Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Privacy Australia The Internet

New Site Checks Your Browser's Fingerprint 104

"Does your web browser have a unique fingerprint? If so your web browser could be tracked across websites without techniques such as tracking cookies..." warns a new site created by the University of Adelaide and ACEMS, adding "the anonymization aspects of services such as Tor or VPNs could be negated if sites you visit track you using your browser fingerprint." AnonymousCube contacted Slashdot about their free browser fingerprinting test suite: On the site you can see what data can be used to track you and how unique your fingerprint is. The site includes new tests, such as detecting software such as Privacy Badger, via how social media buttons are disabled, and CSS only (no JavaScript or flash) tests to get screen size and installed fonts.
If you're serious about privacy, you might want to test the uniqueness of your browser's fingerprint.
This discussion has been archived. No new comments can be posted.

New Site Checks Your Browser's Fingerprint

Comments Filter:
  • by Anonymous Coward on Sunday July 31, 2016 @02:41PM (#52616947)

    you've known that browser fingerprinting is real and beimg used for years.

    • Yes; the only real value to such a new site is if they informed us as to what can be done to defeat it.

      To my mind, it would be better for a server to tell us what it supports rather than for us (the client) to tell what we support.

      • Noscript works.

        Enabling noscript switches my browser from 'unique' to 'one in 24'.

        • by Hylandr ( 813770 )

          Browse the web through a VirtualBox instance running from an image downloaded daily from Github that is shared by thousands or millions.

          Done.

          • by vux984 ( 928602 )

            Yes. But then you need to agree on such a virtual image, the browser, the addons, the settings of the browser. Do they use adblock plus or ublock origin?

            Then you need to run it through a proxy or tor.

            And then you have to not log in anywhere.

            And then you have the problem that the fingerprinting folks can if they wish, detect this one particular configuration, and display the page as a 'An error has occurred. Your browser configuration is not compatible with this site." And in the process nuke the utility of

            • Yes. But then you need to agree on such a virtual image, the browser, the addons, the settings of the browser. Do they use adblock plus or ublock origin?

              What we need is a service that allows participating sites to publish the trailing most common configuration in real time, coupled with a browser extension that forges the reporting of your settings (regardless of what they actually are) to match.

              Obviously, the fact that the "participating sites" will not include the most popular sites (which are heavily inv

        • I use NoScript on Linux, and got "Your browser fingerprint appears to be unique among the 13,318 tested so far." It'll be interesting to see how unique that stays after a larger number of samples are collected, but that's fairly impressive.
      • by GNious ( 953874 )

        Make a plugin, that randomizes some of the tracked values?
        Sometimes it reports an extra font, sometime removes a font from the list, sometimes add a random plugin's name, perhaps occasionally change the reported OS ...

    • by Z00L00K ( 682162 )

      And the site seems to be slashdotted now.

  • by Anonymous Coward

    i don't ise a browser, i use telnet and type all of my headers by hand.

    • So that is a very unique fingerprint. :) Truly secure behavior would be very unusual, and narrow it down to a very small group. For true anonymity you need something that is confusingly similar to a lot of others. Like the TAILS boot cd.
      • by arth1 ( 260657 )

        Fortunately or unfortunately, this site doesn't even work with non-graphical browsers with images enabled by default. They use a CAPTCHA that has no fallback method, so they just won't capture those who use browser that won't download the CAPTCHA by default.

        [...]

        a a a a a a a a a a a a a a a a a a

        Please type the letters from the image into the box below.

        CAPTCHA was incorrect. Please try again.

        • by Z00L00K ( 682162 )

          Seems like the site needs some work since all I get is "CAPTCHA was incorrect. Please try again" even when filling in the captcha.

      • by AHuxley ( 892839 )
        Just looking for some software gets a user on a list :)
        "Whether you're a regular user of Web privacy tools like Tor and Tails, or you've just checked out their websites, the NSA could be tracking your online movements, a new investigation reveals."
        http://www.cnet.com/news/nsa-l... [cnet.com] (4 July 2014)
    • by Mashiki ( 184564 )

      Telnet? Filthy hipster. Real people use a combination of finger and gopher.

