Browser fingerprint: what it is, how it works, whether it violates the law and how to protect yourself. Part 1

From Selectel: This article is the first in a series of translations of a very detailed article on browser fingerprinting and how the technology works. Here is everything you wanted to know, but were afraid to ask on this topic.

What are browser fingerprints?

This is a method used by websites and services to track visitors. Users are assigned a unique identifier (fingerprint). It contains a lot of information about users' browser settings and capabilities, which is used to identify them. In addition, browser fingerprinting allows websites to track behavioral patterns in order to identify users even more accurately later on.

The uniqueness is about the same as that of real fingerprints. Only the latter are collected by the police to search for suspects in crimes. But browser fingerprint technology is not used to track criminals at all. After all, we're not criminals here, right?

What data does a browser fingerprint collect?

We have known since the dawn of the Internet that a person can be tracked by IP address. But in this case, everything is much more complicated. The browser fingerprint includes an IP address, but this is far from the most important information. In fact, an IP address is not needed to identify you.

According to a study by the EFF (Electronic Frontier Foundation), a browser fingerprint includes:

  • User-agent (including not only the browser, but also the OS version, device type, language settings, toolbars, etc.).
  • Timezone.
  • Screen resolution and color depth.
  • Supercookies.
  • Cookie settings.
  • System fonts.
  • Browser plugins and their versions.
  • Visit log.

According to the EFF study, the uniqueness of the browser fingerprint is very high. Statistically, a complete match between the browser fingerprints of two different users happens only once in 286777 cases.

According to another study, the accuracy of user identification using a browser fingerprint is 99.24%. Changing one of the browser settings reduces the accuracy of user identification by only 0.3%. There are browser fingerprint tests that show how much information is collected.
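To show how a handful of ordinary attributes adds up to a near-unique fingerprint, the added example below (not part of the original article) measures the size of a visitor's anonymity set and the matching self-information in bits. The visitor records and all function names are constructed for illustration; only the 1-in-286777 figure comes from the text above.

```javascript
// Constructed sample population (not measured data); the target is the first visitor.
const visitors = [
  { userAgent: 'Firefox/115 (Windows)', timezone: 'UTC+3', screen: '1920x1080x24', fonts: 'A' },
  { userAgent: 'Firefox/115 (Windows)', timezone: 'UTC+1', screen: '1920x1080x24', fonts: 'B' },
  { userAgent: 'Chrome/120 (Windows)', timezone: 'UTC+3', screen: '1920x1080x24', fonts: 'A' },
  { userAgent: 'Chrome/120 (Windows)', timezone: 'UTC+1', screen: '1366x768x24', fonts: 'B' },
  { userAgent: 'Chrome/120 (Android)', timezone: 'UTC+3', screen: '412x915x24', fonts: 'C' },
  { userAgent: 'Firefox/115 (Windows)', timezone: 'UTC+3', screen: '1366x768x24', fonts: 'B' },
  { userAgent: 'Chrome/120 (Windows)', timezone: 'UTC+1', screen: '1920x1080x24', fonts: 'A' },
  { userAgent: 'Safari/17 (macOS)', timezone: 'UTC+1', screen: '1920x1080x24', fonts: 'D' },
];

// Self-information in bits of an observation seen with probability p.
function surprisalBits(p) {
  return -Math.log2(p);
}

// Visitors that share the target's value for every listed attribute.
function anonymitySet(population, target, attrs) {
  return population.filter((v) => attrs.every((a) => v[a] === target[a]));
}

// Size of the anonymity set and the bits of identifying information it represents.
function identifiability(population, target, attrs) {
  const size = anonymitySet(population, target, attrs).length;
  return { setSize: size, bits: surprisalBits(size / population.length) };
}

// Per-attribute and combined identifiability of one visitor.
function report(population, target) {
  const attrs = Object.keys(target);
  const perAttribute = {};
  for (const a of attrs) perAttribute[a] = identifiability(population, target, [a]);
  return { perAttribute, combined: identifiability(population, target, attrs) };
}

// The article's figure: one full match in 286777 fingerprints.
const effBits = surprisalBits(1 / 286777);

const result = report(visitors, visitors[0]);
console.log(result, effBits.toFixed(2));
```

No single attribute singles out the target, but the four together leave an anonymity set of one.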

How browser fingerprinting works

Why is it possible to collect information about the browser at all? It's simple - your browser communicates with a web server when you request a website address. In a normal situation, sites and services assign a unique identifier to the user.

For example, "gh5d443ghjflr123ff556ggf".

This string of random letters and numbers helps the server recognize you and associate your browser and preferences with you. The actions you take online will be assigned approximately the same code.

So, if you are logged into Twitter, where there is some information about you, all this data will be automatically associated with the same identifier.

Of course, this code will not be with you for the rest of your days. If you start surfing from a different device or browser, then the identifier will most likely change too.

How do websites collect user data?

This is a two-tier process that works on both the server side and the client side.

Server Side

Site access logs

In this case, we are talking about the collection of data sent by the browser. At a minimum, this includes:

  • The requested protocol.
  • The requested URL.
  • Your IP address.
  • Referer.
  • User-agent.
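The added example below (not part of the original article) parses the fields listed above out of access-log lines and groups the requests first by IP address and then by user-agent. It assumes the widely used "combined" log format, which the article does not name; the log lines, addresses (documentation ranges) and function names are constructed for illustration.

```javascript
// Constructed log lines in the "combined" access-log format (an assumption).
const SAMPLE_LOG = [
  '198.51.100.7 - - [10/Mar/2024:09:15:02 +0000] "GET /catalog HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"',
  '203.0.113.44 - - [10/Mar/2024:09:47:30 +0000] "GET /cart HTTP/1.1" 200 2048 "https://example.org/catalog" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"',
  '203.0.113.44 - - [10/Mar/2024:09:48:11 +0000] "GET /catalog HTTP/2.0" 200 5120 "-" "Mozilla/5.0 (Linux; Android 14) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36"',
];

// ip ident user [time] "method url protocol" status bytes "referer" "user-agent"
const COMBINED = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)" \d{3} \S+ "([^"]*)" "([^"]*)"$/;

// Extract the fields the article lists: protocol, URL, IP, referer, user-agent.
function parseLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null; // malformed or differently formatted line
  const [, ip, , url, protocol, referer, userAgent] = m;
  return { ip, url, protocol, referer, userAgent };
}

// Group the requested URLs by the value of one parsed field.
function groupBy(entries, field) {
  const groups = new Map();
  for (const e of entries) {
    if (!groups.has(e[field])) groups.set(e[field], []);
    groups.get(e[field]).push(e.url);
  }
  return groups;
}

// Compare what IP-based and header-based grouping each say about the same traffic.
function correlate(lines) {
  const entries = lines.map(parseLine).filter(Boolean);
  return { byIp: groupBy(entries, 'ip'), byUserAgent: groupBy(entries, 'userAgent') };
}

console.log(correlate(SAMPLE_LOG));
```

Grouping by IP splits the Firefox browser across two addresses and merges it with an unrelated Android browser behind the second one, while the user-agent, a single header value and only one component of a fingerprint, keeps the Firefox requests together.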

Headers

Web servers receive them from your browser. Headers are important because they allow you to be sure that the requested site works with your browser.

For example, header information lets the site know if you're using a desktop or mobile device. In the second case, a redirect will occur to a version optimized for mobile devices. Unfortunately, the same data will end up in your fingerprint.

Cookies

Everything is clear here. Web servers always exchange cookies with browsers. If you specify the ability to work with cookies in the settings, they are stored on your device and sent to the server whenever you visit a site that you have already visited before.

Cookies help you surf more comfortably, but they also reveal more information about you.

Canvas Fingerprinting

This method uses the HTML5 canvas element, which WebGL also uses to render 2D and 3D graphics in the browser.

This method usually "forces" the browser to render graphical content, including images, text, or both. For you, this process is invisible, since everything happens in the background.

Once the process is complete, canvas fingerprinting turns the graphics into a hash, which becomes the very unique identifier we talked about above.

This method allows you to get the following information about your device:

  • Graphics adapter.
  • Graphics adapter driver.
  • Processor (if there is no dedicated graphics chip).
  • Installed fonts.
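To hash what it has drawn, a script has to read the pixels back from the canvas, so the readback call is where the technique can be observed. The added example below (not part of the original article) wraps the readback methods and reports each call, flagging a canvas that is not attached to the page; `watchReadback`, `FakeCanvas` and `demo` are hypothetical names, and `FakeCanvas` is a constructed stand-in so the code also runs outside a browser.

```javascript
// Wrap pixel-readback methods on a prototype and report every call to onRead.
// Returns a function that removes the wrappers again.
function watchReadback(proto, methodNames, onRead) {
  const undo = [];
  for (const name of methodNames) {
    const original = proto[name];
    if (typeof original !== 'function') continue; // method absent in this environment
    proto[name] = function (...args) {
      const canvas = this.canvas || this; // 2D-context methods reach the element via .canvas
      onRead({
        method: name,
        width: canvas.width,
        height: canvas.height,
        // A canvas that is not part of the page is never shown to the user.
        offscreen: canvas.isConnected === false,
      });
      return original.apply(this, args); // behaviour is unchanged, only observed
    };
    undo.push(() => { proto[name] = original; });
  }
  return () => undo.forEach((restore) => restore());
}

// Constructed stand-in for a canvas element, used only outside a browser.
class FakeCanvas {
  constructor() { this.width = 240; this.height = 60; this.isConnected = false; }
  toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
}

// Observe one readback on the stand-in, then remove the hook.
function demo() {
  const events = [];
  const stop = watchReadback(FakeCanvas.prototype, ['toDataURL', 'getImageData'], (e) => events.push(e));
  const result = new FakeCanvas().toDataURL();
  stop();
  new FakeCanvas().toDataURL(); // no longer observed
  return { events, result };
}

// In a browser the same hook attaches to the real prototypes.
if (typeof HTMLCanvasElement !== 'undefined') {
  const log = (e) => console.warn('canvas readback', e);
  watchReadback(HTMLCanvasElement.prototype, ['toDataURL', 'toBlob'], log);
  watchReadback(CanvasRenderingContext2D.prototype, ['getImageData'], log);
}
```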

Client side logging

This implies that your browser is exchanging a lot of information thanks to:

Adobe Flash and JavaScript

According to the AmIUnique FAQ, if you have JavaScript enabled, then data about your plugins or hardware specifications is transmitted outside.

If Flash is installed and activated, this provides the third-party "observer" with even more information, including:

  • Your timezone.
  • OS version.
  • Screen resolution.
  • A complete list of fonts installed in the system.

Cookies

They play a very important role in logging. So, you usually need to decide whether to allow your browser to handle cookies or delete them completely.

In the first case, the web server receives just a huge amount of information about your device and preferences. If you do not accept cookies, sites will still receive some data about your browser.

Why do we need browser fingerprint technology?

Basically, in order for the device user to receive a site optimized for his device, regardless of whether he accessed the Internet from a tablet or smartphone.

In addition, the technology is used for advertising. It's just the perfect data mining tool.

For example, after receiving the information collected by the server, suppliers of goods or services can create very finely targeted advertising campaigns with personalization. Targeting accuracy is much higher than using just IP addresses.

For example, advertisers can use browser fingerprinting to get a list of site users whose screen resolution can be described as low (e.g. 1300*768) and who are looking for better monitors in the seller's online store. Or users who simply surf the site without the intention of buying anything.

The information obtained can then be used to target ads for high-quality, high-resolution monitors to users with a small and outdated display.

In addition, browser fingerprint technology is also used to:

  • Fraud and botnet detection. This is a really useful feature for banks and financial institutions. It allows them to separate user behavior from the activity of attackers.
  • Detection of VPN and proxy users. Intelligence agencies can use this method to track Internet users with hidden IP addresses.

Ultimately, even if browser fingerprinting is used for legitimate purposes, it is still very bad for user privacy. Especially if the latter are trying to protect themselves with a VPN.

Also, browser fingerprints can be a hacker's best friend. If they know the exact data about your device, they can use special exploits to hack the device. There is nothing complicated about this - any cybercriminal can create a fake site with a fingerprinting script.

Recall that this article is only the first part; there are two more to come. They address the legality of collecting users' personal data, the possible uses of this data, and methods of protection against overly active "collectors".

Source: habr.com