Cookieless Monster: Exploring The Ecosystem Of Web-Based Device Fingerprinting

N. Nikiforakis, A. Kapravelos, W. Joosen, C. Krügel, F. Piessens, G. Vigna
Published 2013 · Computer Science

The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers' implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
This paper references
VirusTotal - Free Online Virus, Malware and URL Scanner
VirusTotal (2011)
Torbutton: I can't view videos on YouTube and other flash-based sites. Why?
10.1109/SP.2012.47
Third-Party Web Tracking: Policy and Technology
J. Mayer (2012)
Host Fingerprinting and Tracking on the Web: Privacy and Security Implications
T. Yen (2012)
10.1007/s12243-013-0392-5
On the uniqueness of Web browsing history patterns
L. Olejnik (2014)
Giving the Web a Memory Cost Its Users Privacy
John Schwartz (2001)
10.1109/SP.2012.48
Rozzle: De-cloaking Internet Malware
Clemens Kolbitsch (2012)
The Impact of Cookie Deletion on Site-Server and Ad-Server Metrics in Australia
(2011)
10.1145/1772690.1772720
Detection and analysis of drive-by-download attacks and malicious JavaScript code
M. Cova (2010)
10.1145/2382196.2382274
You are what you include: large-scale evaluation of remote javascript inclusions
N. Nikiforakis (2012)
Panopticlick — Self-Defense
P Eckersley
Anubis: Analyzing Unknown Binaries
Patent US 20080040802 NETWORK SECURITY AND FRAUD DETECTION SYSTEM AND METHOD
A. Andersen (2011)
Fingerprinting Information in JavaScript Implementations
K. Mowery (2011)
ECMAScript Language Specification, Standard ECMA-262, Third edition
How to Unplug Java from the Browser, http://krebsonsecurity.com/how-to-unplug-java-from-the-browser
B Krebs
Measuring Time Spent On A Web Page
J.-L Gassée
Device identification in online banking is privacy threat, expert says
E Mills (2009)
Any person... a pamphleteer
J R Mayer (2009)
Private browsing and Flash Player 10
T. Nguyen
Private browsing and Flash Player 10.1
J. Xu
Detecting and Defending Against Third-Party Tracking on the Web
F. Roesner (2012)
Privacy leakage on the Internet
B Krishnamurthy (2010)
Adblock Plus - for annoyance-free web surfing
How Unique Is Your Browser
P Eckersley (2010)
10.1007/978-3-642-14527-8_1
How Unique Is Your Web Browser?
P. Eckersley (2010)
The Tangled Web: A Guide to Securing Modern Web Applications
M. Zalewski (2011)
Ghostery
How to turn off Java on your browser - and why you should do it now
G Cluley
Collusion: Discover who's tracking you online
How Fraudsters are Disguising PCs to Fool Device Fingerprinting
A. Klein
10.1145/1177080.1177088
Generating a privacy footprint on the internet
B. Krishnamurthy (2006)
Pixel Perfect: Fingerprinting Canvas in HTML5
K. Mowery (2012)
10.1109/SP.2011.23
I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks
Zachary Weinberg (2011)
Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns
C. Castelluccia, Ł. Olejnik (2012)
History of the browser user-agent string, http://webaim.org/blog/user-agent-string-history
A Andersen
History of the browser user-agent string
A. Andersen
10.1145/1866307.1866339
An empirical study of privacy-violating information flows in JavaScript web applications
D. Jang (2010)
10.1145/2335356.2335362
Smart, useful, scary, creepy: perceptions of online behavioral advertising
B. Ur (2012)
10.2139/SSRN.1446862
Flash Cookies and Privacy
A. Soltani (2010)
Opt out of being tracked
Tracking the Trackers: Early Results — Center for Internet and Society
J R Mayer
How many Firefox users have add-ons installed? 85%! https://blog.mozilla.org/addons
J Scott (2011)
The Impact of Cookie Deletion on Site-Server and Ad-Server Metrics in Australia
comScore (2011)
Web Tracking Protection, http://www.w3.org/Submission/2011/SUBM-web-tracking-protection
(2011)
How Fraudsters are Disguising PCs to Fool Device Fingerprinting, http://www.trusteer.com/blog/how-fraudsters-are-disguising-pcs-fool-device-fingerprinting
A Klein
How to Unplug Java from the Browser
B. Krebs
Patent US20080040802 - NETWORK SECURITY AND FRAUD DETECTION SYSTEM AND METHOD
G Pierson
How many Firefox users have add-ons installed? 85%!
J. Scott (2011)
Private browsing and Flash Player 10
J Xu
10.2139/SSRN.1478214
Americans Reject Tailored Advertising and Three Activities that Enable It
J. Turow (2009)



