FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Browser fingerprinting?
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Browser fingerprinting? [message #182780] Thu, 12 September 2013 21:56 Go to next message
Gilles Ganault is currently offline  Gilles Ganault
Messages: 27
Registered: September 2010
Karma: 0
Junior Member
Hello

I googled the archives of this ng, but didn't find much.

I'd like to find some good PHP code that does what Panopticlick does,
namely uniquely identify a user's browser even when they connect as
anonymously as they can, ie. either in incognito mode or by running a
browser in a virtual host:

www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-t rack

The goal is to keep trolls away from a site. As there aren't that many
browser available, they should tire quickly, profited they even think
of installing another browser.

Is there some code PHP code for that?

Thank you.
Re: Browser fingerprinting? [message #182781 is a reply to message #182780] Thu, 12 September 2013 22:26 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Thu, 12 Sep 2013 23:56:12 +0200, Gilles wrote:

> I googled the archives of this ng, but didn't find much.

Did you try a wider google search?

http://www.lmgtfy.com/q=php+browser+fingerprinting

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: Browser fingerprinting? [message #182782 is a reply to message #182780] Thu, 12 September 2013 22:19 Go to previous messageGo to next message
jimp is currently offline  jimp
Messages: 22
Registered: December 2010
Karma: 0
Junior Member
Gilles <nospam(at)nospam(dot)com> wrote:
> Hello
>
> I googled the archives of this ng, but didn't find much.
>
> I'd like to find some good PHP code that does what Panopticlick does,
> namely uniquely identify a user's browser even when they connect as
> anonymously as they can, ie. either in incognito mode or by running a
> browser in a virtual host:
>
> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-t rack
>
> The goal is to keep trolls away from a site. As there aren't that many
> browser available, they should tire quickly, profited they even think
> of installing another browser.
>
> Is there some code PHP code for that?
>
> Thank you.

Look at the PHP documentation for the get_browser function.

Be sure to read all the notes.

FYI it is rather trivial to fake what browser is in use.



--
Jim Pennino
Re: Browser fingerprinting? [message #182783 is a reply to message #182781] Thu, 12 September 2013 22:38 Go to previous messageGo to next message
Gilles Ganault is currently offline  Gilles Ganault
Messages: 27
Registered: September 2010
Karma: 0
Junior Member
On Thu, 12 Sep 2013 22:26:46 +0000 (UTC), Denis McMahon
<denismfmcmahon(at)gmail(dot)com> wrote:
> Did you try a wider google search?
>
> http://www.lmgtfy.com/q=php+browser+fingerprinting

Yes, but mostly found some theoretical discussions rather than some
actual working solution.
Re: Browser fingerprinting? [message #182784 is a reply to message #182783] Thu, 12 September 2013 22:43 Go to previous messageGo to next message
Gilles Ganault is currently offline  Gilles Ganault
Messages: 27
Registered: September 2010
Karma: 0
Junior Member
On Fri, 13 Sep 2013 00:38:57 +0200, Gilles <nospam(at)nospam(dot)com> wrote:

> On Thu, 12 Sep 2013 22:26:46 +0000 (UTC), Denis McMahon
> <denismfmcmahon(at)gmail(dot)com> wrote:
>> Did you try a wider google search?
>>
>> http://www.lmgtfy.com/q=php+browser+fingerprinting
>
> Yes, but mostly found some theoretical discussions rather than some
> actual working solution.

I'll experiment with eg. "md5(implode('',$_SERVER));" and see how it
goes.

Thank you.
Re: Browser fingerprinting? [message #182785 is a reply to message #182784] Thu, 12 September 2013 23:29 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Fri, 13 Sep 2013 00:43:49 +0200, Gilles wrote:

> I'll experiment with eg. "md5(implode('',$_SERVER));" and see how it
> goes.

Comparing md5s of anything that contains timestamps is unlikely to match
across multiple checks.

Comparing md5s of anything that contains remote ports is unlikely to
match across multiple browser sessions.

Comparing md5s of anything that contains remote ip addresses is unlikely
to uniquely identify any sort of malicious user using proxies / tor etc.

Note - it's a lot easier to work out what won't work than to work out
what will.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: Browser fingerprinting? [message #182786 is a reply to message #182780] Fri, 13 September 2013 00:31 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 9/12/2013 5:56 PM, Gilles wrote:
> Hello
>
> I googled the archives of this ng, but didn't find much.
>
> I'd like to find some good PHP code that does what Panopticlick does,
> namely uniquely identify a user's browser even when they connect as
> anonymously as they can, ie. either in incognito mode or by running a
> browser in a virtual host:
>
> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-t rack
>
> The goal is to keep trolls away from a site. As there aren't that many
> browser available, they should tire quickly, profited they even think
> of installing another browser.
>
> Is there some code PHP code for that?
>
> Thank you.
>

You can easily detect the browser the user is using, and you can detect
the IP address.

