publishing date icon
August 5, 2022
read time icon
5 min. read

The good, the bad, and the ugly about browser fingerprinting

Privacy versus Security versus Usability. Who will win?

Author image
Eemeli Ali-Kippari
Junior Social Engineer: Team Vanguard
Post hero image

When talking about browser fingerprinting, you have to talk about cookies first. Which is exactly what we're going to do.

If you've been on the internet for any length of time — and, if you're reading this, it's safe to assume that you've been "on the net" for a while — you've probably been made aware of cookies. They're not the type your grandma used to make. They're used to track your activity around the internet and make your visits to certain websites easier. Cookies have been around since 1991, and the term was coined by browser programmer Lou Montulli as a shortened version of "magic cookie" — which itself was a codeword of sort for a package of data that a browser receives and then sends back out.

Cookies have been necessary because HTTPS (the protocol used for browsers to connect to websites) is a lot like a goldfish in that it doesn't remember the connections it has made previously. So, we need something else to remember our preferences and other information regarding the website we are visiting. Enter: cookies. Cookies are assigned to your browser by the website you're visiting. In the case of third party cookies, they are placed on websites usually by an advertising company. These cookies are then checked by the next website you visit to remind it of who you are and where have you been. While this provides a better user experience, it does so at the cost of some of your privacy.

For this very reason, third party cookies are disappearing from the internet. Google even announced they were starting to phase out third party cookie support back in 2020. Since advertisers rely so heavily on cookies to generate better ROI (return on investment) for their customers, they have felt the need to do something to keep third party cookies around as long as possible. They have some tricks up their sleeve to get you to keep using cookies, and ... unfortunately for the rest of us... advertisers aren’t the only ones using these same tricks.

Cookie Monster. Source: Flickr, Creative Commons

Getting around the cookie issue

So, if cookies are on their way out, what else can people use to identify users on the internet? Another piece of data that websites can glean from their users besides cookies is their IP address. An IP address is necessary to create a connection between any device and a website. It provides (paraphrasing hugely here) the "address" of your computer or device so that it can communicate over a network. Your IP address, combined with some additional information, means that you can be identified on the internet even without cookies. This brings us to IP loggers and how they are used both maliciously and legitimately.

An IP logger does exactly what the name implies: it collects a log of IP addresses that have made a connection with it. It can also pair an IP address with additional information from your GPU model and name to your approximate location; this is called browser fingerprinting. This is usually done by executing Javascript on the user's browser, as the browser sends the website all the information it asks about the system and the browser itself. Below is a partial list of information it can collect besides the IP address.

  • City, or location
  • Battery level
  • Screen size
  • GPU
  • Browser name and version
  • System date and time
  • Language
  • Host Name

... and much more!

Just like cookies, this information can make you unique and identifiable across the internet. You can even check if your connection and device is actually unique from an IP loggers perspective by visiting amiunique.org. What makes this so effective are the numerous possibilities of different configuration combinations. Unlike cookies, you can’t easily remove this information from your device. Now that we know what an IP logger is, let's see how and where it is used.

Clint Eastwood. Source: Flickr, Creative Commons

The good and the bad...

Even though almost every website you visit could be classified as an IP logger, it doesn’t mean that just logging an IP address is malicious in intent. For a normal website IP logging can be done for security and compliance reasons. Sometimes even browser fingerprinting is done for simple security reasons. Ultimately, it is all about how this information is used, and who has this information.

Your IP and other data mentioned above can be logged in several ways, but we will focus on two of the most prevalent methods that allow for effective browser fingerprinting from the perspective of an email user. The terms IP logger and browser fingerprinting will be used unambiguously, because IP loggers can do both and they are commonly paired together.

Method 1: Redirect link

Although not too dangerous in itself, you can get fingerprinted in the blink of an eye when clicking on a link in your inbox. An attacker can craft a unique link to you which has a unique ID based on your email address. This way, the attacker knows which users have clicked on the links they have sent. In addition, your fingerprint could be taken when the link you clicked redirects you to the intended site — fingerprinting you along the way. This method can be combined with either another redirecting link or a link shortener. This way it becomes near impossible to figure out the links' legitimacy by just hovering over the link. These are used both legitimately and maliciously.

Legitimate use cases are for statistical and analysis purposes, such as affiliate marketing, which is a huge part of modern e-commerce. However, one malicious way to use redirecting IP loggers is to send them as a link in a phishing email. It is more likely to be sent as a part of an attack rather than by itself. Your valuable fingerprint, combined with other information you might give as a part of an attack, is a powerful dataset to use against you... if the attacker wishes to.

Not all bad links lead to a website made by the attacker. But even if a legitimate website is used as the landing page in a phishing attack, your IP and browser fingerprint can be collected along the way. In this case the link may lead to a news article, but you were redirected there through an IP logger. In a worst-case-scenario using fingerprinting, the redirect service could detect a vulnerability on your browser and exploit it. This is yet another reason to avoid clicking on links even if you’re smart enough to never enter your credentials or open downloaded files.

