
New fingerprinting paper: UniqueMachine

From: Nick Doty <npdoty@ischool.berkeley.edu>
Date: Mon, 20 Feb 2017 16:46:14 -0800
Message-Id: <99156826-A3BF-44D7-9D35-7592654B98A0@ischool.berkeley.edu>
To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>

Hi all,

I'm parsing through some new browser fingerprinting work, with a paper being published at NDSS. You can also try it yourself in browser. Of particular note is whether you see the same hashed fingerprint when you run the test on two different browsers on the same device.

http://www.uniquemachine.org/
https://drive.google.com/file/d/0B4s900Byvv1ibW5uc1NiU2g3R3c/view

I'd welcome comments from public-privacy folks.

My read: the paper argues that it's OS/hardware characteristics that are particularly important, because they're cross-browser. But at least in running the test on my machine and in my analysis of the numbers reported in the paper, there are some simple things that introduce more entropy. In particular, generating the list of fonts installed on the machine via JavaScript provides a large source of entropy that persists over time and across browsers on the same device. (Also, it's not at all clear that this is a particularly important or unique feature of the Web platform, especially since Web Fonts can be delivered over the network.)

I'm trying to update the Mitigating Browser Fingerprinting guidance this week to document what the different sources of fingerprinting surface are. And perhaps of particular focus we can gauge which kinds of fingerprinting are the most important. Persistence and scope (across browsers or even across devices) seem like additional dimensions we should look at in evaluating new features for their fingerprinting risk.

Thanks,
Nick

Received on Tuesday, 21 February 2017 00:46:50 UTC
