Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Identifiable Are You On the Web?

Posted by timothy on from the your-unique-aroma dept.

An anonymous reader writes How identifiable are you on the web? This updated browser fingerprinting tool implements the current state of the art in browser fingerprinting techniques(including canvas fingerprinting) to show you how unique your browser is on the web. Good food for thought when three-letter agencies talk about "mere metadata."

18 of 160 comments (clear)

  1. /.ed? by whoever57 · · Score: 5, Interesting

    I haven't seen a /. effect for a long time.

    --
    The real "Libtards" are the Libertarians!
    1. Re:/.ed? by darkain · · Score: 5, Informative

      Agreed! Page isn't loading, that was fast as hell.

      For those looking for other resources tho, that DO load

      http://samy.pl/evercookie/

      https://panopticlick.eff.org/

  2. Totally and completely identifiable... by Bob_Who · · Score: 4, Insightful

    Always have been, and always will, for as long as light echos through space and time. But nobody really cares who I am. They know who I am, nevertheless.

    I am the walrus.

  3. Identifiable enough that Google targets ads by Anonymous Coward · · Score: 4, Interesting

    Google serves my computer ads for mens watches, it serves my wifes computer, on the same NAT, (the same PC, same screen resolution) ads for shoes. Both have cookies blocked and flash is disabled by default. Mine also blocks lots of google sites, yet I have yet to find a way to block doubleclick. Our browsers are both set to tell sites to "do no track". Neither of us uses Google for search these days, switching to Duck Duck Go.

    So the fingerprinting is enough for Google to send us personalized adverts.

    Now if someone can tell me the full list of domains I need to block to prevent DoubleClick (also from Google) from serving ads, I'd appreciate it.

    1. Re: Identifiable enough that Google targets ads by networkzombie · · Score: 4, Informative

      Actually, no. Web surfing involves visiting a multitude of sites. Whitelisting would be painstakingly difficult, especially with the wife. Even whitelisting cookies is tedious, but cookies are what you should be whitelisting. After your accept all the cookies you need (bank, Slashdot, etc...) then block the rest. Simply visiting a web site is no reason to accept a cookie. If you can identify any sites to block (DoubleClick) then blacklisting is the way to go. We're not talking about a server here, it is a web browser. Imagine whitelisting 20 sites per hour while shopping for a pair of shoes.
      What I do is to identify what sites are serving me ads, surf those sites while capturing packets using your favorite tool (NetworkTrafficView from Nirsoft if using Windows is easy) and block those sites using your firewall (IPs) and/or hosts file (FQDNs). I haven't seen a DoubleClick ad in years. In Windows my hosts file looks like this:
      0.0.0.0 ad.doubleclick.net
      0.0.0.0 ad.uk.doubleclick.net
      0.0.0.0 ad.n2434.doubleclick.net
      0.0.0.0 doubleclick.net
      0.0.0.0 a.doubleclick.net
      The Slashdot filter made me cut quite a bit out, but you get the idea.
      This work has already been done and gets updated for you here: http://someonewhocares.org/hos...
      My Windows Firewall is more extensive. I block massive subnets in Russia, Ukraine, and China (ex. LACNIC Latin American and Caribbean 190.0.0.0/8). This is all for a laptop that leaves the house. For an in-home solution you should get a better router and block them at the gateway so your iPad is safe too. pfSense is very flexible, but DD-WRT can do some neat tricks.

    2. Re:Identifiable enough that Google targets ads by ledow · · Score: 4, Interesting

      Not being funny, but that's hardly tracking unless you are actually after a watch or shoes. I imagine a watch / shoes ad is the kind of thing that a company will push to everyone this near to Christmas.

      Also, I once got several months of leotard adverts because I happened to click something in our (school) web logs to check it was okay for pupils to see. There's just a correlation on the ad networks between your IP and something you may have clicked / searched / been on. It doesn't mean they are tracking you, per se. They just realise that you are two separate browsers with two separate signatures. Lots of things can do that, even being a single plugin different. Just being logged into a certain account on one site might push certain ads your way.

