Abstract
Although browser fingerprinting has been widely studied from a privacy angle, there is also a case for fingerprinting in the context of risk-based authentication. Given that most browser-context features can be easily spoofed, APIs that potentially depend on both software and hardware have gained interest. HTML5 Canvas has been shown to provide a certain degree of characterization of a browser. However, multiple research questions remain open. In this paper, we study how to use this API for browser fingerprinting in a scalable way by means of a Siamese deep neural network. We also explore the limits of this technique on modern browsers that are progressively standardizing the Canvas outputs. In our evaluation using over 200 browser instances, we obtain 82% accuracy in distinguishing browser instances in our dataset, and 92% if the model only distinguishes between users with a different browser or OS. Our model has a 0% false-rejection rate and up to a 36% average false-acceptance rate on simulated attacks; false acceptances occur mostly when victims and attackers share the same browser model and version and the same OS.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Rivera, E., Tengana, L., Solano, J., López, C., Flórez, J., Ochoa, M. (2022). Scalable and Secure HTML5 Canvas-Based User Authentication. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2022. Lecture Notes in Computer Science, vol 13285. Springer, Cham. https://doi.org/10.1007/978-3-031-16815-4_30
DOI: https://doi.org/10.1007/978-3-031-16815-4_30
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-16814-7
Online ISBN: 978-3-031-16815-4
eBook Packages: Computer Science, Computer Science (R0)