Browser Fingerprint

1 - What is Browser Fingerprinting ?

Browser fingerprinting is the systematic collection of information about a remote device, for identification purposes.
Client-side scripting languages allow the development of procedures to collect very rich fingerprints :
browser and operating system type and version, screen resolution, architecture type, graphic card, lists of fonts, plugins, microphone, camera ...

2 - How fingerprint are used ?

There are three main ways to use fingerprints :
- Fingerprints can be used in a constructive way to combat fraud or credential hijacking, by checking that a user who logs into a specific site is likely the legitimate user.
- Fingerprints can also be used in more questionable way, in order to track users across web sites and collect information about their habits and their tastes without the users knowing about it.
- Fingerprints can even be used in a destructive way: if attackers know which software modules (specific browser version, plugins, etc.) are installed on a specific device, they can deliver exploits that are tailored for these specific modules or combination of modules.

3 - How is the Fingerprint collected ?

Browser fingerprints are also called cookieless monsters because it is not necessary to install any form of cookie to collect a fingerprint. This means that the act of fingerprinting a specific browser is stateless and transparent for the user.
Any third-party interested in fingerprinting can exploit a set of different techniques to get a rich fingerprint :

• JavaScript gives access to many browser-populated features like the plugins installed on the user’s device.
• Through the display of an HTML5 Canvas element, it is possible to collect small differences in the hardware or in the software configurations, thanks to slight differences in the image rendering between devices. The smallest pixel difference can be detected. This is called canvas fingerprinting.
• If the Flash plugin is installed, its rich programming interface (API) provides access to many system-specific attributes: exact version of the operating system, list of fonts,screen resolution, timezone.
• the user agent and the accept headers are automatically sent to websites when a connection is initiated.
• Plugin Detect for plugins detection.

4 - How to protect yourself ?

It is not possible to completely prevent the digital fingerprint of your Internet browser from being determined, the characteristics automatically transferred in the HTTP header during the passive fingerprint are always received by the web server operator.
However, you can try to keep the recognition value of your client as low as possible so that the fingerprint is not unique and therefore unusable for tracking.

4.1 - Mozilla Firefox

Version 67 of Mozilla Firefox provides protection against digital fingerprints. By default, this protection is not activated and it is up to the user to activate it. You have to go to the privacy options and switch the content blocking to custom and check the "fingerprints" box.

4.2 - Browser Plugins

• CanvasBlocker - Alters some JS APIs to prevent fingerprinting.
• NoScript - Blocks JavaScript and other objects, so the source code of the Tracker and FingerPrint Browser can be blocked.
• Trace - An advanced extension that can protect many different types of browser fingerprinting such as Canvas/Audio/WebGL Fingerprinting.
• Chameleon - Spoof your browser profile. Includes a few privacy enhancing options.

Don't forget to check our Add-ons recommandations and our Firefox Tweaks.