10

Is there a security benefit to using the browser's thumbprint in addition to a session identifier to identify a unique session?

Would it then be advisable to ask the user to reauthenticate (or simply refresh the session token) if the thumbprint changes?

Edit 1

Is anyone aware of server side implementations (DLLs) that I can incorporate into my own project?

Ideally I'd like a C# ASP.NET MVC compatible version, but I'll keep it open ended so other platforms may benefit as well.

Edit 2

A lot of these answers describe issues with a particular aspect of the thumbprint (screen resolution, etc.). These "unsafe" values can be omitted from the session thumbprint, or perhaps they are a non-issue, depending on how the session expiration / renewal works.

There may also be values not present in the panopticlick website, that may be beneficial to tie to the session as well.

makerofthings7
    What asset is exposed by the authentication? Are users likely to use multiple browsers or be dormant for long periods (days or weeks) between authentications? – this.josh Nov 07 '11 at 23:04
  • @this.josh I would be interested in general guidance for both scenarios. – makerofthings7 Nov 08 '11 at 00:28
  • Multiple browsers and high latency between authentications are both cases where the users may appear different even though they are the same user. Depending on what assets are at stake causing inconvenience to a small portion of the user base may or may not be worth forcing them to reauthenticate. – this.josh Nov 09 '11 at 02:02

3 Answers

8

Many things on which the thumbprint is defined may change quite often. For instance, the list of supported fonts. Also, some browsers implement transparent updates; Chrome is notorious for that: some updates can even be applied without requiring the user to restart his Web browser. Any such update can change the thumbprint.

As a user of a "secure" site (i.e. a site where there is an obvious need for security, such as online banking), any such apparently spurious "security reset" would make me nervous and jumpy. I do not think making your user nervous is a good thing; also, this would train them to reenter their credentials at random moments, which is bound to make them careless and vulnerable to phishing.

Therefore I advise not to deactivate a session because of a thumbprint change. Anyway, if an attacker can steal a session, he can probably mimic the thumbprint as well, so the envisioned security feature would catch only non-attackers, which is of questionable overall efficiency.

Tom Leek
    +1. One of the commonly changing fingerprint properties is the screen size: a notebook is attached to a docking station with an external screen or pulled out again, or a device flips between horizontal and landscape. – Hendrik Brummermann Nov 07 '11 at 21:52
  • Mostly agreed - but IMHO it would be reckless to ignore such changes - using more abstract/less variant identifiers as the basis of the fingerprint would be a better strategy (e.g. major version number, first 12 bits of IPv4 address, accept headers) – symcbean Nov 09 '11 at 17:40
4

Yes, there is a possible benefit. A change in thumbprint signifies a possible change in the machine that is accessing the site. That is a symptom of connection sniffing / hijacking and the famous FireSheep. The downside is false-positives that require a user to re-login. That's annoying for the user if it happens a lot.

You may want to filter out common changes (minor browser or OS upgrades, screen resolution changes for us laptop folk that use monitors), but if credentials go from IE to Mozilla or Mac to Windows, it's probably worth flagging.

There is still the edge case of the user who walks around with their browser profile on a USB drive, but that's an edge case I'd probably just ignore.

Jeff Ferland
  • I do not have an iPad or iPhone, but couldn't a scenario similar to the "browser profile on USB drive" occur naturally with the Apple gadgets, which are apparently very trigger-happy on the autosync? – Tom Leek Nov 07 '11 at 20:10
  • Yes, if you've got other vulnerabilities in your system (insecure session cookies the case of firesheep) then this may give an indication that they are occurring - but is this the right strategy for detecting such problems? – symcbean Nov 09 '11 at 17:42
4

I wouldn't rely on browser fingerprinting as a strong security method; it is just security by obscurity (which may help keep out your kid sister from your data; but won't keep out strong adversaries who it will only be slightly annoying to defeat). Use SSL and secure cookies.

It seems fairly trivial to modify a web browser to alter its fingerprint to mimic another browser's fingerprint; e.g., change the UserAgent string/Time Zone/Screen size/etc.

I'm not sure if tools are readily available for faking plugin lists / system font lists, but in principle this is not difficult to fake, and since browser fingerprinting is done in JavaScript, it wouldn't be that difficult to figure out exactly what it's checking and have your custom browser replay the correct settings from the other browser.

dr jimbob
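The three answers above pull in different directions (Tom Leek: volatile attributes cause spurious resets; Jeff Ferland: a browser-family or OS-family change is worth flagging; dr jimbob: anything the browser sends can be replayed). The following is an added example in Python, not code from the question, the answers, or any library, that puts those points into one server-side check: it binds the session to a coarse profile built only from low-churn attributes (browser family, major version, OS family, first Accept-Language tag, and the top 12 bits of the IPv4 address, as symcbean's comment suggests), treats minor drift by rotating the session identifier (the "simply refresh the session token" option from the question), revokes the session and forces re-authentication only on a browser-family or OS-family change, and finally shows dr jimbob's limit: an attacker who replays the victim's headers from the same network passes. The `profile`, `classify_change`, `SessionStore` and `demo` names, the User-Agent parsing, the sample requests and the minor/major policy are all assumptions made for illustration.

```python
# Added example (Python), not code from the question or the answers: bind a session to a
# coarse, low-churn request profile and act on changes by severity. Attribute choice,
# the minor/major policy and the in-memory store are illustrative assumptions.
import re
import secrets

def ipv4_prefix(ip: str, bits: int) -> str:
    """Keep only the top `bits` bits of a dotted-quad IPv4 address."""
    a, b, c, d = (int(p) for p in ip.split("."))
    return f"{((a << 24) | (b << 16) | (c << 8) | d) >> (32 - bits)}/{bits}"

def profile(headers: dict, client_ip: str) -> dict:
    """Stable attributes only: no fonts, plugins, screen size or full build number,
    all of which move under docking, transparent updates and device autosync."""
    ua = headers.get("User-Agent", "")
    os_family = "other"
    # Mobile needles first: iPhone UAs also say "like Mac OS X", Android UAs also say "Linux".
    for needle, name in (("iPhone", "ios"), ("iPad", "ios"), ("Android", "android"),
                         ("Mac OS X", "mac"), ("Windows", "windows"), ("Linux", "linux")):
        if needle in ua:
            os_family = name
            break
    browser, version = "unknown", "0"
    # Order matters: Chrome UAs also contain "Safari", Edge UAs also contain "Chrome".
    for token in ("Edg", "Firefox", "Chrome", "Safari", "MSIE", "Trident"):
        m = re.search(token + r"[/ ](\d+)", ua)
        if m:
            browser, version = token.lower(), m.group(1)   # major version only
            break
    return {"browser": browser, "version": version, "os": os_family,
            "lang": headers.get("Accept-Language", "").split(",")[0].strip().lower(),
            "net": ipv4_prefix(client_ip, 12)}   # top 12 bits, as symcbean suggests

def classify_change(old: dict, new: dict) -> str:
    """'major' = browser or OS family changed (IE -> Firefox, Mac -> Windows);
    'minor' = version bump, language or network moved; 'same' otherwise."""
    if old["browser"] != new["browser"] or old["os"] != new["os"]:
        return "major"
    return "same" if old == new else "minor"

class SessionStore:
    """In-memory stand-in for whatever server-side session backend you actually use."""
    def __init__(self):
        self._sessions = {}   # token -> {"user": ..., "profile": ...}

    def login(self, user: str, headers: dict, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "profile": profile(headers, client_ip)}
        return token

    def check(self, token: str, headers: dict, client_ip: str):
        """Returns (status, token): ('invalid', None) unknown token; ('reauth', None) major
        change, session revoked; ('rotated', new_token) minor drift, identifier rotated;
        ('ok', token) unchanged."""
        sess = self._sessions.get(token)
        if sess is None:
            return "invalid", None
        new_profile = profile(headers, client_ip)
        change = classify_change(sess["profile"], new_profile)
        if change == "same":
            return "ok", token
        del self._sessions[token]   # on any change the presented identifier stops working
        if change == "major":
            return "reauth", None   # the user (or the thief) must authenticate again
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = {"user": sess["user"], "profile": new_profile}
        return "rotated", new_token

# Constructed sample requests, not captured traffic.
CHROME_95_MAC = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
                               "(KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36",
                 "Accept-Language": "en-US,en;q=0.9"}
CHROME_95_MAC_UPDATED = {**CHROME_95_MAC,   # transparent point update, same major version
                         "User-Agent": CHROME_95_MAC["User-Agent"].replace("4638.54", "4638.69")}
FIREFOX_WIN = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0",
               "Accept-Language": "en-US,en;q=0.5"}

def demo() -> dict:
    """Walk one user's session through the cases the answers discuss; returns the statuses."""
    store, r = SessionStore(), {}
    tok = store.login("alice", CHROME_95_MAC, "10.1.2.3")
    r["point_update"], tok = store.check(tok, CHROME_95_MAC_UPDATED, "10.1.2.3")
    r["same_prefix"], tok = store.check(tok, CHROME_95_MAC_UPDATED, "10.1.9.200")
    r["new_network"], new_tok = store.check(tok, CHROME_95_MAC_UPDATED, "198.51.100.7")
    r["old_token_after_rotation"], _ = store.check(tok, CHROME_95_MAC_UPDATED, "198.51.100.7")
    # A sniffed cookie replayed from another browser and OS is flagged and the session dies.
    r["stolen_to_firefox_win"], _ = store.check(new_tok, FIREFOX_WIN, "198.51.100.9")
    r["victim_after_revocation"], _ = store.check(new_tok, CHROME_95_MAC_UPDATED, "198.51.100.7")
    # dr jimbob's limit: an attacker replaying the victim's headers from the same network passes.
    tok = store.login("alice", CHROME_95_MAC, "10.1.2.3")
    r["replayed_headers"], _ = store.check(tok, dict(CHROME_95_MAC), "10.1.2.4")
    return r
```

Two design points worth noticing. First, a major browser version bump only counts as "minor" drift and rotates the identifier rather than forcing a login, so Chrome's frequent updates do not produce the spurious "security reset" Tom Leek warns about; only a browser-family or OS-family change does. Second, the /12 network component does nothing against a FireSheep-style attacker sitting on the same wireless network, and the browser/OS components only help if that attacker did not also copy the victim's headers, which is exactly what a packet sniffer gives them. That is why the last scenario returns "ok": the check is a cheap tripwire for careless session theft, not a substitute for TLS and Secure cookies.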