Browserprint: are you uniquely identifiable? (browserprint.info)
72 points by zevv on Aug 1, 2016 | 45 comments


The Firefox "Random Agent Spoofer"* helps with this site at least. The biggest leak that needs to be plugged is the browser plugin details. Any obscure plugins at all are worth a lot towards unique identification. Why any script should be able to enumerate all plugins is beyond me.

* https://addons.mozilla.org/en-us/firefox/addon/random-agent-...


Using Panopticlick, system fonts seem to be worth a lot as well, which is strange to me as I feel like very few people ever touch their system fonts? Or do they change with different OS updates/patches?


Often applications come with their own fonts as well.


ahh, ok, thanks


To anonymize ourselves, we must know what common values are used for specific points of measurement by servers. Unless we set up our own website (such as this) how else will we know we are increasing our anonymity?

Turning everything off, or disabling plugins is a unique data point in itself; I am not sure we'd want to avoid leaking our plugin configuration as if that is the default, we are then a very unique data point. Instead, we would have to know what values are common, then report those to servers.

Edit: Also, the cited Firefox plugin doesn't seem to spoof the client's display resolution correctly[1]. With such plugins, I can imagine our profiles become increasingly unique, as it may present potentially numerous combinations of metrics to servers that are not typical in the wild.

[1] https://duckduckgo.com/?q=what+is+my+screen+resolution


If they can't get plugin information from any client.....


... then that is a means of hiding yourself among the masses. But if it's not enabled by default (when anyone downloads the browser to install) to hide your plugins, you will "stick out like a sore thumb" with your list inaccessible to servers.


> The biggest leak that needs to be plugged is the browser plugin details.

Check this: https://github.com/Mechazawa/Firefox-plugin-enum-disable (works in Chromium via Tampermonkey and Firefox via Greasemonkey)

EDIT: argh you wrote 'Plugins' not Addons...


Why do the browsers let the website know which plugins I have?

There are some things like Flash that should identify themselves, but those are few and far between, and the check should be feature specific and handled by the plugin.

Allowing every site to build a profile based on plugins [that is: a) fingerprint, and b) profile based on the plugins I use] is just an egregious violation of privacy.

At the very least, if there is some reason to expose browsers, let it be configurable.

Also, font testing should be made expensive [eg, one check per second]. Check if we have font "scrabble", OK, but not get list of all fonts.


Because browsers need to be able to declare what content can be displayed to the user. If we only had Flash it would be simple, but considering the amount of content delivery systems that each browser implements and the fact that they are not consistent there isn't much way around it. It's not true to claim that the browsers let anyone know which plugins you are running, this is limited to a specific subset of plugins that handle content.

There is no way to prevent "fingerprinting"; in fact, what you suggest seems to indicate that you are thinking about it the wrong way. You can disable these plugins but that creates a fingerprint on its own; if you only accept HTML (no HTML5 because it's also "evil") and no JavaScript, well then you are a more unique fingerprint than your vanilla Chrome with Flash, PDF, and a few WebM and DRM plugins. The only effective way of disabling fingerprinting is to make all browsers identical, and more importantly all hardware and software configurations that those browsers operate in also identical.

You also need to understand the value of each fingerprint: if you look at https://panopticlick.eff.org/, for example, then most of the fingerprints produced are useless; half of them are shared between 30-80% of all browsers. The most unique one was the HTTP_ACCEPT Headers in my case, which is unique for one out of ~1400 browsers, so that is something I can now use to see if this is something that can be fixed. The plugin fingerprint in my case is 1 out of 48 browsers; that is not unique in any case, and from what I've tested every latest Chrome install on Windows 10 without any additional content plugins (e.g. Java) has the same fingerprint.


You're missing that these things don't have to be taken in isolation.

If you've got 4 metrics each of which slice about "1 in 50" then taking the combination you've got a metric that is unique between 1 in 50 and 1 in 6.25 million (depending on correlation).

The "fingerprint" is all that information put together, not each taken in isolation.
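
Added example (not part of the comment above): the arithmetic behind combining metrics, measured on two constructed populations. The thread's 4 metrics at "1 in 50" are scaled down to 5 values per metric so every combination can be enumerated, giving a range of 1 in 5 to 1 in 625; all function names are hypothetical.

```javascript
// Constructed populations, not data from any real site.
// Each "browser" is an array of metric values (fonts, plugins, headers, screen...).

// How many browsers in the population match `target` on the given metric indexes.
function anonymitySet(population, target, metrics) {
  return population.filter(b => metrics.every(i => b[i] === target[i])).length;
}

// Surprisal in bits: log2(population size / anonymity set size).
function bits(population, target, metrics) {
  return Math.log2(population.length / anonymitySet(population, target, metrics));
}

// Independent metrics: every combination of K values across M metrics appears once.
function independentPopulation(K, M) {
  const out = [];
  for (let n = 0; n < K ** M; n++) {
    const b = [];
    for (let i = 0, r = n; i < M; i++, r = Math.floor(r / K)) b.push(r % K);
    out.push(b);
  }
  return out;
}

// Fully correlated metrics: one value determines all the others,
// as with identical stock installs of the same OS and browser.
function correlatedPopulation(K, M, size) {
  return Array.from({ length: size }, (_, n) => Array(M).fill(n % K));
}

// "1 in N" for each metric alone and for all metrics combined.
function report(population, target) {
  const all = target.map((_, i) => i);
  return {
    perMetric: all.map(i => population.length / anonymitySet(population, target, [i])),
    combined: population.length / anonymitySet(population, target, all),
    combinedBits: bits(population, target, all),
  };
}

const K = 5, M = 4; // scaled down from the thread's 50 values and 4 metrics
const target = Array(M).fill(0);
const indep = report(independentPopulation(K, M), target);
const corr = report(correlatedPopulation(K, M, K ** M), target);
console.log("independent:", indep);
console.log("correlated: ", corr);
```

Each metric alone looks the same in both populations; only the combined figure shows whether the metrics add information or repeat it.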


That only works when you actually have variance in the fingerprints greater than OS/platform based.

If I spin up 10 new Windows 10 machines install Chrome on them I would get the same fingerprints, oddly enough they would be identical to the fingerprints I'm getting on my own machine since I don't have any plugins installed (I do have multiple extensions).

The only real change in the fingerprint I've seen so far from my own internal testing is the screen resolution, and WebGL fingerprint (Intel/NVIDIA seem to produce a pretty identical one, AMD differs a bit).

However, the main point I was trying to get across is that while trying to minimize your fingerprint or exposure you create your own unique fingerprint in the process.

For example using adblockers these addons can easily leak not only which adblocker you are using but which lists / filters you have enabled, if you are a non-English native and you are using a localized list that exposes a lot of information.

Addons / extensions that block things like HTML5 Canvas also leave a fingerprint - you run a modern browser by all accounts but don't support Canvas? whelp you are up to something!

Same goes with WebGL and many other plugins/vectors.

The problem here is that content delivery relies on the browser being interrogatable for certain information; if that information is not correct then the content will not be displayed properly (which on its own can be detected). We want to move on from Flash, we want to move on from addons and plugins into more native stuff, but this came at a cost of platforms being more unique and diverse, which allows you to generate a more unique fingerprint. Creating a browser that generates random fingerprints also won't really help; unless everyone uses it you would again stand out of the crowd even more.

That said, however, without specific targeted exploitation I have not yet seen a tool, nor have I managed to make one, that creates a good fingerprint that can be easily used to identify a browser rather than just classify it and the platform it's running on.


> Also, font testing should be made expensive [eg, one check per second]. Check if we have font "scrabble", OK, but not get list of all fonts.

There's no way of doing that without making the whole browser really slow. Browsers don't expose any way to get a list of fonts: all you can do is try drawing some text with a given font "scrabble" and then see if it draws with different metrics to the fallback font. Therefore, you'd have to make every new font used on a page take a second before it got drawn, practically forcing every page to use a single font.


> Why do the browsers let the website know which plugins I have?

Just a guess: perhaps because sometimes, those plugins need to be interacted with from within javascript?


The server appears to be timing out but the title and concept reminds me of this: https://panopticlick.eff.org/


Is my browser uniquely identifiable? Yes! This is no surprise, not anymore at least.

I pass the first three tests here, but fingerprinting does the trick. About one in 50k browsers has the same fonts as me. About one in 30k browsers have the same addons and plugins. I bet those two don't overlap. Then there are several other variables like language that narrow it down if that is still needed.

They could try to explain how to make a browser not uniquely identifiable however. What browser configuration is not unique? What do I have to do to get that?


I believe that Tor browser is least uniquely identifiable. That's a major Tor Project goal. Ideally, all Tor users would be using the same browser, with no modifications. There is a privacy/security slider, but there are only four settings.


The site loaded for me, and says:

> Browserprint is a free open source project designed to provide the same and better functionality as the original Panopticlick.

(Though I'm not sure exactly what they've done to make it better... but the hat tip is there at least!)


And Panopticlick isn't exactly new. Have browser vendors done anything to deal with browser fingerprinting? It is a little concerning that now pretty much all browsers are developed or sponsored by companies that aim at monetizing their users' data (Google, Microsoft, Apple, Yahoo, etc).


So the "Do not track" header is another data point in the fingerprint worth ~1bit on its own. Has it actually had any benefits or should we just get rid of it?


DNT can't protect you against bad actors really. These are the people/companies that are honoring the DNT clause.

http://donottrack.us/implementations


I like how the site loads something from ajax.googleapis.com, with Google being known for not respecting DNT.


If you are so worried that you are identifiable - just use your iPhone, same hardware, same browser - same fingerprint (beside IP, which can be dynamic & useless) - so literally all iPhone users are the same user. (I was trying to make some start-up which required fingerprinting, but we pivoted =))


what's your startup doing now?


I bet it's really cool, however it seems the request never finishes. It could be that it only works if you have javascript and/or cookies enabled.


Seems to be a problem with overload.

But speaking of javascript, how many of the fingerprinting checks will not be possible if js is turned off? I could imagine that definitely all screen-related stuff is immediately killed.


Based on the number of websites which flat out collapse in the face of NoScript - being fingerprinted is probably not a problem. Of course, if you actually want to see the content you're probably boned unless the tracking gubbinz is hosted from elsewhere.


Apparently my CSS font list alone can uniquely identify my browser out of those tested so far, which is rather concerning...

Is there some Firefox extension I can use to spoof my font list to some subset of my existing font list to conform with some widely used system default? I do have some custom fonts installed, but I'd prefer random websites I visit to not know about them if possible.

Also, the way plugins are handled in Firefox has always bothered me quite a bit. I can disable them, but not remove them. What gives?


My HTTP_ACCEPT Headers uniquely identify me, but I think anyone with an OS set to french using the last chrome version would have the same header, so it's really not a big sample (13 709 currently).


I believe the servers are merely overloaded currently, since everyone's trying to visit it now.


Just wondering - would it be possible to send a header back to webservers forbidding them to fingerprint my browser? Would that have any chance legally?


If I understand it correctly, the way this fingerprinting works is just by using questions you need to show the website properly.

'What is your screen resolution? What HTML5 features do you support? Do you have this font/plugin?'

Bar giving up all those facilities, the best you can do is ask and hope they comply....


There's browser extensions that will fake all of those to a standard value. The tricky part is that with fingerprinting, depending on your chosen faked value you could end up being more identifiable, if not enough people use it.

For instance, you can change your user agent and headers to some generic Windows Chrome one but a savvy tracker will fingerprint your TCP connection and realise you are actually on a Mac, and that can be used as a further source of entropy to better identify you.

I've spent more time than is healthy looking into ways to uniquely identify devices on the internet. While the company I was working for was always on the safe side in terms of privacy, the more blackhat methods can be useful in collaborating with law enforcement to deanonymise Tor users (think pedophiles, not drugs).

Tor Browser devs have in turn been really good at hardening fingerprinting attack vectors related to it (and rightly so, browsers don't rape people — people rape people) but unless you're super paranoid it's not a great experience for the average user.

I think a better solution will come (at least in the EU) from the proposal to extend cookie law to any kind of fingerprinting (regardless of storage), which takes use case in account and can be enforced through big fines.


> There's browser extensions that will fake all of those to a standard value. The tricky part is that with fingerprinting, depending on your chosen faked value you could end up being more identifiable, if not enough people use it.

Couldn't this be worked around by reporting random values every time?


Kinda, but then the random values just become a flag for "has x browser extension installed" and the trackers will still use the things you can't change, like the OS networking stack, GPU, audio, etc. to track you.

It's very hard to get away completely... even with Tor, if you are the only person who uses Tor to visit a certain site you are as trackable as anyone else for that site.


...collaborating with law enforcement to deanonymise Tor users (think pedophiles, not drugs)

It would be interesting to see some reports on that question. Of course, the Law would never abide such accountability, but one can dream...


Well, in my experience it was done on a case-by-case basis and led through the great work of NGO "Thorn" (the one founded by Ashton Kutcher & Demi Moore).

I don't know about accountability, but we provided support in a proactive way and never more than we were comfortable with (no carte blanche access to data for LEOs, etc.)


My mistake; that certainly seems legitimate.


No, that doesn't work. 1. If this were purely based on a 'may I do this' concept, the server would simply ignore you. 2. It's actually 99% client-based; it's using questions that you can't really deny since it makes rendering any webpage useless. Unless you like empty screens as websites, it will be possible to fingerprint you.


Since these questions are primarily used on the client side, better clients simply wouldn't forward the answers to the server.


And then the server wouldn't know what the specs of your browser are and either send you useless pages or not send you anything at all. The browser is designed to let the server and client side scripting languages know what it is and what it's capable of. There is simply no scenario where you can have a usable internet without sending any parameters on what you want to the party owning the website. It's like trying to use the internet without using TCP/IP...


The companies who would comply with a header are not the companies you need to worry about abusing browser fingerprinting.


In the EU there's a proposal to extend the law around consent for storage (AKA the cookie consent law) to fingerprinting, whether or not it accesses device storage.

The law even has exemptions for security-related applications — your bank already fingerprints your device and uses it as a first line of protection against card theft.


I look forward to "We fingerprint you for totally legit reasons. Click OK to hide this message. By continuing to use this site you consent to this." on every page.


>Secure connection: fatal error (40)

yep, pretty unique



