Electronic Frontier Foundation Privacy Security

EFF Launches Panopticlick 2.0 (eff.org) 63

Peter Eckersley writes: The EFF has launched Panopticlick 2.0. In addition to measuring whether your browser exposes unique — and therefore trackable — settings and configuration to websites, the site can now test if you have correctly configured ad- and tracker-blocking software. Think you have correctly configured tracker-blocking software? Visit Panopticlick to test if you got it right.
  • interesting (Score:4, Interesting)

    by Noah Haders ( 3621429 ) on Friday December 18, 2015 @09:55AM (#51143183)

    Two interesting things about Panopticlick: first, they report on browser fingerprinting, which is notoriously hard to defeat. Second, they encourage users to allow ads from websites that purport to respect Do Not Track. There's no way to know if they actually respect it, and companies like Google and Facebook have been bald-faced liars in saying they respect it when they actually don't.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      browser fingerprinting, which is notoriously hard to defeat.

      A large part of fingerprinting is done via JavaScript. Disable JavaScript and you remove their ability to query all kinds of things about your browser that they use for fingerprinting.

      It's not everything though. You still need to genericize your user agent string, and a few other things. But JavaScript queries are about 80-90% of what goes into fingerprinting.

      • Use different browsers for different web sites. I use firefox, seamonkey, chromium, konqueror, each one for a different kind of browsing (banking & bill payments vs. shopping vs. videos, etc.) At most they can figure out only a quarter of what I do online.

        • by Anonymous Coward

          Well if all those requests for your different browsers come from the same IP, they can be easily tied to the same identity that way.

          It might work if you can masquerade as 4 different (and totally unrelated) IPs, such as through VPNs, and get the same VPN for the same browser each time.

          • you just need one VPN. All of your browsers will have the same IP, but so will 10,000 other browsers from other users on that VPN.

        • Use different browsers for different web sites.

          *wink*

      Mine came out much less unique than previous versions, because I had NoScript blocking much of it (even after I temporarily allowed evil-tracker.com and do-not-track.com or whatever their domains were called). User agent string was fairly unique. In the past, fonts have been the big surprise information leaker - my work machines all have a font loaded on them that's used to get $COMPANY_LOGO to render correctly, aside from any other fonts I've randomly added over the years.

    • They want you to install their EFF extension so they can monitor your privacy.

      • Re:interesting (Score:4, Informative)

        by Peter Eckersley ( 66542 ) on Friday December 18, 2015 @05:15PM (#51146607) Homepage

        Well, our source code is available [github.com] so you can check that we do not monitor what you do with your privacy :). But if you don't like Privacy Badger, try Disconnect [disconnect.me], ublock [ublock.org], AdAway [f-droid.org], AdBlock [getadblock.com] or Adblock Plus [adblock.org] (though you'll need to manually subscribe to EasyPrivacy for AB and ABP)!

        • A lot of the privacy wargarble is unsubstantiated. Facebook and Google are mining your information, and we have tracking cookies to deal with; the vast majority of outcry is at Internet-connected services that don't bother with any of that. Even the cry about Amazon is overblown: Ubuntu goes and searches Amazon for products when you type into Unity search, and people lose their shit like Amazon is generating a profile on them somehow and filing it with their medical history.
    • 2 interesting things about panopticlick: first, they report on browser fingerprinting, which is notoriously hard to defeat.

      Would it help to add some randomisation into the properties? Quick googling suggests it might be a solution, and there are some plugins: https://addons.mozilla.org/en-... [mozilla.org] https://www.dephormation.org.u... [dephormation.org.uk] https://addons.mozilla.org/en-... [mozilla.org]

      You would have to not only change the random agent though (which may hide the fact you are running Linux or 64-bit vs. 32-bit). The plugin string is also pretty damning -- which version of Flash you have (and additional plugins, etc). For any GNOME user, the gnome Firefox plugi

      • presumably you just need to change one property? If they are just hashing together all these settings, this would scramble everything...

        • You do not want a unique hash, you want to have the same hash as everyone else. So every field value has to be common to avoid fingerprinting.

          • It's OK to have a unique hash as long as your hash is always changing.

            • by G00F ( 241765 )

              You're both right. Returning fingerprints that are not as unique and changing. But then you still have cookies and your IP.

              But I'm conflicted, as data like User Agent (OS info) and the window/screen sizes are very useful, and making them useless hurts those creating the sites.

              EFF's tool also shows so many bits of information, even getting rid of a dozen won't change much. I would assume trackers would take into consideration browser version changing and methods to track that can also overcome random.

              • i think randomizing some of the bits (as opposed to blocking them completely) would make a good bit of difference. Imagine this problem:
                * match a fingerprint against a database, assuming all bits are correct: easy, there's only one database call.
                * match a fingerprint against a database, assuming one bit is incorrect: harder,
                * match assuming only n out of N bits are correct and the rest are randomized (although you don't know which): incredibly hard.

    • I visited that site from Chromium. It asked me to confirm whether my carrier is Charter, then took me to a page where I could select a free gift. Nothing about whether my browser has been breached
  • by Anonymous Coward on Friday December 18, 2015 @10:28AM (#51143425)

    The site doesn't work at all for me. Presumably, it requires JavaScript, which is exactly what nobody should be enabling by default. JavaScript has been one of the largest exploit vectors of the modern web. It should at best be whitelisted on a very, very few sites such as trusted banking and finance sites. But absolutely not enabled in general - that's a big part of how people's systems end up severely jacked.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Absolutely true. However, any site you're going to use for transactions is going to use it also. And they're the ones who are also tracking you with dozens of bots.
      So yes, you're safe from casual snarfing as you google stuff, but go to pull the trigger on a shopping cart and you're naked to ALL of them, unless xyz ghostery etc.

      Blocking JavaScript won't stop that but it IS the #1 step in securing your browser generally.

    • What I want to know, is why Firefox doesn't protect against this kind of fingerprinting.

    • by Peter Eckersley ( 66542 ) on Friday December 18, 2015 @05:08PM (#51146567) Homepage

      Yes, our simulation of third-party tracking involves visiting three synthetic first-party domains that share a third-party tracker. That works if you have various types of blockers installed, or if JavaScript is disabled. But if you have a browser that both blocks JS and blocks redirects, or blocks absolutely all loads of tracking domains (e.g. via an /etc/hosts blacklister like AdAway), the test won't work. Congratulations, you have pretty good protections in place :)

      We're going to provide a fingerprinting-only URL for Panopticlick 2 that works even for people with NoScript + AdAway or NoScript + redirect blocking; we'll post a link on the site when it's ready.

  • Nice. I just had an SELinux popup saying that plugin-container was trying to do something... also a pop-up about "fonts" trying to run so I said "nope."

  • It would be more interesting if they would suggest configuration changes to produce a non-unique fingerprint. Their only suggestion is to use an extension like NoScript, which they admit is impractical.

    I can see ways to make fingerprinting less effective, at least among privacy oriented individuals, but it needs something like Panopticlick to collect and analyze data in order to recommend optimal, non-unique fingerprints. In some cases this can be handled by browser settings. In other cases, it may requi

    • The most identifying piece amongst the people I talked to is fonts. Fonts are what made my browser completely unique in Panopticlick. Are there tools that will either hide your font list from trackers or produce a random one each time so it's harder to keep a fingerprint on you?
  • Time to present a limited set of fonts and plugins to untrusted urls?
