New Site Checks Your Browser's Fingerprint

"Does your web browser have a unique fingerprint? If so your web browser could be tracked across websites without techniques such as tracking cookies..." warns a new site created by the University of Adelaide and ACEMS, adding "the anonymization aspects of services such as Tor or VPNs could be negated if sites you visit track you using your browser fingerprint." AnonymousCube contacted Slashdot about their free browser fingerprinting test suite: On the site you can see what data can be used to track you and how unique your fingerprint is. The site includes new tests, such as detecting software such as Privacy Badger, via how social media buttons are disabled, and CSS only (no JavaScript or flash) tests to get screen size and installed fonts.
If you're serious about privacy, you might want to test the uniqueness of your browser's fingerprint.

"if you're serious about security"

[Anonymous Coward]

you've known that browser fingerprinting is real and beimg used for years.

Re:

[Mikkeles]

Yes; the only real value to such a new site is if they informed us as to what can be done to defeat it.

To my mind, it would be better for a server to tell us what it supports rather than for us (the client) to tell what we support.

Re:

[Joce640k]

Noscript works.

Enabling noscript switches my browser from 'unique' to 'one in 24'.

Re:

[Hylandr]

Browse the web through a VirtualBox instance running from an image downloaded daily from Github that is shared by thousands or millions.

Done.

Re:

[vux984]

Yes. But then you need to agree on such a virtual image, the browser, the addons, the settings of the browser. Do they use adblock plus or ublock origin?

Then you need to run it through a proxy or tor.

And then you have to not log in anywhere.

And then you have the problem that the fingerprinting folks can if they wish, detect this one particular configuration, and display the page as a 'An error has occurred. Your browser configuration is not compatible with this site." And in the process nuke the utility of

Re:

[mrchaotica]

Yes. But then you need to agree on such a virtual image, the browser, the addons, the settings of the browser. Do they use adblock plus or ublock origin?

What we need is a service that allows participating sites to publish the trailing most common configuration in real time, coupled with a browser extension that forges the reporting of your settings (regardless of what they actually are) to match.

Obviously, the fact that the "participating sites" will not include the most popular sites (which are heavily inv

Re:

[Mike Van Pelt]

I use NoScript on Linux, and got "Your browser fingerprint appears to be unique among the 13,318 tested so far." It'll be interesting to see how unique that stays after a larger number of samples are collected, but that's fairly impressive.

Re:

[GNious]

Make a plugin, that randomizes some of the tracked values?
Sometimes it reports an extra font, sometime removes a font from the list, sometimes add a random plugin's name, perhaps occasionally change the reported OS ...

Re:

[Z00L00K]

And the site seems to be slashdotted now.

well

[Anonymous Coward]

i don't ise a browser, i use telnet and type all of my headers by hand.

Re:

[houstonbofh]

So that is a very unique fingerprint. :) Truly secure behavior would be very unusual, and narrow it down to a very small group. For true anonymity you need something that is confusingly similar to a lot of others. Like the TAILS boot cd.

Re:

[arth1]

Fortunately or unfortunately, this site doesn't even work with non-graphical browsers with images enabled by default. They use a CAPTCHA that has no fallback method, so they just won't capture those who use browser that won't download the CAPTCHA by default.

[...]

a a a a a a a a a a a a a a a a a a

Please type the letters from the image into the box below.

CAPTCHA was incorrect. Please try again.

Re:

[Z00L00K]

Seems like the site needs some work since all I get is "CAPTCHA was incorrect. Please try again" even when filling in the captcha.

Re:

[AHuxley]

Just looking for some software gets a user on a list :)
"Whether you're a regular user of Web privacy tools like Tor and Tails, or you've just checked out their websites, the NSA could be tracking your online movements, a new investigation reveals."
http://www.cnet.com/news/nsa-l... [cnet.com] (4 July 2014)

Re:

[Mashiki]

Telnet? Filthy hipster. Real people use a combination of finger and gopher.

FTFY

[QuietLagoon]

...If you're serious about privacy, you might want to test the uniqueness of your browser's fingerprint. ...

If you're not serious about privacy, you might want to register your browser's fingerprint with that site. :)

Re:

[jeepies]

Doesn't really matter whether your register it or not. Any website you visit is capable of recording it.

Re:

[KiloByte]

And they do record it. Try for example browsing with Canvas Blocker with notifications on. Pretty much every major site will trigger it.

Re:

[KiloByte]

Dp they use Canvas for drawing or for reading what they've drawn? It's hard to come up with a valid reason for reading, while it's use for fingerprinting is ubiquitous (due to being included in some bloat.js library).