  • FTFY (Score:5, Funny)

    by QuietLagoon ( 813062 ) on Sunday July 31, 2016 @02:46PM (#52616973)

    ...If you're serious about privacy, you might want to test the uniqueness of your browser's fingerprint. ...

    If you're not serious about privacy, you might want to register your browser's fingerprint with that site. :)

    • Doesn't really matter whether your register it or not. Any website you visit is capable of recording it.
      • And they do record it. Try for example browsing with Canvas Blocker with notifications on. Pretty much every major site will trigger it.

  • The User Agent sent by my browser (Chrome) gives the web server enough information to adjust the page to my device, would it be a desktop, a mobile phone, or the kind of browser... But my UA gives, among others: 1) exact version of the (Mac) OS a.b.c, 2) exact version of chrome a.b.c.d which is IMO too much info. The OS and Chrome should be limited to 2 numbers a.b. We all remember the infamous IE6 ... with only ONE number the web server had enough information to understand it has to deal with a crappy brow
    • It is not just a refer. How about if it queries what fonts you support? Any of them not standard? How about media support? What java and flash are you on? What is your screen resolution? Browser window size if not full screen? There is a lot to catch...
      • by NotAPK ( 4529127 ) on Sunday July 31, 2016 @03:43PM (#52617151)

        "It is not just a refer. How about if it queries what fonts you support? Any of them not standard? How about media support? What java and flash are you on? What is your screen resolution? Browser window size if not full screen? There is a lot to catch..."

        HTTP is request based. The client asks for what it needs: the server does not push out what it thinks the client needs.

        Font support: the server has no need to know about my fonts. The CSS should suggest the preferred fonts, but if I don't have their preferred font installed then my browser will substitute. The server never needs to know this.

        Media: my browser will ask for the media it wants to display. If it can't display media it won't ask for it. If it asks for something complex, like a movie file (for example) and the file downloads and then it is unable to handle the file, then surely this should have been managed my correctly identifying the MIME type of the file. The browser can then terminate the download, knowing that it won't be able to play it. Yes, I appreciate codecs make this trickier than it has to be: HTML5 should have fixed this. Comments?

        Screen Resolution: none of the server's business.

        Window Size: again, none of the server's business. If your website is so crappy that it must autosize in some stupid [yes, there are **few** caveats] way then this should be done using local JavaScript.

        So, provided I haven't pissed everyone off: assuming all clients implement the HTTP standards correctly and uniformly, please remind me why the server needs to know anything about the client?

        • Window Size: again, none of the server's business. If your website is so crappy that it must autosize in some stupid [yes, there are **few** caveats] way then this should be done using local JavaScript.

          This is now used in html5 websites extensively to decide if you will have a menu bar or a hidden menu. It is the desktop vs mobile for websites thing that Google actually looks for and grades you on. The rest is also very common in the "rich web experience" that is common now and most browsers support this. Go to the panopticon page and see. It will show your screen resolution.

        • Well, for the media, I can imagine cases where I have the same asset in a variety of formats (because I really want you to see ti if you're on my page) and I want to make sure you get it in a format you can use.

        • Several popular toolkits generate fancy charts and graphs as images, server side, and provide them as images. And for testing, it is useful to know the most common browser sizes. Because CSS and HTML in general let things flow and get cocked up.

          Finally, the client and servers both need to reflect standards completely and accurately, which is a huge assumption. Much better to control your fingerprint, because your vision of reality is just not going to happen. Or preach to the choir if you really need to ven

    • my UA gives, among others: 1) exact version of the (Mac) OS a.b.c, 2) exact version of chrome a.b.c.d which is IMO too much info. The OS and Chrome should be limited to 2 numbers a.b.

      I would have thought that the more numbers in the version number then the more frequently it'll change which makes fingerprinting (slightly) harder over time?

