[HN Gopher] Cascading Spy Sheets: Exploiting the Complexity of M...
___________________________________________________________________
Cascading Spy Sheets: Exploiting the Complexity of Modern CSS for
Fingerprinting
Author : robin_reala
Score : 91 points
Date : 2025-01-07 12:29 UTC (3 days ago)
(HTM) web link (cispa.de)
(TXT) w3m dump (cispa.de)
| lobito25 wrote:
| Article's date is in the future:
|
| 2025-02-02
| 8bitbeep wrote:
| It's very modern CSS.
| brudgers wrote:
| That is probably the scheduled presentation date.
| tsavo wrote:
| Reading the article.
|
| First Online Date: 2024-10-09
|
| Date Posted: 2024-12-05
|
| Date Published: 2025-02-01 (It's being "published" at a
| conference)
| dazed_confused wrote:
| As mentioned the paper was accepted in NDSS.
| https://www.ndss-symposium.org/ndss2025/accepted-papers/ The conference
| occurs in Feb, and typically, the conference proceedings are published
| a little earlier than the conference itself.
| davidsojevic wrote:
| I was impressed at the accuracy they were able to get with
| browser/architecture detection:
|
| _> Concretely, our expression reveals differences in 1116 OS-browser
| combination pairs (94.9 %)._
|
| Very cool to see that they've even gone as far as inferring
| elements like the likelihood of MS Office being installed on your
| computer by checking the width of a container with the font
| 'Leelawadee' specified:
|
| _> As this font is a non-free Microsoft font for the Thai
| Language, we do not expect users without Microsoft Office to have
| it installed_
|
| There is lots of really interesting information in here past what
| you might figure out yourself if you've played around with
| abusing CSS yourself before. So many things that had just never,
| and probably would never have, occurred to me to try.
|
| It is definitely worth a read (or skim) over the paper to see the
| lengths they went to in order to figure out some of the unique
| elements to fingerprint on.
| Narew wrote:
| I don't remember where I read that and was not able to find it
| again. There is a web/desktop app (like Zoom) that installs a
| font when you install the app, and the web app checks if this
| font is installed to trigger the "open in app" popup.
| sethhochberg wrote:
| It's a common enough technique that this surely isn't the
| only example, but there was discussion here a while back
| about TeamViewer doing this to detect the presence and
| version of the client software when clicking a link to open a
| remote session:
|
| https://news.ycombinator.com/item?id=32165103
|
| In their case, the (shell of a) font file goes a little
| further and encodes the version of the TeamViewer client that
| installed it.
| ranger_danger wrote:
| Couldn't most fingerprinting techniques be thwarted by just using
| a stock windows install in a frozen VM with a stock browser
| without changing anything? Wouldn't that make you pretty boring
| as far as any potential variations go?
| maeil wrote:
| Wouldn't a Macbook be the better platform to mimic as its
| hardware is so much more standardized? Considering techniques
| like Canvas fingerprinting.
| ranger_danger wrote:
| My understanding is that a VM should already be mimicking
| standardized hardware, and that Apple (especially desktop)
| users are such a small percentage compared to Windows, that
| you wouldn't want to base anything trying to "blend in" on
| that.
| kccqzy wrote:
| And by that logic an iPhone is an even better choice than a
| MacBook.
| qqqult wrote:
| Not really. WebGL hardware parameters, canvas fingerprints,
| audio device fingerprints, JavaScript engine are pretty crazy.
| In addition, if you use your device at all you probably have
| other fingerprints like custom fonts installed by you or apps,
| extensions & similar. Not to mention IP and session data like
| you being logged in to different services that any website can
| check.
|
| Try visiting something like
| https://abrahamjuliot.github.io/creepjs/ [1] on "identical"
| incognito mobile devices or desktops and you'll get completely
| different fingerprint ids.
|
| [1] This isn't even the best fingerprint extraction out there,
| just an easy-to-use open source one; there are some crazy
| advanced techniques not implemented in it.
| ranger_danger wrote:
| > this isn't even the best fingerprint extraction out there,
| just an easy-to-use open source one, there are some crazy
| advanced techniques not implemented in it
|
| What IS the best tool? What other techniques do you know of
| that it doesn't implement?
|
| > you being logged in to different services that any website
| can check
|
| How so?
| qqqult wrote:
| > What IS the best tool? What other techniques do you know
| of that it doesn't implement?
|
| The best fingerprinting tools aren't open source; they're
| anti-botting services like CAPTCHA providers & probably ad
| networks.
|
| This particular service has implementations for several
| popular fingerprinting techniques, but there are so many
| ways to measure the same thing that even if your
| fingerprint looks fine on one test, a different test of the
| same measure could detect it as unique. For example, a user
| font fingerprint could be implemented via JS tests, canvas
| rendering tests or CSS sheets (like in this paper).
|
| The tests that offer the highest degree of hardware
| variability and uniqueness that I've seen deal with
| rendering of text and images over canvas.
|
| > how so?
|
| By loading an image that can only be accessed if you're
| logged in to your Google / Facebook / Twitter accounts and
| checking if the image request returned an error. There's a
| repo that implements this for >30 different websites, but I
| can't remember its name rn. I'll edit this comment later
| if I remember what it was called.
| ranger_danger wrote:
| > an image that can only be accessed if you're logged in
| to your google / facebook / twitter accounts
|
| I don't understand how this would work. Wouldn't there
| have to be some kind of cookie/storage that is accessible
| to third parties in order to know this? AFAIK this is
| exactly what angered people about Flash due to their use
| of cross-domain capable "super cookies".
| qqqult wrote:
| Here's one implementation:
| https://browserleaks.com/social#protection and
| https://robinlinus.github.io/socialmedia-leak/
|
| Click the explanation & protection sections for info on
| how it works.
| michaelt wrote:
| Yes and no.
|
| If you go for a stock browser without changing anything, that
| means you can't install uBlock Origin, or NoScript, or adjust
| the cookie settings.
|
| If the fingerprint detects you're running your browser in a VM?
| Because your canvas/webgl stuff reveals a graphics card that is
| only seen on VMs, or your mouse movement is characteristic of
| the way host OSes pass mouse movement to guest OSes? That's an
| unusual characteristic.
|
| If you freeze the VM and everyone else installs updates? Your
| configuration will gradually become unusual because of its age.
|
| And of course if you've got a 4k screen but you run your VM at
| 1920x1080, the gain in anonymity has come at the cost of most
| of your screen real estate.
|
| Also, if you _do_ manage to completely resist tracking by IP
| address, by cookies, and by browser fingerprints? Your reward
| is that Cloudflare and Google ReCaptcha will give you endless
| tedious challenges. ReCaptcha has a special extra-slow mode,
| specifically to punish people like you. I hope you like
| clicking fire hydrants!
| dehrmann wrote:
| I used to work in this space. Your best bet is a recent iPhone.
| There are a lot of them out there, they're usually up-to-date,
| and Apple only releases a handful of models with relevant
| differences per year.
| ranger_danger wrote:
| https://abrahamjuliot.github.io/creepjs/
| jamal-kumar wrote:
| CISPA is really interesting. I was just reading this on their
| site the other day: they're developing grey-box coverage-based
| fuzzing tools for PHP web applications, which is how I know about
| them in the first place. Definitely one of those entities to look
| out for in serious cybersecurity research going into 2025.
| frankfrank13 wrote:
| I know this is a privacy nightmare but also kinda... cool? Or at
| least interesting. I don't think I would have thought of this.
|
| 1. Measure element dimensions and detect installed fonts (measure
| a piece of text with a specific font to see if it's installed)
|
| 2. CSS functions (e.g. calc) that produce different results across
| browsers/systems
|
| 3. Detecting browser-specific CSS property differences (e.g.
| render a file input, measure it)
|
| Seems like you have to allow `@container` checks or something
| similar for this to work in order to then make your network
| request `#something { background-image: url('/x-browser-y-os-detected'); }`
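A defender-side check for the pattern just described (a conditional at-rule whose body loads a background image only when the condition matches), as an added example that is not code from the paper or from anyone in this thread; the sample stylesheet and the `findConditionalBeacons` name are constructed for illustration.

```javascript
// Added example: heuristic scan of CSS text for "conditional beacons", i.e.
// @container / @supports / @media blocks that set a background image via url().
// Brace counting only; braces inside strings or comments are not handled, so
// treat the output as triage, not as a complete CSS parse.

const CONDITIONAL = /@(container|supports|media)\s*([^{]*)\{/g;

function matchingBrace(css, openIdx) {
  // Index of the "}" closing the "{" at openIdx, or css.length if unbalanced.
  let depth = 0;
  for (let i = openIdx; i < css.length; i++) {
    if (css[i] === "{") depth++;
    else if (css[i] === "}" && --depth === 0) return i;
  }
  return css.length;
}

function findConditionalBeacons(css) {
  const findings = [];
  CONDITIONAL.lastIndex = 0;
  let m;
  while ((m = CONDITIONAL.exec(css)) !== null) {
    const open = m.index + m[0].length - 1;   // position of this rule's "{"
    const close = matchingBrace(css, open);
    const body = css.slice(open + 1, close);
    const urlRe = /background(?:-image)?\s*:[^;}]*?url\(\s*['"]?([^'")]+)['"]?\s*\)/g;
    let u;
    while ((u = urlRe.exec(body)) !== null) {
      findings.push({ atRule: m[1], condition: m[2].trim(), url: u[1] });
    }
    CONDITIONAL.lastIndex = close;   // nested at-rules were covered by this block
  }
  return findings;
}

// Constructed sample: a Leelawadee font probe behind a container query, a DPI
// probe behind a media query, and one ordinary (unconditional) background image.
const SAMPLE_CSS = `
.probe { font-family: "Leelawadee", monospace; container-type: inline-size; }
@container (min-width: 120px) {
  #beacon { background-image: url('/probe/leelawadee-present'); }
}
@media (min-resolution: 2dppx) { body { background: #fff url("/probe/hidpi") no-repeat; } }
.logo { background-image: url(/img/logo.png); }
`;

for (const f of findConditionalBeacons(SAMPLE_CSS)) {
  console.log(`@${f.atRule} ${f.condition} -> ${f.url}`);
}
```

The unconditional `.logo` rule is not reported; only requests gated on a layout or feature condition are flagged.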
| InvisGhost wrote:
| I wonder if you could track the usage of features known to be
| used for fingerprinting and disable the functionality if enough
| are used. I assume that most sites using advanced fingerprinting
| like this are also the kind that would remove it quickly if it
| causes the site to break.
| qqqult wrote:
| Tor tries to do this by offering different "safety" levels that
| the user can choose between.
|
| Some browsers try to randomize fingerprintable parameters, but
| that's easy to detect.
___________________________________________________________________
(page generated 2025-01-10 23:01 UTC)