Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Site Checks Your Browser's Fingerprint

Posted by EditorDavid on from the unique-identifiers dept.

"Does your web browser have a unique fingerprint? If so your web browser could be tracked across websites without techniques such as tracking cookies..." warns a new site created by the University of Adelaide and ACEMS, adding "the anonymization aspects of services such as Tor or VPNs could be negated if sites you visit track you using your browser fingerprint." AnonymousCube contacted Slashdot about their free browser fingerprinting test suite: On the site you can see what data can be used to track you and how unique your fingerprint is. The site includes new tests, such as detecting software such as Privacy Badger, via how social media buttons are disabled, and CSS only (no JavaScript or flash) tests to get screen size and installed fonts.
If you're serious about privacy, you might want to test the uniqueness of your browser's fingerprint.

67 of 104 comments (clear)

  1. "if you're serious about security" by Anonymous Coward · · Score: 5, Informative

    you've known that browser fingerprinting is real and beimg used for years.

    1. Re:"if you're serious about security" by Mikkeles · · Score: 1

      Yes; the only real value to such a new site is if they informed us as to what can be done to defeat it.

      To my mind, it would be better for a server to tell us what it supports rather than for us (the client) to tell what we support.

      --
      Great minds think alike; fools seldom differ.
    2. Re:"if you're serious about security" by Joce640k · · Score: 2

      Noscript works.

      Enabling noscript switches my browser from 'unique' to 'one in 24'.

      --
      No sig today...
    3. Re:"if you're serious about security" by Hylandr · · Score: 1

      Browse the web through a VirtualBox instance running from an image downloaded daily from Github that is shared by thousands or millions.

      Done.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    4. Re:"if you're serious about security" by GNious · · Score: 1

      Make a plugin, that randomizes some of the tracked values?
      Sometimes it reports an extra font, sometime removes a font from the list, sometimes add a random plugin's name, perhaps occasionally change the reported OS ...

    5. Re:"if you're serious about security" by Z00L00K · · Score: 1

      And the site seems to be slashdotted now.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    6. Re:"if you're serious about security" by vux984 · · Score: 1

      Yes. But then you need to agree on such a virtual image, the browser, the addons, the settings of the browser. Do they use adblock plus or ublock origin?

      Then you need to run it through a proxy or tor.

      And then you have to not log in anywhere.

      And then you have the problem that the fingerprinting folks can if they wish, detect this one particular configuration, and display the page as a 'An error has occurred. Your browser configuration is not compatible with this site." And in the process nuke the utility of the image.

    7. Re:"if you're serious about security" by mrchaotica · · Score: 1

      Yes. But then you need to agree on such a virtual image, the browser, the addons, the settings of the browser. Do they use adblock plus or ublock origin?

      What we need is a service that allows participating sites to publish the trailing most common configuration in real time, coupled with a browser extension that forges the reporting of your settings (regardless of what they actually are) to match.

      Obviously, the fact that the "participating sites" will not include the most popular sites (which are heavily invested in tracking and thus not sympathetic to the cause -- or trustworthy anyway) means that we'd end up mimicking the most common configuration among privacy nuts instead of among the public as a whole, but even that is better than nothing!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    8. Re:"if you're serious about security" by Mike+Van+Pelt · · Score: 1

      I use NoScript on Linux, and got "Your browser fingerprint appears to be unique among the 13,318 tested so far." It'll be interesting to see how unique that stays after a larger number of samples are collected, but that's fairly impressive.

  2. well by Anonymous Coward · · Score: 1

    i don't ise a browser, i use telnet and type all of my headers by hand.

    1. Re:well by houstonbofh · · Score: 1

      So that is a very unique fingerprint. :) Truly secure behavior would be very unusual, and narrow it down to a very small group. For true anonymity you need something that is confusingly similar to a lot of others. Like the TAILS boot cd.

    2. Re:well by arth1 · · Score: 2

      Fortunately or unfortunately, this site doesn't even work with non-graphical browsers with images enabled by default. They use a CAPTCHA that has no fallback method, so they just won't capture those who use browser that won't download the CAPTCHA by default.

      [...]

            a a a a a a a a a a a a a a a a a a

            Please type the letters from the image into the box below.

            CAPTCHA was incorrect. Please try again.

    3. Re:well by AHuxley · · Score: 1

      Just looking for some software gets a user on a list :)
      "Whether you're a regular user of Web privacy tools like Tor and Tails, or you've just checked out their websites, the NSA could be tracking your online movements, a new investigation reveals."
      http://www.cnet.com/news/nsa-l... (4 July 2014)

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:well by Mashiki · · Score: 1

      Telnet? Filthy hipster. Real people use a combination of finger and gopher.

