USING BROWSER PROPERTIES FOR FINGERPRINTING
RALPH BROENINK
USER TRACKING
‘TRADITIONAL’ COOKIES
HTTP
Cookies
HTML5
Local Storage
Flash
Local Shared Objects
‘TRADITIONAL’ COOKIES
3u938s24
3u938s24
ISN’T THERE A NEW LAW AGAINST IT?
“Anyone who […] wants to save data in the peripherals of the user,
is required to […] have obtained permission from the user.”
– article 11.7a, Telecommunicatiewet (translated)
HTTP HEADERS
name
version
language
character set
JAVASCRIPT
YEAH, BUT ...
screen resolution
operating system
timezone
font list
+ order
Host: www.letmetrackyou.org
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/535.18 (KHTML, like Gecko)
Chrome/18.0.1010.1 Safari/535.18
Accept: text/html,application/xhtml+xml,
application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en;q=0.8,
en-US;q=0.6,nl;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
identical (consistent)?
unique?
ARE FINGERPRINTS UNIQUE?
Immediately
unique
fingerprints
96%
Fingerprint shared
with exactly one other
2%
No unique fingerprint
2%
ARE FINGERPRINTS UNIQUE?
>8.47 bits of entropy
(of 8.95 possible)
ARE FINGERPRINTS CONSISTENT?
Browser version: 4.0.0
5.0.1
5.0.0
4.0.1
5.0.2
4.1.0
6.0.0
4.0.2
Segoe UI
Arial Black
Calibri
Candara
Comic Sans MS
Consolas
Constantia
Corbel
Franklin Gothic Medium
Gabriola
Georgia
Palatino Linotype
Segoe Print
Trebuchet MS
ARE FINGERPRINTS CONSISTENT?
They are fairly consistent.
False
negative
5%
False
positive
8%
Positive
match
87%
MOBILE DEVICES
X-VF-ACR
X-Brand-ID
WHAT CAN YOU DO?
private browsing
mode
Tor Browser
ANONYMOUS BROWSING DOES NOT EXIST
RALPH BROENINK
MORE THAN JUST FINGERPRINTS
#1
House S08E07
#2
Mythbusters
#3
porn
#4
Skyrim