
Browserprint: are you uniquely identifiable? - zevv
https://browserprint.info/
======
tux1968
The Firefox "Random Agent Spoofer"* helps with this site at least. The biggest
leak that needs to be plugged is the browser plugin details. Any obscure
plugins at all are worth a lot towards unique identification. Why any script
should be able to enumerate all plugins is beyond me.

* [https://addons.mozilla.org/en-us/firefox/addon/random-agent-...](https://addons.mozilla.org/en-us/firefox/addon/random-agent-spoofer/)

~~~
rbcgerard
Using panopticlick, system fonts seem to be worth a lot as well, which is
strange to me as i feel like very few people ever touch their system fonts? or
do they change with different OS updates/patches?

~~~
detaro
Often applications come with their own fonts as well.

~~~
rbcgerard
ahh, ok, thanks

------
sam_goody
Why do the browsers let the website know which plugins I have?

There are some things like Flash that should identify themselves, but those
are few and far between, and the check should be feature specific and handled
by the plugin.

Allowing every site to build a profile based on plugins [that is: a)
fingerprint, and b) profile based on the plugins I use] is just an egregious
violation of privacy.

At the very least, if there is some reason to expose browsers, let it be
configurable.

Also, font testing should be made expensive [eg, one check per second]. Check
if we have font "scrabble", OK, but not get list of all fonts.

~~~
dogma1138
Because browsers need to be able to declare what content can be displayed to
the user. If we only had Flash it would be simple, but considering the amount
of content delivery systems that each browser implements and the fact that
they are not consistent there isn't much way around it. It's not true to claim
that the browsers let anyone know which plugins you are running, this is
limited to a specific subset of plugins that handle content.

There is no way to prevent "fingerprinting", infact what you suggest seems to
indicate that you are thinking about it the wrong way. You can disable these
plugins but that creates a fingerprint on it's own, if you only accept HTML
(no HTML5 because it's also "evil") and no javascript well then you are a more
unique fingerprint than your vanilla Chrome with Flash, PDF, and a few WebM
and DRM plugins. The only effective way of disabling fingerprinting is make
all browsers identical, and more importantly all hardware and software
configurations that those browsers operate in also identical.

You also need to understand the value of each fingerprint if you look at
[https://panopticlick.eff.org/](https://panopticlick.eff.org/) for example
then most of the fingerprints produced are useless, half of them are shared
between 30-80% of all browsers. The most unique one was the HTTP_ACCEPT
Headers in my case which is unique for one out of ~1400 browsers so that is
something I can now use to see if this is something that can be fixed. The
plugin fingerprint in my case is 1 out of 48 browsers, that is not unique in
any case and from what I've tested every latest Chrome install on Windows 10
without any additional content plugins (e.g. Java) has the same fingerprint.

~~~
throwawayReply
You're missing that these things don't have to be taken in isolation.

If you've got 4 metrics each of which slice about "1 in 50" then taking the
combination you've got a metric that is unique between 1 in 50 and 1 in 6.25
million (depending on correlation).

The "fingerprint" is all that information put together, not each taken in
isolation.

~~~
dogma1138
That only works when you actually have variance in the fingerprints greater
than OS/platform based.

If I spin up 10 new Windows 10 machines install Chrome on them I would get the
same fingerprints, oddly enough they would be identical to the fingerprints
I'm getting on my own machine since I don't have any plugins installed (I do
have multiple extensions).

The only real change in the fingerprint I've seen so far from my own internal
testing is the screen resolution, and WebGL fingerprint (Intel/NVIDIA seem to
produce a pretty identical one, AMD differs a bit).

However the main point i was trying to get across is that while trying to
minimize your fingerprint or exposure you create your own unique fingerprint
in the process.

For example using adblockers these addons can easily leak not only which
adblocker you are using but which lists / filters you have enabled, if you are
a non-English native and you are using a localized list that exposes a lot of
information.

Addons / extensions that block things like HTML5 Canvas also leave a
fingerprint - you run a modern browser by all accounts but don't support
Canvas? whelp you are upto something!

Same goes with WebGL and many other plugins/vectors.

The problem here is that content delivery relies on the browser being
interrogatable for certain information, if that information is not correct
then the content will not be displayed properly (which on it's own can be
detected), we want to move on from Flash, we want to move one from addons and
plugins into more native stuff but this came at a cost of platforms being more
unique and diverse which allows you to generate a more unique fingerprint.
Creating a browser that generates random fingerprints also won't really help,
unless everyone uses it you would again stand out of the crowd even more.

That said however without specific targeted exploitation I have not yet seen a
tool nor I managed to make one that creates a good fingerprint that can be
easily used to identify a browser rather than just classify it and the
platform it's running on.

