New fingerprinting techniques identify users across different browsers on the same pc

A team of researchers from universities across the US has identified different fingerprinting techniques that can track users when they use different browsers installed on the same machine.

Named “cross-browser fingerprinting” (CBF), this practice relies on new technologies added to web browsers in recent years, some of which had been previously considered unreliable for cross-browser tracking and only used for single browser fingerprinting.

Researchers measured the response to these operations and used this information to identify the different hardware rigs, specific to distinct users, regardless of the browser accessing a test website.

For example, making a browser apply an image to the side of a 3D cube in WebGL provides a similar response in hardware parameters for all browsers. Database triggers This is because the GPU card is the one carrying out this operation and not the browser software. Data recovery recuva Cross-browser fingerprintable features

According to the three-man research team led by Assistant Professor Yinzhi Cao from the Computer Science and Engineering Department at Lehigh University, the following browser features could be (ab)used for cross-browser fingerprinting operations.

Screen Resolution – Also used for single-browser fingerprinting (SBF) but thought to be unusable for CBF. Data recovery texas Researchers discovered that by taking browser zoom levels into account, this measurement could be used reliably.

Number of CPU Virtual Cores – The browser parameter named hardwareConcurrency that provides the browser’s maximum threshold in Web Worker operations. Database resume This is the same for most browsers, and for those that alter this value, it can be easily calculated (e.g, multiplied by two for Safari).

AudioContext – AudioContext provides a bundle of audio signal processing functionalities from signal generation to signal filtering with the help of the audio stack in the OS and the audio card. Data recovery external hard drive mac Measuring the output of AudioContext operations can identify the same user across different browsers, based on how the audio signal is processed.

List of Fonts – SBF technique that researchers adapted to work in CBF tracking. Database management systems Researchers query a list of locally installed fonts or determine if certain fonts are installed based on how predetermined font characters (glyphs) are rendered inside the browser.

Line, Curve, and Anti-aliasing – Researchers can measure how browsers render lines, curves and anti-aliasing operations in HTML5 Canvas and WebGL. 7 data recovery review These operations are handled by the GPU.

Vertex Shader – Rendered by the GPU and the graphics driver, vertex shaders are used for drawing shadows and light on 3D objects and are used by WebGL.

Transparency via Alpha Channel – Browsers use the GPU and the graphics driver to render transparency. Mode s database The output of these operations is similar across all local browsers because of the “compositing algebra” used by each individual GPU and graphics driver.

Installed Writing Scripts (Languages) – Writing scripts (systems), or commonly known as written languages, such as Chinese, Korean, and Arabic, require the installation of special libraries to display due to the size of the libraries and locality of the languages. Windows 8 data recovery Browsers do not provide APIs to access the list of installed languages, however such information can be obtained via a side channel. Java 8 database Specifically, a browser with a particular language installed will display the language correctly and otherwise show several boxes. Database tools That is, the existence of boxes can be used to fingerprint the presence of that language.

Camera – Not the computer’s camera, but another technique specific to 3D modeling. Drupal 7 database api This technique is used to make 2D representations of 3D objects.

Clipping Planes – Researchers measured how 3D objects moved in limited plans. Raid 6 data recovery This WebGL operation, like the ones above, was handled by the PC’s GPU, and not by the browser itself. Database architecture CBF techniques correctly identify 99% of all users/computers

Researchers used all these techniques together to test how many users they would be able to pin to the same computer. Iphone 4 data recovery software For tests, researchers used browsers such as Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser, and Coconut.

Results showed that CBF techniques were able to correctly identify 99.24% of all test users. Database java Previous research methods achieved only a 90.84% result.

“Our fingerprintable features are highly reliable,” researchers said, “the removal of one single feature has little impact on the fingerprinting results.” Tor Browser effective against most CGF techniques

“Tor Browser normalizes many browser outputs to mitigate existing browser fingerprinting,” researchers said, albeit the browser is not perfect, still allowing some fingerprinting via screen width and AudioContext parameters. Data recovery android “We believe that it is easy for Tor Browser to normalize these remaining outputs,” researchers added.

For other browsers, researchers recommend that they implement virtualization layers in order to process the hardware-level operations on a generic virtual platform (machine), the same for a large number of users.

The research paper titled (Cross-)Browser Fingerprinting via OS and Hardware Level Features will be presented at the Network & Distributed System Security Symposium in February 2017.