I was impressed at the accuracy they were able to get with browser/architecture detection:
> Concretely, our expression reveals differences in 1116 OS-browser combination pairs (94.9 %).
Very cool to see that they've even gone as far as inferring elements like the likelihood of MS Office being installed on your computer by checking the width of a container with the font 'Leelawadee' specified:
> As this font is a non-free Microsoft font for the Thai Language, we do not expect users without Microsoft Office to have it installed
There is lots of really interesting information in here past what you might figure out yourself if you've played around with abusing CSS yourself before. So many things that had just never, and probably would never have, occurred to me to try.
It is definitely worth a read (or skim) over the paper to see the lengths they went to in order to figure out some of the unique elements to fingerprint on.
I don't remember where I read that and was not able to find it again. There is a web/desktop app (like zoom) that install a font when you install the app, and the web app check if this font is install to trigger the open in app popup.
It’s a common enough technique that this surely isn’t the only example, but there was discussion here a while back about TeamViewer doing this to detect the presence and version of the client software when clicking a link to open a remote session:
https://web.archive.org/web/20220810044159/https://news.ycom...
In their case, the (shell of a) font file goes a little further and encodes the version of the teamviewer client that installed it
I know this is a privacy nightmare but also kinda... cool? Or at least interesting. I don't think I would have thought of this.
1. Measure element dimensions and detect installed fonts (measure a piece of text with specific a specific font to see if its installed)
2. CSS functions (e.g calc) that produce different results across browsers/systems
3. Detecting browser-specific CSS property differences (e.g render a file input, measure it)
seems like you have to allow `@container` checks or something similar for this to work in order to then make your network request `#something { background-image: url('/x-browser-y-os-detected'); }`
CISPA is really interesting, I was just reading this on their site the other day - They're developing grey box coverage based fuzzing tools for PHP web applications, which is how I know about them in the first place. Definitely one of those entities to look out for in serious cybersecurity research going into 2025
Article's date is in the future:
2025-02-02
It's very modern CSS.
Reading the article.
First Online Date: 2024-10-09
Date Posted: 2024-12-05
Date Published: 2025-02-01 (It's being "published" at a conference)
That is probably the scheduled presentation date.
Couldn't most fingerprinting techniques be thwarted by just using a stock windows install in a frozen VM with a stock browser without changing anything? Wouldn't that make you pretty boring as far as any potential variations go?
Yes and no.
If you go for a stock browser without changing anything - that means you can't install ublock origin, or noscript, or adjust the cookie settings.
If the fingerprint detects you're running your browser in a VM? Because your canvas/webgl stuff reveals a graphics card that is only seen on VMs, or your mouse movement is characteristic of the way host OSes pass mouse movement to guest OSes? That's an unusual characteristic.
If you freeze the VM and everyone else installs updates? Your configuration will gradually become unusual because of its age.
And of course if you've got a 4k screen but you run your VM at 1920x1080, the gain in anonymity has come at the cost of most of your screen real estate.
Also, if you do manage to completely resist tracking by IP address, by cookies, and by browser fingerprints? Your reward is that Cloudflare and Google ReCaptcha will give you endless tedious challenges. ReCaptcha has a special extra-slow mode, specifically to punish people like you. I hope you like clicking fire hydrants!
Wouldn't a Macbook be the better platform to mimic as its hardware is so much more standardized? Considering techniques like Canvas fingerprinting.
My understanding is that a VM should already be mimicing standardized hardware, and that apple (especially desktop) users are such a small percentage compared to windows, that you wouldn't want to base anything trying to "blend in" on that.
not really. webgl hardware parameters, canvas fingerprints, audio device fingerprints, javascript engine are pretty crazy. In addition if you use your device at all you probably have other fingerprints like custom fonts installed by you or apps, extensions & similar. Not to mention IP and session data like you being logged in in different services that any website can check.
Try visiting something like https://abrahamjuliot.github.io/creepjs/ [1] on "identical" incognito mobile devices or desktops and you'll get completely different fingerprint ids
[1] this isn't even the best fingerprint extraction out there, just an eas to use open source one, there are some crazy advanced techniques not implemented in it