
How unique is your web browser?

Published: 21 July 2010

Abstract

    We investigate the degree to which modern web browsers are subject to "device fingerprinting" via the version and configuration information that they will transmit to websites upon request. We implemented one possible fingerprinting algorithm, and collected these fingerprints from a large sample of browsers that visited our test site, panopticlick.eff.org. We observe that the distribution of our fingerprint contains at least 18.1 bits of entropy, meaning that if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint. Among browsers that support Flash or Java, the situation is worse, with the average browser carrying at least 18.8 bits of identifying information. 94.2% of browsers with Flash or Java were unique in our sample.
    By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an "upgraded" version of a previously observed browser's fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%.
    We discuss what privacy threat browser fingerprinting poses in practice, and what countermeasures may be appropriate to prevent it. There is a tradeoff between protection against fingerprintability and certain kinds of debuggability, which in current browsers is weighted heavily against privacy. Paradoxically, anti-fingerprinting privacy technologies can be self-defeating if they are not used by a sufficient number of people; we show that some privacy measures currently fall victim to this paradox, but others do not.
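The measurements named in the abstract (bits of entropy, share of unique browsers, and the paradox of a rarely used privacy setting) can be reproduced on a small scale. The following is an added example, not code from the paper or from Panopticlick; the sample browsers, attribute names and function names are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample, not data from the study: one tuple per visiting browser,
# holding (user_agent, timezone, plugins) as reported to the site.
SAMPLE = (
    [("Firefox/3.6 Windows", "UTC-5", "flash,java")] * 4
    + [("Chrome/5 Mac", "UTC-8", "flash")] * 2
    + [("Firefox/3.6 Windows", "UTC+1", "flash,java,silverlight")]
    # A hardened browser that hides its plugins, but is the only one doing so.
    + [("Firefox/3.6 Windows", "UTC-5", "hidden")]
)

def surprisal_bits(value, observations):
    """Bits of identifying information revealed by observing `value`."""
    counts = Counter(observations)
    return -math.log2(counts[value] / len(observations))

def entropy_bits(observations):
    """Shannon entropy of the observed distribution (expected surprisal)."""
    total = len(observations)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(observations).values())

def unique_fraction(observations):
    """Share of browsers whose value appears exactly once in the sample."""
    counts = Counter(observations)
    return sum(1 for v in observations if counts[v] == 1) / len(observations)

def one_in_n(bits):
    """Anonymity-set size implied by `bits`: one browser in 2**bits shares it."""
    return 2 ** bits

if __name__ == "__main__":
    print(f"fingerprint entropy: {entropy_bits(SAMPLE):.2f} bits")
    print(f"unique browsers:     {unique_fraction(SAMPLE):.0%}")
    # Per-attribute entropy shows which reported value contributes most.
    for i, name in enumerate(("user_agent", "timezone", "plugins")):
        print(f"  {name:<10} {entropy_bits([fp[i] for fp in SAMPLE]):.2f} bits")
    # The hardened browser ends up more identifiable than the common one.
    for label, fp in (("common", SAMPLE[0]), ("hardened", SAMPLE[-1])):
        bits = surprisal_bits(fp, SAMPLE)
        print(f"{label}: {bits:.0f} bits, one in {one_in_n(bits):.0f}")
```

In this sample the browser that hides its plugin list carries 3 bits against 1 bit for the common configuration, because no other browser in the sample makes the same choice.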


    Published In

    PETS'10: Proceedings of the 10th international conference on Privacy enhancing technologies
    July 2010
    291 pages
    ISBN: 3642145264
    Editors: Mikhail J. Atallah, Nicholas J. Hopper

    Publisher

    Springer-Verlag

    Berlin, Heidelberg


    Qualifiers

    • Article
