Device Fingerprinting

Often it can be beneficial to ‘more’ uniquely identify your users. For applications this is trivial, but in a web browser this can be accomplished via only a few attributes.

  • HTTP – User-Agent, IP Address, Content types and languages accepted.
  • HTTPS/SSL – the keys and encryption methods available to a specific user may vary for each client configuration.
  • HTML5 – local storage and capabilities supported.
  • Geolocation – this is included in HTML5, but also supported in many clients without full HTML5 support, or via browser extensions.
  • JavaScript – Installed version – and many DOM attributes/capabilities such as timezone, installed plugins, screen sizes and fonts from the browser can be detected.
  • Java (Applet) – Installed version – this can often be used to get additional information regarding the client system directly from the VM or Operating System itself. (* Persistent Cookies possible)
  • Flash – Installed version – this can often be used to get additional information regarding the client system directly from the Operating System itself. (* Persistent Cookies possible)
  • Silverlight (for Microsoft Windows) – – Installed version and additional information from Operating System?
  • GoogleGEARS (deprecated) – Installed version and additional information from Operating System such as Geolocation

REFERENCES:

crossdomain.xml

Adobe FlashPlayer 7 added several security features. I first became aware of this one as I saw a large number of HTTP 404 errors for a file named ‘crossdomain.xml’ in my webserver logs. (see also clientaccesspolicy.xml)

If you use flash on your website, I’d suggest adding an appropriate copy of this file to limit your exposure to some potential security issues.

Restricted domains

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.example.com" />
<allow-access-from domain="example.com" />
</cross-domain-policy>

Open to all domains (not recommended, but fully backward compatible)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

REFERENCES:

Cross-browser Copy To Clipboard Functionality

Due to various security models, it can be difficult to create a simple way to copy data from a browser application into the OS’es “clipboard” with simple javascript. There are several libraries out there to assist in making this work across various platforms, most utilize Flash.

Here are a few notable methods:

Fix for Flash files ignoring z-index

Flash objects often interfere with your layering within your DHTML applications and appear above them in the DOM stacking order, standard CSS and HTML solutions do not have any impact. Fortunately there is a simple solution to this ‘problem’ thats been supported in all common browsers since MSIE4.

On <object>
<param name="wmode" value="transparent" />

In <embed ... wmode="transparent" >

REFERENCES:

Covert Flash to HTML5

Now that HTML5 support has grown, and Apple continues to resist Flash on their IOS devices, it may be advantageous to make use of the newer markup standard in your web applications.

There are currently three separate methods to convert your Flash applications:

Flash Cookies / Website Storage

If you’ve been online at all in the last decade, you’ve heard of the “dangers” of HTTP Cookies. More nefarious and harder to remove are Flash Cookies as they are handled by a plugin/extension/addon to the browser and exist outside of the normal security settings.

To see or delete Flash data, you’ve got to visit the following URL:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

You will probably be suprised to see many of the sites listed, as Flash is often being used to present you with ads in addition to the interactive elements that you might expect.

REFERENCES:

Safari/WebKit background flash on page load

I was recently working on a website that had a black/dark background and while the typical suite of browsers that I test with seemed fine, Safari showed an annoying white flash when the page was loading.

Some research into this lead to a startling discovery as I personally consider this a bug in the Safari browser’s rendering. It’s often referred to as FOUC (Flash of Unstyled Content). There are several methods that I’ve seen, most employ JavaScript or ordering of CSS files to hide the <body> prior to the page completely loading.

The simplest fix, while not elegant, is to an explicit ‘style’ attribute on the <html> tag.

<html style=”background-color:black;”>

Reference:

Flash ‘Cookies’ and Security Settings

I’ve found that a large percentage of Internet users don’t realize just how they are being tracked on a website. Most people are aware of HTTP Cookies, but very few realize that browser plugin technologies like Adobe Flash also maintain data about a user’s activities.  Worse yet, while HTTP Cookies are limited to 4k, Flash can store up to 100k per website.

Clearing of standard HTTP cookies is relatively easy to do in mainstream browsers.   However, while Flash is almost ubiquitous, it’s settings are not easy to locate… in fact you cannot even find them in your browser or computer settings, you have to visit a website!

When you visit this link you will first see the sites and amount of data they have stored about you,
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html

Secondly, if you look on the other tabs or follow the next link you’ll be able to control Flash access to your microphone and webcam (provided that you have them connected).
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

Other tabs will allow you to control various settings related to updates and global security settings, as documentation is provided for each tab it should be relatively easy for you to decide which configuration you prefer in each case.

FYI – I can see some real potential for misuse of these settings if they could be altered externally by a motivated hacker.

References:

Cheers!