Browser fingerprinting is the process of identifying devices by accessing a collection of relatively stable attributes through Web browsers. We call the generated identifiers browser fingerprints. In the first half of this manuscript, we identify and study three properties of browser fingerprinting that make it both a risk to privacy, but also of use for security. The first property, uniqueness, is the power to uniquely identify a device. We performed a large scale study on fingerprint uniqueness and, although not a perfect identifier, we show its statistical qualities allow uniquely identifying a high percentage of both desktops and mobile devices. The second property, linkability, is the capacity to re-identify, or link, fingerprints over time. This is arguably the main risk to privacy and enables fingerprint tracking. We show, through two algorithms, that some devices are highly trackable, while other devices’ fingerprints are too similar to be tracked over time. The third and final property is consistency, which refers to the capacity to verify the attributes in a fingerprint. Through redundancies, correlations or dependencies, many attributes are verifiable, making them more difficult to spoof convincingly. We show that most countermeasures to browser fingerprinting are identifiable through such inconsistencies, a useful property for security applications. In the second half of this manuscript, we look at the same properties from a different angle. We create a solution that breaks fingerprint linkability by randomly generating usable browsing platforms that are unique and consistent. We also propose an automated testing framework to provide feedback to the developers of browsers and browser extensions to assist them in reducing the uniqueness or their products. Finally, we look at how fingerprint consistency is exploited in-the-wild to protect websites against automated Web crawlers. We show that fingerprinting is effective and fast to block crawlers, but lacks resiliency when facing a determined adversary. Beyond the results I report in this manuscript, I draw perspectives for exploring browser fingerprinting for multi-factor authentication, with a planned large-scale deployment. I also believe there is potential in automated testing to improve privacy. And of course, we know that fingerprint tracking does not happen in a bubble, it is complementary to other techniques. I am therefore exploring other tracking techniques, such as our preliminary results around IP addresses and caches, using ad blockers against their users, and a few other ideas to improve privacy and security on the Web.
defended on 21/06/2021