Browser Fingerprinting Techniques Explained
Every time you open a website or a mobile app, you give away clues about the device you’re using. Those clues are your device’s fingerprints, if you will. Smart companies use those fingerprints to separate and identify unique users across browser sessions, something that is called browser fingerprinting.
In this article, we will discuss what browser fingerprinting is, what information companies gather, what different browser fingerprinting techniques exist, and how this all ties into bot and online fraud detection.
What is browser fingerprinting?
Browser fingerprinting is a tracking method that collects enough pieces of information to distinguish a unique user across browsing sessions, even when that user is browsing incognito or using a VPN.
Browser fingerprinting is considered a more robust tracking method than cookies, because a user can easily clear their cookies or use an ad blocker that blocks them. Companies generally rely on a cookie when a browsing session presents one they recognize. But if there is no cookie match, they fall back on browser fingerprinting to work out who is on their website.
What information do they gather?
Your device gives away a large amount of data to every website or app it visits. This is unavoidable. The unique combination of your device's hardware and software is what gives it away. Here are only a few of the fingerprints it leaves behind:
- Timezone
- Screen Size
- Device Model
- Installed Fonts
- Installed Drivers
- Operating System
- Language Settings
- Browser Extensions
There are hundreds more. The more signals a company collects, the easier it becomes to identify a unique user. While millions of people might browse your website with Chrome, how many people browse your website with four Chrome extensions in a 1536×1024 resolution on a Microsoft Laptop Go with 8 GB of RAM and Intel UHD graphics on driver version 27.20.100.9621? It might just be the one.
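As an added illustration of why combining signals matters (example code written for this article, not part of the original page or of DataDome's product): it takes a small constructed population of visitors, measures how much each attribute narrows the crowd on its own, and shows how many visitors become unique once attributes are combined into one hashed fingerprint.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed sample population (not real traffic): each record is the signal
# set one visitor's browser exposes, reduced to five attributes for brevity.
POPULATION = [
    {"browser": "Chrome", "timezone": "Europe/Paris", "screen": "1536x1024", "ram_gb": 8, "extensions": 4},
    {"browser": "Chrome", "timezone": "Europe/Paris", "screen": "1920x1080", "ram_gb": 16, "extensions": 0},
    {"browser": "Chrome", "timezone": "America/New_York", "screen": "1920x1080", "ram_gb": 16, "extensions": 0},
    {"browser": "Firefox", "timezone": "Europe/Paris", "screen": "1920x1080", "ram_gb": 16, "extensions": 2},
    {"browser": "Chrome", "timezone": "Europe/Paris", "screen": "1920x1080", "ram_gb": 16, "extensions": 0},
    {"browser": "Safari", "timezone": "Asia/Tokyo", "screen": "2560x1600", "ram_gb": 16, "extensions": 0},
]


def fingerprint(signals, keys=None):
    """Stable identifier for a visitor: canonical JSON of the chosen signals, hashed.
    Canonical serialisation matters, or the same device would hash differently per visit."""
    chosen = {k: signals[k] for k in (keys or sorted(signals))}
    canon = json.dumps(chosen, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def entropy_bits(values):
    """Shannon entropy of one attribute across the population, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def attribute_entropy(population):
    """How much each signal narrows the crowd on its own."""
    return {k: round(entropy_bits([r[k] for r in population]), 3) for k in population[0]}


def anonymity_sets(population, keys):
    """Crowd size behind each combined fingerprint; a count of 1 means that visitor is unique."""
    return Counter(fingerprint(r, keys) for r in population)


def unique_fraction(population, keys):
    """Share of visitors singled out when these signals are combined."""
    sets = anonymity_sets(population, keys)
    return sum(1 for c in sets.values() if c == 1) / len(population)


if __name__ == "__main__":
    print(attribute_entropy(POPULATION))
    for keys in (["browser"], ["browser", "timezone"], list(POPULATION[0])):
        print(keys, f"{unique_fraction(POPULATION, keys):.2f} of visitors unique")
```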
Different Fingerprinting Techniques
HTTP Fingerprinting
HTTP fingerprinting involves looking at how a device implements the HTTP protocol. Servers, in particular, often show minor differences in how their HTTP implementations are configured. The most basic form of HTTP fingerprinting involves sending an HTTP request to the user and examining the headers of the response. More advanced HTTP fingerprinting involves sending generally forbidden requests, such as DELETE / HTTP/1.0, or improper requests, such as GET / HTTP/3.0, and observing how the implementation reacts.
TLS Fingerprinting
The Transport Layer Security (TLS) protocol is the successor to SSL. It is a cryptographic protocol that encrypts application layer information, such as the User-Agent header of an HTTP request. TLS fingerprinting captures the mostly static parameters of the ClientHello and ServerHello messages (offered protocol versions, cipher suites, extensions and their order); because these handshake messages are exchanged before encryption starts, they are visible to anyone on the path. So despite TLS's cryptographic nature, devices are still identifiable through TLS fingerprinting.
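An added example, not code from the original page or from DataDome: a parser that pulls those static ClientHello parameters out of a raw TLS record and renders them as a JA3 string, the common way of expressing a TLS client fingerprint (JA3 is not named on the page). The sample ClientHello is constructed inside the block, with GREASE placeholders like real browsers send; the parser drops them because they change on every connection and would otherwise break the fingerprint.

```python
import hashlib
import struct

_grease = lambda v: (v & 0x0F0F) == 0x0A0A  # GREASE values (RFC 8701) change per connection; skip them


def parse_client_hello(record):
    """Pull the mostly static fields out of a raw TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    version, pos = struct.unpack("!H", record[9:11])[0], 43   # past record(5)+handshake(4) headers,
    pos += 1 + record[pos]                                    # version(2), random(32); skip session id
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    ciphers = [c for c in struct.unpack(f"!{n // 2}H", record[pos + 2:pos + 2 + n]) if not _grease(c)]
    pos += 2 + n + 1 + record[pos + 2 + n]                    # skip ciphers and compression methods
    pos, end = pos + 2, pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    exts, groups, formats = [], [], []
    while pos < end:                                          # each extension: type(2) length(2) data
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data, pos = record[pos + 4:pos + 4 + elen], pos + 4 + elen
        if _grease(etype):
            continue
        exts.append(etype)
        if etype == 10:                                       # supported_groups (elliptic curves)
            cnt = struct.unpack("!H", data[:2])[0] // 2
            groups = [g for g in struct.unpack(f"!{cnt}H", data[2:2 + cnt * 2]) if not _grease(g)]
        elif etype == 11:                                     # ec_point_formats
            formats = list(data[1:1 + data[0]])
    return version, ciphers, exts, groups, formats


def ja3(record):
    """JA3 string (version,ciphers,extensions,groups,formats) and its MD5, the usual published form."""
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    s = ",".join([str(version)] + ["-".join(map(str, x)) for x in (ciphers, exts, groups, formats)])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(version, ciphers, exts):
    """Constructed sample in the real wire layout (not a capture); exts is [(type, data)]."""
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)   # empty session id, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


SAMPLE = build_client_hello(0x0303, [0x1A1A, 0x1301, 0x1302, 0xC02B], [
    (0x2A2A, b""), (0, b"\x00\x0e\x00\x00\x0bexample.com"),
    (10, b"\x00\x06\x3a\x3a\x00\x1d\x00\x17"), (11, b"\x01\x00"), (23, b"")])
```

SAMPLE carries GREASE entries in the cipher, extension and group lists and an SNI of example.com; `ja3(SAMPLE)` yields the string for the non-GREASE fields only.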
TCP Fingerprinting
The Transmission Control Protocol (TCP) is another fundamental protocol of the Internet. Just like the HTTP and TLS protocols, TCP leaves clues. TCP fingerprinting captures TCP/IP fields such as the initial packet size, initial TTL, window size, and the flags and options set on each segment, because different operating systems fill these in differently.
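An added example (not from the original page): parsing the fields named above out of a raw IPv4/TCP SYN and summarising them in a p0f-style signature. Both SYNs are constructed inside the block; their TTLs and option layouts are modelled on typical Linux and Windows stacks, which is an assumption made for illustration rather than a claim about any specific version.

```python
import struct


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common OS default; the gap is the hop count."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)


def parse_syn(packet):
    """Pull the fields TCP/IP fingerprinting relies on out of a raw IPv4 + TCP SYN."""
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    ttl = packet[8]
    tcp = packet[ihl:]
    doff = (tcp[12] >> 4) * 4                  # TCP header length including options
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, mss, wscale, pos = [], None, None, 20
    while pos < doff:                          # option = kind, length, data; NOP/EOL have no length
        kind = tcp[pos]
        if kind == 0: opts.append("eol"); break
        if kind == 1: opts.append("nop"); pos += 1; continue
        length, data = tcp[pos + 1], tcp[pos + 2:pos + tcp[pos + 1]]
        if kind == 2: mss = struct.unpack("!H", data)[0]
        elif kind == 3: wscale = data[0]
        opts.append({2: "mss", 3: "ws", 4: "sok", 8: "ts"}.get(kind, f"?{kind}"))
        pos += length
    return {"initial_ttl": initial_ttl(ttl), "hops": initial_ttl(ttl) - ttl,
            "df": bool(flags_frag & 0x4000), "syn_only": tcp[13] == 0x02,
            "window": window, "mss": mss, "wscale": wscale, "options": opts}


def signature(packet):
    """p0f-style summary: ittl:df:window:mss:wscale:option order. The window is shown as a
    multiple of MSS when it divides evenly, because that ratio is the stable part."""
    f = parse_syn(packet)
    win = f"mss*{f['window'] // f['mss']}" if f["mss"] and f["window"] % f["mss"] == 0 else str(f["window"])
    return f"{f['initial_ttl']}:{'df' if f['df'] else 'nodf'}:{win}:{f['mss']}:{f['wscale']}:{','.join(f['options'])}"


def build_syn(ttl, df, window, options):
    """Constructed sample SYN (not a capture); options are raw TCP option bytes."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (5 + len(options) // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Two constructed SYNs: MSS,SACK,TS,NOP,WS (Linux-like) versus MSS,NOP,WS,NOP,NOP,SACK (Windows-like).
LINUX_LIKE = build_syn(52, True, 29200, b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + bytes(8) + b"\x01\x03\x03\x07")
WINDOWS_LIKE = build_syn(116, True, 64240, b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02")
```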
Mobile Fingerprinting
Mobile fingerprinting uses the hardware and software identifiers of your mobile device. These include your MAC address, IMEI number, OS version, device settings, IMSI number, installed apps, and many more. This is what allows mobile developers to distinguish your device from the others using their apps.
Canvas Fingerprinting
Canvas fingerprinting uses HTML's <canvas> element to draw an image, overlay text on it, and see how your device renders it. Each device renders the image and text slightly differently, which is how the canvas fingerprinting script tells users apart. This all happens in the background, without any impact on the user's experience.
WebGL Fingerprinting
WebGL is a JavaScript API that renders 3D graphics. All major web browsers support WebGL by default. WebGL fingerprinting is similar to canvas fingerprinting because it’s also a script that tests how WebGL renders an image. Minor changes in the rendering are what distinguish devices from each other.
Media Device Fingerprinting
Media device fingerprinting enumerates the media devices connected to the requesting machine, along with their device IDs. This technique isn't frequently used, because obtaining a full list requires the user to grant access to their webcam and microphone. So the only services that tend to use it are those that naturally need microphone and webcam access (e.g. videoconferencing software).
Audio Fingerprinting
Audio fingerprinting checks how your device processes sound. Not all sound is created equal: devices process audio differently because of minor differences in browser versions, CPU architecture, and other variables. The complexity of the Web Audio API makes this a fingerprint that cannot be spoofed easily.
How does this tie into bot and online fraud detection?
Browser fingerprinting is crucially important in the fight against online fraud. The first step to stopping fraudsters is identifying them. Browser fingerprinting is powerful because any request that exhibits suspicious behavior can be identified and tracked across browsing sessions. Fraudsters cannot hide behind a VPN, an incognito session, or a new browser. They would need an entirely different device for every request, which is simply too expensive.
DataDome’s fraud protection solution uses a large number of fingerprint signals to distinguish genuine users from malicious bots, to the point where we process one trillion pieces of data from server- and client-side signals every day. Additionally, we are always updating our fingerprint signals so we stay ahead of the latest bot trends.
Using browser fingerprints is one of the ways we protect your websites, mobile apps, and APIs. Best of all, we do this without affecting your users. They’ll never know we’re there, but we keep them safe from fraud and other online threats. If that sounds interesting to you, start your free DataDome trial today. Alternatively, contact us to request a demo of our software.