July 16, 2024
Anti-bot solutions have historically used browser fingerprinting to detect bots. Ad vendors unfortunately borrowed some of the same techniques to track users across the web. This potential for tracking users has caused browser makers to remove most of the features these strategies relied upon.
At the same time, blackhats have improved and commercialized new techniques to bypass or block fingerprinting, rendering these legacy strategies largely ineffective at stopping website attacks.
At hCaptcha, we have pioneered privacy-preserving technologies for reliable detection of abuse without needing to track people across the web or attempting to uniquely identify them. We'll cover some of them in this report.
Browser fingerprinting is the process of collecting a set of browser attributes to create a unique identifier in order to verify a user. These attributes together form a fingerprint, which can be used to verify whether a given browser is what it claims to be.
The collection of attributes can vary in complexity. More advanced solutions classify different types of hardware by running tests on the hardware that demonstrate its properties, for instance with canvas fingerprinting.
Canvas fingerprinting draws an image in the browser and analyzes the rendered output; because rendering subtly varies between device types, the result can serve as a unique identifier.
Every advancement in fingerprinting techniques has led to browser makers attempting to stop it from working and bot developers attempting to imitate the fingerprint to avoid detection. This game of cat and mouse has become increasingly professionalized on all sides, shortening the cycle from discovery to abuse to disablement and making it difficult to rely on conventional fingerprinting techniques as a robust defense against malicious activity.
At hCaptcha, we have worked for many years with Apple and other companies to standardize Private Access Tokens, a privacy-preserving replacement for some of the functionality of browser fingerprinting.
This allows security companies like hCaptcha to validate cryptographically that a given device is what it claims to be, i.e. answering the question "is this request from an iPhone?" without gaining any information that would identify a specific user.
It is important to note that hardware attestation cannot replace our other avenues for detecting automation, and indeed we have already seen abuse in the wild from fully attested devices.
However, when combined with our other technologies it can provide some useful information to evaluate the security properties of a given session.
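The property described above, an issuer attesting a device while the origin learns nothing that identifies the user, rests on blind signatures. The following is an added toy illustration written for this post, not hCaptcha's or Apple's code and not the RSABSSA scheme Private Access Tokens actually use: textbook blind RSA over two constructed small primes, where the issuer only ever sees a blinded value and the origin verifies the unblinded token with the public key alone.

```python
"""Toy blind-signature flow illustrating Private Access Token unlinkability.
Textbook blind RSA with constructed tiny primes: illustration only, not the
RSABSSA construction used by real deployments."""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key (far too small for real use).
P, Q = 2_147_483_647, 4_294_967_291
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def token_input(challenge: bytes, client_nonce: bytes) -> int:
    """Hash the origin's challenge with a client nonce into the RSA domain."""
    digest = hashlib.sha256(challenge + client_nonce).digest()
    return int.from_bytes(digest, "big") % N


def client_blind(m: int) -> tuple[int, int]:
    """Client hides m behind a random factor r before contacting the issuer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def issuer_sign(blinded: int, issuer_log: list[int]) -> int:
    """Issuer (e.g. the device vendor) signs after attesting the device.
    It records what it saw: only the blinded value, never m itself."""
    issuer_log.append(blinded)
    return pow(blinded, D, N)


def client_unblind(blinded_sig: int, r: int) -> int:
    """Strip the blinding factor to obtain a signature on the original m."""
    return (blinded_sig * pow(r, -1, N)) % N


def origin_verify(m: int, sig: int) -> bool:
    """Origin checks the token with the public key; it sees m and sig only."""
    return pow(sig, E, N) == m


def run_protocol(challenge: bytes, issuer_log: list[int]) -> tuple[int, int]:
    """One full exchange; returns (token_input, signature) for the origin."""
    m = token_input(challenge, secrets.token_bytes(32))
    blinded, r = client_blind(m)
    sig = client_unblind(issuer_sign(blinded, issuer_log), r)
    return m, sig
```

The issuer's log contains the blinded value only, so it cannot match a token it signed to the session in which the origin later verifies it.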
As anti-bot solutions have faced increasing challenges in detecting bots, they have often resorted to invasive fingerprinting, further encroaching on user privacy and raising ethical concerns.
This strategy is coming to an end: privacy-centric browsers like Brave and DuckDuckGo have surged in popularity, and traditional web browsers like Safari and Firefox now address privacy concerns by incorporating fingerprint-blocking modes like private browsing and enhanced tracking protection. Even Chrome now blocks many signals, rendering anti-bot systems that mainly rely on them useless.
Moreover, many blackhat anti-detection packages now imitate authentic browsers and blend in with conventional fingerprints. Even more advanced solutions that rely on previously state-of-the-art hardware fingerprints have found their effectiveness diminished, as we've heard from new customers who migrated to hCaptcha Enterprise due to low abuse detection rates with their legacy solutions.
At hCaptcha, we have taken a completely different approach to solving these problems, with a focus on strong instantaneous detection, advanced humanity challenges, and our other innovations like Private Learning to produce custom models that address human as well as automated abuse.
Combining our understanding of AI capabilities with a continuously evolving system has enabled us to create a durable platform for detection that is robust to tampering of all kinds and does not need to rely on legacy fingerprinting techniques for its security guarantees.
Building privacy-preserving security systems is much harder than doing things the way every other vendor has done it in the past, but we think it's the right thing to do, and have demonstrated that in the rapidly evolving security landscape our approach is in fact more durable.
Browser makers and improved blackhat techniques have together rendered traditional fingerprinting methods nearly useless in many cases. Threat actors are constantly evolving their methods and can easily bypass static detection methods.
However, privacy-preserving AI/ML technology can allow organizations to protect themselves from the most advanced and emerging threat actors without relying on legacy fingerprinting strategies or attempting to track people across the internet.
hCaptcha offers the most advanced machine-learning-driven bot detection available, including industry-unique edge learning that puts privacy first.
hCaptcha Enterprise is an ideal solution to help organizations stay ahead of even the most sophisticated threat actors while maintaining low user friction.