- From: Jason Novak <jnovak@apple.com>
- Date: Fri, 19 Apr 2019 13:01:20 -0500
- To: Pete Snyder <psnyder@brave.com>, Mike O'Neill <michael.oneill@baycloud.com>
- Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-id: <D13325DF-78DC-4A0F-9D4A-2241FC6B2037@apple.com>
And while JS doesn’t have an API to return all fonts, it can be used to probe for fonts which is effectively enumeration. fingerprintjs2 <https://github.com/Valve/fingerprintjs2> has an implementation of such in lines 525-712 of fingerprint2.js <https://github.com/Valve/fingerprintjs2/blob/master/fingerprint2.js>.

J

> On Apr 19, 2019, at 12:56 PM, Pete Snyder <psnyder@brave.com> wrote:
>
> Mike, please take another look at the studies. Flash is just one of many ways of doing font enumeration discussed.
>
> Also, none of these are unique as individual identifiers, but they combine to be very unique. This is how all (as far as I know) passive fingerprinting is done.
>
> And to echo Jason’s point, it’d be nice to take cookies out of the picture, but that’s not quite an “easy first win”. ;)
>
> Pete Snyder
> {pes,psnyder}@brave.com
> Brave Software
> Privacy Researcher
>
>> On Apr 19, 2019, at 6:39 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>>
>> This and the Princeton study conclude that most fingerprinting techniques are not very effective at getting unique identifiers, and the Princeton found only 2.5% of sites had font fingerprinting.
>>
>> http://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf
>>
>> There is no JS function to enumerate fonts, and the early studies e.g. the EFF’s, had to use Flash, luckily no longer very common. The usual way now is for script to try different fonts in a canvas contained <span>, then measure how big the resulting text is in pixels.
>>
>> The script then has to deliver the resulting fingerprint ID via another HTTP transaction (XHR, Fetch, Image etc.) and then has to link it to the initiating browsing context with a cookie UID.
>>
>> They found non-font canvas fingerprinting was twice as common, a bit over 5%, but was in fact usually being used for fraud detection, because there is not enough entropy to be commercially useful for tracking.
>>
>> Cookies, on the other hand, are used for tracking on >>95% of sites, including the ones supposedly using fingerprinting.
>>
>> Mike
>>
>>
>> From: jnovak@apple.com <jnovak@apple.com>
>> Sent: 19 April 2019 15:29
>> To: Pete Snyder <psnyder@brave.com>
>> Cc: public-privacy@w3.org
>> Subject: Re: Font Based Fingerprinting Papers
>>
>> Thanks for the links Pete. Here’s another paper on fingerprinting more generally that has some interesting stats on font fingerprinting.
>>
>> Alejandro Gómez-Boix, Pierre Laperdrix, and Benoit Baudry’s “Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale” — https://www.doc.ic.ac.uk/~maffeis/331/EffectivenessOfFingerprinting.pdf.
>>
>> J
>>
>>
>>> On Apr 19, 2019, at 9:06 AM, Pete Snyder <psnyder@brave.com> wrote:
>>>
>>> Hi all,
>>>
>>> As promised, here are some papers describing the accuracy and (in two cases) frequency of using font enumeration to fingerprint browsers.
>>>
>>> I’ll try to come up with a first, goof-attempt at a proposed change well in advance of our next call too.
>>>
>>> Laperdrix, Pierre, Walter Rudametkin, and Benoit Baudry. "Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints." 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 2016.
>>> https://hal.inria.fr/hal-01285470/document
>>>
>>> Nikiforakis, Nick, et al. "Cookieless monster: Exploring the ecosystem of web-based device fingerprinting." 2013 IEEE Symposium on Security and Privacy. IEEE, 2013.
>>> https://ieeexplore.ieee.org/iel7/6547086/6547088/06547132.pdf
>>>
>>> Eckersley, Peter. "How unique is your web browser?." International Symposium on Privacy Enhancing Technologies Symposium. Springer, Berlin, Heidelberg, 2010.
>>> https://panopticlick.eff.org/static/browser-uniqueness.pdf
>>>
>>>
>>> Pete Snyder
>>> {pes,psnyder}@brave.com
>>> Brave Software
>>> Privacy Researcher
>>>
Received on Friday, 19 April 2019 18:01:49 UTC
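
The probing pattern described in the thread (set many fonts, measure the same text each time) leaves a recognizable trace in an instrumented browser's call log. The sketch below is an added example, not part of the original messages and not code from fingerprintjs2 or any study cited; the record format, the thresholds, and the script URLs are assumptions constructed for illustration.

```javascript
// Assumed thresholds (not from the thread): flag a script that tries at least
// MIN_FONTS distinct fonts and measures one and the same string that many times.
const MIN_FONTS = 50;
const MIN_MEASURES = 50;

// Reduce "72px 'Arial', monospace" to "arial" so size or fallback changes are not new fonts.
function normalizeFamily(fontValue) {
  const families = fontValue.replace(/^.*?\d+(px|pt|em|rem|%)\s+/i, "");
  return families.split(",")[0].trim().replace(/^['"]|['"]$/g, "").toLowerCase();
}

// Each record is one instrumented call { script, api, arg } (hypothetical format):
//   "font.set" -> arg is the font value assigned (canvas context font or span style)
//   "measure"  -> arg is the text whose rendered size was read back
function findFontProbing(records, minFonts = MIN_FONTS, minMeasures = MIN_MEASURES) {
  const perScript = new Map();
  for (const { script, api, arg } of records) {
    if (!perScript.has(script)) perScript.set(script, { fonts: new Set(), measures: new Map() });
    const s = perScript.get(script);
    if (api === "font.set") s.fonts.add(normalizeFamily(arg));
    else if (api === "measure") s.measures.set(arg, (s.measures.get(arg) || 0) + 1);
  }
  const findings = [];
  for (const [script, s] of perScript) {
    const maxSameText = Math.max(0, ...s.measures.values());
    if (s.fonts.size >= minFonts && maxSameText >= minMeasures) {
      findings.push({ script, distinctFonts: s.fonts.size, maxSameText });
    }
  }
  return findings;
}

// Constructed sample log: one script probing 60 font names, one chart script drawing labels.
function sampleLog() {
  const log = [];
  const tracker = "https://tracker.example/fp.js", chart = "https://site.example/chart.js";
  for (let i = 0; i < 60; i++) {
    log.push({ script: tracker, api: "font.set", arg: `72px 'Font${i}', monospace` });
    log.push({ script: tracker, api: "measure", arg: "mmmmmmmmmmlli" });
  }
  for (const label of ["Q1", "Q2", "Q3"]) {
    log.push({ script: chart, api: "font.set", arg: "12px Helvetica, sans-serif" });
    log.push({ script: chart, api: "measure", arg: label });
  }
  return log;
}

console.log(findFontProbing(sampleLog()));
```

Counting distinct normalized families rather than raw font strings keeps ordinary text layout, which changes sizes and labels but uses few fonts, below the threshold.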