by espadrine
639 days ago
We can make informed guesses. Such attackers likely use the same TCP stack and datacenter within the attack, so perhaps the cipher suite, the latency (based on the Date header?), the OS, the UA, the set of HTTP headers sent, are some of the signals they use. What other aspects could they harness?

* IP path selected & latency
* TCP TTL, window settings & extensions
* TLS ClientHello: extensions, ciphers, hash algos, etc.
* HTTP/2 settings & behavior
* HTTP request headers

If you're interested in digging further into this set, look up JA3, which has variants that address most or all of those above.

If they redirect you to an intermediate page, their attack surface gets much larger, including everything in the JavaScript APIs and browser behavior.

* Extended client hints
* Canvas fingerprint
* WebGPU fingerprint
* WebRTC fingerprint
* TTS voices
* Fonts
* Battery state
* <link> preload behavior and timing
(and the list goes on and on and on, because browsers are huge and only slightly designed for privacy)

This is assuming they aren't willing to use any of the persistent state techniques, like cache poisoning, HSTS pinning, or simple old cookies.

These are mostly useful for catching cases where someone is trying to lie about which OS or browser they are using, or where they are using the same machine and instrumented browser foolishly.
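As an added illustration of the TLS ClientHello signal the comment above points at (this is example code written for this page, not part of the comment or of any JA3 implementation), the block below builds a few constructed ClientHello records and derives a JA3-style fingerprint from them: the TLS version, cipher list, extension list, supported groups and EC point formats, in the order the client sent them, joined into a string and MD5-hashed. The `build_client_hello` helper and the byte values in the samples are assumptions made up for the demo; the field layout follows the TLS 1.2 ClientHello wire format, and GREASE values are dropped the way JA3 specifies, so two hellos that differ only in their randomized GREASE values hash identically while a reordered cipher list does not.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomized per connection by browsers such as
# Chrome, so a stable fingerprint has to drop them before hashing.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

SUPPORTED_GROUPS = 0x000A
EC_POINT_FORMATS = 0x000B


def build_client_hello(version, ciphers, extensions):
    """Assumed helper: wrap a ClientHello body in handshake and record headers.

    extensions is a list of (extension_type, extension_data) tuples.
    """
    body = struct.pack("!H", version) + b"\x11" * 32        # client_version, random
    body += b"\x00"                                          # empty session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                      # compression: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type=ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def groups_ext(groups):
    return SUPPORTED_GROUPS, struct.pack("!H", 2 * len(groups)) + b"".join(
        struct.pack("!H", g) for g in groups)


def formats_ext(formats):
    return EC_POINT_FORMATS, bytes([len(formats)]) + bytes(formats)


def ja3_from_record(record):
    """Parse a TLS record carrying a ClientHello and return (ja3_string, ja3_md5)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # skip random
    pos += 1 + body[pos]                        # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
               for i in range(0, cs_len, 2)]; pos += cs_len
    pos += 1 + body[pos]                        # skip compression methods

    ext_types, groups, formats = [], [], []
    if pos < len(body):
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == SUPPORTED_GROUPS:
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
            elif etype == EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])

    def keep(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), keep(ciphers), keep(ext_types), keep(groups), keep(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed samples: A and B differ only in which GREASE values they carry,
# C sends the same real ciphers as A but in a different order.
SAMPLE_A = build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B], [
    (0x1A1A, b""), (0x0000, b"\x00\x0c\x00\x00\x09localhost"),
    groups_ext([0x2A2A, 0x001D, 0x0017]), formats_ext([0]), (0x0010, b"\x00\x03\x02h2")])
SAMPLE_B = build_client_hello(0x0303, [0x3A3A, 0x1301, 0x1302, 0xC02B], [
    (0x4A4A, b""), (0x0000, b"\x00\x0c\x00\x00\x09localhost"),
    groups_ext([0x5A5A, 0x001D, 0x0017]), formats_ext([0]), (0x0010, b"\x00\x03\x02h2")])
SAMPLE_C = build_client_hello(0x0303, [0x0A0A, 0xC02B, 0x1302, 0x1301], [
    (0x1A1A, b""), (0x0000, b"\x00\x0c\x00\x00\x09localhost"),
    groups_ext([0x2A2A, 0x001D, 0x0017]), formats_ext([0]), (0x0010, b"\x00\x03\x02h2")])

if __name__ == "__main__":
    for name, rec in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, *ja3_from_record(rec))
```

The ordering sensitivity is the whole point for the use case in the comment: a bot that claims a Chrome user agent but hands over a Go or Python TLS stack's cipher order gets a JA3 that never appears in real Chrome traffic, and a pool of instrumented browsers driven from one machine all share one hash no matter how the headers are rotated.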