skip to main content
research-article

A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication

Published:28 September 2021Publication History
Skip Abstract Section

Abstract

Modern browsers give access to several attributes that can be collected to form a browser fingerprint. Although browser fingerprints have primarily been studied as a web tracking tool, they can contribute to improve the current state of web security by augmenting web authentication mechanisms. In this article, we investigate the adequacy of browser fingerprints for web authentication. We make the link between the digital fingerprints that distinguish browsers, and the biological fingerprints that distinguish Humans, to evaluate browser fingerprints according to properties inspired by biometric authentication factors. These properties include their distinctiveness, their stability through time, their collection time, their size, and the accuracy of a simple verification mechanism. We assess these properties on a large-scale dataset of 4,145,408 fingerprints composed of 216 attributes and collected from 1,989,365 browsers. We show that, by time-partitioning our dataset, more than 81.3% of our fingerprints are shared by a single browser. Although browser fingerprints are known to evolve, an average of 91% of the attributes of our fingerprints stay identical between two observations, even when separated by nearly six months. About their performance, we show that our fingerprints weigh a dozen of kilobytes and take a few seconds to collect. Finally, by processing a simple verification mechanism, we show that it achieves an equal error rate of 0.61%. We enrich our results with the analysis of the correlation between the attributes and their contribution to the evaluated properties. We conclude that our browser fingerprints carry the promise to strengthen web authentication mechanisms.

