Browser fingerprint

From HandWiki
Revision as of 18:25, 7 February 2021 by imported>Gametune (fixing)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Short description: Web browsing technology

Browser fingerprinting is a technique of identifying and tracking an individual computer by collecting data regarding the configuration of a user’s browser and system when they visit a website. The construction of a browser fingerprint can be done using different technologies, making it difficult to avoid across websites. Identification can be used for various purposes just like tracking by generating deleted cookies, to fraud prevention with the detection of bots on the internet. The measures to implement in order to counter this fingerprint can be quite complex, because the more a user uses different components to hide its identity, the more its browser becomes unique.

Definition

A fingerprint is some bits that identify a device[2]. Browser fingerprint is a fingerprint deduced by a third party when a user visits a site[3]. The entropy measure a fingerpint's uniquenes[4].

It's a stateless technique since it doesn't rely on information stored on the user's browser, like HTTP cookies[5]. It relies on browsers and system information[5], provided by the browser behavior[2].So, they are weak against change in browser configuration since they generally depend on it[6].

Usages

Fingerprinting are either used with good or bad intentions relative to the user[1]. However, it's never that Manichean and the border are thin since it depends only on the one using the fingerprint[7].

In the wild

Browser fingerprint is used in the wild[8][9][10]. In 2014, at least 5.5% of top 100,00 Alexa site use canvas fingerprint[11]. In 2013, at least 0.4% of top 10,000 Alexa site utilize scripts from one of this fingerprint provider : BlueCava, Iovation and ThreatMetrix[12]. Most of them are in "Pornography" and "Personnals/Dating" category, respectively 15% and 12.5%[12]. Less popular websites that use this companies' code are mainly categorized as : spam, malicious sites, adult/mature content, computers/internet, datings/personnals[13]. Companies provide their code to this "Spam" and "Malicious" site likely to increase their users database[13].

Fingerprinting is done either with website own scripts or third-party scripts[11][12]. Some third-party include fingerprint in their services, without the site being necessarily aware[11]. In this case, it's probably done to prevent click-fraud[12]. The first party can also ask companies fingerprinting[12]. Third parties may add the calculated fingerprint directly in the DOM, and so the website can use it[12]. Also, the fingerprint is sometimes hidden from the first-party, and the latter has to request directly the third-party for information[12].

Tracking

A fingerprinting with enough high entropy makes a user unique among others[14]. It's used by companies for tracking users and learn their interests[15]. The main purpose is to provide targeted advertising[16].

Fingerprint are also used to regenerate deleted cookies[17], or relink old cookies[14][17].

Malicious intentions

Malicious sites and spaming site use fingerprint[13]. With it, they do phising, snatch user's data and device's vulnerabilities[13]. These data are sometimes used to subscribe users to paid services[13]. With devices vulnerabilities, malware can do targeted exploits[18]. With that, attackers hide attacks that are not effective for the targeted machine[19]. And so, hide their attack potential[19].

Augmented authentification

Fingerprint is a convenient method for augmented authentification as it doesn't require user interaction[20]. Sites use this method to know if a paid account is used by a single user, or that it's not hacked[12]. It's especially true for sites that contain private and important user's pieces of information [13]. Also, it's used to verify that several accounts do not come from the same computer[12]. This is problematic on dating sites, where people may want to manipulate other users[12].

Protection techniques

Extensions

Extensions exists against tracking, and are based on a set of rules[21]. These rulesets are maintained publicly by a community or privatly by a company[21]. Example of well-known community ruleset is EasyList, used by ADBlock Plus[21]. Ghostery, Disconnect and Blur are handled by companies[21]. Also, a ruleset can be learned by algorithms, e.g. EFF's Privacy Badger[21]. In 2017, these extensions don't incorporate rules against known fingerprinting methods[22]. For all that, it's up to researcher and rule sets' maintainers to incorpore rules against founded fingerprinting techniques, making these extensions more useful against them[23].

Extension that spoof user agent claim to help masking a browser[24]. In effect, studied ones are easily bypassed through Javascript methods[25]. Also, the mismatch between user-agent and real browser information add information in fingerprint[25]. By using extensions, even privacy oriented, users make their browser more differentiable from those who do not have these extensions[25]. In some contexts (depending on browser, website visited ...) there are more fingerprinting invocations with browser extensions[22]. On mobile, the extension Mother of all AD-BLOCKING is proved to block ThreatMetrix, a fingerprint service used in android applications[22].

