How to Detect a Client’s Browser Senior Seminar CS498

Conrad Kennington
Kount
• Stops e-commerce fraud
• Passively identifies devices
Your device automatically sends information about itself
Why?
= mobile site
= desktop site
en-US = English site
ja-JA = Japanese site
What information?
What they know
Device location (~30 miles)
Business type
If you’re a return visitor
When you last visited
If they care:
Browser version
Browser plugins installed
Plugins can gather additional system information
Operating system version
Local timezone
Language settings
Limited device specs
Resolution
Screen size
What they don’t know
Name
Age
Gender
Weight
Address
Profession
Phone
Credit card number
Major
Salary
Social Security Number
Medical history
Facebook relationship status
Mother’s maiden name
Licensed watercraft
Outstanding parking tickets
Favorite ice-cream
Overdue library books
Grades
Favorite bands
High school sweethearts
Eye color
Nicknames
Netflix recently watched
Email addresses
Tax returns
Candy Crush score
Batting average
Attendance records
Instant messages
Pirated music/movies
Magazine subscriptions
Purchase history
World of Warcraft achievements
Books read
Adderall dosage
MySpace Top 10
Travel schedule
Birthday
Voting records
Tattoos
Fingerprints
Drivers license number
License plate
Dental records
Guns owned
Magic the Gathering decks
Costco membership status
Unredeemed rewards points
Average commute time
Hobbies
Mile run
Favorite restaurants
Merit badges
Religion
Pets
Mood
Amazon wish list
Marital status
401k balance
Therapist
Phone logs
Pretty much nothing about your person
Location
71.33.*.*
This means Boise, Idaho
For now.
82.148.97.69
This means Qatar
The whole country.
Mask my IP, mask my location?
Not exactly.
Timezone, language, etc
Browser
HTTP Request Headers
Request method: GET
Request URI: /
Request protocol: HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept charset:
Accept encoding: gzip,deflate,sdch
Accept language: en-US,en;q=0.8
Connection: keep-alive
Host: myhttp.info
Referer: https://www.google.com/
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1801.3 Safari/537.36
Parsing a user agent string sucks
Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/19.0
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0.1
Googlebot/2.1 (+http://www.google.com/bot.html)
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)
None of your business.
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)
Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.
Opera/9.80 (Android; Opera Mini/7.5.33361/31.1350; U; en) Presto/2.8.119 Version/11.10
‘; DELETE FROM user_agents;
Mozilla/5.0 (PLAYSTATION 3; 2.00)
Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.346 Mobile Safari/534.11+
Mozilla/5.0 (Linux armv6l; Maemo; Opera Mobi/8; U; en-GB; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 11.00
Mozilla/5.0 (X11; U; Linux i686; ru; rv:33.2.3.12) Gecko/20120201 SeaMonkey/8.2.8
Mozilla/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Safari/531.2+ Epiphany/2.30.0
Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) Fedora/4.3.1-3.fc11
Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/5.0 ( ; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
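The strings above share tokens, hide versions and include junk and an SQL fragment, so a server has to treat the header as untrusted input. Added example (not from the original slides): ordered matching that returns only the claimed family and version, plus storage through bound parameters; the table name follows the injection string on the slide, and `MAX_UA_LEN` and the rule set are assumptions.

```python
import re
import sqlite3

MAX_UA_LEN = 512  # assumption: longer values are stored truncated, unparsed
V = r"(\d+(?:\.\d+)*)"
# First match wins. Order matters: Chrome UAs contain "Safari", some Opera
# UAs contain "Firefox", and Opera/9.80 hides its real version in Version/.
RULES = [
    ("Googlebot", re.compile(r"Googlebot/" + V)),
    ("Opera", re.compile(r"Opera/.*Version/" + V)),
    ("Opera", re.compile(r"Opera[ /]" + V)),
    ("IE", re.compile(r"MSIE " + V)),
    ("Chrome", re.compile(r"Chrome/" + V)),
    ("Firefox", re.compile(r"Firefox/" + V)),
    ("Safari", re.compile(r"Version/" + V + r".* Safari/")),
]

def classify(ua):
    """Return the (family, version) a User-Agent claims; junk is 'unknown'."""
    if len(ua) <= MAX_UA_LEN:
        for family, pattern in RULES:
            match = pattern.search(ua)
            if match:
                return family, match.group(1)
    return "unknown", None

def record(conn, ua):
    """Store the header with bound parameters; it is never spliced into SQL."""
    family, version = classify(ua)
    conn.execute("INSERT INTO user_agents (raw, family, version) VALUES (?, ?, ?)",
                 (ua[:MAX_UA_LEN], family, version))
    return family, version

# Strings from the slide above (the injection string with an ASCII quote).
SAMPLES = [
    "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/19.0",
    "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14",
    "Mozilla/5.0 (Linux armv6l; Maemo; Opera Mobi/8; U; en-GB; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 11.00",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "None of your business.",
    "'; DELETE FROM user_agents;",
]

def run_samples():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_agents (raw TEXT, family TEXT, version TEXT)")
    results = [record(conn, ua) for ua in SAMPLES]
    stored = conn.execute("SELECT COUNT(*) FROM user_agents").fetchone()[0]
    return results, stored
```

The result is only what the client claims; anything that relies on it should be cross-checked against signals the client controls less easily.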
HTTP Header Order
Chrome 34 on a Macbook
Host: pgl.yoyo.org
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1801.3 Safari/537.36
Referer: https://www.google.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Firefox 5 on a Macbook
Host: pgl.yoyo.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Safari 7 on a Macbook
Host: pgl.yoyo.org
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11
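The three captures above send the same headers in different orders, which lets a server test whether the User-Agent claim fits the rest of the request. Added example (not from the original slides): the order table is copied from those captures, while the `OPTIONAL` set and both sample requests are constructed for illustration.

```python
# Header-name order per client, taken from the three captures above.
KNOWN_ORDERS = {
    "Chrome": ("host", "connection", "accept", "user-agent", "referer",
               "accept-encoding", "accept-language"),
    "Firefox": ("host", "user-agent", "accept", "accept-language",
                "accept-encoding", "connection"),
    "Safari": ("host", "accept", "accept-language", "connection",
               "accept-encoding", "user-agent"),
}
OPTIONAL = {"referer", "cookie"}  # assumption: sent only on some requests

def parse_headers(raw_request):
    """Return [(lower-cased name, value)] in wire order, request line skipped."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = (line.partition(":") for line in head.split("\r\n")[1:])
    return [(n.strip().lower(), v.strip()) for n, sep, v in pairs if sep]

def check_claim(raw_request):
    """Compare the browser named in User-Agent with the header order seen."""
    headers = parse_headers(raw_request)
    order = tuple(n for n, _ in headers if n not in OPTIONAL)
    ua = dict(headers).get("user-agent", "")
    # "Chrome" is tested first because Chrome UAs also contain "Safari/".
    claimed = next((c for c in KNOWN_ORDERS if c + "/" in ua), None)
    order_of = [c for c, known in KNOWN_ORDERS.items()
                if tuple(h for h in known if h not in OPTIONAL) == order]
    return {"claimed": claimed, "order_of": order_of,
            "consistent": claimed in order_of}

CHROME_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/34.0.1801.3 Safari/537.36")

def build(pairs):
    """Assemble a constructed GET request from (name, value) pairs."""
    lines = ["GET / HTTP/1.1"] + [f"{n}: {v}" for n, v in pairs]
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample 1: the Chrome capture above, headers in Chrome's order.
GENUINE = build([("Host", "pgl.yoyo.org"), ("Connection", "keep-alive"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"),
    ("User-Agent", CHROME_UA), ("Referer", "https://www.google.com/"),
    ("Accept-Encoding", "gzip,deflate,sdch"), ("Accept-Language", "en-US,en;q=0.8")])
# Constructed sample 2: the same Chrome User-Agent sent in Firefox's order.
MISMATCH = build([("Host", "pgl.yoyo.org"), ("User-Agent", CHROME_UA),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
    ("Accept-Language", "en-US,en;q=0.5"), ("Accept-Encoding", "gzip, deflate"),
    ("Connection", "keep-alive")])
```

The table holds only the three captures on this page, so a mismatch is a signal to weigh with others rather than proof; intermediaries can reorder headers.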
JavaScript
Good at detecting browser features and capabilities.
• Support multiple backgrounds?
• HTML5 canvas?
• Border radius?
• Box shadow?
• Available events?
• CSS properties recognized?
• CSS animations?
• DOM prefixes available?
SSL Ciphers
Client Handshake Packet
Chrome 34 on a Macbook
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-RC4128-SHA
ECDHE-RSA-RC4128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-AES256-SHA
RSA-AES128-GCM-SHA256
RSA-AES128-SHA
RSA-AES256-SHA
RSA-3DES-EDE-SHA
RSA-RC4128-SHA
RSA-RC4128-MD5
curl 7.30 on a Macbook
Firefox 5 on a Macbook
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-RC4128-SHA
ECDHE-ECDSA-3DES-EDE-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-RC4128-SHA
ECDHE-RSA-3DES-EDE-SHA
ECDH-ECDSA-AES256-SHA384
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES256-SHA384
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES256-SHA
ECDH-ECDSA-AES128-SHA
ECDH-ECDSA-RC4128-SHA
ECDH-ECDSA-3DES-EDE-SHA
ECDH-RSA-AES256-SHA
ECDH-RSA-AES128-SHA
ECDH-RSA-RC4128-SHA
ECDH-RSA-3DES-EDE-SHA
DH-RSA-MISTY1-SHA
DH-DSS-MISTY1-SHA
RSA-AES128-SHA
RSA-RC4128-SHA
RSA-RC4128-MD5
RSA-AES256-SHA
RSA-3DES-EDE-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-3DES-EDE-SHA
PSK-AES256-SHA
PSK-AES128-SHA
PSK-RC4128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
RSA-CAMELLIA256-SHA
RSA-AES256-SHA
ECDHE-ECDSA-RC4128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-RC4128-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
ECDH-RSA-RC4128-SHA
ECDH-RSA-AES128-SHA
ECDH-ECDSA-RC4128-SHA
ECDH-ECDSA-AES128-SHA
RSA-SEED-SHA
RSA-CAMELLIA128-SHA
RSA-RC4128-SHA
RSA-RC4128-MD5
RSA-AES128-SHA
ECDHE-ECDSA-3DES-EDE-SHA
ECDHE-RSA-3DES-EDE-SHA
DHE-RSA-3DES-EDE-SHA
DHE-DSS-3DES-EDE-SHA
ECDH-RSA-3DES-EDE-SHA
ECDH-ECDSA-3DES-EDE-SHA
RSA-FIPS-3DES-EDE-SHA
RSA-3DES-EDE-SHA
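The cipher lists above are read from the client's handshake packet (the TLS ClientHello), where the suites appear in the client's preference order. Added example (not from the original slides): a parser that extracts that ordered list from a raw record and hashes it. The ClientHello is constructed without extensions, the IDs are the IANA values for the first seven entries of the Chrome 34 list, and the hash format is an assumption of this example.

```python
import hashlib
import struct

# IANA cipher-suite IDs for the first seven entries of the Chrome 34 list
# above, written with the short names the slide uses.
NAMES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",
    0xC00A: "ECDHE-ECDSA-AES256-SHA",
    0xC009: "ECDHE-ECDSA-AES128-SHA",
    0xC013: "ECDHE-RSA-AES128-SHA",
    0xC014: "ECDHE-RSA-AES256-SHA",
}

def client_hello_ciphers(record):
    """Return cipher-suite IDs in the order the client offered them."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    # Skip handshake header (4), client_version (2), random (32), session_id.
    pos = 38 + 1 + body[38]
    suites_len = int.from_bytes(body[pos:pos + 2], "big")
    suites = body[pos + 2:pos + 2 + suites_len]
    if len(body) < pos + 2 or len(suites) != suites_len or suites_len % 2:
        raise ValueError("truncated or malformed cipher_suites")
    return [s[0] for s in struct.iter_unpack("!H", suites)]

def fingerprint(record):
    """Hash the ordered suite list; the same suites reordered hash differently."""
    ids = client_hello_ciphers(record)
    return hashlib.sha256(",".join(f"{i:04x}" for i in ids).encode()).hexdigest()[:16]

def build_client_hello(suite_ids):
    """Assemble a minimal constructed ClientHello (no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                      # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

SAMPLE = build_client_hello(list(NAMES))  # constructed input, Chrome's order
```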
So…
What they know: How they know it
Device location: IP address, HTTP headers
If you’re a return visitor: Cookie
When you last visited: Cookie
Browser version: HTTP headers, ciphers, JS
Browser plugins installed: HTTP headers
Plugins can gather additional system information: Depends on the plugin
Operating system version: HTTP headers, ciphers
Local timezone: JavaScript
Language settings: HTTP headers
Limited device specs: JavaScript
Resolution: JavaScript
Screen size: JavaScript
Color depth: JavaScript
Questions