
Fingerprinting a specific PC with 99.24% accuracy: even switching browsers does not help


Rendering tasks executed on the client side for the purpose of fingerprinting

Switching browsers to change your identity on the Internet is a popular piece of advice from security experts. According to a survey, about 70% of users have installed and regularly use at least two browsers. In this way they hope to avoid surveillance and unwanted recognition on sites.

A group of American researchers has published a paper describing more advanced fingerprinting techniques that do not rely on the browser version, yet still recognize a particular PC with high accuracy.

Fingerprinting is a controversial technique for identifying users on the Internet, used as an alternative to regular cookies and "eternal" cookies. If the user deletes cookies or has installed tracker-blocking software, he can still be recognized with the help of fingerprinting.

Opponents of this technique say that the use of fingerprinting is unethical if the user has explicitly opted out of being identified and actively deletes cookies. On the other hand, some web developers see nothing wrong with recognizing repeat visitors, as long as nothing illegal is done with it. The argument goes that it is for the users' own convenience. User recognition (tracking) in one form or another is carried out by more than 90% of the most popular Internet sites. Fingerprinting is the most reliable technique. It involves creating a unique "fingerprint" of a user's computer from all exposed parameters: OS version, browser version, set of plug-ins and browser extensions, list of installed fonts, screen resolution, etc.

Until recently, fingerprinting has always taken into account the user's browser version, but now researchers are trying to overcome this limitation - and recognize specific PCs independently of the browser.

In the paper by the group of American researchers, the new technique is called CBF, for cross-browser fingerprinting. It relies on characteristics of a computer system that show up, regardless of the browser version, when graphics are rendered and processed.



The researchers measure the execution time of various graphical operations and use this information to profile a particular PC. For example, applying a bitmap image to the face of a cube using WebGL with hardware-accelerated video is performed at the same speed regardless of the browser.

Here is a list of some parameters that can be used for cross-browser fingerprinting.

Screen resolution. As it turned out, if you take zooming into account, you can get a reliable result regardless of the browser version.

The number of processor cores. The hardwareConcurrency browser parameter gives the upper limit for Web Worker operations on a specific computer. Even if the browser tries to change this parameter (for example, Safari halves it), the true value can easily be calculated.

AudioContext. A set of sound-processing tasks handled by the operating system and the sound card. Fingerprinting is carried out by measuring the time these operations take.

Font list. A standard fingerprinting technique that the researchers have adapted for the cross-browser version. The list of installed fonts can be determined by rendering glyphs in the browser.

Lines, curves and anti-aliasing. Rendering of lines, curves and anti-aliasing in HTML5 Canvas and WebGL is performed by the GPU.

Vertex Shader. Another element that is rendered by the graphics subsystem and the graphics driver. It is used in WebGL to create shadows and lighting on 3D objects.

Fragment Shader. Tracked in the same way as the Vertex Shader.

Transparency in the alpha channel. The output of these graphic elements depends on the GPU and the driver and is the same in all browsers.

Installed scripts (languages). Some scripts, such as Chinese, Korean, and Arabic, require the installation of special libraries.

Simulation. Rendering 3D models.

Lighting and Shadow Mapping. Another feature of 3D graphics, associated with the processing of light and shadows.

Camera. This refers not to a webcam installed on the computer, but to a technique specific to 3D modeling. It builds 2D views of 3D objects.

Clipping planes. The WebGL operation associated with calculating the coordinates of 3D objects with limited visibility.

Together, these techniques make it possible to create a fairly reliable and accurate profile of a specific computer. The table below lists the reliability and entropy provided by each method individually and by all of them combined.



Collectively, the CBF techniques can accurately identify about 99.24% of all computers. The researchers conducted tests using the Chrome, Firefox, Edge, IE, Opera, Safari, Maxthon, UC Browser and Coconut browsers.

The technique works quite reliably and the absence of any one of the parameters in the profile has practically no effect on the result.

For anonymous work on the Internet, the authors of the paper recommend using the Tor browser, which normalizes the browser output and does not allow this kind of fingerprinting. Admittedly, it has a small flaw of its own: it still leaves a couple of parameters exposed, including the width of the screen and AudioContext. The researchers hoped that the Tor developers would normalize the output for these parameters, too.
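The per-feature entropy mentioned above and the effect of output normalization can both be measured on a population of fingerprints. The JavaScript below is an added example, not code from the paper or the original article; the eight machines are constructed data, and the field names (`gpuHash`, `fontHash`, `audioHash`) are hypothetical labels for the article's features. It normalizes everything except screen width and AudioContext, the two parameters the article says remain exposed.

```javascript
// Added example: constructed population of 8 machines. Field names are
// hypothetical labels for the article's features, not a real browser API.
const machines = [
  { cores: 4, gpuHash: "g1", fontHash: "f1", screenWidth: 1920, audioHash: "a1" },
  { cores: 4, gpuHash: "g2", fontHash: "f1", screenWidth: 1920, audioHash: "a1" },
  { cores: 8, gpuHash: "g3", fontHash: "f2", screenWidth: 1920, audioHash: "a1" },
  { cores: 8, gpuHash: "g4", fontHash: "f2", screenWidth: 1366, audioHash: "a1" },
  { cores: 2, gpuHash: "g5", fontHash: "f3", screenWidth: 1366, audioHash: "a2" },
  { cores: 2, gpuHash: "g6", fontHash: "f3", screenWidth: 1366, audioHash: "a2" },
  { cores: 4, gpuHash: "g7", fontHash: "f4", screenWidth: 2560, audioHash: "a2" },
  { cores: 4, gpuHash: "g8", fontHash: "f4", screenWidth: 1920, audioHash: "a2" },
];

// Count how many records share each value of the given feature tuple.
function tally(records, features) {
  const counts = new Map();
  for (const r of records) {
    const key = features.map((f) => String(r[f])).join("|");
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy in bits of the feature tuple across the population.
function entropyBits(records, features) {
  let h = 0;
  for (const c of tally(records, features).values()) {
    const p = c / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fraction of machines whose feature tuple is shared with no one else.
function uniqueFraction(records, features) {
  let unique = 0;
  for (const c of tally(records, features).values()) if (c === 1) unique++;
  return unique / records.length;
}

// Replace the listed features with one constant, as a normalizing browser would.
function normalize(records, features) {
  return records.map((r) => {
    const out = { ...r };
    for (const f of features) out[f] = "same-for-everyone";
    return out;
  });
}

const ALL = ["cores", "gpuHash", "fontHash", "screenWidth", "audioHash"];
const hardened = normalize(machines, ["cores", "gpuHash", "fontHash"]);
console.log(uniqueFraction(machines, ALL), uniqueFraction(hardened, ALL));
```

In this constructed population every machine is unique before normalization, and three of the eight are still singled out afterwards by screen width and the audio value alone.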

Source: https://habr.com/ru/post/357238/

