by littlestymaar 1173 days ago
You only get fingerprinting from your method if the variation of the “fingerprint” between two different runs by the same user is lower than the difference you get between two different users. This is far from obvious since it depends a lot on the workload running on the machine at the time.

I'm not aware of a single fingerprinting tool that primarily uses this kind of timing attack rather than more traditional fingerprinting methods.


Not sure if the workload makes a difference.

We would have to make examples of what Computation1 is and what Computation2 is to make a prediction if certain types of workloads will impact the ratio of their performance.

Example:

    // Computation1: plain integer additions
    let s = performance.now();
    let r = 0;
    for (let i = 0; i < 1000000; i++) r += 1;
    const t1 = performance.now() - s;

    // Computation2: a regex match on every iteration
    s = performance.now();
    r = 0;
    for (let i = 0; i < 1000000; i++) r += "bladibla".match(/bla/)[0].length;
    const t2 = performance.now() - s;

    // Relative cost of Computation2 compared to Computation1
    console.log("Ratio: " + t2 / t1);

For me, the ratio is consistently larger in Chrome than in Firefox. Which workload would reverse that?

Fingerprinting in the usual sense of the term isn't about distinguishing Chrome from Firefox, it's about distinguishing user A from user B, … user X reliably in order to be able to track the user across websites and navigation sessions.

Your example is unlikely to get you far.

Edit: in a quick test, I got a range between 8 and 49 in Chrome, and between 1.27 and 51 (!) on Firefox, on the same computer. The results are very noisy.

Chrome and Firefox here are an example for "Two users who use exactly the same hardware but different software".

To distinguish between users of a larger set, you do more such tests and add them all together, each test adding a few bits of information.

To make the above code more reliable, you can measure the ratio multiple times:

https://jsfiddle.net/dov1zqtL/

I get 9-10 in Firefox and 3-4 in Chrome very reliably when measuring it 10 times.

> Chrome and Firefox here are an example for "Two users who use exactly the same hardware but different software".

But it's also the most pathological example one can think of, yet the results are extremely noisy (while being very costly, which means you won't be able to make a big number of such tests without dramatically affecting the user's ability to just browse your website).
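
The criterion from the top of the thread (variation within one profile must be smaller than the difference between profiles) can be checked numerically. The following is an added example, not code from any commenter; the sample ratios are constructed to fall inside the ranges quoted in the thread and are not measurements, and the function names are hypothetical.

```javascript
// Constructed t2/t1 ratio samples, picked inside the ranges quoted in the
// thread (single quick runs vs. the repeated-measurement figures).
const SINGLE_RUN = {
  chrome:  [8, 12, 49, 21, 9, 33],
  firefox: [1.27, 51, 9, 14, 30, 6],
};
const REPEATED = {
  chrome:  [3.1, 3.4, 3.9, 3.6, 3.2, 3.8],
  firefox: [9.2, 9.8, 9.5, 9.1, 9.9, 9.4],
};

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Median absolute deviation: a within-profile spread estimate that is not
// dominated by a single outlier run.
function mad(xs) {
  const m = median(xs);
  return median(xs.map((x) => Math.abs(x - m)));
}

// Gap between the two profiles' medians divided by their summed spread.
// Values well above 1 mean the run-to-run noise is smaller than the
// between-profile difference; values below 1 mean the noise dominates.
function separability(a, b) {
  const gap = Math.abs(median(a) - median(b));
  const spread = mad(a) + mad(b);
  return spread === 0 ? Infinity : gap / spread;
}

// True when the observed value ranges of the two profiles intersect.
function rangesOverlap(a, b) {
  return Math.min(...a) <= Math.max(...b) && Math.min(...b) <= Math.max(...a);
}

function assess(samples) {
  const [a, b] = Object.values(samples);
  return { score: separability(a, b), overlap: rangesOverlap(a, b) };
}

console.log("single runs:", assess(SINGLE_RUN));
console.log("repeated:   ", assess(REPEATED));
```

On these constructed samples the single-run figures overlap and score below 1, while the repeated-measurement figures do not overlap and score well above 1.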