Part 3 of 5: Running into an old friend...Privacy Attack and Defense. Canvas fingerprinting, browser fingerprinting, and online cookie attacks

Part 3 of 5: Running into an old friend...Privacy Attack and Defense. Canvas fingerprinting, browser fingerprinting, and online cookie attacks

Part 3 of 5: The Attack


Part One: A Question from the NIST Cybersecurity Working Group on the Smart Grid
Part Two: Attack and Defense

In this part, we review how canvas fingerprinting, browser fingerprinting, and some online "cookie-"related privacy attacks work to de-anonymize you, identify you and reveal information about you on the internet that you might have thought was private.

Who’s doing it? Who figured it out? When did they find it, and when was it reported?
Six researchers from KU Leuven in the Netherlands and Princeton University in the US teamed up to locate the canvas fingerprinting online browser attack “in the wild,” meaning, in actual websites. Researchers included Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. They wrote a paper, The Web Never Forgets: Persistent Tracking Mechanisms in the Wild, that technically has yet to be “published,” (forthcoming November, 2014 in the academic journal In Proceedings of CCS 2014, Nov. 2014. Yet, as of July 21, 2014, it’s already published on the web, the latest version dated August 10, 2014. Confusing? Yes.)

They built on the work first presented in 2012, as theory, in a research paper by Keaton Mowery and Hovav Shacham. Researchers flushed out adware company AddThis’s computer code, along with others, on 5 percent of the top 100,000 websites, or 5,000 websites.

How does canvas fingerprinting work?
It turns out, our browsers each use a more unique set of fonts and text settings than we realize. When a user visits a website with canvas fingerprinting, their browser is instructed to "draw" a sample hidden line of text or 3D graphic that is then converted to a digital token (hashed). It exploits the HTML5 canvas element, also known as the the Canvas API. This includes the set of fonts and the settings a user uses to format text and images in the browser. The Tor Browser specification actually sums it up best:

“The adversary simply renders WebGL, font, and named color data to a Canvas element, extracts the image buffer, and computes a hash of that image data. Subtle differences in the video card, font packs, and even font and graphics library versions allow the adversary to produce a stable, simple, high-entropy fingerprint of a computer. In fact, the hash of the rendered image can be used used almost identically to a tracking cookie by the web server.”

There are so many online privacy attacks, it’s hard to keep them all straight. When did these attacks start? When did we know about them?
Canvas fingerprinting is a kind of privacy attack known as “browser fingerprinting.” The “browser fingerprinting.”attack was made (somewhat) famous in 2010 by in the Panopticlick project by Peter Eckersley, a Senior Staff Technologist at the Electronic Frontier Foundation (EFF). He presented his findings in How Unique is your Browser? at Defcon and published them in How Unique is your Web Browser? at the Privacy Enhancing Technology Symposium in 2010. Eckersley showed that seemingly harmless browser settings and information more uniquely identify us than we realize.

Keaton Mowery and Hovav Shacham identified canvas fingerprinting, in theory, in their 2012 paper. Then, early in 2014, Princeton and KU Leuven researchers experimented and found an example “in the wild.” The actual research paper will not even be published until November 2014, in the academic journal of the ACM Conference on Computer and Communications Security (CCS). On July 22, 2014, ProPublica’s blog reported on it, the day after acceptance notifications went out for the ACM CCS publication. Acar also published an article in magazine on the same day.

What are these seemingly harmless pieces of information that reveal us?
I compiled this list from Eckersley’s Defcon presentation and research paper:
User Agent strings
Other browser headers
Cookie blocking
Screen size
Browser plugins + versions
Supercookie blocking
System fonts
performance metrics
the JavaScript engine
the rendering engine
acoustic characteristics
Quartz crystal clock skew
TCP/IP characteristics
Screen DPI
HTTP header ordering
ActiveX / Silverlight
JavaScript quirks
CSS history
CSS font list

Eckersley provided this helpful guide to show which data is most revealing:

Variable Entropy- a measure of how much of a giveaway each is about your identity:
Plugins 15.4 bits
Fonts 13.9 bits
User Agent: 10.0 bits
Other headers: 6.09 bits
Screen size 4.83 bits
Timezone 3.04 bits
Supercookies 2.12 bits
Cookies enabled? 0.353 bits

Are there related attacks?
In 2009, a study by Soltani et al. showed the abuse of Flash cookies for regenerating previously removed HTTP cookies, a technique referred to as “respawning.” In 2010: Samy Kamkar demonstrated the “Evercookie," a resilient tracking mechanism that utilizes multiple storage vectors including Flash cookies, localStorage, sessionStorage and ETags. Cookie syncing, a workaround to the Same-Origin Policy, allows different trackers to share user identifiers with each other. Besides being hard to detect, cookie syncing enables back-end server-to-server data merges hidden from public view. The 2014 Persistent paper significantly extends what was known about each in terms of extent and methodology.

Next in this series:
Part Four: The Defense
Part Five: Digital Modesty?

Read more at Security Watch

G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, C. Diaz. The Web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of CCS 2014, Nov. 2014. (Forthcoming)
Acar, Günes and Nikiforakis, Nick, Browser Fingerprinting and the Online-Tracking Arms Race, IEEE Spectrum, 25 Jul 2014
Clark, Erinn, Murdoch, Steven, and Perry, Mike, The Design and Implementation of the Tor Browser [DRAFT] March 15, 2013
Eckersley, Peter, How Unique is Your Browser? A report on the Panopticlick Experiment, Defcon 2010,
Eckersley, Peter, How Unique is your Web Browser? In the Proceedings of PETS, 2010,
Herold, Rebecca, Privacy Professor,
Mowery, Keaton and Shachem, Hovav, Pixel Perfect: Fingerprinting Canvas in HTML5, In Proceedings of W2SP 2012. IEEE Computer Society, May 2012.
Panopticlick, Electronic Frontier Foundation (EFF)
The Tor Project,