Fingerprinting Web Users through Font Metrics
Title | Fingerprinting Web Users through Font Metrics |
Publication Type | Conference Paper |
Year of Publication | 2015 |
Authors | Fifield, D., & Egelman, S. |
Published in | Proceedings of the 19th international conference on Financial Cryptography and Data Security |
Publisher | Springer-Verlag |
Place Published | Berlin, Germany |
Other Numbers | 3740 |
Abstract | We describe a web browser fingerprinting technique based on measuring the onscreen dimensions of font glyphs. Font rendering in web browsers is affected by many factors (browser version, what fonts are installed, and hinting and antialiasing settings, to name a few) that are sources of fingerprintable variation in end-user systems. We show that even the relatively crude tool of measuring glyph bounding boxes can yield a strong fingerprint, and is a threat to users' privacy. Through a user experiment involving over 1,000 web browsers and an exhaustive survey of the allocated space of Unicode, we find that font metrics are more diverse than User-Agent strings, uniquely identifying 34% of participants, and putting others into smaller anonymity sets. Fingerprinting is easy and takes only milliseconds. We show that of the over 125,000 code points examined, it suffices to test only 43 in order to account for all the variation seen in our experiment. Font metrics, being orthogonal to many other fingerprinting techniques, can augment and sharpen those other techniques. We seek ways for privacy-oriented web browsers to reduce the effectiveness of font metric-based fingerprinting, without unduly harming usability. As part of the same user experiment of 1,000 web browsers, we find that whitelisting a set of standard font files has the potential to more than quadruple the size of anonymity sets on average, and reduce the fraction of users with a unique font fingerprint below 10%. We discuss other potential countermeasures. |
URL | https://www.icsi.berkeley.edu/pubs/networking/fingerprintingweb15.pdf |
Bibliographic Notes | Proceedings of the 19th International Conference on Financial Cryptography and Data Security (FC '15), San Juan, Puerto Rico |
Abbreviated Authors | D. Fifield and S. Egelman |
ICSI Research Group | Usable Security and Privacy |
ICSI Publication Type | Article in conference proceedings |