
Revisiting and updating two sections

Revisiting two of our sections:

Adds previous documentation on side-channel attacks which can be used to fingerprint users, presented in 2016. This means this type of microarchitectural deanonymization attack has been performed possibly as early as the first day websites have been able to perform browser fingerprinting. It is still widely used, e.g., for fraud detection and paywalls.

This doesn't get as much media attention, as pointed out by another researcher in attendance. Modern browsers have some specific Privacy & Security settings such as Do Not Track (DNT headers) that tell a website "hey, I am not interested in being tracked, please don't do it." Unfortunately, as shown, DNT can be and is ignored by most (if not all) websites. You have the JavaScript running which produces a unique fingerprint.

This is sometimes anonymized, but not always. What's worse: sometimes this data is not handled properly in the process of fingerprinting or storage. All architectures and operating systems are victims of this fingerprinting. There is no indication of why DNT is ignored by websites and there is no evidence supporting the need for knowing all of the hundreds of fonts detected during this fingerprinting. When asked, Skype, for instance, declined to comment on it.

It's simply an unknown and should be treated as unwanted and mitigated by the use of modern browser hardening and other means of avoiding tracking.

Fixes #70 (closed)
