
Browser Fingerprinting - dedalus
https://sites.google.com/a/chromium.org/dev/Home/chromium-security/client-identification-mechanisms
======
the8472
Mozilla and Tor devs are currently working on upstreaming some Tor Browser
patches[0] that reduce fingerprinting surface. E.g. cookie isolation based the
domain shown in the URL bar[1] and making canvas readback opt-in[2]

[0]
[https://wiki.mozilla.org/Security/Tor_Uplift/Tracking](https://wiki.mozilla.org/Security/Tor_Uplift/Tracking)
[1]
[https://bugzilla.mozilla.org/show_bug.cgi?id=1299996](https://bugzilla.mozilla.org/show_bug.cgi?id=1299996)
[2]
[https://bugzilla.mozilla.org/show_bug.cgi?id=967895](https://bugzilla.mozilla.org/show_bug.cgi?id=967895)

~~~
rnhmjoj
What about these?
[https://www.browserleaks.com/firefox](https://www.browserleaks.com/firefox)
[https://bugzilla.mozilla.org/show_bug.cgi?id=863246](https://bugzilla.mozilla.org/show_bug.cgi?id=863246)
[https://bugzilla.mozilla.org/show_bug.cgi?id=903959](https://bugzilla.mozilla.org/show_bug.cgi?id=903959)

~~~
the8472
Hence the "E.g."

------
0xmohit
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
Retr0spectrum
My font set was completely unique, which I partly expected. However, my canvas
fingerprint was also completely unique, which did surprise me.

~~~
fractal618
Any idea where we can find the most common subset of system fonts?

Isn't canvas fingerprint linked to your window size, if you maximize your
browser, does that help?

------
marco1
In Firefox, you can control a lot via the `about:config` directives. You can
put all that into a `user.js` for portability and reference, like this:

[https://github.com/delight-im/Secure-Firefox](https://github.com/delight-
im/Secure-Firefox)

But unfortunately, there are _so_ many things that can contribute to
identification of your browser, and many of them cannot reasonably be blocked.
The important section of the Chromium list is "(2) Machine-specific
characteristics". You need most of that, so you can't block or hide it.

Privacy is not easy. Not to mention the situation for non-technical users.

~~~
dao-
Hidden prefs are hidden for a reason and can be a foot-gun. The warning when
opening about:config is no exaggeration, and copying-and-pasting a bunch of
hidden prefs from an untrusted source is not a good idea.

For instance:

> user_pref("network.cookie.cookieBehavior", 1);

If I remember correctly, this may break some sites.

> user_pref("dom.battery.enabled", false);

Questionable value for privacy / fingerprinting. If you plug-in your computer
or pull the plug (a pretty common scenario), the site trying to identify you
will suddenly think you're a different users.

> user_pref("general.buildID.override", "20100101");

Pointless since 20100101 is already the default used in the user agent string.
Makes me think this list is severely outdated or the author doesn't know what
he's doing.

> user_pref("browser.newtabpage.enabled", false);

Little impact on privacy (is this about the "somebody opens a new tab in my
profile and sees what sites I frequently visit" scenario?), no impact on
fingerprinting. The readme says "Impacts on user experience should be
minimized, erring on the side of convenience." How does disabling the new tab
page satisfy that?

~~~
marco1
> The warning when opening about:config is no exaggeration

If you feel uncomfortable in that section, feel free to avoid touching it. But
if you know what you do, there are zero problems. Want to change your user
agent? Do it there. No problems. The warning is for your average non-technical
user, justifiably.

Well, perhaps you need to read up on those a little bit again.

> If I remember correctly, this may break some sites.

Sure, _everything_ may break _some_ sites. But this is about blocking third
party cookies, which blocks not a single site I know (Do you know a popular
one?) while being one of the most effective measures against tracking (which
_uses_ fingerprinting) out there.

> Questionable value for privacy / fingerprinting. If you plug-in your
> computer ...

Sure, agreed for privacy.

> Pointless since 20100101 is already the default used in the user agent
> string

Yes, since late 2015 only, and keeping a default hardly does any harm. By the
way, try outputting `navigator.buildID` in your JavaScript console -- oops,
not even this setting helped. The real ID is right there. So it's not as easy
as you might think.

> is this about the "stranger opens a new tab in my profile and sees what
> sites I frequently visit" scenario?

No. If I remember correctly, the "new tab" page is about the ads.

~~~
dao-
> If you feel uncomfortable in that section, feel free to avoid touching it.

I feel very comfortable touching hidden prefs in Firefox. That's not my point.
My point is that random users stumbling upon your github page may not know
what they're doing.

> Sure, everything may break some sites. But this is about blocking third
> party cookies, which blocks not a single site I know (Do you know a popular
> one?)

