Fingerprinting Information in JavaScript Implementations

Authors

Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham

Abstract

To date, many attempts have been made to fingerprint users on the web. These fingerprints allow browsing sessions to be linked together and possibly even tied to a user's identity. They can be used constructively by sites to supplement traditional means of user authentication such as passwords; and they can be used destructively to counter attempts to stay anonymous online. In this paper, we identify two new avenues for browser fingerprinting. The new fingerprints arise from the browser's JavaScript execution characteristics, making them difficult to simulate or mitigate in practice. The first uses the innate performance signature of each browser's JavaScript engine, allowing the detection of browser version, operating system and microarchitecture, even when traditional forms of system identification (such as the user-agent header) are modified or hidden. The second subverts the whitelist mechanism of the popular NoScript Firefox extension, which selectively enables web pages' scripting privileges to increase privacy, by allowing a site to determine if particular domains exist in a user's NoScript whitelist. We have experimentally verified the effectiveness of our system fingerprinting technique using a 1,015-person study on Amazon's Mechanical Turk platform.

Reference

Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham.
Fingerprinting Information in JavaScript Implementations.
Proceedings of Web 2.0 Security and Privacy 2011 - W2SP 2011.

Versions

PDF

See Also

W2SP 2011 Website