Internet privacy and security course
About translation
Previous Next

Chapter 72

Deanonymization of VPN and proxy users through the User agent and browser fingerprints

I want to make a note straight away that in this article I use the “User agent” as a generalized term for the information collected by the sites. Although it is not totally correct in terms of terminology, it is pretty simple and understandable for readers.

I’ve already mentioned the threat of uniqueness and now it’s time to consider the practical use of uniqueness for deanonymization. This topic scares many unskilled users with its complexity, but in reality, there is nothing complicated about it.

Each of you surfs around the sites and uses for this purpose special software called a browser. We work with different browsers, someone works with Chrome, someone does it with Safari, someone works with Yandex Browser, the most reasonable ones use Mozilla, some still have Internet Explorer. But even if three people have the same browser, for example Mozilla Firefox, one works with the Windows operating system, the other one works with macOS, and the third one does it with Linux Mint. One updates the browser on time, and the other still uses the outdated version, one’s browser language ​​is English, and the other’s is Russian.

The site needs information about your browser, for example, the browser language to understand which version of the multilingual site show you to; permission to understand the mobile or regular version of the site to provide you with.

Web-sites can see a lot, even your system time, it is often used to simply check for a VPN or proxy. Suppose you are using a VPN and your IP address indicates that you are in the glorious city of Washington. But your system time and Russian browser say that you rather are somewhere in the European part of Russia.

You can observe information about your browser following this link.

Once the site received information about you, like the type and version of the browser, the type of operating system, language, system time, screen resolution and some other technical information. Do you think there are many people who have all these data match? In fact, they are not so few, and in some combinations, there may be millions.

We are not talking about any uniqueness, just about narrowing of the circle. More indicators are needed to make this site visitor even more unique, and this is the point fingerprints come into the game, such as Canvas, WebGl and audio fingerprint.

In this course we will have not just one chapter devoted to these fingerprints, I will say briefly here about the ones. Canvas and WebGL are the prints obtained due to the fact that all our browsers process 2D and 3D graphics in a little bit different way. Altogether these fingerprints have rather high uniqueness. You can see your Canvas fingerprint here and WebGL here.

Audio fingerprint are the ones obtained by the features of sound processing. View your fingerprints following this link.

The uniqueness of each individual fingerprint is not so high, if you do not use any plugin to replace the Canvas or WebGL. As a rule, these plugins give an absolutely unique value of the fingerprint and in this case your uniqueness becomes one hundred percent. It’s hard to come up with something worse than using a similar plugin.

But even if you do not use the one, when your fingerprints are combined together, other browser data is added to them and the uniqueness becomes very high, up to 1-10 devices worldwide.

 

Myth

By fingerprints one can define the user.

Fact

Fingerprints, as well as the User agent, in total lead only to uniqueness, but not to the estimation (deanonymization) of the user.

So, with the help of browser data and fingerprints, we have uniquely defined the user's browser, but what about the deanonymization, in other words, getting the original IP address or the user's identity straight away?

Imagine a situation that a criminal buys goods from an online store, having paid with a stolen card. The store uses an antifraud system that collects data about customers, including all their fingerprints. The owner of the store has an IP address, which obviously does not belong to the user (for such scammers, traffic proxying using an SSH tunnel is common), along with all their browser data, including the User agent and fingerprints.

Firstly, the store owner can add them to the blacklist, so the criminal without changing fingerprints will not buy anything else, but if they replace the fingerprints, modern antifraud systems detect such substitutions and restrict the users.

Secondly, they can contact the law enforcement authorities. Imagine that the store owner has lost a lot of money and goes to law enforcement services. The FBI takes over. Cyber ​​fraud has become their key point for long ago, and many cyber criminals from around the world visited the American court bench.

From the information about the criminal there is an IP-address of the server which they proxied Internet traffic through. The first thing they will certainly check for is who has been connected to the server. Scammers often use hacked servers bought on the black market and connect to them via SSH.

The FBI has contact with both Interpol and with all the leading hosting and Internet providers, and even if not, few people decide not to respond to their request. The cybercriminal probably uses several levels of protection, connecting to the final proxy through another traffic proxying tool. It will not cause problems, it just takes a little longer.

Russian cybercriminals are usually well aware of these capabilities of the special services and do not overestimate the protection provided by the proxy and VPN. Therefore, they use the mobile Internet with 4G modems and SIM cards purchased without registration for their data, as a result, special services have only an approximate place of cybercriminal access to the network.

This is where browser fingerprints come to help. Are you probably waiting to hear that the browser fingerprints left by the criminal are taken, and they are deanonymized by them? No, this is impossible, no matter how one may frighten you with fingerprints, they are not so dangerous in this case.

However, they are effective in another case. For example, a scammer has several Google accounts in one browser. From one of them one sends fraudulent letters, the other one they use for personal purposes. It doesn't have to be Google, let it be Facebook. Both Google and Facebook collect fingerprints and use them to find accounts registered from one device.

The fraud is well familiar with security issues, uses incognito mode for “dirty business” and various VPNs. But thanks to the User agent and the fingerprints, the system sees that it is one person.

Then their crimes form the basis of the criminal case, and law enforcement services send a request to, let’s say, Google in order to obtain information about the user, including information about what other accounts one has. As you understand, they will receive all the accounts of a fraud, including personal ones, by which they can be identified.

The proposed method practically does not work against users of the Tor browser, although many companies are trying to unify them, according to my information, as long as it works out for them very mediocre. But the main protection against this threat is the use of different browsers. In this case, both the User agent and the browser fingerprints will be different.

Previous
6550
Next