Talks and Poster Presentations (without Proceedings-Entry):
M. Mulazzani, S. Schrittwieser, P. Reschl, M. Leithner, E. Weippl, M. Huber:
Talk: Web 2.0 Security & Privacy 2013,
Web browsers are crucial software components
in today´s usage of the Internet, but the reliable detection
of whether a client is using a specific browser can still be
considered a nontrivial problem. Reliable browser identification
is crucial for online security and privacy e.g., regarding drive-by
downloads and user tracking, and can be used to enhance the
user´s security. So far the UserAgent string is often used to
identify a given browser, but it is a self-reported string provided
by the client and can be changed arbitrarily.
In this paper we propose a new method for identifying web
be executed on the client side within a fraction of a second. Our
method is three orders of magnitude faster than previous work
well below a few hundred lines of code. We show the feasibility of
our method with a survey and discuss the consequences for user
privacy and browser security. Furthermore, we collected data for
more than 150 browser and operating system combinations, and
present algorithms to make browser identification as fast as possible.
UserAgent string modifications become easily detectable with
the Tor browser bundle as it uses a uniform UserAgent string
across different browser versions. Finally, we propose to use our
results for enhancing state-of-the-art session management (with
or without SSL), as reliable browser identification can be used to
increase the complexity of session hijacking attacks considerably.
Created from the Publication Database of the Vienna University of Technology.