  • panopticlick.eff.org for anyone who hasn't heard of it yet, though I really can't imagine there's a whole lot of people on Slashdot who haven't heard of it...

    • That link is on the webpage of the test mentioned as well.
      • by Anonymous Coward

        this submission reeks of being paid for, though. editors of /. SHOULD know that there is absolutely nothing "new" about a web site that can evaluate your browser for this... and i look at .INFO domains as being worthless, scammy and malware infested by default.. because odds are, they are... so no visit from me, tyvm, take your browser and ip sniffing and data compiling site and gtfo.

    • by Anonymous Coward

      It totally doesn't, though. At least, not if you have JS and redirects disabled. One notable thing about the new test is that it still works with damnear everything except css/images disabled.

    • In fact, browserprint.info looks exactly like the panopticlick.eff.org site I used to know, while the latter now shows much less info than it used to. Am I getting senile, or what's going on here?
      • by Anonymous Coward

        The old information is there, but it's now buried in an "advanced" link below the test results.

    • If it fails to run on my browser do I fully pass?
  • by crow ( 16139 ) on Sunday July 31, 2016 @03:20PM (#52617071) Homepage Journal

    People have talked about browser fingerprints for years, but I haven't heard any solid reports of sites making use of them. For example, news sites that limit you to a few free articles before paywalling you are easily viewed in a private window or with self-destructing cookies.

    If this becomes a real issue, then a browser extension that sanitizes and randomizes the fingerprint would defeat the process. Some aspects might be harder to sanitize or randomize than others, but with a bit of effort, fingerprints could be rendered useless.

    Maybe this should be the next extension offered by the EFF.

    • by Anonymous Coward

      Really want to drive them nuts?

      An extension that sets your fingerprint data to be the exact same as everyone else. That would be amusing.

      Browser do leak way too much information, though. For example, why does my browser expose monitor contrast level? Why is my user agent a long string of crap and not just "Chrome/51"? Why does it expose the fonts that I have installed?

      And really, given that web standards have become so standard, why does the server need to know my user agent at all? Wasn't XHTML+CSS+Respons

      • But most of this fingerprinting is actually supported settings and are needed to display things correctly. Yes, you could set for least common denominator, but that means no video compression, and mp3 only audio.
        • by Zocalo ( 252965 ) on Sunday July 31, 2016 @05:14PM (#52617445) Homepage
          Or you could be a little selective and just reduce the number of things that help make your fingerprint unique. That's the biggest failing in these fingerprinting sites so far; they don't really help you figure out how to do that, and what the effects on your fingerprint's uniqueness might be if you did to help you decide whether it's worth the effort or not. What I'd like to see is each parameter have a way of telling me right there what the common value options for that parameter are, they effect on your fingerprint of setting it to that value, and some suggestions as to how to go about doing that, especially where it's something as simple as downloading the US-English version of a browser intead of the UK-English one.
      • by Anonymous Coward on Sunday July 31, 2016 @04:45PM (#52617351)

        > An extension that sets your fingerprint data to be the exact same as everyone else. That would be amusing.

        It would be ineffective unless a TON of people were using it. Until then it would just make you stand out more because they could easily recognize you as having that extension installed and then combined with all your other info (ip address, user agent, timezone, screen size, list of installed fonts, etc) you'd still be trackable.

        > For example, why does my browser expose monitor contrast level?

        It doesn't. YOU exposed it. When you filled out that captcha. The image in the captcha has a character that is invisible on low contrast monitors. So they discriminate your monitor contrast based on whether or not you typed in that character.

      • by Anonymous Coward

        You mean like BlendIn? Yeah, I've been using that for years and given the multitude of factors that go into fingerprinting browser requests, it doesn't do shit. All it does is falsely drive up the amount of Windows 7 hits in log files, because I appear to be a win7 user and not a lunix (gentoo) user. The issue isn't the user agent string, it's everything else.

