Persistent tracking mechanisms

Andras Akos Nemeth

on 19 September 2014

Transcript of Persistent tracking mechanisms

Persistent tracking mechanisms
based on study: The Web never forgets
Canvas Fingerprinting
first presented in 2012 by Keaton Mowery and Hovav Shacham: Fingerprinting Canvas in HTML5 (https://cseweb.ucsd.edu/~hovav/dist/canvas.pdf)
Evercookies & respawning
abusing different browser storage mechanisms to restore removed cookies
using the Canvas API, the differences in the rendering of the same text (based on OS, font library, graphics card/driver, browser) can be extracted into a consistent fingerprint
draws text with background
Canvas API's toDataURL -> canvas pixels as a data URL
get hash of this combined data
combine with browser properties (plugins, fonts, user agent string) [Peter Eckersley: How Unique Is Your Web Browser? - https://panopticlick.eff.org/browser-uniqueness.pdf]
no solution to block it without false positives
example: LSO > HTTP Cookie:
webpage stores Flash Cookie (LSO) and HTTP Cookie
user removes HTTP Cookie
webpage respawns HTTP Cookie from LSO
LSO - Local Shared Objects
(Flash Cookies)
Evercookie by Samy Kamkar (http://samy.pl/evercookie/)
Other fingerprinting studies
JS Fingerprinting: http://cseweb.ucsd.edu/~kmowery/papers/js-fingerprinting.pdf
JS Engine Fingerprinting: https://www.sba-research.org/wp-content/uploads/publications/jsfingerprinting.pdf
Enhancing HTTP(S) Session Security with Browser Fingerprinting (https://www.sba-research.org/wp-content/uploads/publications/shpf_extendedPreprint.pdf)
Clock Skew Based Fingerprinting: http://www.caida.org/publications/papers/2005/fingerprinting/KohnoBroidoClaffy05-devicefingerprinting.pdf
Using the microphones and speakers of smartphones: http://arxiv.org/pdf/1403.3366v1.pdf
Opt out pages


location depends on Flash plugin:
NPAPI - Netscape Plugin API
PPAPI - Pepper Plugin API

~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/
~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/

~/Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/#SharedObjects/

Adblock Plus: https://adblockplus.org/en/

CanvasFingerprintBlock: https://chrome.google.com/webstore/detail/canvasfingerprintblock/ipmjngkmngdcdpmgmiebdmfbkcecdndc
Canvas Fingerprint blockers:
Canvas Fingerprint scripts:
Cookie Syncing
allows different trackers to share user identifiers
enables back-end server-to-server data merges
Google Cookie Matching https://developers.google.com/ad-exchange/rtb/cookie-guide
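
Added example (not part of the original presentation): one heuristic for spotting cookie syncing in captured traffic is to look for an identifier that one site stores in a cookie and that then shows up in a request URL sent to a different site. The log entries, host names, ID values, the `siteOf` helper and the `MIN_ID_LENGTH` threshold are constructed assumptions.

```javascript
// Assumption: values shorter than this are too common to be user identifiers.
const MIN_ID_LENGTH = 8;

// Crude registrable-domain approximation (last two labels).
// A real tool would use the Public Suffix List.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Constructed log: one entry per request, with the cookies sent on it.
const sampleLog = [
  { url: 'https://ads.tracker-a.example/pixel?page=home',
    cookies: { uid: 'a81f3c9e77d2b410' } },
  { url: 'https://sync.tracker-b.example/match?partner=a&puid=a81f3c9e77d2b410',
    cookies: { bid: '55e0c4417fa9d3b2' } },
  { url: 'https://cdn.static-c.example/lib.js?v=20140919',
    cookies: {} },
  { url: 'https://ads.tracker-a.example/match?b_id=55e0c4417fa9d3b2',
    cookies: { uid: 'a81f3c9e77d2b410' } },
];

function findCookieSyncs(log) {
  // Pass 1: map each candidate ID value to the sites that hold it in a cookie.
  const owners = new Map();
  for (const { url, cookies } of log) {
    const site = siteOf(new URL(url).hostname);
    for (const value of Object.values(cookies)) {
      if (value.length < MIN_ID_LENGTH) continue;
      if (!owners.has(value)) owners.set(value, new Set());
      owners.get(value).add(site);
    }
  }
  // Pass 2: report IDs that appear in a URL sent to a different site.
  const findings = new Set();
  for (const { url } of log) {
    const u = new URL(url);
    const receiver = siteOf(u.hostname);
    // searchParams yields percent-decoded values, so encoded IDs still match.
    const haystack = [u.pathname, ...u.searchParams.values()].join(' ');
    for (const [id, sites] of owners) {
      if (!haystack.includes(id)) continue;
      for (const owner of sites) {
        if (owner !== receiver) findings.add(`${owner} -> ${receiver}: ${id}`);
      }
    }
  }
  return [...findings].sort();
}
```

Each finding reads "owning site -> receiving site: shared ID"; a pair of sites that appears in both directions has exchanged identifiers both ways.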