Mercredi 4 Mai 2022
Improving Security and Privacy of the Web : a look through the lens of Browser Fingerprinting
Browser fingerprinting is the process of identifying devices by accessing a collection of relatively stable attributes through Web browsers. We call the generated identifiers browser fingerprints. Fingerprints are stateless identifiers and no information is stored on the client’s device. In this talk I will look at three properties of browser fingerprinting that make it both a risk to privacy, but also of use for security. These properties are Uniqueness, Stability and Consistency. Through our results from multiple empirical studies, we'll show how these influence the uses and risks of browser fingerprinting. In short, we show that fingerprints present a relatively high level of statistical uniqueness [Laperdrix 2016], and although a fingerprint is unstable, the changes still allow for tracking [Vastel 2018a, Tomer 2022]. We also show that recent defenses to fingerprinting are deficient and potentially counterproductive [Vastel 2018b].

I'll also take a look at some of the practical uses of browser fingerprinting, such as building or complementing lightweight security mechanisms, as well as it's use in bot detection to fight Web crawlers. I draw some perspectives for exploring browser fingerprinting for multi-factor authentication [Durey 2021]. I believe there is potential in automated testing to improve privacy to help developers defend against introducing "privacy bugs" [Vastel 2018c]. And of course, we know that fingerprint tracking does not happen in a bubble, it is complementary to other techniques. I therefore explore other tracking techniques, such as our preliminary results around IP addresses [Mishra 2020] and caches [Mishra 2021], fingerprinting filterlists in ad blockers, as well as our recent results on GPU fingerprinting [Tomer 2022].
## References :
[Durey 2021] A. Durey, P Laperdrix, W Rudametkin, R. Rouvoy. "FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security." DIMVA'21.
[Laperdrix 2016] Pierre Laperdrix, Walter Rudametkin and Benoît Baudry. Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. In 2016 IEEE Symposium on Security and Privacy (SP), pages 878–894, May 2016.
[Mishra 2020] Vikas Mishra, Pierre Laperdrix, Antoine Vastel, Walter Rudametkin, Romain Rouvoy and Martin Lopatka. Don’t count me out: On the relevance of IP addresses in the tracking ecosystem. In Bruno Crispo and Nick Nikiforakis, editors, The Web Conference 2020, volume Security, Privacy, and Trust of Proceedings of The Web Conference (WWW’20), Tapeï, Taiwan, April 2020.
[Mishra 2021] Vikas Mishra, Pierre Laperdrix, Walter Rudametkin and Romain Rouvoy. Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users. In PETS 2021 - The 21th International Symposium on Privacy Enhancing Technologies, Virtual, France, July 2021.
[Tomer 2022] Tomer Laor, Naif Mehanna, Antonin Durey, Vitaly Dyadyuk, Pierre Laperdrix, Clémentine Mauric, Yossi Oren, Romain Rouvoy, Walter Rudametkin, Yuval Yarom. DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting. Network and Distributed System Security Symposium (NDSS 2022), June 2022, San Diego, United States.
[Vastel 2018a] Antoine Vastel, Pierre Laperdrix, Walter Rudametkin and Romain Rouvoy. Fp-Scanner: The Privacy Implications of Browser Fingerprint Inconsistencies. In 27th USENIX Security Symposium (USENIX Security 18), pages 135–150, Baltimore, MD, 2018. USENIX Association.
[Vastel 2018b] Antoine Vastel, Pierre Laperdrix, Walter Rudametkin and Romain Rouvoy. FP-STALKER: Tracking Browser Fingerprint Evolutions. In Bryan Parno and Christopher Kruegel, editors, IEEE S&P 2018 - 39th IEEE Symposium on Security and Privacy, Proceedings of the 39th IEEE Symposium on Security and Privacy (S&P), pages 728–741, San Francisco, United States, May 2018. IEEE.
[Vastel 2018c] Antoine Vastel, Walter Rudametkin and Romain Rouvoy. FP-TESTER: Automated Testing of Browser Fingerprint Resilience. In 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pages 103–107. IEEE, 2018.
[Vastel 2020] Antoine Vastel, Walter Rudametkin, Romain Rouvoy and Xavier Blanc. FP-Crawlers: Studying the Resilience of Browser Fingerprinting to Block Crawlers. In Oleksii Starov, Alexandros Kapravelos and Nick Nikiforakis, editors, MADWeb’20 - NDSS Workshop on Measurements, Attacks, and Defenses for the Web, San Diego, United States, February 2020.
Mis à jour le 3 mai 2022