How to Detect a Client’s Browser
Senior Seminar CS498
Conrad Kennington
Kount
  Stops e-commerce fraud
  Passively identifies devices
Your device automatically sends information about itself
Why?
  = mobile site
  = desktop site
  en-US = English site
  ja-JA = Japanese site
What information?
What they know
  Device location (~30 miles)
  Business type
  If you’re a return visitor
  When you last visited
  If they care:
  Browser version
  Browser plugins installed
  Plugins can gather additional system information
  Operating system version
  Local timezone
  Language settings
  Limited device specs
  Resolution
  Screen size
  Color depth
What they don’t know
  Name, Age, Gender, Weight, Address, Profession, Phone, Credit card number, Major, Salary, Social Security Number, Medical history, Facebook relationship status, Mother’s maiden name, Licensed watercraft, Outstanding parking tickets, Favorite ice-cream, Overdue library books, Credit score, Grades, Favorite bands, High school sweethearts, Eye color, Nicknames, Netflix recently watched addresses, Tax returns, Candy Crush score, Batting average, Attendance records, Instant messages, Pirated music/movies, Magazine subscriptions, Purchase history, World of Warcraft achievements, Books read, Adderall dosage, MySpace Top 10, Travel schedule, Birthday, Voting records, Smart phone contact list, Student loan balance, Tattoos, Fingerprints, Drivers license number, License plate, Dental records, Guns owned, Magic the Gathering decks, Costco membership status, Unredeemed rewards points, Average commute time, Hobbies, Mile run, Favorite restaurants, Merit badges, Religion, Pets, Mood, Amazon wish list, Marital status, 401k balance, Therapist, Phone logs, YouTube comments, Number of children
Pretty much nothing about your person
Location
71.33.*.*
This means Boise, Idaho
For now.
This means Qatar
The whole country.
Mask my IP, mask my location?
Not exactly.
Timezone, language, etc.
Browser
HTTP Request Headers
  Request method: GET
  Request URI: /
  Request protocol: HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept charset:
  Accept encoding: gzip,deflate,sdch
  Accept language: en-US,en;q=0.8
  Connection: keep-alive
  Host: myhttp.info
  Referer:
  User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/537.36
Parsing a user agent string sucks
  Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/
  Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/ Firefox/19.0
  Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:15.0) Gecko/ Firefox/
  Googlebot/2.1 (+
  Mozilla/5.0 (compatible; Googlebot/2.1; +
  Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0;.NET CLR ; Media Center PC 6.0)
  Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)
  None of your business.
  Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)
  Opera/9.80 (Windows NT 6.0) Presto/ Version/12.14
  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/ (KHTML, like Gecko) Version/5.1.3 Safari/
  Opera/9.80 (Android; Opera Mini/ / ; U; en) Presto/ Version/11.10
  ‘; DELETE FROM user_agents;
  Mozilla/5.0 (PLAYSTATION 3; 2.00)
  Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) AppleWebKit/ (KHTML, like Gecko) Version/ Mobile Safari/
  Mozilla/5.0 (Linux armv6l; Maemo; Opera Mobi/8; U; en-GB; rv: ) Gecko/ Firefox/3.5.6 Opera
  Mozilla/5.0 (X11; U; Linux i686; ru; rv: ) Gecko/ SeaMonkey/8.2.8
  Mozilla/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit/ (KHTML, like Gecko) Safari/ Epiphany/
  Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) Fedora/ fc11
  Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
  Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Mozilla/5.0 ( ; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
  Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/526.3 (KHTML, like Gecko) Chrome/ Safari/526.3
HTTP Header Order

Chrome 34 on a Macbook
  Host: pgl.yoyo.org
  Connection: keep-alive
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/
  Referer:
  Accept-Encoding: gzip,deflate,sdch
  Accept-Language: en-US,en;q=0.8

Firefox 5 on a Macbook
  Host: pgl.yoyo.org
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:19.0) Gecko/ Firefox/19.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Connection: keep-alive

Safari 7 on a Macbook
  Host: pgl.yoyo.org
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us
  Connection: keep-alive
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/ (KHTML, like Gecko) Version/7.0.1 Safari/
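Header order as a consistency check, as an added example that is not part of the original slides: it parses a raw request, derives the header-name order, and compares the client that order implies with the one the User-Agent claims. The function names, the choice to ignore Referer and Cookie, and the sample request are assumptions made for illustration.

```python
# Header-name order per client, copied from the three captures on this slide.
KNOWN_ORDERS = {
    "Chrome":  ["host", "connection", "accept", "user-agent",
                "accept-encoding", "accept-language"],
    "Firefox": ["host", "user-agent", "accept", "accept-language",
                "accept-encoding", "connection"],
    "Safari":  ["host", "accept", "accept-language", "connection",
                "accept-encoding", "user-agent"],
}
OPTIONAL = {"referer", "cookie"}  # assumption: sent only on some requests

def parse_headers(raw_request):
    """Return [(name, value), ...] in wire order, names lower-cased."""
    headers = []
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                              # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def claimed_family(user_agent):
    """Family the UA claims; Chrome goes first, its UA also has 'Safari/'."""
    for family in ("Chrome", "Firefox", "Safari"):
        if family + "/" in user_agent:
            return family
    return None

def assess(raw_request):
    """Compare the family implied by header order with the User-Agent claim."""
    headers = parse_headers(raw_request)
    order = [name for name, _ in headers if name not in OPTIONAL]
    by_order = next((f for f, o in KNOWN_ORDERS.items() if o == order), None)
    by_ua = claimed_family(dict(headers).get("user-agent", ""))
    return {"by_order": by_order, "by_ua": by_ua,
            "consistent": by_order is not None and by_order == by_ua}

# Constructed sample: Firefox's header order carrying a Chrome User-Agent
# (version numbers are placeholders, not values from the slides).
SPOOFED = "\r\n".join([
    "GET / HTTP/1.1",
    "Host: pgl.yoyo.org",
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) "
    "AppleWebKit/0 (KHTML, like Gecko) Chrome/0 Safari/0",
    "Accept: text/html",
    "Accept-Language: en-US,en;q=0.5",
    "Accept-Encoding: gzip, deflate",
    "Connection: keep-alive",
    "", ""])
```

`assess(SPOOFED)` reports Firefox by order and Chrome by User-Agent, so the request is flagged as inconsistent.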
JavaScript
Good at detecting browser features and capabilities.
  Support multiple backgrounds?
  HTML5 canvas?
  Border radius?
  Box shadow?
  Available events?
  CSS properties recognized?
  CSS animations?
  DOM prefixes available?
SSL Ciphers
Client Handshake Packet
Chrome 34 on a Macbook
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  ECDHE-ECDSA-AES256-SHA
  ECDHE-ECDSA-AES128-SHA
  ECDHE-RSA-AES128-SHA
  ECDHE-RSA-AES256-SHA
  ECDHE-ECDSA-RC4128-SHA
  ECDHE-RSA-RC4128-SHA
  DHE-RSA-AES128-SHA
  DHE-DSS-AES128-SHA
  DHE-RSA-AES256-SHA
  RSA-AES128-GCM-SHA256
  RSA-AES128-SHA
  RSA-AES256-SHA
  RSA-3DES-EDE-SHA
  RSA-RC4128-SHA
  RSA-RC4128-MD5

Firefox 5 on a Macbook
  ECDHE-ECDSA-AES256-SHA
  ECDHE-RSA-AES256-SHA
  DHE-RSA-CAMELLIA256-SHA
  DHE-DSS-CAMELLIA256-SHA
  DHE-RSA-AES256-SHA
  DHE-DSS-AES256-SHA
  ECDH-RSA-AES256-SHA
  ECDH-ECDSA-AES256-SHA
  RSA-CAMELLIA256-SHA
  RSA-AES256-SHA
  ECDHE-ECDSA-RC4128-SHA
  ECDHE-ECDSA-AES128-SHA
  ECDHE-RSA-RC4128-SHA
  ECDHE-RSA-AES128-SHA
  DHE-RSA-CAMELLIA128-SHA
  DHE-DSS-CAMELLIA128-SHA
  DHE-RSA-AES128-SHA
  DHE-DSS-AES128-SHA
  ECDH-RSA-RC4128-SHA
  ECDH-RSA-AES128-SHA
  ECDH-ECDSA-RC4128-SHA
  ECDH-ECDSA-AES128-SHA
  RSA-SEED-SHA
  RSA-CAMELLIA128-SHA
  RSA-RC4128-SHA
  RSA-RC4128-MD5
  RSA-AES128-SHA
  ECDHE-ECDSA-3DES-EDE-SHA
  ECDHE-RSA-3DES-EDE-SHA
  DHE-RSA-3DES-EDE-SHA
  DHE-DSS-3DES-EDE-SHA
  ECDH-RSA-3DES-EDE-SHA
  ECDH-ECDSA-3DES-EDE-SHA
  RSA-FIPS-3DES-EDE-SHA
  RSA-3DES-EDE-SHA

curl 7.30 on a Macbook
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-ECDSA-AES256-SHA
  ECDHE-ECDSA-AES128-SHA
  ECDHE-ECDSA-RC4128-SHA
  ECDHE-ECDSA-3DES-EDE-SHA
  ECDHE-RSA-AES256-SHA384
  ECDHE-RSA-AES128-SHA256
  ECDHE-RSA-AES256-SHA
  ECDHE-RSA-AES128-SHA
  ECDHE-RSA-RC4128-SHA
  ECDHE-RSA-3DES-EDE-SHA
  ECDH-ECDSA-AES256-SHA384
  ECDH-ECDSA-AES128-SHA256
  ECDH-RSA-AES256-SHA384
  ECDH-RSA-AES128-SHA256
  ECDH-ECDSA-AES256-SHA
  ECDH-ECDSA-AES128-SHA
  ECDH-ECDSA-RC4128-SHA
  ECDH-ECDSA-3DES-EDE-SHA
  ECDH-RSA-AES256-SHA
  ECDH-RSA-AES128-SHA
  ECDH-RSA-RC4128-SHA
  ECDH-RSA-3DES-EDE-SHA
  DH-RSA-MISTY1-SHA
  DH-DSS-MISTY1-SHA
  RSA-AES128-SHA
  RSA-RC4128-SHA
  RSA-RC4128-MD5
  RSA-AES256-SHA
  RSA-3DES-EDE-SHA
  DHE-RSA-AES128-SHA256
  DHE-RSA-AES256-SHA256
  DHE-RSA-AES128-SHA
  DHE-RSA-AES256-SHA
  DHE-RSA-3DES-EDE-SHA
  PSK-AES256-SHA
  PSK-AES128-SHA
  PSK-RC4128-SHA
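Where the cipher order comes from, as an added example that is not part of the original slides: a parser that pulls the ordered cipher-suite list out of a raw ClientHello record and checks it against the start of a list shown above. The function names are hypothetical, the sample record is constructed, and the code assumes the whole ClientHello fits in one TLS record.

```python
import struct

# IANA code points for suites named on the slide (names as the slide prints them).
SUITE_NAMES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0x009E: "DHE-RSA-AES128-GCM-SHA256", 0xC00A: "ECDHE-ECDSA-AES256-SHA",
    0xC009: "ECDHE-ECDSA-AES128-SHA", 0xC014: "ECDHE-RSA-AES256-SHA",
}
# First entries of two of the lists above, in the order the slide gives them.
CHROME_34_PREFIX = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                    "DHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-SHA"]
FIREFOX_PREFIX = ["ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA"]

def client_hello_suites(record):
    """Cipher-suite code points offered, in the client's order."""
    if len(record) < 6:
        raise ValueError("too short for a TLS record")
    rec_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if rec_type != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[5:5 + rec_len]
    pos = 4 + 2 + 32                  # handshake header, client_version, random
    if len(body) <= pos:
        raise ValueError("truncated before session_id")
    pos += 1 + body[pos]              # session_id length byte plus session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (n_bytes,) = struct.unpack("!H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + n_bytes]
    if len(raw) != n_bytes or n_bytes % 2:
        raise ValueError("bad cipher_suites length")
    return [code for (code,) in struct.iter_unpack("!H", raw)]

def matches_prefix(offered, expected_names):
    """True if the offered list starts with the expected suites, in order."""
    names = [SUITE_NAMES.get(code, hex(code)) for code in offered]
    return names[:len(expected_names)] == expected_names

def build_sample(codes):
    """Constructed ClientHello without extensions, used only as sample input."""
    suites = b"".join(struct.pack("!H", c) for c in codes)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"   # version, random, no session_id
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A client whose User-Agent says Chrome 34 but whose hello fails `matches_prefix(..., CHROME_34_PREFIX)` is worth a closer look.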
So…
What they know
  Device location
  If you’re a return visitor
  When you last visited
  Browser version
  Browser plugins installed
  Plugins can gather additional system information
  Operating system version
  Local timezone
  Language settings
  Limited device specs
  Resolution
  Screen size
  Color depth

How they know it
  IP address, HTTP headers
  Cookie
  HTTP headers, ciphers, JS
  HTTP headers
  Depends on the plugin
  HTTP headers, ciphers
  JavaScript
  HTTP headers
  JavaScript
  JavaScript
Questions