Browser-based protections

The different browsers family are more or less fingerprintable[26]. Based on 6 fingerprint attributes (Fonts, Device ID, Canvas, WebGL Renderer and Local IP), Edge is the more easily fingerprintable, then follow ex aequo Firefox and Chrome, then Internet Explorer and finally Safari[27]. On mobile, with this same attributes, Chrome and Opera Mini are ex aequo with the highest fingerprintability, then its Firefox, Edge and Safari[28].This is measured without changing the default browsers parameters[29].

It's also possible to reduce fingerprintability of a browser directly in its code[30]. Some browsers attributes are randomized, i.e. screen width[31]. Like that, between sites visit, the browser can't be easily tracked because it will not have the same attributes in its fingerprint[31]. PriVaricator, developed by Nikiforakis et al., randomize plugins list and fonts, but can be expanded[31]. With different parameter combinations, it succeed in obtaining 96.32% unique fingerprint obtained on BlueCanva's fingerprint script, 78.36% for fingerprintingjs library and 37.83% for PetPortal[32]. This protection technique is useful for fingerprint based on browser's environment, but not for other method like benchmarking[33].

Proposed ideas

There are unexpected privacy problems from data exposed on websites due to web standards and APIs implementation and their deep integration with the device. Research and engineers help by explaining the risk of these APIs and their effects on user privacy[34]. In 2017, Starov proposes two countermeasures on encapsulation and namespace in order to hide browser extensions or confuse tracking about them[35]. Also, according to the results about flash presence on browser, the best coutermeasure about this technique is to disable fash itself[19]. On the detection level, it exists several architectures to observe drive-by download, such as low-interaction honeypots, high-interaction honeypots and honeyclients[19].

In another point of view, the browser vendors should take their predispositions to hide the browser nature given the complexity for fingerprinting techniques and different data collected. But it is hard to say if vendors agree to hide the nature of the browsers they produce[8]. They also should make a decision on a set of APIs tolerated on the web applications[19].

Also in an ideal context, novel research would create blocking rules against detecting stateless fingerprinter.[23]

Techniques

This techniques are used to add bits of information to a fingerprint, making it more unique[36]. For that, they observe the browser behavior and responses, with or without intervention[2].

Graphics rendering

CSS

Main page: Cascading Style Sheets

CSS properties are not always homogeneously supported by browsers[37]. It's used to differentiate their family, even their versions[37]. For example, the CSS property grid is not supported on Internet Explorer 11 and Firefox 51 but fully on Firefox 72 and Opera 64, as see on CanIUse site.

CSS Media query Operating System theme
-moz-windows-default-theme Windows default theme
-moz-mac-graphite-theme Mac OS Graphite theme
-moz-windows-compositor Desktop window manager enabled

Also, CSS Media queries can give informations about operating system, like the OS theme[38]. They can give more informations, such as screen-size (device-height and device-width), screen orientation (as portrait or landscape) and the ratio of pixel’s device[39]. Part of installed fonts on user's device are revealed by the @font-face specification[40]. A property is implemented by a browser if it can be called through Javascript[37]. Also, a site can set CSS properties to ask their values to an URL[41]. The server behind the URL know that the user's browser can interpret the property if it's requested[41].

cursor : url("server.php?property=cursor") ; 

With several properties, "server.php" can know which properties are implemented in the user's browser[42].

The CSS selector :visited reveal part of user's history[43]. Fingerprinter choose set of sites and see if the user have visited them or not[43]. With a set of at least 50 top popular website, user's history profile are mostly unique[44]. This work as well on mobile as on desktop[44]. These unique profiles tend to stay the same over time[45]. In addition to fingerprint a user, this leak a user's interests[46]. On modern browser this method is fixed, but it remains possible on older browsers that still exists on the Web[46].

Javascript

Main pages: JavaScript and Font family (HTML)

JavaScript objects, like the navigator and screen objects, are used in fingerprinting[13]. For one thing, the browser's way to enumerate an object property is browser brand and version specific, it can even leak the operating system[47]. Since browsers add new features when releasing a new version, it's a way to determine precisely a browser version by testing if these added features exist[48]. Also, the different browsers families have their vendor-prefixed properties, like screen.mozBrightness for Mozilla Firefox[47]. Furthermore, the possibility in manipulating an object is specific to browsers family too, e.g. :

Browser family Property deletion (of navigator object) Reassignation (of navigator/screen object)
Google Chrome allowed allowed
Mozzila Firefox ignored ignored
Opera allowed allowed
Internet Explorer ignored ignored

Browsers don't implement the same parts of the Javascript ECMAScript standards, even between versions of the same browser[49]. With that, a fingerprinter provider can test in what extend a user's browser cover a standard and so can infer which browser and version are used[49]. It's proved to be an efficient method[50].

