Skip to Main content Skip to Navigation
New interface
Habilitation à diriger des recherches

Improving the Security and Privacy of the Web through Browser Fingerprinting

Walter Rudametkin 1 
1 SPIRALS - Self-adaptation for distributed services and large software systems
Inria Lille - Nord Europe, CRIStAL - Centre de Recherche en Informatique, Signal et Automatique de Lille - UMR 9189
Abstract : I have been an associate professor in computer science at the University of Lille and a member of the Spirals project-team in the CRIStAL laboratory since September 2014. I obtained my PhD in Software Engineering in Grenoble in 2013, focusing on building robust self-adaptive component-based systems, and I completed a postdoctoral stay in the Inria DiverSE project-team, in Rennes, in the area of component-based software engineering. Since 2014, my research has mostly focused on (i) multi-cloud computing and (ii) security and privacy on the web. I have successfully co-advised two doctorates, Gustavo Sousa (defended July 2018) and Antoine Vastel (defended November 2019), and currently advise 3 students. I have decided to write my Habilitation pour Diriger des Recherches (HDR) in the area of privacy and security because this will be my main line of research activities for the near future. More specifically, I present the results of the research that my students, colleagues, collaborators, and I have done in the area of browser fingerprinting. Browser fingerprinting is the process of identifying devices by accessing a collection of relatively stable attributes through Web browsers. We call the generated identifiers browser fingerprints. Fingerprints are stateless identifiers and no information is stored on the client’s device. In the first half of this manuscript, we identify and study three properties of browser fingerprinting that make it both a risk to privacy, but also of use for security. The first property, uniqueness, is the power to uniquely identify a device. We performed a large scale study on fingerprint uniqueness and, although not a perfect identifier, we show its statistical qualities allow uniquely identifying a high percentage of both desktops and mobile devices [Laperdrix 2016]. The second property, linkability, is the capacity to re-identify, or link, fingerprints over time. This is arguably the main risk to privacy and enables fingerprint tracking. We show, through two algorithms, that some devices are highly trackable, while other devices’ fingerprints are too similar to be tracked over time [Vastel 2018b]. The third and final property is consistency, which refers to the capacity to verify the attributes in a fingerprint. Through redundancies, correlations or dependencies, many attributes are verifiable, making them more difficult to spoof convincingly. We show that most countermeasures to browser fingerprinting are identifiable through such inconsistencies [Vastel 2018a], a useful property for security applications. In the second half of this manuscript, we look at the same properties from a different angle. We create a solution that breaks fingerprint linkability by randomly generating usable browsing platforms that are unique and consistent [Laperdrix 2015]. We also propose an automated testing framework to provide feedback to the developers of browsers and browser extensions to assist them in reducing the uniqueness or their products [Vastel 2018c]. Finally, we look at how fingerprint consistency is exploited in-the-wild to protect websites against automated Web crawlers. We show that fingerprinting is effective and fast to block crawlers, but lacks resiliency when facing a determined adversary [Vastel 2020]. Beyond the results I report in this manuscript, I draw perspectives for exploring browser fingerprinting for multi-factor authentication, with a planned large-scale deployment in the following months. I also believe there is potential in automated testing to improve privacy. And of course, we know that fingerprint tracking does not happen in a bubble, it is complementary to other techniques. I am therefore exploring other tracking techniques, such as our preliminary results around IP addresses [Mishra 2020] and caches [Mishra 2021], using ad blockers against their users, and a few other ideas to improve privacy and security on the Web.
Document type :
Habilitation à diriger des recherches
Complete list of metadata

https://hal.inria.fr/tel-03370277
Contributor : Walter Rudametkin Connect in order to contact the contributor
Submitted on : Thursday, October 7, 2021 - 9:40:18 PM
Last modification on : Tuesday, November 22, 2022 - 2:26:16 PM
Long-term archiving on: : Saturday, January 8, 2022 - 7:46:33 PM

File

hdr_rudametkin_2021.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : tel-03370277, version 1

Citation

Walter Rudametkin. Improving the Security and Privacy of the Web through Browser Fingerprinting. Computer Science [cs]. Université de Lille, 2021. ⟨tel-03370277⟩

Share

Metrics

Record views

227

Files downloads

331