        Even using something that's supposed to be homogeneous like the tor browser is actually very fingerprintable in many cases.

        You are right about web sta

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      > I haven't heard any solid reports of sites making use of them.

      I installed CanvasBlocker [mozilla.org] which has a setting to alert me every time the fingerprint is queried.

      So far I've noticed it on every page of github.com, the front page of pof.com, every page on medium.com, accounts.firefox.com - there are probably lots more, but I disable javascript by default so most sites don't even get a chance to fingerprint me.

      Canvasblocker randomizes on every page load. I think that makes you stand out more. I use task-

    • by AHuxley ( 892839 )
      How unique would a very average resolution, new OS and new browser be in a VM become?
      The problem then becomes how unique the user wants to be with other settings. No flash? Fonts used, Do not track set, blocking ads, like/share buttons blocked, WebGL Renderer..
      A default new browser, same OS every time from a VM? A browser that pools a lot of users real settings to present very random data back might be fun.
      How unique are countermeasures to the fingerprint issue :)
      Just the habit of a user to alw
    • by houghi ( 78078 )

      I believe that Google uses them. I delete everything when I start browing on YouTube. I do not log in, yet the results are clearly influnced in previous searches and the like.
      I also block doubleclick and other sites as much as possible.
      As Google is all about getting data, why would they NOT use it?

      OTOH they are unable to read the prefered language of my browser and rather give me a language depending on location (Fun if you live in Belgium), so perhaps they ARE too stoopid to do so.

  • I suppose if peoples unique browser fingerprints will be able to be tracked then the next thing is randomized fake browser fingerprints.

    Technology always provides.

    • Technology always provides.

      On both sides. Look at the old EFF one with no script, and it finds a LOT less. Look at the new one with no script and it still finds most things.

      • Yes Tech provides on both sides.... in an ongoing fashion.

        Not sure what you are referring to in terms of the "old EFF one with no script".
        Can you explain that reference to me in more detail. I fear I am ignorant on the subject to which you are referring.

        Thanks in advance.

        • The noscript plugin blocks javascript from running in your browser. That is how the EFF page got most of it's data. So with noscript active, it has a harder time identifying you. The new site does not have this problem.
  • I see a lot of posts about how to measure the "uniqueness" of your signature. But what (if anything) can be done about it?
    Is this a standards issue? Or are there plug-ins that can mitigate some of this?

    • TAILS is a damn good start. Any Live CD will help. But this new system also tracks a lot of hardware, so it will be limited... Ideally, TAILS running in a VM on VirtualBox is probably going to be the most common thing.
    • The EFF panopticon page not only measures your uniqueness, but it also identifies the most distinct parts of your signature. It offers some solutions to shrinking your fingerprint. https://panopticlick.eff.org/ [eff.org]

  • I "finger printed" my browser and the website reported two different fingerprints. I changed nothing. So the UUID the website says is my fingerprint (by itself) is basically useless for tracking this browser.

  • Test More Than Once (Score:4, Interesting)

    by DERoss ( 1919496 ) on Sunday July 31, 2016 @11:31PM (#52618871)

    Visit the test Web site more than once. If subsequent visits indicate that you remain unique -- that you are the only one out of all visits including your own prior visits -- then you are somewhat safe from tracking. Even better is when it reports inconsistent results from several visits within a short period of time. I did that, and the report was that I was unique twice relative to HTTP_ACCEPT Headers. Also, the Monitor Contrast Level was not the same for two consecutive visits.

    I get this result by installing the Secret Agent extension from https://www.dephormation.org.u... [dephormation.org.uk]. Panopticlick has similar problems characterizing my browser. And various Web sites that attempt geolocation have me all over the globe.

  • Change so much on each visit, that you're unique every time. You will not eliminate all data, but if everything is zero except one identifier, i get you using this one. If everything always changes, i always think i identified somebody new.

Who goeth a-borrowing goeth a-sorrowing. -- Thomas Tusser

Working...