However, browsers can easily be forged (as others have indicated), and
since there are only a few browsers available, a lot of people use them.

You can detect IP addresses, but there is no way to determine the REAL
IP address if the user is using an anonymous proxy.

The bottom line is - you really can't protect against trolls; they have
too many ways around things.

The article you reference is good marketing material - I would suspect
it works on both browser and IP address. But in real life it has more
holes than swiss cheese.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Browser fingerprinting? [message #182787 is a reply to message #182780] Fri, 13 September 2013 03:04 Go to previous messageGo to next message
Fiver is currently offline  Fiver
Messages: 35
Registered: July 2013
Karma: 0
Member
On 2013-09-12 23:56, Gilles wrote:
> I'd like to find some good PHP code that does what Panopticlick does,
> namely uniquely identify a user's browser even when they connect as
> anonymously as they can, ie. either in incognito mode or by running a
> browser in a virtual host:
>
> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-t rack
>
> The goal is to keep trolls away from a site.

In that case, forget it.

The Panopticlick demo isn't intended as something to emulate in
practice, but rather as something to be aware of. It works best on
visitors who don't know or don't care about how much information they
divulge. When I visit the demo site with all of the default plugins
enabled, I'm a unique snowflake. On the other hand, if I wanted to hide,
I'd turn plugins and scripting off for that site, and maybe go through a
proxy, and then I'm just one in a million.

If you target your troll too closely, he can trivially evade your
filter. If your constraints are too loose, you'll hit some legitimate
visitors. There's just no way you can win this battle by fingerprinting
the troll.

Forget it.


regards,
5er
Re: Browser fingerprinting? [message #182788 is a reply to message #182786] Fri, 13 September 2013 04:59 Go to previous messageGo to next message
J.O. Aho is currently offline  J.O. Aho
Messages: 194
Registered: September 2010
Karma: 0
Senior Member
On 13/09/13 02:31, Jerry Stuckle wrote:
> On 9/12/2013 5:56 PM, Gilles wrote:
>> Hello
>>
>> I googled the archives of this ng, but didn't find much.
>>
>> I'd like to find some good PHP code that does what Panopticlick does,
>> namely uniquely identify a user's browser even when they connect as
>> anonymously as they can, ie. either in incognito mode or by running a
>> browser in a virtual host:
>>
>> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-t rack
>>
>>
>> The goal is to keep trolls away from a site. As there aren't that many
>> browser available, they should tire quickly, profited they even think
>> of installing another browser.
>>
>> Is there some code PHP code for that?
>>
>> Thank you.
>>
>
> You can easily detect the browser the user is using, and you can detect
> the IP address.
>
> However, browsers can easily be forged (as others have indicated), and
> since there are only a few browsers available, a lot of people use them.

The idea with browser fingerprint is to look other things than the
browser itself as operating system, installed plugins and supported
fonts, those usually will stay the same even if you change browser, but
the information need ain't accessible for PHP, you would need to relay
on javascript and then we are off topic and the OP should be looking for
answers elsewhere.

--

//Aho
Re: Browser fingerprinting? [message #182789 is a reply to message #182787] Fri, 13 September 2013 05:49 Go to previous messageGo to next message
Michael Vilain is currently offline  Michael Vilain
Messages: 88
Registered: September 2010
Karma: 0
Member
In article <l0tvb5$2ot$1(at)dont-email(dot)me>, Fiver <numeralfive(at)gmail(dot)com>
wrote:

> On 2013-09-12 23:56, Gilles wrote:
>> I'd like to find some good PHP code that does what Panopticlick does,
>> namely uniquely identify a user's browser even when they connect as
>> anonymously as they can, ie. either in incognito mode or by running a
>> browser in a virtual host:
>>
>> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-t r
>> ack
>>
>> The goal is to keep trolls away from a site.
>
> In that case, forget it.
>
> The Panopticlick demo isn't intended as something to emulate in
> practice, but rather as something to be aware of. It works best on
> visitors who don't know or don't care about how much information they
> divulge. When I visit the demo site with all of the default plugins
> enabled, I'm a unique snowflake. On the other hand, if I wanted to hide,
> I'd turn plugins and scripting off for that site, and maybe go through a
> proxy, and then I'm just one in a million.
>
> If you target your troll too closely, he can trivially evade your
> filter. If your constraints are too loose, you'll hit some legitimate
> visitors. There's just no way you can win this battle by fingerprinting
> the troll.
>
> Forget it.
>
>
> regards,
> 5er

I kept getting humans evading my CAPATCHA and sending me marketing SPAM
through my web site's contact form. After a while, I would just go
through the web long and find the IP address that completed the form and
block the entire subnet. So far, entire swaths of China, South America,
and Russia can't view my site. Their connection is refused based on
their IP address.

