Combatting Browser Fingerprinting with ChromeDust

Similar documents
Web Fingerprinting. How, Who, and Why? Nick Nikiforakis

Everything you always wanted to know about web-based device fingerprinting

Browser fingerprinting

Chrome Extension Security Architecture

How Facebook knows exactly what turns you on

Device Fingerprinting

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Fingerprinting mobile devices: A short analysis

Security and privacy in the smartphone ecosystem: Final progress report

Cloak of Visibility. -Detecting When Machines Browse A Different Web. Zhe Zhao

Penetration Testing. James Walden Northern Kentucky University

Unit 4 The Web. Computer Concepts Unit Contents. 4 Web Overview. 4 Section A: Web Basics. 4 Evolution

FP-TESTER: Automated Testing of Browser Fingerprint Resilience

SCRIPT REFERENCE. UBot Studio Version 4. The Settings Commands

Browser Guide for PeopleSoft

HTML5 Tracking Techniques in Practice

Robust Defenses for Cross-Site Request Forgery Review

Recommended Browser Settings for Self Service Applications Revised: 10/10/2013 vmc

The security of Mozilla Firefox s Extensions. Kristjan Krips

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Certified Secure Web Application Engineer

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Robust Defenses for Cross-Site Request Forgery

Portal Recipient Guide. The Signature Approval Process

Robust Defenses for Cross-Site Request Forgery

Five9 Virtual Contact Center Online Help and Browser Usage Guidelines

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

s642 web security computer security adam everspaugh

Learning Center Computer and Security Settings

You Are Being Watched Analysis of JavaScript-Based Trackers

Web Application Penetration Testing

Wesleyan University. PeopleSoft - Configuring Web Browser Settings

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Version Release Date: September 5, Release Client Version: Release Overview 7 Resolved Issues 8 Known Issues 8

Cross-Browser Functional Testing Best Practices

OWASP AppSec Research The OWASP Foundation New Insights into Clickjacking

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

CSWAE Certified Secure Web Application Engineer

Report Exec Enterprise Browser Settings. Choose Settings Topic

etrac Guide System Requirements Global DMS, 1555 Bustard Road, Suite 300, Lansdale, PA , All Rights Reserved.

Proposal for Virtual Web Browser by Using HTML5

White Paper: Delivering Enterprise Web Applications on the Curl Platform

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Learning Center Computer and Security Settings

App Development. Quick Guides for Masterminds. J.D Gauchat Cover Illustration by Patrice Garden

CSC Introduction to Computers and Their Applications

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions

Checklist for Testing of Web Application

On the Robustness of Mobile Device Fingerprinting

MAC CHECKING MINDTAP SYSTEM REQUIREMENTS

Why the end-to-end principle matters for privacy

Browser Settings for MyCompLab and MyLiteratureLab. October 5, 2010

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

WHY CSRF WORKS. Implicit authentication by Web browsers

5/19/2015. Objectives. JavaScript, Sixth Edition. Saving State Information with Query Strings. Understanding State Information


FIREFOX REVIEWER S GUIDE. Contact us:

Table of Content. Last updated: June 16th, 2015

P2_L12 Web Security Page 1

Security Using Digital Signatures & Encryption

Identifying and Preventing Conditions for Web Privacy Leakage

October 08: Introduction to Web Security

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Inline HTML Editor does not load preventing typing in text field

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Information Security CS 526 Topic 11

1. Setup a root folder for the website 2. Create a wireframe 3. Add content 4. Create hyperlinks between pages and to external websites

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

XHound: Quantifying the Fingerprintability of Browser Extensions. Priyankit Bangia Software Engineering. By Oleksii Starov & Nick Nikiforakis

Designing RIA Accessibility: A Yahoo UI (YUI) Menu Case Study

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6

Portal Recipient Guide For Virtual Cabinet

Web basics: HTTP cookies

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

CSI5387: Data Mining Project

RSA INCIDENT RESPONSE SERVICES

Chapter 5: Networking and the Internet

Match the attack to its description:

How to Configure an SSH Tunnel on PuTTY

Black Hat Europe 2009

Dynamic Detection of Inter- Application Communication Vulnerabilities in Android. Daniel Barton

Cross-Site Request Forgery in Cisco SG220 series

RSA INCIDENT RESPONSE SERVICES

Browser code isolation

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

Get ready for mycourses

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Top 10 Application Security Vulnerabilities in Web.config Files Part One

Browser Support Internet Explorer

Choosing The Best Firewall Gerhard Cronje April 10, 2001

Web basics: HTTP cookies

Protection of Web User s Privacy by Securing Browser from Web Privacy Attacks

Client-side Debugging. Gary Bettencourt

Transcription:

Combatting Browser Fingerprinting with ChromeDust Ram Bhaskar <rambhask@mit.edu> Rishikesh Tirumala <rrt@mit.edu> Timmy Galvin <tgalvin@mit.edu> 6.858 Final Project (Lab 7) December 12, 2013