      --
      Om, nomnomnom...
    5. Re:well by Z00L00K · · Score: 1

      Seems like the site needs some work since all I get is "CAPTCHA was incorrect. Please try again" even when filling in the captcha.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  3. FTFY by QuietLagoon · · Score: 5, Funny

    ...If you're serious about privacy, you might want to test the uniqueness of your browser's fingerprint. ...

    If you're not serious about privacy, you might want to register your browser's fingerprint with that site. :)

    1. Re:FTFY by jeepies · · Score: 1

      Doesn't really matter whether your register it or not. Any website you visit is capable of recording it.

    2. Re:FTFY by KiloByte · · Score: 1

      And they do record it. Try for example browsing with Canvas Blocker with notifications on. Pretty much every major site will trigger it.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:FTFY by KiloByte · · Score: 1

      Dp they use Canvas for drawing or for reading what they've drawn? It's hard to come up with a valid reason for reading, while it's use for fingerprinting is ubiquitous (due to being included in some bloat.js library).

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. Utility and deviance of the User Agent by hcs_$reboot · · Score: 1

    The User Agent sent by my browser (Chrome) gives the web server enough information to adjust the page to my device, would it be a desktop, a mobile phone, or the kind of browser... But my UA gives, among others: 1) exact version of the (Mac) OS a.b.c, 2) exact version of chrome a.b.c.d which is IMO too much info. The OS and Chrome should be limited to 2 numbers a.b. We all remember the infamous IE6 ... with only ONE number the web server had enough information to understand it has to deal with a crappy browser.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Utility and deviance of the User Agent by houstonbofh · · Score: 1

      It is not just a refer. How about if it queries what fonts you support? Any of them not standard? How about media support? What java and flash are you on? What is your screen resolution? Browser window size if not full screen? There is a lot to catch...

    2. Re:Utility and deviance of the User Agent by NotAPK · · Score: 4, Informative

      "It is not just a refer. How about if it queries what fonts you support? Any of them not standard? How about media support? What java and flash are you on? What is your screen resolution? Browser window size if not full screen? There is a lot to catch..."

      HTTP is request based. The client asks for what it needs: the server does not push out what it thinks the client needs.

      Font support: the server has no need to know about my fonts. The CSS should suggest the preferred fonts, but if I don't have their preferred font installed then my browser will substitute. The server never needs to know this.

      Media: my browser will ask for the media it wants to display. If it can't display media it won't ask for it. If it asks for something complex, like a movie file (for example) and the file downloads and then it is unable to handle the file, then surely this should have been managed my correctly identifying the MIME type of the file. The browser can then terminate the download, knowing that it won't be able to play it. Yes, I appreciate codecs make this trickier than it has to be: HTML5 should have fixed this. Comments?

      Screen Resolution: none of the server's business.

      Window Size: again, none of the server's business. If your website is so crappy that it must autosize in some stupid [yes, there are **few** caveats] way then this should be done using local JavaScript.

      So, provided I haven't pissed everyone off: assuming all clients implement the HTTP standards correctly and uniformly, please remind me why the server needs to know anything about the client?

    3. Re:Utility and deviance of the User Agent by houstonbofh · · Score: 2

      Window Size: again, none of the server's business. If your website is so crappy that it must autosize in some stupid [yes, there are **few** caveats] way then this should be done using local JavaScript.

      This is now used in html5 websites extensively to decide if you will have a menu bar or a hidden menu. It is the desktop vs mobile for websites thing that Google actually looks for and grades you on. The rest is also very common in the "rich web experience" that is common now and most browsers support this. Go to the panopticon page and see. It will show your screen resolution.

    4. Re:Utility and deviance of the User Agent by houstonbofh · · Score: 1

      Oops. https://panopticlick.eff.org/

    5. Re:Utility and deviance of the User Agent by Actually,+I+do+RTFA · · Score: 1

      Well, for the media, I can imagine cases where I have the same asset in a variety of formats (because I really want you to see ti if you're on my page) and I want to make sure you get it in a format you can use.

      --
      Your ad here. Ask me how!
    6. Re:Utility and deviance of the User Agent by Bite+The+Pillow · · Score: 1

      Several popular toolkits generate fancy charts and graphs as images, server side, and provide them as images. And for testing, it is useful to know the most common browser sizes. Because CSS and HTML in general let things flow and get cocked up.

      Finally, the client and servers both need to reflect standards completely and accurately, which is a huge assumption. Much better to control your fingerprint, because your vision of reality is just not going to happen. Or preach to the choir if you really need to vent.