A broad brush, I know, but I haven't had any marketing emails to improve
my SEO score, improve my site, or better my mortgage interest rate.

--
DeeDee, don't press that button! DeeDee! NO! Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]
Re: Browser fingerprinting? [message #182790 is a reply to message #182787] Fri, 13 September 2013 07:22 Go to previous messageGo to next message
Gilles Ganault is currently offline  Gilles Ganault
Messages: 27
Registered: September 2010
Karma: 0
Junior Member
On Fri, 13 Sep 2013 05:04:04 +0200, Fiver <numeralfive(at)gmail(dot)com>
wrote:
> The Panopticlick demo isn't intended as something to emulate in
> practice, but rather as something to be aware of. It works best on
> visitors who don't know or don't care about how much information they
> divulge. When I visit the demo site with all of the default plugins
> enabled, I'm a unique snowflake. On the other hand, if I wanted to hide,
> I'd turn plugins and scripting off for that site, and maybe go through a
> proxy, and then I'm just one in a million.

But then, most trolls aren't technically-savvy, and wouldn't even
think of installing a new browser after being banned.

And even then, after trying Chrome, Firefox, and IE, what else would
most of them think of doing?

I'll read up on what PHP + JS can do about that.

Thank you.
Re: Browser fingerprinting? [message #182791 is a reply to message #182785] Fri, 13 September 2013 07:23 Go to previous messageGo to next message
Gilles Ganault is currently offline  Gilles Ganault
Messages: 27
Registered: September 2010
Karma: 0
Junior Member
On Thu, 12 Sep 2013 23:29:14 +0000 (UTC), Denis McMahon
<denismfmcmahon(at)gmail(dot)com> wrote:
> Note - it's a lot easier to work out what won't work than to work out
> what will.

Thanks for the tip. This looks interesting:

"Is browser fingerprinting a viable technique for identifying
anonymous users?"
http://programmers.stackexchange.com/questions/122372/
Re: Browser fingerprinting? [message #182792 is a reply to message #182791] Fri, 13 September 2013 13:32 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 9/13/2013 3:23 AM, Gilles wrote:
> On Thu, 12 Sep 2013 23:29:14 +0000 (UTC), Denis McMahon
> <denismfmcmahon(at)gmail(dot)com> wrote:
>> Note - it's a lot easier to work out what won't work than to work out
>> what will.
>
> Thanks for the tip. This looks interesting:
>
> "Is browser fingerprinting a viable technique for identifying
> anonymous users?"
> http://programmers.stackexchange.com/questions/122372/
>

No.

You can't stop the trolls. And some are more technically literate than
you think. After all, they're used to being banned, and have learned
how to get around those bans.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Browser fingerprinting? [message #182793 is a reply to message #182789] Fri, 13 September 2013 13:35 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 9/13/2013 1:49 AM, Michael Vilain wrote:
> In article <l0tvb5$2ot$1(at)dont-email(dot)me>, Fiver <numeralfive(at)gmail(dot)com>
> wrote:
>
>> On 2013-09-12 23:56, Gilles wrote:
>>> I'd like to find some good PHP code that does what Panopticlick does,
>>> namely uniquely identify a user's browser even when they connect as
>>> anonymously as they can, ie. either in incognito mode or by running a
>>> browser in a virtual host:
>>>
>>> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-t r
>>> ack
>>>
>>> The goal is to keep trolls away from a site.
>>
>> In that case, forget it.
>>
>> The Panopticlick demo isn't intended as something to emulate in
>> practice, but rather as something to be aware of. It works best on
>> visitors who don't know or don't care about how much information they
>> divulge. When I visit the demo site with all of the default plugins
>> enabled, I'm a unique snowflake. On the other hand, if I wanted to hide,
>> I'd turn plugins and scripting off for that site, and maybe go through a
>> proxy, and then I'm just one in a million.
>>
>> If you target your troll too closely, he can trivially evade your
>> filter. If your constraints are too loose, you'll hit some legitimate
>> visitors. There's just no way you can win this battle by fingerprinting
>> the troll.
>>
>> Forget it.
>>
>>
>> regards,
>> 5er
>
> I kept getting humans evading my CAPATCHA and sending me marketing SPAM
> through my web site's contact form. After a while, I would just go
> through the web long and find the IP address that completed the form and
> block the entire subnet. So far, entire swaths of China, South America,
> and Russia can't view my site. Their connection is refused based on
> their IP address.
>
> A broad brush, I know, but I haven't had any marketing emails to improve
> my SEO score, improve my site, or better my mortgage interest rate.
>

You probably need a different CAPTCHA. Many of the commonly available
ones have been broken.

