't do business.

Re:Why would I want to help defeat spoofing?

[Gr8Apes]

Now, as the Devil's Advocate, my argument is that if these researchers can beat browser fingerprinting, it's only a matter of time before a well-funded advertiser does the same, possibly in secrecy. By making their research openly accessible, the people who make spoofing plugins get a chance to harden their software before this next-gen fingerprinting tech becomes common among advertisers.

That's not a Devil's Advocate argument. That's reality. Ideally, with randomized headers and a 2 or 3 hop Tor base implementation, all advertiser tracking could end tomorrow. (3 letters could obviously still easily track a 2 or 3 hop Tor implementation)

Re:Why would I want to help defeat spoofing?

[Gr8Apes]

It is the content producer's right to display their content in the manner in which they intend

It is, and if they wish to control display, then publicly served HTML is not the way to go.

Re:Why would I want to help defeat spoofing?

[sp0tter]

this should have more points

double plus ungood

You do not call it "fighting spoofing". You must call it "reducing privacy, usability and anonymity". Doesn't sound so good now, does it?

Just asks me to install Flash.

n/t

Why did we choose this path

The client should only send requests, it should never reply to the servers requests.

Running Firefox with NoScript

[TimSSG]

I am running Firefox 45.9.0 with NoScript and the site thinks it is IE.
Tim S.
Your user-agent string specifies your browser as being a variant of FIREFOX.
Judging by your fingerprint we believe your browser is a variant of IE.

Re:Running Firefox with NoScript

[BarbaraHudson]

Really screw them over. Fix it so that it thinks it's IE4.

This makes zero sense..

There are many valid reasons to spoof a browser, that are completely legal. I can't think of many illegal reasons to do so that would be very useful, when looking at the big picture. Privacy and access would be they biggest. What new corporate overlord propaganda, is the a preface to?

Re:This makes zero sense..

[PPH]

University of Adelaide

It's an ex-prison colony. They probably like searching your prison cell at random times just out of habit.

Re: This makes zero sense..

Not Adelaide, matee.

Stop Fingerprinting now

Stop fingerprinting AND fake another OS. Create your anonymous profile at ffprofile.com. Only for firefox.

Palemoon and some addons solve all lifes problems.

[Xenolith0]

Palemoon + Addons:
Cookie Monster - https://addons.mozilla.org/en-...
RequestPolicy - https://addons.mozilla.org/en-...
NoScript - https://addons.mozilla.org/en-...
Secret Agent - https://www.dephormation.org.u...
No java, no flash. Good luck finger printing that.

Obscure platform FTL

//browserprint.info/view?source1=UUID&UUID1UUID=55bd912a-d525-4ccf-b735-551c28616c2e

Really then, users of obscure platforms are more easily identified and fingered than users of more common platforms. In my case, W10M/Edge mean that my browser on my stock phone are unique of all their Data so far. But a user of an iPhone/safari or android/chrome wouldn't be so easily identified. So out of 34k samples, as stock Lumia 950XL is unique... That's concerning.

Re:Obscure platform FTL

It's not that concerning. It does not work unless your browsers fetches and executes the payload. Once you allow the remote site permission to run things on your device, all bets are off no matter what. But that choice is up to your own computer. An attack that requires cooperation of the target is a much smaller concern than one based on a vulnerability.

It's akin to the difference between "HotGirl.jpg.exe (which requires the target to run it) and a real OS security vulnerability than can be exploited without the target's consent.

Pair digital fingerprinting with AI and Internet p

[TheOuterLinux]

I've said this too many times, and I really don't know what to write that would be a thoughtful comment. All I know to do for now, and have done for nearly a decade, is use VPN, Tor, and DNSCrypt, and hope that all I've done so far will be enough to mud-up things, at least for a while, for when it gets really bad. The Internet used to be like the U.S. was in its infancy, a self-reliant frontier of sorts, and now we're are all statistics once again to be ruled and manipulated by governments that don't know what they're doing because the banking puppet strings are wrapped around too tight. Every so often, humanity is required to go through a "transcendental" phase in order to prevent catastrophe brought by too much change at once. One of the best ways to have done this is through cultural exchange. Unfortunately, leaders keep deciding to let this transcendence happen after wars or international economic gain. The Internet could provide a safe and anonymous way of doing this, but not anymore. The only reason there hasn't been a major war in while, regardless of the who's in charge right now, is because everyone with a social media account has been conditioned to be compliant. You know how your grandparents react when they have to pay for water? Look at the current generation now.

doesn't work without running their payload

I tried it. It pops up a page that says "Please wait..." with an icon to "Get Adobe Flash". That's it.

