Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
The Internet Australia Privacy

A New Use For Browser Fingerprints: Defeating Spoofing (browserprint.info) 64

AnonymousCube writes: Researchers at the University of Adelaide have found a new use for browser fingerprints: uncovering and defeating spoofing by web browsers. By using machine learning on browser fingerprints they were able to correctly guess the OS or browser family of a browser 90% of the time, and defeat operating system and browser family spoofing 76% of the time. This was done with small training sets of less than 1000 fingerprints, so accuracy with a much larger training set, like the size of the EFF's Panopticlick database should give even better results; you can help prove this, and see what their site thinks your browser family and OS is, by submitting your fingerprint to their site.
This discussion has been archived. No new comments can be posted.

A New Use For Browser Fingerprints: Defeating Spoofing

Comments Filter:
  • by Opportunist ( 166417 ) on Sunday May 07, 2017 @08:45AM (#54370913)

    We now have to evolve the better mouse.

    Dear fingerprinters: It might surprise you, but we don't want this to happen. We want the non-mobile version of your damn webpage on our mobile phone if we go out of our way to pretend we're not on a mobile device. Because guess what: Your mobile version almost invariably sucks and is unusable. Forcing us to use what YOU want us to use instead of allowing us to choose what WE want to choose leads to us not using your service at all.

    • by GargamelSpaceman ( 992546 ) on Sunday May 07, 2017 @08:58AM (#54370949) Homepage Journal

      They can even get you by canvas fingerprinting and web3d fingerprinting where they use various drawing apis to create an image and then send back the checksum of that image to create a fairly unique fingerprint.

      CanvasBlocker sends a fake one, but then they know you are faking it. Or you can shut off access to the api, but then THAT flags you as unique for returning nothing but zeroes.

      I have yet to be able to produce a browser fingerprint that isn't unique using any combination of addons.

      We need some standardization. Then people could download an addon that produces at least the same fingerprint as all other users of that addon giving some space to hide in.

      • by allo ( 1728082 )

        > I have yet to be able to produce a browser fingerprint that isn't unique using any combination of addons.
        You do not need to. You just need a fingerprint, which is different *every* time. Instead of being one in a group of 100, you're unique, but you are unique every time you re-visit the site.

        • Problem is, they can't produce a unique fingerprint for every user's browser. And ANY browser fingerprint can be mimicked - in the end it's just bits and bytes coming down the wire.

          So what if they know you're faking the checksum if millions of other people are faking it as well, and giving different bogus checksums for every page load. Or returning all zeroes, along with millions of other people doing the same? No need for an add-on that produces the same fingerprint as all other users of that add-on. You're overthinking the problem. What are they going to do, block users who don't let their browsers return fingerprints? We saw how well that worked with paywalls and not allowing ad-blockers. People just go elsewhere.

          It's the internet - it was designed to route around such brain-damage.

        • It's actually quite hard to fake fingerprints thoroughly and coherently. There's a whole bunch of different Javascript API's a website can use to obtain fingerprintable data through, and some API's are browser specific or sometimes something simple, like the order of the objects returned, may be browser specific and give you away.

          If you were to spoof coherently, you'd need to ensure that you can defend against all (most) of the attacks that attempt to verify your browser. This would require all kinds of a

          • by allo ( 1728082 )

            I think we will never ever eliminate the uniqueness of modern browser's fingerprint while keeping its features. You may have the same fingerprint when using something like tails in a VM. But start installing addons and you're changing it.

            But you can try to randomize everything everytime. The problem is, while you may think "i fooled panopticlick to think i am always another unique person", the real fingerprinting service will not only take the full fingerprint, but try to analyse it. Something which is with

      • I have yet to be able to produce a browser fingerprint that isn't unique using any combination of addons.

        How do you tell different w3m or lynx users apart if they spoof their user agents?

        • by Vairon ( 17314 ) on Sunday May 07, 2017 @11:53AM (#54371541)

          By comparing the behavior of the two clients.

