
Browserprint: Browser fingerprint tool now can guess client OS even when spoofed - jerheinze
https://browserprint.info/#fingerprint
======
mpeg
Guessing OS is pretty simple though, I recommend the book "Silence on the
wire" [0] for a thorough explanation of passive network fingerprinting.

TL;DR is that each TCP stack has unique characteristics that are hard to
spoof (you'd have to bypass the OS TCP stack and build your own that mimics
another) and definitely out of reach for tools that run in sandboxed
environments (like browser extensions)

edit: Also, the author of that book, Michal Zalewski, made the open source tool
p0f [1] that implements some of those techniques to identify spoofed user
agents.

    
    
      [0]: https://www.amazon.com/gp/product/1593270461
      [1]: http://lcamtuf.coredump.cx/p0f3/

~~~
j_s
Nice! [https://amzn.com/dp/B008FRNHVY/](https://amzn.com/dp/B008FRNHVY/) $18

~~~
pbhjpbhj
$24 for me, perhaps I have a richer looking browser ...

~~~
j_s
Thanks for the heads-up, I fixed the link to point to the Kindle edition!

Amazon has indeed gotten called out for these types of shenanigans in the past
but that was a long time ago!
[https://en.wikipedia.org/wiki/Amazon.com_controversies#Diffe...](https://en.wikipedia.org/wiki/Amazon.com_controversies#Differential_pricing)

I missed this related discussion last month: _The High-Speed Trading Behind an
Amazon Purchase_ |
[https://news.ycombinator.com/item?id=13963743](https://news.ycombinator.com/item?id=13963743)

------
arnon
I had a project I did for university a few years back, and we'd identify the
browser or application just by looking at the timing information between
packets (without looking at ports, source/destination, etc.).

We could identify malware with around 85% accuracy, which was pretty good
without any other marker.

~~~
ArchReaper
That sounds really interesting, do you have any publicly available
documentation or articles about it?

------
lossolo
Wrote my thesis about passive and active fingerprinting, it's very easy to do,
most operating systems' network stacks have different default values like
window size, TTL etc. p0f[1] was pretty good back then.

[http://lcamtuf.coredump.cx/p0f3/](http://lcamtuf.coredump.cx/p0f3/)
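
A sketch of the passive check mpeg and lossolo describe above, added here as an example that is not part of the thread and not p0f's code: it pulls the initial TTL, window size, MSS and TCP option order out of a raw IPv4 SYN and compares the coarse TTL family with the OS a User-Agent claims. The two-entry TTL table, the `UA_HINTS` substrings, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

# Assumption: coarse initial-TTL families only; p0f matches far richer signatures.
TTL_FAMILY = {64: "unix-like", 128: "windows"}
UA_HINTS = (("Windows", "windows"), ("Linux", "unix-like"), ("Mac OS X", "unix-like"))
OPT_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def build_syn(ttl, window, options):
    """Constructed sample IPv4+TCP SYN (zero checksums, documentation addresses)."""
    doff = (20 + len(options)) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + doff * 4, 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (doff << 12) | 0x02, window, 0, 0)
    return ip + tcp + options

def parse_syn(pkt):
    """Extract the header fields a passive fingerprinter looks at."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < ihl + 20 or ihl < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not a complete IPv4/TCP packet")
    tcp = pkt[ihl:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    doff = (off_flags >> 12) * 4
    if off_flags & 0x12 != 0x02 or doff < 20 or len(tcp) < doff:
        raise ValueError("not a well-formed SYN")
    opts, layout, mss, i = tcp[20:doff], [], None, 0
    while i < len(opts) and opts[i] != 0:       # kind 0 ends the option list
        kind = opts[i]                          # kind 1 (NOP) is a single byte
        length = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if (kind != 1 and length < 2) or i + length > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        layout.append(OPT_NAMES.get(kind, f"?{kind}"))
        i += length
    # Routers only decrement TTL, so round up to the nearest common initial value.
    initial = next(t for t in (32, 64, 128, 255) if pkt[8] <= t)
    return {"initial_ttl": initial, "hops": initial - pkt[8], "window": window,
            "mss": mss, "options": ",".join(layout)}

def ua_matches_stack(user_agent, pkt):
    """True/False if the User-Agent's OS fits the TCP stack, None if undecidable."""
    family = TTL_FAMILY.get(parse_syn(pkt)["initial_ttl"])
    claimed = next((fam for key, fam in UA_HINTS if key in user_agent), None)
    return None if None in (family, claimed) else family == claimed

# Constructed samples; option layouts modelled on common Linux and Windows defaults.
LINUX_SYN = build_syn(57, 29200, bytes.fromhex("020405b40402080a000000010000000001030307"))
WINDOWS_SYN = build_syn(116, 8192, bytes.fromhex("020405b40103030801010402"))
```

None of these fields is visible to or settable by page JavaScript or a browser extension, which is why a changed User-Agent header does not move the result.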

------
dbg31415
My fonts gave me away... Damn fonts, I need those for various design files I
open. Any way to limit my browser's access to my system fonts?

~~~
qwertwerker
Version 52 of Firefox lets you use a whitelist
[http://www.ghacks.net/2016/12/28/firefox-52-better-font-fing...](http://www.ghacks.net/2016/12/28/firefox-52-better-font-fingerprinting-protection/)

~~~
dbg31415
This works. (Don't forget to disable Flash.)

Canvas and Character Sizes are still making me fairly unique... Any ideas
there?

~~~
qwertwerker
Canvas is trickier! There's some add-ons out there that disable it in various
ways so they're your best bet I'd say (assuming canvas not working gives away
less information than it does normally, it's hard to tell). For character
sizes I'm not sure if there's many useful defences against it, I would have
thought it'll depend on a number of things, the Tor Browser might defend
against it well, you'd have to give it a look.

~~~
dbg31415
Yeah, I can't find much that gave any meaningful protection.

I tried various Firefox and Chrome extensions, tried Tor...

The problem is that at a certain point with security, everything just stops
working.

Wasn't able to get any sort of meaningful protection that still let me do much
of anything... including run the Browserprint tool.

~~~
qwertwerker
Sounds like the same problem I've run into in my college project :). It's
really tricky to get the balance right with privacy/usability; unless the
browsers put more work into it, one of the only good options is to either
constantly switch browsers or use different browsers for different types of
browsing.

------
Operyl
"An error has occurred" while trying to fingerprint my browser in iOS, (not
with the browser, but their toolset). Guess it failed to fingerprint me
technically hah.

~~~
M4v3R
Same here, Safari on iOS 10.3.1. I was curious about the result on the iOS
because there are not many things you can customize on Apple devices.

------
j_s
Is lower-level fingerprinting enough to detect the difference between ARM /
x86 linux?

How far would I have to go to set up a truly legit honeypot on a Raspberry Pi?
Is anyone already doing this? The following article doesn't get into userland
IP stack:

[https://www.redpill-linpro.com/sysadvent/2016/12/19/raspberr...](https://www.redpill-linpro.com/sysadvent/2016/12/19/raspberry-pi-honeynet.html)

------
nightbrawler
Previous Discussion:
[https://news.ycombinator.com/item?id=12198358](https://news.ycombinator.com/item?id=12198358)

------
dijit
It guessed I had a variant of Linux, yet I'm running FreeBSD with no spoofing
of any kind.

(which is corroborated in both the user agent and the JavaScript uname
sections)

~~~
FoeNyx
It guessed I had a variant of Windows, yet I'm running a Linux with no
spoofing of any kind.

By transitivity FreeBSD is a subvariant of Windows ... or maybe not.

------
michaelsbradley
TorBrowser 7.0a3: indicates it's running on Windows, but my OS was
fingerprinted as Linux. I'm actually running it on macOS.

~~~
andrewclunn
Under a VM, or a BSD jail?

~~~
michaelsbradley
No.

------
Kipters
It failed to recognize my browser as Edge, it thinks it's Firefox

[http://browserprint.info/view?source1=UUID&UUID1UUID=fa204a9...](http://browserprint.info/view?source1=UUID&UUID1UUID=fa204a95-8046-441e-9e97-33a0eb6ddb80)

~~~
lucb1e
Wishful thinking?

------
kakarot
I was a little concerned when it said I had a unique fingerprint out of the
25k tested so far, but then I remembered I'm spoofing a new user-agent every
few minutes. It still managed to guess my true operating system of course :)

~~~
tmalsburg2
Perhaps I misunderstand you but I think you're placing too much trust in
changing the user agent. The method they are using doesn't depend on the user
agent string and ignoring the user agent could even improve its performance.
Further, I think it should be relatively easy to detect spoofing of user agent
strings. For instance, if your user agent says you're using a Linux browser but
your fonts include nothing but the standard fonts on OSX, it's pretty clear
then that you're spoofing your user agent.
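
The consistency check tmalsburg2 describes, as an added example that is not part of the thread and not Browserprint's code: it scores a reported font list against per-OS marker fonts and flags a User-Agent that names a different OS. The font sets, thresholds, function names and sample reports are assumptions constructed for illustration.

```python
import re

# Assumption: small illustrative sets of fonts commonly present by default per OS family.
OS_FONTS = {
    "macos":   {"Helvetica Neue", "Lucida Grande", "Menlo", "Monaco", "Geneva"},
    "windows": {"Segoe UI", "Calibri", "Consolas", "Tahoma", "Cambria"},
    "linux":   {"DejaVu Sans", "Liberation Sans", "Ubuntu", "Noto Sans", "Cantarell"},
}
UA_OS = (("windows", r"Windows NT"), ("macos", r"Macintosh|Mac OS X"), ("linux", r"Linux|X11"))

def os_from_fonts(fonts, min_score=0.6, min_margin=0.3):
    """Return (best OS or None, per-OS scores); None when evidence is weak or ambiguous."""
    present = set(fonts)
    scores = {name: len(marks & present) / len(marks) for name, marks in OS_FONTS.items()}
    best, runner_up = sorted(scores, key=scores.get, reverse=True)[:2]
    # Users install extra fonts (design work, office suites), so require a clear lead.
    if scores[best] < min_score or scores[best] - scores[runner_up] < min_margin:
        return None, scores
    return best, scores

def check_user_agent(user_agent, fonts):
    """Compare the OS named in the User-Agent with the OS the font list points to."""
    claimed = next((name for name, pat in UA_OS if re.search(pat, user_agent)), None)
    inferred, scores = os_from_fonts(fonts)
    if claimed is None or inferred is None:
        verdict = "inconclusive"
    else:
        verdict = "consistent" if claimed == inferred else "ua_mismatch"
    return {"claimed": claimed, "inferred": inferred, "verdict": verdict, "scores": scores}

# Constructed sample reports (font lists as a fingerprinting script might collect them).
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
SPOOFED = check_user_agent(
    LINUX_UA, ["Helvetica Neue", "Lucida Grande", "Menlo", "Monaco", "Geneva", "Arial"])
HONEST = check_user_agent(
    LINUX_UA, ["DejaVu Sans", "Liberation Sans", "Ubuntu", "Noto Sans", "Tahoma", "Calibri"])
MIXED = check_user_agent(
    LINUX_UA, ["DejaVu Sans", "Ubuntu", "Segoe UI", "Calibri", "Menlo"])
```

The margin requirement keeps a Linux machine with a few extra Windows fonts installed from being flagged, and a font list that fits no family clearly is reported as inconclusive rather than as a mismatch.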

~~~
kakarot
I'm okay with the spoofing being detectable. The important thing is
obfuscating myself to ad agencies. It's OK if I have a unique fingerprint, if
that unique fingerprint is morphing every few minutes.

What is interesting is that my unspoofed user agent is 3x more rare than the
spoofed one, even though the spoofed one usually throws browser versions that
are out of date.

Unfortunately, my browser is still unique to the set of 25k whether spoofed or
not. Enabling javascript helps a little, but then I can be audio fingerprinted
which defeats the purpose.

I definitely have an exotic configuration. KVM / Firefox / No 3rd Party
Cookies / Blacklisted social media sites / Addons (including NoScript) that
take various steps to lock down information leaks and prevent loading of
blocked resources. I don't allow web fonts which is probably fairly exotic as
well.

If more would use script blockers and ad blockers maybe I wouldn't be unique,
but it seems to be a trade-off between privacy and security. And I just kind
of assume that privacy is off the table for now, so at least I can work
towards having security.

If I have to choose between the two, I'm more concerned with malware and being
tracked through 3rd party resources like Google Fonts, Google APIs (I cache
them and prevent subsequent resource loading) than I am being fingerprinted.

~~~
greglindahl
The point of this project is to not use the user-agent for fingerprinting.

~~~
kakarot
Are you saying it isn't worth spoofing your user agent?

~~~
greglindahl
I'm saying that user agents are a completely separate issue from what
Browserprint is measuring and using for fingerprinting. Browserprint's
fingerprint of your browser doesn't change when you change your user agent.

tmalsburg2 appears to have tried to make the same point.

~~~
kakarot
I think we're all misunderstanding each other. I'm aware Browserprint isn't
using user agents as their main source of information. It very clearly
outlines the information they are using in the results.

I was just remarking about the uniqueness of my spoofed user agent vs a non-
spoofed agent. After my initial post I went back and found I was still unique
even without a spoofed agent. That's really all there was to my comment, I'm
not insinuating that I was surprised to find I was uniquely fingerprinted by
other means like font and plugin enumeration.

------
OJFord
My randomised user-agent happened to tell it the truth, but browserprint
'detected' that I was instead using a different OS and browser.

I'm also using a fingerprint-blocking plugin, which seems to be doing its job!

~~~
jwilk
Randomized U-A makes you stand out.

You want single U-A that many other people use.

~~~
OJFord
I'll double check my settings, but I believe it's randomised among a set of
common choices.

There may well be no additional value to that, though.

------
ArtDev
Both Hulu and Netflix block Ubuntu, so this sucks for people like me who use
Linux as their primary media OS.

Hopefully this doesn't catch on or we have to find another way to spoof these
sites.

------
nayuki
Seems similar to Panopticlick which was released years ago:
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
nosuchthing
One of the first things listed on the page:

    
    
      Browserprint is a free open source project designed to 
      provide the same and better functionality as the original 
      Panopticlick.

------
joshdance
What are the legitimate uses for fingerprinting?

~~~
ioulian
We've made an online action website where people can vote on things and the
people with most votes win prizes.

We thought it was a good idea to validate the user by email (by sending an
email with a unique link, that when clicked, the vote was authenticated.) We
thought it was good enough as a "security measure", but we thought wrong!

Some people made disposable email accounts and sent the emails there, so
there were some people with thousands of votes, while most only had a few
dozen.

When looking in the database, we were glad that we stored some basic info like
IP, Agent Strings and timestamps. These people were smart enough to
(sometimes) change IPs, but then when looking at the timestamps and agent
strings, we saw that these people were cheaters with disposable email
addresses.

We removed all these votes and the "winners" didn't win anything at the end,
because they had far fewer votes than "normal" players. They started sending
angry emails to the customer, and did not leave them alone.

We are currently making another action for that customer, but this time we
have added browser fingerprinting, that checks a lot of variables (like fonts,
canvas rendering, webgl, screen sizes, number of monitors, device pixel
ratios, ...). This way we're going to identify cheaters much more easily, ... BUT
you can still spoof it, so it's never a foolproof method of identifying users,
it just makes our lives a little bit easier when there's some cheating going
on ;)

// EDIT: some typos

~~~
i336_
I'm very curious to learn what website this is, perhaps via email. This type
of thing sounds like a fun way to spend a few minutes. :)

------
floatboth
Heh, my WebGL renderer "ANGLE (AMD Radeon (TM) RX 480 Direct3D11 vs_5_0
ps_5_0)" is unique. And character sizes o_0

------
lightedman
Still hasn't guessed my MenuetOS box.

------
nayuki
I keep failing the CAPTCHA. Why is this part designed so badly?

~~~
st0le
That is exactly what a bot would say.

------
pweissbrod
Apparently with Firefox there is a request to enable Flash (which I purposely
don't install)

I'm led to assume Adobe Flash is the piece which actually divulges all the
secrets about my machine. Not surprising.

~~~
qwertwerker
Flash makes it easier to get some of the information like your system fonts,
but JavaScript can get the same information, it's just more difficult. It has to
cycle through a list of fonts and test for them individually rather than Flash
which just gives the full list of fonts you have installed.

------
bradknowles
Hmm. Doesn't seem to work on iOS. ;)

------
reneberlin
Damn, it doesn't work on Lynx. Should I update my browser?

