Internet privacy and security course
Aa font
AA font size
20
About translation
Next

Chapter 93

Deanonymization of VPN and proxy users through the User agent and browser fingerprints

I want to make a note straight away that in this article I use the “User agent” as a generalized term for the information collected by the sites. Although it is not totally correct in terms of terminology, it is pretty simple and understandable for readers.

I’ve already mentioned the threat of uniqueness and now it’s time to consider the practical use of uniqueness for deanonymization. This topic scares many unskilled users with its complexity, but in reality, there is nothing complicated about it.

Each of you surfs around the sites and uses for this purpose special software called a browser. We work with different browsers, someone works with Chrome, someone does it with Safari, someone works with Yandex Browser, the most reasonable ones use Mozilla, some still have Internet Explorer. But even if three people have the same browser, for example Mozilla Firefox, one works with the Windows operating system, the other one works with macOS, and the third one does it with Linux Mint. One updates the browser on time, and the other still uses the outdated version, one’s browser language ​​is English, and the other’s is Russian.

The site needs information about your browser, for example, the browser language to understand which version of the multilingual site show you to; permission to understand the mobile or regular version of the site to provide you with.

Web-sites can see a lot, even your system time, it is often used to simply check for a VPN or proxy. Suppose you are using a VPN and your IP address indicates that you are in the glorious city of Washington. But your system time and Russian browser say that you rather are somewhere in the European part of Russia.

You can observe information about your browser following this link.

Once the site received information about you, like the type and version of the browser, the type of operating system, language, system time, screen resolution and some other technical information. Do you think there are many people who have all these data match? In fact, they are not so few, and in some combinations, there may be millions.

We are not talking about any uniqueness, just about narrowing of the circle. More indicators are needed to make this site visitor even more unique, and this is the point fingerprints come into the game, such as Canvas, WebGl and audio fingerprint.

In this course we will have not just one chapter devoted to these fingerprints, I will say briefly here about the ones. Canvas and WebGL are the prints obtained due to the fact that all our browsers process 2D and 3D graphics in a little bit different way. Altogether these fingerprints have rather high uniqueness. You can see your Canvas fingerprint here and WebGL here.

Audio fingerprint are the ones obtained by the features of sound processing. View your fingerprints following this link.

The uniqueness of each individual fingerprint is not so high, if you do not use any plugin to replace the Canvas or WebGL. As a rule, these plugins give an absolutely unique value of the fingerprint and in this case your uniqueness becomes one hundred percent. It’s hard to come up with something worse than using a similar plugin.

But even if you do not use the one, when your fingerprints are combined together, other browser data is added to them and the uniqueness becomes very high, up to 1-10 devices worldwide.

Myth

By fingerprints one can define the user.

Fact

Fingerprints, as well as the User agent, in total lead only to uniqueness, but not to the estimation (deanonymization) of the user.

So, with the help of browser data and fingerprints, we have uniquely defined the user's browser, but what about the deanonymization, in other words, getting the original IP address or the user's identity straight away?

Imagine a situation that a criminal buys goods from an online store, having paid with a stolen card. The store uses an antifraud system that collects data about customers, including all their fingerprints. The owner of the store has an IP address, which obviously does not belong to the user (for such scammers, traffic proxying using an SS