Reducing the feasibility of browser fingerprinting

DON'T post new tutorials here! Please use the "Pending Submissions" board so the staff can review them first.
Post Reply
reparto
Fame ! Where are the chicks?!
Fame ! Where are the chicks?!
Posts: 288
Joined: 27 May 2013, 11:30
10

Reducing the feasibility of browser fingerprinting

Post by reparto »

Summary
Browser fingerprinting is a method that is speculated to be used by monitoring agencies and advertising networks to track internet users, by reducing the entropy of the data that can be used to fingerprint your browser it is possible to make fingerprinting either difficult or useless. This tutorial lists how to modify the settings of your browsers to be able to reduce the entropy of your fingerprint, the recommendations are based of off the default settings for Firefox 30 and it should be possible to carry these changes out on any modern browser.

Background
The background to browser fingerprinting is well covered by the EFF[1] but I will provide a short summary anyway. Basically, the idea behind browser fingerprinting is that every browser and computers configuration is unique enough to allow you to identify a person based on these variables alone. An example of a variable is your useragent, your useragent varies based on your: browser, browser version, operating system, system architecture, CPU brand (for older Macs and mobile users), window system (for linux) and many other variables. By doing some informal testing I found that by selecting a random useragent and running the Panopticlick test[2], (by using the Random Agent Spoofer for Firefox) the number of bits of entropy you should expect will be between 10 and 20.

By taking the population of the Earth (around 7 billion) and calculating the logarithm (in base 2) of it we can see that we need approximately 33 bits (See Appendix for more details) to be able to identify any single person and that by the useragent alone we are halfway to being able to achieve this. Other sources of entropy that can be used include[2]: HTTP_ACCEPT headers, browser plugin details, time zone, screen size and color depth and system fonts, from this it is clear that any attempt to fingerprint a browser is very likely to succeed, however, it is possible to significantly reduce the number of bits of entropy to below 33 bits.

Mitigation
I will go over mitigating the effects of the most significant sources of entropy.

Useragent (~10-20bits):
There is not a lot that can be done about the useragent, due to the variety of system configurations and browsers available almost every possible useragent provides a similar amount of entropy and if you made a fake useragent then you would be more easily identifiable. A simple way to work around this is to use a plugin that will periodically switch between useragents, this essentially makes the useragent a redundant source of entropy as its not a fixed value. However, due to the possibility of having an archaic useragent, some websites may not render correctly due to the server sending additional data specific to that browser (Gmail and Google Maps will often cause problems with odd useragents).

Browser plugin details (+31 bits):
This is a very important variable as alone it can easily provide 32 bits (I don't have a reference for this but browser plugin details are almost always unique due to different installations and also the order in which the plugins are listed), in Firefox you can disable plugin enumeration by setting plugins.enumerable_names to an empty string in about:config. At the time of making this post, it doesn't seem to be possible to do this on Chrome.

System fonts (+31 bits):
The system fonts list is as useful as the browser plugins list as almost every system has a unique set of fonts due to fonts installed by applications and websites, in this area non-Windows systems have a slight advantage due to having less system fonts when making a clean install. System fonts are enumerated by using Javascript[3] or Flash[4] and both methods have to be stopped individually to remove the entropy.

To prevent Javascript based enumeration you can disable Javascript or you can set an approved set of fonts for websites to use (Firefox 30: Settings->Content->Default Font and also uncheck Settings->Content->Default Font->Advanced...->Allow websites to use fonts other than...). As far as I know this isn't possible in Chrome, it should be feasible in Chromium.

To disable Flash based enumeration you need to set the following in "mms.cfg" which can be found in "/etc/adobe" on linux and in "C:/windows/system32/Macromed/Flash" or "C:/windows/syswow64/Macromed/Flash" in Windows:

Code: Select all

DisableDeviceFontEnumeration = 1
A further measure is to set Flash to "Ask to Activate", this can be done by going to the plugins section in "about:addons" and selecting "Ask to Activate" from the dropdown next to "Shockwave Flash". You can then set per site permissions as you wish.

Conclusion:
By doing these settings changes I have been able to reduce the entropy of my browser's fingerprint from around 100 to about 19 which is far from enough data to be able to identify my browser via fingerprinting. However, this is based of the assumption that a constantly changing useragent will be able to render the value useless and also that browser vendors will enable these measures by default in the future as by not doing so there is a risk that these measures become counter productive.


