Make CreepJS accessible as an NPM library #239

Open
Arkenar opened this issue Aug 28, 2023 · 4 comments

Comments

@Arkenar

Arkenar commented Aug 28, 2023

I understand that the library is meant for educational purposes only, but I believe that it would be invaluably helpful for bot prevention and moderation purposes. There is currently no documentation on how to embed it as a library.

There are alternative solutions to CreepJS such as FingerprintJS or ClientJS, but none of them are as comprehensive and powerful as this one. The better alternatives are paid and only accessible through an external API.

Do you have any plans to implement it as an npm library, and if not, would it go against the spirit of the project if I work on a documented fork that would be usable as an npm package?

@Arkenar Arkenar changed the title Make the library accessible as a package to use in a website Make CreepJS accessible as an NPM library Aug 28, 2023
@abrahamjuliot
Owner

I appreciate your interest in the project.

We want to avoid creating a library used for fingerprinting. The spirit of the project is to promote research and education. No plans to change this.

@Arkenar
Author

Arkenar commented Aug 29, 2023

I understand and have a lot of respect for your motives and your project as a whole. I will refrain from attempting to build a usable fork.

On a side note, I was going through the source code and I noticed that the fingerprinting seems to be entirely reliant on JS being active, so I guess none of this would work if the client uses something like NoScript. Did you consider extending the project to include CSS fingerprinting? It's not nearly as accurate as JS fingerprinting but it can detect the following metrics:

  • device dimensions
  • fonts installed
  • OS and browser used (and to some extent, even the version of the browser used based on the support for CSS features)
  • whether the client uses noscript or similar plugins

(can be enhanced by using the visited selector and other selectors that detect current or previous user interaction with the page)

The data can then be sent to a server through the combination of conditional logic in CSS with "background-image" or "content" with URLs pointing to your desired endpoints. There are also other ways to fingerprint using CSS by triggering permanent redirects to unique addresses.

Another approach would be fingerprinting through favicon redirects, but although it can lead to more precise results, it has its flaws. Doesn't work on Firefox, doesn't work with iframes, can be mitigated through cache eviction or by disabling favicons altogether.

CSS fingerprinting is fairly easy to implement and it can make this project more comprehensive by triggering a fallback when noscript is detected.

If you're interested in including it as a fallback within <noscript></noscript>, I would love to contribute to the addition of this feature.

@abrahamjuliot
Owner

CSS fingerprinting is on my mind. A while back, I did some experiments and decided the entropy was not worth it, even with fonts. It depends on the site, but no JS can be an incredibly unique fingerprint and not require anything further to detect.

However, I think it would be cool to implement these concepts on a test page similar to workers. Font URL detection in CSS would probably not work on GH pages, but I'm not sure.

A long-term goal is to move much of the client-side fingerprinting to test pages and provide more depth analysis, and then the main fingerprint script would be dead simple. With that in place, we would only use server-side anomaly detection and time series tracing.

@deadcoder0904

Yes, please release it as an npm library.

My application is rate-limiting without user ID.

That's where browser fingerprinting comes in to stop malicious attackers from brute-forcing.

There are tons of legit use cases for this.
