
Browser Fingerprinting: An Introduction and the Challenges Ahead - jakobdabo
https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead
======
jedimastert
Fun fact about the example fingerprint in the article:

On almost any other distro you're just going to see "Linux" for the platform.
The reason "Fedora" is in this particular one is that there are packages that
are installed by default on both Firefox and Chrome that add it to the
useragent string for no reason.

I know this because, for a few glorious days, there was a bug in the Chrome
plugin that meant that there was another "Fedora; " added for every redirect
in a redirect chain (i.e. "Fedora; " to "Fedora; Fedora; " etc.), which broke
a whole bunch of whitelists and fingerprinting bot detection scripts.

There's absolutely no reason for it, there's no benefit to having it there, but
every time someone files a bug about it the maintainers don't see what the
problem is and WontFix the bug. [1]

[1]:
[https://bugzilla.redhat.com/show_bug.cgi?id=1266569](https://bugzilla.redhat.com/show_bug.cgi?id=1266569)

~~~
paulryanrogers
User agent strings discourage feature detection and proliferate as browsers
converge and imitate one another. They should be dropped entirely.

Sadly maintaining exceptions for broken sites that demand them is too much for
one person.

------
superfrank
I did a little bit of research on browser fingerprinting years ago and even
tried to write my own library to do it and ever since, I've always questioned
how useful it actually is.

Using the list of measurement points on
[https://amiunique.org](https://amiunique.org) as a guide, most of the things
that are constant about my computer like platform, browser, or requested
language are not really unique to me and are shared by a large percentage of
the other users who have come to the site.

On the other hand, most of the data points that are unique to my machine
change semi-frequently. User agent and version change on browser updates,
timezone changes when I travel, screen size and resolution change when I plug
into my external monitor, new fonts will slowly be installed over time, and
even things like how the canvases are rendered can change slightly depending
on how much strain my GPU is under at the time I get fingerprinted.

Just plugging in to my external monitor was enough to get amiunique to treat
me as a different user. (if you want to try, be sure to clear your local
storage and cookies in between visits as the site saves a uuid there and will
serve you your previous results if it finds it).

I'm sure there's some magic formula that gives different weights to different
data points that can give a decent guess at who you are, but I doubt it can
say with 100% accuracy that you are who it thinks you are.

It seems to me all it would take to defeat fingerprinting is a browser
extension that modifies the browser APIs to randomly slightly alter the
requested data (add a random font to the list, add some nonsense to the user
agent, etc). Sure, the fingerprint would still be unique, but it would be
unique on every visit which would defeat the ability to track a user across
visits.

*I'm not an expert on this subject at all, so if I got something wrong, please correct me
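
Added example (not part of any comment in this thread): a sketch of the two matching strategies discussed above, an exact hash of all attributes versus a weighted similarity score. The attribute values, weights and the 0.8 threshold are constructed assumptions for illustration, not taken from amiunique.org or any real tracker.

```javascript
// Constructed sample fingerprints; every value here is made up for the example.
const home = { platform: "Linux x86_64", language: "en-US", timezone: "Europe/Berlin",
  screen: "1920x1080", fonts: ["Arial", "DejaVu Sans", "Noto Serif"], canvas: "c4f1" };
const docked = { ...home, screen: "2560x1440" };   // same machine, external monitor
const stranger = { platform: "Win32", language: "en-US", timezone: "America/New_York",
  screen: "1920x1080", fonts: ["Arial", "Calibri", "Segoe UI"], canvas: "9ab2" };

// Exact-match identifier: FNV-1a (32-bit) over a canonical serialization.
// Any single attribute change yields a different id.
function exactId(fp) {
  const s = JSON.stringify(Object.keys(fp).sort().map((k) => [k, fp[k]]));
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Hypothetical weights: stable, high-entropy attributes count for more.
const WEIGHTS = { platform: 1, language: 1, timezone: 2, screen: 1, fonts: 3, canvas: 3 };

// Set overlap for list-valued attributes such as the font list.
function jaccard(a, b) {
  const A = new Set(a), B = new Set(b);
  let shared = 0;
  for (const x of A) if (B.has(x)) shared++;
  return shared / (A.size + B.size - shared);
}

// Weighted similarity in [0, 1]: lists score by overlap, scalars by equality.
function similarity(a, b) {
  let score = 0, total = 0;
  for (const [key, w] of Object.entries(WEIGHTS)) {
    total += w;
    score += w * (Array.isArray(a[key]) ? jaccard(a[key], b[key]) : Number(a[key] === b[key]));
  }
  return score / total;
}

const sameVisitor = (a, b, threshold = 0.8) => similarity(a, b) >= threshold;

// Perturbing a single attribute, as an anti-fingerprinting extension might.
const withExtraFont = (fp, name) => ({ ...fp, fonts: [...fp.fonts, name] });

console.log(exactId(home), exactId(docked));                    // ids differ
console.log(similarity(home, docked).toFixed(3));               // still close
console.log(sameVisitor(home, withExtraFont(home, "Font-x")));  // still linked
console.log(sameVisitor(home, stranger));                       // not linked
```

Under these assumed weights, a change to one low-weight attribute breaks the exact hash but not the similarity match, so per-visit randomization has to reach the heavily weighted attributes to have any effect.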

~~~
ryacko
Cookie + IP Address + Fingerprint + URL Referral + Social Media

It’s possible to be anonymous if you only log into websites with proper
privacy policies, delete cookies & cache every day, and hide behind carrier
NAT.

Adding a random font shouldn’t stop fingerprinting, people install new
applications all the time. You make a lot of points, but ad tech can get
around it.

Ideally ad corporations would be forced to delete records on people after 30
days.

~~~
auslander
> delete cookies & cache every day

I'm browsing everywhere in Safari's Private mode by default, 3 years no
problems.

~~~
cm2187
It is becoming increasingly difficult though. Google captchas everywhere.
Authentication requesting 2 factor because it thinks it is a new browser. The
web is progressively becoming unusable unless you are loaded with cookies and
tracked. And the culprits are the likes of Amazon, Cloudflare, Google, etc.
Not easy to move them.

~~~
auslander
Cloudflare somehow got better lately, I'm curious to know how :) Google search
works fine and I'm not using other Google services. I see surprisingly few
captchas. Yeah, I'm on VPN too, maybe they treat it differently.

~~~
jgrahamc
Better at what?

~~~
auslander
Less captchas.

------
fabian2k
One case of possible fingerprinting I encountered in an ad recently surprised
me by how many different obscure tests it seemed to perform. The entire script
is 80kB minified, and it looks like it's just hundreds of tests that check for
all kinds of properties of the environment.

Many of the tests seem to look for the presence of specific APIs, or test
various features of the JS environment. Which I'd expect to not give more
information than the user agent, but of course is not as easy to fake as the
user agent is.

I'm not sure this script is entirely about fingerprinting, but I really can't
see any other reason for it. Though the minification of course makes it a bit
harder to see exactly what it does.

The script in question is the following:

[https://static.adsafeprotected.com/sca.17.4.95.js](https://static.adsafeprotected.com/sca.17.4.95.js)

~~~
mwexler
While it's indeed used for "ad tracking", this snippet is actually closer to a
white-hat tool. This is from Integral Ad Science
[https://integralads.com/](https://integralads.com/) which attempts to detect
ad fraud. If you hate ads, it won't matter, but in the fight to make ads less
invasive, potentially more useful, and still viable as an economic model for
those who want to participate with it, Integral and WhiteOps
([https://www.whiteops.com/](https://www.whiteops.com/)) both do some great
data work to try to stop disruptive bots.

If one hates all ads and tracking, of course, then none of this will matter,
but just thought I'd point out the "why" for the fingerprinting in this case.

------
modo_
Tor's anti-fingerprinting measures are available in Firefox. They're off by
default, but you can enable them by going to the about:config page, searching
"privacy.resistFingerprinting" and setting it to "true".

Interesting discussion from six months back:
[https://news.ycombinator.com/item?id=19323032](https://news.ycombinator.com/item?id=19323032)

~~~
jlmorton
Even with `privacy.resistFingerprinting` enabled, my fingerprint is unique
all-time on [https://amiunique.org](https://amiunique.org).

~~~
Quarrel
I wouldn't put much stock in amiunique right now. It might be great, but needs
a bigger sample size.

I am unique purely based on my content language: "en-AU,en,en-US"

While we like to think we're special in Australia, I'm not THAT special.

------
visarga
> all Tor users should have the exact same fingerprint

Wouldn't it be better to impersonate at random a different combination of
fingerprints for each page? Otherwise any browser with this fingerprint would
be risking being blocked for being part of the Tor network.

------
seph-reed
The link to amiunique.com was pretty interesting. In particular, I enjoyed the
webgl render. Hardware/driver dependent things such as that are.. a conundrum
of anonymity.

~~~
mcny
If someone didn't read the OP and tried to go to the amiunique, the website is
dot org

[https://amiunique.org](https://amiunique.org)

~~~
seph-reed
ah. bollocks. thank you for the correction.

~~~
TooCleverByHalf
Tis editable, albeit difficult to find, in case you weren't aware (click
timestamp of the comment you'd like to edit).

------
Santosh83
As long as browsers are heading into the direction of more and more
functionality, APIs and complexity, I get the feeling that being
un-fingerprintable is going to be a lost battle. The best you can do is to be a
unique device every single time and thereby defeat server-side profile
building.

------
2T1Qka0rEiPr
I have "resist fingerprinting" set on Firefox, but it doesn't seem to do much
good. Any suggestions other than to entirely turn off JS, which to me seems
akin to not using the majority of the web?

~~~
corint
I accept that this reply is basically saying "Turn it off", but look at
umatrix. You can allow/block JS by default but then add certain hosts or
domains to the allow list.

I browse with JS disabled, but when I hit a site which doesn't work properly
(and which I want to use still), I can allow only the domains which it needs
to work.

It's quite surprising how quickly many sites now load!

------
saagarjha
I was interested in hearing what they did to prevent fingerprinting with
regards to things like window size, but it seems like they just discourage the
user from changing it :( It looks like this isn't going to be improved anytime
soon.

~~~
Chirael
I would love a button or menu action to RESET my window to the standard size
in regular Firefox but so far I can’t find any easy way to do it. You’d think
an extension would do it but when I checked, all the extensions related to
window size did different things.

~~~
toper-centage
I guess some window managers like i3wm let you do just that.

------
danis1
As long as browsers are inherently insecure in regards to fingerprinting
protection, the only viable protection is to create an extensive list of known
JS fingerprinters.

Additionally one needs to disallow all third party javascript sources by
default.

Both strategies are possible with a good content blocker.

These strategies protect against all known and almost all unknown
fingerprinting scripts. The only scenario where it doesn't work is unknown
first-party scripts, but cross-site tracking is impossible.

------
crtasm
> TBB masks the underlying OS by claiming it is running on a Windows machine.

Note that for some time now TBB on Linux identifies as Linux in both the
platform string and the useragent.

Edit: the platform string is mentioned later in the article.

------
6c696e7578
I've been using this[1] for a while, not so much for the privacy, but to
segregate internet things from my desktop user.

[1]: https://gitlab.com/edneville/newuserbrowser

------
tinus_hn
The advantage is that if you block all the cookies you can get a new identity
by just resizing your window.

