[Back]

M. Mulazzani, S. Schrittwieser, P. Reschl, M. Leithner, E. Weippl, M. Huber:
"Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting";
Talk: Web 2.0 Security & Privacy 2013, San Francisco; 2013-05-24.

Web browsers are crucial software components
in today´s usage of the Internet, but the reliable detection
of whether a client is using a specific browser can still be
considered a nontrivial problem. Reliable browser identification
is crucial for online security and privacy e.g., regarding drive-by
downloads and user tracking, and can be used to enhance the
user´s security. So far the UserAgent string is often used to
identify a given browser, but it is a self-reported string provided
by the client and can be changed arbitrarily.
In this paper we propose a new method for identifying web
browsers based on the underlying Javascript engine, which can
be executed on the client side within a fraction of a second. Our
method is three orders of magnitude faster than previous work
on Javascript engine fingerprinting, and can be implemented with
well below a few hundred lines of code. We show the feasibility of
our method with a survey and discuss the consequences for user
privacy and browser security. Furthermore, we collected data for
more than 150 browser and operating system combinations, and
present algorithms to make browser identification as fast as possible.
UserAgent string modifications become easily detectable with
JavaScript engine fingerprinting, which is shown exemplarily on
the Tor browser bundle as it uses a uniform UserAgent string
across different browser versions. Finally, we propose to use our
results for enhancing state-of-the-art session management (with
or without SSL), as reliable browser identification can be used to
increase the complexity of session hijacking attacks considerably.