          When w3m requests a web page it sends the following:
          GET / HTTP/1.0
          User-Agent: w3m/0.5.3+git20161120
          Accept: text/html, text/*;q=0.5, image/*
          Accept-Encoding: gzip, compress, bzip, bzip2, deflate
          Accept-Language: en;q=1.0
          Host: www.website.com

          When lynx, with a w3m user agent, requests a web page it sends the following:
          GET / HTTP/1.0
          Host: www.website.com
          Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
          Accept-Encoding: gzip, bzip2
          Accept-Language: en
          User-Agent: w3m/0.5.3+git20161120

          • I was asking how it could tell different lynxes apart, or different w3ms apart, the way it could tell e.g. Firefox on Linux and Firefox on Windows apart. It doesn't seem possible unless the headers or the response times differ.

            If headers are all that make different text browsers look different, perhaps the developers could talk to each other to make their browser more like one another, to thwart just this kind of privacy invasion.
  • by scrib ( 1277042 ) on Sunday May 07, 2017 @08:54AM (#54370939)

    If a user has gone to the trouble of configuring a browser (or plugin) to spoof which browser they are using, why would I want to help researchers circumvent that?

    If there's a good reason to defeat an intentional user choice, I'd love to hear it.

    • by TimSSG ( 1068536 )
      I just tested the Microsoft Edge Browser and I have never changed the defaults.
      The website responded with
      Your user-agent string specifies your browser as being a variant of CHROME.
      Judging by your fingerprint we believe your browser is a variant of EDGE.

      Tim S.
  • double plus ungood (Score:4, Informative)

    by Anonymous Coward on Sunday May 07, 2017 @08:56AM (#54370943)

    You do not call it "fighting spoofing". You must call it "reducing privacy, usability and anonymity". Doesn't sound so good now, does it?

  • I am running Firefox 45.9.0 with NoScript and the site thinks it is IE.
    Tim S.
    Your user-agent string specifies your browser as being a variant of FIREFOX.
    Judging by your fingerprint we believe your browser is a variant of IE.
  • Palemoon + Addons:
    Cookie Monster - https://addons.mozilla.org/en-... [mozilla.org]
    RequestPolicy - https://addons.mozilla.org/en-... [mozilla.org]
    NoScript - https://addons.mozilla.org/en-... [mozilla.org]
    Secret Agent - https://www.dephormation.org.u... [dephormation.org.uk]
    No java, no flash. Good luck finger printing that.
  • I've said this too many times, and I really don't know what to write that would be a thoughtful comment. All I know to do for now, and have done for nearly a decade, is use VPN, Tor, and DNSCrypt, and hope that all I've done so far will be enough to mud-up things, at least for a while, for when it gets really bad. The Internet used to be like the U.S. was in its infancy, a self-reliant frontier of sorts, and now we're are all statistics once again to be ruled and manipulated by governments that don't know
  • by Anonymous Coward

    I tried it. It pops up a page that says "Please wait..." with an icon to "Get Adobe Flash". That's it.

    So yet again, it's a malicious technique that only works with the active cooperation of the target. Do not volunteer to run malicious payloads, and you are apparently safe from this.

    • by mi ( 197448 )
      It does not require Flash for most of the functionality. My browser does not have Flash installed, and it told me quite a bit about my environment anyway. It does need JavaScript, but that's enabled for most people, because a vast number of sites break without it.
      • by Anonymous Coward

        It does need JavaScript,

        But it's javascript that leaks so much identifying information. Once you enable javascript, you have lost the battle pretty much no matter what you do.

        The best approach is probably a combination of things. Use javascript on a strict whitelist basis, not by default. Whitelist sites you trust that need it for something real. Block all other javascript. That will VASTLY reduce the number of bits of entropy that you leak to web sites, and still let you use your bank and so on.

        Sites break with JS because th

  • Now we need a spoofing AI to defeat the anti-spoofing AI, thus recovering our privacy.
  • Though my User-Agent header clearly says: "FreeBSD", the site claimed, my OS is "likely Windows" :)

    Other than that, yes, it is quite amazing, how much info is available to the JavaScript code...

  • Using Sandboxed Opera (Sandboxie) and Opera's built in VPN, it guessed my browser was Chrome.
    • by DERoss ( 1919496 )

      Me too.

      I tried Browserprint twice just now. Each time, it gave a different browser, none of which were correct. In one case, it even responded that I was using a Mac; but I am using a Windows PC.

      How did I defeat it? It was simple. I have Secret Agent from https://www.dephormation.org.u... [dephormation.org.uk] installed.

      Browserprint is not new. I first tried Browserprint almost a year ago. I have also tried Panopticlick several times. Secret Agent always defeats the attempt to identify my browser.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...