Ruslan Rakhmetov, Security Vision
For most users, the Internet browser is the main "window" into the world of the Internet. The safety and reliability of browsers is a major priority for their developers - new versions are constantly being released and various functions are being added, including measures to protect user privacy. On the other hand, large companies and Internet giants want to know as much as possible about users for marketing purposes, and attackers on phishing sites are trying to understand who has become their victim - and for these purposes, browser analysis methods are used. We will talk about such an analysis - the so-called browser fingerprinting - in this article.
A fingerprint is a collection of data about a browser that is likely to distinguish that browser from millions of others, and Fingerprinting is the process of collecting such data. Ideally, the browser fingerprint should uniquely identify it: the effectiveness of browser fingerprinting depends on the technical ability to create a unique browser identifier with high entropy, which will distinguish this browser (and therefore both a person and his device - a smartphone or laptop) from many other Internet users. This recognition is used for a variety of purposes:
- Improving the convenience of working with sites: on different devices and in different browsers, the website can be displayed in different ways, so the site needs to get information about which browser connects to it.
- Identification of site visitors: it is important for site owners to "find out" their old users and analyze their behavior (history of visited sections, viewed product cards, purchases made earlier).
- Marketing: data about users, their interests, preferences, income and plans are of significant value to big tech companies, retailers, marketplaces and social networks - this allows them to offer relevant advertising to Internet users, conduct targeted marketing campaigns, increase conversion and sales on sites. In addition, marketing and analytical agencies purposefully collect, process and sell huge amounts of user information to interested companies.
- Cybersecurity: identifying bots that are trying to hack accounts and preventing the use of stolen credentials is implemented by analyzing browser fingerprints (bots and hackers will not be able to fake the fingerprint of a legitimate user's browser).
- Anti-fraud: identifying users who may commit fraudulent or unauthorized actions on the site (for example, web scraping, searching for vulnerabilities outside the Bug Bounty program, reusing promotional codes for new users, entering stolen bank card data, cheating bonus points, etc.).
- Digital tracking and violation of user privacy: unauthorized collection of browser fingerprints will allow a wide variety of actors to form an Internet user profile (gender, age, place of residence, profession, interests, visited sites, etc.), which can be used, for example, for targeted phishing attacks with a suitable context or for social manipulation.
Browser fingerprinting is used everywhere: for example, a study conducted in 2021 showed that 30.6% of sites use Fingerprinting Top-1000 from the Alexa list. At the same time, a study conducted in 2016 showed that of the studied 118,934 browser fingerprints, 89.4% were unique. Despite the fact that there are certain restrictions and recommendations for creating fingerprint browsers, interested companies continue to implement various methods of tracking users using browsers.
How is the collection of digital fingerprints of browsers implemented? It would seem that two identical models of a device (laptop, for example) with the same OS and one version of the browser should not differ from each other in terms of the website visited, but the smallest details help to detect the difference - fonts installed in the system, browser extensions, screen resolution, even differences in versions of drivers for video adapters and the presence of connected external devices. Browser fingerprinting methods can be classified as follows:
1. Stateful tracking - Uses cookies in the browser store. Back in the mid-2010s, there was an urgent problem of "non-removable" cookies (Evercookie/persistent cookie/super cookie/zombie cookie). However, with the departure of outdated technologies such as Adobe Flash and Microsoft Silverlight, as well as with improvements in the work of browsers in private mode ("Incognito" mode), by 2020 this problem has practically disappeared.
2. Stateless tracking: Identifiers are not stored in the browser, and the characteristics of the browser itself are used for analysis. Stateless tracking can be divided into passive and active:
2.1. Passive tracking: collecting information that is transmitted by the browser itself when connecting to the site, including:
- Standard HTTP headers transmitted by the web client: User-Agent (indicating the type of OS, browser and its version), Accept (supported MIME types), Accept-Encoding (supported compression algorithms), Accept-Language (preferred browser locale);
- Additional HTTP headers transmitted by the web client (for example, HTTP headers set by some browsers or browser extensions);
- HTTP service headers that can be added by different ISPs on their DPI systems or that can be added by different intermediate network equipment;
- External IP address of the client.
2.2. Active tracking: the site interacts with the browser for detailed information about it, while some such requests can be detected in the browser itself. This type of tracking can use data such as:
- List of installed browser plugins (extensions): websites can request data from the browser about installed extensions - a unique set of installed extensions will distinguish one browser from another.
- CSS: to get a browser fingerprint (even with JavaScript support disabled in it), you can use CSS constructs and, due to the difference in the display of HTML elements in browsers, it is enough to accurately distinguish them. In addition, the history of visiting web pages until recently, sites could receive through CSS by reading the color values of links.
- WebGL: the use of WebGL technology by websites (JavaScript API for displaying graphic elements in a browser) allows you to obtain data about the manufacturer and graphics device (Vendor and Renderer) of the computer. The DrawnApart technique allows you to create a browser fingerprint due to the difference in time it takes to render graphics on different devices.
- Canvas: using the Canvas API to render graphic elements on web pages also allows you to create a unique digital fingerprint of the browser due to the fact that the rendering of a specially created Canvas element depends on device-specific settings (installed fonts, support for displaying special characters in the OS, graphics adapter characteristics).
- Various Javascript APIs can be used for functional and algorithmic browser fingerprinting: functional allows Internet sites to request permissions for browser access to various functions and peripherals of the computer (for example, access to display notifications, access to the camera and microphone, access to geolocation, to connected USB devices), and algorithmic allows you to uniquely highlight the browser by measuring the execution time of various API requests to the browser, the speed of rendering graphics, obtaining a list of available audio devices and access to various sensors (accelerometer, gyroscope, proximity sensor, etc.). In addition, Javascript allows you to query the browser for the current time and time zone of the device, screen resolution, supported modes of translating and voicing web pages, installed fonts, geolocation data, data on touch screen support, etc.
Some browser fingerprint techniques can be combined: for example, cookies can be set based on the analysis of a previously created browser fingerprint. In addition, browser fingerprint techniques are constantly improving, and browser manufacturers are striving to protect the privacy of their users, with each new version offering fewer and fewer opportunities to create a reliable and unique fingerprint browser.
To check the security of your browser for fingerprinting, you can use the following online tests:
https://coveryourtracks.eff.org/
.jpg)