References

  1. 2002. Consolidated text: Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Retrieved from https://data.europa.eu/eli/dir/2002/58/2009-12-19.Google ScholarGoogle Scholar
  2. 2009. Consolidated text: Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (Text with EEA relevance). Retrieved from https://data.europa.eu/eli/dir/2009/136/2009-12-19.Google ScholarGoogle Scholar
  3. 2017. Browser Market Share France | StatCounter Global Stats. Retrieved from https://gs.statcounter.com/browser-market-share/all/france/2017.Google ScholarGoogle Scholar
  4. 2017. Operating System Market Share France | StatCounter Global Stats. Retrieved from https://gs.statcounter.com/os-market-share/all/france/2017.Google ScholarGoogle Scholar
  5. 2021. “createDataChannel” | Can I use... Support tables for HTML5, CSS3, etc. Retrieved from https://caniuse.com/?search=createDataChannel.Google ScholarGoogle Scholar
  6. 2021. “SpeechSynthesis” | Can I use... Support tables for HTML5, CSS3, etc. Retrieved from https://caniuse.com/?search=SpeechSynthesis.Google ScholarGoogle Scholar
  7. 2021. “Web Audio API” | Can I use... Support tables for HTML5, CSS3, etc. Retrieved from https://caniuse.com/?search=Web Audio API.Google ScholarGoogle Scholar
  8. 2021. WebGL. Retrieved from https://get.webgl.org.Google ScholarGoogle Scholar
  9. Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. 2014. The web never forgets: Persistent tracking mechanisms in the wild. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 674–689. DOI:https://doi.org/10.1145/2660267.2660347 Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Nasser Mohammed Al-Fannah and Wanpeng Li. 2017. Not all browsers are created equal: Comparing web browser fingerprintability. In International Workshop on Security (IWSEC), Satoshi Obana and Koji Chida (Eds.). Springer, 105–120. DOI:https://doi.org/10.1007/978-3-319-64200-0_7Google ScholarGoogle ScholarCross RefCross Ref
  11. Nasser Mohammed Al-Fannah, Wanpeng Li, and Chris J. Mitchell. 2018. Beyond cookie monster amnesia: Real world persistent online tracking. In Information Security, Liqun Chen, Mark Manulis, and Steve Schneider (Eds.). 481–501. DOI:https://doi.org/10.1007/978-3-319-99136-8_26Google ScholarGoogle Scholar
  12. Nasser Mohammed Al-Fannah and Chris Mitchell. 2020. Too little too late: Can we control browser fingerprinting?Journal of Intellectual Capital 21, 2 (2020), 165–180. DOI:https://doi.org/10.1108/JIC-04-2019-0067Google ScholarGoogle Scholar
  13. Furkan Alaca and P. C. van Oorschot. 2016. Device fingerprinting for augmenting web authentication: Classification and analysis of methods. In Annual Conference on Computer Security Applications (ACSAC). 289–301. DOI:https://doi.org/10.1145/2991079.2991091 Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Alexa Internet. 2021. Top Sites in France - Alexa. Retrieved from https://www.alexa.com/topsites/countries/FR.Google ScholarGoogle Scholar
  15. Nampoina Andriamilanto, Tristan Allard, and Gaëtan Le Guelvouit. 2020. FPSelect: Low-cost browser fingerprints for mitigating dictionary attacks against web authentication mechanisms. In Annual Computer Security Applications Conference (ACSAC). DOI:https://doi.org/10.1145/3427228.3427297 Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Nampoina Andriamilanto, Tristan Allard, and Gaëtan Le Guelvouit. 2021. “Guess who?” Large-scale data-centric study of the adequacy of browser fingerprints for web authentication. In International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), Leonard Barolli, Aneta Poniszewska-Maranda, and Hyunhee Park (Eds.). 161–172. DOI:https://doi.org/10.1007/978-3-030-50399-4_16Google ScholarGoogle ScholarCross RefCross Ref
  17. Tompoariniaina Nampoina Andriamilanto. 2020. Leveraging Browser Fingerprinting for Web Authentication. Retrieved from https://tel.archives-ouvertes.fr/tel-03150590.Google ScholarGoogle Scholar
  18. Antidetect. 2021. Antidetect. Retrieved from https://antidetect.org.Google ScholarGoogle Scholar
