jaingaa
asked on
Device Fingerprinting
Hi,
I have a web application and I would need to uniquely identify every client system (aka device fingerprinting) that accesses my application. The device fingerprint should be made such that even when the user changes a few attributes wrt his system, or uses a new browser, or alters any other info, I should still be able to identify the device with confidence.
I have read a lot of articles about device fingerprinting and could see some commercial solutions available to achieve the same, but I wish to integrate it into my system without having to incur that cost. Moreover, reading over the internet, it seems that browser fingerprinting alone cannot suffice for this purpose and I have to capture some other details specific to the user machine. Running an applet can be a workaround, but that will prompt the user every time he comes to my website and can slow things down for him as well.
The application is written in Java and the users are authenticated before they can access the system.
Any points on this problem would be highly appreciated.
Thanks
In a nutshell, if you are trying to uniquely identify a PC by querying things unique to the machine, such as CPU speed, memory, disk serial numbers, etc., then creating a hash and/or an encrypted representation and keying off of it, then it will be patent infringement.
You are free to query combinations of software settings like operating system/patches; any software-configurable setting; cookies, obviously.
Now I volunteer that I am biased towards patent holders, as I have one myself in this area of uniquely identifying a machine, so I speak from experience here on what you can and can't do, and have even been an expert witness in this area in only a 9-figure lawsuit. Please take my advice. License patented technology or go without.
ASKER
I am not trying to do any patent infringement. All I am interested in knowing is whether there is some useful information in TCP/IP packets which can be used to generate a matrix to identify a returning machine with a good level of confidence. Cookies are definitely a way to do it, but this would be good enough only for the authentic users. Fraudsters can easily get away with that.
Also, I would like to know a way to understand if my website is being hit from an IP which is hiding behind a proxy. If somebody can suggest some approach towards that or some sample code that can help achieve that, that would be helpful too.
Then that is a very different problem. You don't really need to identify a particular piece of equipment, you need to identify a specific instance of an operating system. Also, if you did go down the path of trying to identify the hardware, let's assume for the moment no intellectual property issue.
Then somebody like me could defeat you in a heartbeat, in a matter of minutes (I don't care to put that technique out there in a public forum, but if you really want to know how then contact me via my profile and I'll share how easy it would be for what you are trying to do).
Anyway, you don't need a huge applet.
You could generate a public/private key the first time they attach and use cookies to identify sessions. Use the IP number at that time as part of the encryption along with the UTC time. If they intercept & clone the information, it would be too late, as your back-end server would always change it. Make sure cookies are unique.
ASKER
dlethe - Thanks for reverting back.
Agreed that I can track returning devices using cookies, but cookies are not reliable at all and can be easily tampered with. I am looking for something which can identify a device (all kinds of computer, mobile, iPad etc.) with a good level of confidence. Unless I get some of the hardware info (which I thought I could get by sniffing through the TCP/IP packets), the fingerprint won't be reliable and the user can easily play with that. I need to have this solution which can support all browser types and all OS's.
I need to know what info in these packets is of use and how I can get that info through my Java code?
You own the web server, so you are delivering the content, any content, and have a real-time clock that can't be tampered with. You also have ability to send out unique encrypted tokens that have a time-stamp that are good JUST for that session.
You could access the serial # of their O/S, a public/private key. You could add session information and detect if same account is logging on elsewhere
If you identify hardware via querying serial #s make/model, etc, then you violate the patent. You just can't do that w/o infringing.
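The rotating session token that dlethe sketches above (bound to the client's IP and the server's UTC clock, and re-issued on every request so that a cloned cookie is already stale by the time it is replayed), worked through as an added example; it is written in Python for brevity rather than the asker's Java and is not code from anyone in this thread. The in-memory session table, the 15-minute TTL and the token layout are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # server-side secret; never leaves the server
TOKEN_TTL = 15 * 60                   # seconds before an unrotated token expires
# Assumed in-memory session table (session_id -> latest issued state);
# a real deployment keeps this in a server-side store, not a dict.
SESSIONS = {}

def _sign(session_id, client_ip, issued_at, counter):
    # Client IP and server UTC time are signed, so a replay from another address fails.
    msg = f"{session_id}|{client_ip}|{issued_at}|{counter}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id, client_ip, now=None):
    """Mint a fresh cookie value; the counter makes every older token stale."""
    now = int(time.time()) if now is None else now
    counter = SESSIONS.get(session_id, {}).get("counter", 0) + 1
    SESSIONS[session_id] = {"ip": client_ip, "counter": counter}
    return f"{session_id}.{now}.{counter}.{_sign(session_id, client_ip, now, counter)}"

def verify_token(token, client_ip, now=None):
    """Return (ok, reason). Callers rotate with issue_token() after success."""
    now = int(time.time()) if now is None else now
    try:
        session_id, issued_at, counter, mac = token.split(".")
        issued_at, counter = int(issued_at), int(counter)
    except ValueError:
        return False, "malformed"
    state = SESSIONS.get(session_id)
    if state is None:
        return False, "unknown session"
    if state["ip"] != client_ip:
        return False, "ip mismatch"
    if not hmac.compare_digest(mac, _sign(session_id, client_ip, issued_at, counter)):
        return False, "bad signature"
    if now - issued_at > TOKEN_TTL:
        return False, "expired"
    if counter != state["counter"]:
        return False, "stale token (replayed after rotation)"
    return True, "ok"

def handle_request(token, client_ip, now=None):
    """One request: verify, then rotate. Returns (accepted, new_token, reason)."""
    ok, reason = verify_token(token, client_ip, now)
    if not ok:
        return False, None, reason
    return True, issue_token(token.split(".")[0], client_ip, now), reason
```

Binding to the source IP will sign out legitimate users whose address changes mid-session (mobile networks, some proxies), so treat an IP mismatch as a prompt to re-authenticate rather than as proof of fraud.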
ASKER CERTIFIED SOLUTION
I am also thinking that checking for the presence of a virtual machine can be useful, but that would be dependent on the script running in a specific OS.
http://support.microsoft.com/kb/309620
http://codehill.com/2010/05/detect-if-you-are-running-a-virtual-machine/
ASKER
breadtan - I shall accept your answer, though all these things I am already aware of; but the links you have provided may help with my research further.
I understand that device identification is currently a difficult task and all the solutions that exist currently are patented or commercial solutions. I assume that even they would be using a mix of browser fingerprinting, applets, hardware fingerprinting etc. to come to the device ID, which would again have a 90% success rate.
In case you come up with more ideas/solutions on this, I would be happy to hear your advice.
Thanks
You pretty much have to go with it unless you introduce a dongle or some other hardware you bundle. The owner got a patent shortly after the IBM PC came out to differentiate them with hardware. Microsoft even lost to them, and that is why MSFT changed their licensing for Office & operating systems a few years ago.
My advice is that if Microsoft had to move away from hardware fingerprinting, pay those guys a half billion dollars and redo all of their licensing, then you should reconsider. What you are attempting is most likely patent infringement.