Slashdot Mirror

← Back to Stories (view on slashdot.org)

A New Use For Browser Fingerprints: Defeating Spoofing (browserprint.info)

Posted by EditorDavid on from the busted-by-behavior dept.

AnonymousCube writes: Researchers at the University of Adelaide have found a new use for browser fingerprints: uncovering and defeating spoofing by web browsers. By using machine learning on browser fingerprints they were able to correctly guess the OS or browser family of a browser 90% of the time, and defeat operating system and browser family spoofing 76% of the time. This was done with small training sets of less than 1000 fingerprints, so accuracy with a much larger training set, like the size of the EFF's Panopticlick database should give even better results; you can help prove this, and see what their site thinks your browser family and OS is, by submitting your fingerprint to their site.

9 of 64 comments (clear)

  1. You built the better mouse trap. by Opportunist · · Score: 5, Informative

    We now have to evolve the better mouse.

    Dear fingerprinters: It might surprise you, but we don't want this to happen. We want the non-mobile version of your damn webpage on our mobile phone if we go out of our way to pretend we're not on a mobile device. Because guess what: Your mobile version almost invariably sucks and is unusable. Forcing us to use what YOU want us to use instead of allowing us to choose what WE want to choose leads to us not using your service at all.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:You built the better mouse trap. by GargamelSpaceman · · Score: 5, Informative

      They can even get you by canvas fingerprinting and web3d fingerprinting where they use various drawing apis to create an image and then send back the checksum of that image to create a fairly unique fingerprint.

      CanvasBlocker sends a fake one, but then they know you are faking it. Or you can shut off access to the api, but then THAT flags you as unique for returning nothing but zeroes.

      I have yet to be able to produce a browser fingerprint that isn't unique using any combination of addons.

      We need some standardization. Then people could download an addon that produces at least the same fingerprint as all other users of that addon giving some space to hide in.

      --
      ...
    2. Re:You built the better mouse trap. by allo · · Score: 2

      > I have yet to be able to produce a browser fingerprint that isn't unique using any combination of addons.
      You do not need to. You just need a fingerprint, which is different *every* time. Instead of being one in a group of 100, you're unique, but you are unique every time you re-visit the site.

    3. Re:You built the better mouse trap. by BarbaraHudson · · Score: 4, Interesting

      Problem is, they can't produce a unique fingerprint for every user's browser. And ANY browser fingerprint can be mimicked - in the end it's just bits and bytes coming down the wire.

      So what if they know you're faking the checksum if millions of other people are faking it as well, and giving different bogus checksums for every page load. Or returning all zeroes, along with millions of other people doing the same? No need for an add-on that produces the same fingerprint as all other users of that add-on. You're overthinking the problem. What are they going to do, block users who don't let their browsers return fingerprints? We saw how well that worked with paywalls and not allowing ad-blockers. People just go elsewhere.

      It's the internet - it was designed to route around such brain-damage.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    4. Re:You built the better mouse trap. by rudametkin · · Score: 2
      It's actually quite hard to fake fingerprints thoroughly and coherently. There's a whole bunch of different Javascript API's a website can use to obtain fingerprintable data through, and some API's are browser specific or sometimes something simple, like the order of the objects returned, may be browser specific and give you away.

      If you were to spoof coherently, you'd need to ensure that you can defend against all (most) of the attacks that attempt to verify your browser. This would require all kinds of astute manipulations to forge a fingerprint that can't be detected by the server, particularly if your running a different browser than the one you say you are (for example, your on FF but say IE).

      Complete randomization has it's limits too, particularly if your randomly spoofing attributes. You can exhibit a new fingerprint easily, but is that fingerprint coherent (e.g., user agent is in accord with some other attribute, no Chrome API's in your spoofed Firefox browser)? Some sites probably won't care, most may not even check, but fingerprints could be used as an additional security mechanism (e.g., for banks). If the site doubts that you are who you say you are, then they may decide to deny access or require further authentication. Such mechanisms could be helpful against projects like FraudFox.

      In either case, just because the site knows you are spoofing doesn't mean they know the truth nor that they can fingerprint enough attributes to track you over time.

      Plug: We worked on a small prototype that, instead of spoofing, randomly assembled components and generated unique environments using Virtualbox, we also have a docker version that is lighter now. Here's our paper. https://hal.inria.fr/hal-01121...

      We think it's more flexible than Tor since instead of attempting to construct one fingerprint, a user can have trillions. Also, we don't improse any specific browser or version, giving users more choice. Tor however addresses other concerns too that our small project didn't look at (e.g., IP address).

    5. Re:You built the better mouse trap. by Vairon · · Score: 4, Interesting

      By comparing the behavior of the two clients.

      When w3m requests a web page it sends the following:
      GET / HTTP/1.0
      User-Agent: w3m/0.5.3+git20161120
      Accept: text/html, text/*;q=0.5, image/*
      Accept-Encoding: gzip, compress, bzip, bzip2, deflate
      Accept-Language: en;q=1.0
      Host: www.website.com

      When lynx, with a w3m user agent, requests a web page it sends the following:
      GET / HTTP/1.0
      Host: www.website.com
      Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
      Accept-Encoding: gzip, bzip2
      Accept-Language: en
      User-Agent: w3m/0.5.3+git20161120

  2. Why would I want to help defeat spoofing? by scrib · · Score: 5, Interesting

    If a user has gone to the trouble of configuring a browser (or plugin) to spoof which browser they are using, why would I want to help researchers circumvent that?

    If there's a good reason to defeat an intentional user choice, I'd love to hear it.

    --
    Help! Help! I'm being repressed!
    1. Re:Why would I want to help defeat spoofing? by BarbaraHudson · · Score: 2

      Next you'l be claiming that a person must own an 80" XHD TV because the content producer has the right to display their content in the manner in which they intended. You're full of shit.

      If they were supplying the internet connection, the computer, and the electricity, they still wouldn't have that right, because what happens in my home is my business, not theirs.

      And in case you haven't noticed, people already have decided to "go elsewhere" when sites insist on blocking ad blockers (and most of the blocks are pitifully easy to get around) or putting stuff behind a paywall.

      Anonymous Coward is a moron. Don't be like Anonymous coward. Don't be a moron.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  3. double plus ungood by Anonymous Coward · · Score: 4, Informative

    You do not call it "fighting spoofing". You must call it "reducing privacy, usability and anonymity". Doesn't sound so good now, does it?