Javascript allow to check a letter bounding box[51]. On different browser, these bouding box differ for a letter of the same font, when rendered largely[51]. As these dimensions are also affected by antialiasing and hinting configuration, same browsers on same operating system can be distinguished[51]. When a letter is not found on the system, a "glyph not found" take the letter's place with a specific dimension[51]. It so reveal that the font is not installed on the system[51]. This methods is not the most effective fingerprint, but it remain effective on Tor browser[51].

Canvas and WebGL

Main pages: Canvas element and Software:WebGL

Canvas can display sentences with different fonts[52]. A sentence will be rendered based on a user's browser environment and hardware[53]. Depending on the rendering, it reveals the operating system and the browsers family[53]. More information can be deduced, like graphics card on the user's device and installed fonts[53]. Some companies use Canvas by combining different sentence and geometric figures in the Canvas element to reveal browser nature and operating system[54]. How the image is rendered by the user are obtain via the canvas method toDataURL(type)[55]. It provide a data URI containing a representation of the image, directly usable in a fingerprint[55]. An other way is with the getImageData() method that return list of canva's pixels[55].

In a canvas, WebGL can display 3D elements[55]. At a pixel level, this elements can be represented differently based on graphics card[53]. So the graphic card can be know[53]. WebGL attribute UNMASKED_RENDERER_WEBGL display the GPU information[56]. UNMASKED_VENDOR_WEBGL display the GPU vendor[56]. Indeed, it also leak GPU presence[56]. If there is no GPU, CPU information are displayed instead, leaking GPU precence[56].

Hardware

Benchmarking

On the hardware level, a method determines if the CPU uses AES-NI or Turbo Boost, based on benchmarking analysis[57]. By comparing the time of execution between cryptographic and simple operations, it is possible to identify the presence of AES-NI for cryptographic operation boosting[57]. In the Turbo Boost case, it is the Octane 2,0 Javascript benchmark that is used to detect this technology[57]. On a set of 341 tests, the AES-NI and Turbo boost technologies are found to be the most easier to detect in the CPU on the Chrome browser. Here is the accuracy of correct technology presence guessing in this set:[58]

Browser AES-NI presence Turbo Boost presence
Google Chrome 99.28% 84.78%
Mozzila Firefox 71.17% 82.88%
Internet Explorer 77% 55%

Device ID

Creation of device ID

Device ID is found with the WebRTC hardware ID attribute[59]. This ID is a cryptographic hash function applied on user's hardware component, along some other values[59]. Depending on the browser, this ID is consistent between visits to a website and so is used for fingerprint[59]. On Chrome it's very consistent as it's doesn't change unless specific actions of a user, like clearing the browser cache[27]. On Firefox, it changes when the browser is reoppened[27]. On edge, it changes between two visits to a website[27].

Others

With Battery Status API, fingerprinter can use the actual battery state of a device as a short-term fingerprint[60]. The API also provide the battery capacity, this information can add a bit in a fingerprint[61]. OscillatorNode produce an audio signal which is specific to a couple browser/operating system[62].

Protocols

Browsers choose the way they order HTTP header fields and their number[63]. So it's used to infer the browser family[63]. For example, Internet Explorer choose to order the UserAgent before the Host field, while Chrome do the opposite order[63].

In HTTP header, the user agent string provides basic information about the connected user[64]. For example, information directly about the system's hardware[17]. It can reveal a phone model[65].

Browser's add-ons

Since each user can enable and set add-ons on their browser, they probably have their own unique set of add-ons[66][67]. The list of installed add-ons on a browser is used to add a bit of information in a fingerprint[68]. Besides, add-ons can modify the way the browser act and its ressources, and render it even more unique[69].

Plugins

Fingerprinters providers use plugins to access user's device information, like installed systems drivers and computer's name[70]. They search for specific plugins that have been allowed by the user or downloaded together with an application and use them directly[70]. This is a powerful fingerprint[70]. As plugins are not often used by mobile browsers, these methods are not used on these devices[71].

