
Panopticlick - J3L2404
http://panopticlick.eff.org/
======
mey
Impressive idea for fingerprinting a user, especially along the font/plugin
vector.

Looking at just Java plugins, and the number of releases, you could also in
theory age a browser, on how long it's been operational on how far back in
versions of a plugin the browser maintains.

------
evandavid
Wow! I am quite surprised. I use a Macbook running Snow Leopard, fully
up-to-date software, with Safari. I don't (yet) have any after market fonts
installed. And yet "Your browser fingerprint appears to be unique among the
47,390 tested so far." That is creepy.

Who is using this type of profiling as an alternative to cookies and other
techniques? I would love to see some examples.

~~~
ascuttlefish
Apparently I have a unique browser fingerprint as well. With so many different
plugin and font combinations, I think that there are bound to be quite a few
uniques.

Kind of terrifying, really.

~~~
siegler
Mine is unique too. Only 7 other people at the time of my test had the same
plugin profile, and nobody had the same exact fonts (only thing I've knowingly
added are MS fonts and ProggyCleanTTSZ).

~~~
kelnos
Heh, I have an experimental NPAPI plugin that I wrote myself, so my plugin
profile isn't shared by anyone else.

Creepy that sites can query this info so easily, though I suppose I shouldn't
be surprised.

------
CapitalistCartr
Yeah, I guess HN readers are more likely than average to have unique setups.

"Your browser fingerprint appears to be unique among the 48,820 tested so
far."

"Currently, we estimate that your browser has a fingerprint that conveys at
least 15.58 bits of identifying information."

~~~
krakensden
What is .58 bits?

~~~
Pistos2
If you keep refreshing, you can watch the numbers change. (If not, try
disallowing cookies first; then Javascript second.) This leads me to think
that, since the numbers are shrinking slowly (12.5 bits... 12.1 bits... 11.8
bits...), it means that: of the full collection of data that your browser is
sending, only __ bits actually makes you unique. Meaning to say, some of the
data is common to others, so isn't useful for distinguishing you from them.

Some formulae and explanation over here:
[https://www.eff.org/deeplinks/2010/01/primer-information-the...](https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy)
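
Added example, not part of the thread and not EFF's code: how a fractional figure such as "15.58 bits" arises. A value shared by `matches` of `total` browsers carries log2(total / matches) bits, so being unique among 48,820 gives about 15.58. The visitor sample and attribute values below are constructed placeholders.

```python
import math
from collections import Counter

# Constructed sample of 8 visitors; attribute values are placeholders.
VISITORS = [
    {"user_agent": "UA-A", "fonts": "F1", "plugins": "P1"},
    {"user_agent": "UA-A", "fonts": "F1", "plugins": "P2"},
    {"user_agent": "UA-A", "fonts": "F2", "plugins": "P1"},
    {"user_agent": "UA-A", "fonts": "F3", "plugins": "P2"},
    {"user_agent": "UA-B", "fonts": "F2", "plugins": "P1"},
    {"user_agent": "UA-B", "fonts": "F3", "plugins": "P3"},
    {"user_agent": "UA-B", "fonts": "F2", "plugins": "P2"},
    {"user_agent": "UA-C", "fonts": "F3", "plugins": "P3"},
]


def surprisal_bits(matches, total):
    """Bits conveyed by a value shared by `matches` of `total` browsers."""
    if not 0 < matches <= total:
        raise ValueError("matches must be between 1 and total")
    return math.log2(total / matches)


def fingerprint_report(visitors, target):
    """Per-attribute and whole-fingerprint surprisal of `target`."""
    total = len(visitors)
    report = {}
    for attr, value in target.items():
        shared = sum(1 for v in visitors if v[attr] == value)
        report[attr] = surprisal_bits(shared, total)
    # The combined fingerprint is measured directly, not by adding the
    # per-attribute bits: correlated attributes overlap in what they reveal.
    combined = Counter(tuple(sorted(v.items())) for v in visitors)
    key = tuple(sorted(target.items()))
    report["combined"] = surprisal_bits(combined[key], total)
    return report


if __name__ == "__main__":
    for name, bits in fingerprint_report(VISITORS, VISITORS[0]).items():
        print(f"{name:10s} {bits:.2f} bits")
    # Figure quoted in the thread: unique among 48,820 browsers.
    print(f"unique among 48,820: {surprisal_bits(1, 48820):.2f} bits")
```

In the sample, the per-attribute bits sum to more than the 3 bits of the combined fingerprint, which is the most any browser can convey in a set of 8.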

------
moe
Those fingerprints are mostly based on information that your browser gives out
voluntarily for no good reason (the server doesn't need to know your fonts,
screen resolution, plugins or user-agent).

Thus an easy workaround would be to use a plugin that randomizes all this,
which turns your one unique identity into many unique identities.

~~~
ytinas
user-agent is most definitely needed. My server gives different content
depending on which kind of client accesses the page and I certainly don't want
to do that in javascript.

~~~
moe
Then your server is broken. That's what the "accept*" headers are for.

~~~
ytinas
Accept headers are going to tell me what CSS bugs are present?

~~~
moe
That's what conditionals inside the CSS are for.

Browser sniffing simply doesn't work and only brings you pain. Enough so that
jquery abandoned the practice a year ago;
<http://docs.jquery.com/Release:jQuery_1.3>

------
bioweek
Does my browser send all of that stuff on every HTTP request? It seems
wasteful.

~~~
paraschopra
No, most of the stuff you have to explicitly derive from the DOM (as far as I know)

------
kbob
I, too, am a unique snowflake. Unique among 52,301.

But here's a surprise. My UserAgent string is for the version of Firefox
distributed three weeks ago as a security patch to Ubuntu Linux 9.10. One in
45.01 browsers has that exact rev. of Firefox.

So over 2% of EFF visitors are running this exact version of Firefox and
Ubuntu Linux? That's much more popular than expected.

------
houseabsolute
Fascinating. It's hard to believe that my Safari setup has a lot of entropy in
the plugins, since I don't have anything special installed there, just
Click2Flash and Silverlight. My system fonts, though, are more unique. Not
many people have Macs with Consolas installed on them.

~~~
chaosmachine
_Not many people have Macs with Consolas installed on them._

I do. Best programming font ever.

------
dan_the_welder
Initial after some browsing:

Your browser fingerprint appears to be unique among the 71,124 tested so far.

Enabled Private Browsing:

Within our dataset of about ten thousand visitors, only one in 36,313 browsers
have the same fingerprint as yours.

A few minutes later public browsing:

Within our dataset of about ten thousand visitors, only one in 18,187 browsers
have the same fingerprint as yours.

How did they go from 70k to 10k? WTF EFF?

~~~
plaes
Hmm.. I only saw a bunch of MySQL errors after running the test. But it made me
unique :)

[Edit] Now that I tested again with two of the browsers I am using, both
browsers were labelled as unique :S

Browsers are Epiphany with Webkit-backend and Firefox, both on 64-bit Gentoo
Linux.

------
tdoggette
Has anyone _not_ been unique?

~~~
greyboy
Me. Of course, without JavaScript, it didn't pick much of anything up.

~~~
holygoat
These days, having JavaScript disabled is itself a good uniqueness
contributor.

~~~
pronoiac
I'm running NoScript - it said 1 in 6 browsers had no JavaScript. The visitors
must be self-selecting for that bias, right?

------
pbh
After some thought, this sort of seems like it's missing the point.

What I'm curious about is what the current state of cookie and user click
stream sharing among analytics/advertising companies is. What proportion of my
browsing history is known to any given company, and what proportion given
collusion? Are there any studies on this?

------
kaens
So, it looks like you can get fairly close to unique identification (at least
so far), by paying attention to system fonts. I actually find it a bit hard to
believe that I'm the only one out of 59,132 with this set of system fonts.

------
cookingrobot
Every time I re-visit the page it says I'm unique. That's not much of a
fingerprint.

~~~
gills
Indeed, mine as well.

~~~
dreyfiz
I was puzzled by that too, but when I deleted the cookie from
panopticlick.eff.org it no longer claimed I was unique among 60-some thousand,
but among half that number.

------
ivankirigin
thanks, eff, for letting a bunch of people know about an awesome new analytics
business idea.

Seriously, this is brilliant. Even with cookies off, it'll work. NoScript
should still block it though.

~~~
pronoiac
NoScript & FlashBlock together help quite a bit, but other items can still
leak a surprising amount of information.

------
nym
I'd love to see how many fingerprints they've collected.

------
sailormoon
This can't be right. According to that site, my HTTP_ACCEPT header of
"text/html, */* UTF-8,* gzip,deflate en-au,en-us;q=0.7,en;q=0.3" is unique. Uh
.. is it? Looks fairly standard to me?

System fonts are a very telling fingerprint, though. I tried the test on two
browsers; the first time it said I was one in ~60k, the second time was one in
~30k. So it is working.

~~~
brown9-2
Your language settings probably have something to do with the quoted
uniqueness of your HTTP_ACCEPT.

~~~
sailormoon
Yeah, but I haven't changed them? Maybe FF is doing something weird since it's
the US english firefox running on an Australian English user account but I
wouldn't have thought I'm the only person in the world doing that. I suppose
it's possible I'm the first to visit that page, though. 60k people isn't much
really.