I wrote my own and my spam rate has dropped to zero.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Browser fingerprinting? [message #182794 is a reply to message #182789] Fri, 13 September 2013 14:42 Go to previous messageGo to next message
Martin Leese is currently offline  Martin Leese
Messages: 23
Registered: June 2012
Karma: 0
Junior Member
Michael Vilain wrote:

> I kept getting humans evading my CAPATCHA and sending me marketing SPAM
> through my web site's contact form. After a while, I would just go
> through the web long and find the IP address that completed the form and
> block the entire subnet. So far, entire swaths of China, South America,
> and Russia can't view my site. Their connection is refused based on
> their IP address.
>
> A broad brush, I know, but I haven't had any marketing emails to improve
> my SEO score, improve my site, or better my mortgage interest rate.

You can improve on this by flicking the
power switch on your computer. Then you
will be guaranteed to receive no SPAM at
all.

--
Regards,
Martin Leese
E-mail: please(at)see(dot)Web(dot)for(dot)e-mail(dot)INVALID
Web: http://members.tripod.com/martin_leese/
Re: Browser fingerprinting? [message #182795 is a reply to message #182781] Fri, 13 September 2013 23:13 Go to previous messageGo to next message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma: 0
Senior Member
On 2013-09-12 6:26 PM, Denis McMahon wrote:
> On Thu, 12 Sep 2013 23:56:12 +0200, Gilles wrote:
>
>> I googled the archives of this ng, but didn't find much.
>
> Did you try a wider google search?
>
> http://www.lmgtfy.com/q=php+browser+fingerprinting
>
That link now seems to be a 404
Re: Browser fingerprinting? [message #182796 is a reply to message #182795] Fri, 13 September 2013 23:30 Go to previous messageGo to next message
Christoph Michael Bec is currently offline  Christoph Michael Bec
Messages: 207
Registered: June 2013
Karma: 0
Senior Member
Twayne wrote:

> On 2013-09-12 6:26 PM, Denis McMahon wrote:
>> On Thu, 12 Sep 2013 23:56:12 +0200, Gilles wrote:
>>
>>> I googled the archives of this ng, but didn't find much.
>>
>> Did you try a wider google search?
>>
>> http://www.lmgtfy.com/q=php+browser+fingerprinting
>>
> That link now seems to be a 404

It should have been:

<http://www.lmgtfy.com/?q=php+browser+fingerprinting>

--
Christoph M. Becker
Re: Browser fingerprinting? [message #182797 is a reply to message #182790] Fri, 13 September 2013 23:30 Go to previous messageGo to next message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma: 0
Senior Member
On 2013-09-13 3:22 AM, Gilles wrote:
> On Fri, 13 Sep 2013 05:04:04 +0200, Fiver <numeralfive(at)gmail(dot)com>
> wrote:
....


then I'm just one in a million.
>
> But then, most trolls aren't technically-savvy, and wouldn't even
> think of installing a new browser after being banned.
>
> And even then, after trying Chrome, Firefox, and IE, what else would
> most of them think of doing?

They don't need tech-savvy; all they need are the easily available
spam/scam et al applications of which there are many. There is very
little you can do about it at all. In the end you can end up making it
as hard on humans as it is for robots and other miscreants who want to
compromise you for whatever reason.
IMO solid, as unbreakable as you know how to make it, validation is
about all you can do. If there are no reasons to have tags in anything,
then strip the out and throw it away. Same for say hex, where there is
no reason to expect hex in a text. Stop the data and you stop the abuse.
But of course there is no 100% solution and I doubt there ever will be.
EVERY data input can be spoofed, so instead of over-watching for that,
be pro-active about ANY unexpected data!

If it were easy to do, it'd also be widely publicized and available.

HTH,

Twayne`
Re: Browser fingerprinting? [message #182801 is a reply to message #182797] Sat, 14 September 2013 22:11 Go to previous messageGo to next message
Gilles Ganault is currently offline  Gilles Ganault
Messages: 27
Registered: September 2010
Karma: 0
Junior Member
On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
> If it were easy to do, it'd also be widely publicized and available.

Thanks for the feedback.
Re: Browser fingerprinting? [message #182802 is a reply to message #182789] Sun, 15 September 2013 18:57 Go to previous messageGo to next message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
Senior Member
Michael Vilain wrote:

> I kept getting humans evading my CAPATCHA and sending me marketing SPAM
> through my web site's contact form. After a while, I would just go
> through the web long and find the IP address that completed the form and
> block the entire subnet. So far, entire swaths of China, South America,
> and Russia can't view my site. Their connection is refused based on
> their IP address.
>
> A broad brush, I know, but I haven't had any marketing emails to improve
> my SEO score, improve my site, or better my mortgage interest rate.

And no serious attempts at communication from those places either. Your
logic is flawed.


