Fingerprint Defender: Defense against browser based user
tracking
Deepali Moad1, Vikas Sihag1, Gaurav Choudhary2, Daniel Gerbi Duguma3, Ilsun You3
1Sardar Patel University of Police, Security and Criminal Justice, Jodhpur, India
2Department of Applied Mathematics and Computer Science, Technical University of Denmark (DTU)
3Department of Information Security Engineering, Soonchunhyang University, The Republic of Korea
{spu19csdm,vikas.sihag}@policeuniversity.ac.in,
{gauravchoudhary7777,danielgerbi2005,ilsunu}@gmail.com
Abstract
It is difficult to be anonymous online with user activities always under the scanner. Multiple
identifiers and their combinations are used for user identification. While browsing, trackers keep a record
of artifacts such as OS version, screen resolution, and fonts enabled. Browser fingerprinting tries to
identify a user's browser uniquely, without using cookies or other stateful signatures. We propose
a browser fingerprint defender tool to anonymize user browsers. It captures current user
attributes and anonymizes them before sending a request to the server. It also reports the current browser
fingerprint attributes.
Keywords: Privacy, User tracking, Anonymization, Browser Fingerprinting, Fingerprinting Defender,
Chrome Extension.
1 Introduction
The browser is becoming an important component of a user’s experience with the internet as the web
evolves and continues to be the medium of choice for providing software to users [14, 8]. The systematic
gathering of information about a remote computing device for the purposes of authentication is known
as browser fingerprinting. A third party may obtain a "rich fingerprint" using a variety of techniques.
The availability of JavaScript or other client-side scripting languages, the user-agent and accept headers,
the HTML5 Canvas feature, and other variables are among them. Browser fingerprints can include
data such as browser and operating system type and version, active plugins, timezone, language, screen
resolution, and other active settings. In web applications, user identity usually necessitates the use of an
authentication scheme, such as providing credentials such as a username, password, or code provided
by a key. Identification is also possible without clear detection using cookies or computer fingerprinting
[2, 16]. According to Panopticlick, a browser fingerprinting research page, just 1 in 133801.5 other
browsers can have the same fingerprint as yours. Browser fingerprinting, like all other tools, may be
exploited or misused.
A digital profile can be generated based on the data collected in order to provide customized and
tailored services. Many marketers, in particular, gather information about users' tastes, location, surfing
habits, and so on [7, 3], using active or passive monitoring approaches without waiting for their
users' permission [4, 15]. To recognize a device, websites send several queries via the browser to the
underlying environment to extract different device properties. The extracted properties are then combined
to create a unique id or fingerprint for the browser [6]. Users often are unaware of the trackers' requests
and underlying reasoning since the fingerprinting mechanism is inaccessible to them. Fig 1 shows an
example of the fingerprint attributes that are collected by a browser to generate the fingerprint. In upcoming
solutions, various deep learning based methods may be applicable in such scenarios [13, 1].
(eds.): The 5th International Symposium on Mobile Internet Security (MobiSec'21), October 7-9, 2021, Jeju Island,
Republic of Korea, volume 1, issue: 1, pp. 1-9
Corresponding author: Department of Information Security Engineering, Soonchunhyang University, The Republic of
Korea.
In this paper, we propose Fingerprint Defender, a Chrome browser extension to anonymize the user
artifacts used for tracking. We consider multiple attributes and randomize them. The paper is organized
as follows. In section 2, we discuss existing works in the literature on browser tracking. In section 3, we
discuss browser fingerprinting, followed by the proposed solution in section 4. Section 5 evaluates the work
against existing tracking techniques, followed by the conclusion in section 6.
2 Related works
A browser fingerprint is more than just a set of device-specific data. It accurately depicts the actual
component array that runs a computer. Attackers can identify potential security vulnerabilities by analyzing
the content and cross-referencing the list of installed components with a database like CVE (Common
Vulnerabilities and Exposures) [12]. The first goal of a browser fingerprint is to verify a user's identity
without them having to do anything. At the beginning of the Network's growth, users could be easily
distinguished by their machines' IP addresses [10].
After a survey of existing research papers, we conclude that there are many solutions for preventing
fingerprinting, but they are all temporary, single-problem solutions and do not provide much security
against advanced attacks [9, 17]. They did not work as they were supposed to. The Chrome browser is the most
vulnerable web browser that can be used to steal our browser fingerprint. We found a newer browser
known as the Brave browser. According to our research, it is safer and faster than other browsers, and it can
prevent a user from being tracked. After studying the Brave browser,
we found a method for randomizing a browser fingerprint. We created an extension that can
help protect a user from being tracked. We created a Chrome extension because, as we discussed in our previous
sections, Chrome is the most vulnerable web browser. We named it "Fingerprint Defender". This extension
changes the values of the attributes that can be used to generate a fingerprint, so that the tracker
cannot generate any hash/fingerprint of the system.
To create a browser extension you must know some basic programming languages like HTML, CSS,
JavaScript, etc. We used these three languages to create our extension. First, we created a
simple extension that runs in the browser and can communicate with it, because this is the
most important thing an extension must be able to do. Then we started writing
code for fetching data from the browser. We can fetch many attributes, such as OS information, system
information, and browser information. After fetching the data, we wanted to display this information to the
user, so we extended our code from only fetching data to displaying all the information on the user's display.
After displaying all the information, we finally started working on browser fingerprinting prevention. For
this purpose, we planned to randomize the attributes that we fetch using our extension, but there was a
problem with that: if we randomize all attributes, it affects the browser and the browser does
not work as it is supposed to. So we created a list of attributes and sorted out which attributes
can be changed and which cannot, so that this process does not affect the functionality
of the browser. To randomize, we change the value of an attribute when the browser shares system or
browser information. For each attribute we created a list of false values that are similar to
the real value. When the browser shares the details of our system, our extension supplies a value
picked at random from that list. This method gave us a positive result. After
enabling our extension, we checked our browser fingerprint on many browser fingerprint check websites, and
none of them could detect our fingerprint. They reported that we have strong protection against browser fingerprinting.
3 Browser Fingerprinting
A browser fingerprint, also known as a system fingerprint, is data obtained for
the purpose of identifying a device. Websites use browser fingerprinting to gather information about you.
Scripts, which are collections of instructions that tell your browser what to do, are needed for modern
website functions. This fingerprint will then be used to track you down across the internet and across
various surfing sessions.
Figure 1: An example of user attributes used for browser fingerprint
Browser fingerprinting is qualified as fully stateless, unlike other authentication strategies such as
cookies that rely on a unique identifier (ID) directly stored inside the browser. It does not leave any trace,
as the storing of information within the browser is not necessary. Another tool that could be used to
identify guests individually without focusing on standard cookies was computer fingerprinting [12].
Lou Montulli invented the concept of cookies for preserving the state of the session in the stateless
HTTP protocol. Cookies have been adopted by both browser vendors and developers because of their
basic design and deployment. Abusing their stateful character, internet providers began using
them for third-party ads and web usage monitoring, creating public discomfort [11].
This paper mainly focuses on a prevention method for browser fingerprinting. We create an
extension that can prevent a user from being tracked by third parties or companies on the online platform. This
extension is also used to display your system information. We collect attributes using JavaScript.
First we collect the attributes, then we randomize some of them. After that, we check the
fingerprint on various platforms and create a comparative table before and after enabling the extension.
4 Proposed Solution
In this section, we first discuss browser extensions, how to create one, and the required files. In the second part,
we explain how different websites gather data and how we gathered or retrieved data for our extension.
In the third part, we describe what randomisation is and how we randomize the attributes that we
fetched with our extension. In the fourth part, we describe how our Chrome extension,
"Fingerprint Defender", works. In the fifth and last part, we show the results of
our extension. We compare different websites before and after enabling the
extension. We check fingerprints on 3 different websites: Panopticlick, Am I Unique, and Unique Machine.
4.1 Browser Extensions
Extensions are small software programs that allow you to configure your browsing experience and add
features to the browser. Browser plugins are typically used to enhance a website's functionality.
However, they can also be used to disable unnecessary features and functions like pop-up ads
and other facets of a website's core behavior that a user wants to disable. Users install plugins in their
browsers to customize the appearance of the browser. They're made with web technologies like HTML,
CSS, and JavaScript, among others. The extensions are zipped into a .crx package, which the user must
import and update. The Chrome online store now has a Chrome extension. Extensions are made up of
a variety of components that work together. When combined with the advanced features of JavaScript and
Cascading Style Sheets (CSS), HTML5 allows developers to create feature-rich applications.
To create our extension we required the files listed below:
manifest.json: This is a JSON file in a website that informs the browser about the website on the
user’s laptop or desktop. Chrome needs a manifest in order to display the Add to Home Screen prompt.
The name, logos, and other information about your website are provided by JSON to the browser. The
manifest.json file includes information such as the name of your website app, the icons it should use, the
start-URL it should use when it is first released, and several other specifics.
background.js: Background scripts are the most secure parts of the Chrome Extension environment
when it comes to logging and connecting with the server or API. Background scripts are dependent on the
plugin because as long as it is installed, the scripts can run in the background in a daemon-like manner.
Content scripts.js: Content scripts.js files are used to add functionality to a website. Extensions add
more Javascript on top of that. As long as we specify them in the manifest, we can add as many extra
files as we want. It’s useful for communicating with a page’s DOM in every way.
dom.js: dom.js is a JavaScript file that is used to randomize the attributes. DOMtegrity is a
JavaScript-based platform that ensures the credibility of web pages. This source code is embedded within the
"script" tag and placed first on the web page, before all other HTML tags.
fetch-info.js: fetch-info.js is a JavaScript file. This is the main file used in our extension. It is used to
fetch information from the user's system. We also added one more feature to it: it
can display the system information to the user.
popup.html: A popup is the graphical user interface that appears when we communicate with a plugin
by clicking on its button. The only difference between a website and a Chrome Extension popup is that
an extension popup must be tracked. The popup’s HTML, CSS, JS, and images can all be described. It
works in the same way as any other website.
Figure 2: Extension Files
4.2 User artifact collection
Since websites use scripts that run in the context of the browser, browser fingerprinting is possible. APIs
are built-in program features in today’s web browsers that can be used by website scripts to capture data.
Because fingerprinting scripts seem identical to any other script running on a website, users have no way
of knowing that their personal information is being collected. These scripts gather the information that
can be used to create a "hash" or digital fingerprint. To conduct cross-site monitoring, many website
owners and ad networks share browser fingerprinting capabilities. That means they follow you around
the web using your online fingerprint and gather personal information about you, such as your browsing
history, shopping and news habits, and more. Figure 3 shows how two websites share hashes to describe
the same person, so that they can show that person advertisements accordingly.
We extract information from the user's device using JavaScript in our extension. We fetch system
information, IP information, and URL information. We fetch the system information using "fetch-info.js"
and display the information on the user device using the "popup.html" file.
Figure 3: Two websites sharing their hashes
4.3 Randomization
Firefox was the first major browser to solve this growing issue by introducing an anti-fingerprinting
feature that allows users to disable attempts to fingerprint their browser. A couple of months later, Apple
followed suit with a new solution, requiring Safari to return similar values for certain fingerprinting data
points, such as fonts [5]. In order to protect the user’s privacy, the Brave browser is working on a feature
that will randomize its "fingerprint" any time a user visits a website.
In Fingerprint Defender we create a file "dom.js". In dom.js we use Math.random(), Element.prototype,
Date.prototype, function(), etc. to randomise values. We create a list of attributes and then replace
the actual attributes with our false attributes. For example, to randomise TimeZoneOffset we created a
list like [720, 660, 600, 570, 540, 480, 420, 360, 300, 240, 210, 180, 120, 60, 0, -60, -120, -180, -210,
-240, -270, -300, -330, -345, -360, -390, -420, -480, -510, -525, -540, -570, -600, -630, -660, -720, -765,
-780, -840]. Every time a user visits a website, the extension changes the value of the time zone offset.
In the same way, we randomise the other attributes to prevent fingerprinting.
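One way to apply the offset list above through Date.prototype, as an added example rather than the extension's own dom.js; the function names are assumptions. It also checks the spoofed offset against the time zone name a page can read through Intl.DateTimeFormat, since Table 1 reports the offset as changed while the time zone stays the same on Panopticlick.

```javascript
// Added example, not the extension's dom.js. Function names are illustrative.

// Decoy offsets in minutes, copied from the list in Section 4.3.
const OFFSETS = [720, 660, 600, 570, 540, 480, 420, 360, 300, 240, 210, 180, 120, 60, 0,
  -60, -120, -180, -210, -240, -270, -300, -330, -345, -360, -390, -420, -480, -510,
  -525, -540, -570, -600, -630, -660, -720, -765, -780, -840];

// Choose one decoy per page load so repeated reads agree with each other.
// rng is injectable so the choice can be tested deterministically.
function pickOffset(rng = Math.random) {
  return OFFSETS[Math.floor(rng() * OFFSETS.length)];
}

// Shadow Date.prototype.getTimezoneOffset so every Date reports the decoy.
// Returns a function that puts the native method back.
function spoofTimezoneOffset(DateCtor, offset) {
  const native = Object.getOwnPropertyDescriptor(DateCtor.prototype, 'getTimezoneOffset');
  Object.defineProperty(DateCtor.prototype, 'getTimezoneOffset', {
    ...native,
    value: function getTimezoneOffset() { return offset; },
  });
  return () => Object.defineProperty(DateCtor.prototype, 'getTimezoneOffset', native);
}

// Offset (UTC minus local, in minutes) that an IANA zone name implies at `date`.
// Computed from Intl only, so it is unaffected by the override above.
function offsetForZone(timeZone, date) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone, hourCycle: 'h23',
    year: 'numeric', month: 'numeric', day: 'numeric',
    hour: 'numeric', minute: 'numeric', second: 'numeric',
  }).formatToParts(date);
  const p = {};
  for (const { type, value } of parts) p[type] = Number(value);
  const wallAsUtc = Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second);
  return Math.round((date.getTime() - wallAsUtc) / 60000);
}

// The cross-check a page can run: does the reported offset agree with the
// zone name from Intl.DateTimeFormat().resolvedOptions().timeZone?
function isConsistent(reportedOffset, timeZone, date) {
  return reportedOffset === offsetForZone(timeZone, date);
}
```

An offset that disagrees with the exposed zone name is itself a distinguishing value, so the two need to change together. In an extension the override also has to run in the page's own JavaScript context before any site script, which is why the paper places dom.js in a script tag ahead of all other HTML.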
Fingerprint Defender is a Chrome extension. We made this extension to stop these kinds of frauds or
activities. A tracker or attacker basically finds you by calculating your browser fingerprint. This extension
changes some values of the attributes that the attacker collects from the user device. It can protect your
anonymity online. The scripts used in this extension work as a defender of your system. This
extension works only on the Chrome browser because we made it for Chrome only. Fingerprint
Defender has a privacy feature that makes it harder for sites to track you while you browse. It randomizes
and hides some attributes so that your fingerprint cannot be generated.
Figure 4: Fingerprint Defender
Fingerprint Defender is used to check your system information. It provides the details of your
system such as Architecture, Model, Processor, Features, Free Memory, and Total Memory; IP information
such as IP, Latitude, Longitude, City, Region, Country, Zip, and ISP; and URL information such as Active
Tab, IP, Latitude, Longitude, City, Country, Region, Zip, and ISP.
Table 1: Results after enabling the extension on different websites
Attributes                      Panopticlick   AmIUnique   UniqueMachine
USER AGENT                      same           same        same
HTTP ACCEPT HEADERS             same           same        NA
BROWSER PLUGIN DETAILS          randomized     NA          Null
TIME ZONE OFFSET                changed        NA          NA
TIME ZONE                       same           NA          changed
SCREEN SIZE AND COLOR DEPTH     changed        NA          changed
SYSTEM FONTS                    randomized     NA          changed
HASH OF CANVAS FINGERPRINT      randomized     NA          changed
HASH OF WEBGL FINGERPRINT       randomized     NA          NA
WEBGL VENDOR and RENDERER       changed        NA          same
LANGUAGE                        same           same        same
PLATFORM                        changed        NA          NA
AUDIOCONTEXT FINGERPRINT        randomized     NA          changed
HARDWARE CONCURRENCY            same           NA          NA
DEVICE MEMORY (GB)              same           NA          NA
5 Result and Analysis
Online privacy is a spectrum: some sites collect and hold more information about you than others.
Online privacy, also called internet privacy or digital privacy, refers to how much of your
health, financial, and browsing information is kept confidential when you're online. This has become a
growing concern.
We checked the performance of our extension on various platforms. It works fine on every
platform. Table 1 compares the Panopticlick¹, AmIUnique² and UniqueMachine³
websites. We checked the results before and after enabling the extension. The table lists the
attributes and shows, for each platform, whether an attribute is changed, the same, or randomized. From these
results we can say the extension is randomizing user attributes and thus defeating user tracking methods.
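The hash comparison described in Section 4.2 and the before/after check summarised in Table 1, as an added example that is not the paper's code: the attribute values, the decoy lists and the FNV-1a hash are assumptions. It goes slightly beyond the table by also hashing only the attributes reported as "same" on Panopticlick, to see whether those alone still link two randomized visits.

```javascript
// Added example, not code from the paper. Attribute values, decoy lists and
// the FNV-1a hash are assumptions chosen to keep the block self-contained.

// Constructed sample browser; keys follow the attribute names in Table 1.
const REAL = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Chrome/90.0 Safari/537.36',
  httpAccept: 'text/html,application/xhtml+xml;q=0.9',
  language: 'en-US',
  hardwareConcurrency: 8,
  deviceMemory: 8,
  timezoneOffset: -330,
  screen: '1920x1080x24',
  platform: 'Linux x86_64',
  canvasHash: 'c0ffee01',
};

// Attributes Table 1 reports as "same" on Panopticlick with the extension on.
const STABLE_KEYS = ['userAgent', 'httpAccept', 'language',
  'hardwareConcurrency', 'deviceMemory'];

// Constructed decoys for attributes Table 1 reports as changed or randomized.
const DECOYS = {
  timezoneOffset: [720, 0, -60, -540],
  screen: ['1366x768x24', '1440x900x24', '1600x900x24'],
  platform: ['Win32', 'MacIntel'],
  canvasHash: ['a1b2c3d4', '0f0f0f0f', '9e8d7c6b'],
};

// 32-bit FNV-1a over UTF-16 code units (the sample values are ASCII).
// A stand-in for whatever hash a fingerprinting script uses.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, '0');
}

// Serialise the chosen attributes in sorted key order so that two sites
// reading the same values always hash the same string.
function fingerprint(attrs, keys = Object.keys(attrs)) {
  const canonical = [...keys].sort().map((k) => `${k}=${attrs[k]}`).join('\n');
  return fnv1a(canonical);
}

// Replace every attribute that has a decoy list with a randomly chosen decoy.
function randomize(attrs, rng = Math.random) {
  const out = { ...attrs };
  for (const [key, choices] of Object.entries(DECOYS)) {
    out[key] = choices[Math.floor(rng() * choices.length)];
  }
  return out;
}

// Compare two visits on the full attribute set and on the stable subset.
function compareVisits(a, b) {
  return {
    fullMatch: fingerprint(a) === fingerprint(b),
    stableMatch: fingerprint(a, STABLE_KEYS) === fingerprint(b, STABLE_KEYS),
  };
}
```

A matching stable-subset hash across two randomized visits means those attributes alone still link the visits, so how many users share that subset matters as much as whether the full hash changes.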
¹ https://panopticlick.eff.org/
² https://amiunique.org/
³ https://uniquemachine.org/
6 Conclusion
The rising threat of browser fingerprinting to privacy inspired the research presented in this paper. We
looked at previous research on browser fingerprinting. Browser fingerprinting, we found, poses a bigger
risk to privacy than cookie tracking since users have no direct control over it. We have also seen that
it's being utilized more and more for online user monitoring, even when there's no persistent IP address
or cookie. Fingerprint Defender is a free browser plugin that identifies and, if desired, prevents data
transfers that are likely to be used for browser fingerprinting. The extension's major goal was to make
browser users aware of the widespread usage of browser fingerprinting and to give them some control
over it.
Nothing is free in this online or digital world, whether it's installing software, using a company's
"free" email service (like Gmail), or using a social media site. Even visiting a website entails exchanging
personal information. Over the last few years, browser fingerprinting has been increasing day by day. Every
person in this world is connected to a network and uses one or more devices. Users can be classified
differently by website creators on occasion. A device has many specifications. When a user visits a
website, the browser shares the device information with the server. That server can take advantage
of the information. They have a variety of motivations for doing so. Some companies want to classify
users for analytic purposes, such as to see how many other people have visited or read a particular page
on a website. If a website is able to recognize a visitor personally, advertisements targeted to that person
may be presented. Earlier, web servers used cookies to obtain device information. After some time,
people came to know about this, so users tried to block cookies in their web
browsers so that trackers could not get their information. After that, attackers found a new technology
known as browser fingerprinting. Browser fingerprinting is a method that can't be stopped by
the user because it does not save anything on the system. It only steals some information from the
system and generates or calculates a hash without the knowledge of the user. Many methods can protect
you from browser fingerprinting partially, but they cannot protect you fully. After reading and studying
browser fingerprinting we created an extension as discussed in the paper. We hope that the approach
we've covered will keep you safe from web browser fingerprinting.
References
[1] D. Bae and J. Ha. Performance metric for differential deep learning analysis. Journal of Internet Services
and Information Security (JISIS), 11(2):22–33, May 2021.
[2] C. Blakemore, J. Redol, and M. Correia. Fingerprinting for web applications: From devices to related groups.
In 2016 IEEE Trustcom/BigDataSE/ISPA, pages 144–151. IEEE, 2016.
[3] K. Boda, Á. M. Földes, G. G. Gulyás, and S. Imre. User tracking on the web via cross-browser fingerprinting. In
Nordic conference on secure it systems, pages 31–46. Springer, 2011.
[4] K. Boda, Á. M. Földes, G. G. Gulyás, and S. Imre. User tracking on the web via cross-browser fingerprinting.
In Nordic conference on secure it systems, pages 31–46. Springer, 2011.
[5] C. Cimpanu. Brave to generate random browser fingerprints to preserve user privacy, 03 2020.
[6] P. Eckersley. How unique is your web browser? In International Symposium on Privacy Enhancing
Technologies Symposium, pages 1–18. Springer, 2010.
[7] A. FaizKhademi, M. Zulkernine, and K. Weldemariam. Fpguard: Detection and prevention of browser
fingerprinting. In IFIP Annual Conference on Data and Applications Security and Privacy, pages 293–308.
Springer, 2015.
[8] A. Gómez-Boix, P. Laperdrix, and B. Baudry. Hiding in the crowd: an analysis of the effectiveness of browser
fingerprinting at large scale. In Proceedings of the 2018 world wide web conference, pages 309–318, 2018.
[9] F. L. Greitzer, J. Purl, P. J. Sticha, M. C. Yu, and J. Lee. Use of expert judgments to inform bayesian
models of insider threat risk. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable
Applications (JoWUA), 12(2):3–47, June 2021.
[10] G. Gulyás, R. Schulcz, and S. Imre. Comprehensive analysis of web privacy and anonymous web browsers:
are next generation services based on collaborative filtering? In Joint SPACE and TIME International
Workshops. Citeseer, 2008.
[11] N. Kaur, S. Azam, K. Kannoorpatti, K. C. Yeo, and B. Shanmugam. Browser fingerprinting as user tracking
technology. In 2017 11th International Conference on Intelligent Systems and Control (ISCO), pages 103–
111. IEEE, 2017.
[12] P. Laperdrix, N. Bielova, B. Baudry, and G. Avoine. Browser fingerprinting: A survey. ACM Transactions
on the Web (TWEB), 14(2):1–33, 2020.
[13] V. Sihag, M. Vardhan, P. Singh, G. Choudhary, and S. Son. De-lady: Deep learning based android malware
detection using dynamic features. Journal of Internet Services and Information Security (JISIS), 11(2):34–45,
May 2021.
[14] E. Trickel, O. Starov, A. Kapravelos, N. Nikiforakis, and A. Doupé. Everyone is different: client-side
diversification for defending against extension fingerprinting. In 28th USENIX Security Symposium (USENIX
Security 19), pages 1679–1696, 2019.
[15] T. Unger, M. Mulazzani, D. Frühwirt, M. Huber, S. Schrittwieser, and E. Weippl. Shpf: Enhancing http (s)
session security with browser fingerprinting. In 2013 International Conference on Availability, Reliability
and Security, pages 255–261. IEEE, 2013.
[16] R. Upathilake, Y. Li, and A. Matrawy. A classification of web browser fingerprinting techniques. In 2015 7th
International Conference on New Technologies, Mobility and Security (NTMS), pages 1–5. IEEE, 2015.
[17] A. Walls and I. Agrafiotis. A bayesian approach to insider threat detection. Journal of Wireless Mobile
Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), 12(2):48–84, June 2021.
9
ResearchGate has not been able to resolve any citations for this publication.
Article
Full-text available
Popularity and market share of Android operating system has given significant rise to malicious apps targeting it. Traditional malware detection methods are obsolete as current malwares are equipped with state of the art obfuscation methods to hide their intent from scanning engines. In this paper, we propose De-LADY (Deep Learning based Android malware detection using DYnamic features) an obfuscation resilient approach. It utilizes behavioral characteristics from dynamic analysis of an application executed in emulated environment. The proposed approach is evaluated against 13533 applications from categories such as banking, gaming and utilities. De-LADY is effective with 98.08% detection rate and 98.84% F-measure. Furthermore, it outperformed existing machine learning approaches .
Conference Paper
Full-text available
Fingerprinting is an identification method used by enterprises to personalize services for their end-users and detect online fraud or by adversaries to launch targeted attacks. Various tools have been proposed to protect online users from undesired identification probes to enhance the privacy and security of the users. However, we have observed that new fingerprinting methods can easily evade the existing protection mechanisms. This paper presents a runtime fingerprinting detection and prevention approach, called FPGuard. FPGuard relies on the analysis of predefined metrics to identify fingerprinting attempts. While FPGuard’s detection capability is evaluated using the top 10,000 Alexa websites, its prevention mechanism is evaluated against four fingerprinting providers. Our evaluation results show that FPGuard can effectively recognize and mitigate fingerprinting-related activities and distinguish normal from abnormal webpages (or fingerprinters).
Conference Paper
Full-text available
The techniques of tracking users through their web browsers have greatly evolved since the birth of the World Wide Web, posing an increasingly significant privacy risk. An important branch of these methods, called fingerprinting, is getting more and more attention, because it does not rely on client-side information storage, in contrastto cookie-like techniques. In this paper, we propose a new, browser-independent fingerprinting method. We have tested it on a data set of almost a thousand records, collected through a publicly accessible test website. We have shown that a part of the IP address, the availability of a specific font set, the time zone, and the screen resolution are enough to uniquely identify most users of the five most popular web browsers, and that user agent strings are fairly effective but fragile identifiers of a browser instance.
Article
To promote effective detection and mitigation of insider threats, research has sought to identify, validate, and integrate cyber and behavioral (sociotechnical) indicators into comprehensive models of insider threat risk. Because validation of proposed indicators is hampered by a lack of appropriate real-world data, innovative approaches have used expert judgments as an initial step in developing and evaluating threat assessment models. For probabilistic models such as Bayesian networks, assigning probability values to posterior evidence is particularly challenging because it often relies on subjective base-rate (prior) and conditional probabilities estimates that are difficult to obtain and fraught with human errors and biases. The purpose of the present study was to test the efficacy of an expert knowledge elicitation method that does not rely on probability judgments in supporting development of probabilistic as well as non-probabilistic/risk-based predictive models of insider threat. We compared previously obtained expert judgments of threat/risk levels for a large set of indicators within a comprehensive ontology of technical and behavioral indicators of insider threats with corresponding likelihood ratio estimates that we obtained in the present study, concluding that the observed high correlation between the risk versus probability judgments demonstrates the efficacy of acquiring expert judgments of threat/risk levels as a practical alternative to the difficult and unreliable methods of acquiring conditional probability estimates from human experts. Based on these results, we created a Bayesian model of insider threat that incorporates all (~200) individual factors specified in the ontology and compared the performance of the Bayesian and risk-based models in predicting the judgments of experts, as proxies for real data and ground truth. 
Results indicated that the Bayesian model performed slightly better than a risk-based model that had been proposed and examined in prior research. This research demonstrated benefits of cross-fertilization of methods used in developing non-probabilistic/risk-based and probabilistic models in the insider threat domain. Implications of these findings for advancing insider threat predictive analytics, and future research needs, are discussed.
Article
With this article, we survey the research performed in the domain of browser fingerprinting, while providing an accessible entry point to newcomers in the field. We explain how this technique works and where it stems from. We analyze the related work in detail to understand the composition of modern fingerprints and see how this technique is currently used online. We systematize existing defense solutions into different categories and detail the current challenges yet to overcome.
Conference Paper
Browser fingerprinting is a stateless technique, which consists in collecting a wide range of data about a device through browser APIs. Past studies have demonstrated that modern devices present so much diversity that fingerprints can be exploited to identify and track users online. With this work, we want to evaluate if browser fingerprinting is still effective at uniquely identifying a large group of users when analyzing millions of fingerprints over a few months. We collected 2,067,942 browser fingerprints from one of the top 15 French websites. The analysis of this novel dataset sheds a new light on the ever-growing browser fingerprinting domain. The key insight is that the percentage of unique fingerprints in our dataset is much lower than what was reported in the past: only 33.6% of fingerprints are unique by opposition to over 80% in previous studies. We show that non-unique fingerprints tend to be fragile. If some features of the fingerprint change, it is very probable that the fingerprint will become unique. We also confirm that the current evolution of web technologies is benefiting users» privacy significantly as the removal of plugins brings down substantively the rate of unique desktop machines.
Conference Paper
The Web has become an indispensable part of our society and is currently the most commonly used mode of information delivery. Millions of users access the free services provided by websites on a daily basis, and while providing these free services, websites track and profile their web users. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. The objective of this paper is to study the increasingly common yet hardly discussed technique of identifying individual Web users and tracking them across multiple websites, known as “Browser Fingerprinting”. A unique browser fingerprint is derived from the unique pattern of information visible whenever a computer visits a website. The permutations thus collected are sufficiently distinct that they can be used as a tool for tracking. Unlike cookies, fingerprints are generated on the server side and are difficult for a user to influence. The main objective of this research is to study how fingerprinting evolved, its positives and negatives, what threat it poses to users' online privacy and what countermeasures could be used to prevent it. This paper will also analyse which different properties the browsers send to the server, allowing a unique fingerprint of those browsers to be created.
Conference Paper
Session hijacking has become a major problem in today's Web services, especially with the availability of free off-the-shelf tools. As major websites like Facebook, YouTube and Yahoo still do not use HTTPS for all users by default, new methods are needed to protect the users' sessions if session tokens are transmitted in the clear. In this paper we propose the use of browser fingerprinting for enhancing current state-of-the-art HTTP(S) session management. Monitoring a wide set of features of the user's current browser makes session hijacking detectable at the server and raises the bar for attackers considerably. This paper furthermore identifies HTML5 and CSS features that can be used for browser fingerprinting and to identify or verify a browser without the need to rely on the User Agent string. We implemented our approach in a framework that is highly configurable and can be added to existing Web applications and server-side session management with ease.
Conference Paper
We investigate the degree to which modern web browsers are subject to “device fingerprinting” via the version and configuration information that they will transmit to websites upon request. We implemented one possible fingerprinting algorithm, and collected these fingerprints from a large sample of browsers that visited our test site, panopticlick.eff.org. We observe that the distribution of our fingerprint contains at least 18.1 bits of entropy, meaning that if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint. Among browsers that support Flash or Java, the situation is worse, with the average browser carrying at least 18.8 bits of identifying information. 94.2% of browsers with Flash or Java were unique in our sample. By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an “upgraded” version of a previously observed browser’s fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%. We discuss what privacy threat browser fingerprinting poses in practice, and what countermeasures may be appropriate to prevent it. There is a tradeoff between protection against fingerprintability and certain kinds of debuggability, which in current browsers is weighted heavily against privacy. Paradoxically, anti-fingerprinting privacy technologies can be self-defeating if they are not used by a sufficient number of people; we show that some privacy measures currently fall victim to this paradox, but others do not.