So yet again, it's a malicious technique that only works with the active cooperation of the target. Do not volunteer to run malicious payloads, and you are apparently safe from this.

Re:doesn't work without running their payload

[mi]

It does not require Flash for most of the functionality. My browser does not have Flash installed, and it told me quite a bit about my environment anyway. It does need JavaScript, but that's enabled for most people, because a vast number of sites break without it.

Re:doesn't work without running their payload

It does need JavaScript,

But it's javascript that leaks so much identifying information. Once you enable javascript, you have lost the battle pretty much no matter what you do.

The best approach is probably a combination of things. Use javascript on a strict whitelist basis, not by default. Whitelist sites you trust that need it for something real. Block all other javascript. That will VASTLY reduce the number of bits of entropy that you leak to web sites, and still let you use your bank and so on.

Sites break with JS because the public has taught those sites that it's OK to depend on it. We need to teach them otherwise, or this will only accelerate.

Re:doesn't work without running their payload

I don't use javascript (noscript plugin) and it was still able to identify my browser uniquely.

Now we need a spoofing AI

[Visarga]

Now we need a spoofing AI to defeat the anti-spoofing AI, thus recovering our privacy.

Re:Pair digital fingerprinting with AI and Interne

People didn't like paying for water as late as in 2000: https://en.wikipedia.org/wiki/...

Lynx

I am becoming more and more convinced we need a butlerian jihad. At the least, perhaps we need to all go back to using Lynx as our browser. Does there really need to be actuve content on a web page? Just send me the text, with appropriate markup and I can read it just fine. Why do I need to stream audio or video in my browser? Why do I need moving anything? Go back to seperate apps. i can stream audio an application, I can watch video in an application, I can do both at the same time, or should be able to.

Here is a clue, I do not care about some socks, I used to care about winsocks, but have not this century.
I do not care about what celebrity x looks like now, I do not care about asains dating, I do not care about some ford dealership in southern lithuania or any place else. I certainly do not need to see 40 ads for the printer I bought 2 months ago. Here is a big clue, I already bought it, is it so crappy that I need to buy another one now 2 months later and if so, why would I buy the same one?

Needs work...

[mi]

Though my User-Agent header clearly says: "FreeBSD", the site claimed, my OS is "likely Windows" :)

Other than that, yes, it is quite amazing, how much info is available to the JavaScript code...

Re:Needs work...

It doesn't look at your user-agent string, that's cheating.

can you block CSS screen size?

I tried the site. I have javascript disable, so most of the detections did not work. However, I was still "unique". The biggest data leak seemed to be screen size, which it detected accurately and they gave it "1 in 205".

Is there a plugin available to spoof this value?

Re: Palemoon and some addons solve all lifes probl

That's even more identifiable, because in a world where everything is identifiable only FSF nerds care enough to install all that crap.

It guessed mine wrong

[ITRambo]

Using Sandboxed Opera (Sandboxie) and Opera's built in VPN, it guessed my browser was Chrome.

Re:It guessed mine wrong

[DERoss]

Me too.

I tried Browserprint twice just now. Each time, it gave a different browser, none of which were correct. In one case, it even responded that I was using a Mac; but I am using a Windows PC.

How did I defeat it? It was simple. I have Secret Agent from https://www.dephormation.org.u... installed.

Browserprint is not new. I first tried Browserprint almost a year ago. I have also tried Panopticlick several times. Secret Agent always defeats the attempt to identify my browser.

Not terribly useful.

[NormanHaga2580]

I use the current version of Firefox (53.0.02) and a lot of addons. The OS I ran the test with is Windows 8.1. Two thirds of the time, the test listed Linux or BSD.

Why would you?

Why help these idiots?

Javascript is the culprit

Unless panopticlick is lying to me disabling javascript does wonders for you fingerprinting situation.