[1] - A Primer on Information Theory and Privacy, Peter Eckersley, January 26, 2010 [https://www.eff.org/deeplinks/2010/01/p ... nd-privacy]
[2] - Panopticlick [https://panopticlick.eff.org/]
[3] - JavaScript/CSS Font Detector [http://www.lalit.org/lab/javascript-css-font-detect/]
[4] - Getting a List of Installed Fonts with Flash and Javascript [http://hasseg.org/blog/post/526/getting ... avascript/]

Appendix: How can 33bits can represent the world's population?
If we gave every single person in the world a unique number starting from 1 and increasing in increments of 1 (i.e. first person gets 1, second gets 2 and so on...), the number of digits required to represent any of those is 10 (all numbers from 0 to 7billion can be represented using 10 or less digits).

However, computers use binary and so the value of 10 digits is incorrect (10bits would allows us to give 1024 people a unique number). To find the number of bits you can calculate it manually by finding the power of 2 which is greater than the number of numbers you need or you can use logarithms (See: https://www.wolframalpha.com/input/?i=l ... MathWorld-" onclick="window.open(this.href);return false;).
Last edited by reparto on 07 Jul 2014, 19:22, edited 1 time in total.
Selling invisible pets:
Dogs - 0.5 Bitcoins
Cats - 0.7 Bitcoins
Unicorns - 10 Bitcoins
Chimpanzee - 2 Bitcoins

PM me if you are interested, will ship via priority airmail, will accept escrow services

User avatar
maboroshi
Dr. Mab
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00
18

Re: Reducing the feasibility of browser fingerprinting

Post by maboroshi »

Wow I like this write up and I would never have thought about a lot of these things. If possible can you explain a bit of the math behind this.
By taking the population of the Earth (around 7 billion) and calculating the logarithm (in base 2) of it we can see that we need approximately 33 bits to be able to identify any single person
Also on my Windows 7 Home Edition x86_64 system with Flash Player 14 (fresh install) the path was

Code: Select all

C:\Windows\SysWOW64\Macromed\Flash
For the mention in the mitigation section

*cheers nice write up :-)

Mabo

reparto
Fame ! Where are the chicks?!
Fame ! Where are the chicks?!
Posts: 288
Joined: 27 May 2013, 11:30
10

Re: Reducing the feasibility of browser fingerprinting

Post by reparto »

maboroshi wrote:Wow I like this write up and I would never have thought about a lot of these things. If possible can you explain a bit of the math behind this.
Well a boolean can represent 2 states (1 and 0) and it takes up 1bit of space, a 32bit integer can represent 2^32 states and it takes up 32bits. If we want to represent 7billion states (each state corresponds to a person) then we can find the number of bits required by taking the logarithm of base 2 (which is often represented as Log2()).

Logarithm explanation: https://www.wolframalpha.com/input/?i=l ... MathWorld-" onclick="window.open(this.href);return false;
maboroshi wrote: Also on my Windows 7 Home Edition x86_64 system with Flash Player 14 (fresh install) the path was

Code: Select all

C:\Windows\SysWOW64\Macromed\Flash
That's my bad, don't know why I did that...
Selling invisible pets:
Dogs - 0.5 Bitcoins
Cats - 0.7 Bitcoins
Unicorns - 10 Bitcoins
Chimpanzee - 2 Bitcoins

PM me if you are interested, will ship via priority airmail, will accept escrow services

User avatar
maboroshi
Dr. Mab
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00
18

Re: Reducing the feasibility of browser fingerprinting

Post by maboroshi »

Cool deal. I moved this to Hacking tutorials not sure that is where you wanted it. Let me know if you want it some where else ;)

reparto
Fame ! Where are the chicks?!
Fame ! Where are the chicks?!
Posts: 288
Joined: 27 May 2013, 11:30
10

Re: Reducing the feasibility of browser fingerprinting

Post by reparto »

I guess the general section would be better since a lot of this stuff should be standard behaviour, but I am not too fussed either way.
Selling invisible pets:
Dogs - 0.5 Bitcoins
Cats - 0.7 Bitcoins
Unicorns - 10 Bitcoins
Chimpanzee - 2 Bitcoins

PM me if you are interested, will ship via priority airmail, will accept escrow services

reparto
Fame ! Where are the chicks?!
Fame ! Where are the chicks?!
Posts: 288
Joined: 27 May 2013, 11:30
10

Re: Reducing the feasibility of browser fingerprinting

Post by reparto »

Just found this:
https://securehomes.esat.kuleuven.be/~g ... index.html" onclick="window.open(this.href);return false;

They have found a new technique that uses the <canvas> tag to fingerprint browsers, it seems that most people who use adblockplus/ghostery/donottrackme should be unaffected because the technique is almost always implemented via addthis.com which is blocked by the aformentioned plugins.
Selling invisible pets:
Dogs - 0.5 Bitcoins
Cats - 0.7 Bitcoins
Unicorns - 10 Bitcoins
Chimpanzee - 2 Bitcoins

PM me if you are interested, will ship via priority airmail, will accept escrow services

Post Reply