
Detecting and defeating browser spoofing

Posted: 2017-05-03
By Lachlan Kang

Today we'll be discussing how Browserprint uses machine learning and your fingerprint to guess what browser family your browser is from, and what operating system you're using. The motivation for guessing these properties is to see if we can defeat fingerprint spoofing, particularly user-agent string spoofing, as this is the simplest and most common form of spoofing. Because of this we ignored the user-agent string when guessing browser families and operating systems, except when otherwise specified. We find that our method of browser guessing provides accuracy much better than random guessing. In fact we'll show that we can detect the true browser and operating system of a browser that is spoofing these things around 76% of the time, and that we can guess the operating system and browser family of browsers in general approximately 90% of the time, all with a final training set of less than 1000 fingerprints (imagine what could be done with 10,000).

Continue reading ...

Finding independent clusters of fingerprint features

Posted: 2017-01-24
By Lachlan Kang

Today we'll examine how features of the fingerprint taken by Browserprint are related. Our goal is to see if there are any hidden relationships between features that we weren't aware of, to see if we can find clusters of features that are more or less independent of each other, and perhaps see if there are any redundancies that we could remove. To this end we're going to do clustering on fingerprint features using the amount of information they share as the distance metric. We'll start by presenting the results, then we'll discuss how we got them.

Continue reading ...

Revisiting HSTS supercookies

Posted: 2016-09-08
By Lachlan Kang

Supercookies are a class of techniques for storing data in your browser that tends to be difficult to remove and can be used to track you. Recently we've been exploring HSTS-based supercookies after an email tipped us off to their existence. Our interest in them stems from how they can be used to track and potentially deanonymise users of VPNs or Tor. HSTS is a browser feature that allows websites to specify that future visits to a domain should only ever be via HTTPS, never HTTP. This behaviour can be used to store a single bit of data per domain: whether HSTS was enabled for the domain or not.

Continue reading ...

Defences against fingerprinting

Posted: 2016-08-05
By Lachlan Kang

If you're on this website you probably have at least some idea of what browser fingerprinting is. Fingerprinting is a method of tracking you across the web that is much harder to defend against than previous techniques. Inter-domain tracking, the kind of tracking that involves following you between websites, is an invasion of your privacy; typically tracking is done to build a profile of your browsing habits that can then be sold and used to serve you ads. If you would have a problem with showing a stranger your Internet history, you should have a problem with tracking. In particular you should have a problem with browser-fingerprint-based tracking, which we refer to more succinctly as fingerprinting, since it's so difficult to disable.

There are several different ways to defend against fingerprinting, and each has its own positives and negatives. In this blog post we're going to discuss and compare each method.

Continue reading ...

User fingerprinting via CAPTCHAs

Posted: 2016-06-11
By Lachlan Kang

Important note: Almost all of this is currently theoretical and has not been implemented or trialled. We have absolutely no intention of adding these tests to the main fingerprinting suite of Browserprint. It's possible that in the future we may add some of these tests to the site as optional proof-of-concept tests for people to play around with, completely separate from the main fingerprinting suite. In that case we probably won't be recording results, and if we are, we will make it very clear.

The main reason for fingerprinting browsers is to track users. So why then do we focus on fingerprinting the computer and software of the user rather than the user themselves? If we can fingerprint the user instead of their browser we can track them even if they switch computers.

Continue reading ...