  19. The HTTP Archive. 2020. Median Loading Time of Web Pages. Retrieved from https://httparchive.org/reports/loading-speed#ol.Google ScholarGoogle Scholar
  20. Mohammadreza Ashouri. 2019. A large-scale analysis of browser fingerprinting via chrome instrumentation. 25–36. Retrieved from https://www.thinkmind.org/index.php?view=article&articleid=icimp_2019_2_20_30045.Google ScholarGoogle Scholar
  21. Gildas Avoine, Muhammed Ali Bingöl, Ioana Boureanu, Srdjan Čapkun, Gerhard Hancke, Süleyman Kardaş, Chong Hee Kim, Cédric Lauradoux, Benjamin Martin, Jorge Munilla, Alberto Peinado, Kasper B. Rasmussen, Dave Singelée, Aslan Tchamkerten, Rolando Trujillo-Rasua, and Serge Vaudenay. 2019. Security of distance-bounding: a survey. 51, 5 (2019), 1–33. DOI:https://doi.org/10.1145/3264628 Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Peter Baumann, Stefan Katzenbeisser, Martin Stopczynski, and Erik Tews. 2016. Disguised chromium browser: Robust browser, flash and canvas fingerprinting protection. In ACM Workshop on Privacy in the Electronic Society (WPES). 37–46. DOI:https://doi.org/10.1145/2994620.2994621 Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Sarah Bird, Vikas Mishra, Steven Englehardt, Rob Willoughby, David Zeber, Walter Rudametkin, and Martin Lopatka. 2020. Actions speak louder than words: Semi-supervised learning for browser fingerprinting detection. Retrieved from https://arxiv.org/abs/2003.04463.Google ScholarGoogle Scholar
  24. C. Blakemore, J. Redol, and M. Correia. 2016. Fingerprinting for web applications: From devices to related groups. In IEEE Trustcom/BigDataSE/ISPA. 144–151. DOI:https://doi.org/10.1109/TrustCom.2016.0057Google ScholarGoogle Scholar
  25. Joseph Bonneau. 2012. The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In IEEE Symposium on Security and Privacy (S&P). 538–552. DOI:https://doi.org/10.1109/SP.2012.49 Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. 2015. Passwords and the evolution of imperfect authentication. Communications of the ACM 58, 7 (2015), 78–87. DOI:https://doi.org/10.1145/2699390 Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Ralph Broenink. 2012. Using browser properties for fingerprinting purposes. In Twente Student Conference on IT.Google ScholarGoogle Scholar
  28. Elie Bursztein, Artem Malyshev, Tadek Pietraszek, and Kurt Thomas. 2016. Picasso: Lightweight device class fingerprinting for web clients. In Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM). 93–102. DOI:https://doi.org/10.1145/2994459.2994467 Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Yinzhi Cao, Song Li, and Erik Wijmans. 2017. (Cross-)browser fingerprinting via OS and hardware level features. In Network and Distributed System Security Symposium (NDSS). DOI:https://doi.org/10.14722/ndss.2017.23152Google ScholarGoogle ScholarCross RefCross Ref
  30. Anupam Das, Gunes Acar, Nikita Borisov, and Amogh Pradeep. 2018. The web’s sixth sense: A study of scripts accessing smartphone sensors. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 1515–1532. DOI:https://doi.org/10.1145/3243734.3243860 Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, and Xiaofeng Wang. 2014. The tangled web of password reuse. In Network and Distributed System Security Symposium (NDSS). 23–26. DOI:https://doi.org/10.14722/ndss.2014.23357Google ScholarGoogle ScholarCross RefCross Ref
  32. Data Is Beautiful. 2019. Usage Share of Internet Browsers 1996–2019. Retrieved from https://www.youtube.com/watch?v=es9DNe0l0Qo.Google ScholarGoogle Scholar
  33. Peter Eckersley. 2010. How unique is your web browser? In International Conference on Privacy Enhancing Technologies (PETS). 1–18. DOI:https://doi.org/10.1007/978-3-642-14527-8_1 Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Steven Englehardt and Arvind Narayanan. 2016. Online tracking: A 1-million-site measurement and analysis. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 1388–1401. DOI:https://doi.org/10.1145/2976749.2978313 Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. David Fifield and Serge Egelman. 2015. Fingerprinting web users through font metrics. In Financial Cryptography and Data Security (FC), Rainer Böhme and Tatsuaki Okamoto (Eds.). 107–124. DOI:https://doi.org/10.1007/978-3-662-47854-7_7Google ScholarGoogle Scholar
  36. fingerprintjs. 2021. fingerprintjs/fingerprintjs: Browser fingerprinting library with the highest accuracy and stability. Retrieved from https://github.com/fingerprintjs/fingerprintjs.Google ScholarGoogle Scholar
  37. Micro Focus. 2019. Device Fingerprinting for Low Friction Authentication. Retrieved from https://www.microfocus.com/media/white-paper/device-fingerprinting-for-low-friction-authentication-wp.pdf.Google ScholarGoogle Scholar
  38. Aurélien Francillon, Boris Danev, and Srdjan Capkun. 2011. Relay attacks on passive keyless entry and start systems in modern cars. In Network and Distributed System Security Symposium (NDSS). Retrieved from https://www.ndss-symposium.org/wp-content/uploads/2017/09/franc.pdf.Google ScholarGoogle Scholar
  39. Marco Gamassi, Massimo Lazzaroni, Mauro Misino, Vincenzo Piuri, Daniele Sana, and Fabio Scotti. 2005. Quality assessment of biometric systems: A comprehensive perspective based on accuracy and performance measurement. IEEE Trans. Instrum. Meas. 54, 4 (2005), 1489–1496. DOI:https://doi.org/10.1109/TIM.2005.851087Google ScholarGoogle ScholarCross RefCross Ref
  40. Ewa Gasperowicz. 2018. OffscreenCanvas—Speed up Your Canvas Operations with a Web Worker. Retrieved from https://developers.google.com/web/updates/2018/08/offscreen-canvas.Google ScholarGoogle Scholar
  41. Tom Goethem, Wout Scheepers, Davy Preuveneers, and Wouter Joosen. 2016. Accelerometer-based device fingerprinting for multi-factor mobile authentication. In International Symposium on Engineering Secure Software and Systems (ESSoS). 106–121. DOI:https://doi.org/10.1007/978-3-319-30806-7_7 Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. Maximilian Golla, Theodor Schnitzler, and Markus Dürmuth. 2018. “Will any password do?” Exploring rate-limiting on the web. In USENIX Symposium on Usable Privacy and Security (SOUPS).Google ScholarGoogle Scholar
  43. Google. 2017. Background Tabs in Chrome 57 | Web | Google Developers. Retrieved from https://developers.google.com/web/updates/2017/03/background_tabs#background_timer_alignment.Google ScholarGoogle Scholar
  44. Alejandro Gómez-Boix, Pierre Laperdrix, and Benoit Baudry. 2018. Hiding in the crowd: An analysis of the effectiveness of browser fingerprinting at large scale. In The Web Conference (TheWebConf). DOI:https://doi.org/10.1145/3178876.3186097 Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Marti A. Hearst, Susan T. Dumais, Edgar Osuna, John Platt, and Bernhard Scholkopf. 1998. Support vector machines. IEEE Intelligent Systems and their Applications 13, 4 (1998), 18–28. DOI:https://doi.org/10.1109/5254.708428 Google ScholarGoogle ScholarDigital LibraryDigital Library
  46. Peter Hraška. 2018. Browser Fingerprinting. Retrieved from https://virpo.sk/browser-fingerprinting-hraska-diploma-thesis.pdfGoogle ScholarGoogle Scholar
  47. Troy Hunt. 2018. Troy Hunt: 86% of Passwords are Terrible (and Other Statistics). Retrieved from https://www.troyhunt.com/86-of-passwords-are-terrible-and-other-statistics.Google ScholarGoogle Scholar
  48. Amnesty International. 2018. When Best Practice Isn’t Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users. Retrieved from https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough.Google ScholarGoogle Scholar
  49. U. Iqbal, S. Englehardt, and Z. Shafiq. 2021. Fingerprinting the fingerprinters: Learning to detect browser fingerprinting behaviors. In IEEE Symposium on Security and Privacy (S&P). IEEE Computer Society, 283–301. DOI:https://doi.org/10.1109/SP40001.2021.00017Google ScholarGoogle Scholar
  50. jonarne. 2008. Useful “X headers” - mobiForge. Retrieved from https://mobiforge.com/design-development/useful-x-headers.Google ScholarGoogle Scholar
