PakistanDatabase.com

OSINT / Dox / Forensic Fingerprinting Attacks on Screen Resolution

CyberGod

Fingerprinting attacks are ways of identifying individuals by some attribute of their online activity. In some ways, fingerprinting attacks are the most dangerous and difficult type of de-anonymizing threat to defend against. I want to highlight one facet of fingerprinting that is used by many web services and organizations: screen resolution tracking.

In many cases, you have a laptop with a native screen resolution. This could be 1024x768, or 1900x1024, or some other combination. These resolutions point to the make and model of the laptop itself. The MacBook Pro, for instance, has a native resolution of 1280x800. While many other laptops run a similar resolution, you have narrowed the set of all possible systems that could be connecting down to those with that resolution. Imagine what a forensic investigator could do with this information.

This is even more dangerous on mobile devices such as Android. Each manufacturer releases new phones and tablets with different resolutions. These are often very odd screen resolutions, making them very specific to that phone type. There are dozens of sites that provide this information for you:

http://en.wikipedia.org/wiki/List_of_dis...el_density
https://deviceatlas.com/
http://wurfl.sourceforge.net/
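
To put a number on the narrowing described above, this added example (not part of the original post) computes how many visitors in a sample share a given resolution and how many bits of identifying information that resolution reveals. The visitor counts, the function names and the orientation handling are assumptions made for the illustration.

```javascript
// Constructed sample: visitors per reported screen resolution (invented counts).
const SAMPLE_COUNTS = {
  '1920x1080': 512, '1366x768': 256, '1280x800': 128, '1024x768': 64,
  '1440x900': 32, '1600x900': 16, '2960x1440': 8, '1480x720': 8,
};

// Build a lookup key from a screen-like object ({width, height}); the larger
// dimension goes first so a rotated phone maps to the same entry.
function resolutionKey(scr) {
  const w = Number(scr.width), h = Number(scr.height);
  if (!Number.isInteger(w) || !Number.isInteger(h) || w <= 0 || h <= 0) {
    throw new TypeError('width and height must be positive integers');
  }
  return `${Math.max(w, h)}x${Math.min(w, h)}`;
}

// How identifying is one resolution within the sample?
// anonymitySet: visitors sharing it; bits: surprisal, -log2(share).
function identifiability(scr, counts = SAMPLE_COUNTS) {
  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  const n = counts[resolutionKey(scr)] || 0;
  if (n === 0) {
    // Not seen in the sample: treated as rarer than 1 in `total`,
    // so log2(total) is reported as an estimated floor.
    return { anonymitySet: 0, share: 0, bits: Math.log2(total), estimatedFloor: true };
  }
  return { anonymitySet: n, share: n / total, bits: -Math.log2(n / total), estimatedFloor: false };
}

// Shannon entropy of the attribute: expected bits an observer learns from it.
function attributeEntropy(counts = SAMPLE_COUNTS) {
  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  return Object.values(counts)
    .reduce((sum, n) => sum + (n / total) * -Math.log2(n / total), 0);
}

// In a browser, window.screen would be passed; plain objects stand in for it here.
console.log(identifiability({ width: 1280, height: 800 }));  // common laptop size
console.log(identifiability({ width: 720, height: 1480 }));  // odd phone size, portrait
console.log(attributeEntropy().toFixed(3));
```

In this constructed sample the common laptop resolution leaves 128 candidates, while the unusual phone resolution leaves only 8, which is why odd mobile resolutions are the more identifying case.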

Background

There are two types of fingerprinting: passive and active. Passive fingerprinting attacks are usually carried out by those who collect information about your network traffic and then perform a secondary correlation. For example, an adversary running multiple exit nodes could collect the list of sites each circuit connects to and try to correlate that to a specific user.

Active attacks will manipulate or inject an identifier into your traffic — an identifying cookie or malicious JavaScript that when executed tries to collect identifying information about your browsing environment.

This is not a new revelation; the EFF has highlighted this problem with its Panopticlick project, which simulates attacks that aim at fingerprinting your browser, its plugins, installed fonts, etc. This is similar to the BrowserSpy project.

Screen Resolution

While we’ve found ways to defend ourselves against a variety of attacks (e.g. disabling JavaScript to prevent detection of the plugins we have installed), defending yourself against tracking of your screen resolution is more difficult. Note that screen resolution here means the actual resolution of your computer screen, not just your browser window.

Here’s a simple JavaScript example that does that:

Defense Measures

There are a couple of ways of defending; let me go over some possibilities: