collect resources

[Thorin-Oakenpants]

i don't want to mess up your readme (plus this alerts you to add it to your collection): so when ever I post in here, that's your cue to DL and write up

Learning-based Practical Smartphone Eavesdropping with Built-in Accelerometer PDF: https://www.ndss-symposium.org/wp-content/uploads/2020/02/24076-paper.pdf

It's a side-channel attack to record audio

[abrahamjuliot]

Sweet. This is perfect.

[Thorin-Oakenpants]

https://github.com/plaperdr/fingerprinting-in-style

[abrahamjuliot]

Wow, this is very interesting. I'm looking forward to the paper and talk. This subject has been on my mind.

[Thorin-Oakenpants]

https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf

[Thorin-Oakenpants]

http://www.iiisci.org/journal/CV$/sci/pdfs/SA899XU20.pdf https://www.ekzhang.com/assets/pdf/Browser_Fingerprinting.pdf https://easychair.org/publications/preprint_download/H7Dc <- direct download

[Thorin-Oakenpants]

are you ready for some priming and probing 👽 ?

• title: Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses
• article: https://thehackernews.com/2021/03/new-browser-attack-allows-tracking.html
• pdf: https://arxiv.org/abs/2103.04952

[Thorin-Oakenpants]

why is prototype lies here as well: it's out of date with out improvements

• adding navigator
• adding dual checks
• sorting

[abrahamjuliot]

I've been collecting function concepts here (prototype lies being one), but I'm behind on updating these. Webgl, Emojis, and webRTC have a list of improvements. I to plan give this more focus soon.

[Thorin-Oakenpants]

title: Estimation of the time for calculating the attributes of browser fingerprints in the user authentication task of cultural learnings of browser for make benefit glorious track of kazakhstan some url: https://search.proquest.com/openview/86f7e90c68787855a85391876d850056/ pdf: link top right

edit: a more official URL: https://www.e3s-conferences.org/articles/e3sconf/abs/2020/84/e3sconf_TPACEE2020_01030/e3sconf_TPACEE2020_01030.html pdf: ^^ the full E3S Web Conf Vol 224 PDF is linked top right

50ms? But I do agree that webgl is time hogs. Compared to webgl, canvas is a saint

[Thorin-Oakenpants]

title: Who Touched My Browser Fingerprint?: A Large-scale Measurement Study and Classification of Fingerprint Dynamics url: https://dl.acm.org/doi/10.1145/3419394.3423614 pdf: https://yinzhicao.org/fpmeasurement/imc20.pdf

That's this Song Li - > https://github.com/Song-Li/cross_browser

---

For example, we find that a certain emoji update at a mobile Chrome browser can reveal the fact that a Samsung browser is co-installed with the Chrome browser because the Samsung update introduces a new emoji. Similarly,for another example, the font list and the changes of fonts in fingerprint dynamics can be used to infer whether Microsoft Office is installed or even updated

This is already known: see MS bundled fonts in 1670199 . As for emoji's, I think any entropy from them is rather limited that fonts themselves don't already give from equivalency: but sure, there may be something extra there

---

For example, we have observed that the sample rate of audio card in Chrome may change together with the GPU renderer. The reason is that although some features are not directly related, the causes behind the changes may be. Specifically, in the aforementioned example, Chrome adopts DirectX to manage audio card on certain Windows machines: An update of DirectX will influence both the GPU renderer and the audio sample rate

Yikes. My understanding was that audio entropy (at least in FF) only comes from floating points. I might have to follow up on this

---

wow, table one just shows what a f__king mess the user agent devolved into

interesting static values' distinct groups

• font list 115k
• user agent 41k .. seriously, the web needs to get it's shit together
• OMG ... plugins 16k (and 14k unique .. wow) <-- really? must be a chromium thing
• language header 14k <- so additional/fallback languages here is quite painful
• canvas 14k
• GPU renderer 5.7k
• GPU type 5k
• pixel ratio 2k
• language list 1.2k
• Audio 114 <-- I knew audio entropy was low (23 of those were unique)

interesting - @pes10k : randomizing additional languages should be ASAP :) I know you have an issue for it

