The Community for Technology Leaders
2013 IEEE Symposium on Security and Privacy (SP) Conference (2013)
Berkeley, CA
May 19, 2013 to May 22, 2013
ISSN: 1081-6011
ISBN: 978-1-4673-6166-8
pp: 541-555
N. Nikiforakis , iMinds-DistriNet, KU Leuven, Leuven, Belgium
A. Kapravelos , Univ. of California, Santa Barbara, Santa Barbara, CA, USA
W. Joosen , iMinds-DistriNet, KU Leuven, Leuven, Belgium
C. Kruegel , Univ. of California, Santa Barbara, Santa Barbara, CA, USA
F. Piessens , iMinds-DistriNet, KU Leuven, Leuven, Belgium
G. Vigna , Univ. of California, Santa Barbara, Santa Barbara, CA, USA
ABSTRACT
The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers' implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
INDEX TERMS
Browsers, Companies, IP networks, Fingerprint recognition, Servers, Internet, Feature extraction,browser extensions, fingerprinting, device identification
CITATION
N. Nikiforakis, A. Kapravelos, W. Joosen, C. Kruegel, F. Piessens, G. Vigna, "Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting", 2013 IEEE Symposium on Security and Privacy (SP) Conference, vol. 00, no. , pp. 541-555, 2013, doi:10.1109/SP.2013.43
84 ms
(Ver 3.3 (11022016))