The latest attack on Internet anonymity=>Forget cookies, your browser has fingerprints

[Dave Farber <dave () farber net>]

Begin forwarded message:

> From: Steve Goldstein <steve.goldstein () cox net>
> Date: May 20, 2010 4:18:01 PM EDT
> To: dave () farber net
> Subject: Re: [IP] The latest attack on Internet anonymity=>Forget  
> cookies, your browser has fingerprints

> Macworld review article:
>
> http://www.macworld.com/article/151328/2010/05/web_tracking.html
>
> EFF: Forget cookies, your browser has fingerprints
> by Robert McMillan, IDG News Service
>
> Even without cookies, popular browsers such as Internet Explorer and  
> Firefox give Web sites enough information to get a unique picture of  
> their visitors about 94 percent of the time, according to  
> researchcompiled over the past few months by the Electronic Frontier  
> Foundation.PEOPLE WHO READ THIS ALSO READ:
>
> The research puts a quantitative assessment on something that  
> security gurus have known about for years, said Peter Eckersley, the  
> EFF senior staff technologist who did the research. He found that  
> configuration information—data on the type of browser, operating sys 
> tem, plugins, and even fonts installed can be compiled by Web sites  
> to create a unique portrait of most visitors.
>
> This means that most Internet users are a lot less anonymous than  
> they believe, Eckersley said. “Even if you turn off cookies and you  
> use a proxy to hide your IP address, you could still be tracked,” he 
>  said.
>
> The data doesn’t actually identify the Web user, but it creates a un 
> ique browser “fingerprint,” that can be used to identify the user  
> when he visits other Web sites.
>
> Using JavaScript, Web sites are able to probe PCs and learn a lot.  
> No single piece of data is enough to identify the visitor on its  
> own, but when it’s all strung together — browser version,  
> language, operating system, time zone details—a clearer picture emer 
> ges. Some things—what combination of plugins and fonts are installed 
> , for example—can be a dead giveaway.
>
> And using the private mode offered by some browser-makers does  
> nothing to stop this analysis. “They provide you with some protectio 
> n against other people who may be in your house or who have access t 
> o your computer, but they haven’t got to the point where they’ve  
> provided protection against the companies that are profiling Web use 
> rs,” Eckersley said.
>
> In fact, there are already a handful of companies have already  
> started offering this kind of cookie-less Web tracking to help e- 
> commerce sites identify fraudsters. Companies such as 41st  
> Parameter, ThreatMetrix, and Iovation are widely used in the  
> banking, e-commerce and social Web sites.
>
> And the products work. Last August, when Serbian criminals started  
> testing stolen credit cards by posting hundreds of $1.99  
> transactions to the iReel.com online movie site each day, iReel  
> turned to ThreatMetrix to get a fix on the fraudsters.
>
> . . .
>                                          8< ...snip ... >8
>
> The EFF site:
> http://panopticlick.eff.org/
>
> A research project of the Electronic Frontier Foundation
> Panopticlick — How Unique, and Trackable, Is Your Browser?
>
> Is your browser configuration rare or unique? If so, web sites may  
> be able to track you, even if you limit or disable cookies.
>
> Panopticlick tests your browser to see how unique it is based on the  
> information it will share with sites it visits. Click below and you  
> will be given a uniqueness score, letting you see how easily  
> identifiable you might be as you surf the web.
>
> Only anonymous data will be collected by this site.
>
> Click here to test how trackable your browser is.
> The statistical results of this experiment have now been published.
>
>
>
> My results:
>
>
>
> Your browser fingerprint appears to be unique among the 978,452  
> tested so far.
>
> Currently, we estimate that your browser has a fingerprint that  
> conveys at least 19.9 bits of identifying information.
>
> The measurements we used to obtain this result are listed below. You  
> can read more about our methodology, statistical results, and some  
> defenses against fingerprinting in this article.
>
>
> Abstract of the published article:
>
> How Unique Is Your Web Browser?
>
> Peter Eckersley?
> Electronic Frontier Foundation,
> pde () eff org
>
> Abstract. We investigate the degree to which modern web browsers
> are subject to \device ngerprinting" via the version and congura-
> tion information that they will transmit to websites upon request. We
> implemented one possible ngerprinting algorithm, and collected these
> fingerprints from a large sample of browsers that visited our test  
> side,
> panopticlick.eff.org. We observe that the distribution of our nger-
> print contains at least 18.1 bits of entropy, meaning that if we  
> pick a
> browser at random, at best we expect that only one in 286,777 other
> browsers will share its ngerprint. Among browsers that support Flash
> or Java, the situation is worse, with the average browser carrying  
> at least
> 18.8 bits of identifying information. 94.2% of browsers with Flash  
> or Java
> were unique in our sample.
>
> By observing returning visitors, we estimate how rapidly browser nger-
> prints might change over time. In our sample, ngerprints changed quite
> rapidly, but even a simple heuristic was usually able to guess when a
> fingerprint was an \upgraded" version of a previously observed  
> browser's
> fingerprint, with 99.1% of guesses correct and a false positive rate  
> of only
> 0.86%.
>
> We discuss what privacy threat browser ngerprinting poses in practice,
> and what countermeasures may be appropriate to prevent it. There is a
> tradeo between protection against ngerprintability and certain kinds  
> of
> debuggability, which in current browsers is weighted heavily against  
> pri-
> vacy. Paradoxically, anti-fingerprinting privacy technologies can be  
> self-
> defeating if they are not used by a sufficient number of people; we  
> show
> that some privacy measures currently fall victim to this paradox, but
> others do not.



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com