This paper is referenced by
10.14722/NDSS.2015.23108
Bloom Cookies: Web Search Personalization without User Tracking
Nitesh Mor (2015)
10.2139/SSRN.2460547
Web Privacy Census
Ibrahim Altaweel (2015)
Everyone is Different: Client-side Diversification for Defending Against Extension Fingerprinting
Erik Trickel (2019)
10.5220/0005965602710282
Web-based Fingerprinting Techniques
Vitor Bernardo (2016)
Automated discovery of privacy violations on the web
Steven Englehardt (2018)
10.1007/978-81-322-2656-7_54
Privilege-Based Scoring System Against Cross-Site Scripting Using Machine Learning
N Shyam Sunder (2016)
10.23919/JCC.2020.03.014
Tracking your browser with high-performance browser fingerprint recognition model
Weiman Jiang (2020)
10.1007/978-3-319-06811-4_7
"Technology Should Be Smarter Than This!": A Vision for Overcoming the Great Authentication Fatigue
M. Angela Sasse (2013)
10.1145/2535813.2535822
Explicit authentication response considered harmful
Lianying Zhao (2013)
10.1007/978-3-319-12226-7_7
Attacks on the User’s Session
Philippe De Ryck (2014)
10.1109/TrustCom.2016.0057
Fingerprinting for Web Applications: From Devices to Related Groups
Christine Blakemore (2016)
Web Tracking: Mechanisms, Implications, and Defenses
Tomasz Bujlow (2015)
Enforcing Browser Anonymity with Quantitative Information Flow
Frédéric Besson (2014)
10.1109/SP.2015.33
SurroundWeb: Mitigating Privacy Concerns in a 3D Web Browser
John Vilk (2015)
Towards A Non-tracking Web
Istemi Ekin Akkus (2016)
10.1109/IWMN.2017.8078365
Towards accurate detection of obfuscated web tracking
Hoan Le (2017)
10.1007/978-3-319-62105-0
Engineering Secure Software and Systems
J. Kittler (2017)
Making it personal : web users and algorithmic personalisation
Tanya Kant (2016)
Privacy and Online Rights
Carmela Troncoso
10.1007/978-3-030-42051-2_7
You Shall Not Register! Detecting Privacy Leaks Across Registration Forms
Manolis Chatzimpyrros (2019)
10.1515/popets-2017-0006
Towards Seamless Tracking-Free Web: Improved Detection of Trackers via One-class Learning
M. Ikram (2017)
WhoTracks.Me: Shedding light on the opaque world of online tracking
Arjaldo Karaj (2018)
10.1007/S10708-014-9598-Y
Collect it all: national security, Big Data and governance
J. Crampton (2015)
10.1109/CNS.2016.7860473
Finding proxy users at the service using anomaly detection
Allen T. Webb (2016)
10.1007/978-3-319-59608-2_25
Website Forensic Investigation to Identify Evidence and Impact of Compromise
Yuta Takata (2016)
10.1145/3131365.3131397
If you are not paying for it, you are the product: how much do advertisers pay to reach you?
P. Papadopoulos (2017)
10.1145/3219819.3219852
Device Graphing by Example
Keith Funkhouser (2018)
Towards a Secure Web: Critical Vulnerabilities and Client-Side Countermeasures (Bedreigingen en beveiligingsmaatregelen voor een veilig web)
Nikolaos Nikiforakis (2013)
10.1109/CBD.2018.00052
Fingerprinting Network Device Based on Traffic Analysis in High-Speed Network Environment
Yiting Zhang (2018)
10.1109/ICETIETR.2018.8529040
The Unique Id's you Can't Delete: Browser Fingerprints
Krishna.V. Nair (2018)
Towards lightweight secure user-transparent and privacy-preserving web metering
Fahad Abdulkareem Alarifi (2015)
10.18100/ijamec.2017528829
User tracking mechanisms and counter measures
Asra Ishtiaq (2017)