I quickly googled this for you, found this:

[https://bugzilla.mozilla.org/show_bug.cgi?id=849948](https://bugzilla.mozilla.org/show_bug.cgi?id=849948)

[https://news.ycombinator.com/item?id=5272069](https://news.ycombinator.com/item?id=5272069)

[https://getsatisfaction.com/getsatisfaction/topics/bad_user_...](https://getsatisfaction.com/getsatisfaction/topics/bad_user_experience_with_third_party_cookies_disabled)

[https://planapple.uservoice.com/knowledgebase/articles/50965...](https://planapple.uservoice.com/knowledgebase/articles/509652-blocking-
third-party-cookies-breaks-the-save-butto)

> No. If I remember correctly, the "new tab" page is about the ads.

The new tab page displays frequently visited sites. In new profiles without a
browsing history, it would also suggest sites, some of which would be
"sponsored" (i.e. ads). If I remember correctly, Firefox would pick the ads
locally without leaking information about you. So what's the privacy impact?
Also, it doesn't even do that anymore: [http://arstechnica.com/information-
technology/2015/12/firefo...](http://arstechnica.com/information-
technology/2015/12/firefox-retires-much-maligned-sponsored-tiles-hunts-for-
new-revenue-streams/)

~~~
marco1
> I quickly googled this for you, found this

Right, "1292 days ago". Now that we've just talked about information that is
out-of-date.

> Blocking 3rd party cookies breaks surprisingly _few_ things

Agreed. A comment from the post that you linked to.

Disqus being one of the few exceptions that _don 't_ work (because it's
embedded as a third-party on first-party sites), personally, I can live with
that. Everybody has to decide for themselves. If some setting doesn't work, it
can simply be undone.

~~~
marco1
Facebook login, Google login, etc. still work (at least with most
implementations), since they _redirect_ to the SSO site, which is what every
reasonable site should do, instead of using an iframe/embed.

Good luck finding something that considerably improves your privacy while
breaking 0.000% of modern sites.

~~~
dao-
I'm not blaming you for the fact that disabling third-party cookies may break
some sites. The problem is that you provided a long list of preferences
privacy-sensitive users allegedly should set, without explaining what these
prefs do let alone warning about the possible negative impact.

------
franze
Once talked with over a beer with a web performance head of company X, he said
that you can use the web performance profile - without looking at any other
browser identifiers - to pretty accurately do browser fingerprinting. When you
then look additionally at the interaction speed within an webapp you can even
profile different users.

------
nwrk
[http://valve.github.io/fingerprintjs2/](http://valve.github.io/fingerprintjs2/)

------
splatcollision
In one of the sections:

> for example, TCP/IP traffic will often reveal high-resolution system uptime
> data through TCP timestamps.

Is this something that's on by default? Dependent on OS? Not deeply familiar
with the details of the TCP stack, but have never hard of something like this
being exposed via TCP requests!

~~~
splatcollision
Did some research - it's off by default in recent macOS versions. Configurable
via the "sysctl net.inet.icmp.timestamp" flag.

[http://superuser.com/questions/680200/os-x-how-to-make-it-
re...](http://superuser.com/questions/680200/os-x-how-to-make-it-reply-to-
icmp-time-stamp-query)

------
fractal618
I just tried this out, and it seems that "system fonts" are the biggest
identifier of mine.

Any idea where I can find the most common subset of system fonts?

~~~
sspiff
I'd love a settings checkbox saying something like "Disable user-installed
fonts".

------
amelius
Is there a way to easily change (some) browser plugins every five minutes, so
fingerprinting becomes useless?

~~~
executesorder66
On Chrome you can use this[0] user-agent spoofer(one example) It will
randomize your user agent for each session, thus changing your fingerprint.

I'm sure there are various other extensions that do similar things that
randomize the parameters of whatever is used to fingerprint you.

[0] [https://chrome.google.com/webstore/detail/random-user-
agent/...](https://chrome.google.com/webstore/detail/random-user-
agent/einpaelgookohagofgnnkcfjbkkgepnp?utm_source=chrome-ntp-icon)

~~~
adrr
That will set off some fraud detection on sites as there will be mismatch
between user agent and the browser being used. You can easily profile the DOM
and Javascript features to figure out what browser a person is using.

------
mirimir
Using multiple VMs with diverse connectivity, one can sidestep all "Explicitly
assigned client-side identifiers" and "Machine-specific characteristics". For
evading WebGL, VM OS diversity is essential. It's harder to obscure "User-
dependent behaviors and preferences", especially mouse and keyboard stuff. But
it helps to switch keyboards, and between using mouse and touchpad.

------
mbym
"users who extensively tweak their settings from the defaults may be actually
making their browsers considerably easier to uniquely fingerprint"
...interesting comment in section, "User-dependent behaviors and preferences"

------
deusex_
I don't see evercookie mentioned:
[http://samy.pl/evercookie/](http://samy.pl/evercookie/) which implements
something similar

------
hackuser
Related:

Internet Tracking Has Moved Beyond Cookies

[https://fivethirtyeight.com/features/internet-tracking-
has-m...](https://fivethirtyeight.com/features/internet-tracking-has-moved-
beyond-cookies/)

