Fingerprinting attacks are ways of identifying individuals by some attribute of their online activity. In some ways, fingerprinting attacks are the most dangerous and difficult type of de-anonymizing threat to defend against. I want to highlight one facet of fingerprinting that is used by many web services and organizations: screen resolution tracking.
In many cases, you have a laptop with a native screen resolution. This could be 1024x768, or 1900x1024, or some other combination. These resolutions point to the make and model of your laptop itself. The MacBook Pro, for instance, has a native resolution of 1280x800. While there are many other laptops that run a similar resolution, you have narrowed the set of possible systems that could be connecting down to those with that resolution. Imagine what a forensic investigator could do with this information.
This is even more dangerous on mobile devices such as Android. Each manufacturer releases new phones and tablets with different resolutions; these are often very odd screen resolutions, making them very unique to that phone type. There are dozens of sites that provide this information for you:
There are two types of fingerprinting: passive and active. Active fingerprinting attacks are usually reserved for those who are collecting information about your network traffic and doing a secondary correlation. For example, if an adversary were running multiple exit nodes, they would collect the list of sites each circuit connects to and try to correlate that with a specific user.
This is not a new revelation; the EFF has highlighted this problem with the Panopticlick project, which simulates attacks that aim at fingerprinting your browser, its plugins, installed fonts, etc. This is similar to the BrowserSpy project.
EDIT: lugh points out that this example is inconsistent and depends on your OS and browser.
There are a couple of ways of defending; let me go over some possibilities:
- resizing your browser window: Some attacks do not read the screen resolution, but only the window size.
- changing your screen resolution: This is often difficult, but choosing a screen resolution that many other users have helps defend against fingerprinting. The Liberte Linux distribution is the only system I’ve seen that does this automatically, by forcing a screen resolution of 800x600.
- external monitors: If you are on a laptop and have an external monitor around, it might be possible to have its resolution reported instead of your laptop screen’s. Note that different operating systems handle this value in different ways; some append the width and height of both screens to each other.
- virtualization: If you are running your anonymous environment inside of a virtual machine, you can dynamically change the resolution very easily by resizing the window of the VM.
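To put numbers on the two points above, the opening paragraphs (one odd resolution narrows the crowd down to almost nothing) and the defence list (present a resolution many other people have instead), here is an added example in JavaScript. It is not code from the original post. The visitor counts in POPULATION and the list of "common" resolutions in COMMON are constructed for illustration, not survey data; readScreenAttributes() reads the real screen and window globals when run in a browser and falls back to a constructed sample under Node.

```javascript
// Added example, not code from the original post. It models the post's point
// in numbers: how much one screen resolution narrows a visitor down, and how
// much a "use a resolution many others have" defence widens the crowd again.
// The visitor counts below are CONSTRUCTED for illustration, not telemetry.

// What a page can read. In a browser the `screen` and `window` globals exist;
// in Node they do not, so a constructed sample is returned and labelled as such.
function readScreenAttributes() {
  if (typeof screen !== 'undefined' && typeof window !== 'undefined') {
    return {
      screen: `${screen.width}x${screen.height}`,             // native resolution
      viewport: `${window.innerWidth}x${window.innerHeight}`, // window size only
      devicePixelRatio: window.devicePixelRatio,
      constructed: false,
    };
  }
  return { screen: '1870x1300', viewport: '1850x1120', devicePixelRatio: 1, constructed: true };
}

// Constructed population: [screen resolution, visitors seen with it]; sums to 1000.
const POPULATION = [
  ['1366x768', 400],
  ['1920x1080', 350],
  ['1280x800', 120],
  ['1440x900', 80],
  ['1024x768', 40],
  ['2560x1440', 8],
  ['1870x1300', 1],
  ['800x600', 1],
];

// Resolutions treated as "common" for this example (an assumption, not survey data).
const COMMON = ['1920x1080', '1366x768', '1440x900', '1280x800', '1024x768', '800x600'];

function parse(res) {
  const [w, h] = res.split('x').map(Number);
  return { w, h, area: w * h };
}

// Anonymity set of `value` under a `key` function applied to every resolution:
// how many visitors look the same, and how many bits the attribute leaks
// (log2 of population / matching). A value nobody else shares counts as a set of one.
function anonymitySet(value, population, key = (r) => r) {
  const target = key(value);
  let total = 0;
  let matching = 0;
  for (const [res, count] of population) {
    total += count;
    if (key(res) === target) matching += count;
  }
  if (matching === 0) { total += 1; matching = 1; }
  return { total, matching, bits: Math.log2(total / matching) };
}

// Defence modelled on the post's advice: present the largest common resolution
// that fits on the display (what you get by resizing a VM window or picking a
// standard video mode) instead of the odd native value.
function shrinkToCommon(res) {
  const { w, h } = parse(res);
  let best = null;
  for (const c of COMMON) {
    const p = parse(c);
    if (p.w <= w && p.h <= h && (best === null || p.area > parse(best).area)) best = c;
  }
  return best ?? res; // smaller than every common size: nothing to hide behind
}

// Side-by-side report for one visitor: native value versus the shrunk one.
function report(res, population = POPULATION) {
  return {
    native: anonymitySet(res, population),
    shrunk: { to: shrinkToCommon(res), ...anonymitySet(res, population, shrinkToCommon) },
  };
}

const attrs = readScreenAttributes();
console.log(attrs);
console.log(JSON.stringify(report(attrs.screen), null, 2));
```

With the constructed population, the 1870x1300 visitor is the only one of a thousand (about 10 bits leaked), while presenting 1440x900 instead puts them in a set of 81 (about 3.6 bits). Note that the viewport field is reported separately: a resized browser window changes it but not the screen value, which is why the first defence in the list only helps against pages that read window size.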
One example of software designed for fingerprinting is Juniper’s Webapp Secure. It is a tool that fingerprints a web site’s users based on a variety of metrics, one of which is your computer’s resolution. By doing so, it is able to track a user’s browsing across multiple sessions without any cookies.
Applying to Registration
Screen resolution is just a single attribute that can be keyed on, but I find that it is relied upon the most often during web provider registration processes. This may be because the providers don’t believe that anyone would go through the steps of changing their screen resolution – I’m not sure. In any event, by merely changing your screen resolution, you are able to easily register without the stigma of anything you have done in previous sessions possibly fingerprinting you. This, along with clearing your cookies, connecting with a different IP address, and possibly manipulating the fonts that are installed on your computer, will let you bypass the registration process... sometimes.
If nothing else, I provide this as a reminder that your screen resolution is often a hard-coded, highly identifiable value you should actively defend against leaking to unknown parties. While not as identifying as, say, your MAC address, it remains a highly attributable value. Imagine a scenario where an adversary is correlating the online activity of someone visiting a site with a resolution of 1870x1300. Even if you’ve securely erased your system before a forensic investigator has arrived, they will be able to easily notice that your laptop’s screen resolution is 1870x1300. And because this resolution is highly unusual, it’s a simple step to make the correlation between your laptop and its traffic.