Utility and deviance of the User Agent

[hcs_$reboot]

The User Agent sent by my browser (Chrome) gives the web server enough information to adjust the page to my device, would it be a desktop, a mobile phone, or the kind of browser... But my UA gives, among others: 1) exact version of the (Mac) OS a.b.c, 2) exact version of chrome a.b.c.d which is IMO too much info. The OS and Chrome should be limited to 2 numbers a.b. We all remember the infamous IE6 ... with only ONE number the web server had enough information to understand it has to deal with a crappy brow

Re:

[houstonbofh]

It is not just a refer. How about if it queries what fonts you support? Any of them not standard? How about media support? What java and flash are you on? What is your screen resolution? Browser window size if not full screen? There is a lot to catch...

Re:Utility and deviance of the User Agent

[NotAPK]

"It is not just a refer. How about if it queries what fonts you support? Any of them not standard? How about media support? What java and flash are you on? What is your screen resolution? Browser window size if not full screen? There is a lot to catch..."

HTTP is request based. The client asks for what it needs: the server does not push out what it thinks the client needs.

Font support: the server has no need to know about my fonts. The CSS should suggest the preferred fonts, but if I don't have their preferred font installed then my browser will substitute. The server never needs to know this.

Media: my browser will ask for the media it wants to display. If it can't display media it won't ask for it. If it asks for something complex, like a movie file (for example) and the file downloads and then it is unable to handle the file, then surely this should have been managed my correctly identifying the MIME type of the file. The browser can then terminate the download, knowing that it won't be able to play it. Yes, I appreciate codecs make this trickier than it has to be: HTML5 should have fixed this. Comments?

Screen Resolution: none of the server's business.

Window Size: again, none of the server's business. If your website is so crappy that it must autosize in some stupid [yes, there are **few** caveats] way then this should be done using local JavaScript.

So, provided I haven't pissed everyone off: assuming all clients implement the HTTP standards correctly and uniformly, please remind me why the server needs to know anything about the client?

Re:

[houstonbofh]

Window Size: again, none of the server's business. If your website is so crappy that it must autosize in some stupid [yes, there are **few** caveats] way then this should be done using local JavaScript.

This is now used in html5 websites extensively to decide if you will have a menu bar or a hidden menu. It is the desktop vs mobile for websites thing that Google actually looks for and grades you on. The rest is also very common in the "rich web experience" that is common now and most browsers support this. Go to the panopticon page and see. It will show your screen resolution.

Re:

[houstonbofh]

Oops. https://panopticlick.eff.org/ [eff.org]

Re:

[Actually, I do RTFA]

Well, for the media, I can imagine cases where I have the same asset in a variety of formats (because I really want you to see ti if you're on my page) and I want to make sure you get it in a format you can use.

Re:

[Bite The Pillow]

Several popular toolkits generate fancy charts and graphs as images, server side, and provide them as images. And for testing, it is useful to know the most common browser sizes. Because CSS and HTML in general let things flow and get cocked up.

Finally, the client and servers both need to reflect standards completely and accurately, which is a huge assumption. Much better to control your fingerprint, because your vision of reality is just not going to happen. Or preach to the choir if you really need to ven

Re:

[UnderCoverPenguin]

For example Firefox used to have a plugins.enumerable_names preference so you could control whether or not a website could figure out which addons and extensions are installed (a big source of fingerprinting data). But they removed the preference last year and now every website gets to sniff your plugins again.

That's called "Kissing the hand that feeds you." Mozilla received a lot of money from Yahoo. And Google before that.

Re:

[telchine]

my UA gives, among others: 1) exact version of the (Mac) OS a.b.c, 2) exact version of chrome a.b.c.d which is IMO too much info. The OS and Chrome should be limited to 2 numbers a.b.

I would have thought that the more numbers in the version number then the more frequently it'll change which makes fingerprinting (slightly) harder over time?

Re:

[Anonymous Coward]

You don't need to sign everything you write. That little coloured bar above your post has your name on it. Idiot.

Re:On (Cron) FrontPage.Post.FireHose.getLatestTren

[Fwipp]

Pssh, like that can't be forged.

-dk

Is there a reason to stop using panopticlick?

[Anonymous Coward]

panopticlick.eff.org for anyone who hasn't heard of it yet, though I really can't imagine there's a whole lot of people on Slashdot who haven't heard of it...

Re:

[houstonbofh]

They added some new audio testing that may defeat things like TAILS for uniqueness.

Old site also checks your browser's fingerprint

[wonkey_monkey]

https://panopticlick.eff.org/ [eff.org]

Re:

[houstonbofh]

That link is on the webpage of the test mentioned as well.

