 February 2, 2010  Online

A test on browser fingerprinting by the Electronic Frontier Foundation (EFF) has shown how uniquely identifiable a user’s browser is on the web. What that test cannot do is identify individual users. This, however, is the goal of an experiment by the International Secure Systems Lab (Isec Lab). Originally founded by the Vienna University of Technology (TUV), Isec Lab is now a collaborative venture between TUV, Eurécom and the University of California in Santa Barbara. The test makes use of Xing, a platform widely used in Europe on which many millions of users have published profiles.

The test essentially exploits the fact that many Xing users are identifiable by their membership of various groups. According to Thorsten Holz, one of the researchers who designed the experiment, there are very few people on any social network who belong to exactly the same groups. A ‘group fingerprint’ could thus allow websites to identify previously anonymous visitors.


Gilbert Wondracek, Thorsten Holz, Engin Kirda and Christopher Kruegel describe the principles of the test in full in “A Practical Attack to De-Anonymize Social Network Users”. The paper also describes practical remedies for protecting against this kind of de-anonymisation attack, all of which are aimed at hampering history stealing. On the server-side, operators could insert random tokens into URLs, making it much more difficult to probe URLs at a later date. Client-side, users can block access to browser history by, for example, visiting certain sites in incognito mode, using protective plug-ins such as NoScript for Firefox or regularly clearing their history.
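The server-side remedy above, sketched as an added example (not code from the paper or from Xing): each group link carries a token derived from a server secret and the visitor's session, so the URL that lands in a browser's history cannot be predicted by a third-party site. The key handling, the `t` parameter name, the session identifiers and the group path are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a single server-side secret; a real deployment would load it
# from configuration and rotate it.
SERVER_KEY = secrets.token_bytes(32)
PARAM = "t"  # hypothetical query parameter name


def _token(session_id: str, path: str) -> str:
    # Binding the token to session AND path means one leaked URL reveals
    # nothing about other users' URLs or about other pages.
    msg = f"{session_id}\n{path}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def tokenized_url(session_id: str, path: str) -> str:
    """Link to render for this session: the path plus an unguessable token."""
    return f"{path}?{urlencode({PARAM: _token(session_id, path)})}"


def accept(session_id: str, url: str) -> bool:
    """Serve the page only if the token matches this session and path."""
    parts = urlsplit(url)
    supplied = parse_qs(parts.query).get(PARAM, [""])[0]
    expected = _token(session_id, parts.path)
    # Compare as bytes in constant time; also tolerates non-ASCII input.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def demo() -> dict:
    # Constructed sample values, not real identifiers.
    path = "/groups/example-group-123"
    alice = tokenized_url("session-alice", path)
    bob = tokenized_url("session-bob", path)
    return {
        "own_link": accept("session-alice", alice),
        "other_session": accept("session-bob", alice),
        "bare_url": accept("session-alice", path),
        "urls_differ": alice != bob,
    }


if __name__ == "__main__":
    print(demo())
```

The protection holds only if every link the site emits uses the tokenized form, since a token-free URL that still resolves can be enumerated and probed as before.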

