

Panopticlick – How Unique, and Trackable, Is Your Browser? - donnut
https://panopticlick.eff.org

======
mintplant
Previous discussions:

[http://news.ycombinator.com/item?id=6980085](http://news.ycombinator.com/item?id=6980085)

[http://news.ycombinator.com/item?id=1082464](http://news.ycombinator.com/item?id=1082464)

[http://news.ycombinator.com/item?id=1081309](http://news.ycombinator.com/item?id=1081309)

[http://news.ycombinator.com/item?id=6188543](http://news.ycombinator.com/item?id=6188543)

[http://news.ycombinator.com/item?id=1087975](http://news.ycombinator.com/item?id=1087975)

------
cpeterso
Firefox 28 restricts the enumeration of navigator.plugins[] to reduce the
impact of plugin fingerprinting. A website can directly query
navigator.plugins["Some Plugin Name"] to check for a plugin, but no website
should need to enumerate all installed plugins just to look for one particular
plugin. Unfortunately, many major websites do, so enumerating Firefox's
navigator.plugins[] will reveal QuickTime, Adobe Flash Player, Adobe Shockwave
Player, and Java to avoid breaking those websites.

[https://bugzilla.mozilla.org/show_bug.cgi?id=757726](https://bugzilla.mozilla.org/show_bug.cgi?id=757726)

------
engtech
Forgive me if I'm wrong, but it looks like if you could install a system font
on a computer then you could create a unique fingerprint for that computer
that is detectable by any website?

I am uniquely identifiable out of the 3.7 million samples because of my system
fonts.

~~~
bluesign
Also the funny thing is you cannot be tracked by this, because whenever you
install a new font, update a plugin, install a plugin, etc., you change your
unique data.

~~~
skwirl
I'm not sure how your conclusion follows from your premise. You are still
trackable until you install a new font, update a plugin, install a plugin,
etc. This may not happen for some time.

Even when you do make a change, you could still easily be tracked in many
cases. If I see a new signature that I have never seen before that differs
from an existing signature only by the version of a plugin, I can probably
safely assume it's the same person, especially if I see that the plugin was
updated between the last time I saw the existing signature and now.

I have a feeling that web developers are extra vulnerable to this type of
tracking because we tend to install several useful developer extensions, and
many of us have our own unique combination of extensions.

~~~
jamesaguilar
> Even when you do make a change . . .

On top of that, if you use a resource that had only previously been used by
your previous fingerprint, your identity can probably be smeared that way too.
This is only measuring client-side entropy, but there is also server-side
entropy that can be used to make inferences about clients.

------
ds9
I'd like to have more control over the JavaScript runtime in the browser.
Defeating this identification trick is only one of the reasons.

Suppose you had a list of options and could selectively disable, for example,
monitoring of mouse movements on one site, or ajax on another. And for this in
particular, something that would feed the site random values from a particular
range for fonts installed, plugins installed, screen size and other such
information.

Using that data in development would still work because 99% would keep the
default "true" values, and the few geeks who would change them would get what
they should/would expect on sites that rely on those values. But everyone
should have the power to control what info they're giving out, and what
JavaScript is allowed to do on their own device.

~~~
WiseWeasel
They didn't use any JavaScript to get this information. Most of it is sent by
your browser in the request headers, and the font detection used Flash and
Java. They could have used JavaScript to detect fonts as a fall-back when Java
and Flash are disabled, but it's relatively complicated to do so (requiring
you to know the rendered width of a string for each font you're trying to
detect), and it was not included in this example.

Sending incorrect information for Java or Flash fonts is an interesting idea,
and likely would not affect user experience, as non-standard fonts are often
served with the animations. Sending the wrong screen size might get you a
mobile site served when you were wanting non-mobile or vice-versa. IP address
and ISP are valuable bits of identifying information as well, and those are
more difficult to address without using a proxy. But I would bet that
randomizing your screen size for each request would break most fingerprinting
code, since that would be assumed to be static.

~~~
JoeAcchino
"They didn't use any JavaScript to get this information."

The list of installed plugins is retrieved via JS: window.navigator.plugins.

Not sure about fonts, though.

~~~
WiseWeasel
Ah, good catch. I guess the JS navigator.plugins list is quite a bit more
thorough than the plugin information sent in your request headers (which I
believe is limited to Java: yes/no).

------
adrianmsmith
The concept of a browser fingerprint being "unique" implies "worrying" in the
sense that a user could then be tracked by their browser fingerprint.

But simply installing a font, changing screen resolutions, upgrading Java or
Flash ("Browser Plugin details") or entering/leaving daylight savings time
will result in the fingerprint changing.

So the browser fingerprint, as presented, isn't really a great way for
websites to track users.

(And removing the aspects of the fingerprint subject to change, such as
resolution and Browser Plugins etc., would then result in the fingerprint
being less unique.)

~~~
gurkendoktor
How often do people on TFT displays change their screen resolution? I don't
have either Java or Flash installed and I'm still unique.

~~~
kojoru
The fact that Java and Flash are not installed makes you quite unique by
itself.

~~~
gurkendoktor
Well, that's the default state in which Macs are shipped :) So I'm surprised
that I'm unique to begin with.

------
weslly
If anyone is wondering how to disable the font list:
[http://superuser.com/questions/292666/how-to-disable-permiss...](http://superuser.com/questions/292666/how-to-disable-permission-to-read-system-fonts-and-browser-plugin-details-in)

~~~
hoers
thanks!

------
malandrew
What are the browser makers doing to reduce the number of identifiable bits of
data leaked?

Most of the bits of identifiable information listed there have a reason to leak
since 99.999% of front-end developers have no reason to need that information
to create an acceptable cross-browser experience for all users.

------
amenod
And whenever you wish to test if your browser can be "hard-tracked" (not just
by probability), you can use this tool:
[http://www.canyoutrackme.com/](http://www.canyoutrackme.com/)

------
evoloution
Mine is unique too, I checked Firefox, Chrome and IE. I guess it is trivial
for large companies to generate unique ID numbers for these unique
fingerprints and cross-check against cookie/login databases to extract
e-identity. Is there an easy way to stop browsers from broadcasting this
information? Using the Internet anonymously is really hard these days...

EDIT: Maybe it is even better for browsers to broadcast the most common
settings if EFF discloses this information.

------
JoeAcchino
I don't know how useful this is for tracking unique visitors; next month I
will probably have a different fingerprint.

All it takes is a new release of Firefox (different version in the User-Agent
string), a new font or any plugin update.

So with that fingerprint you can possibly identify me now, but you cannot
track me over time.

~~~
WiseWeasel
You can account for those factors by parsing only certain bits of the User
Agent string, and allowing for the addition of fonts to the list (most
typically don't uninstall fonts). With the plugins, you can ignore the version
number and just go by the names. There are bits like browser name, OS name,
screen resolution and the presence of all previously detected fonts and plugin
names that you can be pretty sure won't change for most users. As long as you
can uniquely match by certain factors, it'll be enough to link you to your
previous session.

For a purpose like ad tracking, the period of time you need to track people is
likely pretty short, as in from when they click on a banner or text link until
they complete a purchase, so you can compare lots of data points to identify
them. If you need to track for longer periods, like to retarget an ad to
people who have completed purchases for x, then you would need to compare
fewer, more stable points and hope you find a unique match.

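The linking heuristic skwirl and WiseWeasel describe above (ignore versions, allow the font list to grow, compare only the stable bits), as an added illustration that is not code from the EFF page or from any commenter; the four sample sessions are constructed and the UA parsing is deliberately crude:

```javascript
// Added example: links sessions whose raw fingerprints differ, using only the
// "stable bits" the thread discusses (browser family, OS, screen, plugin names
// without versions, and a font list that is allowed to grow). Sample data is
// constructed, not taken from Panopticlick.

// Crude UA parse: first browser family and OS token found (enough for the samples).
function stableView(fp) {
  const browser = (fp.userAgent.match(/Firefox|Chrome|Safari|MSIE/) || ["unknown"])[0];
  const os = (fp.userAgent.match(/Windows NT [\d.]+|Mac OS X|Linux|Android/) || ["unknown"])[0];
  // "Shockwave Flash 12.0.0.70" -> "Shockwave Flash": drop the trailing version number
  const plugins = new Set(fp.plugins.map(p => p.replace(/\s+v?\d[\d.]*$/, "")));
  return { browser, os, screen: fp.screen, plugins, fonts: new Set(fp.fonts) };
}

const isSuperset = (a, b) => [...b].every(x => a.has(x));
const setsEqual = (a, b) => a.size === b.size && isSuperset(a, b);

// Same device? Versions are ignored; fonts may only have been added since the older session.
function likelySameDevice(older, newer) {
  const o = stableView(older), n = stableView(newer);
  return o.browser === n.browser && o.os === n.os && o.screen === n.screen &&
    setsEqual(o.plugins, n.plugins) && isSuperset(n.fonts, o.fonts);
}

// Assign each session (in time order) to a device cluster; a cluster is
// represented by the most recent session linked to it, so font growth chains.
function linkSessions(sessions) {
  const latest = [], assignment = {};
  for (const fp of sessions) {
    let idx = latest.findIndex(prev => likelySameDevice(prev, fp));
    if (idx === -1) { latest.push(fp); idx = latest.length - 1; } else { latest[idx] = fp; }
    assignment[fp.id] = idx;
  }
  return assignment;
}

// Constructed sessions: s1 and s2 differ by Firefox/Flash versions and one new font;
// s3 is another machine; s4 matches s2 except Java was uninstalled.
const SESSIONS = [
  { id: "s1", userAgent: "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0", screen: "1920x1080x24",
    plugins: ["Shockwave Flash 12.0.0.70", "Java Deployment Toolkit 7.0.450.18"],
    fonts: ["Arial", "Calibri", "Wingdings"] },
  { id: "s2", userAgent: "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0", screen: "1920x1080x24",
    plugins: ["Shockwave Flash 12.0.0.77", "Java Deployment Toolkit 7.0.450.18"],
    fonts: ["Arial", "Calibri", "Wingdings", "Fira Sans"] },
  { id: "s3", userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.75",
    screen: "1440x900x24", plugins: [], fonts: ["Helvetica", "Menlo"] },
  { id: "s4", userAgent: "Mozilla/5.0 (Windows NT 6.1) Firefox/28.0", screen: "1920x1080x24",
    plugins: ["Shockwave Flash 12.0.0.77"], fonts: ["Arial", "Calibri", "Wingdings", "Fira Sans"] },
];

console.log(linkSessions(SESSIONS)); // { s1: 0, s2: 0, s3: 1, s4: 2 }
```

s4 shows the limit of the heuristic: removing a plugin breaks the link, which is also why a tracker would fall back to fewer, more stable points for long-term matching.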
------
SkyAtWork
I'm somewhat surprised to see that Chrome on my Nexus 10 shows up as unique,
based primarily on user agent and screen size/color depth. Both seem to be
surprisingly less common than I'd expect inasmuch as they would seem to be
identical across all such devices.

------
greenwalls
Does anyone know any good Firefox/Chrome plugins that help make your browser
less unique?

~~~
gorhill
Well I am using my own extension, with which you can block selectively
cookies/javascript (among other stuff) and...

With cookies/js/plugins enabled I get: 1 in 3,719,197.

With cookies/js/plugins disabled I get: 1 in less than 160,100

Extension:
[https://github.com/gorhill/httpswitchboard](https://github.com/gorhill/httpswitchboard)

EDIT: redid the tests with clearing cache before.

------
ams6110
Browser plugin that randomizes the user agent and other details with each
request?

~~~
ugexe
Great for destroying user experience that uses these for valid reasons.

Use throw-away virtual machines if you must, otherwise there is no easy
workaround.

------
chimeracoder
Interestingly, I just tried this using Vidalia (the Tor browser).

> Your browser fingerprint appears to be unique among the 3,726,837 tested so
> far.

I may be using an outdated version of Tor. Did they reset their data at some
point? I can't believe I'm the first person to have tried the test using the
Tor browser in my time zone.

~~~
meowface
Is your NoScript activated on the eff domain? If it isn't, that statistic is
highly possible.

~~~
chimeracoder
It's the Tor browser, so I haven't installed any extensions on it (the whole
point of the Tor browser, as I understand it, is to present the same
fingerprint to all browsers).

~~~
meowface
That is not the point of the Tor browser, though it is at times a goal.

That goal is absolutely impossible if you don't use NoScript, though. Tor
browser includes NoScript by default, as well as many other extensions, but
NoScript is initially set in "globally allow" mode which means it won't block
any JS or Flash.

------
aaren
Why does it need to run a Java applet to do this?

~~~
maxerickson
It uses Flash and Java to try to access the system font list.

~~~
aaren
Ah ok, it is just getting all of the info that a website could potentially get
from your browser.

------
nikentic
Why does it need Java?

~~~
chippy
It does not. But if your system allows it to run, it will get more
information.

------
jamesaguilar
iPad == anonymous.

------
notastartup
Will they share the 4 million browser stats?

