
Websites can now fingerprint a device when multiple browser instances are used - antouank
https://arstechnica.co.uk/security/2017/02/now-sites-can-fingerprint-you-online-even-when-you-use-multiple-browsers/
======
sleepychu
Resist! Use adblockers, disable cookies which live over the session by
default, turn off JS if you can. When we get to critical mass, the advertising
networks will come back with a new deal.

I wonder if we can come up with a widely adopt(able|ed) fingerprint that we
can mask ourselves with, do any of these identifying bits actually make the
web more usable for us?

~~~
taf2
I could be mistaken but doesn't the use of an adblocker make you even more
obvious - e.g. Your fingerprint becomes more easily discernible from the rest
of the herd, you become more obvious. Sure you could disable JavaScript but
then you have basically disabled any website that depends on it which might
equivalently disable the parts of the internet you wanted to access. Also it
becomes obvious that your location has a broken experience. Perhaps there is a
balance of blocking and blending in. My view on this is what kind of websites
are you visiting that make you feel you need to disable parts of it?

~~~
stymaar
> I could be mistaken but doesn't the use of an adblocker make you even more
> obvious - e.g. Your fingerprint becomes more easily discernible from the
> rest of the herd, you become more obvious.

In my generation (I'm 28), and even more in my cousins' (early twenties) it
looks like the herd is using an adblocker. And I'm talking about art students,
accountants and chefs not IT engineers.

You just can't spend hours on YouTube videos without an adblocker on …

~~~
taf2
You could also pay ... $9.99 a month for ad-free youtube...

~~~
stymaar
Not available in my country. And I'm not sure any of the aforementioned people
would be willing to pay for something an adblocker provides for free.

------
rxlim
I have been browsing the web without Javascript enabled since 2006. The worst
is that once in a while you will click on a link to read some text, but arrive
at a completely blank page. Many times this can be solved by disabling CSS for
that page or using the Google cache, but it's still annoying.

In my view requiring Javascript just to display text or pictures is completely
brain-dead, web "designers" that think this is a good idea should probably not
be allowed to design anything. It also makes it hard for disabled people that
rely on accessibility tools to use the web.

I don't expect "web apps" like a video player to work without Javascript, but
basic things like reading text, viewing pictures or clicking on links should
never depend on it.

~~~
rsync
I use ublock origin with chrome.

Do I understand correctly that the simple tool to block javascript (noscript)
is not available on chrome ?

I'd like to disable javascript but the non-noscript recipes seem very complex
...

~~~
navs
Chrome allows you to enable/disable javascript on a per domain basis. It's not
an extension or very flexible but I've found it useful for most situations e.g
whitelisting js for my bank website.

------
osoba
Random idea: Couldn't browsers have two modes of browsing, one lightweight one
where only the most basic of JS features are enabled by default (this is
something that 99% of websites actually need) and the full version where
everything is enabled. The lightweight one is the default state and the users
can manually switch to full version. Or even better use logistic regression or
a neural network to decide when a website genuinely needs advanced features
and when it's just to track you. As a bonus the lightweight mode would also
probably render much faster? How realistic is this? What would be the
downside?

~~~
ioulian
These are my thoughts (as a webdeveloper):

We have 5 big browsers and 3 OS's that we need to support (different
rendering, different canvas rendering, not to mention 3d rendering quirks,
different installed fonts), I think we don't need yet another way to make our
lives difficult.

I understand that privacy is a big issue, but think about "normal" web
developers who just want to show a cool working website to their users, but
need to display this message to them: "Thank you for looking at our website,
but unfortunately your browser is in lite JavaScript mode. Please set it to
full functionality again and restart your browser and go to our site once
more.".

I have already used dirty hacks to support the default setting of 3rd party
cookies in Safari, while developing facebook apps or some apps inside an
iframe that have different domains. It's there to make users feel more secure,
but there are always ways around it.

It would be better to add the functionality you are suggesting as an option
and not by default, so people, who understand the "risks" of not viewing some
sites properly in favor of more privacy, will turn it on by themselves.

~~~
Majestic121
I understand the view and pains of the webdeveloper, but quite frankly I think
privacy issues are way more important. Not even in the same order of
magnitude.

Your comment feels like a restaurant saying 'Ok, I understand cleanliness is
important, but as a cook washing dishes all the time is really annoying so I
only wash them if customers ask for clean dishes'

~~~
ioulian
Haha, good one, but joking aside, I would rather prefer that the dishes can
never get dirty, no matter what.

I don't think it's in Google's best interest to add anti tracking features into
Chrome browser (and same with MS and Apple). So from now on we must bring our
own cloth to clean out the dishes or go to another restaurant where the dishes
are always clean.

The problem is that it's impossible to change the current behaviour of the
browsers without breaking the whole internet. It would be much easier and
better to create a new browser (look at Tor Browser for example), that has a
lot of anti tracking features enabled by default.

People know that if they want privacy, they can use this browser. But it's
still a "big" hassle to install it, not to mention my grandmother knows
Chrome/Firefox, but not Tor Browser so she will never use it.

We do not need to change the browsers to let them defend us, but to teach folk
what privacy is and what to do if you don't want to get tracked.

PS: keep in mind that browser is 1 item in the big picture of "tracking
private data". IoT devices are really booming now, and everything is tracking
us, our watches, refrigerators, thermostats, ... we can't just install an
AdBlocker there.

~~~
Silhouette
_The problem is that it's impossible to change the current behaviour of the
browsers without breaking the whole internet._

That just doesn't track, sorry.

For one thing, plenty of sites would continue to work just fine if browsers
(for example) wouldn't allow any JS to upload anything without the user's
explicit consent. That would immediately solve a significant part of the
problem, for a cost of one click the first time a user visits a site where
they do want to allow it.

For another thing, web developers respond plenty quick enough to new
opportunities to exploit browser functionality. If the major browser
developers told them where to go, they'd fix their broken sites plenty quickly
too.

_IoT devices are really booming now, and everything is tracking us, our
watches, refrigerators, thermostats, ... we can't just install an AdBlocker
there._

Maybe they're booming where you are. I've yet to see anyone, from my most
gadget-obsessed geek friends to my least technical family members, actually
use one, other than devices specifically made for some communications purpose
or whose main/only function is to provide access to some remote service.
Certainly I've yet to meet anyone who thought everyday household appliances
like their fridge or thermostat needed to phone home to do their jobs.

As for installing a blocker, I've already seen multiple places interested in
implementing something that is essentially a privacy firewall for home devices
and/or building a database of which devices try to communicate with which
remote hosts for which purposes. If IoT really does outgrow the marketing
hype, tools to limit its capabilities for privacy and security reasons will
surely follow, maybe even at ISP level in the same way that a lot of spam no
longer even reaches our junk folders.

------
mirimir
If you don't want to be tracked, the simplest solution is to disable WebGL and
HTML5 stuff, and minimize use of Javascript. That's part of what Tor browser
does. If you want that stuff, you can compartmentalize in multiple VMs.

However, even that can be vulnerable. Browsers in all Debian-based VMs have
the same HTML5 canvas fingerprint on given hardware. Because the fingerprint
is based on both the VM's graphics driver and the host's graphics hardware. To
avoid that, you can use unrelated OS in your VMs. In my experience, Windows,
OSX, Fedora, PC-BSD and Debian VMs have distinct HTML5 canvas fingerprints on
given hardware.

------
deltaprotocol
Well, if we can't have privacy, at least let's make it clear that we DO want it
and do what we can to have it.

Not being able to defend ourselves doesn't mean that we should give up.

A crowd can gather in front of a building and demand changes, unarmed and
shouting. They may be heard or not, but still they fight. Sometimes the crowd
is really huge and the other side has no option but to hear.

Use Firefox. Use uBlock Origin. Use uMatrix or NoScript if you can. Use HTTPS
Everywhere. Use DecentralEyes and Privacy Settings (an addon to streamline
setting the cryptic browser settings in favor of your security and privacy).

If you can, edit text fields through an external editor using things like
Vimperator/Pentadactyl C-i command or extensions such as Its All Text or
Wasavi.

Use a firewall. Use a firewall in your phone as well.

Search through DuckDuckGo or Startpage. Use F-Droid apps on your Android
device, it even has a privacy conscious browser called Privacy Browser, a
great and encryption friendly email client called K-9 and key wallet called
OpenKeychain. Use Free Software.

Drop the use of Google Drive and Dropbox in favor of solutions such as
Syncthing.

Use a password manager and strong passwords.

Fight the good fight. Using these tools you can still enable resources for
websites where you need them, literally unblocking the web with each use case.
It works if you need to work and learn through browsers. For anything else,
use Tor Browser. Maintain an installed version. Open it and update it often.

Privacy is a right that we must fight for every day and, sincerely, it's an
honor to be part of the resistance in this dark age.

User rights activists know how hard it can be to teach people the importance of
these things. It's hard and not always effective and often backfires.

If you are a developer, don't put your tail between your legs and accept that
you must for monetary reasons circumvent user rights, talk with your team, be
the guy with weird thoughts and be proud. You know the importance and they
don't. Isn't it like this when a math teacher struggles with his younglings?
They just don't know. Be patient.

We can BE the change we want.

Edit: Use Signal. Support Riot. SUPPORT THE EFF! There are so many beautiful
people fighting the fight with us. Thanks to everyone involved in the
development of these products and services, often left in the shadows and
unpaid. You are love.

~~~
eganist
Do all of this and you'll be fingerprinted as being in the fringe minority of
privacy-craving web users, so for this effort to succeed, it might help for
there to be some form of orchestration/automation and education to achieve all
of these together with a wide population of people.

That'd be a startup or nonprofit project, not necessarily anything any of us
can individually do and not stick out like a sore thumb unless somebody
capitalizes on anti-privacy revelations which can galvanize the population in
favor of self-education on privacy hygiene.

Paraphrasing (probably inaccurately) Bruce Schneier's answer to a question of
mine on this topic at DEF CON: the best privacy solutions are the ones
embraced by many people.

~~~
deltaprotocol
This isn't about being invisible. 99.9% of the people can't, including most of
the HN crowd. It has become literally almost impossible. This is about making
a statement for what you believe and fighting for the digital world we want.

You can always use techniques such as blending in if you really must, tools
such as Tails or QubesOS.

If they want to put a red pin on me with the words activist and "conscious of
us", let them while and if they can.

Edit: changed the word "secure" to "invisible" because they are different
things entangled in this scenario.

------
erikrothoff
I can see why the industry didn't adopt the Do Not Track header, as it would
basically kill all targeting revenue goodness that's been built up over the
years. Why not try and push for a unified IDFA instead, which has its benefits
for targeting but also more control from a user perspective?

I don't really see an industry adoption of these fingerprinting techniques.
The linked page took 20 seconds and 100% CPU before getting a fingerprint ID,
so running that at scale seems pretty useless?

~~~
manigandham
Yes. Device/OS level "advertising ID" that can be reset at anytime by the
client is sorely needed and would be used by every ad network, greatly
improving privacy and performance of ads on the web.

------
na85
I note without surprise that most of this tracking leverages JavaScript. When
do we say that enough is enough? When do we finally agree that the web was
better without JavaScript tracking us everywhere we go, and when do we finally
admit that not all ideas (JavaScript) were good ideas?

My browser works against me these days. Sad times.

~~~
netsharc
Throwing web-interactivity (via Javascript) away today is like throwing your
computer away. Computers help you be more productive, but it also helps the
people who want to profile you. What's the alternative?

If it's not Javascript, any functionality that offers access to the hardware
(via however many layers) to "apps" from the "cloud" can be exploited this
way. Maybe we should disallow hardware access, how will YouTube play videos?
Should we all install youtubeplayer.exe ?

~~~
mikegerwitz
JS is different---your browser automatically downloads and executes untrusted,
unsigned, arbitrary, ephemeral code that can do whatever it feels like. Almost
worse: it does so silently without the user's knowledge, and has the illusion
of remote execution, misleading the user into thinking no software is actually
running on their own computer.

~~~
Silhouette
_JS is different---your browser automatically downloads and executes
untrusted, unsigned, arbitrary, ephemeral code that can do whatever it feels
like._

It really doesn't. There are severe limits on what JS downloaded from some
random site can do via a browser on your local device. A few tricks to detect
some environment-based signals and invade privacy might be undesirable, but
that intrusion is nothing compared to the kind of stunts native software has
pulled over the years, and the major desktop and mobile operating systems are
pathetically ineffective at sandboxing that software compared to what browsers
do with JS, even taking into account the unwanted side effects of recently
expanded capabilities that we're discussing here.

~~~
omginternets
> It really doesn't. There are severe limits on what JS downloaded from some
> random site can do via a browser on your local device.

That's missing the point.

With respect to tracking a user, most of those restrictions don't matter. Your
browser _does_ download/execute untrusted, unsigned, arbitrary, ephemeral code
that can do any kind of tracking it wants.

~~~
Silhouette
And compared to the kinds of technologies used for copy protection and
telemetry in native applications, what JS can do within a browser is still
very limited.

Yes, the browser executes JS code from untrusted sources, but only if you
visit a page that loads scripts from those sources, and always (barring
security bugs) within a sandbox that limits their capabilities.

I fail to see how this can possibly be any worse than installing software in
other ways such as running a native executable you downloaded from somewhere,
or following a "curl | sh" installation process as advocated by plenty of
popular OSS tools, or allowing native software that you already installed to
install arbitrary automatic updates that it fetches from remote sources.

The argument netsharc made was essentially that turning off JS would disable a
lot of useful functionality for a lot of people, and that providing that
functionality would still involve similar risks if it were done some other
way. The reply from mikegerwitz argued that JS is different, but I still don't
see how. The relevant comparison isn't against just turning JS off, it's
against turning JS off and implementing the same functionality some other way,
and compared to the sandboxed environment of JS, the most likely alternatives
with today's technology would be even worse in terms of security and privacy.

~~~
mikegerwitz
> compared to the kinds of technologies used for copy protection and telemetry
> in native applications

Compared to the damage a logging truck can do to my car, a snow plow is very
limited. I still don't want to be hit by a snow plow.

The threats to privacy posed by JS are severe and constantly evolving. Being
able to profile based on hardware is effectively breaking the sandbox.

> (barring security bugs)

Which are far from uncommon. But you can't predicate a security discussion
with the phrase "barring security bugs".

> I fail to see how this can possibly be any worse than installing software in
> other ways such as running a native executable you downloaded from
> somewhere, or following a "curl | sh" installation process as advocated by
> plenty of popular OSS tools, or allowing native software that you already
> installed to install arbitrary automatic updates that it fetches from remote
> sources.

Each of these requires explicit user authorization at some point (barring
malicious operating systems). In the case of automatic updates, the initial
install required user consent.

That isn't the case on the Web when you click on some random link I send you
and automatically download and execute a program.

~~~
Silhouette
_The threats to privacy posed by JS are severe and constantly evolving._

What exactly are the big threats you see here?

Yes, JS can be used to track whether the same computer is being used to visit
different web sites. But there are other tracking techniques based on other
web technologies that are also very accurate and require no cooperation from
JS in the browser. The ultimate risk is the same in both cases: being tracked
from one web site to another, and therefore potentially identified in real
life if the other data held by those web sites in combination is sufficient to
remove anonymity.

As I've said elsewhere in this discussion, I'd be the first to agree that this
is undesirable, and that we should try to do something about it by limiting
the access that is available by default and now being exploited for unintended
purposes. I just don't see that the general risk is unique to JS or that JS is
qualitatively worse in the danger than other web or general software
technologies.

_Each of these requires explicit user authorization at some point (barring
malicious operating systems). In the case of automatic updates, the initial
install required user consent._

Again, how is this any different to giving a user a link to a web site, which
they then choose to follow? If you want to use some interactive functionality,
how does it make the slightest bit of difference whether you're trusting JS
code that runs directly or indirectly from a web site you voluntarily visit,
scripts that run directly or indirectly via a script you curl|sh, or whatever
is in some executable that you download and run? There is an inherent element
of trust in all of these cases, and unscrupulous actors have betrayed that
trust with nasty results in all of these cases. Again, I'm not saying the
situation with JS is good, I'm just saying it's not significantly different to
the situation with other current technologies that might be used to provide
similar functionality in alternative ways.

------
spaceboy
JS increases the fingerprintability a huge amount. It's worth looking at
ClientJS to see how many bits of identifying information can be hoovered up
with JS.

[1] [https://clientjs.org](https://clientjs.org)

------
Cieplak
Time to start patching your browser or proxying requests to munge http headers
and strip out all identifiable data, and to throw random garbage in there.
Obviously you can detect this pattern as well, but it makes it harder. Browser
vendors are not on our side. Spend a couple minutes with tcpdump and a fresh
install of any modern browser, and you'll see what I mean.

------
z123
Tried their sandbox site from firefox and chrome on my Mac. They were able to
calculate same 'Computer fingerprint'. Looks impressive from tech
perspective.. though bad for privacy

------
EGreg
Is there a point to third party cookie policies, given this?

What is the extent of the ability to track a user between sites these days
even if they blocked third party cookies? Meaning, given an advertiser with
1,000,000 users what are the chances it knows that you just visited sites A,
B, C if it has ads installed on each one?

------
afpx
Although I can't discuss much, I've seen similar techniques used years ago.
Or, in other words, it's fairly easy to come up with new signature producing
schemes. That's why some people disable Javascript.

------
manigandham
Identity (as in a stable handle for your browser/device/profile) is an
important part of the web. It's tied into all kinds of functionality and
security.

What we really need is a device/OS level "ID" that can be read by any app or
website so that it is stable. Since it's controlled by the OS, resetting your
identity is as simple as generating a new ID. This single change would improve
security and performance across the web and remove the vast majority of
fingerprinting being used today.

~~~
Paul-ish
This wouldn't give us any more privacy. It would just become another signal in
the tracker's model, they wouldn't solely rely on it. Cookies were the same
idea limited to a single website. We were told to clear our cookies and we
could prevent tracking. We have seen what cookies have become, with zombie
cookies[1][2] rising from the dead after we think they are gone. At the end
of the day, advertisers and trackers didn't really want us to have the
capability to reset our identity with them.

If you try to change the ID, trackers will use other things to try to keep
tracking your browser session.

[1]
[https://en.wikipedia.org/wiki/Zombie_cookie](https://en.wikipedia.org/wiki/Zombie_cookie)

[2]
[https://en.wikipedia.org/wiki/Evercookie](https://en.wikipedia.org/wiki/Evercookie)

~~~
manigandham
The functionality (and corresponding machine implementation) matrix of a user
will always give enough entropy to construct an identity, but much of this was
created because of the lack of any other reliable and stable option. A stable
ID would definitely be used since services now spend a considerable amount of
time and effort in constantly figuring it out through other means.

A single website is too narrow since things like ad networks (which are the
economic backbone of the web) work across many sites. A single root domain is
an outdated isolation model on the modern web.

Outside of that, the only other answer is regulation. Something that is
missing in many areas although some countries seem to be making good progress.

------
ikeboy
1. Are ad companies ahead of the research and have been doing things like
this all along?

2. In theory you can look at JavaScript served from ad sites and reverse
engineer to see what they are tracking. Has anybody tried to make a database
of which ad vendors run which things in browsers? (Similar to how malware is
reverse engineered?)

~~~
mpeg
Yes and yes.

Take a look at the work of Steven Englehardt around cookie syncing and gpu
fingerprinting [0] [1]

[0]: [https://freedom-to-tinker.com/2014/08/07/the-hidden-perils-o...](https://freedom-to-tinker.com/2014/08/07/the-hidden-perils-of-cookie-syncing/)

[1]: [https://freedom-to-tinker.com/2016/01/12/retrospective-look-...](https://freedom-to-tinker.com/2016/01/12/retrospective-look-at-canvas-fingerprinting/)

~~~
ikeboy
Checking what sites use specific techniques is not the same as reversing JS to
find new techniques.

~~~
mpeg
There's no new techniques, this stuff all uses the same javascript APIs and
that's what the crawlers that look for this stuff look for.

People have been doing GPU fingerprinting since the canvas APIs were
available, with accuracy rates of over 90%, this further refines it by
exploiting subtle differences in 3D rendering via webgl but the API surface is
pretty small

And you really don't need to reverse JS, you can just run it in a controlled
environment and hook into certain calls etc. not too different to how you'd do
analysis of vm / packed binaries though some of the scripts that do this stuff
will try to detect these sandboxed environments and deactivate themselves
(google does that, for example, cause they run their fingerprinting inside a
custom VM in javascript)
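
The dynamic approach described above (run the script in a controlled environment and hook the calls it makes), as an added example that is not part of the original thread: a `Proxy` wrapper logs every canvas call, and a heuristic flags scripts that draw text and then read the pixels back. `MockCanvas`, the three sample scripts and the 16-pixel and 10-character thresholds are assumptions chosen for illustration so the block runs under Node without a browser.

```javascript
// Added example: hook canvas calls and flag fingerprint-style use.
// MockCanvas/MockContext are constructed stand-ins for the browser objects.
const MIN_SIDE = 16;   // assumed threshold: smaller read-backs are ignored
const MIN_CHARS = 10;  // assumed threshold: distinct characters drawn

class MockContext {
  constructor() { this.fillStyle = '#000'; }
  fillRect() {}
  fillText() {}
  getImageData(x, y, w, h) { return { width: w, height: h, data: [] }; }
}
class MockCanvas {
  constructor(width, height) {
    this.width = width; this.height = height; this.ctx = new MockContext();
  }
  getContext() { return this.ctx; }
  toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
}

// Wrap an object so every method call and property write is logged.
// The context returned by getContext() is wrapped too.
function hook(target, label, log) {
  return new Proxy(target, {
    get(obj, prop) {
      const value = obj[prop];
      if (typeof value !== 'function') return value;
      return (...args) => {
        log.push({ api: `${label}.${String(prop)}`, args });
        const out = value.apply(obj, args);
        return prop === 'getContext' && out !== null && typeof out === 'object'
          ? hook(out, 'ctx', log) : out;
      };
    },
    set(obj, prop, value) {
      log.push({ api: `${label}.${String(prop)}=`, args: [value] });
      obj[prop] = value;
      return true;
    },
  });
}

// Heuristic: enough text drawn on a large enough canvas, then pixels exported.
function classify(log, canvas) {
  const text = log.filter((e) => e.api === 'ctx.fillText')
    .map((e) => String(e.args[0])).join('');
  const distinctChars = new Set(text).size;
  const colours = new Set(log.filter((e) => e.api === 'ctx.fillStyle=')
    .map((e) => e.args[0])).size;
  const readBack = log.some((e) => e.api === 'canvas.toDataURL' ||
    (e.api === 'ctx.getImageData' &&
      e.args[2] >= MIN_SIDE && e.args[3] >= MIN_SIDE));
  const bigEnough = canvas.width >= MIN_SIDE && canvas.height >= MIN_SIDE;
  const drewText = distinctChars >= MIN_CHARS ||
    (text.length > 0 && colours >= 2);
  return { distinctChars, colours, readBack,
    suspicious: bigEnough && drewText && readBack };
}

// Constructed sample 1: a chart widget that never reads pixels back.
function chartScript(canvas) {
  const ctx = canvas.getContext('2d');
  ctx.fillStyle = '#36c';
  ctx.fillRect(0, 0, 40, 80);
  ctx.fillText('Q1', 5, 95);
}

// Constructed sample 2: renders text in two colours, then exports the image.
function probeScript(canvas) {
  const ctx = canvas.getContext('2d');
  ctx.fillStyle = '#f60';
  ctx.fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  ctx.fillStyle = '#069';
  ctx.fillText('Cwm fjordbank glyphs vext quiz', 4, 17);
  return canvas.toDataURL();
}

// Constructed sample 3: a colour picker that reads a single pixel.
function pickerScript(canvas) {
  const ctx = canvas.getContext('2d');
  ctx.fillText('Pick a colour below', 2, 15);
  return ctx.getImageData(10, 10, 1, 1);
}

// Run one script against a hooked canvas and classify what it did.
function analyse(script) {
  const log = [];
  const canvas = new MockCanvas(300, 150);
  script(hook(canvas, 'canvas', log));
  return classify(log, canvas);
}

for (const s of [chartScript, probeScript, pickerScript]) {
  console.log(s.name, analyse(s));
}
```

Only the script that both draws text and exports a large region is flagged; the single-pixel read of the picker is the false positive the size threshold is there to avoid.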

------
metafunctor
For some reason, this didn't fully work for me. I tried Safari, Chrome, and
Firefox on MacOS. The results for the Audio feature were the same for Chrome
and Firefox, but different for Safari.

------
lucaspiller
I'd imagine for most home users the combination of the following is enough to
track them across multiple browsers:

{ip, device pixel ratio, screen resolution, time zone}

You can then identify more unique browser features to track them across
multiple locations. Even if it's not completely unique, you can build up a
network graph that's probably good enough for most things - people living in
the same house probably have similar interests.

~~~
deckiedan
I imagine you could have a browser plugin that randomized the values that
javascript sees for those, except for sites where they matter? (Very few, I'd
guess).
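
Measuring how identifying the `{ip, device pixel ratio, screen resolution, time zone}` tuple is, and what masking the script-visible values changes, as an added example that is not part of the original thread: it sizes the anonymity sets over a constructed list of page views before and after masking. The visit records, field names and generic values are assumptions, and fixed generic values are used in place of the random ones suggested above so the result is reproducible.

```javascript
// Added example: anonymity-set size for the tuple discussed above.
// All records are constructed; the IPs are documentation addresses.
const TUPLE = ['ip', 'dpr', 'screen', 'tz'];

const VISITS = [
  { ip: '198.51.100.7', dpr: 2, screen: '2560x1600', tz: 'Europe/London' },
  { ip: '198.51.100.7', dpr: 1, screen: '1920x1080', tz: 'Europe/London' },
  { ip: '198.51.100.7', dpr: 3, screen: '1170x2532', tz: 'Europe/London' },
  { ip: '203.0.113.20', dpr: 1, screen: '1920x1080', tz: 'Europe/London' },
  { ip: '203.0.113.20', dpr: 1, screen: '1920x1080', tz: 'Europe/London' },
  { ip: '192.0.2.55', dpr: 2, screen: '2560x1600', tz: 'America/New_York' },
  { ip: '192.0.2.55', dpr: 1, screen: '1366x768', tz: 'America/New_York' },
  { ip: '192.0.2.55', dpr: 1, screen: '1366x768', tz: 'America/New_York' },
];

// Join the chosen attributes into one comparable key.
function keyOf(record, attrs) {
  return attrs.map((a) => String(record[a])).join('|');
}

// Anonymity sets: how many records share each combination of values.
function anonymitySets(records, attrs) {
  const sets = new Map();
  for (const r of records) {
    const k = keyOf(r, attrs);
    sets.set(k, (sets.get(k) || 0) + 1);
  }
  return sets;
}

// Records that are alone in their set, i.e. re-identifiable without cookies.
function uniqueCount(records, attrs) {
  let n = 0;
  for (const size of anonymitySets(records, attrs).values()) {
    if (size === 1) n += 1;
  }
  return n;
}

// Surprisal in bits of one record's combination: log2(N / set size).
function surprisalBits(records, attrs, record) {
  const size = anonymitySets(records, attrs).get(keyOf(record, attrs)) || 0;
  if (size === 0) throw new Error('record is not part of the population');
  return Math.log2(records.length / size);
}

// Masking as a plugin could do it: generic values for what scripts can read.
// The IP address is outside the plugin's reach and stays as it is.
function mask(record) {
  return { ...record, dpr: 1, screen: '1920x1080', tz: 'UTC' };
}

function report() {
  const masked = VISITS.map(mask);
  return {
    uniqueRaw: uniqueCount(VISITS, TUPLE),
    uniqueWithoutIp: uniqueCount(VISITS, ['dpr', 'screen', 'tz']),
    uniqueMasked: uniqueCount(masked, TUPLE),
    bitsRaw: surprisalBits(VISITS, TUPLE, VISITS[0]),
    bitsMasked: surprisalBits(masked, TUPLE, masked[0]),
    largestMaskedSet: Math.max(...anonymitySets(masked, TUPLE).values()),
  };
}

console.log(report());
```

After masking no visit is unique, but every anonymity set still coincides with one IP address, so the household stays distinguishable even when the devices inside it do not.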

------
swearfu
How is this news? The adult and casino industries have been using this
technology for years now to avoid fraud.

~~~
sleepychu
What fraud attack do those industries share which is prevented by
fingerprinting?

To address your question, the technique is novel and more accurate.

~~~
swearfu
Charge backs. For a long time those industries were dominated by affiliate
programs, and so affiliates would hire firms in other countries to use stolen
credit cards to inflate memberships, then charge back after the affiliate got
their payout. By using shared networks of the finger prints we were able to
identify computers already used for fraud on other sites or our own sites and
refuse them the chance to even sign up.

EDIT: Sorry, to be clear, the people using the stolen credit cards didn't
charge back, the actual owners of the cards would. But this affected the
industries two-fold, first in constantly having to battle with credit card and
billing companies that didn't want to provide services for an industry with
such a high charge back rate, but it also hurt us in paying out to affiliates
who cost us money instead of bringing it in.

------
TazeTSchnitzel
I wonder what “machine” means here in practice. It gives the same result for
Firefox, Chrome and Safari on macOS, but if I booted into Windows, perhaps I'd
get a different result. Or perhaps if I switched to the internal monitor.

------
aluhut
This script crashed here on FF:

Script:
[http://www.uniquemachine.org/fingerprint/js/fontdetect.js:61](http://www.uniquemachine.org/fingerprint/js/fontdetect.js:61)

------
angry_octet
Using WebGL while browsing with Tor? What could go wrong!

~~~
coldtea
Nothing much. What do you think could go wrong?

~~~
angry_octet
I don't know, maybe massive pwnage?

I'm sure you know that and are just being difficult. It's because
OpenGL/DirectX drivers run a large compiler in the kernel and then send the
compiled code to the GPU. None of that code is inspectable. Drivers routinely
have special hacks to tweak the performance of particular games or matching
patterns of use that tweak special paths, making thorough testing particularly
hard.

[https://medium.com/@afd_icl/hey-a-web-page-just-restarted-my...](https://medium.com/@afd_icl/hey-a-web-page-just-restarted-my-phone-c06d3db76542)
[https://twitter.com/alexstamos/status/829124727289544704](https://twitter.com/alexstamos/status/829124727289544704)

~~~
coldtea
> _I don't know, maybe massive pwnage?_

Any real examples besides proofs of concept and academic concerns? As in,
examples that affect the average user, not some specifically targeted person?

------
anotheryou
Does anyone actually bother to do this? I mean to catch the 99% of normal
users for advertising you don't have to go through any trouble.

------
wtbob
This is one of the reasons I disable JavaScript.

The web is an interlinked _web_ of documents called pages. It's not a
distributed application platform: although it can be twisted into that, it
turns out that no-one actually carefully considered all the potential
security, privacy & performance implications of doing that — and it's no
surprise that the security, privacy & performance of the single-page app web
is abominably atrocious.

------
agotterer
Would something like this even be legal under some of the more stringent
cookie and tracking laws?

------
andai
Does anyone know about any research for fingerprinting the host inside a
virtual machine?

------
ibogunov
Just use iphone & default safari, it's retardingly difficult to discern 2
iphones, they are literally the same hardware only IOS version can be a bit
different. Problem solved.

------
reirob
tldr: "The new technique relies on code that instructs browsers to perform a
variety of tasks. Those tasks, in turn, draw on operating-system and hardware
resources—including graphics cards, multiple CPU cores, audio cards, and
installed fonts—that are slightly different for each computer. For instance,
the cross-browser fingerprinting carries out 20 carefully selected tasks that
use the WebGL standard for rendering 3D graphics in browsers. In all, 36 new
features work independent of a specific browser."

~~~
tim333
The browsers should have an incognito mode that lies about that stuff - that
just says it's a generic new macbook or something like that. 99% of sites
would still work even with the wrong info on your OS, screen size etc.

