discuitnet/discuit

[Discussion] Browser Fingerprinting

Opened this issue · 3 comments

Does anyone have any expertise with fingerprinting? Related to the suggestion with IP banning, I know Reddit does implement some sort of procedure to help detect ban evasion. This might help with the recurring !@#$-disturber on Discuit.

Here is an overview article of fingerprinting that I found fairly comprehensible, as someone completely new to the idea.

This could be possible. Though I believe it would be a case of: once we block a user, the fingerprint is added to a list that is blocked. A main issue with implementing this, though, would be privacy, as we would need to store the fingerprint anyway to tie it back to a specific user/person.

Something like this maybe (just a sample demo idea):

package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// getIP extracts the IP address of the client from the request
func getIP(r *http.Request) string {
	// Standard proxy forwarding header. Any client can set this header itself,
	// so it is only trustworthy when the app sits behind a proxy that overwrites it.
	forwarded := r.Header.Get("X-Forwarded-For")
	if forwarded != "" {
		// return the first IP if multiple are present (the originating client)
		return strings.TrimSpace(strings.Split(forwarded, ",")[0])
	}
	// fallback to the direct connection IP; SplitHostPort handles IPv6 literals
	// such as "[::1]:54321", which a plain split on ":" would cut in the wrong place
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// browserFingerprint generates an identifier for a user based on their browser details
func browserFingerprint(r *http.Request) string {
	userAgent := r.UserAgent()
	acceptLang := r.Header.Get("Accept-Language")
	encoding := r.Header.Get("Accept-Encoding")
	ip := getIP(r)

	// Combine the collected details to form the identifier
	rawIdentifier := fmt.Sprintf("%s|%s|%s|%s", userAgent, acceptLang, encoding, ip)

	// Hash the combined string using SHA-256 for a consistent, fixed-length identifier
	// (a hash of a few low-entropy headers is pseudonymous, not anonymous)
	hasher := sha256.New()
	hasher.Write([]byte(rawIdentifier))
	hashedIdentifier := hex.EncodeToString(hasher.Sum(nil))

	return hashedIdentifier
}

I don't think having the IP address as a part of the hash is helpful in this particular case, as the user in question is apparently hopping IPs like crazy. But the general idea is interesting.

Ah, then that tends to make it harder. Either way, they could just spoof a new browser, which is pretty easy.
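As an added example, not code from this thread or from Discuit, the following implements the blocklist the second comment sketches (ban a user, add their fingerprint to a blocked list, reject matching requests), drops the IP from the hash as the third comment suggests, and then demonstrates the last comment's objection: the same person with only the User-Agent changed produces a different hash and passes the check. The type and function names (Fingerprint, Blocklist, StatusFor, NewRequest) and the sample header values are assumptions constructed for this demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Fingerprint hashes the passive header signals only. The IP is left out,
// since the thread notes the user in question changes addresses constantly.
// Every input here is chosen by the client, so the result is a weak identifier.
func Fingerprint(r *http.Request) string {
	raw := strings.Join([]string{
		r.UserAgent(),
		r.Header.Get("Accept-Language"),
		r.Header.Get("Accept-Encoding"),
	}, "|")
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// Blocklist holds the fingerprints of banned users (hypothetical type for this demo).
type Blocklist struct {
	mu     sync.RWMutex
	banned map[string]struct{}
}

func NewBlocklist() *Blocklist {
	return &Blocklist{banned: make(map[string]struct{})}
}

// Ban records a fingerprint; a real deployment would persist this with the ban record.
func (b *Blocklist) Ban(fp string) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.banned[fp] = struct{}{}
}

// IsBanned reports whether a fingerprint is on the list.
func (b *Blocklist) IsBanned(fp string) bool {
	b.mu.RLock()
	defer b.mu.RUnlock()
	_, ok := b.banned[fp]
	return ok
}

// Middleware rejects requests whose fingerprint is on the list with 403.
func (b *Blocklist) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if b.IsBanned(Fingerprint(r)) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor runs one request through the middleware and returns the status code it produced.
func StatusFor(b *Blocklist, r *http.Request) int {
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	b.Middleware(ok).ServeHTTP(rec, r)
	return rec.Code
}

// NewRequest builds a constructed request carrying the three fingerprinted headers.
func NewRequest(ua, lang, enc string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.Header.Set("User-Agent", ua)
	r.Header.Set("Accept-Language", lang)
	r.Header.Set("Accept-Encoding", enc)
	return r
}

func main() {
	bl := NewBlocklist()
	// Constructed sample headers for the demo.
	firefox := "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
	chrome := "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
	bl.Ban(Fingerprint(NewRequest(firefox, "en-US,en;q=0.5", "gzip, deflate, br")))

	// Same browser from a new IP: still caught, because the IP is not part of the hash.
	fmt.Println("same headers, new IP:", StatusFor(bl, NewRequest(firefox, "en-US,en;q=0.5", "gzip, deflate, br")))
	// Same person, only the User-Agent changed: a different hash, so the check passes.
	fmt.Println("changed User-Agent:  ", StatusFor(bl, NewRequest(chrome, "en-US,en;q=0.5", "gzip, deflate, br")))
}
```

Running it prints a 403 for the first request and a 200 for the second, which is the point of the last comment: a header-only fingerprint is only as strong as the cheapest header to change, so a blocklist built on it raises the effort for a casual ban evader but does not stop a determined one.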