    7. Re:Utility and deviance of the User Agent by UnderCoverPenguin · · Score: 1

      For example Firefox used to have a plugins.enumerable_names preference so you could control whether or not a website could figure out which addons and extensions are installed (a big source of fingerprinting data). But they removed the preference last year and now every website gets to sniff your plugins again.

      That's called "Kissing the hand that feeds you." Mozilla received a lot of money from Yahoo. And Google before that.

      --
      Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
  5. Re:On (Cron) FrontPage.Post.FireHose.getLatestTren by Anonymous Coward · · Score: 1

    You don't need to sign everything you write. That little coloured bar above your post has your name on it. Idiot.

  6. Is there a reason to stop using panopticlick? by Anonymous Coward · · Score: 1

    panopticlick.eff.org for anyone who hasn't heard of it yet, though I really can't imagine there's a whole lot of people on Slashdot who haven't heard of it...

    1. Re:Is there a reason to stop using panopticlick? by houstonbofh · · Score: 1

      They added some new audio testing that may defeat things like TAILS for uniqueness.

  7. Old site also checks your browser's fingerprint by wonkey_monkey · · Score: 5, Informative

    https://panopticlick.eff.org/

    --
    systemd is Roko's Basilisk.
    1. Re:Old site also checks your browser's fingerprint by houstonbofh · · Score: 2

      That link is on the webpage of the test mentioned as well.

    2. Re:Old site also checks your browser's fingerprint by Anonymous Coward · · Score: 1

      this submission reeks of being paid for, though. editors of /. SHOULD know that there is absolutely nothing "new" about a web site that can evaluate your browser for this... and i look at .INFO domains as being worthless, scammy and malware infested by default.. because odds are, they are... so no visit from me, tyvm, take your browser and ip sniffing and data compiling site and gtfo.

    3. Re:Old site also checks your browser's fingerprint by Anonymous Coward · · Score: 1

      It totally doesn't, though. At least, not if you have JS and redirects disabled. One notable thing about the new test is that it still works with damnear everything except css/images disabled.

    4. Re:Old site also checks your browser's fingerprint by BitterKraut · · Score: 1

      In fact, browserprint.info looks exactly like the panopticlick.eff.org site I used to know, while the latter now shows much less info than it used to. Am I getting senile, or what's going on here?

    5. Re:Old site also checks your browser's fingerprint by Anonymous Coward · · Score: 1

      The old information is there, but it's now buried in an "advanced" link below the test results.

    6. Re:Old site also checks your browser's fingerprint by Pinkbunnyman · · Score: 1

      If it fails to run on my browser do I fully pass?

  8. Fingerprint Randomizer by crow · · Score: 4, Insightful

    People have talked about browser fingerprints for years, but I haven't heard any solid reports of sites making use of them. For example, news sites that limit you to a few free articles before paywalling you are easily viewed in a private window or with self-destructing cookies.

    If this becomes a real issue, then a browser extension that sanitizes and randomizes the fingerprint would defeat the process. Some aspects might be harder to sanitize or randomize than others, but with a bit of effort, fingerprints could be rendered useless.

    Maybe this should be the next extension offered by the EFF.

    1. Re:Fingerprint Randomizer by Anonymous Coward · · Score: 1

      Really want to drive them nuts?

      An extension that sets your fingerprint data to be the exact same as everyone else. That would be amusing.

      Browser do leak way too much information, though. For example, why does my browser expose monitor contrast level? Why is my user agent a long string of crap and not just "Chrome/51"? Why does it expose the fonts that I have installed?

      And really, given that web standards have become so standard, why does the server need to know my user agent at all? Wasn't XHTML+CSS+Responsive Design supposed to solve the problem of rendering the same content on different platforms and screen sizes?

    2. Re:Fingerprint Randomizer by Anonymous Coward · · Score: 3, Interesting

      > I haven't heard any solid reports of sites making use of them.

      I installed CanvasBlocker which has a setting to alert me every time the fingerprint is queried.

      So far I've noticed it on every page of github.com, the front page of pof.com, every page on medium.com, accounts.firefox.com - there are probably lots more, but I disable javascript by default so most sites don't even get a chance to fingerprint me.

      Canvasblocker randomizes on every page load. I think that makes you stand out more. I use task-specific profiles in firefox (e.g. banking profile, facebook profile, gmail profile, etc) and in most of those profiles I use Canvas Defender which lets you manually generate a new fingerprint and then keep it indefinitely but it doesn't warn you when a site is trying to take your fingerprint.