  51. Daniel Jurafsky and James H. Martin. 2009. Speech and Language Processing (2nd ed.). Pearson. Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. Nian-hua Kang, Ming-zhi Chen, Ying-yan Feng, Wei-ning Lin, Chuan-bao Liu, and Guang-yao Li. 2017. Zero-permission mobile device identification based on the similarity of browser fingerprints. In International Conference on Computer Science and Technology (CST). DOI:https://doi.org/10.12783/dtcse/cst2017/12531Google ScholarGoogle Scholar
  53. Soroush Karami, Panagiotis Ilia, Konstantinos Solomos, and Jason Polakis. 2020. Carnus: Exploring the privacy threats of browser extension fingerprinting. In Network and Distributed System Security Symposium (NDSS). DOI:https://doi.org/10.14722/ndss.2020.24383Google ScholarGoogle ScholarCross RefCross Ref
  54. Amin Faiz Khademi, Mohammad Zulkernine, and Komminist Weldemariam. 2015. An empirical evaluation of web-based fingerprinting. IEEE Softw. 32, 4 (2015), 46–52. DOI:https://doi.org/10.1109/MS.2015.77Google ScholarGoogle ScholarDigital LibraryDigital Library
  55. Andreas Kurtz, Hugo Gascon, Tobias Becker, Konrad Rieck, and Felix Freiling. 2016. Fingerprinting mobile devices using personalized configurations. Proc. Priv. Enhancing Technol. 2016, 1 (2016). DOI:https://doi.org/10.1515/popets-2015-0027Google ScholarGoogle ScholarCross RefCross Ref
  56. Pierre Laperdrix, Gildas Avoine, Benoit Baudry, and Nick Nikiforakis. 2019. Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting. In Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). 43–66. DOI:https://doi.org/10.1007/978-3-030-22038-9_3Google ScholarGoogle ScholarCross RefCross Ref
  57. Pierre Laperdrix, Benoit Baudry, and Vikas Mishra. 2017. FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques. In International Symposium on Engineering Secure Software and Systems (ESSoS), Eric Bodden, Mathias Payer, and Elias Athanasopoulos (Eds.). 97–114. DOI:https://doi.org/10.1007/978-3-319-62105-0_7Google ScholarGoogle ScholarCross RefCross Ref
  58. Pierre Laperdrix, Nataliia Bielova, Benoit Baudry, and Gildas Avoine. 2020. Browser fingerprinting: A survey. ACM Trans. Web 14, 2 (2020), 8:1–8:33. DOI:https://doi.org/10.1145/3386040 Google ScholarGoogle ScholarDigital LibraryDigital Library
  59. Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2015. Mitigating browser fingerprint tracking: Multi-level reconfiguration and diversification. In IEEE/ACM International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS). 98–108. DOI:https://doi.org/10.1109/SEAMS.2015.18Google ScholarGoogle ScholarDigital LibraryDigital Library
  60. Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2016. Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints. In IEEE Symposium on Security and Privacy (S&P). 878–894. DOI:https://doi.org/10.1109/SP.2016.57Google ScholarGoogle ScholarCross RefCross Ref
  61. H. Le, F. Fallace, and P. Barlet-Ros. 2017. Towards accurate detection of obfuscated web tracking. In IEEE International Workshop on Measurement and Networking (M&N). 1–6. DOI:https://doi.org/10.1109/IWMN.2017.8078365Google ScholarGoogle Scholar
  62. Song Li and Yinzhi Cao. 2020. Who touched my browser fingerprint? A large-scale measurement study and classification of fingerprint dynamics. In ACM Internet Measurement Conference (IMC’20). Association for Computing Machinery, 370–385. DOI:https://doi.org/10.1145/3419394.3423614 Google ScholarGoogle ScholarDigital LibraryDigital Library
  63. Multilogin Software Ltd.2021. Multilogin - Replace Multiple Computers with Virtual Browser Profiles - Multilogin. Retrieved from https://multilogin.com.Google ScholarGoogle Scholar
  64. PortSwigger Ltd.2021. Burp Suite - Application Security Testing Software - PortSwigger. Retrieved from https://portswigger.net/burp.Google ScholarGoogle Scholar
  65. Bo Lu, Xiaokuan Zhang, Ziman Ling, Yinqian Zhang, and Zhiqiang Lin. 2018. A measurement study of authentication rate-limiting mechanisms of modern websites. In Annual Computer Security Applications Conference (ACSAC). 89–100. DOI:https://doi.org/10.1145/3274694.3274714 Google ScholarGoogle ScholarDigital LibraryDigital Library
