Tracking Browsers Without Cookies Or IP Addresses?

Peter Eckersley writes "The EFF has launched a research project called Panopticlick, to determine whether seemingly innocuous browser configuration information (like User Agent strings, plugin versions and fonts) may create unique fingerprints that allow web users to be tracked, even if they limit or delete cookies. Preliminary results indicate that the User Agent string alone has 10.5 bits of entropy, which means that for a typical Internet user, only one in about 1,500 (2 ^ 10.5) others will share their User Agent string. If you visit Panopticlick, you can get a reading of how rare or unique your browser configuration is, as well as helping EFF to collect better data about this problem and how best to defend against it." I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others.

Re:Results and flash cookies

[TheCarp]

Speaking of.... I have numbers on how well this works.

I have 2 mozilla profiles. One for "open browsing", and one for tor use, with torbutton set to default to tor enabled.
Both use noscript.

"Open"
Scripts on: Unique!
Scripts off: 1 in 261

Torbutton:
Scripts off: 1 in 4775
Scripts on: 1 in 14,605

I would call that a pretty big win for torbutton. A pretty big loss for open browsing in mozilla firefox without noscript (especially if you install a few addons)

-Steve