Re:

[Anonymous Coward]

this submission reeks of being paid for, though. editors of /. SHOULD know that there is absolutely nothing "new" about a web site that can evaluate your browser for this... and i look at .INFO domains as being worthless, scammy and malware infested by default.. because odds are, they are... so no visit from me, tyvm, take your browser and ip sniffing and data compiling site and gtfo.

Re:

[Anonymous Coward]

It totally doesn't, though. At least, not if you have JS and redirects disabled. One notable thing about the new test is that it still works with damnear everything except css/images disabled.

Re:

[BitterKraut]

In fact, browserprint.info looks exactly like the panopticlick.eff.org site I used to know, while the latter now shows much less info than it used to. Am I getting senile, or what's going on here?

Re:

[Anonymous Coward]

The old information is there, but it's now buried in an "advanced" link below the test results.

Re:

[Pinkbunnyman]

If it fails to run on my browser do I fully pass?

Fingerprint Randomizer

[crow]

People have talked about browser fingerprints for years, but I haven't heard any solid reports of sites making use of them. For example, news sites that limit you to a few free articles before paywalling you are easily viewed in a private window or with self-destructing cookies.

If this becomes a real issue, then a browser extension that sanitizes and randomizes the fingerprint would defeat the process. Some aspects might be harder to sanitize or randomize than others, but with a bit of effort, fingerprints could be rendered useless.

Maybe this should be the next extension offered by the EFF.

Re:

[Anonymous Coward]

Really want to drive them nuts?

An extension that sets your fingerprint data to be the exact same as everyone else. That would be amusing.

Browser do leak way too much information, though. For example, why does my browser expose monitor contrast level? Why is my user agent a long string of crap and not just "Chrome/51"? Why does it expose the fonts that I have installed?

And really, given that web standards have become so standard, why does the server need to know my user agent at all? Wasn't XHTML+CSS+Respons

Re:

[houstonbofh]

But most of this fingerprinting is actually supported settings and are needed to display things correctly. Yes, you could set for least common denominator, but that means no video compression, and mp3 only audio.

Re:Fingerprint Randomizer

[Zocalo]

Or you could be a little selective and just reduce the number of things that help make your fingerprint unique. That's the biggest failing in these fingerprinting sites so far; they don't really help you figure out how to do that, and what the effects on your fingerprint's uniqueness might be if you did to help you decide whether it's worth the effort or not. What I'd like to see is each parameter have a way of telling me right there what the common value options for that parameter are, they effect on your fingerprint of setting it to that value, and some suggestions as to how to go about doing that, especially where it's something as simple as downloading the US-English version of a browser intead of the UK-English one.

Re:Fingerprint Randomizer

[Anonymous Coward]

> An extension that sets your fingerprint data to be the exact same as everyone else. That would be amusing.

It would be ineffective unless a TON of people were using it. Until then it would just make you stand out more because they could easily recognize you as having that extension installed and then combined with all your other info (ip address, user agent, timezone, screen size, list of installed fonts, etc) you'd still be trackable.

> For example, why does my browser expose monitor contrast level?

It doesn't. YOU exposed it. When you filled out that captcha. The image in the captcha has a character that is invisible on low contrast monitors. So they discriminate your monitor contrast based on whether or not you typed in that character.

Re:

[Anonymous Coward]

You mean like BlendIn? Yeah, I've been using that for years and given the multitude of factors that go into fingerprinting browser requests, it doesn't do shit. All it does is falsely drive up the amount of Windows 7 hits in log files, because I appear to be a win7 user and not a lunix (gentoo) user. The issue isn't the user agent string, it's everything else.

Even using something that's supposed to be homogeneous like the tor browser is actually very fingerprintable in many cases.

You are right about web sta

Re:

[Anonymous Coward]

> I haven't heard any solid reports of sites making use of them.

I installed CanvasBlocker [mozilla.org] which has a setting to alert me every time the fingerprint is queried.

So far I've noticed it on every page of github.com, the front page of pof.com, every page on medium.com, accounts.firefox.com - there are probably lots more, but I disable javascript by default so most sites don't even get a chance to fingerprint me.

Canvasblocker randomizes on every page load. I think that makes you stand out more. I use task-

Re:

[AHuxley]

How unique would a very average resolution, new OS and new browser be in a VM become?
The problem then becomes how unique the user wants to be with other settings. No flash? Fonts used, Do not track set, blocking ads, like/share buttons blocked, WebGL Renderer..
A default new browser, same OS every time from a VM? A browser that pools a lot of users real settings to present very random data back might be fun.
How unique are countermeasures to the fingerprint issue :)
Just the habit of a user to alw

Re:

[account_deleted]

Comment removed based on user account deletion

Spoof fingerprints the next thing

[Wild_dog!]

