- In this work we present Picasso: a lightweight device class fingerprinting protocol
that allows a server to verify the software and hardware stack of a mobile or desktop client.
- We address the challenge of client spoofing by introducing Picasso: a lightweight device class
fingerprinting protocol that allows a server to accurately determine the browser, operating system,
and graphical stack of a web browsing client.
- Unlike device fingerprinting, we cannot uniquely distinguish two clients operating
the same browser and hardware.
- Our algorithm is resistant to replay and includes a hardware-bound proof of work that forces a
client to expend a configurable amount of CPU and memory to produce a valid response that
cannot be offloaded to more powerful devices of a different type or even emulators of the same device class.
- In practice, Picasso relies on multiple rounds of drawing HTML5 canvas graphical primitives
to surface divergent implementation behaviors across device classes.
Canvas rendering differences produce enough entropy to distinguish individual devices.
- This is a fingerprinting protocol that enables web servers to accurately identify a client’s device class.
A device class is a unique collection of {browser, OS, graphics hardware}.
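
The challenge-response shape described in the bullets above (fresh seed, multiple chained drawing rounds, single-use verification), as an added JavaScript sketch that is not code from the paper or the linked repositories. Assumptions: the `RENDERERS` quantizers are constructed stand-ins for how two device classes render the same canvas primitive, FNV-1a stands in for hashing the canvas contents, and the verifier recomputes the expected answer itself; all names and parameters are hypothetical.

```javascript
// Added sketch. The quantizers below are constructed stand-ins for how two
// device classes rasterize the same canvas primitive slightly differently.
const RENDERERS = {
  classA: v => Math.round(v * 16) / 16,
  classB: v => Math.floor(v * 4) / 4,
};
// Seeded PRNG (mulberry32): client and verifier derive identical primitives.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// FNV-1a, a non-cryptographic stand-in for the hash of the canvas contents.
function fnv1a(str, h = 0x811c9dc5) {
  for (let i = 0; i < str.length; i++) h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  return h;
}

// Client side: one primitive per round, each digest chained onto the last,
// so `rounds` sets the work and no round can be skipped.
function respond(seed, rounds, quantize) {
  const rand = prng(seed);
  let digest = fnv1a(String(seed));
  for (let i = 0; i < rounds; i++) {
    const prim = [rand() * 300, rand() * 150, rand() * 40].map(v => quantize(v));
    digest = fnv1a(prim.join(','), digest);
  }
  return digest.toString(16);
}

// Verifier side: fresh seed per challenge, each challenge usable once.
class Verifier {
  constructor() { this.pending = new Map(); this.nextId = 1; }
  issue(claimedClass, rounds) {
    const seed = (Math.random() * 2 ** 32) >>> 0; // use a CSPRNG in production
    this.pending.set(this.nextId, { seed, rounds, claimedClass });
    return { id: this.nextId++, seed, rounds };
  }
  verify(id, response) {
    const c = this.pending.get(id);
    if (!c || !this.pending.delete(id)) return false; // unknown or replayed id
    return response === respond(c.seed, c.rounds, RENDERERS[c.claimedClass]);
  }
}
```

A response computed with the `classB` renderer fails a challenge issued for `classA`, and a correct response is rejected the second time it is submitted.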
https://storage.googleapis.com/pub-tools-public-publication-data/pdf/45581.pdf
https://adtechmadness.wordpress.com/2019/03/19/overview-of-googles-picasso/
https://github.com/antoinevastel/picasso-like-canvas-fingerprinting
Also see: https://twitter.com/adtechmadness/status/1107995323295772674
And https://github.com/antoinevastel/picasso-like-canvas-fingerprinting/issues/2, where it seems like Cloudflare is using that repo to detect bots.
https://www.reddit.com/r/CODZombies/comments/6hah5n/i_put_the_upgraded_as_name_in_production_code_for/
https://github.com/antoinevastel/fpscanner