[Thorin-Oakenpants]

BrFAST: a Tool to Select Browser Fingerprinting Attributes for Web Authentication According to a Usability-Security Trade-off

• alt title by pants: BrFast: perf vs entropy 👍
• link https://arxiv.org/abs/2104.09175
• pdf: https://arxiv.org/pdf/2104.09175
• doi: 10.11453442442.3458610
• github: https://github.com/tandriamil/BrFAST

Why can't they use the word "equivalency" (edit: where appropriate) . It is true that for example language and timezone can be largely correlated, but many languages share timezones, and many timezones can be used across one language (e.g. en-US has dozens, russian has seven timezones I think), and I wouldn't call these expensive to query

edit: @ViRPo Hey Peter, we meet again .. your diploma thesis was cited in the above research

[Thorin-Oakenpants]

title: fantistic timers and where to find them link: https://gruss.cc/files/fantastictimers.pdf

this is better than that 19.2mb pdf (you know the one I mean) which is not publicly available anyway

[Thorin-Oakenpants]

some light reading

• title: Information Theory: A Tutorial Introduction
• link: https://arxiv.org/abs/1802.05968
• pdf: https://arxiv.org/pdf/1802.05968.pdf

[Thorin-Oakenpants]

• Title: A Study of Feasibility and Diversity of Web Audio Fingerprints
• URL: https://arxiv.org/abs/2107.14201
• Date: study done March-May 2021

---

also this which is somewhat interesting

• Title: EssentialFP: Exposing the Essence of Browser Fingerprinting
• Link: https://www.cse.chalmers.se/~andrei/secweb21.pdf
• those heatmaps are whacky

• For each row, the column identifies the conditional probability of the feature of the column given the feature of the row. The probability is interpreted as a gradient between yellow (0% probability) and red (100% probability)

[Thorin-Oakenpants]

https://mozilla.github.io/ppa-docs/privacy-budget.pdf

[Thorin-Oakenpants]

Dum Dum Want Gum Gum

that can successfully spoof a wide variety of fingerprinting features to mimic many different browsers including mobile browsers and the tor browser

Just run Tor Browser, with the right language on the applicable OS (VM), resize the window if needed - and only spoof edge case data if really needed. Seriously, it's not hard to make Tor Browser look like Tor Browser (plus you would want to be using a Tor exit node)

[Thorin-Oakenpants]

What? 5 days already and no love for the Gummy Browser .. I am bitterly disapppointed

[Thorin-Oakenpants]

title: Online Website Fingerprinting: Evaluating Website Fingerprinting Attacks on Tor in the Real World link: https://www.usenix.org/conference/usenixsecurity22/presentation/cherubin pdf: https://www.usenix.org/system/files/sec22summer_cherubin.pdf

PS: I've met Rob Jansen .. cool guy :)

[KOLANICH]

"Gummy browsers" seems to be bringing nothing unobvious and novel.

The website fingerprinting paper is quite good.

[KOLANICH]

I know it is pretty old, but it surely belongs here: https://research.google.com/pubs/archive/45581.pdf (and there are some impls on gh)

While it is designed to fingerprint not unique device, but device class, it may be possible to invent something to combat it.

Their scheme relies on the fact that users they consider as "attackers" are outnumbered by the ones giving their real fingerprints to the service. They give the same challenge to multiple users to collect statistics. That's why response sharing is possible. If one device gets a challenge, it is likely other ones will get the same soon. The fingerprinting party doesn't know the real response for a challenge (given that everything else is perfectly spoofed), it has to just check if it is present in its DB.

I think about a cryptocurrency of authentic devices sharing challenge-environment-fingerprint tuples and generating fingerprints for each other, the software to be implemented in browsers wanting to be privacy preserving. To get a new nonce data for another device a user must share one for own device. Though I am not yet sure how to make the devices behave honestly in fully decentralised setting. Also to protect privacy of users a threshold scheme is needed, so to prevent the network to know details on unique combinations.

