FP-Block

FP-Block (XPI, 240kb) is a proof-of-concept open-source Firefox plugin that prevents fingerprint-based cross-domain tracking. FP-Block is an implementation of the concept "separation of web identities". This concept ensures that embedded third-party content such as social media buttons (Facebook's Like, Pinterest's PinIt, Google's + button) cannot track the user over different websites. More details below.

A detailed write up can be found in the ESORICS'15 paper. FP-Block is an extension of Christof Ferreira Torres' Bachelor project.

Installation instructions

News

About fingerprint-based online tracking

Fingerprint-based tracking is the process of tracking a user across different web sites by determining various characteristics, such as screen resolution, browser version, IP address, HTTP header order, etc. Together, such a "fingerprint" is unique and therefore allows the fingerprinter to track the user without using HTTP cookies or other client-side storage.

Most pages on the web embed some content from a third party. Examples of such embedded content include:

When a page embedding such a service is visited, the page rendering triggers the browser to contact the third party. This allows the third party to begin fingerprinting. Moreover, often a script is requested. This makes it trivial for the third party to inject active fingerprinting.

How FP-Block stops fingerprint-based tracking

When a user visits a website A, FP-Block generates a unique fingerprint for website A: IDA. This identity is then used for all contact with website A, as well as any contacts to retrieve content embedded on website A. This identity is never used otherwise. Since any new identity is generated such that it is distinct from all previously generated identities, no two identities are the same.

Example:
Suppose a user visits two websites, A and B, which both contain a Facebook like button. When visiting site A, Facebook will receive a request for their like button from a browser with fingerprint IDA. When visiting site B, Facebook will get the request from a browser with fingerprint IDB. Since IDA and IDB are different, Facebook cannot link these two visits.

Technical details

FP-Block thwarts both active (JavaScript) and passive (HTTP) fingerprinting. It does so by a combination of spoofing and blocking access to typically fingerprinted attribute values.

Compatibility:
In general, using FP-Block in combination with other plugins that block or change attributes may lead to interesting behaviour. We tested FP-Block with Disconnect, AdBlock Plus, Ghostery, and Privacy Badger. FP-Block cooperates with the default settings of these plugins. When using such a pluing to block 3rd parties also blocked by FP-Block, however, interference will occur.

Team

FP-Block was created by Christof Ferreira Torres, Hugo Jonker and Sjouke Mauw.