  66. Davide Maltoni, Dario Maio, Anil K. Jain, and Salil Prabhakar. 2009. Handbook of Fingerprint Recognition (2nd ed.). Springer. DOI:https://doi.org/10.1007/978-1-84882-254-2 Google ScholarGoogle ScholarDigital LibraryDigital Library
  67. Francesco Marcantoni, Michalis Diamantaris, Sotiris Ioannidis, and Jason Polakis. 2019. A large-scale study on the risks of the HTML5 WebAPI for mobile sensor-based attacks. In the Web Conference. 3063–3071. . DOI:https://doi.org/10.1145/3308558.3313539 Google ScholarGoogle ScholarDigital LibraryDigital Library
  68. Philipp Markert, Maximilian Golla, Elizabeth Stobert, and Markus Dürmuth. 2020. Work in progress: A comparative long-term study of fallback authentication. In Network and Distributed System Security Symposium (NDSS). Retrieved from https://www.ndss-symposium.org/ndss-paper/auto-draft-30/.Google ScholarGoogle Scholar
  69. Paul Marks. 2020. Dark Web’s Doppelgängers Aim to Dupe Antifraud Systems. Communications of the ACM 63, 2 (2020), 16–18. . DOI:https://doi.org/10.1145/3374878. Google ScholarGoogle ScholarDigital LibraryDigital Library
  70. João Pedro Figueiredo Correia Rijo Mendes. 2011. noPhish—Anti-phishing System using Browser Fingerprinting. Retrieved from https://estagios.dei.uc.pt/cursos/mei/relatorios-de-estagio/?id=279.Google ScholarGoogle Scholar
  71. Keaton Mowery and Hovav Shacham. 2012. Pixel perfect: Fingerprinting canvas in HTML5. (2012), 1–12. Retrieved from https://www.ieee-security.org/TC/W2SP/2012/papers/w2sp12-final4.pdf.Google ScholarGoogle Scholar
  72. Mozilla. 2021. Service Worker API - Web APIs | MDN. In W2SP. Retrieved from https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API.Google ScholarGoogle Scholar
  73. Mozilla. 2021. WindowOrWorkerGlobalScope.setTimeout() - Web APIs | MDN. Retrieved from https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout.Google ScholarGoogle Scholar
  74. Mozilla and individual contributors. 2021. NavigatorPlugins.plugins - Web APIs | MDN. Retrieved from https://developer.mozilla.org/en-US/docs/Web/API/NavigatorPlugins/plugins.Google ScholarGoogle Scholar
  75. Panagiotis Papadopoulos, Panagiotis Ilia, Michalis Polychronakis, Evangelos P. Markatos, Sotiris Ioannidis, and Giorgos Vasiliadis. 2019. Master of web puppets: Abusing web browsers for persistent and stealthy computation. In Network and Distributed System Security Symposium (NDSS). DOI:https://doi.org/10.14722/ndss.2019.23070Google ScholarGoogle ScholarCross RefCross Ref
  76. Davy Preuveneers and Wouter Joosen. 2015. SmartAuth: Dynamic context fingerprinting for continuous user authentication. In Annual ACM Symposium on Applied Computing (SAC). 2185–2191. DOI:https://doi.org/10.1145/2695664.2695908 Google ScholarGoogle ScholarDigital LibraryDigital Library
  77. Gaston Pugliese, Christian Riess, Freya Gassmann, and Zinaida Benenson. 2020. Long-term observation on browser fingerprinting: Users’ trackability and perspective. Proc. Priv. Enhancing Technol. 2020, 2 (2020), 558–577. DOI:https://doi.org/10.2478/popets-2020-0041Google ScholarGoogle ScholarCross RefCross Ref
  78. Jordan S. Queiroz and Eduardo L. Feitosa. 2019. A web browser fingerprinting method based on the web audio API. DOI:https://doi.org/10.1093/comjnl/bxy146Google ScholarGoogle Scholar
  79. Valentino Rizzo, Stefano Traverso, and Marco Mellia. 2021. Unveiling web fingerprinting in the wild via code mining and machine learning. Proc. Priv. Enhancing Technol. 2021, 1 (2021), 43–63. DOI:https://doi.org/10.2478/popets-2021-0004Google ScholarGoogle ScholarCross RefCross Ref
  80. Florentin Rochet, Kyriakos Efthymiadis, François Koeune, and Olivier Pereira. 2019. SWAT: Seamless web authentication technology. In the Web Conference. 1579–1589. . DOI:https://doi.org/10.1145/3308558.3313637 Google ScholarGoogle ScholarDigital LibraryDigital Library
  81. Julian F. Reschke and Roy T. Fielding. 2014. RFC 7231 - Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. Retrieved from https://tools.ietf.org/html/rfc7231#section-5.5.3.Google ScholarGoogle Scholar
