Identifying Browsers
The Panopticlick project is an interesting data collection exercise and experiment aimed at understanding just how unique a browser (yours, not to put too fine a point on it) is.
In essence, the EFF researchers show how to fingerprint a browser (1) without storing any state in the browser and (2) simply by executing code that reads public properties and configuration that your browser makes available (this information includes the “UserAgent” string, but goes far beyond it to detect other properties like installed fonts and plug-ins, screen size, screen resolution, and time zone, among others).
I first heard about this project from Bruce Schneier’s February Cryptogram (covering his January 29 blog post – most of the comments, including one from the EFF researcher, Peter Eckersley, are enlightening), but then a paper about the system crossed my email Inbox. Going to the site, I found that my browser (as of 15 March) has about 19.5 bits of entropy and is unique out of 741,612 browsers that have visited the page. Like most other people have experienced, the most distinct parts of my fingerprint are my system fonts and my plug-in details. My user-agent (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6), time zone (EDT), and screen details (1440×900×24) also give away some bits of identifying information, but much less than the fonts and plug-ins.
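To make the "bits of entropy" figure concrete, here is an added example (my own illustration, not code from Panopticlick or the EFF paper) that computes the same kind of numbers over a small constructed population of fingerprints. The surprisal of an attribute value is -log2 of the fraction of browsers sharing it; the bits for a combination of attributes is the same measure applied to the joint value. The eight records, their attribute names and values are all made up for the example; the point they illustrate is that attributes which look independent add up, while the total can never exceed log2(population size), which is why a browser becomes "unique" long before the per-attribute surprisals are exhausted.

```javascript
// Added example: how "bits of entropy" in a browser fingerprint are computed.
// SAMPLE_FINGERPRINTS is a constructed toy population, not real Panopticlick data.
const SAMPLE_FINGERPRINTS = [
  { userAgent: "UA-A", timeZone: "EDT", screen: "1440x900x24", fonts: "fontset-1" },
  { userAgent: "UA-A", timeZone: "EDT", screen: "1280x800x24", fonts: "fontset-2" },
  { userAgent: "UA-A", timeZone: "PST", screen: "1440x900x24", fonts: "fontset-3" },
  { userAgent: "UA-A", timeZone: "PST", screen: "1280x800x24", fonts: "fontset-4" },
  { userAgent: "UA-B", timeZone: "EDT", screen: "1440x900x24", fonts: "fontset-5" },
  { userAgent: "UA-B", timeZone: "EDT", screen: "1280x800x24", fonts: "fontset-6" },
  { userAgent: "UA-B", timeZone: "PST", screen: "1440x900x24", fonts: "fontset-7" },
  { userAgent: "UA-B", timeZone: "PST", screen: "1280x800x24", fonts: "fontset-8" },
];

// Surprisal (self-information) of seeing `value` for `attr`: -log2(P(value)).
// A value shared by half the population is worth 1 bit; one seen once in 8 is worth 3.
function surprisal(records, attr, value) {
  const matches = records.filter((r) => r[attr] === value).length;
  if (matches === 0) throw new Error(`value never observed for ${attr}`);
  return -Math.log2(matches / records.length);
}

// Shannon entropy of one attribute over the whole population, in bits:
// the expected surprisal, i.e. how much that attribute tells you on average.
function attributeEntropy(records, attr) {
  const counts = new Map();
  for (const r of records) counts.set(r[attr], (counts.get(r[attr]) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Bits of identifying information carried by the *combination* of `attrs`
// for one particular record: surprisal of the joint value.
function fingerprintBits(records, record, attrs) {
  const key = (r) => attrs.map((a) => String(r[a])).join("|");
  const target = key(record);
  const matches = records.filter((r) => key(r) === target).length;
  return -Math.log2(matches / records.length);
}

// A record is unique when no other record shares its joint value, which is
// exactly when its fingerprint bits reach the ceiling log2(population size).
function isUnique(records, record, attrs) {
  return Math.abs(fingerprintBits(records, record, attrs) - Math.log2(records.length)) < 1e-9;
}

// Per-attribute breakdown for one browser, plus the combined figure, so the
// non-additivity is visible: the per-attribute sum can exceed the combined bits.
function fingerprintReport(records, record, attrs) {
  const perAttribute = {};
  let sum = 0;
  for (const a of attrs) {
    perAttribute[a] = surprisal(records, a, record[a]);
    sum += perAttribute[a];
  }
  return {
    perAttribute,
    sumOfSurprisals: sum,
    combinedBits: fingerprintBits(records, record, attrs),
    unique: isUnique(records, record, attrs),
  };
}

// Stand-alone usage over the constructed population.
const ATTRS = ["userAgent", "timeZone", "screen", "fonts"];
console.log(fingerprintReport(SAMPLE_FINGERPRINTS, SAMPLE_FINGERPRINTS[0], ATTRS));
```

In the toy population the user-agent, time zone and screen are independent one-bit attributes, so the three together give 3 bits and already make every browser unique; the font set alone is also worth 3 bits, so the per-attribute sum for the first record is 6 while the combined figure stays at log2(8) = 3. That is the effect behind the real numbers above: once a browser is unique among 741,612 visitors, adding further attributes cannot raise its measured bits above log2(741,612), roughly 19.5.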
Schneier’s blog links to this Arstechnica news story.
Other related work is the browserrecon project.
Upcoming Article on Attack Scripts
The upcoming May/June issue of IEEE S&P magazine has a column (written by me under the “Education” department run by Matt Bishop and Cynthia Irvine) that discusses how we can help students nurture a dual frame of mind when writing code. The article discusses the lack of opportunity, time, and encouragement for students within the traditional CS curriculum to explore the edges of a system or uncover and test the hidden assumptions of a designer or implementor. I’m trying to get my students to write attack scripts with every assignment they submit to help them get into this simultaneous black hat/white hat mindset.