Challenge to uniquely identify a computer from any of its browsers

In an HTML5 web app, I’m building a feature that relies on client-to-client communication (with pusher). It’s made of PHP on the server-side and JavaScript with Vue on the client side.

The typical scenario is: a window popup is opened, and from there it communicates directly with some other windows opened in any other browser on the same computer. Let’s say you have 2 browsers installed: you open the web app popup with Firefox and it communicates with its web app sister page you opened previously in Chrome.

The only (half-)way we have found so far is to use the public IP address to build a private channel named with the IP address… It’s basic and efficient.

However, if there is more than 1 computer connected to the same router, all of them will share the same public IP, and that’s where things become difficult!

A solution could be to add the computer’s local IP to the channel name (that was already built with the public IP), but despite a few nice workarounds I found to get this info from an initiated RTC Connection, this looks quite unreliable and often goes against browsers’ privacy rules…

Obviously, I cannot use session information with PHP on the server-side, nor cookies / local storage on the client-side, as all those solutions are tightly coupled with the browser itself (thank God Chrome won’t share its cookies with Firefox on your computer). Those solutions would be perfect (and no need for a pusher) if we were using 1 single browser, but we need to handle multiple browsers on the same machine.

That’s where I’m wondering if anyone has already dealt with this design challenge and could share some tips; it would be awesome! Thanks for reading so far!

Answer

  • You can check the user agent of the browser.
  • You can check a combination of the request headers coming from different browsers.
  • You can explicitly throw and catch an error in the user’s browser and send it in the request header/body to determine what browser they’re using.
  • You can do canvas drawings to see the user’s GPU/CPU information (since you’re already using HTML5 that’s a bonus).
  • You can directly use WebGL to do the same with perhaps different metrics (since canvas uses WebGL anyways).
  • You can check their typing speed or even build up a profile of their vocabulary and use of language.
  • If you ask for permissions you can see all of their connected media devices like headphones; even just asking for audio permissions will show you all of them.
  • You can benchmark their CPU with things like the time it takes to find primes or encrypt a key.
  • You can use audio fingerprinting, which is almost as unique as your voice, since each browser and CPU architecture slightly differ in the digital pattern and oscillations created from audio, which can be captured.
  • You can check their window size and screen size and screen resolution.
  • There are probably even more I didn’t think of now; you can also use any of them in combination to fingerprint a device.

For more information, research browser sniffing and digital fingerprinting. What’s more, you can uniquely identify the user across their own browsers on the same computer and also different users from different devices using a combination of browser sniffing/digital fingerprinting.

In your specific case you can’t use all the browser sniffing techniques but you can still use some of them, like the user agent, since it will still give you the user device information even if they’re using a different browser.

The idea with digital fingerprinting is that you want to build up a probability high enough that you can be fairly certain it’s the same user; you can’t ever be truly sure, but sure enough. Something like screen size doesn’t mean much by itself, there are millions of devices using e.g. a size 1600 screen; however, consider the following hypothetical example:

  • User’s device has screen size of 1600, that’s e.g. ~1/8 users.
  • User’s device took 20ms to encrypt a 4096 key, that’s e.g. ~1/8 users.
  • User’s device took 40ms to draw a canvas image, that’s e.g. 1/8 users.

Now you already have an 8 * 8 * 8 = 1/512 probability of knowing what user it is and that value goes up way higher very quickly, based on 3 fundamentally unidentifiable things.

However, it should be noted that using any browser sniffing or digital fingerprinting techniques like above falls under privacy regulations (at least in some countries). A lot of things like the user agent are being deprecated, and if you do things like this on a site you’ll get into trouble with things like GDPR. I believe you can get around that if you explicitly ask the user for their permission and let them know that e.g. their browser is being fingerprinted. However, you have to be careful because doing this can get you in trouble if it’s malicious; doing things like this without a user’s knowledge is unethical.

User contributions licensed under: CC BY-SA
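
A way to measure the collision risk that both the question (shared public IP) and the answer (probabilistic fingerprint) describe, as an added example that is not part of the original post. The sessions are constructed sample data, the attribute names `screen` and `os` and all function names are hypothetical, and the `private-` prefix follows Pusher's private-channel naming.

```javascript
const crypto = require("crypto");

// Constructed sample: four sessions behind one public IP (documentation range).
// Only attributes assumed to read the same in every browser on a machine are kept.
const sessions = [
  { machine: "A", browser: "Firefox", ip: "203.0.113.7", screen: "1600x900", os: "Linux" },
  { machine: "A", browser: "Chrome", ip: "203.0.113.7", screen: "1600x900", os: "Linux" },
  { machine: "B", browser: "Chrome", ip: "203.0.113.7", screen: "1920x1080", os: "Windows" },
  { machine: "C", browser: "Firefox", ip: "203.0.113.7", screen: "1600x900", os: "Linux" },
];

// Derive a channel name from the chosen attributes. Hashing keeps the raw
// IP address and device details out of the channel name itself.
function channelName(session, attrs) {
  const material = attrs.map((a) => `${a}=${session[a]}`).join("|");
  const digest = crypto.createHash("sha256").update(material).digest("hex");
  return "private-" + digest.slice(0, 16);
}

// Return the groups of distinct machines that end up in the same channel.
// Every group listed here is a pair (or more) of computers that would
// receive each other's messages.
function crossMachineCollisions(all, attrs) {
  const byChannel = new Map();
  for (const s of all) {
    const name = channelName(s, attrs);
    if (!byChannel.has(name)) byChannel.set(name, new Set());
    byChannel.get(name).add(s.machine);
  }
  return [...byChannel.values()]
    .filter((machines) => machines.size > 1)
    .map((machines) => [...machines].sort());
}

// The answer's hypothetical: each signal is shared by a fraction of users.
// Multiplying the fractions is only valid if the signals are independent.
function combinedOdds(fractions) {
  return fractions.reduce((p, f) => p * f, 1);
}

// Expected number of other devices, out of `population`, that match anyway.
function expectedLookalikes(population, fractions) {
  return (population - 1) * combinedOdds(fractions);
}

console.log(crossMachineCollisions(sessions, ["ip"]));
console.log(crossMachineCollisions(sessions, ["ip", "screen", "os"]));
console.log(expectedLookalikes(513, [1 / 8, 1 / 8, 1 / 8]));
```

Machines A and C (identical hardware on one network) still share a channel after the extra attributes are added, so the derived name alone cannot be what decides who may subscribe.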