EFF Launches Panopticlick 2.0 (eff.org) 63
Peter Eckersley writes: The EFF has launched Panopticlick 2.0. In addition to measuring whether your browser exposes unique — and therefore trackable — settings and configuration to websites, the site can now test if you have correctly configured ad- and tracker-blocking software. Think you have correctly configured tracker-blocking software? Visit Panopticlick to test if you got it right.
interesting (Score:4, Interesting)
2 interesting things about Panopticlick: first, they report on browser fingerprinting, which is notoriously hard to defeat. Second, they encourage users to allow ads from websites that purport to respect Do Not Track. There's no way to know if they actually respect it, and companies like Google and Facebook have been bald-faced liars in saying they respect it when they actually don't.
Re: (Score:3, Informative)
browser fingerprinting, which is notoriously hard to defeat.
A large part of fingerprinting is done via JavaScript. Disable JavaScript and you remove their ability to query all kinds of things about your browser that they use for fingerprinting.
It's not everything though. You still need to genericize your user agent string, and a few other things. But JavaScript queries are about 80-90% of what goes into fingerprinting.
Separate browser use (Score:3)
Use different browsers for different web sites. I use Firefox, SeaMonkey, Chromium, Konqueror, each one for a different kind of browsing (banking & bill payments vs. shopping vs. videos, etc.). At most they can figure out only a quarter of what I do online.
Re: (Score:1)
Well if all those requests for your different browsers come from the same IP, they can be easily tied to the same identity that way.
It might work if you can masquerade as 4 different (and totally unrelated) IPs, such as through VPNs, and get the same VPN for the same browser each time.
Re: (Score:2)
You just need one VPN. All of your browsers will have the same IP, but so will 10,000 other browsers from other users on that VPN.
Re: (Score:2)
Use different browsers for different web sites.
*wink*
Noscript. Fonts. User Agents (Score:2)
Mine came out much less unique than previous versions, because I had NoScript blocking much of it (even after I temporarily allowed evil-tracker.com and do-not-track.com or whatever their domains were called). User agent string was fairly unique. In the past, fonts have been the big surprise information leaker - my work machines all have a font loaded on them that's used to get $COMPANY_LOGO to render correctly, aside from any other fonts I've randomly added over the years.
Re: (Score:3)
They want you to install their EFF extension so they can monitor your privacy.
Re:interesting (Score:4, Informative)
Well, our source code is available [github.com] so you can check that we do not monitor what you do with your privacy :). But if you don't like Privacy Badger, try Disconnect [disconnect.me], ublock [ublock.org], AdAway [f-droid.org], AdBlock [getadblock.com] or Adblock Plus [adblock.org] (though you'll need to manually subscribe to Easy Privacy for AB and ABP)!
Re: (Score:2)
Absolutely! Why on earth would the EFF tell you that you should blindly trust sites that claim they honour DNT? We all know that basically everyone has their browser set to DNT, basically all malicious advertisers claim to honour it, and in reality nobody does. Why would I intentionally disable my tracking blocking for someone who lies and says to trust them? Shame on you EFF!
Re: (Score:3)
2 interesting things about panopticlick: first, they report on browser fingerprinting, which is notoriously hard to defeat.
Would it help to add some randomisation into the properties? Quick googling suggests it might be a solution, and there are some plugins: https://addons.mozilla.org/en-... [mozilla.org] https://www.dephormation.org.u... [dephormation.org.uk] https://addons.mozilla.org/en-... [mozilla.org]
You would have to not only change the random agent though (which may hide the fact you are running Linux or 64-bit vs. 32-bit). The plugin string is also pretty damning -- which version of Flash you have (and additional plugins, etc). For any GNOME user, the gnome Firefox plugi
Re: (Score:2)
Presumably you just need to change one property? If they are just hashing together all these settings, this would scramble everything...
Re: (Score:2)
You do not want a unique hash, you want to have the same hash as everyone else. So every field value has to be common to avoid fingerprinting.
Re: (Score:2)
It's OK to have a unique hash as long as your hash is always changing.
Re: (Score:3)
You're both right. Returning fingerprints that are not as unique and changing. But then you still have cookies and your IP.
But I'm conflicted, as data like User Agent (OS info) and the window/screen sizes are very useful, and making them useless hurts those creating the sites.
EFF's tool also shows so many bits of information, even getting rid of a dozen won't change much. I would assume trackers would take into consideration browser version changing and methods to track that can also overcome random.
Re: (Score:2)
I think randomizing some of the bits (as opposed to blocking them completely) would make a good bit of difference. Imagine this problem:
* match a fingerprint against a database, assuming all bits are correct: easy, there's only one database call.
* match a fingerprint against a database, assuming one bit is incorrect: harder,
* match assuming only n out of N bits are correct and the rest are randomized (although you don't know which): incredibly hard.
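An added example, not part of the thread and not EFF's code, putting numbers on the debate above (unique hash vs. changing hash vs. same hash as everyone else). The population, attribute names and values are constructed for illustration, and FNV-1a stands in for whatever hash a tracker might use.

```javascript
// Constructed sample population (not real Panopticlick data).
const row = (ua, screen, fonts) => ({ ua, screen, fonts });
const population = [
  ...Array(4).fill(row('UA-common', '1920x1080', 'default')),
  ...Array(2).fill(row('UA-common', '1366x768', 'default')),
  row('UA-linux', '1920x1080', 'default'),
  row('UA-linux', '2560x1440', 'default+corp-logo'), // visitor with an extra font
];

// Bits of identifying information carried by one attribute value:
// -log2(fraction of visitors sharing that value).
function surprisalBits(pop, attr, value) {
  const n = pop.filter(r => r[attr] === value).length;
  return n === 0 ? Infinity : -Math.log2(n / pop.length);
}

// Number of visitors who look identical on the chosen attributes.
function anonymitySet(pop, fp, attrs) {
  return pop.filter(r => attrs.every(a => r[a] === fp[a])).length;
}

// Exact-match fingerprint: non-cryptographic FNV-1a over all attributes.
function fingerprintHash(fp, attrs) {
  let h = 0x811c9dc5;
  for (const ch of attrs.map(a => a + '=' + fp[a]).join('\n')) {
    h = Math.imul(h ^ ch.charCodeAt(0), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

const ALL = ['ua', 'screen', 'fonts'];
const me = population[7];
const session = n => ({ ...me, ua: 'UA-random-' + n }); // randomise one field per session
const generic = row('UA-common', '1920x1080', 'default'); // report only common values

function report() {
  return {
    fontBits: surprisalBits(population, 'fonts', me.fonts),
    uniqueAsIs: anonymitySet(population, me, ALL),
    hashChanges: fingerprintHash(session(1), ALL) !== fingerprintHash(session(2), ALL),
    stableFieldsStillMatch: anonymitySet(population, session(1), ['screen', 'fonts']),
    genericCrowd: anonymitySet(population, generic, ALL),
  };
}
console.log(report());
```

Randomising the user agent changes the combined hash every session, but the untouched screen and font values still single this visitor out; only the all-common profile puts them in a crowd.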
Re: (Score:2)
In their defense, this is not about security. It is about how easy it is for a third party to track individuals based upon the properties of their web browser. Many of those properties are obtained through scripting. While turning off scripting will make you less identifiable, it seems to defeat the point that they are trying to make.
doesn't work without javascript (Score:4, Informative)
The site doesn't work at all for me. Presumably, it requires javascript, which is exactly what nobody should be enabling by default. Javascript has been one of the largest exploit vectors of the modern web. It should at best be whitelisted on a very, very few sites such as trusted banking and finance sites. But absolutely not enabled in general - that's a big part of how people's systems end up severely jacked.
Re: (Score:2, Informative)
Absolutely true. However, any site you're going to use for transactions is going to use it also. And they're the ones who are also tracking you with dozens of bots.
So yes, you're safe from casual snarfing as you google stuff, but go to pull the trigger on a shopping cart and you're naked to ALL of them, unless xyz ghostery etc.
Blocking javascript won't stop that but it IS the #1 step in securing your browser generally.
Re: (Score:2)
Except you got the results for someone who allows redirects, rather than the results for you.
Re: (Score:2)
Being Slashdot, I assume you mean "wine hot-tranny.mp4.exe"
Re: (Score:2)
What I want to know, is why Firefox doesn't protect against this kind of fingerprinting.
Re:doesn't work without javascript (Score:4, Informative)
Yes, our simulation of third party tracking involves visiting three synthetic first party domains that share a third party tracker. That works if you have various types of blockers installed, or if JavaScript is disabled. But if you have a browser that both blocks JS and blocks redirects or blocks absolutely all loads of tracking domains (e.g. via an /etc/hosts blacklister like AdAway), the test won't work. Congratulations, you have pretty good protections in place :)
We're going to provide a fingerprinting-only URL for Panopticlick 2 that works even for people with NoScript + AdAway or NoScript + redirect blocking; we will post a link on the site when it's ready.
SELinux triggered (Score:2)
Nice. I just had an SELinux popup saying that plugin-container was trying to do something... also a pop-up about "fonts" trying to run so I said "nope."
More interesting if ... (Score:2)
It would be more interesting if they would suggest configuration changes to produce a non-unique fingerprint. Their only suggestion is to use an extension like NoScript, which they admit is impractical.
I can see ways to make fingerprinting less effective, at least among privacy oriented individuals, but it needs something like Panopticlick to collect and analyze data in order to recommend optimal, non-unique fingerprints. In some cases this can be handled by browser settings. In other cases, it may requi
Re: (Score:1)
Heh... It has all sorts of funny and incorrect information (which is not its fault). I'm using a VPN and I'm connected by VNC to my home in Maine, and I'm using a VPN from there. (It's a long story, boredom was a big part in that choice.) But, I have a connection at my place here so I guess I can stop connecting to my home. Of course, the few computers that I had here are horribly out of date and the house cleaners didn't quite get everything ready for me in time (my fault) and now I have my doggy back with
21.56 bits on fonts alone, another 11 on plugins. (Score:2)