Very cool to see that they've even gone as far as inferring elements like the likelihood of MS Office being installed on your computer by checking the width of a container with the font 'Leelawadee' specified:
> As this font is a non-free Microsoft font for the Thai Language, we do not expect users without Microsoft Office to have it installed
There is lots of really interesting information in here past what you might figure out yourself if you've played around with abusing CSS yourself before. So many things that had just never, and probably would never have, occurred to me to try.
It is definitely worth a read (or skim) over the paper to see the lengths they went to in order to figure out some of the unique elements to fingerprint on.
I don't remember where I read that and was not able to find it again.
There is a web/desktop app (like zoom) that install a font when you install the app, and the web app check if this font is install to trigger the open in app popup.
It’s a common enough technique that this surely isn’t the only example, but there was discussion here a while back about TeamViewer doing this to detect the presence and version of the client software when clicking a link to open a remote session:
seems like you have to allow `@container` checks or something similar for this to work in order to then make your network request `#something { background-image: url('/x-browser-y-os-detected'); }`
CISPA is really interesting, I was just reading this on their site the other day - They're developing grey box coverage based fuzzing tools for PHP web applications, which is how I know about them in the first place. Definitely one of those entities to look out for in serious cybersecurity research going into 2025
I wonder if you could track the usage of features known to be used for fingerprinting and disable the functionality if enough are used. I assume that most sites using advanced fingerprinting like this are also the kind that would remove it quickly if it causes the site to break.
Couldn't most fingerprinting techniques be thwarted by just using a stock windows install in a frozen VM with a stock browser without changing anything? Wouldn't that make you pretty boring as far as any potential variations go?
If you go for a stock browser without changing anything - that means you can't install ublock origin, or noscript, or adjust the cookie settings.
If the fingerprint detects you're running your browser in a VM? Because your canvas/webgl stuff reveals a graphics card that is only seen on VMs, or your mouse movement is characteristic of the way host OSes pass mouse movement to guest OSes? That's an unusual characteristic.
If you freeze the VM and everyone else installs updates? Your configuration will gradually become unusual because of its age.
And of course if you've got a 4k screen but you run your VM at 1920x1080, the gain in anonymity has come at the cost of most of your screen real estate.
Also, if you do manage to completely resist tracking by IP address, by cookies, and by browser fingerprints? Your reward is that Cloudflare and Google ReCaptcha will give you endless tedious challenges. ReCaptcha has a special extra-slow mode, specifically to punish people like you. I hope you like clicking fire hydrants!
FWIW, I've used a stock Windows VM + Chrome a few times for testing things. Of course you don't freeze it solid, you just take a snapshot before installing the browser, and revert to that snapshot whenever you want to update the OS. For the screen real-estate issue, just get a VM viewer that doesn't insist on showing the full screen. You also don't block cookies every second, you just wipe them regularly.
The Captcha services don't particularly care, since obviously they don't want to punish people on a fresh system. They care far, far more about whether I'm going through a commercial VPN, doubly so if I'm using Tor. But if I'm really worried about IP tracking, I usually run it through my university network.
Of course, a sufficiently-motivated fingerprinting service can surmount any barrier in theory, with typographic analysis and whatnot. But in practice, websites tend not to care to an extraordinary extent.
E.g., I remember one person who was convinced that Google/YouTube used your specific IP address (not just your cookies, or your geo-IP location) as a major part of ad targeting. But lo and behold, the whole VM setup consistently gave me a generic set of ads, as did just wiping my browser cookies. Of course, their explanation was "Of course they're detecting that you're trying to sniff them out, so they're only giving you generic ads to uphold the conspiracy!" As if cookies + geo-IP weren't more than enough for 99.9% of users they want to display ads to.
My understanding is that a VM should already be mimicing standardized hardware, and that apple (especially desktop) users are such a small percentage compared to windows, that you wouldn't want to base anything trying to "blend in" on that.
I used to work in this space. Your best bet is a recent iPhone. There are a lot of them out there, they're usually up-to-date, and Apple only releases a handful models with relevant differences per year.
not really. webgl hardware parameters, canvas fingerprints, audio device fingerprints, javascript engine are pretty crazy. In addition if you use your device at all you probably have other fingerprints like custom fonts installed by you or apps, extensions & similar. Not to mention IP and session data like you being logged in in different services that any website can check.
Try visiting something like https://abrahamjuliot.github.io/creepjs/ [1] on "identical" incognito mobile devices or desktops and you'll get completely different fingerprint ids
[1] this isn't even the best fingerprint extraction out there, just an eas to use open source one, there are some crazy advanced techniques not implemented in it
> this isn't even the best fingerprint extraction out there, just an eas to use open source one, there are some crazy advanced techniques not implemented in it
What IS the best tool? What other techniques do you know of that it doesn't it implement?
> you being logged in in different services that any website can check
> What IS the best tool? What other techniques do you know of that it doesn't it implement?
The best fingerprinting tools aren't open source they're anti-botting services like CAPTCHA providers & probably ad networks.
This particular service has implementations for several popular fignerprinting techniques but there are so many ways to measure the same thing that even if your fingerprint looks fine on one test a different test of the same measure could detect it as unique. For example a user font fingerprint could be implemented via JS tests, canvas rendering tests or CSS sheets (like in this paper).
The tests that offer the highest degree of hardware variability and uniqueness that I've seen deal with rendering of test and images over canvas.
> how so?
By loading an image that can only be accessed if you're logged in your google / facebook / twitter accounts and checking if the image request returned an error. There's a repo that implements this for >30 different websites, but I can't remember it's name rn. I'll edit this comment later if I remember what it was called
> an image that can only be accessed if you're logged in your google / facebook / twitter accounts
I don't understand how this would work? Wouldn't there have to be some kind of cookie/storage that is accessible to third parties in order to know this? AFAIK this is exactly what angered people about Flash due to their use of cross-domain capable "super cookies".
So I read the second link and it looks to me like this is a combination of problems: the browser ignoring SOP for images, and the website just happening to expose a way to abuse that fact to check if one is logged in.
I think this also assumes you are not using any kind of isolation for your tabs. What I don't understand though, is how it could figure out that I am logged into google even though I have third-party cookies disabled.
As mentioned the paper was accepted in NDSS. https://www.ndss-symposium.org/ndss2025/accepted-papers/
The conference occurs in Feb, and typically, the conference proceedings are published a little earlier than the conference itself.
> Concretely, our expression reveals differences in 1116 OS-browser combination pairs (94.9 %).
Very cool to see that they've even gone as far as inferring elements like the likelihood of MS Office being installed on your computer by checking the width of a container with the font 'Leelawadee' specified:
> As this font is a non-free Microsoft font for the Thai Language, we do not expect users without Microsoft Office to have it installed
There is lots of really interesting information in here past what you might figure out yourself if you've played around with abusing CSS yourself before. So many things that had just never, and probably would never have, occurred to me to try.
It is definitely worth a read (or skim) over the paper to see the lengths they went to in order to figure out some of the unique elements to fingerprint on.
reply