how to detect a client’s browser senior seminar cs498
DESCRIPTION
How to Detect a Client’s Browser Senior Seminar CS498. Conrad Kennington. Kount. Stops e-commerce fraud Passively identifies devices. Your device automatically sends information about itself. Why?. = mobile site. = mobile site. = desktop site. = mobile site. en-US. - PowerPoint PPT PresentationTRANSCRIPT
How to Detect a Client’s Browser
Senior Seminar CS498
Conrad Kennington
Kount
•Stops e-commerce fraudPassively identifies devices
Your device automatically sends
information about itself
Why?
= mobile site
= mobile site
= desktop site
= mobile site
= desktop site
en-US
= mobile site
= desktop site
en-US = English site
= mobile site
= desktop site
en-US = English site
ja-JA
= mobile site
= desktop site
en-US = English siteja-JA = Japanese
site
=
What information?
What they know
Device location (~30 miles)Business typeIf you’re a return visitorWhen you last visited
If they care:Browser versionBrowser plugins installedPlugins can gather additional system informationOperating system versionLocal timezoneLanguage settingsLimited device specsResolutionScreen sizeColor depth
What they know
Device location (~30 miles)Business typeIf you’re a return visitorWhen you last visited
If they care:Browser versionBrowser plugins installedPlugins can gather additional system informationOperating system versionLocal timezoneLanguage settingsLimited device specsResolutionScreen sizeColor depth
What they don’t know
• Name• Age• Gender• Weight• Address• Profession• Phone• Credit card number• Major• Salary• Social Security Number• Medical history• Facebook relationship status• Mother’s maiden name• Licensed watercraft• Outstanding parking tickets• Favorite ice-cream• Overdue library books• Credit score
• Grades• Favorite bands• High school sweethearts• Eye color• Nicknames• Netflix recently watched• Email addresses• Tax returns• Candy Crush score• Batting average• Attendance records• Instant messages• Pirated music/movies• Magazine subscriptions• Purchase history• World of Warcraft
achievements• Books read• Adderall dosage• MySpace Top 10• Travel schedule• Birthday• Voting records• Smart phone contact list• Student loan balance
• Tattoos• Fingerprints• Drivers license number• License plate• Dental records• Guns owned• Magic the Gathering decks• Costco membership status• Unredeemed rewards points• Average commute time• Hobbies• Mile run• Favorite restaurants• Merit badges• Religion• Pets• Mood• Amazon wish list• Marital status• 401k balance• Therapist• Phone logs• YouTube comments• Number of children
Pretty much nothing about your
person
Location
71.33.*.*
71.33.*.*This means Boise,
Idaho
71.33.*.*This means Boise,
IdahoFor now.
82.148.97.69
82.148.97.69
This means Qatar
82.148.97.69
This means Qatar
The whole country.
Mask my IP, mask my location?
Mask my IP, mask my location?
Not exactly.
Mask my IP, mask my location?
Not exactly.Timezone, language, etc
Browser
HTTP Request Headers
Request method GETRequest URI /Request protocol HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept charsetAccept encoding gzip,deflate,sdchAccept language en-US,en;q=0.8Connection keep-aliveHost myhttp.infoReferer https://www.google.com/User agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1801.3 Safari/537.36
Parsing a user agent
string sucks
Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/19.0
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0.1
Googlebot/2.1 (+http://www.google.com/bot.html)
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)
None of your business.
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)
Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
Opera/9.80 (Android; Opera Mini/7.5.33361/31.1350; U; en) Presto/2.8.119 Version/11.10
‘; DELETE FROM user_agents;
Mozilla/5.0 (PLAYSTATION 3; 2.00)
Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.346 Mobile Safari/534.11+
Mozilla/5.0 (Linux armv6l; Maemo; Opera Mobi/8; U; en-GB; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 11.00
Mozilla/5.0 (X11; U; Linux i686; ru; rv:33.2.3.12) Gecko/20120201 SeaMonkey/8.2.8
Mozilla/5.0 (X11; U; OpenBSD arm; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Safari/531.2+ Epiphany/2.30.0
Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) Fedora/4.3.1-3.fc11
Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/5.0 ( ; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/526.3 (KHTML, like Gecko) Chrome/14.0.564.21 Safari/526.3
HTTP Header OrderChrome 34 on a Macbook
Host: pgl.yoyo.orgConnection: keep-aliveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1801.3 Safari/537.36Referer: https://www.google.com/Accept-Encoding: gzip,deflate,sdchAccept-Language: en-US,en;q=0.8
Firefox 5 on a Macbook
Host: pgl.yoyo.orgUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:19.0) Gecko/20100101 Firefox/19.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alive
Safari 7 on a Macbook
Host: pgl.yoyo.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-usConnection: keep-aliveAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11
JavaScript
Good at detecting browser features and
capabilities.
Good at detecting browser features and
capabilities.
•Support multiple backgrounds?
Good at detecting browser features and
capabilities.
•Support multiple backgrounds?•HTML5 canvas?
Good at detecting browser features and
capabilities.
•Support multiple backgrounds?•HTML5 canvas?•Border radius?
Good at detecting browser features and
capabilities.