Flash or Java plugins are mainly used to retrieve installed fonts on the user's system[72][73]. It's well known by fingerprinting companies[73].Flash give the sum of all user's width screen[74]. Compared with the width provided by the browser, which is the screen's width where the browser is opened, it reveals if the user has more than one monitor[74]. Flash is favored because it doesn't need the user consent[75].Java plugin provide directly some system informations[76]. Java is in general not used by fingerprinting service provider, certainly, because it's not used in the Web field[74]. Instead, in 2013, Flash is widely used, and despite it is vastly criticized and becoming obsolete, it remains enabled on much browsers[74]. On a browser who disable Flash by default, third party fingerprinters can still use it by making Flash important for the visited website[19].

Extensions

Extensions can modify a page, by either add new element, delete and/or change some[77]. Via this modification, extensions installed on the user's browser are revealed[78]. Modifications are done on the DOM but can also be on the BOM[78]. XHOUND, developed by Starov et al., use this method by detecting DOM alterations[79]. It show that in 2017 16.6% of the top 10,000 popular Chrome's extensions are detectable on at least one of the 50 top popular site[78]. It rise to 23% with the top 1000 popular Chrome's extensions[78]. These percentages tend to decrease with extensions popularity[78] and are stable through months[80]. An other method for listing extension ask a browser an extension's ressource[81]. Most browsers will see if the concerned extension is installed. If it is, they then check if the extension is allowed to provide the resource[81]. The browser will respond more rapidly if the extension is not installed[81]. The particularity of extensions listing is that they can reveal a person's interest[82][83]. Extensions based fingerprint are possibly used on mobile since many popular mobile browser have extensions[71].

Sometimes, extensions that claim to protect the user instead do the contrary, it's the case when they spoof a user agent string[25]. As they modify the user agent, the information will not be consistent with real information provided by the browser.[25] These differences can be added to a fingerprint and reveal some extension's presence[25].

HTML

Browsers have their own HTML parser[2]. They can choose to implement new HTML5 features at their own rhythm[63]. It is used to discover the browser family depending on which features are effectivly implement on the user's browser[63].

Each browser can have specific behaviour when parsing HTML[84]. These specific behaviors, or "HTML parser quirks"[2], can be tested and resumed in a browser's signature[84]. With many browser's signatures, an unknown browser family and version is deduced by comparing its signature with the collected ones[85]. The comparison is done with a Hamming distance or with machine learning[85]. Hamming distance method determine the exact browser version with likely 71% of accuracy[86].

History

The first large scale study on this subject, done by Eckersley et al. in 2010, show that user's browsers features can be used to assign it a unique fingerprint[3].Then, Nikiforakis et al. in 2010, demonstrate novel techniques and analyze companies' code to show how browser fingerprinting is used in the wild[87].

New technique are then showed, like Mowery et al. who use in 2011 Javascript in their study[88]. In 2012, the Canvas element is introduced by Mowery and Shacham as a way to fingerprint[89]. Also in 2012, Olejnik et al. show that a user's history is fingerprintable[90].

Some studies show fingerprint usage on the internet, as Acar et al. in 2013 with FPDetective[91]. Also, Acar et al. in 2014 show usage of canvas fingerprinting in the web[92]. Englehardt and Narayanan measured at a very large scale usage of tracking, included fingerprinting[93].

