Sweeti Kumari Sah
G. V. P. College
13131D2512
Canvas Fingerprinting, 12/22/2014
Contents
• Introduction
• Problem Today
• Web Browser Fingerprinting
• Working Mechanism
• Examples
• Primary Actions
• Limitations
• Conclusion
• References
INTRODUCTION
History (Canvas Fingerprinting):
• In May 2012, Keaton Mowery and Hovav Shacham,
researchers at University of California, San Diego, wrote
a paper ‘Pixel Perfect: Fingerprinting Canvas in
HTML5’ describing how the HTML5 canvas could be
used to create digital fingerprints of web users.
• Social bookmarking technology company AddThis
experimented with it early in 2014.
• AddThis was employing it in “shadowing visitors to
thousands of top websites, from WhiteHouse.gov to
YouPorn.com.”
1993
But today on the internet...
Interested parties not only know you’re a dog, they
also have a pretty good idea of the color of your fur,
how often you visit the vet, and what your favorite
doggy treat is.
Canvas Fingerprinting
• A new web tracking tool that's ‘nearly impossible
to block’
• Technology which advertisers use to track your
every movement online
• One of a number of browser fingerprinting
techniques of tracking online users that allow
websites to uniquely identify and track visitors
without the use of browser cookies
Problem
• Modern web browsers suffer from a
fundamental privacy/information leakage flaw.
• Websites you visit can query your web browser
for instance-specific information.
• Using this information, one can attach a certain
uniqueness to your browser thereby creating a
very persistent, cookie-less tracking
mechanism.
Web Browser Fingerprinting
• A device fingerprint or machine
fingerprint or browser fingerprint is
information collected about a remote computing
device for the purpose of identification.
• Fingerprints can be used to fully or partially
identify individual users or devices even
when cookies are turned off.
Background
• Special variables in modern web browsers
contain information regarding your specific
browser instance
  ◦ browser plug-in details
  ◦ MIME types your browser can accept
  ◦ which fonts are installed
  ◦ screen resolution
  ◦ others
• This information can be easily queried from
websites you visit (JavaScript).
• Each piece of information contributes a certain
amount of uniqueness to your browser, effectively
creating a browser fingerprint.
Third Party Tracking
“Suddenly” all sorts of websites that you’ve never
heard of can create a browsing profile of you
and sell it to advertising companies:
• quantserve.com
• scorecardresearch.com
• addthis.com
Implementation
• The tool asks a user’s browser to draw a small image
on their screen when they visit a website.
• Certain unique characteristics of their browser and
computer mean that this image is drawn in a
near-unique way that can be used to identify the user.
• The image is analyzed, converted into a number and
sent back to a third party.
• All of the website visits with a matching number can
then be grouped together to create a profile of what
that unique user looks at and when.
Resulting fingerprint
Canvas fingerprinting scripts deployed on 5000 of the top 100,000 most popular websites
Basic flow of operation
When a user visits a page,
• The fingerprinting script first draws text with the font and
size of its choice and adds background colors.
• Next, the script calls the Canvas API's toDataURL method to
get the canvas pixel data in dataURL format, which is
basically a Base64-encoded representation of the binary
pixel data.
• Finally, the script takes the hash of the text-encoded pixel
data, which serves as the fingerprint and may be combined
with other high-entropy browser properties such as the list
of plugins, the list of fonts, or the user agent string.
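To save the canvas image, you need to do something similar to:
// Take the first <canvas> element on the page.
var el = document.getElementsByTagName('canvas')[0];
// Serialize its pixels as a Base64-encoded data URL.
var base64 = el.toDataURL();
alert(base64);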
HTML5 Canvas fingerprinting
Examples of the usually-invisible
images in Canvas fingerprinting
Sample JavaScript code that
produces the pixel
Users Reacted...
• 1/3 of users delete first- and third-party cookies
within a month after they’ve been set up
• Multiple extensions revealing hidden trackers
  ◦ Ghostery
  ◦ Lightbeam
• Private mode of browsers used to avoid traces of
cookies from certain websites
Ghostery
• “Ghostery’s script blocking app sits in your browser, and
canvas fingerprinting won’t work if it’s there.”
• Ghostery launched in 2009. Now, five years later, 40 million
consumers are using the software.
Lightbeam
Primary Actions
• Use the Tor browser (Warning: can be slow)
• Block JavaScript from loading in your browser
(Warning: breaks a lot of websites)
• Use the NoScript browser extension to block
JavaScript from known fingerprinters such as
AddThis (Warning: requires a lot of research and
decision-making)
• Try the browser extension Chameleon, which is
designed to block fingerprinting (Warning: only
recommended for tech-savvy users at this point)
• A countermeasure against canvas fingerprinting is the
CanvasFingerprintBlock browser extension
(currently only available for Chrome).
Every time a website tries to read data from a
canvas, the extension intervenes to blank the data out
before it can be read.
• If the website then uses the data it read to create a
fingerprint, everyone's fingerprint will look the same.
Limitations
• Unlike cookies, canvas fingerprinting brings Internet
tracking to an entirely new level of invasiveness.
• For one, it is performed without the user’s prior
knowledge or consent, and it’s extremely difficult to
know when and where you’re being tracked online.
• To make matters worse, canvas fingerprinting is
incredibly complicated and inconvenient to disable
on the user’s end.
Conclusion
• Web tracking is so much more than cookies
• Fingerprinting is a real problem
• Browsers are so complex that it is really hard
to make them seem identical
• Current browser extensions should not be
used for privacy reasons
• Long-term solutions will most likely not be
purely technical ones (legislation required)
References:
• Acar, Gunes; Eubank, Christian; Englehardt, Steven; Juarez, Marc; Narayanan, Arvind; Diaz, Claudia (July 24, 2014). "The Web never forgets: Persistent tracking mechanisms in the wild".
• Nikiforakis, Nick; Acar, Günes (2014-07-25). "Browser Fingerprinting and the Online-Tracking Arms Race". ieee.org. IEEE. Retrieved 2014-10-31.
• http://www.theregister.co.uk/2014/07/22/canvas_fingerprinting_is_privacy_pirates_new_web_weapon/
Queries Please