Cookieless monster: Exploring the ecosystem of web-based device fingerprinting

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2013, Pages 541-555

  Nikiforakis, Nick ^a   Kapravelos, Alexandros ^b   Joosen, Wouter ^a   Kruegel, Christopher ^b   Piessens, Frank ^a   Vigna, Giovanni ^b  

^a UNIVERSITY OF LEUVEN   (Belgium)

^b UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

browser extensions; device identification; fingerprinting

Indexed keywords

BROWSER EXTENSIONS; CLIENT SIDES; DEVICE FINGERPRINTING; FINGERPRINTING; IN BROWSERS; INFORMATION DELIVERY; IP ADDRESSS; QUESTIONABLE PRACTICE;

ECOSYSTEMS; HTTP;

WEBSITES;

EID: 84881238242     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2013.43     Document Type: Conference Paper

References (42)

1. The New York Times - John Schwartz, "Giving the Web a Memory Cost Its Users Privacy," http://www.nytimes.com/2001/09/04/technology/04COOK. html.
2. B. Krishnamurthy, "Privacy leakage on the Internet," presented at IETF 77, March 2010.
3. B. Krishnamurthy and C. E. Wills, "Generating a privacy footprint on the Internet," in Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, ser. IMC '06, New York, NY, USA, 2006, pp. 65-70.
4. F. Roesner, T. Kohno, and D. Wetherall, "Detecting and defending against third-party tracking on the web," in NSDI'12: Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation. Berkeley, CA, USA: USENIX Association, 2012, pp. 12-12.
5. The Wall Street Journal, "What They Know," http://blogs.wsj. com/wtk/.
6. J. Turow, J. King, C. J. Hoofnagle, A. Bleakley, and M. Hennessy, "Americans Reject Tailored Advertising and Three Activities that Enable It," 2009.
7. B. Ur, P. G. Leon, L. F. Cranor, R. Shay, and Y. Wang, "Smart, useful, scary, creepy: perceptions of online behavioral advertising," in Proceedings of the Eighth Symposium on Usable Privacy and Security, ser. SOUPS '12. New York, NY, USA: ACM, 2012, pp. 4:1-4:15.
8. comScore, "The Impact of Cookie Deletion on Site-Server and Ad-Server Metrics in Australia," January 2011.
9. "Ghostery," http:wwww.ghostery.com.
10. "Collusion: Discover who's tracking you online," http://www.mozilla.org/en-US/collusion/.
11. J. R. Mayer, "Any person... a pamphleteer," Senior Thesis, Stanford University, 2009.
12. P. Eckersley, "How Unique Is Your Browser?" in Proceedings of the 10th Privacy Enhancing Technologies Symposium (PETS), 2010.
13. K. Mowery, D. Bogenreif, S. Yilek, and H. Shacham, "Fingerprinting information in JavaScript implementations," in Proceedings of W2SP 2011, H. Wang, Ed. IEEE Computer Society, May 2011.
14. C. Kolbitsch, B. Livshits, B. Zorn, and C. Seifert, "Rozzle: De-cloaking internet malware," in IEEE Symposium on Security and Privacy, May 2012.
15. E. Mills, "Device identification in online banking is privacy threat, expert says," CNET News (April 2009).
16. "Opt out of being tracked," http://www.bluecava.com/ preferences/.
17. J. R. Mayer, "Tracking the Trackers: Early Results - Center for Internet and Society," http://cyberlaw.stanford.edu/node/6694.
18. T.-F. Yen, Y. Xie, F. Yu, R. P. Yu, and M. Abadi, "Host Fingerprinting and Tracking on the Web: Privacy and Security Implications," in Proceddings of the 19th Annual Network and Distributed System Security Symposium (NDSS), 2012.
19. J. R. Mayer and J. C. Mitchell, "Third-party web tracking: Policy and technology," in IEEE Symposium on Security and Privacy, 2012, pp. 413-427.
20. G. Cluley, "How to turn off Java on your browser - and why you should do it now," http://nakedsecurity.sophos.com/2012/08/30/how-turn-off- java-browser/.
21. B. Krebs, "How to Unplug Java from the Browser," http://krebsonsecurity.com/how-to-unplug-java-from-the-browser.
22. D. Jang, R. Jhala, S. Lerner, and H. Shacham, "An empirical study of privacy-violating information flows in JavaScript Web applications," in Proceedings of CCS 2010, Oct. 2010.
23. "Torbutton: I can't view videos on YouTube and other flash-based sites. Why?" https://www.torproject.org/torbutton/torbutton-faq.html. en#noflash.
24. "Anubis: Analyzing Unknown Binaries," http://anubis.iseclab. org/.
25. "VirusTotal - Free Online Virus, Malware and URL Scanner," https://www.virustotal.com/.
26. G. Pierson and J. DeHaan, "Patent US20080040802 - Network Security and Fraud Detection System and Method."
27. M. Cova, C. Kruegel, and G. Vigna, "Detection and analysis of drive-by-download attacks and malicious javascript code," in Proceedings of the 19th International Conference on World Wide Web (WWW), 2010, pp. 281-290.
28. "ECMAScript Language Specification, Standard ECMA-262, Third edition."
29. M. Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, 2011.
30. A. Andersen, "History of the browser user-agent string," http://webaim.org/blog/user-agent-string-history.
31. "Web Tracking Protection," http://www.w3.org/Submission/2011/ SUBM-web-tracking-protection-20110224/.
32. P. Eckersley, "Panopticlick - Self-Defense," https://panopticlick.eff.org/self-defense.php.
33. J. Scott, "How many Firefox users have add-ons installed? 85%!" https://blog.mozilla.org/addons/2011/06/21/firefox-4-add-on-users/.
34. "Adblock plus - for annoyance-free web surfing," http://adblockplus.org.
35. A. Klein, "How Fraudsters are Disguising PCs to Fool Device Fingerprinting," http://www.trusteer.com/blog/how-fraudsters-are- disguising-pcs-fool-device-fingerprinting.
36. A. Soltani, S. Canty, Q. Mayo, L. Thomas, and C. J. Hoofnagle, "Flash Cookies and Privacy," in SSRN preprint (August 2009).
37. J. Xu and T. Nguyen, "Private browsing and Flash Player 10.1," http://www.adobe.com/devnet/flashplayer/articles/privacy-mode-fp10-1.html.
38. J.-L. Gassée and F. Filloux, "Measuring Time Spent On A Web Page," http://www.cbsnews.com/2100-215-162-5037448.html.
39. K. Mowery and H. Shacham, "Pixel perfect: Fingerprinting canvas in HTML5," in Proceedings of W2SP 2012, M. Fredrikson, Ed. IEEE Computer Society, May 2012.
40. Ł. Olejnik, C. Castelluccia, and A. Janc, "Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns," in the 5th workshop on Hot Topics in Privacy Enhancing Technologies (HOTPETS 2012).
41. Z. Weinberg, E. Y. Chen, P. R. Jayaraman, and C. Jackson, "I still know what you visited last summer: Leaking browsing history via user interaction and side channel attacks," in Proceedings of the 2011 IEEE Symposium on Security and Privacy, ser. SP '11, 2011, pp. 147-161.
42. N. Nikiforakis, L. Invernizzi, A. Kapravelos, S. V. Acker, W. Joosen, C. Kruegel, F. Piessens, and G. Vigna, "You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions," in Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2012.