•Support multiple backgrounds?•HTML5 canvas?•Border radius?•Box shadow?
Good at detecting browser features and
capabilities.
•Support multiple backgrounds?•HTML5 canvas?•Border radius?•Box shadow?•Available events?
Good at detecting browser features and
capabilities.
•Support multiple backgrounds?•HTML5 canvas?•Border radius?•Box shadow?•Available events?•CSS properties recognized?
Good at detecting browser features and
capabilities.
•Support multiple backgrounds?•HTML5 canvas?•Border radius?•Box shadow?•Available events?•CSS properties recognized?•CSS animations?
Good at detecting browser features and
capabilities.
•Support multiple backgrounds?•HTML5 canvas?•Border radius?•Box shadow?•Available events?•CSS properties recognized?•CSS animations?•DOM prefixes available?
SSL Ciphers
Client Handshake Packet
Chrome 34 on a Macbook
ECDHE-ECDSA-AES128-GCM-SHA256ECDHE-RSA-AES128-GCM-SHA256DHE-RSA-AES128-GCM-SHA256ECDHE-ECDSA-AES256-SHAECDHE-ECDSA-AES128-SHAECDHE-RSA-AES128-SHAECDHE-RSA-AES256-SHAECDHE-ECDSA-RC4128-SHAECDHE-RSA-RC4128-SHADHE-RSA-AES128-SHADHE-DSS-AES128-SHADHE-RSA-AES256-SHARSA-AES128-GCM-SHA256RSA-AES128-SHARSA-AES256-SHARSA-3DES-EDE-SHARSA-RC4128-SHARSA-RC4128-MD5
Firefox 5 on a Macbook
ECDHE-ECDSA-AES256-SHAECDHE-RSA-AES256-SHADHE-RSA-CAMELLIA256-SHADHE-DSS-CAMELLIA256-SHADHE-RSA-AES256-SHADHE-DSS-AES256-SHAECDH-RSA-AES256-SHAECDH-ECDSA-AES256-SHARSA-CAMELLIA256-SHARSA-AES256-SHAECDHE-ECDSA-RC4128-SHAECDHE-ECDSA-AES128-SHAECDHE-RSA-RC4128-SHAECDHE-RSA-AES128-SHADHE-RSA-CAMELLIA128-SHADHE-DSS-CAMELLIA128-SHADHE-RSA-AES128-SHADHE-DSS-AES128-SHAECDH-RSA-RC4128-SHAECDH-RSA-AES128-SHAECDH-ECDSA-RC4128-SHAECDH-ECDSA-AES128-SHARSA-SEED-SHARSA-CAMELLIA128-SHARSA-RC4128-SHARSA-RC4128-MD5RSA-AES128-SHAECDHE-ECDSA-3DES-EDE-SHAECDHE-RSA-3DES-EDE-SHADHE-RSA-3DES-EDE-SHADHE-DSS-3DES-EDE-SHAECDH-RSA-3DES-EDE-SHAECDH-ECDSA-3DES-EDE-SHARSA-FIPS-3DES-EDE-SHARSA-3DES-EDE-SHA
curl 7.30 on a Macbook
ECDHE-ECDSA-AES256-SHA384ECDHE-ECDSA-AES128-SHA256ECDHE-ECDSA-AES256-SHAECDHE-ECDSA-AES128-SHAECDHE-ECDSA-RC4128-SHAECDHE-ECDSA-3DES-EDE-SHAECDHE-RSA-AES256-SHA384ECDHE-RSA-AES128-SHA256ECDHE-RSA-AES256-SHAECDHE-RSA-AES128-SHAECDHE-RSA-RC4128-SHAECDHE-RSA-3DES-EDE-SHAECDH-ECDSA-AES256-SHA384ECDH-ECDSA-AES128-SHA256ECDH-RSA-AES256-SHA384ECDH-RSA-AES128-SHA256ECDH-ECDSA-AES256-SHAECDH-ECDSA-AES128-SHAECDH-ECDSA-RC4128-SHAECDH-ECDSA-3DES-EDE-SHAECDH-RSA-AES256-SHAECDH-RSA-AES128-SHAECDH-RSA-RC4128-SHAECDH-RSA-3DES-EDE-SHADH-RSA-MISTY1-SHADH-DSS-MISTY1-SHARSA-AES128-SHARSA-RC4128-SHARSA-RC4128-MD5RSA-AES256-SHARSA-3DES-EDE-SHADHE-RSA-AES128-SHA256DHE-RSA-AES256-SHA256DHE-RSA-AES128-SHADHE-RSA-AES256-SHADHE-RSA-3DES-EDE-SHAPSK-AES256-SHAPSK-AES128-SHAPSK-RC4128-SHA
So…
What they know
Device locationIf you’re a return visitorWhen you last visited
Browser versionBrowser plugins installedPlugins can gather additional system informationOperating system versionLocal timezoneLanguage settingsLimited device specsResolutionScreen sizeColor depth
How they know it
•IP address, HTTP headers•Cookie•Cookie •HTTP headers, ciphers, JS•HTTP headers •Depends on the plugin
•HTTP headers, ciphers•JavaScript•HTTP headers•JavaScript•JavaScript
• JavaScript•Javascript
Questions