Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy The Internet Communications Network Networking Security United States Technology

Fingerprinting Methods Identify Users Across Different Browsers On the Same PC (bleepingcomputer.com) 88

An anonymous reader quotes a report from BleepingComputer: A team of researchers from universities across the U.S. has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine. Named "cross-browser fingerprinting" (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting. These new techniques rely on making browsers carry out operations that use the underlying hardware components to process the desired data. For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. This is because the GPU card is the one carrying out this operation and not the browser software. According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations: [Screen Resolution, Number of CPU Virtual Cores, AudioContext, List of Fonts, Line, Curve, and Anti-Aliasing, Vertex Shader, Fragment Shader, Transparency via Alpha Channel, Installed Writing Scripts (Languages), Modeling and Multiple Models, Lighting and Shadow Mapping, Camera and Clipping Planes.] Researchers used all these techniques together to test how many users they would be able to pin to the same computer. For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut. Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Previous research methods achieved only a 90.84% result.
This discussion has been archived. No new comments can be posted.

Fingerprinting Methods Identify Users Across Different Browsers On the Same PC

Comments Filter:
  • by Anonymous Coward

    Someone tell me why a browser needs to tell this stuff to the Internet?

    • by Anonymous Coward

      What I always wonder is why Mozilla isn't doing more to protect user privacy. This is one thing that could really differentiate them from Chrome and other browsers.

      I always hear from Mozilla supporters that Firefox is already "the best" when it comes to this. But the summary claims that Firefox is affected by these methods.

      Then there are problems like how Firefox includes "telemetry" support that can be disabled, but it can't be easily removed completely. This should be opt-in, in the sense of the functiona

      • Its a good point. Make them earn the white hat mug. https://society6.com/product/w... [society6.com]

      • I think Fitefox doesn't feel the need to do more to prevent tracking because of Tor Browser project already exists. Plus, placing blockers inside their software by default slows them down just enough to affect the Firefox vs. Chrome speed war each year. And, they may use that data themselves for the Browser Health Report that's turned on by default. If anyone is interested in browser privacy, I have a few links on my website: http://theouterlinux.com/priva... [theouterlinux.com] There's other cool stuff there too.
      • by Anonymous Coward

        I think we're going to see a redux of "flash exploits" via webGL/HTML5

        This is what browser vendors should be doing:
        1) Initializing WebGL in "sandbox" mode (eg reports that WebGL functionality exists, but does not allow WebGL content until clicked first, basically whatever script first queries WebGL is paused until the user initiates it.) This would also save enormous battery life. "This site would like to run WebGL content (animations or games)", which then white lists the site.
        2) Same with Video cameras, M

      • I'm wondering why Edge isn't. Not only would more privacy features be a good differentiator, anything that makes ads less effective would harm Google, which seems like it would be in Microsoft's best interests.
      • Mozilla is; there's just not much marketing around it.

        To be clear, the level of de-featuring you're asking for makes for pretty good privacy, but a shitty modern browser. However, Mozilla is strongly committed to the prospect that the trade-off between features and privacy should remain in users' hands, which is why we work very closely with the Tor project to produce a browser that does exactly what you're proposing. The reason Firefox doesn't do this out of the box is that a browser that has been de-featu

    • by Tablizer ( 95088 )

      DOM = DUM

  • So it will be easier for the travel industry to keep track of you and keep the prices up for the places you have been looking at information for, even when you try to use different browsers, ip adresses etc?

    • by voxel ( 70407 )

      Technically yes. You could even browse with Internet Explorer as usual, then connect a VPN and switch to Icognito mode in Google Chrome and they still know who you are.

  • by Anonymous Coward

    I guess now we need a bunch of VMs with different distros on them or something. This is really getting tiring.

    Btw, I bet javascript was used to pull all these variables somehow.

  • by davidwr ( 791652 ) on Thursday January 12, 2017 @06:03PM (#53657191) Homepage Journal

    Browsers should present a "generic" capabilities list to web sites unless the user white-lists that site to receive some or all of the "real" capabilities. An online video-gaming site may need to know if I can play a GPU-intensive online game through the web browser, but very few other sites need to know.

    For example, "generic capabilities" would be:

    Screen size would be "small" for tablets, phones, and small notebooks, or "normal" for everything else. Pixel density would not be disclosed.
    "List of fonts" would be the most common "web fonts" in the main language of the operating system.
    As for the rest, they would be shown as "not disclosed."

    • by bsdasym ( 829112 ) on Thursday January 12, 2017 @06:43PM (#53657461)
      The game site does not need to know what your capabilities are. If you try to run it, and it doesn't work, you don't try again. It doesn't need to know *any* of the fonts or even font-families you have installed, it just needs to do what the web has always done; Present a list of fonts the site designer would like the browser to use, if they are available and the user allows it. No site needs to know even the simple small/med/large screen size, as that can all be (and usually is) handled entirely within the browser via CSS.

      Give them even less info than you propose and it'll still be too much, generally speaking.
    • Screen size would be "small" for tablets, phones, and small notebooks, or "normal" for everything else.

      Important information for the web site and CSS is the viewport size, i.e. the size of the browser window usable by the site scripts. The screen size itself should not be disclosed.

      • by tepples ( 727027 )

        Given the "all maximized all the time" window management policy of popular web browsing environments, the viewport size is a very good predictor of screen size. In fact, exact viewport size might even help with fingerprinting because different system fonts may cause the the notification bar to be larger or smaller.

  • Wake me up when we're able to fingerprint the same user across different devices. *That* will be freaky - and, admittedly, will interest me as a marketer.

    • by Anonymous Coward

      >as a marketer.

      Well there's yer problem. As a marketer you have limited capacity to understand humans.

  • The VAST majority of fingerprinting and most of the useful stuff relies on whoever is doing the fingerprinting running their javascript in your browser (client). Using something like NoScript to block javascript by default and limiting what you allow is quite effective at fighting fingerprinting.

    Definitely not a magic bullet but it's super helpful for this and lots of other web annoyances.
    Plus, you get to learn just how much useless javascript most sites want you to run (3rd party that has no impact on
  • Have a look at ffprofile.com to generate a secured profile. Look at the github page to extend the site for more un-features.

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...