Applet Fingerprinting


Very interesting idea. I'll be keen to see how effective this is at handling accounts.

I'm guessing it could only help to generate server-side info, such as source IP address.

Does the fingerprint currently include the local network address?
http://reglos.de/myaddress/MyAddress.html

Correct me if I'm wrong, but it seems that unsigned applets can get the MAC address. Isn't this enough to uniquely identify a computer?

http://techdetails.agwego.com/2008/02/11/37/

Not on its own, but combined with just 1 or 2 other bits of information it'd probably be perfectly adequate.

Cas :)

I've looked into getting the MAC before and IIRC the method mentioned there is massively unreliable (especially when you start talking about non-Windows or non-Java 6 VMs). The only reliable way to get the MAC address in Java required signed code.

That said, it could be integrated into the fingerprinting to provide more accurate results on the platforms that do actually return something.

I have been thinking about this idea a bit lately, and I thought of another great source of variation.

I know there are issues with cookies, but I think it would make sense to at least try to implement it, so that it takes a randomly generated cookie into account for the fingerprint.
Can't hurt, can it?

Another option that could be used: http://developer.yahoo.com/yui/swfstore/ should be more reliable than cookies and work the same cross-platform/cross-browser.

Hmm, I think that if you have a main menu screen where they can enter a "Ship's name" and then a "Ship's password", with a little tip underneath explaining what it is used for, then you should be fine, because the only thing that turns most people off "registering" is when it asks for your email and then you have to go verify it, etc. But if you can just type some stuff in and start, it should be fine.

Why not look at it from the other side?

What is registering and logging in:

  1. Submitting a username/password
  2. The server creates / looks up a database row for you
  3. A cookie is sent back to the client, which the client uses every request to confirm it is logged in.

Why don't we do it a different way? In the end, the only thing a client needs is a cookie. The username/password are only a way to deliver the right serial (cookie) to the right client. If the client knows the serial, it can skip logging in. We can take it one step further: we don't even need a username/password, at all, ever.

Each new client gets a serial (cookie) from the server and that will be his sole identifier. The serial can be queried in the UI, and used to log in from another browser, or another computer. It can even be sent to an email address, if the user wishes to do so.

In conclusion: the first hit you make to a site is your registration process: the generated serial is stored in the database. It happens behind the scenes; the user doesn't know. The serial is the 'applet fingerprint'.

Regarding your current fingerprinting algorithm: it’s flaky at best. I wouldn’t want to trust any identification of any user on it. Random serial numbers are much more effective, and more importantly: you can use the same serial to login from different browsers or machines.
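The serial-as-identity scheme described in the post above (and the earlier suggestion of folding a randomly generated cookie into the fingerprint) can be sketched as a few server-side functions. This is an added example written for this page, not code from any poster or from the game being discussed; it assumes an in-memory dict standing in for the database and a hypothetical `handle_request` entry point that a real server would wire to its cookie handling. Two choices worth noting: the serial comes from a CSPRNG with 256 bits of entropy, so it cannot be guessed or enumerated, and only its SHA-256 digest is stored, so a leaked account table does not hand out working credentials.

```python
"""Serial-as-identity sketch: the server mints a random serial on a client's
first hit and treats it as the sole identifier afterwards.

Added example, not code from the original thread.  _ACCOUNTS is a constructed
in-memory stand-in for the database; handle_request is a hypothetical entry
point a real server would call with the value of the session cookie.
"""
import hashlib
import secrets
from typing import Optional, Tuple

# sha256(serial) -> account record.  Only the digest is stored: the serial is
# a bearer credential, and the database should not contain anything that can
# be replayed as one.
_ACCOUNTS: dict = {}

SERIAL_BYTES = 32                      # 256 bits of CSPRNG output
SERIAL_LEN = 43                        # token_urlsafe(32) -> 43 chars, no padding


def _digest(serial: str) -> str:
    return hashlib.sha256(serial.encode("ascii")).hexdigest()


def issue_serial() -> str:
    """Registration happens on the first hit: mint a serial, create the row,
    and return the value the server will put in Set-Cookie."""
    serial = secrets.token_urlsafe(SERIAL_BYTES)
    _ACCOUNTS[_digest(serial)] = {"ships_name": None, "logins": 0}
    return serial


def lookup(serial: Optional[str]) -> Optional[dict]:
    """Resolve a presented cookie to its account, or None if it is unknown.

    The dict key is the hash of the secret, so a plain lookup is fine: an
    attacker cannot steer the comparison without already knowing the serial.
    The length check cheaply rejects malformed or truncated cookies.
    """
    if not isinstance(serial, str) or len(serial) != SERIAL_LEN:
        return None
    return _ACCOUNTS.get(_digest(serial))


def handle_request(cookie: Optional[str]) -> Tuple[dict, Optional[str]]:
    """One server hit.

    Returns (account, new_cookie).  new_cookie is None when the presented
    cookie was valid; otherwise (no cookie, or a forged/garbage one) the
    client is treated as brand new and gets a freshly issued serial.
    """
    account = lookup(cookie)
    if account is None:
        serial = issue_serial()
        return _ACCOUNTS[_digest(serial)], serial
    account["logins"] += 1
    return account, None


def serial_count() -> int:
    """Number of registered serials (handy for tests and admin views)."""
    return len(_ACCOUNTS)


if __name__ == "__main__":
    # First visit: no cookie, so the server registers the client silently.
    acct, cookie = handle_request(None)
    # Same serial presented from "another browser": same account, no new cookie.
    again, none = handle_request(cookie)
    print(again is acct, none is None, again["logins"])
```

Because the serial alone is the account, it must only ever travel over TLS, and the "show my serial in the UI" and "email it to me" features the post describes are exactly the moments where it is exposed; treat them the way you would treat a password reset link. Nothing here depends on a browser or JVM fingerprint, which is the point the poster makes: the random value does the identifying, and any fingerprint is at most a hint.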