See also

References

  1. 1.0 1.1 (Laperdrix 2016)
  2. 2.0 2.1 2.2 2.3 2.4 ( Abgrall 2012)
  3. 3.0 3.1 (Eckersley 2010)
  4. (Eckersley 2010)
  5. 5.0 5.1 (Merzdovnik 2017)
  6. (Eckersley 2010)
  7. (Nikiforakis 2013)
  8. 8.0 8.1 (Nikiforakis 2013)
  9. (Acar 2013)
  10. (Acar 2014)
  11. 11.0 11.1 11.2 (Acar 2014)
  12. 12.0 12.1 12.2 12.3 12.4 12.5 12.6 12.7 12.8 12.9 (Nikiforakis 2013)
  13. 13.0 13.1 13.2 13.3 13.4 13.5 13.6 (Nikiforakis 2013)
  14. 14.0 14.1 (Eckersley 2010)
  15. (Acar 2013)
  16. (Nikiforakis 2015)
  17. 17.0 17.1 17.2 (Kaur 2017)
  18. (Abgrall 2012)
  19. 19.0 19.1 19.2 19.3 19.4 19.5 (Nikiforakis 2013)
  20. (Alaca 2016)
  21. 21.0 21.1 21.2 21.3 21.4 (Merzdovnik 2017)
  22. 22.0 22.1 22.2 (Merzdovnik 2017)
  23. 23.0 23.1 (Merzdovnik 2017)
  24. (Yen 2012)
  25. 25.0 25.1 25.2 25.3 25.4 25.5 (Nikiforakis 2013)
  26. (Al-Fannah 2017)
  27. 27.0 27.1 27.2 27.3 (Al-Fannah 2017)
  28. (Al-Fannah 2017)
  29. (Al-Fannah 2017)
  30. (Nikiforakis 2015)
  31. 31.0 31.1 31.2 (Nikiforakis 2015)
  32. (Nikiforakis 2015)
  33. (Nikiforakis 2015)
  34. (Olejnik 2016)
  35. (Starov 2017)
  36. (Eckersley 2010)
  37. 37.0 37.1 37.2 (Unger 2013)
  38. (Taei 2016)
  39. (Takei 2015)
  40. (Takei 2015)
  41. 41.0 41.1 (Takei 2016)
  42. (Takei 2016)
  43. 43.0 43.1 (Olejnik 2012)
  44. 44.0 44.1 (Olejnik 2012)
  45. (Olejnik 2012)
  46. 46.0 46.1 (Olejnik 2012)
  47. 47.0 47.1 (Nikiforakis 2013)
  48. (Nikiforakis 2013)
  49. 49.0 49.1 (Mulazzani 2013)
  50. (Mulazzani 2013)
  51. 51.0 51.1 51.2 51.3 51.4 51.5 (Fifield 2015)
  52. (Mowery 2012)
  53. 53.0 53.1 53.2 53.3 53.4 (Mowery 2012)
  54. (Acar 2014)
  55. 55.0 55.1 55.2 55.3 (Mowery 2012)
  56. 56.0 56.1 56.2 56.3 (Al-Fannah 2017)
  57. 57.0 57.1 57.2 (Saito 2016)
  58. (Saito 2016)
  59. 59.0 59.1 59.2 (Al-Fannah 2017)
  60. (Olejnik 2016)
  61. (Olejnik 2016)
  62. (Englehardt 2016)
  63. 63.0 63.1 63.2 63.3 63.4 (Unger 2013)
  64. (Fiore 2014)
  65. (Al-Fannah 2017)
  66. (Starov 2017)
  67. (Sanchez-Rola 2017)
  68. (Acar 2013)
  69. (Kaur 2017)
  70. 70.0 70.1 70.2 (Nikiforakis 2013)
  71. 71.0 71.1 (Starov 2017)
  72. (Fiore 2014)
  73. 73.0 73.1 (Nikiforakis 2013)
  74. 74.0 74.1 74.2 74.3 (Nikiforakis 2013)
  75. (Fiore 2014)
  76. (Kaur 2017)
  77. (Starov 2017)
  78. 78.0 78.1 78.2 78.3 78.4 (Starov 2017)
  79. (Starov 2017)
  80. (Starov 2017)
  81. 81.0 81.1 81.2 (Sanchez-Rola 2017)
  82. (Starov 2017)
  83. (Sanchez-Rola 2017)
  84. 84.0 84.1 (Abgrall 2012)
  85. 85.0 85.1 (Abgrall 2012)
  86. (Abgrall 2012)
  87. (Nikiforakis 2010)
  88. (Mowery 2011)
  89. (Mowery 2012)
  90. (Olejnik 2012)
  91. (Acar 2013)
  92. (Acar 2014)
  93. (Englehardt 2016)

Bibliography

Abgrall, Erwan; Traon, Yves Le; Monperrus, Martin; Gombault, Sylvain; Heiderich, Mario; Ribault, Alain (2012-11-20). XSS-FP: Browser Fingerprinting using HTML Parser Quirks. Abgrall2012. 

Acar, Gunes; Juarez, Marc; Nikiforakis, Nick; Diaz, Claudia; Gürses, Seda; Piessens, Frank; Preneel, Bart (2013). "FPDetective: Dusting the Web for Fingerprinters". Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. New York, NY, USA: ACM. pp. 1129–1140. doi:10.1145/2508859.2516674. Acar2013. ISBN 978-1-4503-2477-9. 

