Fingerprinting Computers – Part I – Your browser.

Authentication is about the only big open problem in the practice of internet security. The existing encryption and hashing algorithms as well as the key generation/management protocols offer a high degree of security, barring programming/implementation errors.
Authentication technologies face serious challenges mainly because identity is difficult to establish with a 100% certainty even using physical characteristics, i.e., signatures and credentials can be forged, the physical appearance of people can be manipulated, etc.

In some applications, the availability of a technology able to establish the identity of the computer with a 100% certainty, is enough to establish identity (or at least a very important factor). Such technologies could be particularly useful for Digital Right Management applications and for communications between servers.
One way to establish the ID of a computer in the network is through the cataloging of the public information that is available to your browser. For example, if you need to establish the identity of your computer on the Internet for the purposes of an e-commerce transaction, the Verificator may use a script running in your browser that requests and catalog the information about installed drivers, fonts, software and plug-ins, such that the particular setup of your computer can be used as its ID. The Electronic Frontier Foundation has made an enormous contribution to the practical aspects of this issue through the project Panopticlik. Focusing on what this information leak does to privacy, they setup a website that runs a script looking at the information that is “leaked” by the browser in your computer. From that they calculated that on average browsers leak about 18 bits of information, that means your particular computer can be picked up from a set of 2^{18} = 262,144   ^{[1]} computers that visit the site. Moreover, the evolution of this fingerprint can be tracked over time with a good degree of accuracy.
For identification purposes, this will need to be complemented with additional information readily available to a piece of software that has access to the OS. Therefore, it is in principle possible to have a ‘software’ based ID method. The problem with this approach is that as the computer administrator has full control over the OS, these parameters can be faked and therefore such system will be subjected to a Man in the Middle attack.

[To be contibued…]

  1. To uniquely identify a person out of the total population of the globe will take less than 33 bits 2^{33} = 8,589,934,594
  2. A very good introduction to the probabilistic concepts behind this can be found here.

One Response to Fingerprinting Computers – Part I – Your browser.

  1. Mario says:

    I did test my browser (Firefox) running NoScript and Panopticlick reports a fingerprint that conveys 16.56 bits of identifying information (1 in 96,433). If I allow the website it reports 20.46 bist, (1 in 1,446,498) the same as using Internet Explorer.
    Go here for a more in depth discussion about NoScript.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: