Cookieless Monster: Exploring The Ecosystem Of Web-Based Device Fingerprinting

N. Nikiforakis, A. Kapravelos, W. Joosen, C. Krügel, F. Piessens, G. Vigna
Published 2013 · Computer Science

The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers' implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
This paper references
VirusTotal - Free Online Virus, Malware and URL Scanner
VirusTotal (2011)
Torbutton: I can't view videos on YouTube and other flash-based sites. Why?
Third-Party Web Tracking: Policy and Technology
J. Mayer (2012)
Host Fingerprinting and Tracking on the Web: Privacy and Security Implications
T. Yen (2012)
On the uniqueness of Web browsing history patterns
L. Olejnik (2014)
Giving the Web a Memory Cost Its Users Privacy
John Schwartz (2001)
Rozzle: De-cloaking Internet Malware
Clemens Kolbitsch (2012)
The Impact of Cookie Deletion on Site-Server and Ad-Server Metrics in Australia
Detection and analysis of drive-by-download attacks and malicious JavaScript code
M. Cova (2010)
You are what you include: large-scale evaluation of remote javascript inclusions
N. Nikiforakis (2012)
Panopticlick — Self-Defense
P Eckersley
Anubis: Analyzing Unknown Binaries
Patent US 20080040802: Network Security and Fraud Detection System and Method
A. Andersen (2011)
Fingerprinting Information in JavaScript Implementations
K. Mowery (2011)
ECMAScript Language Specification, Standard ECMA-262, Third edition
How to Unplug Java from the Browser
B Krebs
Measuring Time Spent On A Web Page
J.-L Gassée
Device identification in online banking is privacy threat, expert says
E Mills (2009)
Any person... a pamphleteer
J R Mayer (2009)
Private browsing and Flash Player 10
T. Nguyen
Private browsing and Flash Player 10.1
J. Xu
Detecting and Defending Against Third-Party Tracking on the Web
F. Roesner (2012)
Privacy leakage on the Internet
B Krishnamurthy (2010)
Adblock Plus - for annoyance-free web surfing
How Unique Is Your Browser
P Eckersley (2010)
How Unique Is Your Web Browser?
P. Eckersley (2010)
The Tangled Web: A Guide to Securing Modern Web Applications
M. Zalewski (2011)
How to turn off Java on your browser - and why you should do it now
G Cluley
Collusion: Discover who's tracking you online
How Fraudsters are Disguising PCs to Fool Device Fingerprinting
A. Klein
Generating a privacy footprint on the internet
B. Krishnamurthy (2006)
Pixel Perfect: Fingerprinting Canvas in HTML5
K. Mowery (2012)
I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks
Zachary Weinberg (2011)
Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns
C. Castelluccia, Ł. Olejnik (2012)
History of the browser user-agent string
A Andersen
History of the browser user-agent string
A. Andersen
An empirical study of privacy-violating information flows in JavaScript web applications
D. Jang (2010)
Smart, useful, scary, creepy: perceptions of online behavioral advertising
B. Ur (2012)
Flash Cookies and Privacy
A. Soltani (2010)
Opt out of being tracked
Tracking the Trackers: Early Results — Center for Internet and Society
J R Mayer
How many Firefox users have add-ons installed? 85%!
J Scott (2011)
The Impact of Cookie Deletion on Site-Server and Ad-Server Metrics in Australia
comScore (2011)
Web Tracking Protection 2011/SUBM-web-tracking-protection
How Fraudsters are Disguising PCs to Fool Device Fingerprinting
A Klein
How to Unplug Java from the Browser
B. Krebs
G Pierson
How many Firefox users have add-ons installed? 85%!
J. Scott (2011)
Private browsing and Flash Player 10
J Xu
Americans Reject Tailored Advertising and Three Activities that Enable It
J. Turow (2009)

This paper is referenced by
Bloom Cookies: Web Search Personalization without User Tracking
Nitesh Mor (2015)
Web Privacy Census
Ibrahim Altaweel (2015)
Everyone is Different: Client-side Diversification for Defending Against Extension Fingerprinting
Erik Trickel (2019)
Web-based Fingerprinting Techniques
Vitor Bernardo (2016)
Automated discovery of privacy violations on the web
Steven Englehardt (2018)
Privilege-Based Scoring System Against Cross-Site Scripting Using Machine Learning
N Shyam Sunder (2016)
Tracking your browser with high-performance browser fingerprint recognition model
Weiman Jiang (2020)
"Technology Should Be Smarter Than This!": A Vision for Overcoming the Great Authentication Fatigue
M. Angela Sasse (2013)
Explicit authentication response considered harmful
Lianying Zhao (2013)
Attacks on the User’s Session
Philippe De Ryck (2014)
Fingerprinting for Web Applications: From Devices to Related Groups
Christine Blakemore (2016)
Web Tracking: Mechanisms, Implications, and Defenses
Tomasz Bujlow (2015)
Enforcing Browser Anonymity with Quantitative Information Flow
Frédéric Besson (2014)
SurroundWeb: Mitigating Privacy Concerns in a 3D Web Browser
John Vilk (2015)
Towards A Non-tracking Web
Istemi Ekin Akkus (2016)
Towards accurate detection of obfuscated web tracking
Hoan Le (2017)
Engineering Secure Software and Systems
J. Kittler (2017)
Making it personal: web users and algorithmic personalisation
Tanya Kant (2016)
Privacy and Online Rights
Carmela Troncoso
You Shall Not Register! Detecting Privacy Leaks Across Registration Forms
Manolis Chatzimpyrros (2019)
Towards Seamless Tracking-Free Web: Improved Detection of Trackers via One-class Learning
M. Ikram (2017)
WhoTracks.Me: Shedding light on the opaque world of online tracking
Arjaldo Karaj (2018)
Collect it all: national security, Big Data and governance
J. Crampton (2015)
Finding proxy users at the service using anomaly detection
Allen T. Webb (2016)
Website Forensic Investigation to Identify Evidence and Impact of Compromise
Yuta Takata (2016)
If you are not paying for it, you are the product: how much do advertisers pay to reach you?
P. Papadopoulos (2017)
Device Graphing by Example
Keith Funkhouser (2018)
Towards a Secure Web: Critical Vulnerabilities and Client-Side Countermeasures (Bedreigingen en beveiligingsmaatregelen voor een veilig web)
Nikolaos Nikiforakis (2013)
Fingerprinting Network Device Based on Traffic Analysis in High-Speed Network Environment
Yiting Zhang (2018)
The Unique Id's you Can't Delete: Browser Fingerprints
Krishna.V. Nair (2018)
Towards lightweight secure user-transparent and privacy-preserving web metering
Fahad Abdulkareem Alarifi (2015)
User tracking mechanisms and counter measures
Asra Ishtiaq (2017)