------
userbinator
The server appears to be timing out but the title and concept reminds me of
this: [https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
arviewer
Is my browser uniquely identifiable? Yes! This is no surprise, not anymore at
least.

I pass the first three tests here, but fingerprinting does the trick. About
one in 50k browsers has the same fonts as me. About one in 30k browsers have
the same addons and plugins. I bet those two don't overlap. Then there are
several other variables like language that narrow it down if that is still
needed.

They could try to explain how to make a browser not uniquely identifiable
however. What browser configuration is not unique? What do I have to do to get
that?

~~~
mirimir
I believe that Tor browser is least uniquely identifiable. That's a major Tor
Project goal. Ideally, all Tor users would be using the same browser, with no
modifications. There is a privacy/security slider, but there are only four
settings.

------
fovc
So the "Do not track" header is another data point in the fingerprint worth
~1bit on its own. Has it actually had any benefits or should we just get rid
of it?

~~~
oolongCat
DNT can't protect you against bad actors really. These are the
people/companies that are honoring the DNT clause.

[http://donottrack.us/implementations](http://donottrack.us/implementations)

~~~
Sylos
I like how the site loads something from ajax.googleapis.com, with Google
being known for not respecting DNT.

------
ibogunov
if you are so worried, tha you are identifiable - just use your iphone, same
hardware, same browser - same fingerprint(beside ip which can be dynamic &
useless) - so literally all iphone users are the same user. (i was trying to
make some start-up which required fingerprinting, but we pivoted =))

~~~
alex_duf
what's your startup doing now?

------
microcolonel
I bet it's really cool, however it seems the request never finishes. It could
be that it only works if you have javascript and/or cookies enabled.

~~~
elcapitan
Seems to be a problem with overload.

But speaking of javascript, how many of the fingerprinting checks will not be
possible if js is turned off? I could imagine that definitely all screen-
related stuff is immediately killed.

~~~
lewisl9029
Apparently my CSS font list alone can _uniquely_ identify my browser out of
those tested so far, which is rather concerning...

Is there some Firefox extension I can use to spoof my font list to some subset
of my existing font list to conform with some widely used system default? I do
have some custom fonts installed, but I'd prefer random websites I visit to
not know about them if possible.

Also, the way plugins are handled in Firefox has always bothered me quite a
bit. I can disable them, but not remove them. What gives?

~~~
Guillaume86
My HTTP_ACCEPT Headers uniquely identify me, but I think anyone with an OS set
to french using the last chrome version would have the same header, so it's
really not a big sample (13 709 currently).

------
arviewer
Just wondering - would it be possible to send a header back to webservers
forbidding them to fingerprint my browser? Would that have any chance legally?

~~~
enthdegree
If I understand it correctly, the way this fingerprinting works is just by
using questions you need to show the website properly.

 _' What is your screen resolution? What HTML5 features do you support? Do you
have this font/plugin?'_

Bar giving up all those facilities, the best you can do is ask and hope they
comply....

~~~
mpeg
There's browser extensions that will fake all of those to a standard value.
The tricky part is that with fingerprinting, depending on your chosen faked
value you could end up being more identifiable, if not enough people use it.

For instance, you can change your user agent and headers to some generic
Windows Chrome one but a savvy tracker will fingerprint your TCP connection
and realise you are actually on a Mac, and that can be used as a further
source of entropy to better identify you.

I've spent more time than is healthy looking into ways to uniquely identify
devices on the internet. While the company I was working for was always on the
safe side in terms of privacy, the more blackhat methods can be useful in
collaborating with law enforcement to deanonimise Tor users (think pedophiles,
not drugs)

Tor Browser devs have in turn been really good at hardening fingerprinting
attack vectors related to it (and rightly so, browsers don't rape people —
people rape people) but unless you're super paranoid it's not a great
experience for the average user.

I think a better solution will come (at least in the EU) from the proposal to
extend cookie law to any kind of fingerprinting (regardless of storage), which
takes use case in account and can be enforced through big fines.

~~~
pavel_lishin
> _There 's browser extensions that will fake all of those to a standard
> value. The tricky part is that with fingerprinting, depending on your chosen
> faked value you could end up being more identifiable, if not enough people
> use it._

Couldn't this be worked around by reporting random values every time?

~~~
mpeg
Kinda, but then the random values just become a flag for "has x browser
extension installed" and the trackers will still use the things you can't
change, like the OS networking stack, GPU, audio, etc. to track you.

It's very hard to get away completely... even with Tor, if you are the only
person who uses Tor to visit a certain site you are as trackable as anyone
else for that site.

------
rasz_pl
>Secure connection: fatal error (40)

yep, pretty unique

