ABSTRACT
Browser fingerprinting is often associated with cross-site user tracking, a practice that many browsers (e.g., Safari, Brave, Edge, Firefox, and Chrome) want to block. However, less is publicly known about its uses to enhance online safety, where it can provide an additional security layer against service abuse (e.g., in combination with CAPTCHAs) or during user authentication. To the best of our knowledge, no fingerprinting defense deployed thus far considers this distinction when blocking fingerprinting attempts, so such defenses might negatively affect website functionality and security.
To address this issue we make three main contributions. First, we introduce a novel machine learning-based method to automatically identify authentication pages (i.e., login and sign-up pages). Our supervised algorithm achieves 96-98% precision and recall on a manually labelled dataset of almost 1,000 popular sites. Second, we compare our algorithm with methods from prior work on the same dataset, showing that it significantly outperforms all of them. Third, we quantify the prevalence of fingerprinting scripts on login and sign-up pages (10.2%) versus other pages (9.2%); while the rates of fingerprinting are similar, home pages and authentication pages differ in the third-party scripts they include and in how often these scripts are labeled as tracking. We also highlight substantial differences in fingerprinting between login and sign-up pages. Our work sheds light on the complicated reality that fingerprinting is used both to protect user security and to invade user privacy; this dual nature must be considered by fingerprinting mitigations.
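The classification task the abstract describes (telling login and sign-up pages apart from everything else) is easier to reason about with a concrete feature extractor in hand. The following is an added example, not the paper's supervised model, whose features and training procedure are not given on this page: a hypothetical rule-based baseline in Python that pulls a handful of form-level signals out of HTML with the standard-library HTMLParser and labels a page as login, sign-up or other. The rules, thresholds, helper names and the sample pages are all assumptions constructed for the demo.

```python
# Added example: a rule-based login / sign-up page detector (hypothetical
# baseline, not the paper's supervised classifier). It extracts a handful
# of form features with the standard-library HTMLParser and applies
# hand-written rules; the sample HTML below is constructed for the demo.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

SIGNUP_WORDS = re.compile(r"\b(sign\s*up|register|create (an |your )?account|join)\b", re.I)
LOGIN_WORDS = re.compile(r"\b(log\s*in|sign\s*in)\b", re.I)
IDENT_NAME = re.compile(r"user|email|login")
# Elements whose visible text is a strong hint about the form's purpose.
TEXT_TAGS = {"button", "label", "legend", "h1", "h2"}


@dataclass
class FormFeatures:
    password_fields: int = 0
    new_password_hint: bool = False      # autocomplete="new-password"
    current_password_hint: bool = False  # autocomplete="current-password"
    has_identifier_field: bool = False   # email / username style input
    text: list = field(default_factory=list)

    def label(self) -> str:
        """Classify one form as 'login', 'signup' or 'other'."""
        if self.password_fields == 0:
            return "other"                # search, newsletter, contact, ...
        blob = " ".join(self.text)
        if (self.password_fields >= 2 or self.new_password_hint
                or SIGNUP_WORDS.search(blob)):
            return "signup"               # password + confirmation, or sign-up wording
        return "login"                    # a lone password field is almost always a login


class FormExtractor(HTMLParser):
    """Collect FormFeatures for every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms: list[FormFeatures] = []
        self._cur: FormFeatures | None = None
        self._capture = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self._cur = FormFeatures()
            self.forms.append(self._cur)
        if self._cur is None:
            return                        # ignore markup outside any form
        if tag == "input":
            itype = a.get("type", "text")
            ac = a.get("autocomplete", "")
            name = a.get("name", "") + " " + a.get("id", "")
            if itype == "password":
                self._cur.password_fields += 1
            self._cur.new_password_hint |= ac == "new-password"
            self._cur.current_password_hint |= ac == "current-password"
            if itype == "email" or ac in ("username", "email") or IDENT_NAME.search(name):
                self._cur.has_identifier_field = True
            if itype == "submit" and a.get("value"):
                self._cur.text.append(a["value"])
        elif tag in TEXT_TAGS:
            self._capture = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None
        elif tag in TEXT_TAGS:
            self._capture = False

    def handle_data(self, data):
        if self._capture and self._cur is not None:
            self._cur.text.append(data.strip())


def extract_forms(html: str) -> list[FormFeatures]:
    p = FormExtractor()
    p.feed(html)
    p.close()
    return p.forms


def classify_page(html: str) -> str:
    """Page label: 'signup' if any form looks like sign-up, else 'login', else 'other'."""
    labels = {f.label() for f in extract_forms(html)}
    for wanted in ("signup", "login"):
        if wanted in labels:
            return wanted
    return "other"


# Constructed sample pages (not real sites).
LOGIN_HTML = """
<form action="/session" method="post">
  <label for="u">Email</label><input id="u" type="email" name="email" autocomplete="username">
  <label for="p">Password</label><input id="p" type="password" name="password" autocomplete="current-password">
  <button type="submit">Sign in</button>
  <a href="/register">Sign up</a>   <!-- link text is ignored on purpose -->
</form>"""
SIGNUP_HTML = """
<h1>Create your account</h1>
<form action="/register" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="new_password" autocomplete="new-password">
  <input type="password" name="confirm_password">
  <input type="submit" value="Create account">
</form>"""
NEWSLETTER_HTML = '<form action="/subscribe"><input type="email" name="email"><button>Subscribe</button></form>'

if __name__ == "__main__":
    for name, page in [("login", LOGIN_HTML), ("signup", SIGNUP_HTML), ("newsletter", NEWSLETTER_HTML)]:
        print(name, "->", classify_page(page))
```

Two design points matter even for a toy like this. Only text from buttons, labels and headings inside the form counts, so a "Sign up" link sitting next to a login button does not flip the label; and the `autocomplete` hints are treated as stronger evidence than field names, because browsers' password managers rely on exactly those hints. A static detector of this kind still misses forms that are rendered only after a click or that live behind an SSO redirect, which is one reason a learned classifier over crawled pages is attractive.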
The Double Edged Sword: Identifying Authentication Pages and their Fingerprinting Behavior