Master internship: Browser fingerprint obfuscation through random reconfiguration

Mayer in 2009 [4] and Eckersley in 2010 [1] have shown that a web browser’s features (version, operating system, IP address, plugins, fonts, Flash and JavaScript) can provide enough information to constitute a unique ID, or fingerprint, and can be used to track users without the need for cookies. Unlike cookies, browser fingerprinting is completely transparent to the user. Today, a small number of commercial companies use such methods to provide browser identification through web-based fingerprinting instead of, or as a complement to, cookies, web bugs and other known techniques. Browser fingerprints can be used by owners of web sites for legitimate purposes such as combating fraud by tracking session hijacking. However, fingerprints can also serve more suspicious purposes such as tracking users between websites for targeted advertisement or delivering exploits tailored to specific browsers.

This new threat to web users’ privacy has triggered interest from the industrial and academic communities, which have started developing solutions to counter the exploitation of fingerprints. These recent works include solutions to spoof browser user agents [7] and more sophisticated techniques like the TorButton [6]. However, several works have also shown the limitations of these solutions: they tend to generate inconsistent fingerprints, which can be detected as fake, or fingerprints that are not diverse enough to really protect the user [5].

In this work, we want to explore the application of software engineering techniques, such as runtime reconfiguration [2] and feature modeling [3], to automatically randomize browser configurations and browser installations on a given computer. The main intuition here is to avoid generating fake browser fingerprints, and instead to introduce ‘noise’ into the actual fingerprint. We have a double objective: limit the ability of fingerprint collectors to track users, and limit their capacity to detect browsers that try to hide. This work, on the synthesis of coherent and relevant diversity in fingerprints, is part of more general research on increasing software diversity, funded by the DIVERSIFY EU project [8].
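The sketch below is an added illustration of this idea, not code from the project: a toy feature model constrains which browsers, fonts and plugins can really be installed on a host, random configurations are drawn only from what the model allows, and a spoofed configuration is rejected as incoherent. The feature names, the model contents and all function names are assumptions constructed for the example.

```python
import random

# Constructed toy feature model (an assumption, not from the proposal): for each
# host OS, the browsers, fonts and plugins that can actually be installed on it.
FEATURE_MODEL = {
    "Linux": {"browsers": ["Firefox", "Chromium"],
              "fonts": ["DejaVu Sans", "Liberation Serif", "Ubuntu", "Noto Sans"],
              "plugins": ["Flash", "Java", "VLC"]},
    "Windows": {"browsers": ["Firefox", "Chrome", "Internet Explorer"],
                "fonts": ["Arial", "Calibri", "Segoe UI", "Verdana"],
                "plugins": ["Flash", "Java", "Silverlight"]},
}

def is_coherent(cfg, model=FEATURE_MODEL):
    """True if every feature in cfg is allowed by the model for cfg's OS."""
    rules = model.get(cfg["os"])
    if rules is None:
        return False
    return (cfg["browser"] in rules["browsers"]
            and set(cfg["fonts"]) <= set(rules["fonts"])
            and set(cfg["plugins"]) <= set(rules["plugins"]))

def random_configuration(host_os, rng, model=FEATURE_MODEL):
    """Draw a real (installable) configuration for host_os: noise, not a fake."""
    rules = model[host_os]
    fonts = rng.sample(rules["fonts"], rng.randint(1, len(rules["fonts"])))
    plugins = rng.sample(rules["plugins"], rng.randint(0, len(rules["plugins"])))
    return {"os": host_os, "browser": rng.choice(rules["browsers"]),
            "fonts": sorted(fonts), "plugins": sorted(plugins)}

def fingerprint(cfg):
    """Hashable stand-in for what a fingerprint collector would observe."""
    return (cfg["os"], cfg["browser"], tuple(cfg["fonts"]), tuple(cfg["plugins"]))

def distinct_fingerprints(host_os, n, seed=0):
    """Set of fingerprints seen over n random reconfigurations of one host."""
    rng = random.Random(seed)
    return {fingerprint(random_configuration(host_os, rng)) for _ in range(n)}

# Constructed spoofing case: the user agent claims Windows / Internet Explorer,
# but the fonts are those of the real Linux host, so the fingerprint is incoherent.
SPOOFED = {"os": "Windows", "browser": "Internet Explorer",
           "fonts": ["DejaVu Sans", "Ubuntu"], "plugins": ["Flash"]}

if __name__ == "__main__":
    print("spoofed coherent:", is_coherent(SPOOFED))
    print("distinct fingerprints in 50 runs:", len(distinct_fingerprints("Linux", 50)))
```

Both objectives map onto the two checks: `is_coherent` stands for the collector's ability to detect a hiding browser, and the size of the set returned by `distinct_fingerprints` stands for how hard the host is to track across reconfigurations.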

Contacts: Walter Rudametkin (walter.rudametkin-ivey@inria.fr) and Benoit Baudry (benoit.baudry@inria.fr)

References

[1] P. Eckersley. How unique is your web browser? In Privacy Enhancing Technologies, pages 1–18. Springer, 2010.

[2] F. Fouquet, E. Daubert, N. Plouzeau, O. Barais, J. Bourcier, and J.-M. Jézéquel. Dissemination of reconfiguration policies on mesh networks. In Distributed Applications and Interoperable Systems, pages 16–30. Springer, 2012.

[3] K. C. Kang, S. G. Cohen, J. A. Hess, W. E. Novak, and A. S. Peterson. Feature-oriented domain analysis (FODA) feasibility study. Technical report, DTIC Document, 1990.

[4] J. Mayer. Any person… a pamphleteer. Senior thesis, Stanford University, 2009.

[5] N. Nikiforakis, A. Kapravelos, W. Joosen, C. Kruegel, F. Piessens and G. Vigna. Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In Proc. of IEEE Symposium on Security and Privacy, 2013.

[6] Tor. Torbutton: I can’t view videos on youtube and other flash-based sites. why?, Sept. 2013. https://www.torproject.org/torbutton/torbutton-faq.html.en#noflash

[7] https://addons.mozilla.org/fr/firefox/addon/user-agent-switcher/

[8] www.diversify-project.eu