PointedEars
--
Danny Goodman's books are out of date and teach practices that are
positively harmful for cross-browser scripting.
-- Richard Cornford, cljs, <cife6q$253$1$8300dec7(at)news(dot)demon(dot)co(dot)uk> (2004)
Re: Browser fingerprinting? [message #182803 is a reply to message #182801] Sun, 15 September 2013 20:27 Go to previous messageGo to next message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma: 0
Senior Member
Path: textnews.cambrium.nl!feeder2.cambriumusenet.nl!feed.tweaknews.nl!212.27.60. 9.MISMATCH!feeder2-2.proxad.net!proxad.net!feeder1-2.proxad.net!usenet-fr.n et!gegeweb.org!aioe.org!.POSTED!not-for-mail
From: Twayne <nobody(at)spamcop(dot)net>
Newsgroups: comp.lang.php
Subject: Re: Browser fingerprinting?
Date: Sun, 15 Sep 2013 16:27:28 -0400
Organization: Aioe.org NNTP Server
Lines: 31
Message-ID: <l1557f$gfq$1(at)speranza(dot)aioe(dot)org>
References: <9sd439tbmqhqgqice5psd6nd3018rcr5v6(at)4ax(dot)com> <l0tvb5$2ot$1(at)dont-email(dot)me> <f4f539loti3ds3elv7s5qifjnv3o9ham1k(at)4ax(dot)com> <l1076e$a9s$1(at)speranza(dot)aioe(dot)org> <vmn939pmm184ciferi83kb1gbklgv370l4(at)4ax(dot)com>
NNTP-Posting-Host: sxz+YiVX1xGhpfYRODJHIA.user.speranza.aioe.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Complaints-To: abuse(at)aioe(dot)org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
X-Notice: Filtered by postfilter v. 0.8.2
Xref: textnews.cambrium.nl comp.lang.php:142314

On 2013-09-14 6:11 PM, Gilles wrote:
> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>> If it were easy to do, it'd also be widely publicized and available.
>
> Thanks for the feedback.
>

Welcome.
I'm empathetic because I'm working along the same research lines as you
are. The only thing I'm sure of is, it has to be done server-side;
anything client-side can weed out some of it and save a tiny bit of
server traffic, but from the client side it's too easy. Those guys won't
be allowing js on their machines so js isn't going to be much good.
Right now all I can see doing is sanitizing and especially
validation of ALL inputted data. There are ways to catch enough of them
that at least it becomes too much effort for the bad guys to bother
with. And never forget htmlentities and htmlspecialcharacters; along
with the right sanitizing, they can at least render anything that comes
through useless.
The biggest problem IMHO is to make a textarea safe. HTML 5 now
includes the max length attribute but a miscreant isn't going to be
using anything 5 compliant if he's got more than one brain cell.
Personally I've managed so far to avoid javascript and instead look at
things like ctype, str-replace for validation uses, and whatever filters
will work. Counting page views help, in addition to keeping a list of
miscreant IPs and their proxy information when you can get it, but the
smart ones are still going to be by it.
All you can do is your best :)

Twayne`
Re: Browser fingerprinting? [message #182804 is a reply to message #182803] Mon, 16 September 2013 02:07 Go to previous messageGo to next message
Peter H. Coffin is currently offline  Peter H. Coffin
Messages: 245
Registered: September 2010
Karma: 0
Senior Member
On Sun, 15 Sep 2013 16:27:28 -0400, Twayne wrote:
> The biggest problem IMHO is to make a textarea safe. HTML 5 now
> includes the max length attribute but a miscreant isn't going to be
> using anything 5 compliant if he's got more than one brain cell.

substr() does wonders for cutting length for safety. Cosmetically, it
may be less than ideal, but...

--
36. I will not imprison members of the same party in the same cell
block, let alone the same cell. If they are important prisoners, I
will keep the only key to the cell door on my person instead of
handing out copies to every bottom-rung guard in the prison. --EOList
Re: Browser fingerprinting? [message #182806 is a reply to message #182803] Mon, 16 September 2013 09:36 Go to previous messageGo to next message
Gregor Kofler is currently offline  Gregor Kofler
Messages: 69
Registered: September 2010
Karma: 0
Member
Am 15.09.2013 22:27, Twayne meinte:

> The biggest problem IMHO is to make a textarea safe. HTML 5 now
> includes the max length attribute but a miscreant isn't going to be
> using anything 5 compliant if he's got more than one brain cell.

Maybe he/she isn't even using a browser...
Re: Browser fingerprinting? [message #182807 is a reply to message #182803] Mon, 16 September 2013 10:13 Go to previous messageGo to next message
Norman Peelman is currently offline  Norman Peelman
Messages: 126
Registered: September 2010
Karma: 0
Senior Member
On 09/15/2013 04:27 PM, Twayne wrote:
> On 2013-09-14 6:11 PM, Gilles wrote:
>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>> If it were easy to do, it'd also be widely publicized and available.
>>
>> Thanks for the feedback.
>>
>
> Welcome.
> I'm empathetic because I'm working along the same research lines as you
> are. The only thing I'm sure of is, it has to be done server-side;
> anything client-side can weed out some of it and save a tiny bit of
> server traffic, but from the client side it's too easy. Those guys won't
> be allowing js on their machines so js isn't going to be much good.
> Right now all I can see doing is sanitizing and especially
> validation of ALL inputted data. There are ways to catch enough of them
> that at least it becomes too much effort for the bad guys to bother
> with. And never forget htmlentities and htmlspecialcharacters; along
> with the right sanitizing, they can at least render anything that comes
> through useless.
> The biggest problem IMHO is to make a textarea safe. HTML 5 now
> includes the max length attribute but a miscreant isn't going to be
> using anything 5 compliant if he's got more than one brain cell.
> Personally I've managed so far to avoid javascript and instead look at
> things like ctype, str-replace for validation uses, and whatever filters
> will work. Counting page views help, in addition to keeping a list of
> miscreant IPs and their proxy information when you can get it, but the
> smart ones are still going to be by it.
> All you can do is your best :)
>
> Twayne`
>

Why is a textarea any different than any other form control?

--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
Re: Browser fingerprinting? [message #182809 is a reply to message #182807] Mon, 16 September 2013 11:03 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Mon, 16 Sep 2013 06:13:52 -0400, Norman Peelman wrote:

> On 09/15/2013 04:27 PM, Twayne wrote:

>> The biggest problem IMHO is to make a textarea safe. .....

> Why is a textarea any different than any other form control?

It's not. Any form control is fine provided that it's sensibly[1] handled
in the server. I know that, you know that, most intelligent web
developers know that regardless of whether their server side is java, js,
asp, php, python, perl, a compiled cgi or something esoteric, but some
people seem to have their own unique worldview which doesn't seem to
involve what most of us would consider sensible handling of form controls
in the server.

[1] appropriate verification, validation and handling of data to prevent
injection of potentially harmful content.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: Browser fingerprinting? [message #182829 is a reply to message #182801] Tue, 17 September 2013 20:53 Go to previous messageGo to next message
Marc van Lieshout is currently offline  Marc van Lieshout
Messages: 10
Registered: March 2011
Karma: 0
Junior Member
On 15-09-13 00:11, Gilles wrote:
> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>> If it were easy to do, it'd also be widely publicized and available.
>
> Thanks for the feedback.
>

It IS easy to do and widely available.

Look at the firefox add-on called SecretAgent. It's at:
https://www.dephormation.org.uk/?page=81

It has some 150 browser identification strings aboard (Including Amaya,
Dillo, Bluefish), spoofs x-forwarded-for and via, spoof ETags and send
random Accept: headers.

Then rethink your question.
Re: Browser fingerprinting? [message #182830 is a reply to message #182806] Wed, 18 September 2013 00:02 Go to previous messageGo to next message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma: 0
Senior Member
On 2013-09-16 5:36 AM, Gregor Kofler wrote:
> Am 15.09.2013 22:27, Twayne meinte:
>
>> The biggest problem IMHO is to make a textarea safe. HTML 5 now
>> includes the max length attribute but a miscreant isn't going to be
>> using anything 5 compliant if he's got more than one brain cell.
>
> Maybe he/she isn't even using a browser...
>

Very true; I didn't mention that because I didn't want to start any side
convos :)

Twayne`
Re: Browser fingerprinting? [message #182831 is a reply to message #182807] Wed, 18 September 2013 00:06 Go to previous messageGo to next message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma: 0
Senior Member
On 2013-09-16 6:13 AM, Norman Peelman wrote:
> 4:27 PM, Twayne wrote:
>> On 2013-09-14 6:11 PM, Gilles wrote:
>>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>>> If it were easy to do, it'd also be widely publicized and available.
>>>
>>> Thanks for the feedback.
>>>
>>
>> Welcome.

....

>> All you can do is your best :)

> Why is a textarea any different than any other form control?

Don't recall the details & history, but it is different from text boxes
et al.

