Tracking Browsers Without Cookies Or IP Addresses?
Peter Eckersley writes "The EFF has launched a research project called Panopticlick, to determine whether seemingly innocuous browser configuration information (like User Agent strings, plugin versions and fonts) may create unique fingerprints that allow web users to be tracked, even if they limit or delete cookies. Preliminary results indicate that the User Agent string alone has 10.5 bits of entropy, which means that for a typical Internet user, only one in about 1,500 (2 ^ 10.5) others will share their User Agent string.
If you visit Panopticlick, you can get a reading of how rare or unique your browser configuration is, as well as helping EFF to collect better data about this problem and how best to defend against it." I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others.
Results and flash cookies (Score:5, Informative)
I compared IE, Firefox, Chrome and Opera. Both IE and Firefox were completely unique even with the user agent because of the .NET versions there. Opera and Chrome were quite generic.
Plugins were also completely unique and really easy to detect in any browser other than IE8. Interestingly, IE's plugin list was really small and not at all so unique. IE's top "warning" bar asked me if I want to run specific plugins (probably to detect them). System fonts were completely unique and look easy to detect.
Remember that this is info that for example Google gets all over the internet via Analytics - they don't even need those tracking cookies because your browser leaves so much unique data behind it that it doesn't matter. And so does every website owner.
Another thing people usually forget about when clearing cookies is that Flash has cookies too, and they aren't cleared along with them. When did you last clear them? Probably never. You can use BleachBit [sourceforge.net] to clear those along with other software, history and temp data.
Already being done (Score:5, Informative)
Lynx apparently more popular than I thought (Score:4, Informative)
Browser Characteristic : User Agent
bits of identifying information : 11.09+
one in x browsers have this value : 2183
value : Lynx/2.8.5rel.1 libwww-FM/2.14FM SSL-MM/1.4.1 OpenSSL/0.9.7d-dev
(Course, I'm also two minor releases behind... but still, 1 per 2000 is more common than I would've guessed)
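The bits-to-rarity arithmetic behind the story's figure (10.5 bits, about one in 1,500) and the Lynx readout above (11.09 bits, one in 2183), as an added example that is not part of the original thread or EFF's code. The sample browsers, attribute names and function names are constructed for illustration; the last sample entry shows a customized User Agent shrinking the anonymity set to one.

```python
import math
from collections import Counter

def surprisal_bits(one_in_x):
    """Bits of identifying information for a value shared by 1 in x browsers."""
    return math.log2(one_in_x)

def shannon_entropy(values):
    """Average bits of identifying information carried by one attribute."""
    counts, n = Counter(values), len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def anonymity_report(visitors, me):
    """Per-attribute and combined (matching browsers, bits) for one browser.

    visitors: list of dicts (attribute -> value); me: one of those dicts.
    """
    n = len(visitors)
    report = {}
    for attr in me:
        same = sum(1 for v in visitors if v[attr] == me[attr])
        report[attr] = (same, surprisal_bits(n / same))
    # Attributes are correlated, so count the combined fingerprint directly
    # instead of summing the per-attribute bits.
    same_all = sum(1 for v in visitors if v == me)
    report["combined"] = (same_all, surprisal_bits(n / same_all))
    return report

# Constructed sample (not Panopticlick data): 8 browsers, 3 attributes.
SAMPLE = (
    [{"ua": "Firefox/3.5", "fonts": "default", "plugins": "flash"}] * 3
    + [{"ua": "Firefox/3.5", "fonts": "default", "plugins": "flash,java"}]
    + [{"ua": "Chrome/4.0", "fonts": "default", "plugins": "flash"}] * 2
    + [{"ua": "Chrome/4.0", "fonts": "designer-pack", "plugins": "flash"}]
    + [{"ua": "Firefox/3.5 (privacy message)", "fonts": "default",
        "plugins": "flash"}]
)

if __name__ == "__main__":
    print(f"1 in 2183 -> {surprisal_bits(2183):.2f} bits")
    print(f"10.5 bits -> 1 in {2 ** 10.5:.0f}")
    uas = [v["ua"] for v in SAMPLE]
    print(f"UA entropy in sample: {shannon_entropy(uas):.2f} bits")
    for who in (SAMPLE[0], SAMPLE[-1]):
        print(who["ua"], anonymity_report(SAMPLE, who))
```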
Shows who your true friends are. Thank Microsoft. (Score:2, Informative)
There is an option for privacy enhanced web browsing: IE compatibility test virtualization images. [microsoft.com] A very common OS packaged with a vanilla install of a very common browser, neatly resettable in a virtual machine. Thank you, Microsoft.
Re:Results and flash cookies (Score:3, Informative)
https://addons.mozilla.org/en-US/firefox/addon/6581 [mozilla.org]
Too late, they beat you to it.
Re:Results and flash cookies (Score:5, Informative)
You are misreading the statistics. If only one in a few thousand computers matches yours, then you are very trackable. Your computer sticks out in a crowd. You want to be as close to 1:1 as you can get, as in, my computer looks like every other computer.
Re:Results and flash cookies (Score:5, Informative)
Or actually, I read that wrong... looks like a huge win for open browsing and scripts off, and huge loss for torbutton with scripts off... especially at under 20k tested so far.
browserrecon project (Score:2, Informative)
Hello,
I would like to refer to an old project of mine. browserrecon is an implementation which uses application fingerprint techniques to identify web clients:
http://www.computec.ch/projekte/browserrecon/ [computec.ch]
Bye, Marc
Re:Little Bobby Tables in User Agent String (Score:5, Informative)
1) Type "about:config" in the address bar; if you haven't been there before, you must confirm that you are actually a geek.
2) Filter for "useragent", then append whatever you want [xkcd.com] to the general.useragent.extra.firefoxComment key.
3) Help -> About shows your current user agent, btw.
4) Wait for lawsuits? Or Profit? I forgot...