FP-tracer: Fine-grained Browser Fingerprinting Detection via Taint-tracking and Entropy-based Thresholds

Proceedings on Privacy Enhancing Technologies Pub Date : 2024-07-01 DOI:10.56553/popets-2024-0092

Soumaya Boussaha, Lukas Hock, Miguel Bermejo, Rubén Cuevas Rumin, Ángel Cuevas Rumín, David Klein, Martin Johns, Luca Compagna, Daniele Antonioli, Thomas Barber

{"title":"FP-tracer: Fine-grained Browser Fingerprinting Detection via Taint-tracking and Entropy-based Thresholds","authors":"Soumaya Boussaha, Lukas Hock, Miguel Bermejo, Rubén Cuevas Rumin, Ángel Cuevas Rumín, David Klein, Martin Johns, Luca Compagna, Daniele Antonioli, Thomas Barber","doi":"10.56553/popets-2024-0092","DOIUrl":null,"url":null,"abstract":"Browser fingerprinting is an effective technique to track web users by building a fingerprint from their browser attributes. It is also stealthy because the tracker uses legitimate JavaScript API calls offered by the browser engine, which can be obfuscated before they are sent to a (third-party) server. Current browser fingerprinting methodologies employ coarse-grained collection and classification techniques, such as binary classification of fingerprinters based on the number of non-obfuscated exfiltrated attributes. As a result, they produce inconsistent findings. Meanwhile, the privacy of millions of web users is at risk daily. We address this gap by presenting FP-tracer, a novel methodology to detect and classify browser fingerprinters based on dynamic taint tracking and joint entropy classification. Our methodology enables detecting first- and third-party fingerprinters even when they use obfuscation by tainting attributes, propagating them, and logging when they are leaked (via 62 sources and 25 sinks). Moreover, it discriminates the invasiveness of fingerprinting activities, even from the same service, by measuring the joint entropy of the collected attributes and clustering them. We implement FP-tracer by extending Foxhound, a privacy-oriented Firefox fork with numeric type tainting, more taint tracking sources and sinks, support for multiple sources, and better logging capabilities. We embed our implementation in our automated crawling infrastructure, which is capable of testing websites in parallel using programmable and reproducible logic. We will open-source our implementation. We evaluate FP-tracer by performing a large-scale crawl over the Tranco Top 100K, and detect, amongst others, audio, canvas, and storage fingerprinting on the web. Among others, we find high fingerprinting activities in 8% of domains, with more moderate activity reaching 75%. Notably, fingerprinting is almost five times more likely to be performed by third-party scripts for high activity levels. In addition, we measure that the most severe category of fingerprinting obfuscates 46% of transmitted attributes, and 38% of fingerprinters involve two or more domains. Finally, we find that existing consent banners do not provide an effective defense against browser fingerprinting","PeriodicalId":519525,"journal":{"name":"Proceedings on Privacy Enhancing Technologies","volume":"54 26","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings on Privacy Enhancing Technologies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.56553/popets-2024-0092","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Browser fingerprinting is an effective technique to track web users by building a fingerprint from their browser attributes. It is also stealthy because the tracker uses legitimate JavaScript API calls offered by the browser engine, which can be obfuscated before they are sent to a (third-party) server. Current browser fingerprinting methodologies employ coarse-grained collection and classification techniques, such as binary classification of fingerprinters based on the number of non-obfuscated exfiltrated attributes. As a result, they produce inconsistent findings. Meanwhile, the privacy of millions of web users is at risk daily. We address this gap by presenting FP-tracer, a novel methodology to detect and classify browser fingerprinters based on dynamic taint tracking and joint entropy classification. Our methodology enables detecting first- and third-party fingerprinters even when they use obfuscation by tainting attributes, propagating them, and logging when they are leaked (via 62 sources and 25 sinks). Moreover, it discriminates the invasiveness of fingerprinting activities, even from the same service, by measuring the joint entropy of the collected attributes and clustering them. We implement FP-tracer by extending Foxhound, a privacy-oriented Firefox fork with numeric type tainting, more taint tracking sources and sinks, support for multiple sources, and better logging capabilities. We embed our implementation in our automated crawling infrastructure, which is capable of testing websites in parallel using programmable and reproducible logic. We will open-source our implementation. We evaluate FP-tracer by performing a large-scale crawl over the Tranco Top 100K, and detect, amongst others, audio, canvas, and storage fingerprinting on the web. Among others, we find high fingerprinting activities in 8% of domains, with more moderate activity reaching 75%. Notably, fingerprinting is almost five times more likely to be performed by third-party scripts for high activity levels. In addition, we measure that the most severe category of fingerprinting obfuscates 46% of transmitted attributes, and 38% of fingerprinters involve two or more domains. Finally, we find that existing consent banners do not provide an effective defense against browser fingerprinting

查看原文本刊更多论文

FP-tracer：通过污点跟踪和基于熵的阈值进行细粒度浏览器指纹检测

浏览器指纹识别是一种通过浏览器属性建立指纹来跟踪网络用户的有效技术。它还具有隐蔽性，因为跟踪器使用浏览器引擎提供的合法 JavaScript API 调用，这些调用在发送到（第三方）服务器之前可以进行混淆。目前的浏览器指纹识别方法采用粗粒度的收集和分类技术，例如根据非混淆外泄属性的数量对指纹识别器进行二进制分类。因此，这些方法得出的结果并不一致。与此同时，每天都有数百万网络用户的隐私受到威胁。为了弥补这一不足，我们提出了 FP-tracer，这是一种基于动态污点跟踪和联合熵分类来检测和分类浏览器指纹器的新方法。我们的方法通过污染属性、传播属性和记录属性泄露（通过 62 个来源和 25 个汇集），即使第一和第三方浏览器使用混淆技术，也能检测到它们。此外，它还通过测量所收集属性的联合熵并对其进行聚类，来区分指纹识别活动的侵扰性，即使是来自同一服务的指纹识别活动。我们通过扩展 Foxhound 实现了 FP-tracer，Foxhound 是面向隐私的 Firefox fork，具有数字类型污点、更多污点跟踪源和汇、多源支持和更好的日志记录功能。我们将在自动爬行基础架构中嵌入我们的实现，该基础架构能够使用可编程和可重现的逻辑并行测试网站。我们将开源我们的实施方案。我们通过对 Tranco Top 100K 进行大规模抓取来评估 FP-tracer，并在网络上检测音频、画布和存储指纹等。其中，我们发现有 8% 的领域存在大量指纹识别活动，中等程度的活动达到 75%。值得注意的是，在高活跃度情况下，第三方脚本执行指纹识别的可能性几乎是普通脚本的五倍。此外，我们发现最严重的指纹识别混淆了 46% 的传输属性，38% 的指纹识别者涉及两个或更多的域。最后，我们发现现有的同意横幅并不能有效抵御浏览器指纹识别。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings on Privacy Enhancing Technologies

自引率

0.00%

发文量