Wikipedia, I think, had a history on it with plenty of links.
Re: Browser fingerprinting? [message #182832 is a reply to message #182809] Wed, 18 September 2013 00:11 Go to previous messageGo to next message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma: 0
Senior Member
On 2013-09-16 7:03 AM, Denis McMahon wrote:
> On Mon, 16 Sep 2013 06:13:52 -0400, Norman Peelman wrote:
>
>> On 09/15/2013 04:27 PM, Twayne wrote:
>
>>> The biggest problem IMHO is to make a textarea safe. .....
>
>> Why is a textarea any different than any other form control?
>
> It's not. Any form control is fine provided that it's sensibly[1] handled
> in the server. I know that, you know that, most intelligent web
> developers know that regardless of whether their server side is java, js,
> asp, php, python, perl, a compiled cgi or something esoteric, but some
> people seem to have their own unique worldview which doesn't seem to
> involve what most of us would consider sensible handling of form controls
> in the server.
>
> [1] appropriate verification, validation and handling of data to prevent
> injection of potentially harmful content.
>

Didn't understand much of that long run-on sentence, but there was a
reason that at the time probably sounded logical. But I've wondered the
same thing myself; seems like it was unnecessary to have to wait for 5
to come along to implement it. Shoulda been done years ago!

Twayne`
Re: Browser fingerprinting? [message #182833 is a reply to message #182829] Wed, 18 September 2013 00:20 Go to previous messageGo to next message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma: 0
Senior Member
On 2013-09-17 4:53 PM, Marc van Lieshout wrote:
> On 15-09-13 00:11, Gilles wrote:
>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>> If it were easy to do, it'd also be widely publicized and available.
>>
>> Thanks for the feedback.
>>
>
> It IS easy to do and widely available.
For only one browser? And what if the miscreant isn't using a browser?
Such apps are readily available and have been for years, and they grow
smarter with each iteration.
So, no, it's not easy to do with the exception of keeping say FF
users from over-typing the boundaries. And if they are running js, which
miscreants are not going to do.
>
> Look at the firefox add-on called SecretAgent. It's at:
> https://www.dephormation.org.uk/?page=81
>
> It has some 150 browser identification strings aboard (Including Amaya,
> Dillo, Bluefish), spoofs x-forwarded-for and via, spoof ETags and send
> random Accept: headers.
>
> Then rethink your question.
>

I wasn't aware of FF's addon for that, but it wouldn't influence me in
any way; one browser amongst many and thinking they're going to be used
by all miscreants is a dangerous assumption when what you want to avoid
is a message bomb which is the max an OS can handle. And as has been
mentioned a few times, it's not enough for actual security purposes;
it's only one possibility to watch out for. A text bomb can be a real PITA.
I'm not sure rethinking the question based on that is a wise decision.

Twayne`

Twayne`
Re: Browser fingerprinting? [message #182835 is a reply to message #182831] Wed, 18 September 2013 00:33 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
On 18/09/13 01:06, Twayne wrote:
> On 2013-09-16 6:13 AM, Norman Peelman wrote:
>> 4:27 PM, Twayne wrote:
>>> On 2013-09-14 6:11 PM, Gilles wrote:
>>>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>>> > If it were easy to do, it'd also be widely publicized and available.
>>>>
>>>> Thanks for the feedback.
>>>>
>>>
>>> Welcome.
>
> ...
>
>>> All you can do is your best :)
>
>> Why is a textarea any different than any other form control?
>
> Don't recall the details & history, but it is different from text
> boxes et al.
>
yep

most textareas will auto add scroll bars to accommodate 'more text'

> Wikipedia, I think, had a history on it with plenty of links.
>


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
Re: Browser fingerprinting? [message #182836 is a reply to message #182830] Wed, 18 September 2013 03:47 Go to previous messageGo to next message
Peter H. Coffin is currently offline  Peter H. Coffin
Messages: 245
Registered: September 2010
Karma: 0
Senior Member
On Tue, 17 Sep 2013 20:02:43 -0400, Twayne wrote:
> On 2013-09-16 5:36 AM, Gregor Kofler wrote:
>> Am 15.09.2013 22:27, Twayne meinte:
>>
>>> The biggest problem IMHO is to make a textarea safe. HTML 5 now
>>> includes the max length attribute but a miscreant isn't going to be
>>> using anything 5 compliant if he's got more than one brain cell.
>>
>> Maybe he/she isn't even using a browser...
>>
>
> Very true; I didn't mention that because I didn't want to start any side
> convos :)

But... but... That's what we DO here!

--
Windows is a pane in the ass....
Re: Browser fingerprinting? [message #182837 is a reply to message #182829] Wed, 18 September 2013 05:06 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Tue, 17 Sep 2013 22:53:30 +0200, Marc van Lieshout wrote:

> On 15-09-13 00:11, Gilles wrote:
>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>> If it were easy to do, it'd also be widely publicized and available.

>> Thanks for the feedback.

> It IS easy to do and widely available.

No it's not.

> Look at the firefox add-on called SecretAgent. It's at:
> https://www.dephormation.org.uk/?page=81

> It has some 150 browser identification strings aboard (Including Amaya,
> Dillo, Bluefish), spoofs x-forwarded-for and via, spoof ETags and send
> random Accept: headers.

That's spoofing, not fingerprinting.