Acar, Gunes; Eubank, Christian; Englehardt, Steven; Juarez, Marc; Narayanan, Arvind; Diaz, Claudia (2014). "The Web Never Forgets: Persistent Tracking Mechanisms in the Wild". Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security - CCS '14. the 2014 ACM SIGSAC Conference. Scottsdale, Arizona, USA: ACM Press. pp. 674–689. doi:10.1145/2660267.2660347. Acar2014. ISBN 978-1-4503-2957-6. http://dl.acm.org/citation.cfm?doid=2660267.2660347. 

Al-Fannah, Nasser Mohammed; Li, Wanpeng (2017). "Not All Browsers are Created Equal: Comparing Web Browser Fingerprintability". in Satoshi Obana, Koji Chida (eds.). Advances in Information and Computer Security. Springer International Publishing. pp. 105–120. Al-Fannah2017. ISBN 978-3-319-64200-0. 

Alaca, Furkan; van Oorschot, P. C. (2016). "Device Fingerprinting for Augmenting Web Authentication: Classification and Analysis of Methods". Proceedings of the 32Nd Annual Conference on Computer Security Applications. New York, NY, USA: ACM. pp. 289–301. doi:10.1145/2991079.2991091. Alaca2016. ISBN 978-1-4503-4771-6. http://doi.acm.org/10.1145/2991079.2991091. 

Eckersley, Peter (2010). "How Unique Is Your Web Browser?". in Mikhail J. Atallah, Nicholas J. Hopper (eds.). Privacy Enhancing Technologies. Springer Berlin Heidelberg. pp. 1–18. Eckersley2010. ISBN 978-3-642-14527-8. 

Englehardt, Steven; Narayanan, Arvind (2016). "Online Tracking: A 1-million-site Measurement and Analysis". Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: ACM. pp. 1388–1401. doi:10.1145/2976749.2978313. Englehardt2016. ISBN 978-1-4503-4139-4. http://doi.acm.org/10.1145/2976749.2978313. 

Fifield, David; Egelman, Serge (2015). "Fingerprinting Web Users Through Font Metrics". in Rainer Böhme, Tatsuaki Okamoto (eds.). Financial Cryptography and Data Security. Berlin, Heidelberg: Springer. pp. 107–124. doi:10.1007/978-3-662-47854-7_7. Fifield2015. ISBN 978-3-662-47854-7. 

Fiore, Ugo; Castiglione, Aniello; Santis, Alfredo De; Palmieri, Francesco (September 2014). "Countering Browser Fingerprinting Techniques: Constructing a Fake Profile with Google Chrome". 2014 17th International Conference on Network-Based Information Systems. 2014 17th International Conference on Network-Based Information Systems. pp. 355–360. doi:10.1109/NBiS.2014.102. Fiore2014. 

Gómez-Boix, Alejandro; Laperdrix, Pierre; Baudry, Benoit (2018). "Hiding in the Crowd: An Analysis of the Effectiveness of Browser Fingerprinting at Large Scale". Proceedings of the 2018 World Wide Web Conference. Republic and Canton of Geneva, Switzerland: International World Wide Web Conferences Steering Committee. pp. 309–318. doi:10.1145/3178876.3186097. Gómez-Boix2018. ISBN 978-1-4503-5639-8. 

Kaur, Navpreet; Azam, Sami; Kannoorpatti, Krishnan; Yeo, Kheng Cher; Shanmugam, Bharanidharan (2017). "Browser Fingerprinting as user tracking technology". 2017 11th International Conference on Intelligent Systems and Control (ISCO). Kaur2017. 

Laperdrix, P.; Rudametkin, W.; Baudry, B. (May 2016). "Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints". 2016 IEEE Symposium on Security and Privacy (SP). pp. 878–894. doi:10.1109/SP.2016.57. Laperdrix2016. 

Merzdovnik, Georg; Huber, Markus; Buhov, Damjan; Nikiforakis, Nick; Neuner, Sebastian; Schmiedecker, Martin; Weippl, Edgar (April 2017). "Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools". 2017 IEEE European Symposium on Security and Privacy (EuroS P). 2017 IEEE European Symposium on Security and Privacy (EuroS P). pp. 319–333. doi:10.1109/EuroSP.2017.26. Merzdovnik2017. 

Mowery, Keaton; Bogenreif, Dillon; Yilek, Scott; Shacham, Hovav (2011). Fingerprinting Information in JavaScript Implementations. pp. 11. Mowery2011. 

