Identify Browser with JavaScript Engine Fingerprinting

How efficient are browser JavaScript Engines?

Identify Browser with JavaScript Engine Fingerprinting
In the usage of the internet, web browsers are playing the most crucial role in the software components and it can be identified with javascript engine.

But there are many browsers on the market, so to make a decision to which browser should specifically consider a nontrivial problem and it depends on javascript engine. Because online security and privacy do matter and drive-by downloads and user tracking can improve user’s security. So everyone just makes their own trust and making decisions using their own allurement.

Here going to propose some new method to identify web browsers based on their JavaScript engine, And by executed test results can help users to make better decisions.

Basic tests of browsers

1. Efficient JavaScript Fingerprinting

While JavaScript conformance tests like Sputnik consist of thousands of independent test cases, Actually not all of them are not necessary for browser identification.

In fact, a single test case may be sufficient to differ two bowsers-if one browser fails to and another does not.

Example: On some tests, Opera 11.64 only fails in 4 out of more than 10,000 test cases but while the most recent version of Internet Explorer 9 at that time failed in almost 400 test cases. That is sufficient to reliably distinguish those two browsers and can be executed within a fraction of a second.

2. Minimal Fingerprint

Using a greedy algorithm to find a fingerprint for a given test set. It starts by running some tests for each browser that fails for each case. As the JavaScript Engine is a static of the browser, this needs to be done once per every browser and calculate for each failed test case the number of browsers that fail. Which browser stands for the winner.

Example: The browsers in the test set are Firefox 12, Opera 11.64, Internet Explorer 9 and Chrome 20, with a resulting minimal fingerprint consisting of only 4 tests. With the algorithm explained above, we calculate the minimal fingerprints as follows: For every test case, the uniqueness in the test set is calculated. If a test fails for a specific browser, it receives a checkmark in the table, and if the browser does not fail that test, it is crossed out.

3.Building Decision Tree

To identify a user’s browser without relying a priori on the user. Have to build a binary decision tree for a given test set if the browser is included in it by running multiple test rounds. For every test, the next step will be a decision until the leaf node. This will justify which browser is faster.

Descision tree (Source)

In the ideal case, every inner node in the tree splits the subset of browsers in the test set in half, and the total number of tests that need to be executed at the client is only O(logn) compared to O(n) for executing the minimal fingerprints.

4. Implication on Security and Privacy

While the UserAgent string is traditionally used to report the web browser and version to a river. This is often not sufficient as the user can change it arbitrarily. In the context of browser security, current malware often relies on vulnerabilities in browsers for launching exploits. It like a black hole that has been shown to use the user to exploit client-side vulnerabilities.

It is furthermore well known in the security community that JavaScript and drive-by download attacks can be used to endanger client security and privacy. For the implications of privacy, we use the security model of Tor and the definition of an anonymity set, which could be decreased by a malicious website using JavaScript engine fingerprinting. Section VI discusses numerous recent papers that have been using browser fingerprinting to endanger user’s online privacy

5. Benign Uses of Fingerprinting

Here we discuss some benign use cases in addition to the sections discussing the framework and our results, respectively. To protect against session hijacking, web servers could use JavaScript engine fingerprinting to verify or refute the validity of HTTP sessions, such as session hijackers usually clone all possibly identifying plaintext information like browser session cookies or the complete HTTP header. Thus JavaScript fingerprinting can be used to raise the bar for session hijacking in the arms race against attackers. This method could also be used for connections that are secured with HTTPS to prevent HTTPS

Recently hacked CAs like DigiNotar and “Operation Black Tulip” have shown that HTTPS alone is simply not enough to secure online communication anymore.

On research, they try all techniques to judge browsers. And also they come up with a decision by their result.

They collected browsers with different versions and different operating system combinations for desktop and smartphone and browsers engine generation in the database. They try every possible test according to these techniques.

The runtime for the entire test was short, with 90ms on average for PCs and 200ms on average for smartphones.

Testing report (Source)

The results above show that JavaScript engine fingerprinting is a feasible approach to identify or verify a given browser, even for mobile devices like smartphones. With only a small overhead regarding execution time on the client and bandwidth. On the server-side, the impact is negligible, as it can be implemented as a small number of database lookups.

The “best” browser regarding JavaScript standard conformance in our set of tested browsers was Opera. (This decision based on 2013–16 browser version), with only 4 failed tests in its most recent versions. Firefox and Chrome improved the engine constantly between releases, which happen at a much higher pace. Internet Explorer used a different XMLHttpRequest method before version 8 and thus did not work with a test like test262 and Sputnik tests and test numbers for fingerprint generation in Section IV-C.

That it is not the total number of failed test cases that are of importance, but if there is a difference between the browsers in the test set.

For browser identification and with respect to the chosen test set. A single test case per browser is often sufficient to distinguish between two or more browsers. Also, these results and the number of failed tests are not static in nature. Browsers, ECMAscript, and the test suites are under active development and are constantly improved. With ECMAscript currently preparing version 12 of the standard.

Here some basic techniques to compare the browser on JavaScript Engine level there have many more techniques to differ them.

There are too many browsers to choose from and they have strong competition. Mostly they release a new upgrade version and many new features. So I think most browsers have close competition, and everyone just wants to come on the top. According to me, Chrome is the best browser ever.

Source — It is taken from a research paper and told you in a short version. You can also read the whole research paper pdf.

Thank you for reading. If I wrote something wrong, let me know your response.

Leave a Reply

Your email address will not be published.