25 Sep 2019
I recently wrote a post called how online tracking works, that post mainly focussed on cookies and how they can be used to track you. But even if a site isn’t using cookies, browser fingerprinting can still be used to track you.
These fingerprints can include data such as geographic location, the browser and operating system that is in use, screen resolution, system fonts, system architecture, browser plugins and system hardware.
Like all tracking technology, browser fingerprinting can be used both legitimately and maliciously.
Fingerprints can be used to prevent fraud or credential hijacking, by checking that a user who is attempting to login is likely legitimate. For example, if you have logged in to
cool-website.com for the last 5 years from the UK and using Ubuntu, then someone attempts to login to your account from Germany on a Windows system, this can flag as potentially illegitimate.
But like most things online, browser fingerprints can also be used in more nefarious way, to track you across web sites and collect information about your habits and tastes without you even knowing it.
Browser fingerprinting can even be used in a downright malicious way; if an attacker knows which operating system, software, versions, plugins and hardware you’re using, they can potentially deliver exploits that are specifically crafted for your machine and therefore are more likely to be successful.
Browser fingerprints do not require cookies or any kind of user interaction. The fingerprinting process simply runs when a website is loaded. This means that the act of fingerprinting your browser is completely transparent. Browser fingerprinting can be achieved in a number of ways:
This post only scratches the surface of browser fingerprinting, but hopefully it will give you a better idea of how it works.
I will leave you with this final thought - I just tested my browser fingerprint using this tool from the EFF. My browser was found to be completely unique among the 228,000 browsers tested in the last 45 days.
That’s how powerful browser fingerprinting is!
So even if you have 3rd party cookies blocked, you can still be identified and tracked online. Worse still, there’s currently no easy way of preventing browser fingerprinting.