
EFF's Panopticlick 2.0 Launches with Tracker Protection Tests - legind
https://panopticlick.eff.org/
======
r-w
The test over at [http://ip-check.info](http://ip-check.info), by JonDo, is
more comprehensive at the expense of not using information theoretical
measures like those of Panopticlick, which would give a realistic (if biased)
view of browser fingerprint uniqueness. They’ve developed a Firefox setup
profile called JonDoBrowser that’s optimized for their own test. While the
HTTP headers JonDoBrowser sends to sites can be easily distinguished from
those of other browsers (though they’ve attempted to standardize HTTP headers
within their own ecosystem), their proxying service compensates for that by
withholding all traceable details and eliminating all forms of local storage,
thus providing better privacy.

They’re located in Germany—a big legal plus—and their service uses an
international chain of independent servers, but they charge for data rates
greater than a few hundred kilobits per second. Thankfully, the browser
profile also supports faster Tor proxying while maintaining the same degree of
personal privacy. It also supports anything you can configure from your
computer’s settings, but if that means something other than Tor or JonDo, it’s
probably not redundant (i.e., comprising multiple independent proxy servers)
and therefore less reliable. It can be downloaded from
[https://anonymous-proxy-servers.net/en/software.html](https://anonymous-proxy-servers.net/en/software.html);
for those who wish to try it, I’ve found it works best with Firefox ESR, which
can be downloaded from
[https://www.mozilla.org/en-US/firefox/organizations/all](https://www.mozilla.org/en-US/firefox/organizations/all).

------
Dylan16807
That was weird, the no-js version didn't work. It just sat there spinning.

> Does your browser unblock 3rd parties that promise to honor Do Not Track? X no

What, why would I unblock those?

Edit: Thanks HN for deleting the fancy X unicode!

~~~
pde3
> That was weird, the no-js version didn't work. It just sat there spinning.

What extensions do you have installed? There's a known and unfixable issue
with browsers that both block JS and absolutely block all requests to tracking
domains (e.g. AdAway, which modifies /etc/hosts).

> What, why would I unblock those?

To incentivise better behaviour by web publishers and advertisers!

~~~
Dylan16807
uBlock was stopping requests to third parties. Though the javascript version
didn't care that third party requests were blocked, only the no-js version.

It's kind of weird for something specifically dedicated to measuring tracking
to get so confused by an anti-tracking mechanism.

> To incentivise better behaviour by web publishers and advertisers!

Maybe if it could have some legal teeth to it, otherwise it's too easy to lie
to get your tracker unblocked.

------
jordanlev
I browse with cookies disabled by default, and when I ran the browser test it
said this:

Are Cookies Enabled? No

one in x browsers have this value 3.94

...so according to the EFF's data, almost 1 in 4 people also browse with
cookies disabled? I thought I was in an extreme minority, and I know I come
across a TON of sites that don't work without cookies or localStorage enabled
(which is understandable for when you need to log in or if it's a more "app"-y
thing, but for just reading content it's a ridiculous requirement).

~~~
schoen
It's presumably 1 in 4 people who have tried Panopticlick, which isn't a
representative sample of general browsers (for example, a lot of people might
try it with Tor Browser or with private browsing mode).

------
relkor
Is there any solid guide to preventing browser fingerprinting? Or is the only
protection constantly changing your accept headers + user agent?

~~~
legind
"For day-to-day use, the best options are to run tools like Privacy Badger or
Disconnect that will block some (but unfortunately not all) of the domains
that try to perform fingerprinting, and/or to use a tool like NoScript for
Firefox, which greatly reduces the amount of data available to
fingerprinters."

[https://panopticlick.eff.org/about#defend-against](https://panopticlick.eff.org/about#defend-against)

~~~
rocky1138
Will blocking them at the HOSTS file level decrease exposure as well? My gut
says yes, but I wanted to check.

Also, does this test check for that and/or give points for that?

Here is the HOSTS file I use to block ads:
[http://winhelp2002.mvps.org/hosts.txt](http://winhelp2002.mvps.org/hosts.txt)

~~~
XzetaU8
If you're on Linux I recommend 'Hosts-Update'[1], it's a bash script that
generates a Host file from multiple sources:

[http://adaway.org/hosts.txt](http://adaway.org/hosts.txt)
[http://hosts-file.net/ad_servers.txt](http://hosts-file.net/ad_servers.txt)
[http://malwaredomains.lehigh.edu/files/justdomains](http://malwaredomains.lehigh.edu/files/justdomains)
[http://pgl.yoyo.org/adservers](http://pgl.yoyo.org/adservers)
[http://someonewhocares.org/hosts/hosts](http://someonewhocares.org/hosts/hosts)
[http://winhelp2002.mvps.org/hosts.txt](http://winhelp2002.mvps.org/hosts.txt)
[http://www.malwaredomainlist.com/hostslist/hosts.txt](http://www.malwaredomainlist.com/hostslist/hosts.txt)

[1]: [https://github.com/zant95/hosts-update](https://github.com/zant95/hosts-update)

------
dest
In fingerprinting, the browser plugins and user agent are the most identifying
parameters as far as I'm concerned. Does anybody know workarounds to hide or
standardize those parameters?

~~~
blacksmith_tb
For Firefox, you can automatically spoof the UA with a tool like
[https://addons.mozilla.org/en-US/firefox/addon/random-agent-...](https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer/)

~~~
pde3
Spoofing your user agent on your own typically makes you easier to
fingerprint, not harder. See footnote 3 of the Panopticlick 1.0 paper:
[https://panopticlick.eff.org/static/browser-uniqueness.pdf](https://panopticlick.eff.org/static/browser-uniqueness.pdf)

It's more plausible for a large population of browsers to share a single
spoofed user agent; all of the Tor Browsers pretend to be a single specific
version of Firefox for Windows.
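
Added example, not part of the original thread: the "one in x browsers have this value" figure quoted earlier and the spoofed-UA point above, worked through as surprisal (bits) and anonymity-set size. The 1000-browser population and every attribute value are constructed placeholders, not Panopticlick data.

```python
import math

def bits_from_one_in_x(x):
    """'One in x browsers have this value' carries log2(x) bits of identifying information."""
    return math.log2(x)

def surprisal(population, attr, value):
    """Bits of identifying information carried by one attribute value."""
    matches = sum(1 for fp in population if fp[attr] == value)
    return math.log2(len(population) / matches)

def anonymity_set(population, fingerprint):
    """Number of browsers in the population with an identical full fingerprint."""
    return sum(1 for fp in population if fp == fingerprint)

def make_population():
    """Constructed sample of 1000 browsers; all values are placeholders."""
    stock = {"ua": "UA-stock-desktop", "plugins": "plugins-default", "cookies": True}
    pooled = {"ua": "UA-shared-pool", "plugins": "none", "cookies": True}
    custom = {"ua": "UA-stock-desktop", "plugins": "plugins-custom-set", "cookies": False}
    pop = [dict(stock) for _ in range(600)]
    pop += [dict(pooled) for _ in range(300)]   # many browsers sending one agreed UA
    pop += [dict(custom) for _ in range(99)]
    # One user who spoofs a UA nobody else sends; the rest of the browser is stock.
    lone = dict(stock, ua="UA-random-7f3a")
    pop.append(lone)
    return pop, stock, pooled, lone

def report(population, fingerprint):
    """Per-attribute surprisal plus the size of the crowd this browser hides in."""
    bits = {a: round(surprisal(population, a, v), 2) for a, v in fingerprint.items()}
    return bits, anonymity_set(population, fingerprint)

if __name__ == "__main__":
    pop, stock, pooled, lone = make_population()
    print("one in 3.94 ->", round(bits_from_one_in_x(3.94), 2), "bits")
    for name, fp in (("stock", stock), ("shared UA pool", pooled), ("lone spoofer", lone)):
        print(name, *report(pop, fp))
```

The lone spoofer's UA alone is worth log2(1000) bits in this sample and shrinks the anonymity set to one, while the shared-UA pool stays indistinguishable among its 300 members.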

~~~
rocky1138
How about we get together and decide on a common string that all of us can
use? We can set our browsers to use that, and our friends' as well.
Theoretically, the more people that use the same string, the harder we'll be
to track, correct?

~~~
redwards510
Yes! How would you say "I'm a generic modern browser that can interpret HTML5.
Do not send me Flash."

~~~
StavrosK
Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26
(KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25

~~~
rocky1138
Won't that make some websites send you to the mobile version?

What's the desktop equivalent?

