Slashdot Mirror


EFF Launches Panopticlick 2.0 (eff.org)

Peter Eckersley writes: The EFF has launched Panopticlick 2.0. In addition to measuring whether your browser exposes unique — and therefore trackable — settings and configuration to websites, the site can now test if you have correctly configured ad- and tracker-blocking software. Think you have correctly configured tracker-blocking software? Visit Panopticlick to test if you got it right.


  1. interesting by Noah+Haders · · Score: 3, Interesting

    2 interesting things about panopticlick: first, they report on browser fingerprinting, which is notoriously hard to defeat. second, they encourage users to allow ads from websites that purport to respect Do Not Track. there's no way to know if they actually respect it, and companies like google and facebook have been bald-faced liars in saying they respect it when they actually don't.

    1. Re:interesting by Anonymous Coward · · Score: 3, Informative

      browser fingerprinting, which is notoriously hard to defeat.

      A large part of fingerprinting is done via javascript. Disable javascript and you remove their ability to query all kinds of things about your browser that they use for fingerprinting.

      It's not everything though. You still need to genericize your user agent string, and a few other things. But javascript queries are about 80-90% of what goes into fingerprinting.

    2. Re:interesting by bluefoxlucid · · Score: 2

      They want you to install their EFF extension so they can monitor your privacy.

    3. Re:interesting by buchner.johannes · · Score: 2

      2 interesting things about panopticlick: first, they report on browser fingerprinting, which is notoriously hard to defeat.

      Would it help to add some randomisation into the properties? Quick googling suggests it might be a solution, and there are some plugins: https://addons.mozilla.org/en-... https://www.dephormation.org.u... https://addons.mozilla.org/en-...

      You would have to not only change the random agent though (which may hide the fact you are running Linux or 64-bit vs. 32-bit). The plugin string is also pretty damning -- which version of Flash you have (and additional plugins, etc). For any GNOME user, the gnome Firefox plugin is a give-away.
      It would be useful if there was an extension that shows plugins to a site only on request (the gnome plugin is only important for extensions.gnome.org), Flash may be only important for a few websites of your choosing. That does not exist at the moment.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    4. Re:interesting by Noah+Haders · · Score: 1

      presumably you just need to change one property? If they are just hashing together all these settings, this would scramble everything...

    5. Re:interesting by buchner.johannes · · Score: 1

      You do not want a unique hash, you want to have the same hash as everyone else. So every field value has to be common to avoid fingerprinting.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    6. Re:interesting by Noah+Haders · · Score: 1

      it's ok to have a unique hash as long as your hash is always changing.

    7. Re:interesting by Peter+Eckersley · · Score: 3, Informative

      Well, our source code is available so you can check that we do not monitor what you do with your privacy :). But if you don't like Privacy Badger, try Disconnect, ublock, AdAway, AdBlock or Adblock Plus(though you'll need to manually subscribe to Easy Privacy for AB and ABP)!

    8. Re:interesting by G00F · · Score: 2

      You're both right. Returning fingerprints that are not as unique and changing. But then you still have cookies and your IP.

      But I'm conflicted, as data like User Agent (OS info) and the window/screen sizes are very useful, and making them useless hurts those creating the sites.

      EFF's tool also shows so many bits of information, even getting rid of a dozen won't change much. I would assume trackers would take into consideration browser version changing and methods to track that can also overcome random.

      --
      The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
    9. Re:interesting by Noah+Haders · · Score: 1

      I think randomizing some of the bits (as opposed to blocking them completely) would make a good bit of difference. Imagine this problem:
      * match a fingerprint against a database, assuming all bits are correct: easy, there's only one database call.
      * match a fingerprint against a database, assuming one bit is incorrect: harder,
      * match assuming only n out of N bits are correct and the rest are randomized (although you don't know which): incredibly hard.

    10. Re:interesting by green1 · · Score: 1

      Absolutely! Why on earth would the EFF tell you that you should blindly trust sites that claim they honour DNT? We all know that basically everyone has their browser set to DNT, basically all malicious advertisers claim to honour it, and in reality nobody does. Why would I intentionally disable my tracking blocking for someone who lies and says to trust them? Shame on you EFF!

    11. Re:interesting by unixisc · · Score: 1

      I visited that site from Chromium. It asked me to confirm whether my carrier is Charter, then took me to a page where I could select a free gift. Nothing about whether my browser has been breached

    12. Re:interesting by bluefoxlucid · · Score: 1

      A lot of the privacy wargarble is unsubstantiated. Facebook and Google are mining your information, and we have tracking cookies to deal with; the vast majority of outcry is at Internet-connected services that don't bother with any of that. Even the cry about Amazon is overblown: Ubuntu goes and searches Amazon for products when you type into Unity search, and people lose their shit like Amazon is generating a profile on them somehow and filing it with their medical history.

  2. doesn't work without javascript by Anonymous Coward · · Score: 4, Informative

    The site doesn't work at all for me. Presumably, it requires javascript, which is exactly what nobody should be enabling by default. Javascript has been one of the largest exploit vectors of the modern web. It should at best be whitelisted on a very, very few sites such as trusted banking and finance sites. But absolutely not enabled in general - that's a big part of how people's systems end up severely jacked.

    1. Re:doesn't work without javascript by Anonymous Coward · · Score: 2, Informative

      Absolutely true. However, any site you're going to use for transactions is going to use it also. And they're the ones who are also tracking you with dozens of bots.
      So yes, you're safe from casual snarfing as you google stuff, but go to pull the trigger on a shopping cart and you're naked to ALL of them, unless xyz ghostery etc.

      Blocking javascript won't stop that but it IS the #1 step in securing your browser generally.

    2. Re:doesn't work without javascript by bentcd · · Score: 1

      Except you got the results for someone who allows redirects, rather than the results for you.

      --
      sigs are hazardous to your health
    3. Re: doesn't work without javascript by grub · · Score: 1

      What? No it isn't, stop spreading FUD. The biggest issue is retards downloading exes with names like hot-tranny.mp4.exe and running them

      Being Slashdot, I assume you mean "wine hot-tranny.mp4.exe"

      --
      Trolling is a art,
    4. Re:doesn't work without javascript by Blue+Stone · · Score: 1

      What I want to know, is why Firefox doesn't protect against this kind of fingerprinting.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    5. Re:doesn't work without javascript by Peter+Eckersley · · Score: 3, Informative

      Yes our simulation of third party tracking involves visiting three synthetic first party domains that share a third party tracker. That works if you have various types of blockers installed, or if JavaScript is disabled. But if you have a browser that both blocks JS and blocks redirects or blocks absolutely all loads of tracking domains (eg via an /etc/hosts blacklister like AdAway), the test won't work. Congratulations, you have pretty good protections in place :)

      We're going to provide a fingerprinting-only URL for Panopticlick 2 that works even for people with a NoScript + AdAway or NoScript + redirect blocking, will post a link on the site when it's ready.

  3. Re:poor tool by NMBob · · Score: 1

    And they encourage you to share your results on FB/T/G+. Huh?

  4. Separate browser use by Kludge · · Score: 2

    Use different browsers for different web sites. I use firefox, seamonkey, chromium, konqueror, each one for a different kind of browsing (banking & bill payments vs. shopping vs. videos, etc.) At most they can figure out only a quarter of what I do online.

    1. Re:Separate browser use by Anonymous Coward · · Score: 1

      Well if all those requests for your different browsers come from the same IP, they can be easily tied to the same identity that way.

      It might work if you can masquerade as 4 different (and totally unrelated) IPs, such as through VPNs, and get the same VPN for the same browser each time.

    2. Re:Separate browser use by Noah+Haders · · Score: 1

      Use different browsers for different web sites.

      *wink*

    3. Re:Separate browser use by Noah+Haders · · Score: 1

      you just need one VPN. All of your browsers will have the same IP, but so will 10,000 other browsers from other users on that VPN.

  5. SELinux triggered by RevRagnarok · · Score: 1

    Nice. I just had an SELinux popup saying that plugin-container was trying to do something... also a pop-up about "fonts" trying to run so I said "nope."

    --
    I should put something clever here. Maybe someday.
  6. More interesting if ... by MacTO · · Score: 1

    It would be more interesting if they would suggest configuration changes to produce a non-unique fingerprint. Their only suggestion is to use an extension like NoScript, which they admit is impractical.

    I can see ways to make fingerprinting less effective, at least among privacy oriented individuals, but it needs something like Panopticlick to collect and analyze data in order to recommend optimal, non-unique fingerprints. In some cases this can be handled by browser settings. In other cases, it may require some sort of add-on. Yet it should be possible to create non-unique combinations.

    The best that I can do with the present setup is to guess how to configure my browser to make it less unique. For individual parameters, it is quite effective. Yet the only way to create a unique fingerprint is by sheer luck.

    1. Re:More interesting if ... by The+Eight-Bit+Link · · Score: 1

      The most identifying piece amongst the people I talked to is fonts. Fonts are what made my browser completely unique in Panopticlick. Are there tools that will either hide your font list from trackers or produce a random one each time so it's harder to keep a fingerprint on you?

  7. Re:poor tool by MacTO · · Score: 1

    In their defense, this is not about security. It is about how easy it is for a third party to track individuals based upon the properties of their web browser. Many of those properties are obtained through scripting. While turning off scripting will make you less identifiable, it seems to defeat the point that they are trying to make.

  8. 21.56 bits on fonts alone, another 11 on plugins. by jthill · · Score: 1

    Time to present a limited set of fonts and plugins to untrusted urls?

    --
    As always, all IMO. Insert "I think" everywhere grammatically possible.
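The "bits of identifying information" that the thread keeps coming back to (the unique-vs-changing hash debate above, and the 21.56 bits on fonts in this post) worked through on a constructed sample. This is an added example, not code from the thread or from EFF's Panopticlick; the attribute names, the values and the visitor record are all made up, and a tracker is modelled simply as something that matches on whichever attributes it trusts.

```python
import math

# Constructed sample of browsers a tracker has already seen (not real Panopticlick data).
OTHERS = [
    {"ua": "Firefox/44 Linux",  "fonts": "DejaVu,Liberation",       "plugins": "none",        "screen": "1920x1080"},
    {"ua": "Firefox/44 Linux",  "fonts": "DejaVu,Liberation",       "plugins": "none",        "screen": "1920x1080"},
    {"ua": "Chrome/48 Windows", "fonts": "Arial,Segoe",             "plugins": "Flash 20",    "screen": "1366x768"},
    {"ua": "Chrome/48 Windows", "fonts": "Arial,Segoe",             "plugins": "Flash 20",    "screen": "1920x1080"},
    {"ua": "Chrome/48 Windows", "fonts": "Arial,Segoe",             "plugins": "Flash 20",    "screen": "1366x768"},
    {"ua": "Safari/9 Mac",      "fonts": "Helvetica,Menlo",         "plugins": "none",        "screen": "1440x900"},
    {"ua": "Firefox/44 Linux",  "fonts": "DejaVu,Liberation,Gnome", "plugins": "Gnome Shell", "screen": "1920x1080"},
]
# The visitor being measured (constructed): identical to one Mac user above except for
# a single extra font, the kind of corporate-logo font mentioned in the thread.
VISITOR = {"ua": "Safari/9 Mac", "fonts": "Helvetica,Menlo,CorpLogo", "plugins": "none", "screen": "1440x900"}


def _matches(fp, others, ignore=()):
    """Browsers (visitor included) that agree with fp on every attribute not in `ignore`."""
    keys = [k for k in fp if k not in ignore]
    return 1 + sum(all(o[k] == fp[k] for k in keys) for o in others)


def surprisal_bits(attr, value, others):
    """Identifying bits in one attribute value: -log2 of the fraction of browsers sharing it."""
    n = len(others) + 1
    return math.log2(n / _matches({attr: value}, others))


def fingerprint_bits(fp, others, ignore=()):
    """Bits of the whole combination. Per-attribute bits do not add up, because attributes
    are correlated; the total is capped at log2(population). A tracker that knows an
    attribute is randomised drops it via `ignore` and matches on the rest, so randomising
    one field does not lower the bits; only sharing a common value does."""
    n = len(others) + 1
    return math.log2(n / _matches(fp, others, ignore))


def linkable(visit_a, visit_b, ignore=()):
    """Would two visits be tied to the same browser by a tracker that ignores `ignore`?"""
    return all(visit_a[k] == visit_b[k] for k in visit_a if k not in ignore)
```

With this sample the single extra font alone is worth 3 bits (1 in 8), and the four attributes sum to 7 bits while the whole fingerprint can only be 3, which is why Panopticlick's per-attribute figures overstate the total.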
  9. Re:This test seems better than EFF's site by KGIII · · Score: 1

    Heh... It has all sorts of funny and incorrect information (which is not its fault). I'm using a VPN and I'm connected by VNC to my home in Maine, and I'm using a VPN from there. (It's a long story, boredom was a big part in that choice.) But, I have a connection at my place here so I guess I can stop connecting to my home. Of course, the few computers that I had here are horribly out of date and the house cleaners didn't quite get everything ready for me in time (my fault) and now I have my doggy back with me. So, I'll get to getting these squared away...

    Anyhow, to get to my point, the test there was kind of nice. I enjoyed it, thanks. I'll check into their paid service after I see how well it works on Linux and when I get the time. It takes a few days to get a whole separate house up to speed. Add in a new lady friend, a dog and his human friend who rode down on the plane with him, and it gets hectic. I did download the .deb file and I made it a point to save it locally and at the remote site.

    In other words, if you're the owner of this site - then you may have made a sale. I'm usually spam averse but I do, at times, enjoy topical ads. If you are the owner then, for better or worse, I'd actually probably buy the product outright today (with less testing) as a backup had you simply disclosed that you were. Dunno if you're the owner or not but I figure I'll add that as it's topical and important to me.

    --
    "So long and thanks for all the fish."
  10. Noscript. Fonts. User Agents by billstewart · · Score: 1

    Mine came out much less unique than previous versions, because I had NoScript blocking much of it (even after I temporarily allowed evil-tracker.com and do-not-track.com or whatever their domains were called). User agent string was fairly unique. In the past, fonts have been the big surprise information leaker - my work machines all have a font loaded on them that's used to get $COMPANY_LOGO to render correctly, aside from any other fonts I've randomly added over the years.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks