Very cool to see that they've even gone as far as inferring elements like the likelihood of MS Office being installed on your computer by checking the width of a container with the font 'Leelawadee' specified:
> As this font is a non-free Microsoft font for the Thai Language, we do not expect users without Microsoft Office to have it installed
There is lots of really interesting information in here past what you might figure out yourself if you've played around with abusing CSS yourself before. So many things that had just never, and probably would never have, occurred to me to try.
It is definitely worth a read (or skim) over the paper to see the lengths they went to in order to figure out some of the unique elements to fingerprint on.
Narew 2 days ago [-]
I don't remember where I read that and was not able to find it again.
There is a web/desktop app (like Zoom) that installs a font when you install the app, and the web app checks if this font is installed to trigger the "open in app" popup.
sethhochberg 2 days ago [-]
It’s a common enough technique that this surely isn’t the only example, but there was discussion here a while back about TeamViewer doing this to detect the presence and version of the client software when clicking a link to open a remote session:
seems like you have to allow `@container` checks or something similar for this to work in order to then make your network request `#something { background-image: url('/x-browser-y-os-detected'); }`
CISPA is really interesting; I was just reading this on their site the other day. They're developing grey-box, coverage-based fuzzing tools for PHP web applications, which is how I know about them in the first place. Definitely one of those entities to look out for in serious cybersecurity research going into 2025.
InvisGhost 2 days ago [-]
I wonder if you could track the usage of features known to be used for fingerprinting and disable the functionality if enough are used. I assume that most sites using advanced fingerprinting like this are also the kind that would remove it quickly if it causes the site to break.
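One defensive take on the mechanism sketched in this thread (conditional CSS rules that each trigger a distinct url() load) is a stylesheet scanner that counts such gated loads; this is an added example, not code from the paper or any tool named here. The sample stylesheet is constructed, and the paths and threshold are assumptions.

```javascript
// Flags the pattern discussed above: conditional at-rules whose bodies each
// request a different url(), so the server learns which branch matched.
// SAMPLE_CSS is constructed for this example; the paths are made up.
const SAMPLE_CSS = `
@container probe (width > 120px) {
  #x { background-image: url('/fp/font-leelawadee-present'); }
}
@container probe (width <= 120px) {
  #x { background-image: url('/fp/font-leelawadee-absent'); }
}
@media (min-resolution: 2dppx) { #y { background: url('/fp/hidpi'); } }
.logo { background-image: url('/static/logo.png'); }
`;

// Every url() that sits inside a @container/@media/@supports block.
function gatedUrls(css) {
  const found = [];
  const atRule = /@(container|media|supports)\b[^{]*\{/g;
  const urlRe = /url\(\s*['"]?([^'")]+)['"]?\s*\)/g;
  let m;
  while ((m = atRule.exec(css)) !== null) {
    // Walk from the opening brace to its matching close (nesting-aware).
    let depth = 1;
    let i = atRule.lastIndex;
    while (i < css.length && depth > 0) {
      if (css[i] === '{') depth += 1;
      else if (css[i] === '}') depth -= 1;
      i += 1;
    }
    const body = css.slice(atRule.lastIndex, i - 1);
    let u;
    urlRe.lastIndex = 0;
    while ((u = urlRe.exec(body)) !== null) {
      found.push({ rule: m[1], url: u[1].trim() });
    }
    atRule.lastIndex = i; // resume after the block, not inside it
  }
  return found;
}

// Distinct gated loads; one request per branch is the fingerprinting tell.
function gatedLoadCount(css) {
  return new Set(gatedUrls(css).map((g) => g.url)).size;
}

// Threshold is an assumption; a real policy would tune it on real sites.
function looksLikeCssFingerprinting(css, threshold = 2) {
  return gatedLoadCount(css) >= threshold;
}
```

A blocker could run this over fetched stylesheets and, as suggested above, fall back to degrading or refusing the gated loads once the count passes the threshold.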
qqqult 2 days ago [-]
Tor tries to do this by offering different "safety" levels that the user can choose between.
Some browsers try to randomize fingerprintable parameters, but that's easy to detect.
ranger_danger 2 days ago [-]
Couldn't most fingerprinting techniques be thwarted by just using a stock windows install in a frozen VM with a stock browser without changing anything? Wouldn't that make you pretty boring as far as any potential variations go?
michaelt 2 days ago [-]
Yes and no.
If you go for a stock browser without changing anything - that means you can't install ublock origin, or noscript, or adjust the cookie settings.
If the fingerprint detects you're running your browser in a VM? Because your canvas/webgl stuff reveals a graphics card that is only seen on VMs, or your mouse movement is characteristic of the way host OSes pass mouse movement to guest OSes? That's an unusual characteristic.
If you freeze the VM and everyone else installs updates? Your configuration will gradually become unusual because of its age.
And of course if you've got a 4k screen but you run your VM at 1920x1080, the gain in anonymity has come at the cost of most of your screen real estate.
Also, if you do manage to completely resist tracking by IP address, by cookies, and by browser fingerprints? Your reward is that Cloudflare and Google ReCaptcha will give you endless tedious challenges. ReCaptcha has a special extra-slow mode, specifically to punish people like you. I hope you like clicking fire hydrants!
LegionMammal978 1 day ago [-]
FWIW, I've used a stock Windows VM + Chrome a few times for testing things. Of course you don't freeze it solid, you just take a snapshot before installing the browser, and revert to that snapshot whenever you want to update the OS. For the screen real-estate issue, just get a VM viewer that doesn't insist on showing the full screen. You also don't block cookies every second, you just wipe them regularly.
The Captcha services don't particularly care, since obviously they don't want to punish people on a fresh system. They care far, far more about whether I'm going through a commercial VPN, doubly so if I'm using Tor. But if I'm really worried about IP tracking, I usually run it through my university network.
Of course, a sufficiently-motivated fingerprinting service can surmount any barrier in theory, with typographic analysis and whatnot. But in practice, websites tend not to care to an extraordinary extent.
E.g., I remember one person who was convinced that Google/YouTube used your specific IP address (not just your cookies, or your geo-IP location) as a major part of ad targeting. But lo and behold, the whole VM setup consistently gave me a generic set of ads, as did just wiping my browser cookies. Of course, their explanation was "Of course they're detecting that you're trying to sniff them out, so they're only giving you generic ads to uphold the conspiracy!" As if cookies + geo-IP weren't more than enough for 99.9% of users they want to display ads to.
maeil 2 days ago [-]
Wouldn't a MacBook be the better platform to mimic, as its hardware is so much more standardized? Considering techniques like canvas fingerprinting.
ranger_danger 2 days ago [-]
My understanding is that a VM should already be mimicking standardized hardware, and that Apple (especially desktop) users are such a small percentage compared to Windows that you wouldn't want to base anything trying to "blend in" on that.
kccqzy 2 days ago [-]
And by that logic an iPhone is an even better choice than a MacBook.
dehrmann 2 days ago [-]
I used to work in this space. Your best bet is a recent iPhone. There are a lot of them out there, they're usually up-to-date, and Apple only releases a handful of models with relevant differences per year.
qqqult 2 days ago [-]
Not really. WebGL hardware parameters, canvas fingerprints, audio device fingerprints, and the JavaScript engine are pretty crazy. In addition, if you use your device at all you probably have other fingerprints like custom fonts installed by you or apps, extensions & similar. Not to mention IP and session data like you being logged in to different services that any website can check.
Try visiting something like https://abrahamjuliot.github.io/creepjs/ [1] on "identical" incognito mobile devices or desktops and you'll get completely different fingerprint IDs.
[1] This isn't even the best fingerprint extraction out there, just an easy-to-use open source one; there are some crazy advanced techniques not implemented in it.
ranger_danger 2 days ago [-]
> This isn't even the best fingerprint extraction out there, just an easy-to-use open source one; there are some crazy advanced techniques not implemented in it
What IS the best tool? What other techniques do you know of that it doesn't implement?
> you being logged in to different services that any website can check
how so?
qqqult 2 days ago [-]
> What IS the best tool? What other techniques do you know of that it doesn't implement?
The best fingerprinting tools aren't open source; they're anti-botting services like CAPTCHA providers & probably ad networks.
This particular service has implementations for several popular fingerprinting techniques, but there are so many ways to measure the same thing that even if your fingerprint looks fine on one test, a different test of the same measure could detect it as unique. For example, a user font fingerprint could be implemented via JS tests, canvas rendering tests or CSS sheets (like in this paper).
The tests that offer the highest degree of hardware variability and uniqueness that I've seen deal with rendering of text and images over canvas.
> how so?
By loading an image that can only be accessed if you're logged in to your Google / Facebook / Twitter accounts and checking if the image request returned an error. There's a repo that implements this for >30 different websites, but I can't remember its name rn. I'll edit this comment later if I remember what it was called.
ranger_danger 2 days ago [-]
> an image that can only be accessed if you're logged in to your Google / Facebook / Twitter accounts
I don't understand how this would work? Wouldn't there have to be some kind of cookie/storage that is accessible to third parties in order to know this? AFAIK this is exactly what angered people about Flash due to their use of cross-domain capable "super cookies".
Click the explanation & protection sections for info on how it works
ranger_danger 2 days ago [-]
So I read the second link and it looks to me like this is a combination of problems: the browser ignoring SOP for images, and the website just happening to expose a way to abuse that fact to check if one is logged in.
I think this also assumes you are not using any kind of isolation for your tabs. What I don't understand though, is how it could figure out that I am logged into google even though I have third-party cookies disabled.
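For the login-detection trick discussed in this subthread, the server-side fix is to stop a cross-site image load from acting as an oracle: when the request is refused, the answer must not depend on login state. This is an added example, not code from any site or repo mentioned here; it assumes Node-style header objects (lower-case keys) and uses the browser-set Fetch Metadata headers as the signal.

```javascript
// Server-side policy for a resource that exists only for logged-in users
// (an avatar, say). Sec-Fetch-* headers are set by the browser and cannot
// be forged by page script, so a cross-site <img> load is identifiable.
// Header objects are assumed Node-style: lower-case keys, string values.
const TRUSTED_SITES = new Set(['same-origin', 'same-site', 'none']);

function allowAuthenticatedFetch(headers) {
  const site = headers['sec-fetch-site'];
  const dest = headers['sec-fetch-dest'];
  const mode = headers['sec-fetch-mode'];
  // Browsers without Fetch Metadata send no Sec-Fetch-Site at all; this
  // example lets them through and relies on SameSite cookies as a backstop.
  if (site === undefined) return { allow: true, reason: 'no fetch metadata' };
  if (TRUSTED_SITES.has(site)) return { allow: true, reason: 'same-site' };
  // A top-level navigation to the resource is a user action, not a probe.
  if (mode === 'navigate' && dest === 'document') {
    return { allow: true, reason: 'top-level navigation' };
  }
  // Cross-site subresource loads (image, script, style, ...) are refused.
  return { allow: false, reason: `cross-site ${dest} load` };
}

// The visible outcome must not depend on login state when the request is
// refused; otherwise the refusal itself becomes the oracle.
function respond(headers, isLoggedIn) {
  if (!allowAuthenticatedFetch(headers).allow) {
    return { status: 403, body: 'cross-site load refused' };
  }
  return isLoggedIn
    ? { status: 200, body: 'avatar bytes' }
    : { status: 401, body: 'login required' };
}

// Constructed request headers as a cross-site <img> tag would produce them.
const CROSS_SITE_IMG = {
  'sec-fetch-site': 'cross-site',
  'sec-fetch-dest': 'image',
  'sec-fetch-mode': 'no-cors',
};
```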
qingcharles 2 days ago [-]
This is a two-part problem.
1) You can fingerprint devices using CSS
2) You can make server calls using CSS to exfiltrate the client-side data
Stopping (2) would limit the utility of (1).
lobito25 5 days ago [-]
Article's date is in the future:
2025-02-02
8bitbeep 5 days ago [-]
It's very modern CSS.
tsavo 2 days ago [-]
Reading the article.
First Online Date: 2024-10-09
Date Posted: 2024-12-05
Date Published: 2025-02-01 (It's being "published" at a conference)
dazed_confused 2 days ago [-]
As mentioned, the paper was accepted at NDSS: https://www.ndss-symposium.org/ndss2025/accepted-papers/
The conference occurs in February, and typically the conference proceedings are published a little earlier than the conference itself.
brudgers 5 days ago [-]
That is probably the scheduled presentation date.
davidashe 1 day ago [-]
Imagine a world where developers refused to build fingerprinting features.
> Concretely, our expression reveals differences in 1116 OS-browser combination pairs (94.9 %).
https://news.ycombinator.com/item?id=32165103
In their case, the (shell of a) font file goes a little further and encodes the version of the teamviewer client that installed it
1. Measure element dimensions and detect installed fonts (measure a piece of text with a specific font to see if it's installed)
2. CSS functions (e.g calc) that produce different results across browsers/systems
3. Detecting browser-specific CSS property differences (e.g render a file input, measure it)