Fingerprinting Methods Identify Users Across Different Browsers On the Same PC

An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.

The DOM model strikes again

[Anonymous Coward]

Someone tell me why a browser needs to tell this stuff to the Internet?

Why isn't Mozilla doing more?!

[Anonymous Coward]

What I always wonder is why Mozilla isn't doing more to protect user privacy. This is one thing that could really differentiate them from Chrome and other browsers.

I always hear from Mozilla supporters that Firefox is already "the best" when it comes to this. But the summary claims that Firefox is affected by these methods.

Then there are problems like how Firefox includes "telemetry" support that can be disabled, but it can't be easily removed completely. This should be opt-in, in the sense of the functiona

Re:

[buswolley]

Its a good point. Make them earn the white hat mug. https://society6.com/product/w... [society6.com]

Re:

[chefmonkey]

What's interesting about a lot of these fingerprinting metrics is that they aren't the result of just asking something like "navigator.getCoreCount()" -- these are sophisticated techniques that run very carefully crafted bits of code, and then measure the time certain operations take in order to deduce the number of effective cores. There's really no way to "lie" other than to intentionally be slow.

Re: Why isn't Mozilla doing more?!

[TheOuterLinux]

I think Fitefox doesn't feel the need to do more to prevent tracking because of Tor Browser project already exists. Plus, placing blockers inside their software by default slows them down just enough to affect the Firefox vs. Chrome speed war each year. And, they may use that data themselves for the Browser Health Report that's turned on by default. If anyone is interested in browser privacy, I have a few links on my website: http://theouterlinux.com/priva... [theouterlinux.com] There's other cool stuff there too.

Re:

[Anonymous Coward]

I think we're going to see a redux of "flash exploits" via webGL/HTML5

This is what browser vendors should be doing:
1) Initializing WebGL in "sandbox" mode (eg reports that WebGL functionality exists, but does not allow WebGL content until clicked first, basically whatever script first queries WebGL is paused until the user initiates it.) This would also save enormous battery life. "This site would like to run WebGL content (animations or games)", which then white lists the site.
2) Same with Video cameras, M

Re:

[TheRaven64]

I'm wondering why Edge isn't. Not only would more privacy features be a good differentiator, anything that makes ads less effective would harm Google, which seems like it would be in Microsoft's best interests.

Re:

[chefmonkey]

Mozilla is; there's just not much marketing around it.

To be clear, the level of de-featuring you're asking for makes for pretty good privacy, but a shitty modern browser. However, Mozilla is strongly committed to the prospect that the trade-off between features and privacy should remain in users' hands, which is why we work very closely with the Tor project to produce a browser that does exactly what you're proposing. The reason Firefox doesn't do this out of the box is that a browser that has been de-featu

Re:

[Tablizer]

DOM = DUM

Re:

[sexconker]

What benefit does using a HOSTS file have over using a plugin to block JS/tracking shit/ads/etc?
Is the HOSTS file more dependable? Is the HOSTS file faster?

Re:What sites??

[0100010001010011]

Someone that has advanced personal knowledge of this should definitely chime in about the glories of the HOSTS file over all other options.

Re:

[0100010001010011]

Which is why I have a whole house DNS server [freenas.org] that redirects to a catchall Nginx server that returns a 204. [httpstatuses.com]

Re:

[sexconker]

woosh

Re:

[allo]

nope, you should not.

0.0.0.0 means "use a random* ip of the system".
Your should either use 127.0.0.1 (and make sure NOT to run a webserver on your host) or some unroutable ip.

* depending on the order of network interfaces.

Re:

[allo]

Nope. Just open two terminals:

$ nc -vlp 2000 #first terminal
$ nc 0.0.0.0 2000 # second terminal

listening on [any] 2000 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 47888

Price of you vacation

[Bender Unit 22]

So it will be easier for the travel industry to keep track of you and keep the prices up for the places you have been looking at information for, even when you try to use different browsers, ip adresses etc?

Re:

[voxel]

Technically yes. You could even browse with Internet Explorer as usual, then connect a VPN and switch to Icognito mode in Google Chrome and they still know who you are.