Introduction Online advertising is a multi-billion dollar industry. There exists a constant pressure to improve the techniques used to further influence consumer habits. At the core of online advertising efforts lies directed advertisements ads shown for a specific user to align with their interests. This individualized approach is mainly accomplished by tracking a user s online browsing habits to build a model of his/her interests and behaviors. The main way to track a user s browsing activity since 1994 has been cookies. However, cookies have recently faced both legal and technical limitations, so advertisers have adopted a new method to track user activity: browser fingerprinting. Fingerprinting is the process of identifying a user using various metadata accessible through their browsers (e.g., user agent string, screen resolution). This method has gained prominence in the last four years and stands as a threat to users privacy. Problem Statement While users have methods with which to protect themselves from tracking cookie-based tracking, attempts to interfere with browser fingerprinting are next to non-existent. The reason for this void of options is multi-fold: the technology, more specifically the approach, only became well-known in 2009, solutions must be constantly updated, and the attack surface is not well-defined. While these are daunting challenges, we believe the solution is an open-source browser extension that interferes with common fingerprinting techniques without sacrificing usability too much. So while our research made it clear that we could not stop fingerprinting, we hope our project will help raise awareness of browser fingerprinting and focus efforts on generating solutions.

A Closer Look at Fingerprinting Although it may not seem like it, fighting fingerprinting is a complicated task. There are so many parameters that can act as personal identifiable information (PII) and it is near impossible to protect against all of these. Different levels of fingerprint tracking are implemented in today s web ecosystem. The first is that of a source that collects information from HTTP Headers and JavaScript objects, and stores these values. Then, once a repeat fingerprint is observed, adversaries can match the data and begin to collect information and track users actions. The second kind is much more sophisticated. These are mostly commercial fingerprinting services such as BlueCava, Iovation, and ThreatMatrix. These services go above and beyond the rudimentary tracking mechanisms and extract additional information from the user s browser. Figure 1 shows a comparison between Panopticlick and these other three companies in terms of what features they are tracking in their applications. Figure 1: List of features used by Panopticlick and other fingerprinting services. 1 As one may notice, these companies track much more sophisticated information than their basic counterparts. One common exploit is through Flash. There are specific vulnerabilities 1 N. Nikiforakis, A. Kapravelos, W. Joosen, C. Kruegel, F. Piessens, and G. Vigna. Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting. In IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 2013.

that allow for font detection, proxy detection, and even Windows Registry and IP information which could prove to be enough to identify an user uniquely. Many other tricks involve the navigator and the screen object of the window. These objects, the navigator in particular, are very powerful as they contain incredible amount of information. For example, the navigator has properties such as useragent, plugins, appname, platform, language, etc. However, there are also properties of the navigator object that are unique to certain browsers. For example, Firefox has properties such as mozalarms, mozdonottrack, mozsettings, etc that are usually only prevalent in Firefox. Similarly, Internet Explorer has properties such as mspointerenabled, msmaxtouchpoints, etc. that only exist in IE. Adversaries can use the information present to detect which browser users are using. Also, different versions of the same browser have different properties as well, which also complicates protection against this detection scheme. Other tricky ways of fingerprinting utilized by these services include math constant detection, using css size to determine fonts, assessing the mutability of navigator object, preserving enumeration of JavaScript objects, and detecting mismatch in useragent information gather from http headers and JavaScript objects. Code Design and Implementation Our code follows the basic structure of a Chrome Extension. On a high level, the manifest.json file holds information about the extension as a whole, including what permissions are required from the user. We ask for access to local storage, tabs, and the http headers that the user s browser sends to various websites. The manifest also identifies the various javascript files where most of the extension s functionality lies.

The user interfaces with the extension through options.html and options.js, the options page which is opened through the extension s menu. The options page allows a user to see which pieces of PII are available to manipulate. Previously, we had allowed users to choose what to spoof their data as, but we removed that functionality. Our scheme works best when each user is seen as unique over the same sites and sessions, since the randomness prevents a site from being able to track a user over his/her trawl across the world wide web. The options page handles the storing and displaying of this data to the user, along with passing messages to background.js, which holds the state machines relating to user preferences. Inside background.js, each potential PII data-point is given a boolean variable, mapping to whether or not the user wants to spoof that data-point. Background.js handles listening for messages from other areas of the extension (specifically options.js), along with user-triggered actions that we are interested in. When the user switches tabs, we are able to spoof his/her http headers, specifically the user-agent string. This file also handles sending variable states to content.js, which handles client-side JavaScript. One of the roadblocks we ran into while developing ChromeDust was the realization that Chrome extensions execute in a different executable environment from the web page client-side JavaScript code. By changing code in the extension s JavaScript executable environment, we were not able to spoof what the server-side code could see. Instead, we inject JavaScript code into the DOM to spoof PII attributes on to the page that the user is viewing, and this functionality is handled in content.js. The file also holds an array of plausible user-agent strings and version numbers so that there are a large number of permutations of valid configurations.

Conclusion We believe that our project is the beginning of an open-source solution to browser fingerprinting in the form of a browser extension. We focused mainly on interfering with common fingerprinting techniques while maintaining usability as best we could. We hope that others will build upon the work that we have done so far and will continue to raise awareness of browser fingerprinting while providing users with an easy-to-use solution.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback