Fingerprinting Computers By Making Them Draw Images

Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.

Article. Hacker News thread.

EDITED TO ADD (7/22): This technique was first described in 2012. And it seems that NoScript blocks this. Privacy Badger probably blocks it, too.

EDITED TO ADD (7/23): EFF has a good post on who is using this tracking system—the White House is—and how to defend against it.

And a good story on BoingBoing.

Posted on July 21, 2014 at 3:34 PM • 46 Comments
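The draw-then-read-back sequence the post describes can be observed from inside the page by wrapping the canvas methods involved. The sketch below is an added example, not code from the post or the linked study; `watchCanvas`, `runDemo` and the `Stub*` classes are hypothetical names, and the stubs are constructed so the logic runs without a browser.

```javascript
// Added example. In a browser, pass HTMLCanvasElement.prototype and
// CanvasRenderingContext2D.prototype; the Stub* classes are constructed
// stand-ins so the same logic runs offline.
function watchCanvas(canvasProto, ctxProto, report) {
  const drewText = new WeakSet();            // canvases that had text drawn on them
  const wrap = (proto, name, before) => {
    const original = proto[name];
    proto[name] = function (...args) {
      before(this, name);
      return original.apply(this, args);
    };
  };
  // Text rendering is where font and anti-aliasing differences show up.
  for (const name of ['fillText', 'strokeText']) {
    wrap(ctxProto, name, (ctx) => drewText.add(ctx.canvas));
  }
  // Reading the pixels back is the step that turns the drawing into an identifier.
  const flag = (canvas, api) => {
    if (drewText.has(canvas)) report({ api, width: canvas.width, height: canvas.height });
  };
  wrap(canvasProto, 'toDataURL', (canvas, name) => flag(canvas, name));
  wrap(ctxProto, 'getImageData', (ctx, name) => flag(ctx.canvas, name));
}

class StubContext {                          // constructed stand-in, not a real 2D context
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  strokeText() {}
  fillRect() {}
  getImageData(x, y, w, h) { return { data: new Uint8ClampedArray(w * h * 4) }; }
}
class StubCanvas {                           // constructed stand-in for a <canvas> element
  constructor(width, height) {
    this.width = width; this.height = height; this.ctx = new StubContext(this);
  }
  getContext() { return this.ctx; }
  toDataURL() { return 'data:image/png;base64,'; }
}

function runDemo() {
  const events = [];
  watchCanvas(StubCanvas.prototype, StubContext.prototype, (e) => events.push(e));
  const chart = new StubCanvas(300, 150);    // shapes only, then readback: not flagged
  chart.getContext('2d').fillRect(0, 0, 10, 10);
  chart.toDataURL();
  const probe = new StubCanvas(220, 30);     // text, then readback: flagged twice
  probe.getContext('2d').fillText('sample text', 2, 15);
  probe.toDataURL();
  probe.getContext('2d').getImageData(0, 0, 220, 30);
  return events;
}
```

Text followed by readback is a heuristic: some legitimate pages also export canvases that contain text, so a report is a prompt to look at the calling script, not proof of tracking.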

Comments

SteveS July 21, 2014 4:12 PM

It seems that a given browser’s fingerprint could change over time based on any number of factors. They specifically mention the list of plugins. If you got a new graphics card, that would do it, too. Granted, that is not something that will happen frequently or at all for most computers.

I wonder if the fingerprint would change on different versions of the same browser.

The linked article mentioned that the technique does not work well on mobile. I guess that would be related to the tight uniformity of hardware on many devices.

Jens July 21, 2014 4:14 PM

As far as I understand this (I might be wrong) there are only 2 big sites which use this canvas fingerprinting: addthis and ligatus (together with lots of smaller websites). From my understanding this should be blocked by using Add-Ons which block those services (like Ghostery), right? Alternatively, you could block those domains by hand using your adblocker (or even further your own dns).

Nevertheless, this study shows how shameless websites are spying on their users and that a wide list of Addons for your browser (adblock, Ghostery, LSO and Cookie deletion) is needed to protect your privacy. I knew it was bad but wouldn’t have guessed that it is so bad as the study shows. Respect for the people who worked on it.

AnonymousBloke July 21, 2014 4:25 PM

Hrrm, looks like just a new type of evercookie (though these things are nasty, especially on mobiles)…

Not to say the link is bad, very clever method of attribution, that is for sure.

My wild guess is intel agencies would have to follow ad agencies on these courses, as ad agencies have such extraordinary ‘supply & demand’ influences here & intel agencies can just sit on their collective asses…

(NM that they already have the backbone, we can assume, and so probably are constantly tying IP addresses to identities and web traffic…)

Daniel July 21, 2014 5:07 PM

It’s important to remember that not all the needs of the end users of this data are the same. I’d imagine that 90% accuracy is enough for many juries to find proof beyond a reasonable doubt. What if the NSA learned that there was 90% probability that it was computer x that made the terrorist threat? Certainly that is enough to meet any standard of probable cause to get a warrant.

From a marketer’s perspective–who is trying to build a personality profile to sell to advertisers–maybe 90% isn’t so good. For a lot of other purposes, 90% is awesome.

anon July 21, 2014 5:34 PM

Please don’t call this “a new way” to identify individual computers. It’s been around for years.

“Canvas fingerprinting is a type of browser or device fingerprinting technique that was first presented by Mowery and Shacham in 2012.”
Source: https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html

The above source was even linked to by the Pro Publica article! The due diligence of this blog sure has gone downhill. 🙁

EvilKiru July 21, 2014 6:53 PM

@anon: It’s only been around for a couple of years, so it’s still relatively new.

Anonymous complaints on this blog sure have gone downhill!

AnonymousBloke July 21, 2014 6:57 PM

“this has been known for years” whine

Maybe not a good writeup until now, anyway, why complain? Peer pressure attempts at work.

It isn’t like Bruce is getting paid for this.

Definitely one of the best blogs out there and has been for years.

Godel July 21, 2014 7:56 PM

“this has been known for years” whine

The possibility of this sort of fingerprinting has been known; the extent to which it’s actually been used in the wild probably was not.

Gando July 21, 2014 8:33 PM

Seems like one could write a plugin to use a random number generator and draw the image differently every time from the same browser.

Buck July 21, 2014 10:59 PM

@Daniel

Context my dear friend; context…
Do you think 90% would be sure enough for a drone strike? What if you lived in Ragheadistan..? Is 90% sure proper cause for some microwaves?

Benni July 22, 2014 12:08 AM

Well, I think there are three ways to counteract this.

1) Just go to your internet cafe of your choice and begin webbrowsing. But do not sign in to some service during your browsing..

or
2) Or do not browse altogether in the web, but restrict your network communication to friends that you personally know and communicate over an encrypted channel.

or

3) use a text based browser, like lynx: http://lynx.isc.org/ Lynx is quite a fine browser that every gentoo.org user learns to enjoy during his first installs of gentoo….

Costas July 22, 2014 12:53 AM

These guys will never stop. Maybe a better approach, instead of just blocking them, would be to discredit their value, by overwhelming them with fake data? Their data would be less accurate, which in turn will make it uneconomic to run such a “service”.

Cpt. Obvious July 22, 2014 2:20 AM

As many have pointed out, this isn’t someone tracking your computer through an imagefile. It’s someone tracking your computer through javascript.

And the “image drawing” they talk about is really just some information written by said javascript, following a set of rules meant to provide unique information. In other words, they are creating a cookie of sorts. The only interesting thing about this is the technique they use to make the information unique.

Use a browser that lets you disable javascript by default and only allow sites you trust to run any scripts. Oh, and make sure that trust isn’t because of wishful thinking.

That way this type of tracking isn’t possible.

name.withheld.for.obvious.reasons July 22, 2014 2:30 AM

I guess I am an outlier once again…I don’t process HTTP stream data. First, without digesting the GET (HTML 5 has issues), I redirect the source to a local file or pipe to an appropriate viewer. Once downloaded, viewing the information is done via hexdump….

lynx -source https://www.schneier.com/blog/newcomments.html | xxd | more

or

lynx -source https://www.schneier.com/blog/newcomments.html | w3m -T text/html

or

lynx -source https://www.schneier.com/blog/newcomments.html > schneier.html;lynx file://`pwd`/schneier.html

Bostas July 22, 2014 4:18 AM

Firefox has been showing warnings for canvas drawing tracking for quite a long time already.

Czerno July 22, 2014 6:29 AM

TL;DR : any browser exploit, such as this profiling technique, that relies on users blindly executing browser-side JS, should not have to be mentioned, even less seriously discussed. /

If it’s true – as seems to be – this particular fingerprinting mechanism requires a target browser to execute javascript, then I do not consider it a problem for privacy aware users, like me and all of you, followers of this blog.

Who of us in his right mind would not be using NoScript, ScriptSafe or similar browser add-ons to permanently disallow all JS except perhaps a handful very trusted sites (not even this AFAIAC), only allowing JS execution case by case and only in a temporary fashion ?

I’ve been using JS blockers in this way for so long I can’t even remember otherwise, and I’m so happy I have !

Sometimes we hear self proclaimed tech ‘gurus’, who should know better, say that blocking all JS by default is “too inconvenient” to be practical; such statements are total nonsense. Using JS blocking extensions, whenever some element you /really/ want appears to be missing, it’s a simple matter to get at the list of blocked scripts and carefully select one or more you will allow, albeit always temporarily. The inconvenience, if any, in this way of using a browser is to be put in balance with the 1,000 times more inconvenient AND risky alternative of permanently allowing all, or even some non fully controlled, JS.

x11794A July 22, 2014 8:41 AM

This is a big deal, because there’s no way to block this right now.

As others have said, for now you can just use NoScript and it won’t work, which is really not that difficult to do.

Longer term, this also doesn’t seem like a particularly difficult fingerprinting method to defeat even with Javascript on, because you could just deliberately fuzz the highest entropy font rendering parameters. Since the average user doesn’t even realize that fonts are rendered differently on different systems, it seems likely to me that the highest entropy would likely be in the least visible parts of the font rendering engine.

Additionally, I’m not 100% sure what the legitimate use case is for whatever Javascript functionality allows scripts to grab on-screen pixel data, but you could potentially reduce the severity of or entirely eliminate this attack without any change to the way fonts are displayed by disabling Javascript access to on-screen pixel data by default (or if it’s actually some critical function, you could fuzz and/or reduce the resolution of such image data by default).
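The idea raised in this comment and in Gando's earlier one, fuzzing the pixel data a script reads back, can be sketched on a raw RGBA buffer. This is an added example, not code from any commenter or existing extension; `fuzzReadback`, the per-session seed and the constructed sample buffer are assumptions, and the FNV-1a hash only stands in for whatever a tracker computes over the readback.

```javascript
// Seeded PRNG (mulberry32) so the demo is reproducible. Assumption: a real
// extension would take the per-session seed from crypto.getRandomValues.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Return a copy of the RGBA readback with the lowest bit of one colour
// channel flipped on roughly a quarter of the pixels. The same seed gives the
// same answer, so repeated reads in one session cannot be averaged to remove it.
function fuzzReadback(pixels, sessionSeed) {
  const rand = mulberry32(sessionSeed);
  const out = new Uint8ClampedArray(pixels);      // what is on screen stays untouched
  for (let i = 0; i < out.length; i += 4) {
    if (rand() < 0.25) {
      const channel = i + Math.floor(rand() * 3); // R, G or B; alpha is left alone
      out[channel] ^= 1;
    }
  }
  return out;
}

// 32-bit FNV-1a, a stand-in for the hash a tracker would take of the readback.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// Constructed sample: a 64x16 opaque grey ramp standing in for rendered text.
function samplePixels(width, height) {
  const px = new Uint8ClampedArray(width * height * 4);
  for (let p = 0; p < width * height; p++) {
    const v = (p * 7) % 256;
    px.set([v, v, v, 255], p * 4);
  }
  return px;
}

function compareSessions() {
  const rendered = samplePixels(64, 16);
  const a = fuzzReadback(rendered, 1001);         // constructed session seeds
  const b = fuzzReadback(rendered, 2002);
  let maxDelta = 0;
  a.forEach((v, i) => { maxDelta = Math.max(maxDelta, Math.abs(v - rendered[i])); });
  const stable = fnv1a(fuzzReadback(rendered, 1001)) === fnv1a(a);
  return { plain: fnv1a(rendered), sessionA: fnv1a(a), sessionB: fnv1a(b), stable, maxDelta };
}

console.log(compareSessions());
```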

paul July 22, 2014 9:39 AM

Not only can this technique be defeated by the various blockers, it’s relatively easy to recognize and thus spoof. Now that it’s in the news, I await the “Draper for a Day” plugin (or greasemonkey script) in 3… 2… 1…

Mike the goat July 22, 2014 10:48 AM

Personally I am more concerned about the panopticlick style fingerprinting at this stage. I guess it is little wonder that advertisers will continue to try and exploit browser design so that they can track user behavior…

Gweihir July 22, 2014 2:39 PM

Just tried this with the TOR browser bundle: Not even installing a different version of the graphics driver helped (win7). I was also never asked whether canvas access was ok. The only thing that helped was NoScript. Now, it could be that all browser-bundle installations get pretty much the same hash, but I doubt it.

I expect Tails will be better, as it has a far more standardized setup. Still, disabling JavaScript may be mandatory for anonymous surfing these days. Not that this is really any surprise.

Lambert July 22, 2014 3:51 PM

Trying out the HTTP switchboard now. It is taking a little config to not break a lot of functionality (e.g. Youtube).

David July 22, 2014 10:58 PM

Fingerprinting can be disabled in Google chrome by going to

chrome://flags/

and disabling WebGL

Might break some valid functionality, but this should be obvious and the flag enabled when desired.

Sally Shears July 23, 2014 5:08 AM

The nifty product DoNotTrackMe by abide.com claims to block the tracker from AddThis.com

Mat2 July 23, 2014 6:10 AM

EFF had since ages a website that allows for fingerprinting browsers based on installed plugins (and the order in which the browser reports them), installed fonts, etc. and no popular browser (except for Tor Browser) did anything to stop that:
https://panopticlick.eff.org/

BTW, using NoScript makes fingerprinting easier because very few people use it.

Czerno July 23, 2014 7:15 AM

@Mat2: “.. using NoScript makes fingerprinting easier because very few people use it.”

“Very few” using Noscript ? Maybe few in relative terms, there are still many in absolute numbers.

Whatever, I don’t care if advertisers notice I’m refusing to execute their scripts, all it tells them if anything is I’m not likely to be interested in whatever they would like to mush to me.

Using NoScript does NOT make fingerprinting easier as it deprives the trackers from a LOT of identifying tidbits of information.

The Panopticlick site’s tests are interesting per se, but their evaluation of your level of “uniqueness” is flawed, based on an error of perspective, IMNSHO.

x11794A July 23, 2014 10:46 AM

@Mat2 If you’re using NoScript, they know that you aren’t running Javascript, and maybe they know you’re using NoScript. If you’re not using NoScript, they can use Javascript to get a list of every plugin you have installed in your browser, a list of all your system fonts, and much, MUCH more. “This person isn’t allowing us to run Javascript” is a pretty terrible fingerprint compared to all that other configuration information.

Gweihir July 23, 2014 2:15 PM

@Mat2:

Sorry, but NoScript does not make fingerprinting easier at all. That statement is complete BS. Sure, they get one bit of “no JavaScript”, that is not even NoScript specific, but lose something like 100 bits or more of what the canvas-grab gives them.

leaveacomment July 23, 2014 3:56 PM

Where have you been for the last couple of years Bruce? HTML5 canvas request attacks are old news!

Correct July 23, 2014 3:57 PM

@Gweihir

Correct. I ran that test myself. With NS turned off my browser was uniquely identifiable. With it turned on it was 1 in 6000. Now, even an idiot can understand that 1 in 6000 is better than one in one.

HOWEVER, No Script is a bigger problem in a different way. It is possible to fingerprint a browser based on the pattern of sites a user has permanently enabled NS on. To be truly secure one has to leave NS on all the time and always use the temporary enable function, even on sites one uses a lot. Very annoying.

Czerno July 23, 2014 4:08 PM

@Correct : “one has to leave NS on all the time and always use the temporary enable function, even on sites one uses a lot. Very annoying.”

Not annoying at all. On the contrary, browsing with JS enabled is where it begins to be annoying.

Peter T July 24, 2014 5:52 AM

Is there any information on how much this canvas fingerprinting is hardware dependent? Based on what I have read so far it seems to me that they can track me only if I use the same OS and same browser. So simply switching to another OS or browser on the same hardware would make this method useless.

Leon Wolfeson July 24, 2014 1:12 PM

Peter T – How often do you do that, though? And I’m not sure it’s that easy to tweak a VM to give different results, either.

Canvas is just badly designed from a user perspective, like a lot of HTML5, sadly.

unhappyApples July 24, 2014 7:38 PM

I blocked AddThis at my router(s), specifically the following:

p.addthis.com
s3.addthis.com
s7.addthis.com
s9.addthis.com
su.addthis.com
www.addthis.com

Interestingly most sites worked fine afterwards, but it broke Google Maps (some inside my LAN expected to use it, but it just hung on both IE and Firefox) so I set the router to reject packets for the above instead of drop. Problem solved. (On the other hand if you want to block FB and its parasitical tracking completely it’s fine to drop packets for them, no need to reject).

Shadow July 25, 2014 4:32 AM

Still waiting for an add-on that explicitly targets fingerprinting whenever a script asks for a list of: OS, browser version, installed fonts, pixel resolution, etc.

Instead of blocking: the add-on would deliver a slightly randomized spoofed list based on the most common set-up (win7, standard Chrome/Firefox with no add-ons, screen resolution close to the actual res, etc.)

LawYesTheVillageNo August 16, 2014 12:13 AM

Just a few days ago, at Mozilla addons site, appeared an extension called “CanvasBlocker” (v. 0.1.2); I just tried it, and it actually causes zero data to be revealed at “Browserleaks” canvas test! Hope this helps Mozilla-based browser users.

Questernaut September 29, 2014 7:01 AM

Disabling HTML5 canvas fingerprinting is a bad idea and I think the merits of fingerprinting should be considered.

HTML5 canvas fingerprinting can be shown in a very positive light. The fingerprint, when used in conjunction with server-side session management, can be used as an additional layer of authentication. The canvas fingerprint can accomplish what the IP address couldn’t. A canvas fingerprint provides a stable form of unique identification that unlike a session token isn’t sent over a network as a cookie value provided by the client.

A session is compromised when someone accesses the session_id. Today, systems can only try to minimize session hijacking by managing relative and absolute timeouts through timers and expirations. Combining the canvas fingerprint with a session token makes it that much more challenging to spoof and compromise someone’s identity.

Thoughts?

Clive Robinson September 29, 2014 7:16 AM

@ Questernaut,

canvas fingerprint provides a stable form of unique identification that unlike a session token isn’t sent over a network as a cookie value provided by the client.

It results from a deterministic process beyond the control of the authenticating service but not others, thus it can be imitated, so is far from reliable or even unique.

So is at the end of the day probably less reliable than the IP address as an authenticator.

However it might see service as a “watchdog” to spot a change in behaviour and thus flag it as another warning that there might be a compromise in place.