VirtualBox

[Anonymous Coward]

I guess now we need a bunch of VMs with different distros on them or something. This is really getting tiring.

Btw, I bet javascript was used to pull all these variables somehow.

Re:

[mlts]

I've been browsing in a VM for a while. This not just limits browser fingerprinting, but also what damage malicious software can do.

Re:VirtualBox

[techno-vampire]

Using multiple VMs with different distros won't help a bit here, because when you come right down to it, they're all using the same hardware, and that's what this is exploiting. Now, if you had multiple graphics cards and let different distros use different cards, that might throw them off.

Re:

[Lyle Kroll]

Yup. Viva la Virtualbox. :)

Re:

[The-Ixian]

Unplug your computer from the Internet...

I really think that is the only way.

But then you still have all the public surveillance, credit cards, wifi, cell towers and who knows what else tracking you.... so.... good luck.

Re:

[AHuxley]

Some kind of VM with one browser in it and a good VPN on a router?

Time for counter-measures

[davidwr]

Browsers should present a "generic" capabilities list to web sites unless the user white-lists that site to receive some or all of the "real" capabilities. An online video-gaming site may need to know if I can play a GPU-intensive online game through the web browser, but very few other sites need to know.

For example, "generic capabilities" would be:

Screen size would be "small" for tablets, phones, and small notebooks, or "normal" for everything else. Pixel density would not be disclosed.
"List of fonts" would be the most common "web fonts" in the main language of the operating system.
As for the rest, they would be shown as "not disclosed."

You're far too generous

[bsdasym]

The game site does not need to know what your capabilities are. If you try to run it, and it doesn't work, you don't try again. It doesn't need to know *any* of the fonts or even font-families you have installed, it just needs to do what the web has always done; Present a list of fonts the site designer would like the browser to use, if they are available and the user allows it. No site needs to know even the simple small/med/large screen size, as that can all be (and usually is) handled entirely within the browser via CSS.

Give them even less info than you propose and it'll still be too much, generally speaking.

Re:

[tepples]

Then the browser could lie to sites that want to use WebGL, telling them "My device's GPU is no more powerful than that of the original PlayStation from 1995" until the user has opted into full-featured WebGL for that domain.

Re:

[hcs_$reboot]

Screen size would be "small" for tablets, phones, and small notebooks, or "normal" for everything else.

Important information for the web site and CSS is the viewport size, i.e. the size of the browser window usable by the site scripts. The screen size itself should not be disclosed.

Re:

[tepples]

Given the "all maximized all the time" window management policy of popular web browsing environments, the viewport size is a very good predictor of screen size. In fact, exact viewport size might even help with fingerprinting because different system fonts may cause the the notification bar to be larger or smaller.

Not interesting

[Kergan]

Wake me up when we're able to fingerprint the same user across different devices. *That* will be freaky - and, admittedly, will interest me as a marketer.

Re:

[Anonymous Coward]

>as a marketer.

Well there's yer problem. As a marketer you have limited capacity to understand humans.

Multi-PC means affluent ergo more valuable

[tepples]

You can have multiple individuals using the same PC.

I'm aware that multihead is possible with multiple graphics cards on an X11/Linux box.. But I thought home versions of Windows, the most popular operating system for desktop and laptop computers in the industrialized English-speaking world and therefore probably the most interesting to the marketing industry, were locked down to support only one desktop session at once.

Or perhaps you meant one at a time. Previous comments such as this one [slashdot.org] seem to indicate that multi-PC households are more common than family

Javascript

[floodo1]

The VAST majority of fingerprinting and most of the useful stuff relies on whoever is doing the fingerprinting running their javascript in your browser (client). Using something like NoScript to block javascript by default and limiting what you allow is quite effective at fighting fingerprinting.

Definitely not a magic bullet but it's super helpful for this and lots of other web annoyances.
Plus, you get to learn just how much useless javascript most sites want you to run (3rd party that has no impact on

Protect your firefox

[allo]

Have a look at ffprofile.com to generate a secured profile. Look at the github page to extend the site for more un-features.