I suppose if peoples unique browser fingerprints will be able to be tracked then the next thing is randomized fake browser fingerprints.

Technology always provides.

Re:

[houstonbofh]

Technology always provides.

On both sides. Look at the old EFF one with no script, and it finds a LOT less. Look at the new one with no script and it still finds most things.

Re:

[Wild_dog!]

Yes Tech provides on both sides.... in an ongoing fashion.

Not sure what you are referring to in terms of the "old EFF one with no script".
Can you explain that reference to me in more detail. I fear I am ignorant on the subject to which you are referring.

Thanks in advance.

Re:

[houstonbofh]

The noscript plugin blocks javascript from running in your browser. That is how the EFF page got most of it's data. So with noscript active, it has a harder time identifying you. The new site does not have this problem.

Re:

[houstonbofh]

Oh for fucks sake! It is the University of Adelaide and it is in the fucking summery! And the EFF website for the same thing is on their page! And a tiny bit of effort would tell you that they have overcome the measures put in place to block a lot of the old tracking, like no script.

Did you have nothing to add other then FUD in your post?

Re:

[destinyland]

Here's a blog post on the University of Adelaide's web site linking to the browserprint.info URL, if there's any doubt...

https://www.adelaide.edu.au/ne... [adelaide.edu.au]

So what can we do?

[qintar]

I see a lot of posts about how to measure the "uniqueness" of your signature. But what (if anything) can be done about it?
Is this a standards issue? Or are there plug-ins that can mitigate some of this?

Re:

[houstonbofh]

TAILS is a damn good start. Any Live CD will help. But this new system also tracks a lot of hardware, so it will be limited... Ideally, TAILS running in a VM on VirtualBox is probably going to be the most common thing.

Re:

[Actually, I do RTFA]

The EFF panopticon page not only measures your uniqueness, but it also identifies the most distinct parts of your signature. It offers some solutions to shrinking your fingerprint. https://panopticlick.eff.org/ [eff.org]

Hold on a minute

[fred911]

I "finger printed" my browser and the website reported two different fingerprints. I changed nothing. So the UUID the website says is my fingerprint (by itself) is basically useless for tracking this browser.

Re:

[peawormsworth]

Your question is good. I ran it on a tor-browser and the only real identifier was the CSS font list, which is said was unique.

Does anybody know if this is a bug, or does is a tor-browser uniquely identifiable based on unique font lists per installation.

Test More Than Once

[DERoss]

Visit the test Web site more than once. If subsequent visits indicate that you remain unique -- that you are the only one out of all visits including your own prior visits -- then you are somewhat safe from tracking. Even better is when it reports inconsistent results from several visits within a short period of time. I did that, and the report was that I was unique twice relative to HTTP_ACCEPT Headers. Also, the Monitor Contrast Level was not the same for two consecutive visits.

I get this result by installing the Secret Agent extension from https://www.dephormation.org.u... [dephormation.org.uk]. Panopticlick has similar problems characterizing my browser. And various Web sites that attempt geolocation have me all over the globe.

Re:

[allo]

Always the same snapshot, always the same fingerprint.
You at least need to share your vm with a lot of people to be secure.

Stop reducing the fingerprint, increase it

[allo]

Change so much on each visit, that you're unique every time. You will not eliminate all data, but if everything is zero except one identifier, i get you using this one. If everything always changes, i always think i identified somebody new.

Re:er, this is not a good idea

[houstonbofh]

It is a fork of https://panopticlick.eff.org/ [eff.org] and about the same thing with a few more tests. And I am unique on both.

Re:

[Anonymous Coward]

So they know exactly who you are.

The goal is NOT TO BE UNIQUE.

Re:

[houstonbofh]

I can be less unique if I need to be. More importantly, I can be a different unique person when I really need to be. The trick is remembering to never let unique person A access a forum used by unique person B.

Re:

[AHuxley]

AC they have via "GCHQ Created Spoofed LinkedIn and Slashdot Sites To Serve Malware" https://news.slashdot.org/stor... [slashdot.org]
The way out is not be a very interesting person online.
Visit the same news sites, run the same updates. Been repetitive to the same short list of news sites, sports, games is not interesting to the security services.
They want to follow interesting people into newly formed sites, forums, chats, web 2.0 and then get back into their more secure computer usage or get admin rights over l

Re:

[Anonymous Coward]

I still just don't trust it. The US makes me afraid lately. I don't care how much PR they pump into being 'the good guys' their evil as hell and I don't think the rest of the world would shed a tear if the whole place got turned into a glass desert.

Re:

[houstonbofh]

Neither do we! And it will get worse when one of those two bozos running becomes president. (And keep in mind that a people and a government are different. Some times VERY different.)