    3. Re:Fingerprint Randomizer by houstonbofh · · Score: 2

      But most of this fingerprinting is actually supported settings and are needed to display things correctly. Yes, you could set for least common denominator, but that means no video compression, and mp3 only audio.

    4. Re:Fingerprint Randomizer by Anonymous Coward · · Score: 4, Interesting

      > An extension that sets your fingerprint data to be the exact same as everyone else. That would be amusing.

      It would be ineffective unless a TON of people were using it. Until then it would just make you stand out more because they could easily recognize you as having that extension installed and then combined with all your other info (ip address, user agent, timezone, screen size, list of installed fonts, etc) you'd still be trackable.

      > For example, why does my browser expose monitor contrast level?

      It doesn't. YOU exposed it. When you filled out that captcha. The image in the captcha has a character that is invisible on low contrast monitors. So they discriminate your monitor contrast based on whether or not you typed in that character.

    5. Re:Fingerprint Randomizer by Zocalo · · Score: 3, Interesting

      Or you could be a little selective and just reduce the number of things that help make your fingerprint unique. That's the biggest failing in these fingerprinting sites so far; they don't really help you figure out how to do that, and what the effects on your fingerprint's uniqueness might be if you did to help you decide whether it's worth the effort or not. What I'd like to see is each parameter have a way of telling me right there what the common value options for that parameter are, they effect on your fingerprint of setting it to that value, and some suggestions as to how to go about doing that, especially where it's something as simple as downloading the US-English version of a browser intead of the UK-English one.

      --
      UNIX? They're not even circumcised! Savages!
    6. Re:Fingerprint Randomizer by Anonymous Coward · · Score: 1

      You mean like BlendIn? Yeah, I've been using that for years and given the multitude of factors that go into fingerprinting browser requests, it doesn't do shit. All it does is falsely drive up the amount of Windows 7 hits in log files, because I appear to be a win7 user and not a lunix (gentoo) user. The issue isn't the user agent string, it's everything else.

      Even using something that's supposed to be homogeneous like the tor browser is actually very fingerprintable in many cases.

      You are right about web standards, though. Man, they really have become so standard lately.

    7. Re:Fingerprint Randomizer by AHuxley · · Score: 1

      How unique would a very average resolution, new OS and new browser be in a VM become?
      The problem then becomes how unique the user wants to be with other settings. No flash? Fonts used, Do not track set, blocking ads, like/share buttons blocked, WebGL Renderer..
      A default new browser, same OS every time from a VM? A browser that pools a lot of users real settings to present very random data back might be fun.
      How unique are countermeasures to the fingerprint issue :)
      Just the habit of a user to always install ad blocking or select one OS and hardware over another... the need to fix a list of defaults becomes tempting and telling.

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:Fingerprint Randomizer by houghi · · Score: 1

      I believe that Google uses them. I delete everything when I start browing on YouTube. I do not log in, yet the results are clearly influnced in previous searches and the like.
      I also block doubleclick and other sites as much as possible.
      As Google is all about getting data, why would they NOT use it?

      OTOH they are unable to read the prefered language of my browser and rather give me a language depending on location (Fun if you live in Belgium), so perhaps they ARE too stoopid to do so.

      --
      Don't fight for your country, if your country does not fight for you.
  9. Re:er, this is not a good idea by houstonbofh · · Score: 4, Informative

    It is a fork of https://panopticlick.eff.org/ and about the same thing with a few more tests. And I am unique on both.

  10. Re:er, this is not a good idea by Anonymous Coward · · Score: 1

    So they know exactly who you are.

    The goal is NOT TO BE UNIQUE.

  11. Re:er, this is not a good idea by Anonymous Coward · · Score: 1

    I still just don't trust it. The US makes me afraid lately. I don't care how much PR they pump into being 'the good guys' their evil as hell and I don't think the rest of the world would shed a tear if the whole place got turned into a glass desert.

  12. Re:On (Cron) FrontPage.Post.FireHose.getLatestTren by Fwipp · · Score: 4, Funny

    Pssh, like that can't be forged.

    -dk

  13. Spoof fingerprints the next thing by Wild_dog! · · Score: 1

    I suppose if peoples unique browser fingerprints will be able to be tracked then the next thing is randomized fake browser fingerprints.

    Technology always provides.

    1. Re:Spoof fingerprints the next thing by houstonbofh · · Score: 1

      Technology always provides.

      On both sides. Look at the old EFF one with no script, and it finds a LOT less. Look at the new one with no script and it still finds most things.

    2. Re:Spoof fingerprints the next thing by Wild_dog! · · Score: 1

      Yes Tech provides on both sides.... in an ongoing fashion.

