Fingerprinting Browsers Using Protocol Handlers
If a user is masking their user-agent in Internet Explorer or Mozilla Firefox, it is still possible to identify their browser and operating system using protocols that are unique to the browser, as follows:
The Mozilla Firefox protocols "moz-icon://", "jar:resource://" and "resource://" work even with "Load images automatically" turned off.
There's a bunch of images that can be used in Internet Explorer. Check out *.dll and *.dll.mui in %WINDIR%, %WINDIR%\system32\ and %WINDIR%\system32\en-US\ in Resource Hacker for more, for example:
Affected
- Firefox/3.6.2 and prior
- Internet Explorer 8.0.6x and prior
Not Affected
- Opera 10.51
- Google Chrome 4.0.249.89
Testing
- Firefox 3.6.2
- Internet Explorer 8.0.6001.18882
- Internet Explorer 6.0.2900.2180
- Opera 10.51
- Google Chrome 4.0.249.89
Additional Information
Google Chrome seems secure as all local images are generated using the "data:" protocol. I have tested Opera and Konqueror a little without success.
It is possible to detect the operating system using JavaScript alone (navigator.platform); however, this is useless if the user is OSfuscating correctly. (See: IP Personality, FingerPrintFucker, and "Change your Windows OS TCP/IP Fingerprint to Confuse p0f, networkminer, ettercap, nmap, and other OS detection tools".)
It is possible, although unlikely, to fingerprint installed applications or plugins and attempt a web-based exploit.
This form of fingerprinting can be easily mitigated by disabling JavaScript or using a plugin such as NoScript for Mozilla Firefox. Alternatively, in Internet Explorer, you can set the Internet security level to High.
I imagine anyone paranoid enough to actually worry about this has JavaScript disabled already or is using a command-line alternative.
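One way to review page source for the Firefox schemes named above, as an added example that is not part of the original post. The names `findSchemeProbes` and `INTERNAL_SCHEMES`, the sample page and its `placeholder` paths are constructed for illustration.

```javascript
// Added example, not from the original post. Static check of page source for
// the browser-internal URL schemes this page names.
const INTERNAL_SCHEMES = {
  "moz-icon://": "Mozilla Firefox",
  "jar:resource://": "Mozilla Firefox",
  "resource://": "Mozilla Firefox",
};

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Returns one finding per reference: { line, scheme, browser, inScript, excerpt }.
// Limitation: a scheme string assembled at run time is not visible to a static scan.
function findSchemeProbes(source, schemes = INTERNAL_SCHEMES) {
  const byName = new Map(Object.entries(schemes).map(([k, v]) => [k.toLowerCase(), v]));
  // Longest first, so of two schemes sharing a prefix the more specific one wins.
  const names = [...byName.keys()].sort((a, b) => b.length - a.length);
  const pattern = new RegExp(names.map(escapeRegExp).join("|"), "gi");
  const findings = [];
  for (const m of source.matchAll(pattern)) {
    const before = source.slice(0, m.index).toLowerCase();
    const lineStart = source.lastIndexOf("\n", m.index) + 1;
    const lineEnd = source.indexOf("\n", m.index);
    const scheme = m[0].toLowerCase();
    findings.push({
      line: before.split("\n").length,
      scheme,
      browser: byName.get(scheme),
      // True when the reference sits inside an unclosed <script> element.
      inScript: before.lastIndexOf("<script") > before.lastIndexOf("</script"),
      excerpt: source.slice(lineStart, lineEnd === -1 ? source.length : lineEnd).trim(),
    });
  }
  return findings;
}

// Constructed sample page; the text after each scheme is a placeholder.
const SAMPLE_PAGE = [
  "<html><body>",
  '<img src="moz-icon://placeholder">',
  '<img src="https://example.com/logo.png">',
  "<script>",
  'var a = new Image(); a.src = "JAR:resource://placeholder/a.png";',
  'var b = new Image(); b.src = "resource://placeholder/b.png";',
  "</script>",
].join("\n");

console.log(findSchemeProbes(SAMPLE_PAGE));
```

A content filter or crawler can pass additional scheme-to-browser pairs as the second argument to cover other browsers.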