RE: Font Based Fingerprinting Papers from Mike O'Neill on 2019-04-19 (public-privacy@w3.org from April to June 2019)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Fri, 19 Apr 2019 20:33:45 +0100
To: <jnovak@apple.com>, "'Pete Snyder'" <psnyder@brave.com>
Cc: "'public-privacy $W3C mailing list$'" <public-privacy@w3.org>
Message-ID: <0a1b01d4f6e6$cf01ce20$6d056a60$@baycloud.com>
Yes, that uses the canvas-font method, put some fixed text in a span inside a canvas element, then read how big the enclosing rectangle is. You would need to try a lot of fonts to get any reasonable number of bits for a UID. 

 

You could imagine mitigation e.g. you could detect styling different fonts on the same span then refuse to do more that a small number, but it would be hard get folk to implement it unless there was evidence there was a major risk.

 

Have Apple got any figures on how common font enumeraion is in the wild?

 

Mike

 

From: jnovak@apple.com <jnovak@apple.com> 
Sent: 19 April 2019 19:01
To: Pete Snyder <psnyder@brave.com>; Mike O'Neill <michael.oneill@baycloud.com>
Cc: public-privacy (W3C mailing list) <public-privacy@w3.org>
Subject: Re: Font Based Fingerprinting Papers

 

And while JS doesn’t have an API to return all fonts, it can be used to probe for fonts which is effectively enumeration.

 

fingerprintjs2 <https://github.com/Valve/fingerprintjs2>  has an implementation of such in lines 525-712 of fingerprint2.js <https://github.com/Valve/fingerprintjs2/blob/master/fingerprint2.js> .

 

J





On Apr 19, 2019, at 12:56 PM, Pete Snyder <psnyder@brave.com <mailto:psnyder@brave.com> > wrote:

 

Mike, please take another look at the studies.  Flash is just one of many ways of doing font enumeration discussed.

Also, none of these are unique as individual identifiers, but the combine to be very unique.  This is how all (as far as I know) passive fingerprinting is done. 

And to echo Jason’s point, it’d be nice to take cookies out of the picture, but thats not quite a “easy first win”. ;)

Pete Snyder
{pes,psnyder}@brave.com <mailto:psnyder%7d@brave.com> 
Brave Software
Privacy Researcher




On Apr 19, 2019, at 6:39 PM, Mike O'Neill <michael.oneill@baycloud.com <mailto:michael.oneill@baycloud.com> > wrote:

This and the Princeton study conclude that most fingerprinting techniques are not very effective at getting unique identifiers, and the Princeton found only 2.5% of sites had font fingerprinting.

http://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf

There is no JS function to enumerate fonts, and the early studies e.g. the EFF’s, had to use Flash, luckily no longer very common. The usual way now is for script to try different fonts in a canvas contained <span>, then measure how big the resulting text is in pixels.

The script then has to deliver the resulting fingerprint ID via another HTTP transaction (XHR, Fetch, Image etc.) and then has to link it to the initiating browsing context with a cookie UID.

They found non-font canvas fingerprinting was twice as common, a bit over 5%, but was in fact was usually being used for fraud detection, because there is not enough entropy to be commercially useful for tracking.

Cookies, on the other hand, are used for tracking on >>95% of sites, including the ones supposedly using fingerprinting.

Mike


From: jnovak@apple.com <mailto:jnovak@apple.com>  <jnovak@apple.com <mailto:jnovak@apple.com> > 
Sent: 19 April 2019 15:29
To: Pete Snyder <psnyder@brave.com <mailto:psnyder@brave.com> >
Cc: public-privacy@w3.org <mailto:public-privacy@w3.org> 
Subject: Re: Font Based Fingerprinting Papers

Thanks for the links Pete.  Here’s another paper on fingerprinting more generally that has some interesting stats on font fingerprinting.

Alejandro Gómez-Boix, Pierre Laperdrix, and Benoit Baudry’s "Hiding in the Crowd: an Analysis of the Eectiveness of Browser Fingerprinting at Large Scale” — https://www.doc.ic.ac.uk/~maffeis/331/EffectivenessOfFingerprinting.pdf.

J





On Apr 19, 2019, at 9:06 AM, Pete Snyder <psnyder@brave.com <mailto:psnyder@brave.com> > wrote:

Hi all,

As promised, here are some papers describing the accuracy and (in two cases) frequency of using font enumeration to finger print browsers.

I’ll try to come up with a first, goof-attempt at a proposed change well in advance of our next call too.

Laperdrix, Pierre, Walter Rudametkin, and Benoit Baudry. "Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints." 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 2016.
https://hal.inria.fr/hal-01285470/document

Nikiforakis, Nick, et al. "Cookieless monster: Exploring the ecosystem of web-based device fingerprinting." 2013 IEEE Symposium on Security and Privacy. IEEE, 2013.
https://ieeexplore.ieee.org/iel7/6547086/6547088/06547132.pdf

Eckersley, Peter. "How unique is your web browser?." International Symposium on Privacy Enhancing Technologies Symposium. Springer, Berlin, Heidelberg, 2010.
https://panopticlick.eff.org/static/browser-uniqueness.pdf


Pete Snyder
{pes,psnyder}@brave.com
Brave Software
Privacy Researcher
Received on Friday, 19 April 2019 19:34:14 UTC