• tl;dr sec
  • Posts
  • Browser fingerprints for a more secure web

Browser fingerprints for a more secure web

This talk describes how Salesforce uses browser fingerprinting to protect users from having their accounts compromised. Their goal is to detect sessions being stolen, including by malware running on the same device as the victim (and thus has the same IP address).

Author

Clint Gibler
January 14, 2020

Julien Sobrier, Lead Security Product Owner, Salesforce linkedin
Ping Yan, Research Scientist, Salesforce linkedin
abstract slides video

They’re interested in detecting two types of cases:

  1. Per user - significant changes in the fingerprint of one user (targeted attack)

  2. Across users - many users now have the same fingerprint (e.g. many users infected by the same malware)

They use 19 fingerprint vectors, which are largely standard features used by prior work like Panopticlick and Browser Leaks:

  • User agent

  • Screen resolution and window size (height and width)

  • Pixel density, color depth

  • Time zone and language

  • Plugins and fonts installed

  • navigator.platform

  • canvas and media devices

  • If session storage, local storage, web sockets, and indexDB are supported

  • Codecs and DRM, if DNT is enabled

They needed to determine how much and often a user fingerprints changed, as if fingerprints were highly variable, their system may report many false positives, leading to bad user experience. If fingerprints tend not be very unique, then they may not be effective at detecting compromised user sessions.

Consistencies across sessions for a given user is pretty high (77% no change), and 78% of fingerprints are unique to one user. Thus, this approach is promising.

To measure how much a user’s fingerprint changes over time, they use Shannon entropy. A high entropy value indicates that the user’s fingerprint can be quite variable, while low entropy means it stays consistent.

This the approach from end to end - fingerprint data is collected client side from user browsers via JavaScript and sent to Salesforce servers. After a training period (say 2 weeks), each user is giving an entropy score based on how much their fingerprint changes over time. Then when a user is observed with a new fingerprint, they do ‘fingerprint diffing’, which weights how likely the user’s session is to change as well as the magnitude of the change. For example, having a totally different IP address vs a different one on the same subnet.

Out of the hundreds of millions of user sessions Salesforce sees per day, the system flags around 20-30 suspicious ones that are passed on to the SOC team to investigate. Of these, roughly half are truly compromised accounts.

One thing the system doesn’t yet effectively handle is users who consistently use more than one device, but that may be addressed in future work.