Fingerprinting Browsers Using Protocol Handlers

If a user is masking their user-agent in Internet Explorer or Mozilla Firefox, it is still possible to identify their browser and operating system using protocols that are unique to the browser, as follows:

The Mozilla Firefox protocols "moz-icon://", "jar:resource://" and "resource://" work even with "Load images automatically" turned off.

There are a number of images that can be used in Internet Explorer. Check out *.dll and *.dll.mui in %WINDIR%, %WINDIR%\system32\ and %WINDIR%\system32\en-US\ in Resource Hacker for more, for example:

Affected

Not Affected

Testing

Additional Information

Google Chrome seems secure as all local images are generated using the "data:" protocol. I have tested Opera and Konqueror a little without success.

It is possible to detect the operating system using JavaScript alone (navigator.platform); however, this is useless if the user is OSfuscating correctly. (See: IP Personality, FingerPrintFucker, Change your Windows OS TCP/IP Fingerprint to Confuse p0f, networkminer, ettercap, nmap, and other OS detection tools.)

It is possible, although unlikely, to fingerprint installed applications or plugins and attempt a web based exploit.

This form of fingerprinting can be easily mitigated by disabling JavaScript or using a plugin such as NoScript for Mozilla Firefox. Alternatively, in Internet Explorer you can set the Internet security level to High.

I imagine anyone paranoid enough to actually worry about this has JavaScript disabled already or is using a command-line alternative.
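As an added example (not the author's proof of concept), the following JavaScript checks page source for references to the browser-internal schemes named above, the kind of check a filtering proxy or content audit could run alongside the mitigations. The `res://` entry for Internet Explorer, the function names and the sample page are assumptions made for illustration.

```javascript
// Added example: flag page source that references browser-internal URL schemes.
// The three Firefox schemes are from the article; "res://" for Internet Explorer
// DLL resources is an assumption, as the article names no IE scheme.
const INTERNAL_SCHEMES = [
  { scheme: "jar:resource://", browser: "Mozilla Firefox" },
  { scheme: "moz-icon://", browser: "Mozilla Firefox" },
  { scheme: "resource://", browser: "Mozilla Firefox" },
  { scheme: "res://", browser: "Internet Explorer (assumed)" },
];

// Candidate URLs: URL-bearing attributes or property assignments, CSS url(...),
// and any quoted string that starts with a scheme (covers script literals).
const URL_PATTERNS = [
  /\b(?:src|href|data|background)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))/gi,
  /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s"']+))\s*\)/gi,
  /"([a-z][a-z0-9+.-]*:[^"\s]*)"|'([a-z][a-z0-9+.-]*:[^'\s]*)'/gi,
];

function extractUrls(source) {
  const urls = new Set(); // de-duplicates URLs matched by more than one pattern
  for (const re of URL_PATTERNS) {
    for (const m of source.matchAll(re)) {
      // URL parsers ignore tab/CR/LF and treat the scheme case-insensitively.
      const raw = m[1] ?? m[2] ?? m[3] ?? "";
      urls.add(raw.replace(/[\t\r\n]/g, "").trim().toLowerCase());
    }
  }
  return [...urls];
}

function scanPage(source) {
  const findings = [];
  for (const url of extractUrls(source)) {
    const hit = INTERNAL_SCHEMES.find((s) => url.startsWith(s.scheme));
    if (hit) findings.push({ url, scheme: hit.scheme, browser: hit.browser });
  }
  return findings;
}

// Constructed sample input; every path below is a placeholder.
const SAMPLE_PAGE = `
<img src="moz-icon://.txt?size=16">
<img src='images/logo.png'>
<div style="background:url(RESOURCE://placeholder/image.png)"></div>
<script>var probe = new Image(); probe.src = "res://placeholder.dll/1";</script>
`;
for (const f of scanPage(SAMPLE_PAGE)) {
  console.log(`${f.scheme} -> ${f.browser}: ${f.url}`);
}
```

The scan is textual, so URLs assembled at run time from string fragments are not seen; treat a clean result as a first-pass filter only.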

Proof of concept