      Load up Ghostery and visit your normal sites. See how many of them are also serving up ads etc. that can form correlations between your browser and a certain product. Cookies blocked everywhere? I don't believe it, you'd never be able to log into anything. Flash disabled? Well, yes, I have that by default but for security not tracking. "Do not track" is an absolute waste of time. And just because duckduckgo doesn't track you, doesn't mean the sites you land on don't.

      Take this "for instance" - your wife went on a shoe shop once. You went on a watch shop once. Both the same IP. But one of you was also logged in elsewhere on a single other site. Bam. You get different ads. Just being a 0.1 version out on your browser will distinguish one from the other. Or having slightly different plugins. Or even just having different source port numbers (as NAT'ing will ensure).

      Sorry if you don't realise this, but the amount of effort you're putting into making your life hard and hiding, is actually just making you stand out just the same. How many hours have you wasted trying to block this stuff, and still you're identifiable?

      Either start fresh every session with a Privoxy proxy and fake user-agent strings, or don't bother. And even that won't hide you. And even then, you'll never know if the watch advert was for something you clicked years ago, or random spam because they know nothing about you and pick a random product. Hell, do you even know if you haven't each separately cached a random advert?

    3. Re:Identifiable enough that Google targets ads by Runaway1956 · · Score: 3, Informative

      Apparently, Ghostery is pretty effective at blocking doubleclick. I do not get those personalized advertisements. The ONLY place where "ads" are even somewhat accurately aimed at me, is Amazon. If/when I clear cookies, and browse without signng in, their limited accuracy disappears.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  4. MEH by Jane+Q.+Public · · Score: 4, Informative

    First, the simplest of script blockers completely prevented the home page from loading at all.

    Second, when I allowed the site in my script blocker, it was slow as hell to load.

    But Third, and more to the point: EFF's Panopticlick has been around for a long time now, and it's far better.

  5. Fonts make you very identifiable by billstewart · · Score: 4, Interesting

    Standard Mozilla behaviour last time this question came up is to include a list of fonts that your browser can display; I don't know whether other browsers do the same, or if they've changed it, but it's the kind of "feature" that hopelessly breaks your chances of non-uniqueness if you've ever installed fonts.

    My work laptop has a font that's the Official Corporate-Branded font for $DAYJOB's corporate logo. Almost every Windows machine at my company has that (at least, every physical machine and the virtual machines running on the hosted virtual desktop cloud; there may be some lab machines that don't, and maybe some contractors, etc.) You might work for a smaller company that does the same. In my case, I've installed all sorts of other random fonts, either to see what they looked like, or simply because back in the 80s of course you wanted Elvish and Dwarvish fonts on your computer, or because I wanted a better monospaced programming font than the default MS one or Courier New.

    Lots of other things leak information as well (cookies, etc.), but fonts are a quick and dirty way around identifying people who block those.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Fonts make you very identifiable by vux984 · · Score: 3, Insightful

      It seems to me that it would be simpler for Firefox (and other browsers) to just whitelist a default set of fonts and those are the only ones it uses regardless of what might be installed on the system on any site you are trying to limit tracking. (It can allow for web embedded fonts; it just won't load anything but the default set from the system.)

      If MS wanted to do it for IE, they'd just have the non-default font set blocked for the "Internet Zone" and allowed for the "Trusted Zone" which should cover most intranet scenarios where they've got custom fonts.

      I suppose an "exceptions" list could be managed separately as well if was really necessary; or it could be tied to the cookie exceptions list -- which would be logical from a "privacy reasoning" perspective... but counter-intuitive from the "why are local fonts not loading for this site just because i blocked cookies" perspective.

      In any case the upshot is that any given version of any given browser on any given platform will have the same fonts available as any other instance of that version of that browser on that platform -- then "font profiling" adds nothing to the basic platform information they already had.

  6. Re:I'm a special snowflake apparently. by arth1 · · Score: 4, Informative

    Fonts seems to be what does it. With many programs coming with extra/special fonts, it quickly narrows the users down based on what they have installed.

    Of course, for fonts that only come as part of a software package but install fonts as system fonts (why?), it also tells remote sites what you have installed, which is an additional privacy concern.