Method 2: Fingerprinting on the target website

Like we've mentioned already, almost any website that you connect to has not only your IP address but also a plethora of other information if they choose to collect and store it. There is no easy and surefire way to know if you have been fingerprinted maliciously unless you know how to interpret the Javascript code used on the site. Even then, it might be obfuscated to make it almost unreadable and understanding the code becomes a backbreaking task.

Alternatively, a link could lead you to a legit website and it doesn't fingerprint you. Sounds alright, right? Well (heavy sigh), this time it is the hosting company you have to worry about. It might be a data hungry company collecting everything they can on their visitors. Or it could just be regular IP logging and nothing else. Sometimes internet providing services are mandated to give their You need to consider what the meaning of privacy is for you and what is acceptable to share. Be it for companies or attackers.

Source: Kapwing

... and the ugly

Great, now an attacker has our IP and our browser fingerprint. So what might be the consequences of this?

  • Your location can be leaked. Not with complete accuracy, but usually your city can be located from your IP address alone. While revealing your city is not necessarily concerning in itself, with some OSINT the attacker might get a much more accurate location. This information is used for marketing and analysis purposes as well.
  • Hacking your device. An IP address has a device behind it, which may be running multiple services. What are the chances that every service is up to date and not vulnerable? This is unlikely to happen to just anyone; no hacker wants to spend the time and resources it would take to scan all those services on someone who is not a high value target, like a C-suite member. On the other hand, it could be possible for an automated script to exploit your browser if the fingerprinting detects an out of date browser version or an extension on your machine. You should know that some level of scanning happens on the internet all the time by various entities, but we are talking about more intensive and targeted scanning.
  • Online tracking. Once your fingerprint has been taken, you can be tracked across the internet. If one entity - an advertiser for example - has your fingerprint from website1.com and sees the same fingerprint visit website2.com that the advertiser is also advertising on, they know it’s the same person on both occasions. Normally this is done with cookies, but you can always delete them or use incognito mode.
  • Loss of privacy. In general, fingerprinting is one technique to bypass cookies or improve their effectiveness. Under GDPR browser fingerprinting is under managing personal data and thus requires consent. Usually websites ask permission to do that while also asking for cookie consent. It can be expressed in many ways, but usually follows along the lines of “unique device characteristics” or “device identifiers”.

So... what can be done? 

Hate to be the bearer of bad news, but: there is currently no easy-peasy way to reduce your fingerprint on the internet.

If you install a bunch of privacy extensions, spoof your user agent, and even disable javascript to avoid browser fingerprinting, you’ll paradoxically become even more unique on the internet. Take the 'disabling javascript' option, for example. The majority of people have javascript enabled because it makes websites much more user friendly and sometimes they don’t even work without it. If you’re the one person in 15,000 who has it disabled... it makes you that much easier to identify.

But... hey! Don't give up hope yet. There are still some things you can do to protect your privacy. One should remember that these techniques can fend off websites from fingerprinting you, but none of these solutions are a magic cure-all. It is advisable to use multiple techniques instead of just one.

  • Update your stuff
    The best practice, if you ask me (and if you've made it this far in the article, you did) is to always keep your cybersecurity software updated. Your browser and all its extensions are at risk and updating them frequently with the newest protections will help you immensely.
  • Use a VPN
    A VPN doesn’t do much regarding fingerprinting, but it is a simple trick to conceal your IP address and consequently your IP based location. VPN's also have other additional benefits such as encrypting your traffic.
  • Browser extensions
    Oh my, my, my, dear reader. The duality of these extensions is flabbergasting. On one hand, you could keep them to a minimum, on the other you could also add more privacy enhancing extensions. However, it is best practise to remove all the unnecessary browser extensions you currently. Any given combination of them is unlikely matched by other users, and having several of them makes you incrementally more unique. Using desktop versions of an extension is a better alternative... if available.
  • Privacy focused browsers
    Different browsers have varying levels of privacy. Firefox, for example, blocks fingerprinting from third-party companies that are known to do so. Tor browser is committed to blocking browser fingerprinting by trying to make all Tor browser users seem  identical to one another, and one neat detail is that the Tor browser opens up in a specific resolution to prevent screen dimensions to be identifiable measurements. It should be mentioned that Brave browser offers fingerprinting protection as well.
A battle, much like the one going on in your browser. Source: Flickr, Creative Commons.

Privacy VS Security VS Usability: The age-old battle

At the end of the day privacy, security, and usability are like the dads on Full House. They all stand for different things... but they have a lot to do with each other. You need to think how changing one of them affects the others, and which of them is a priority to you. It’s not the most convenient to have all possible security and privacy measures in place because you have to jump through a few extra hoops compared to a “normal” user experience, but having all user experience enhancing features on will most likely harm your privacy or even your overall security.

Having your IP logged or browser fingerprinted by companies isn’t the end of the world and chances are that it has been done to you multiple times a month and will be done again in the future even without you noticing it. But do you really want companies to have all that data? After all, the online advertising market is worth hundreds of billions of dollars. Browser fingerprinting is extremely popular as a quarter of the top 10 000 websites in the world do it to their users and thus it is highly unlikely that it is going anywhere anytime soon. Even as cookies seem to slowly die off, it is one possibility that browser fingerprinting completely takes over.

Subscribe to our newsletter