USING BROWSER PROPERTIES FOR FINGERPRINTING
RALPH BROENINK

USER TRACKING

‘TRADITIONAL’ COOKIES
HTTP Cookies
HTML5 Local Storage
Flash Local Shared Objects

‘TRADITIONAL’ COOKIES
3u938s24
3u938s24

ISN’T THERE A NEW LAW AGAINST IT?
“Anyone who […] wants to save data in the peripherals of the user, is required to […] have obtained permission from the user.”
– article 11.7a, Telecommunicatiewet (translated)

HTTP HEADERS
name
version
language
character set

JAVASCRIPT
YEAH, BUT ...
screen resolution
operating system
timezone
font list + order

Host: www.letmetrackyou.org
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.18 (KHTML, like Gecko) Chrome/18.0.1010.1 Safari/535.18
Accept: text/html,application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en;q=0.8, en-US;q=0.6,nl;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

identical (consistent)?
unique?

ARE FINGERPRINTS UNIQUE?
Immediately unique fingerprints: 96%
Fingerprint shared with exactly one other: 2%
No unique fingerprint: 2%

ARE FINGERPRINTS UNIQUE?
>8.47 bits of entropy (of 8.95 possible)

ARE FINGERPRINTS CONSISTENT?
Browser version: 4.0.0, 5.0.1, 5.0.0, 4.0.1, 5.0.2, 4.1.0, 6.0.0, 4.0.2
Segoe UI
Arial Black
Calibri
Candara
Comic Sans MS
Consolas
Constantia
Corbel
Franklin Gothic Medium
Gabriola
Georgia
Palatino Linotype
Segoe Print
Trebuchet MS

ARE FINGERPRINTS CONSISTENT?
They are fairly consistent.
False negative: 5%
False positive: 8%
Positive match: 87%

MOBILE DEVICES
X-VF-ACR
X-Brand-ID

WHAT CAN YOU DO?
private browsing mode
Tor Browser

ANONYMOUS BROWSING DOES NOT EXIST
RALPH BROENINK

MORE THAN JUST FINGERPRINTS
#1 House S08E07
#2 Mythbusters
#3 porn
#4 Skyrim
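
The uniqueness slides above give a share of unique fingerprints and a number of entropy bits out of a possible maximum. The Python below is an added example, not code from the talk, that measures both over a set of observed visitors. It assumes the slide's figure is Shannon entropy with an upper bound of log2(N) for N visitors; the function names, the attribute selection and the sample data are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Attributes named on the slides: HTTP request headers plus JavaScript-visible properties.
ATTRIBUTES = ("User-Agent", "Accept-Language", "Accept-Charset",
              "screen", "timezone", "fonts")

def fingerprint(visitor):
    """Hash the attribute values in a fixed order. Font list order is kept,
    since the slides list "font list + order" as part of the signal."""
    parts = []
    for name in ATTRIBUTES:
        value = visitor.get(name, "")
        if isinstance(value, (list, tuple)):
            value = ",".join(value)
        parts.append(f"{name}={value}")
    return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()

def uniqueness_report(visitors):
    """Shannon entropy of the fingerprint distribution, its upper bound
    log2(N), and the share of visitors whose fingerprint nobody else has."""
    counts = Counter(fingerprint(v) for v in visitors)
    total = sum(counts.values())
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    unique = sum(1 for c in counts.values() if c == 1)
    return {"visitors": total, "entropy_bits": entropy,
            "max_bits": math.log2(total), "unique_share": unique / total}

# Constructed sample: header values follow the request shown on the slides,
# the screen, timezone and font values are invented for illustration.
BASE = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.18 "
                  "(KHTML, like Gecko) Chrome/18.0.1010.1 Safari/535.18",
    "Accept-Language": "en-GB,en;q=0.8,en-US;q=0.6,nl;q=0.4",
    "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.3",
    "screen": "1920x1080",
}
SAMPLE = [dict(BASE, timezone=tz, fonts=fonts) for tz, fonts in [
    (-60, ["Arial Black", "Calibri"]),
    (-60, ["Calibri", "Arial Black"]),   # same fonts, different order
    (-60, ["Arial Black", "Calibri"]),   # identical to the first visitor
    (0, ["Arial Black", "Calibri"]),
    (60, ["Georgia"]),
    (-120, ["Consolas", "Georgia"]),
    (300, ["Candara"]),
    (480, ["Corbel", "Gabriola"]),
]]

if __name__ == "__main__":
    print(uniqueness_report(SAMPLE))
```

Running the same report on a deployment's own request logs shows how many bits its visitors expose, and re-running it after dropping or normalising an attribute shows how much that attribute contributed.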