23. Canvas Fingerprinting
HTML5において図形や文字の描画に用いるCanvas要素を利用
– K. Mowery and H. Shacham. “Pixel perfect: Fingerprinting canvas in HTML5.” In Web
2.0 Workshop on Security and Privacy (W2SP). IEEE, 2012.
描画結果をピクセル単位で見ると,OSやブラウザ,インストールされ
ているフォント,GPUの組み合わせによって微妙に異なる
– “Canvas fingerprint Checker”
23
https://securehomes.esat.kuleuven.be/~gacar/persistent/#press
25. Canvas Fingerprinting
Canvas Fingerprintの特徴
– Cookieと異なり,ドメインを跨いでも同じ値にアクセス可能
– User-Agentのように値を偽造することが不可能
– 通常利用とトラッキング目的での利用の区別が難しい
Alexa Rank上位10万サイトのうち,5.5%がCanvas Fingerprintingを
行うスクリプトを含んでおり,その内の95%はAddThis(addthis.com)
のもの
– “The Web Never Forgets: Persistent Tracking Mechanisms in the Wild” (Gunes Acar,
ACM CCS, 2014)
– AddThisの場合,FingerprintはTargetingやPersonalizationのためではなく,内部で
の調査や開発に利用される
25
26. Evercookie
ブラウザの永続的なcookieを作るJavaScript API
– Created by Samy Kamkar (https://github.com/samyk/evercookie)
ローカルストレージに保存するものなど,ブラウザでは削除困難な
Fingerprint(Supercookie)の寄せ集め
– Standard HTTP Cookies
– Local Shared Objects (Flash Cookies)
– Silverlight Isolated Storage
– Storing cookies in RGB values of auto-generated, force-cached
– PNGs using HTML5 Canvas tag to read pixels (cookies) back out
– Storing cookies in Web History
– Storing cookies in HTTP ETags
– Storing cookies in Web cache
– window.name caching
– Internet Explorer userData storage
– HTML5 Session Storage
– HTML5 Local Storage
– HTML5 Global Storage
– HTML5 Database Storage via SQLite
– HTML5 IndexedDB
– Java JNLP PersistenceService
– Java CVE-2013-0422 exploit (applet sandbox escaping) 26
49. 論文
Fingerprinting Mechanism
– P. Eckersley, “How unique is your web browser? In Privacy
Enhancing Technologies (PETs),” pages 1–18. Springer, 2010
Measurement Study
– Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind
Narayanan, Claudia Diaz, “The Web Never Forgets: Persistent
Tracking Mechanisms in the Wild,” ACM CCS, 2014
Defense
– N. Nikiforakis, W. Joosen, and B. Livshits. “PriVaricator: Deceiving
Fingerprinters with Little White Lies,” Microsoft Research, 2014
Behavioral targeting without tracking
– S. Guha, B. Cheng, and P. Francis, “Privad: Practical Privacy in Online
Advertising,“ USENIX, 2011
49
50. 論文
Canvas fingerprinting
– K. Mowery and H. Shacham. “Pixel perfect: Fingerprinting canvas in
HTML5.” In Web 2.0 Workshop on Security and Privacy (W2SP). IEEE,
2012.
Detect session hijacking
– T. Unger, M. Mulazzani, D. Fruhwirt, M. Huber, S. Schrittwieser, and E.
Weippl. “SHPF: Enhancing HTTP(S) Session Security with Browser
Fingerprinting.” In Availability, Reliability and Security (ARES), pages
255–261. IEEE, 2013.
50
51. Web
英BBC "Browser 'fingerprints' help track users“
米NBC News "New Tracking Tool Is Like a Cookie That Can't be Blocked“
米Wired “Bill to Restrict Online Tracking Introduced in Congress”
米ProPublica “Meet the Online Tracking Device That is Virtually Impossible to
Block”
米Business Wire “comScore Ranks AddThis #1 in Distributed Content in the
United States”
米Ars Technica ” Zombie cookie wars: evil tracking API meant to “raise
awareness””
The Chromium Projects “Technical analysis of client identification mechanisms”
明治大 齋藤孝道研究室 “Web Browser Fingerprint解説ページ”
51