  82. Bardia Safaei, Amir Mahdi Monazzah, Milad Bafroei, and Alireza Ejlali. 2017. Reliability side-effects in internet of things application layer protocols. DOI:https://doi.org/10.1109/ICSRS.2017.8272822Google ScholarGoogle Scholar
  83. Samsung. 2015. SAMSUNG UMTS Handset UA Prof. http://wap.samsungmobile.com/uaprof/SM-B550H.xml.Google ScholarGoogle Scholar
  84. Michael Schwarz, Florian Lackner, and Daniel Gruss. 2019. JavaScript template attacks: Automatically inferring host information for targeted exploits. In Network and Distributed System Security Symposium (NDSS). DOI:https://doi.org/10.14722/ndss.2019.23155Google ScholarGoogle ScholarCross RefCross Ref
  85. SecureAuth. 2020. Device / Browser Fingerprinting - Heuristic-based Authentication. Retrieved from https://docs.secureauth.com/pages/viewpage.action?pageId=33063454.Google ScholarGoogle Scholar
  86. Alexander Sjösten, Steven Van Acker, and Andrei Sabelfeld. 2017. Discovering browser extensions via web accessible resources. In ACM Conference on Data and Application Security and Privacy (CODASPY). 329–336. DOI:https://doi.org/10.1145/3029806.3029820 Google ScholarGoogle ScholarDigital LibraryDigital Library
  87. Jan Spooren, Davy Preuveneers, and Wouter Joosen. 2015. Mobile device fingerprinting considered harmful for risk-based authentication. In European Workshop on System Security (EuroSec). 6:1–6:6. . DOI:https://doi.org/10.1145/2751323.2751329 Google ScholarGoogle ScholarDigital LibraryDigital Library
  88. Jan Spooren, Davy Preuveneers, and Wouter Joosen. 2017. Leveraging battery usage from mobile devices for active authentication. DOI:https://doi.org/10.1155/2017/1367064Google ScholarGoogle Scholar
  89. Oleksii Starov and Nick Nikiforakis. 2017. XHOUND: Quantifying the fingerprintability of browser extensions. In IEEE Symposium on Security & Privacy (S&P). 941–956. DOI:https://doi.org/10.1109/SP.2017.18.Google ScholarGoogle ScholarCross RefCross Ref
  90. StatCounter. 2017. Browser Market Share Worldwide | StatCounter Global Stats. Retrieved from https://gs.statcounter.com/browser-market-share/all/worldwide/2017.Google ScholarGoogle Scholar
  91. StatCounter. 2017. Operating System Market Share Worldwide | StatCounter Global Stats. Retrieved from https://gs.statcounter.com/os-market-share/all/worldwide/2017.Google ScholarGoogle Scholar
  92. K. Takasu, T. Saito, T. Yamada, and T. Ishikawa. 2015. A survey of hardware features in modern browsers: 2015 edition. In International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS). 520–524. DOI:https://doi.org/10.1109/IMIS.2015.72.Google ScholarGoogle Scholar
  93. Kazuhisa Tanabe, Ryohei Hosoya, and Takamichi Saito. 2018. Combining features in browser fingerprinting. In International Conference on Advances on Broadband and Wireless Computing, Communication and Applications (BWCCA), Leonard Barolli, Fang-Yie Leu, Tomoya Enokido, and Hsing-Chung Chen (Eds.). 671–681. DOI:https://doi.org/10.1007/978-3-030-02613-4_60.Google ScholarGoogle Scholar
  94. Adobe Communications Team. 2017. Flash & the Future of Interactive Content. Retrieved from https://blog.adobe.com/en/publish/2017/07/25/adobe-flash-update.html.Google ScholarGoogle Scholar
  95. The Carat Team. 2021. Carat Project Statistics. http://carat.cs.helsinki.fi/statistics.Google ScholarGoogle Scholar
  96. Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, Oxana Comanescu, Vijay Eranti, Angelika Moscicki, Daniel Margolis, Vern Paxson, and Elie Bursztein. 2017. Data breaches, phishing, or malware? Understanding the risks of stolen credentials. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 1421–1434. DOI:https://doi.org/10.1145/3133956.3134067. Google ScholarGoogle ScholarDigital LibraryDigital Library
  97. Henning Tillmann. 2014. Browser Fingerprinting: 93% of all user configurations are unique | Henning Tillmann. Retrieved from https://www.henning-tillmann.de/en/2014/05/browser-fingerprinting-93-of-all-user-configurations-are-unique.Google ScholarGoogle Scholar
  98. Christof Ferreira Torres, Hugo Jonker, and Sjouke Mauw. 2015. FP-block: Usable web privacy by controlling browser fingerprinting. In European Symposium on Research in Computer Security (ESORICS). 3–19. DOI:https://doi.org/10.1007/978-3-319-24177-7_1.Google ScholarGoogle ScholarCross RefCross Ref
  99. T. Unger, M. Mulazzani, D. Frühwirt, M. Huber, S. Schrittwieser, and E. Weippl. 2013. SHPF: enhancing HTTP(S) session security with browser fingerprinting. In International Conference on Availability, Reliability and Security (ARES). 255–261. DOI:https://doi.org/10.1109/ARES.2013.33. Google ScholarGoogle ScholarDigital LibraryDigital Library
  100. Narseo Vallina-Rodriguez, Srikanth Sundaresan, Christian Kreibich, and Vern Paxson. 2015. Header enrichment or ISP enrichment?: Emerging privacy threats in mobile networks. In ACM SIGCOMM Workshop on Hot Topics in Middleboxes and Network Function Virtualization (HotMiddlebox). 25–30. DOI:https://doi.org/10.1145/2785989.2786002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  101. Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy. 2018. FP-STALKER: Tracking browser fingerprint evolutions. In IEEE Symposium on Security and Privacy (S&P). 728–741. DOI:https://doi.org/10.1109/sp.2018.00008.Google ScholarGoogle ScholarCross RefCross Ref
  102. Antoine Vastel, Walter Rudametkin, Romain Rouvoy, and Xavier Blanc. 2020. FP-Crawlers: Studying the resilience of browser fingerprinting to block crawlers. In Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb).Google ScholarGoogle ScholarCross RefCross Ref
  103. Rick Waldron. 2021. Generic Sensor API. Retrieved from https://www.w3.org/TR/2021/CRD-generic-sensor-20210619.Google ScholarGoogle Scholar
  104. Ding Wang, Zijian Zhang, Ping Wang, Jeff Yan, and Xinyi Huang. 2016. Targeted online password guessing: An underestimated threat. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 1242–1254. DOI:https://doi.org/10.1145/2976749.2978339. Google ScholarGoogle ScholarDigital LibraryDigital Library
  105. Stephan Wiefling, Luigi Lo Iacono, and Markus Dürmuth. 2019. Is this really you? An empirical study on risk-based authentication applied in the wild. In IFIP International Conference on ICT Systems Security and Privacy Protection (SEC). 134–148. DOI:https://doi.org/10.1007/978-3-030-22312-0_10.Google ScholarGoogle ScholarCross RefCross Ref
  106. Wenjia Wu, Jianan Wu, Yanhao Wang, Zhen Ling, and Ming Yang. 2016. Efficient fingerprinting-based Android device identification with zero-permission identifiers. IEEE Access 4 (2016), 8073–8083. DOI:https://doi.org/10.1109/ACCESS.2016.2626395.Google ScholarGoogle ScholarCross RefCross Ref
  107. Vasilios Zorkadis and P. Donos. 2004. On biometrics-based authentication and identification from a privacy-protection perspective: Deriving privacy-enhancing requirements. Inf. Manag. Comput. Secur. 12, 1 (2004), 125–137. DOI:https://doi.org/10.1108/09685220410518883.Google ScholarGoogle ScholarCross RefCross Ref

Index Terms

  1. A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Published in

        cover image ACM Transactions on the Web
        ACM Transactions on the Web  Volume 16, Issue 1
        February 2022
        173 pages
        ISSN:1559-1131
        EISSN:1559-114X
        DOI:10.1145/3484933
        Issue’s Table of Contents

        Copyright © 2021 Association for Computing Machinery.

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 28 September 2021
        • Revised: 1 July 2021
        • Accepted: 1 July 2021
        • Received: 1 June 2020
        Published in tweb Volume 16, Issue 1

        Permissions

        Request permissions about this article.

        Request Permissions

        Check for updates

        Qualifiers

        • research-article
        • Refereed

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      HTML Format

      View this article in HTML Format .

      View HTML Format
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!