Spoofing is easy. Fingerprinting is not. Fingerprinting is attempting to
uniquely identify visitors to a site at the site server. Spoofing is
trying to tell the server you're someone different in some way to who you
really are. They're not the same thing, and while spoofing is easy,
fingerprinting accurately and reliably is incredibly difficult.

If I visit your website today using firefox on my unix pc over my adsl
connection, and tomorrow using chrome on my android tablet over it's 3g
connection, how are you going to fingerprint me? I don't need to use
anything as "technical" as spoofing the browser id. You lost the game as
soon as I started playing!

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: Browser fingerprinting? [message #182838 is a reply to message #182837] Wed, 18 September 2013 13:09 Go to previous messageGo to next message
Scott Johnson is currently offline  Scott Johnson
Messages: 196
Registered: January 2012
Karma: 0
Senior Member
On 9/17/2013 10:06 PM, Denis McMahon wrote:
> On Tue, 17 Sep 2013 22:53:30 +0200, Marc van Lieshout wrote:
>
>> On 15-09-13 00:11, Gilles wrote:
>>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>>> If it were easy to do, it'd also be widely publicized and available.
>
>>> Thanks for the feedback.
>
>> It IS easy to do and widely available.
>
> No it's not.
>
>> Look at the firefox add-on called SecretAgent. It's at:
>> https://www.dephormation.org.uk/?page=81
>
>> It has some 150 browser identification strings aboard (Including Amaya,
>> Dillo, Bluefish), spoofs x-forwarded-for and via, spoof ETags and send
>> random Accept: headers.
>
> That's spoofing, not fingerprinting.
>
> Spoofing is easy. Fingerprinting is not. Fingerprinting is attempting to
> uniquely identify visitors to a site at the site server. Spoofing is
> trying to tell the server you're someone different in some way to who you
> really are. They're not the same thing, and while spoofing is easy,
> fingerprinting accurately and reliably is incredibly difficult.
>
> If I visit your website today using firefox on my unix pc over my adsl
> connection, and tomorrow using chrome on my android tablet over it's 3g
> connection, how are you going to fingerprint me? I don't need to use
> anything as "technical" as spoofing the browser id. You lost the game as
> soon as I started playing!
>

I think the point he was trying to make, which is what I took out of it,
was how easy it is to minimize the practical use of fingerprinting.
Spoofing and fingerprinting are related in those terms.

The easier and multiple way to spoof the harder to fingerprint a single
source reliably.

In a prior post, I think the OP, was asking for proof on how easy it is
to make fingerprinting unreliable, and one particular way was shown.

Scotty
Re: Browser fingerprinting? [message #182839 is a reply to message #182838] Wed, 18 September 2013 16:24 Go to previous message
J.O. Aho is currently offline  J.O. Aho
Messages: 194
Registered: September 2010
Karma: 0
Senior Member
On 18/09/13 15:09, Scott Johnson wrote:
> On 9/17/2013 10:06 PM, Denis McMahon wrote:
>> On Tue, 17 Sep 2013 22:53:30 +0200, Marc van Lieshout wrote:

>>> It has some 150 browser identification strings aboard (Including Amaya,
>>> Dillo, Bluefish), spoofs x-forwarded-for and via, spoof ETags and send
>>> random Accept: headers.
>>
>> That's spoofing, not fingerprinting.
>>
>> Spoofing is easy. Fingerprinting is not. Fingerprinting is attempting to
>> uniquely identify visitors to a site at the site server. Spoofing is
>> trying to tell the server you're someone different in some way to who you
>> really are. They're not the same thing, and while spoofing is easy,
>> fingerprinting accurately and reliably is incredibly difficult.
>>
>> If I visit your website today using firefox on my unix pc over my adsl
>> connection, and tomorrow using chrome on my android tablet over it's 3g
>> connection, how are you going to fingerprint me? I don't need to use
>> anything as "technical" as spoofing the browser id. You lost the game as
>> soon as I started playing!
>>
>
> I think the point he was trying to make, which is what I took out of it,
> was how easy it is to minimize the practical use of fingerprinting.
> Spoofing and fingerprinting are related in those terms.

Fingerprinting will most likely disregard the UA-string and just look
what they can get out of the plug-ins and fonts installed, those are
fare more static for a user over a long time. There are companies who
offer this kind of fingerprint detection to those willing to pay for it.


> In a prior post, I think the OP, was asking for proof on how easy it is
> to make fingerprinting unreliable, and one particular way was shown.

That really depends on the method for fingerprinting" and most of the
techniques are out of scope in the usergroup.


--

//Aho
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: syntax error or notepad++ error?
Next Topic: Learing PHP, Javascript, and Python on the Cheap, Help!
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 02:33:49 GMT 2024

Total time taken to generate the page: 0.02634 seconds