      Not sure what you are referring to in terms of the "old EFF one with no script".
      Can you explain that reference to me in more detail. I fear I am ignorant on the subject to which you are referring.

      Thanks in advance.

    3. Re:Spoof fingerprints the next thing by houstonbofh · · Score: 1

      The noscript plugin blocks javascript from running in your browser. That is how the EFF page got most of it's data. So with noscript active, it has a harder time identifying you. The new site does not have this problem.

  14. So what can we do? by qintar · · Score: 1

    I see a lot of posts about how to measure the "uniqueness" of your signature. But what (if anything) can be done about it?
    Is this a standards issue? Or are there plug-ins that can mitigate some of this?

    1. Re:So what can we do? by houstonbofh · · Score: 1

      TAILS is a damn good start. Any Live CD will help. But this new system also tracks a lot of hardware, so it will be limited... Ideally, TAILS running in a VM on VirtualBox is probably going to be the most common thing.

    2. Re:So what can we do? by Actually,+I+do+RTFA · · Score: 1

      The EFF panopticon page not only measures your uniqueness, but it also identifies the most distinct parts of your signature. It offers some solutions to shrinking your fingerprint. https://panopticlick.eff.org/

      --
      Your ad here. Ask me how!
  15. Hold on a minute by fred911 · · Score: 1

    I "finger printed" my browser and the website reported two different fingerprints. I changed nothing. So the UUID the website says is my fingerprint (by itself) is basically useless for tracking this browser.

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  16. Re:er, this is not a good idea by houstonbofh · · Score: 1

    Neither do we! And it will get worse when one of those two bozos running becomes president. (And keep in mind that a people and a government are different. Some times VERY different.)

  17. Re:er, this is not a good idea by houstonbofh · · Score: 1

    I can be less unique if I need to be. More importantly, I can be a different unique person when I really need to be. The trick is remembering to never let unique person A access a forum used by unique person B.

  18. Re:EFF offered this years ago... by houstonbofh · · Score: 2

    Oh for fucks sake! It is the University of Adelaide and it is in the fucking summery! And the EFF website for the same thing is on their page! And a tiny bit of effort would tell you that they have overcome the measures put in place to block a lot of the old tracking, like no script.

    Did you have nothing to add other then FUD in your post?

  19. Re:EFF offered this years ago... by destinyland · · Score: 1

    Here's a blog post on the University of Adelaide's web site linking to the browserprint.info URL, if there's any doubt...

    https://www.adelaide.edu.au/ne...

  20. Re:er, this is not a good idea by AHuxley · · Score: 1

    AC they have via "GCHQ Created Spoofed LinkedIn and Slashdot Sites To Serve Malware" https://news.slashdot.org/stor...
    The way out is not be a very interesting person online.
    Visit the same news sites, run the same updates. Been repetitive to the same short list of news sites, sports, games is not interesting to the security services.
    They want to follow interesting people into newly formed sites, forums, chats, web 2.0 and then get back into their more secure computer usage or get admin rights over larger invite only online groups.
    The main issues is collection has to be online as thats all the gov's can collect from. Larger teams in shifts been detected wandering around getting overtime watching one person is an issue in very inward looking communities and many sections of cities.

    --
    Domestic spying is now "Benign Information Gathering"
  21. Test More Than Once by DERoss · · Score: 3, Interesting

    Visit the test Web site more than once. If subsequent visits indicate that you remain unique -- that you are the only one out of all visits including your own prior visits -- then you are somewhat safe from tracking. Even better is when it reports inconsistent results from several visits within a short period of time. I did that, and the report was that I was unique twice relative to HTTP_ACCEPT Headers. Also, the Monitor Contrast Level was not the same for two consecutive visits.

    I get this result by installing the Secret Agent extension from https://www.dephormation.org.u.... Panopticlick has similar problems characterizing my browser. And various Web sites that attempt geolocation have me all over the globe.

  22. Stop reducing the fingerprint, increase it by allo · · Score: 1

    Change so much on each visit, that you're unique every time. You will not eliminate all data, but if everything is zero except one identifier, i get you using this one. If everything always changes, i always think i identified somebody new.

  23. Re:Restore VM snapshot by allo · · Score: 1

    Always the same snapshot, always the same fingerprint.
    You at least need to share your vm with a lot of people to be secure.

  24. Re:Font detection issues? by peawormsworth · · Score: 1

    Your question is good. I ran it on a tor-browser and the only real identifier was the CSS font list, which is said was unique.

    Does anybody know if this is a bug, or does is a tor-browser uniquely identifiable based on unique font lists per installation.