
How to guarantee the fingerprint value was not faked in the request from the client side

A JS fingerprint is calculated on the client side using a library like fingerprint2.

My question is, if I send this value through ajax, the user can fake this value with minor effort and just make a fake POST request that will be interpreted by the server code as legit.

My question is, if this can happen, this library can be easily bypassed without even changing any property in the browser (that will change the browser fingerprint).

Is my interpretation right? How can I ensure the integrity of that value?

asked Nov 03 '17 11:11

anvd



1 Answer

You can't, and I wouldn't really worry about it.

Rule number 1: All input coming from the user's computer can be faked and can't be relied on 100%.

If you want, you can double up with server-side fingerprinting with libraries such as piwik device detector to match up data, but you're giving yourself a headache without cause.

90% of the users visiting you will not have a clue what you are doing and provide you with reliable data. They won't even have an adblock. They will give you reliable data.

9% of the visitors might have an adblocker, which may or may not block those ajax requests. They wish you to respect their privacy; do that so you keep them as customers. 1% might know what those ajax requests do, but they'll never find out because they can't be bothered to inspect the console of every website they visit. 1% of that 1% might take a peek at the browser console and figure out the browser fingerprinting.

1% of that 1% of that 1% will steal your fingerprinting code. Another 1% of the 1% of the 1% will try to fake it just for the lulz and then forget about it.

So in short, don't bother. People won't bother either.

But if you really must bother, and give yourself a headache:

  • Store a userid in your database on the client's computer in the form of a tracking cookie. Also store it in the session storage, local storage, and any database engines the browser may provide. (Note that you need to put in your cookie usage disclaimer why you are storing data on the user's computer when European users visit your site.)
  • Use that userid to match fingerprint to user. Note that this id may be deleted at any time by any cache-clearing mechanism (CCleaner, virus scanner, user clicking on empty history, etc.).
  • Put the user id in the window.name object. As long as the tab is open and used, it will be persisted, and try to reset/save it on the user's computer.
  • Add an ETag to your images; the user's computer will try to request that image with that ETag number the next time he comes. Intercept that request (don't let the webserver handle it, but handle it in php/jsp/asp/whatever) so you can identify the user. Set a session variable with the correct userid, 'respond' that the image is still valid under that ETag value, and return the correct user id with cookies.
  • Put "timestamp" values behind a javascript request based on the user id and set the requested page including that javascript file to expire in what, 180 days or so. Each time the user comes back and has not cleared his history, it'll make the javascript request with the given "timestamp" GET parameter (gotcha.js?time=1283737273873). Use server-side scripting again to intercept. You can then use ajax to update the contents of the page.
  • Include something like google maps on your page. If they use gmail or any google service and they gave consent to google for setting cookies, google will dump their browser full of cookies, which might persist for a while. Google maps cookies stay the same for at least the browser session and are readable by javascript/server-side script.
  • Use piwik device detector to build a server-side browser fingerprint, and use it to narrow down guesses as to which user it is.
  • Encode your request as a bytebuffer/stream and base64 encode it to make guessing what it is harder, even if they base64 decode it, and send the request in two parts, one with a verification hash and one with the fingerprint. Then match the hash and contents, and if it matches you can be sure that if it's spoofed, someone went through a lot of effort.
  • Minify and obfuscate your code, and also add a lot of useless side streets in your javascript code. Put each line in its own function and chain them together to make a cohesive thing. Make it too much effort to deduce what's going on there.

Other than that, I really can recommend you: don't bother. It's not worth the effort. People who want to circumvent will circumvent. They'll disable javascript, exclude that script, erase all cookies before continuing or leaving the site, change registered fonts, plugins, etc. Don't chase those that don't wish to be chased. Focus on the group who doesn't care.

answered Sep 20 '22 19:09

Tschallacka
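
The server-side matching the answer mentions, as an added Node.js example (not code from the question, the answer, or fingerprint2). It treats the posted fingerprint as an untrusted claim: a server-issued, HMAC-protected challenge rejects replayed or cross-session submissions, and the reported components are compared with what the server itself saw on the request. The `components` field names, the challenge format and the in-memory nonce set are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32);  // server-only secret, never shipped to the browser
const NONCE_TTL_MS = 5 * 60 * 1000;
const usedNonces = new Set();               // assumption: a shared store with expiry in production

// Issue a one-time challenge bound to the session (session ids assumed to contain no '.').
function issueChallenge(sessionId, now = Date.now()) {
  const payload = `${sessionId}.${now}.${crypto.randomBytes(8).toString('hex')}`;
  const mac = crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('hex');
  return `${payload}.${mac}`;
}

function checkChallenge(token, sessionId, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return 'malformed';
  const [sid, ts, rnd, mac] = parts;
  const expected = crypto.createHmac('sha256', SERVER_KEY)
    .update(`${sid}.${ts}.${rnd}`).digest('hex');
  const a = Buffer.from(mac), b = Buffer.from(expected);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return 'bad-mac';
  if (sid !== sessionId) return 'wrong-session';
  if (now - Number(ts) > NONCE_TTL_MS) return 'expired';
  if (usedNonces.has(token)) return 'replayed';
  usedNonces.add(token);
  return 'ok';
}

// Compare what the script reported with what the server observed on the same request.
// A mismatch is a risk signal to log or score; a match does not prove the value is genuine.
function assessFingerprint(req, sessionId, now = Date.now()) {
  const reasons = [];
  const status = checkChallenge(req.body.challenge, sessionId, now);
  if (status !== 'ok') reasons.push(`challenge:${status}`);
  const c = req.body.components || {};
  if (c.userAgent !== req.headers['user-agent']) reasons.push('user-agent-mismatch');
  const primary = (req.headers['accept-language'] || '').split(',')[0].trim().toLowerCase();
  if (!c.language || c.language.toLowerCase() !== primary) reasons.push('language-mismatch');
  return { consistent: reasons.length === 0, reasons };
}
```

A client that forwards its real headers and replays its own fresh challenge still passes, so the result belongs in a risk score alongside other signals rather than in an access decision on its own.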