The devil is that they may have supplied (and likely do it in recaptcha in a form of bytecode) a brand new code for each measurement. I mean not entirely brand new, but enough brand new to make it very hard to automatically reverse engineer it.

[Thorin-Oakenpants]

^ Ahh the picasso paper 👍 I never bothered to collect that one

[Thorin-Oakenpants]

Title: DRAWN APART: A Device Identification Technique based on Remote GPU Fingerprinting PDF: https://arxiv.org/pdf/2201.09956.pdf Article: https://www.bleepingcomputer.com/news/security/researchers-use-gpu-fingerprinting-to-track-users-online/

[Thorin-Oakenpants]

https://blog.amiunique.org/an-explicative-article-on-drawnapart-a-gpu-fingerprinting-technique/

• much better article from pierre

[Thorin-Oakenpants]

title: FP-Radar: Longitudinal Measurement and Early Detection of Browser Fingerprinting authors: Pouneh Nikkhah Bahrami, Umar Iqbal, Zubair Shafiq date: 14 Dec 2021 link: https://arxiv.org/abs/2112.01662 pdf: https://arxiv.org/pdf/2112.01662

[Thorin-Oakenpants]

title: Hacky Racers: Exploiting Instruction-Level Parallelism to Generate Stealthy Fine-Grained Timers authors: Haocheng Xiao, Sam Ainsworth date: 26 Nov 2022 link: https://arxiv.org/abs/2211.14647 PDF: https://arxiv.org/pdf/2211.14647

[Thorin-Oakenpants]

not to be added, just FYI - https://www.mdpi.com/1424-8220/23/6/3087 - shame the code is old [1] and TZP isn't ready yet - there are plans afoot at tor project, and I've been beavering away at a new local version for a while now - 30% smaller, 30% faster, better type checking/lies, more metrics collected, all data (inclusive, i.e not just a hash but the underlying data) in objects, softer colors, smaller widths, less noise ... etc

edit: [1] also the code relies on always being able to correctly detect some global vars, such as os, version - and without maintenance it "breaks" things - it still gives a FP and is consistent but it reduces what is collected, e.g. user agent is always untrustworthy (because the version detection is out of date), or OS detection breaks in TB (due to system font patches)

[Thorin-Oakenpants]

title: Automatic Discovery of Emerging Browser Fingerprinting Techniques authors: Junhua Su, Alexandros Kapravelos date: ACM Web Conference 2023 pdf: https://www.kapravelos.com/publications/fptechniques-www23.pdf

interesting: https://github.com/wspr-ncsu/BrowserFingerprintingAD/blob/main/APIs and Code Snippet.md

I'm honestly struggling to see what is new in any of the 18 APIs they identified - may be they're new to being detected in scripts in the wild, but not new to FPing researchers and PoCs

• https://bfadweb.github.io/bfadweb/

[KOLANICH]

https://github.com/cispa/browser-cpu-fingerprinting

Also I guess support of AVX in CPU (given that CPU is x86_64 and WASM is enabled) can be detected by trying to load WASM code using SIMD. If it is supported, it loads. If it is not, it errors. See https://github.com/mozilla/firefox-translations/issues/370

[Thorin-Oakenpants]

title: Fashion Faux Pas: Implicit Stylistic Fingerprints for Bypassing Browsers' Anti-Fingerprinting Defenses authors: Xu Lin, Frederico Araujo, Teryl Taylor, Jiyong Jang, Jason Polakis date: 2023 IEEE Symposium on Security and Privacy (SP) link: https://www.computer.org/csdl/proceedings-article/sp/2023/933600b640/1Js0Ecrxjzi pfd: https://www.computer.org/csdl/pds/api/csdl/proceedings/download-article/1Js0Ecrxjzi/pdf