Top

Published in:

2019 | OriginalPaper | Chapter

Morellian Analysis for Browsers: Making Web Authentication Stronger with Canvas Fingerprinting

Authors : Pierre Laperdrix, Gildas Avoine, Benoit Baudry, Nick Nikiforakis

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

In this paper, we present the first fingerprinting-based authentication scheme that is not vulnerable to trivial replay attacks. Our proposed canvas-based fingerprinting technique utilizes one key characteristic: it is parameterized by a challenge, generated on the server side. We perform an in-depth analysis of all parameters that can be used to generate canvas challenges, and we show that it is possible to generate unique, unpredictable, and highly diverse canvas-generated images each time a user logs onto a service. With the analysis of images collected from more than 1.1 million devices in a real-world large-scale experiment, we evaluate our proposed scheme against a large set of attack scenarios and conclude that canvas fingerprinting is a suitable mechanism for stronger authentication on the web.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild

next chapter On the Perils of Leaking Referrers in Online Collaboration Services

Pale Moon browser - Version 25.6.0 adds a canvas poisoning feature (2015). https://www.palemoon.org/releasenotes-archived.shtml

Bugzilla - Bug 1231701: Ship an emoji font on Windows XP-7 (2017). https://bugzilla.mozilla.org/show_bug.cgi?id=1231701

Yahoo breach actually hit all 3 billion user accounts - CNET (2017). https://www.cnet.com/news/yahoo-announces-all-3-billion-accounts-hit-in-2013-breach/

Canvas Defender - Firefox add-on that adds noise to a canvas element (2018). https://addons.mozilla.org/en-US/firefox/addon/no-canvas-fingerprinting/

Over a billion people’s data was compromised in 2018 - NordVPN (2018). https://nordvpn.com/blog/biggest-data-breaches-2018/

Two Factor Auth List - List of websites supporting two-factor authentication and the methods they use (2018). https://twofactorauth.org/

User Authentication with OAuth 2.0 (2018). https://oauth.net/articles/authentication/

Acar, G., Eubank, C., Englehardt, S., Juarez, M., Narayanan, A., Diaz, C.: The web never forgets: persistent tracking mechanisms in the wild. In: CCS 2014 (2014)

Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens, F., Preneel, B.: FPDetective: dusting the web for fingerprinters. In: CCS 2013 (2013)

10.

Alaca, F., van Oorschot, P.: Device fingerprinting for augmenting web authentication: classification and analysis of methods. In: ACSAC 2016 (2016)

11.

Bonneau, J., Herley, C., Van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: S&P 2012 (2012)

12.

Bursztein, E., Malyshev, A., Pietraszek, T., Thomas, K.: Picasso: lightweight device class fingerprinting for web clients. In: SPSM 2016 (2016)

13.

Cao, Y., Li, S., Wijmans, E.: (Cross-)Browser fingerprinting via OS and hardware level features. In: NDSS 2017 (2017)

14.

Conway, J.H.: On Numbers and Games. No. 6 in London Mathematical Society Monographs. Academic Press, London-New-San Francisco (1976)

15.

Duo Labs: State of the Auth: Experiences and Perceptions of Multi-Factor Authentication. https://duo.com/assets/ebooks/state-of-the-auth.pdf

16.

Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14527-8_1CrossRef

17.

Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: CCS 2016 (2016)

18.

Gómez-Boix, A., Laperdrix, P., Baudry, B.: Hiding in the crowd: an analysis of the effectiveness of browser fingerprinting at large scale. In: WWW 2018 (2018)

19.

Laperdrix, P., Baudry, B., Mishra, V.: FPRandom: randomizing core browser objects to break advanced device fingerprinting techniques. In: Bodden, E., Payer, M., Athanasopoulos, E. (eds.) ESSoS 2017. LNCS, vol. 10379, pp. 97–114. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-62105-0_7CrossRef

20.

Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: S&P 2016 (2016)

21.

Laperdrix, P., Rudametkin, W., Baudry, B.: Mitigating browser fingerprint tracking: multi-level reconfiguration and diversification. In: SEAMS 2015 (2015)

22.

Milka, G.: Anatomy of Account Takeover (2018). https://www.usenix.org/node/208154

23.

Mowery, K., Shacham, H.: Pixel perfect: fingerprinting canvas in HTML5. In: W2SP 2012 (2012)

24.

Mulazzani, M., Reschl, P., Huber, M., Leithner, M., Schrittwieser, S., Weippl, E., Wien, F.C.: Fast and reliable browser identification with javascript engine fingerprinting. In: W2SP 2013 (2013)

25.

Nikiforakis, N., Joosen, W., Livshits, B.: Privaricator: deceiving fingerprinters with little white lies. In: WWW 2015 (2015)

26.

Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of web-based device fingerprinting. In: S&P 2013 (2013)

27.

Picazo-Sanchez, P., Sjösten, A., Van Acker, S., Sabelfeld, A.: LATEX GLOVES: protecting browser extensions from probing and revelation attacks. In: NDSS 2019 (2019)

28.

Rupertus Fine Art Research: What Is Morellian Analysis. http://rupertusresearch.com/2016/09/27/what-is-morellian-analysis/ (2016)

29.

Sánchez-Rola, I., Santos, I., Balzarotti, D.: Clock around the clock: time-based device fingerprinting. In: CCS 2018 (2018)

30.

Sanchez-Rola, I., Santos, I., Balzarotti, D.: Extension breakdown: security analysis of browsers extension resources control policies. In: USENIX Security 2017 (2017)

31.

Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27(3), 379–423 (1948)MathSciNetCrossRef

32.

Sjösten, A., Van Acker, S., Sabelfeld, A.: Discovering browser extensions via web accessible resources. In: CODASPY 2017 (2017)

33.

Spooren, J., Preuveneers, D., Joosen, W.: Mobile device fingerprinting considered harmful for risk-based authentication. In: EuroSec 2015 (2015)

34.

Starov, O., Laperdrix, P., Kapravelos, A., Nikiforakis, N.: Unnecessarily identifiable: quantifying the fingerprintability of browser extensions due to bloat. In: WWW 2019 (2019)

35.

Starov, O., Nikiforakis, N.: XHOUND: quantifying the fingerprintability of browser extensions. In: S&P 2017 (2017)

36.

Vastel, A., Laperdrix, P., Rudametkin, W., Rouvoy, R.: FP-Scanner: the privacy implications of browser fingerprint inconsistencies. In: USENIX Security 2018 (2018)

37.

Vastel, A., Laperdrix, P., Rudametkin, W., Rouvoy, R.: FP-STALKER: tracking browser fingerprint evolutions. In: S&P 2018 (2018)

Title: Morellian Analysis for Browsers: Making Web Authentication Stronger with Canvas Fingerprinting
Authors: Pierre Laperdrix
Gildas Avoine
Benoit Baudry
Nick Nikiforakis
Publisher: Springer International Publishing
Book: Detection of Intrusions and Malware, and Vulnerability Assessment
Print ISBN: 978-3-030-22037-2

Electronic ISBN: 978-3-030-22038-9

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-22038-9_3

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner