
I'm facing an issue with rampant scraping and abuse on a website that costs me a good chunk of money to maintain. So, I have been looking to implement a few solutions, and apparently these solutions fingerprint the client in some form.

However, the premise of fingerprinting seems problematic to me. Since fingerprinting involves a series of tests run on the browser which are then submitted to a server, it would be trivial to capture parameters involved with a good fingerprint from a browser, and submit them to the server each time such fingerprinting is attempted, thereby making it nearly useless.

Is there a reason why browser fingerprinting would work to detect a bot when it can be easily subverted?

    "Why lock your doors when locks can be picked?" Your premise is faulty. Things do not need to work 100% of the time in order to be effective and to have a positive cost/benefit. – schroeder Dec 24 '19 at 11:28
  • Would Cloudflare's solution to defend against content scraping bots work in your case? https://www.cloudflare.com/learning/bots/what-is-data-scraping/ – mti2935 Dec 24 '19 at 21:17
  • Have you considered a social solution? Although it doesn't work in all cases, sometimes it's as simple as providing an efficient API for downloading. I had an issue like this with a media site, and the solution I found was to provide up-to-date torrents for the media. After I advertised that fact, the scraping stopped almost entirely. – forest Dec 25 '19 at 04:50

1 Answer


Passive fingerprinting can easily be faked, and it is trivial to code responses that can pass passive fingerprinting. And yet, it can still work, because not every bot includes this feature, since not every target fingerprints. It's a pure cost/benefit scenario.

Active fingerprinting takes more complex coding to spoof, and not all bots have the facility (or space) to include this level of deception and do it effectively.

Security controls are based on a concept of risk. You employ a control to bring the risks down to an acceptable level (risks cannot be eliminated entirely). So, given the threats you face and the impact you want to prevent, can the given control reduce the risk? That's the question.

Since the threats (bots, in your case) at this point in time do not often include fingerprint deception, passive fingerprinting can have a positive effect on your risks. It doesn't matter what the threats could do in the future or what they could be doing now but aren't.

"But what if bots get really good at deception?" Then you need to re-assess the risk at that point. But you cannot then make the leap to conclude that the control has no value now. Controls are effective against specific risks in a threat scenario. Just because they might not be effective in other risk contexts does not make them poor controls. There is no silver bullet.

schroeder