Fingerprinting Information in JavaScript Implementations

By Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham.

In Proceedings of W2SP 2011. IEEE Computer Society, May 2011.

Abstract

To date, many attempts have been made to fingerprint users on the web. These fingerprints allow browsing sessions to be linked together and possibly even tied to a user’s identity. They can be used constructively by sites to supplement traditional means of user authentication such as passwords; and they can be used destructively to counter attempts to stay anonymous online.

In this paper, we identify two new avenues for browser fingerprinting. The new fingerprints arise from the browser’s JavaScript execution characteristics, making them difficult to simulate or mitigate in practice. The first uses the innate performance signature of each browser’s JavaScript engine, allowing the detection of browser version, operating system and microarchitecture, even when traditional forms of system identification (such as the user-agent header) are modified or hidden. The second subverts the whitelist mechanism of the popular NoScript Firefox extension, which selectively enables web pages’ scripting privileges to increase privacy by allowing a site to determine if particular domains exist in a user’s NoScript whitelist.

We have experimentally verified the effectiveness of our system fingerprinting technique using a 1,015-person study on Amazon’s Mechanical Turk platform.

Material

Reference

@InProceedings{MBYS11, author = {Keaton Mowery and Dillon Bogenreif and Scott Yilek and Hovav Shacham}, title = {Fingerprinting Information in {JavaScript} Implementations}, booktitle = {Proceedings of W2SP 2011}, year = 2011, editor = {Helen Wang}, month = may, organization = {IEEE Computer Society} }

Navigation: Hovav Shacham // Publications // [MBYS11]