This browser does not support HTML5 Canvas
This is a simple Proof-of-Concept that Browser Fingerprinting is possible without any of User-Agent identifiers.
The method is based on the fact that the same HTML5 Canvas element can produce exceptional pixels on a different web browsers, depending on the system on which it was executed.
This happens for several reasons: at the image format level — web browsers uses different image processing engines, export options, compression level, final images may got different hashes even if they are pixel-perfect; at the pixmap level — operating systems use different algorithms and settings for anti-aliasing and sub-pixel rendering. We don't know all the reasons, but we have already collected more than a thousand unique signatures.
Well, let's begin. After the tables we give a brief explanation…
| Canvas (basic support) | × False | ||
| Text API for Canvas | × False | ||
| Total Visitors Processed | |
| Total Sets (User-Agents) | |
| Total Groups (Signatures) | |
| Signature | |||
| Found in DB | |||
| General Conclusion | It is very likely that you are using Web Browser on Operating System Your system fingerprint appears to be unique, yet we don't collect signatures here, just check. | ||
| Sets in this Group | |||||
Unlike the other «browser detection» tricks, it deals with many OS features related on graphics environment. Potentially it can be used to identify the video adapter, especially if you are use WebGL profiling, not just Canvas 2D Context. By the way different graphics card drivers can also sometimes affect to regular fonts rendering.
This technique is good to make a unique/trackable signature when it is combined with other common methods, e.g. in systems such as EFF's Panopticlick or PET's Fingerprinting.
Much more difficult to obtain specific parameters of the system. It is signature-based, and the problem of signature collection is the main limiting factor why it is not so easy at the moment. We can produce Canvas/WebGL pixmap, and associate its fingerprint with own machine, but we cannot ask each visitor individually about his system and hardware. Certainly, there are ways to get such info: malware, social engineering, mturk, but for now we do not consider them, for now :)
First of all, there will be no any ready-to-embed solutions, this is only demo. We are just going to share some snippets how it works under the hood.
Our signatures DB is based on a simple association between «Canvas Fingerprint» and «HTTP User-Agent», so it is very prone to false positives because of the faked headers, etc. If your fingerprint matches one that is stored in database, the program will show you which User-Agents have the same signature. Otherwise, well, your browser seems unique for our modest DB, but we cannot sign you here in any way, because we do not collect signatures from this website.
Here is the javascript code that produce the pixels:
| The result will be the image | ×Your browser does not support HTML5 Canvas |
To create a signature from the canvas, we must export the pixels from the application's memory using the toDataURL() method, which will return the base64-encoded string of the binary image file. Then we can just create MD5 hash of this string.
But for the PoC we came up with a slightly more interesting decision. As we know, PNG files is divided into chunks, and last part of each chunk is a 32-bit CRC checksum calculated on the preceding bytes. So all we need is to extract the IDAT CRC — that will be the browser fingerprint: