Abstract
Browser fingerprinting has established itself as a stateless technique to identify users on the Web. In particular, it is a highly criticized technique to track users. However, we believe that this identification technique can serve more virtuous purposes, such as bot detection or multi-factor authentication. In this paper, we explore the adoption of browser fingerprinting for security-oriented purposes. More specifically, we study 4 types of web pages that require security mechanisms to process user data: sign-up, sign-in, basket and payment pages. We visited 1,485 pages on 446 domains and we identified the acquisition of browser fingerprints from 405 pages. By using an existing classification technique, we identified 169 distinct browser fingerprinting scripts included in these pages. By investigating the origins of the browser fingerprinting scripts, we identified 12 security-oriented organizations that collect browser fingerprints on sign-up, sign-in, and payment pages. Finally, we assess the effectiveness of browser fingerprinting against two potential attacks, namely stolen credentials and cookie hijacking. We observe browser fingerprinting being successfully used to enhance web security.
A Selected Search Keywords
We used the following list of keywords to get specific website types:
– Bank
– Money transfer service
– Stock trading
– Financial
– Cryptocurrency
– Social insurance
– Taxes
– Healthcare
– Job search
– News
– Email
– Adult
– Dating
– Metro/train/flight tickets
– Flight companies
– Travel agencies
– Airlines
– Event ticket
– Sport ticket
– Social network
– Ecommerce
– Shopping
– TV channel
– Streaming
– Bet games
– Poker
– Online game

We used the following list of countries for our experiment:
– United States
– Japan
– Germany
– France
– Russia
– Spain
– United Kingdom
– India
– China
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Durey, A., Laperdrix, P., Rudametkin, W., Rouvoy, R. (2021). FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science, vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_12
DOI: https://doi.org/10.1007/978-3-030-80825-9_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-80824-2
Online ISBN: 978-3-030-80825-9
eBook Packages: Computer Science (R0)