Mowery, Keaton; Shacham, Hovav (2012). Pixel Perfect: Fingerprinting Canvas in HTML5. pp. 12. Mowery2012. 

Mulazzani, Martin; Reschl, Philipp; Huber, Markus; Leithner, Manuel; Schrittwieser, Sebastian; Weippl, Edgar (2013). Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting. IEEE-Security. Mulazzani2013. 

Nikiforakis, Nick; Kapravelos, Alexandros; Wouter, Joosen; Kruegel, Christopher; Piessens, Frank; Vigna, Giovanni (2013). Cookieless Monster:Exploring the Ecosystem of Web-based Device Fingerprinting. Nikiforakis2013. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6547132. 

Nikiforakis, Nick; Joosen, Wouter; Livshits, Benjamin (2015). "PriVaricator: Deceiving Fingerprinters with Little White Lies". Proceedings of the 24th International Conference on World Wide Web. Republic and Canton of Geneva, Switzerland: International World Wide Web Conferences Steering Committee. pp. 820–830. doi:10.1145/2736277.2741090. Nikiforakis2015. ISBN 978-1-4503-3469-3. 

Olejnik, Lukasz; Castelluccia, Claude; Janc, Artur (2012-07-13). Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns. Olejnik2012. https://hal.inria.fr/hal-00747841. 

Olejnik, Łukasz; Acar, Gunes; Castelluccia, Claude; Diaz, Claudia (2016). "The Leaking Battery". in Joaquin Garcia-Alfaro, Guillermo Navarro-Arribas, Alessandro Aldini, Fabio Martinelli, Neeraj Suri (eds.). Data Privacy Management, and Security Assurance. Cham: Springer International Publishing. pp. 254–263. doi:10.1007/978-3-319-29883-2_18. Olejnik2016. ISBN 978-3-319-29883-2. 

Saito, Takamichi; Yasuda, Koki; Ishikawa, Takayuki; Hosoi, Rio; Takahashi, Kazushi; Chen, Yongyan; Zalasiński, Marcin (July 2016). "Estimating CPU Features by Browser Fingerprinting". 2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS). 2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS). pp. 587–592. doi:10.1109/IMIS.2016.108. Saito2016. 

Sanchez-Rola, Iskander; Santos, Igor; Balzarotti, Davide (2017). "Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies". 26th {USENIX} Security Symposium ({USENIX} Security 17). pp. 679–694. Sanchez-Rola2017. ISBN 978-1-931971-40-9. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/sanchez-rola. 

Sjösten, Alexander; Van Acker, Steven; Sabelfeld, Andrei (2017). "Discovering Browser Extensions via Webible Resources". Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy. New York, NY, USA: ACM. pp. 329–336. doi:10.1145/3029806.3029820. Sjösten2017. ISBN 978-1-4503-4523-1. 

Starov, Oleksii; Nikiforakis, Nick (May 2017). "XHOUND: Quantifying the Fingerprintability of Browser Extensions". 2017 IEEE Symposium on Security and Privacy (SP). 2017 IEEE Symposium on Security and Privacy (SP). pp. 941–956. doi:10.1109/SP.2017.18. Starov2017. 

Takei, Naoki; Saito, Takamichi; Takasu, Ko; Yamada, Tomotaka (2015). "Web Browser Fingerprinting Using Only Cascading Style Sheets". 2015 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA). 2015 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA). pp. 57–63. doi:10.1109/BWCCA.2015.105. Takei2015. 

Unger, Thomas; Mulazzani, Martin; Frühwirt, Dominik; Huber, Markus; Schrittwieser, Sebastian; Weippl, Edgar (September 2013). "SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting". 2013 International Conference on Availability, Reliability and Security. 2013 International Conference on Availability, Reliability and Security. pp. 255–261. doi:10.1109/ARES.2013.33. Unger2013. 

Upathilake, R.; Li, Y.; Matrawy, A. (2015). "A classification of web browser fingerprinting techniques". 2015 7th International Conference on New Technologies, Mobility and Security (NTMS). Upathilake2015. 

Yen, Ting-Fang; Xie, Yinglian; Yu, Fang; Yu, Roger Peng; Abadi, Martın (2012). Host Fingerprinting and Tracking on the Web: Privacy and Security Implications. pp. 16. Yen2012. 

External links