
An advanced browser fingerprint calculator aimed mainly at Tor Browser users - jerheinze
https://fpcentral.irisa.fr
======
gregw134
I worked on designing tracking scripts for six months (Sorry. Fortunately they
aren't in production). Fingerprinting was very difficult to pull off in
practice: even with canvas fingerprinting, font enumeration, plugin
enumeration, etc. most mobile phones are still indistinguishable. Desktops are
easier to fingerprint because they often have unique browser plugins or a
unique set of fonts installed. Even with desktops, fonts and other settings
usually change within a matter of days, so it's difficult to identify a user
unless they're browsing from the same ip address you've seen them at before.

What used to work really well were Flash cookies. Adobe had a security hole
where Flash cookies weren't cleared when you cleared your regular cookies. The
only way to clear your Flash cookies was to open the Flash application on your
laptop and clear all content, or visit a special webpage Adobe built to help
users clear their cookies. So for years marketers could store any cookies they
wanted this way. This only ended when Chrome began embedding a version of
Flash into the browser so Flash cookies could be deleted when other cookies
are deleted.

The other mechanism that was really interesting was ETag tracking. When you
request a picture or other asset from a website, the website can send you an
etag id which is supposed to signify the picture's version. When the client
revisits the page, the client sends back the etag to confirm the version
cached is the same as the version on the server. The security leak is that the
etag protocol allows arbitrary text to be set as an etag, so to set an etag
cookie all you have to do is place a 1x1 pixel on each page with a random
GUID, and when the user revisits the page the browser will resend the tracking
etag in its request for the 1x1 tracking pixel. This works for browsers with
cookies disabled, and will remain when cookies are cleared. The only way to
clear it is to clear all browsing history entirely, including cached images.
Fortunately, Chrome now clears cached images by default when you clear your
cookies.

~~~
trendia
While you were working on it, how did you feel about the ethics of trying to
unmask people who are clearly trying to browse privately?

~~~
gregw134
I thought it was very questionable, but I was in debt and that was the only
job I could get at the time. There's actually a positive use for browser
fingerprinting in that it could theoretically detect Mitm attacks or stolen
cookies. Basically, if you place a unique cookie on each device, and then a
user/device shows up with that cookie but a totally different browser
fingerprint, it's possible that the account was hacked. The client I was
working for was a bank so I was pushing for it to be used in this way. But
realistically, I knew it was probably going to be used for marketing or
privacy invasion but felt like I needed to keep the job to pay the bills.

~~~
G3E9
The detecting of hijacked sessions with browser fingerprinting (mouse
movements, typing speed, etc.) is a very neat idea - something that could be
used to throw off red flags or have users sign-in again with the appropriate
warnings and education.

------
shultays
I have a few questions about finger printing.

Why does Tor send the window size to servers? If it has to, why can't it send the
closest multiple of 100 instead of the real value?

Why do servers request the size of client windows anyway? I assume so they can serve
different resolution images to clients or maybe different layouts, is this
correct? But then instead of sending 1920x1080, simply sending 1900x1100 would
also work right?

Same goes for fonts, as soon as you install a few different fonts, you are
pretty much unique now. Why does a browser have to send the fonts you have?
Shouldn't it be possible to only send the fonts you have? Default fonts of
OSes enabled by default, and new fonts are disabled?

~~~
dtech
This is all done client side with Flash/Javascript. For Tor it is recommended
to disable JS, and I believe the Tor browser bundle comes with NoScript by
default. Plugins should be disabled because they are very exploitable to de-tor
someone.

~~~
driverdan
Tor comes with NoScript but JS is still enabled. The very first thing you
should do after installing Tor is disable JS.

------
shmolyneaux
Under the "Tor" tab it states that the browser should be set to a window size
of 1000x1000 or a multiple of 200x100. Is this to stay consistent across all
Tor users? I would have thought that 1920x1080 would be fine to help stay
anonymous.

~~~
kibwen
Assuming the browser window is maximized, even if most screens are 1920x1080
the browser viewport area will differ based on OS, window manager, and custom
settings.

------
Walf
Surely there's some way to detect when a script touches far too many APIs such
as setting several font families in succession. Then pause execution, warn the
user about potential fingerprinting, and either disable script or blackhole
its network requests.
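
One way to build the heuristic Walf describes, as an added example (not code from the thread, and not how Tor Browser implements its canvas prompt): wrap the canvas 2D context in a Proxy, count the distinct font families a script assigns, and once the count exceeds a budget refuse further drawing and measuring calls. The fake context below is constructed so the demo runs without a browser; in a page you would wrap the real CanvasRenderingContext2D the same way. The budget of 20 families and the probe string are assumptions.

```javascript
// Added example (not code from the thread): flag and cut off canvas-based font
// enumeration once a script has set more distinct font families than a budget.

function instrumentFontProbe(ctx, maxFamilies) {
  const families = new Set();
  const state = { flagged: false, families };
  const proxy = new Proxy(ctx, {
    set(target, prop, value) {
      if (prop === "font" && typeof value === "string") {
        // "72px 'Some Font', sans-serif" -> "'Some Font', sans-serif"
        const family = value.replace(/^\s*[\d.]+(px|pt|em|%)\s+/, "").trim();
        families.add(family);
        if (families.size > maxFamilies) state.flagged = true;
      }
      target[prop] = value;
      return true;
    },
    get(target, prop) {
      const v = target[prop];
      if (typeof v !== "function") return v;
      // Every method call goes through here; once flagged, the script gets
      // an exception instead of a measurement it could compare against a fallback.
      return (...args) => {
        if (state.flagged) throw new Error("fingerprinting blocked: too many font probes");
        return v.apply(target, args);
      };
    },
  });
  return { ctx: proxy, state };
}

// Constructed stand-in for a canvas 2D context (no DOM needed for the demo).
function fakeContext() {
  return { font: "10px sans-serif", measureText(text) { return { width: text.length * 7 }; } };
}

// Run the classic probe loop (set font, measure a fixed string, compare the
// width against a fallback) against the instrumented context and report how far it got.
function simulateProbe(fontList, maxFamilies) {
  const { ctx, state } = instrumentFontProbe(fakeContext(), maxFamilies);
  let probed = 0;
  try {
    for (const f of fontList) {
      ctx.font = "72px '" + f + "', sans-serif";
      ctx.measureText("mmmmmmmmmmlli");
      probed++;
    }
  } catch (e) {
    // blocked by the budget
  }
  return { probed, flagged: state.flagged, distinct: state.families.size };
}
```

A page that genuinely renders three or four typefaces never comes near the budget, while an enumerator walking a list of hundreds of font names is stopped after the first twenty-one. The same wrapper would need to cover the other read paths (toDataURL, getImageData) and the CSS-based measurement trick to be a complete defence; the point here is only the "too many APIs touched" signal.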

~~~
jerheinze
TBB already does that, for example with the HTML5 canvas element; it shows you this
box:
[https://pbs.twimg.com/media/C1_n50BW8AACLKq.jpg](https://pbs.twimg.com/media/C1_n50BW8AACLKq.jpg)

------
mrferos
Have used several browser fingerprinting services and have tried a few of the
techniques myself, they're incredibly useful for fraud prevention when said
fingerprint is reported against a central database alongside with the fraud
that happened to _you_. The next time said fingerprint shows up at an
eCommerce site, they'll be blocked off from purchasing or at least flagged for
additional verification.

They're also just useful for super targeted ads.

 _shrug_

~~~
gregw134
They could also be useful, in theory, for detecting session hijacking through
cookie sniffing. Did somebody's device fingerprint change mid-session? It's
possible that person's account has been hacked, so they should at least be
made to log in again.

------
eptcyka
Why don't we just create a VM with the tor browser preinstalled ? Surely, it
would be a lot harder to do fingerprinting. ETags would still make you
vulnerable, but caching can also be disabled. Then you're left with cookies.

~~~
TazeTSchnitzel
TAILS exists, but that doesn't necessarily prevent fingerprinting.

------
beardog
A good fingerprinting method (only applies to devices on private networks), is
using JavaScript to enumerate the devices/services on a user's network
(running HTTP(S) or other services if they are in the 'safe' port range).

You can also test for models/versions of a router on their network (for
example, many routers allow access to static content such as images without
authentication), so if a unique/uncommon image, CSS, or JavaScript URL can be
accessed without authentication, then the user can be fingerprinted not just
across browsers, but across devices as well (even in a VM). This is done using
network timing (to test if TCP servers exist) and the onload/onerror XHR
events which can be done even for 3rd party origins, by creating img or iframe
elements.

------
throwaway2016a
I'm confused at the "Aimed mainly at Tor" part. A lot of these techniques use
Javascript and the Tor browser blocks Javascript in general and warns strongly
against enabling it. So it seems that part of the technique will be
ineffective against most Tor users.

~~~
eugeniub
What? JavaScript is enabled by default on the Tor Browser Bundle, and users
are not actively encouraged to turn it off.

~~~
mirimir
It's complicated. Javascript is enabled, but NoScript is installed. But
NoScript by default allows all "honest" scripts, although it does block some
stuff. But that's in the default "low security" mode. The goal is having
websites work, so users won't give up on Tor, while providing some security.
Users can increase security, but there are only three options (low, medium and
high). That's to keep user profiles in fewer bins. In the "high security"
mode, all scripts are blocked.

~~~
cookiecaper
I used NoScript roughly ten years ago and it was a lot of work to manually
enable JavaScripts all over the place. I used it for a couple of years solid,
but eventually gave up on it, since I was practically just enabling
JavaScripts on every site anyway. Everyone I tried to introduce it to gave up
on it after a few weeks at most.

To NoScript's credit, it did block a phishing site that I otherwise would've
fallen for once.

That was before the era of single-page apps. Like it or not, JavaScript is
mandatory for even basic functionality on the modern web.

Telling users to introduce 4 clicks to load every new domain and potentially
experience some significant breakages (e.g., I remember some checkout
processes failing because they'd bounce the request around between scripts
from processors, fraud prevention, etc.) just on the remote chance that
they'll encounter malicious JavaScript is simply a non-starter. Something like
Ghostery that mostly-transparently blocks things is a better proposition for
ordinary adoption.

------
suvelx
I've noticed that the Tails and other privacy focused tools go to great
lengths to look the same as other users. And as far as my understanding goes,
this is somewhat tricky with things like canvas fingerprinting.

Is there a reason why they want to look the same? Could the same result be
achieved as looking unique every time? e.g. Instead of attempting to make
every canvas fingerprint the same, instead make every fingerprint unique by
introducing noise.

------
kreetx
There's a layout bug where the nav bar covers content at >768px of width, whenever
the logo and nav links are on the same row again.

------
golergka
I sympathise with that, but HN is a US-centric liberal echo chamber when it
comes to political issues, so everything that got to do with government,
intelligence and surveillance is automatically labelled 'evil'.

~~~
dang
It's common for ideologically committed users to see HN as being aligned
against them. But this perception is in the eye of the beholder, i.e. it's a
cognitive bias. Plenty of comments make opposite claims about HN; the
difference isn't in HN but in what the commenter identifies with.

Edit: I've written about this in plenty of places:
[https://hn.algolia.com/?query=by:dang%20cognitive%20bias&sort=byDate&prefix&page=0&dateRange=all&type=comment](https://hn.algolia.com/?query=by:dang%20cognitive%20bias&sort=byDate&prefix&page=0&dateRange=all&type=comment).
Not all of those posts are about perceptions of political bias; some are about
perceptions of astroturfing. But the two phenomena are variations of the same
thing.

We detached this comment from
[https://news.ycombinator.com/item?id=13930232](https://news.ycombinator.com/item?id=13930232)
and marked it off-topic.

~~~
golergka
Why did you mark my comment off-topic? Wasn't it directly related to topic
discussed in the parent thread?

~~~
dang
Your comment was about Hacker News, not the topic. Also, it was unsubstantive,
and those are always off-topic.

