Browser Fingerprints – How Unique Is Your Browser – Panopticlick

Use Netsparker


Now this is another interesting attack vector using little bits of data not many people consider. I have heard about this kind of technique before and considered how it’d be done myself.

Finally someone has put together a public version of a tool that can tell you how unique your browser footprint is. As for me I’m using a fairly standard Firefox install with a couple of plugins – but still Panopticlick tells me “Your browser fingerprint appears to be unique among the 764,828 tested so far”.

The people behind it are the EFF or Electronic Frontier Foundation.

Forget cookies — even the ultrasneaky, Flash-based “super cookies.” A new type of tracking may identify you far more accurately than any cookie — and you may never know it was there. The method pulls together innocuous data about your browser, such as plug-ins, system fonts, and your operating system. Alone, they don’t identify you. Together, they’re a digital fingerprint.

It’s like describing a person. Just saying “brown hair” won’t identify anyone. But add in “5 feet, 10 inches tall,” “chipped right front tooth,” “size 12 shoes,” and so on, and soon you have enough information to pull someone out of a crowd, even without their name, Social Security number, or any other of the usual identifiers.

Test your browser for unique identifiers without the risk: The Electronic Frontier Foundation, a privacy advocacy group, has set up an interesting online experiment at Panopticlick.eff.org. Panopticlick gathers little de­­tails about your browser and computer, mostly using Javascript. In my case, the information it gathered about my browser was enough to uniquely identify my surfing software out of more than 650,000 visitors.

I’d say the technique would work fairly well for tracking people on a large traffic site such as Google, but then again the amount of data that needs to be stored is quite staggering.

Either way it gives some insight into the kind of technology ad agencies or online ad networks could have been gathering about viewers so correlate statistics.

There’s currently no evidence that anyone has actually been using this kind of fingerprinting, but this demo shows it is technologically feasible.

Peter Eckersley, a staff technologist with the EFF, says he and his colleagues decided to create the site when he heard rumors about this kind of tracking. He wanted to see how accurate it might be. Well, it’s pretty accurate. And as it turns out, its use is more than a rumor.

Browser fingerprinting was developed for banks to employ to prevent fraud. But now one company, Scout Analytics, offers it as a service to Web sites, and it collects not just browser data but also data about how you type — things like your typing speed and typing patterns.

This biometric signature, like the identifiers collected from the browser and the computer, can be gathered using JavaScript alone, making this form of tracking hard to block. Matt Shanahan, senior vice president of strategy at Scout Analytics, says that the company sells its service primarily to paid subscription sites, such as those offering real estate listings, and that it is keen to expand into marketing and advertising by helping sites track visitors in a way that, as he notes, is more accurate than using cookies. (Cookies can be deleted, which makes a repeat visit look like a new person to the site.)

As with many things online, your privacy can be protected by running something like NoScript on Firefox.

EFF has provided a full list of how to protect against fingerprinting here – Self Defense.

You can check out the PoC here:

https://panopticlick.eff.org/

Source: Network World

Posted in: Privacy, Web Hacking

, ,


Latest Posts:


testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.


2 Responses to Browser Fingerprints – How Unique Is Your Browser – Panopticlick

  1. Gabriel March 29, 2010 at 9:03 pm #

    Well, I’m impressed. It seems the only way I could really reduce my browser fingerprint was to pose as an iphone browser, or to use Tor. The EFF love to surprise me with incredible things every now and then.

  2. dblackshell March 30, 2010 at 5:45 pm #

    If just want to track the browser one could hash all that data and use that as the browser fingerprint. Of course if aggregation is desired, that is a large amount of data.