Alexandros Kapravelos, UC Santa Barbara, Santa Barbara
Wouter Joosen, K.U.Leuven, Leuven
Christopher Kruegel, UC Santa Barbara, Santa Barbara
Frank Piessens, KU Leuven, Leuven
Nick Nikiforakis, KU Leuven, Leuven
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2013.160
In this article, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need for client-side identifiers. We expose questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. We demonstrate how one can use differences between browser implementations to successfully distinguish not only the browser family, but also specific major and minor versions. Lastly, we evaluate user-agent-spoofing browser extensions and show that current commercial approaches can bypass the extensions and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, Nick Nikiforakis, "On the Workings and Current Practices of Web-based Device Fingerprinting", IEEE Security & Privacy, no. 1, pp. 1, PrePrints, doi:10.1109/MSP.2013.160