  7. Numbers Don't Lie, But -- by Anna+Merikin · · Score: 4, Insightful

    Their sample size is 11-thousand. According to my results, 1-in-6 computers are running Linux!

    This is absurd, unscientific to the extreme, fear-mongering.

    In your example, based only on the statistics you provided, there were 11099x0.0109 or 120 people in the central time zone *in their sample*, which is the sample size of UTC-6 users.

    Their data is useless.

    In comparison, https://panopticlick.eff.org/i... has almost 5-million in their database. This is somewhat more helpful.

  8. Why don't browsers clean it up? by tlhIngan · · Score: 4, Interesting

    GIven most of the data is what's reported by a browser, why don't browsers filter the data?

    Especially if "Do Not Track" is set to on - why don't they limit the data to send back?

    Fonts - Microsoft released 6 fonts for the web over a decade ago - just report those 6 across all platforms and maybe a few standard system ones (you can get this from the User-Agent anyways). Make it whitelist of fonts.

    Sure, some data is gathered through plugins, but I thought many are now click-to-run so you can't get that data unless you specifically run those plugins.

    Is there a reason why browsers like Firefox return everything?

  9. Re:I'm a special snowflake apparently. by KiloByte · · Score: 3, Interesting

    The problem is not in fonts (on non-embedded there's no such thing as too many good fonts!), but in letting a random webpage poke that deeply into your system.

    The message "No Flash or Java fonts detected" suggests who the culprits are. Flash belongs behind FlashBlock, Java belongs in /dev/null.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  10. Re:I'm a special snowflake apparently. by Pieroxy · · Score: 4, Informative

    What are you talking about? Browsers don't send installed fonts list to anybody!

    The detection occurs when in CSS you specify font-family: XYZ. This is going to be displayed in the default font, unless the font XYZ is installed. By analyzing the width of the element you specified the font for (or drawing it into a canvas element) you can distinguish the cases where the font is installed from the case where the default font is used instead.

    Hard to circumvent...

    --
    Write boring code, not shiny code!
  11. Re:I'm a special snowflake apparently. by Pieroxy · · Score: 4, Informative

    This page will detect the fonts on your system without Java or Flash.

    --
    Write boring code, not shiny code!
  12. Re:I'm a special snowflake apparently. by rudametkin · · Score: 4, Interesting

    But I wonder why my browser needs to provide details about the plugins I have installed to any website I visit. What kind of legitimate use could that have?

    Sites recover the plugin list to see if you support whatever content they want to send you. If you don't have a certain plugin the site can fallback to some other way of displaying the information or it can refuse to do anything. For example, trying Flash to diplay a video then falling back to html5.

    Is it useful ?
    Somewhat, albeit less and less with html5. Also, there's many plugins sites don't need to know about, as for example a pdf plugin. Some plugins should be totally transparent because they don't interact with the site.

    Is it bad for anonymity? Yes, it's terrible.

  13. Re:Not impressed by rudametkin · · Score: 3, Interesting

    Your understanding of their last statement is mistaken. The 1 over 11099 has nothing to do with the above statistics. It only says that of the 11099 browser tested, there are only 1 with the union of the above elements.

    You're spot on, that's exactly what it says.

    How big a set is, is irrelevant when considering its union with one or multiple other sets.

    However, what the statistics do tell you is which of those parameters is more or less common with the ensemble. Eliminating a rarely occurring parameter could move you to a more common set intersection, making you thus less traceable. But deducing the union probability from the set statistics is not trivial, if possible at all without further constraints.

    We're looking into putting in a recommendation system to help users improve their anonymity.

    But I am wondering if 11099 trials can be considered significant in this case. There are looking at 6 or more parameters which have countless possible values.

    It's sufficient for us to do quite a bit of analyses on the data and to possibly implement and provide the recommendation system. The data is however highly skewed towards geeks and towards user's in France (a.k.a french geeks!).

    Disclaimer: a couple of colleagues and I created amiunique.org to get some data to understand fingerprinting better. It's a small student project but we feel there's potential. We were not ready for so many people to take an interest :)