The test over at http://ip-check.info, by JonDo, is more comprehensive at the expense of not using information theoretical measures like those of Panopticlick, which would give a realistic (if biased) view of browser fingerprint uniqueness. They’ve developed a Firefox setup profile called JonDoBrowser that’s optimized for their own test. While the HTTP headers JonDoBrowser sends to sites can be easily distinguished from those of other browsers (though they’ve attempted to standardize HTTP headers within their own ecosystem), their proxying service compensates for that by withholding all traceable details and eliminating all forms of local storage, thus providing better privacy.
They’re located in Germany—a big legal plus—and their service uses an international chain of independent servers, but they charge for data rates greater than a few hundred kilobits per second. Thankfully, the browser profile also supports faster Tor proxying while maintaining the same degree of personal privacy. It also supports anything you can configure from your computer’s settings, but if that means something other than Tor or JonDo, it’s probably not redundant (i.e., comprising multiple independent proxy servers) and therefore less reliable. It can be downloaded from https://anonymous-proxy-servers.net/en/software.html; for those who wish to try it, I’ve found it works best with Firefox ESR, which can be downloaded from https://www.mozilla.org/en-US/firefox/organizations/all.
> That was weird, the no-js version didn't work. It just sat there spinning.
What extensions do you have installed? There's a known and unfixable issue with browsers that both block JS and absolutely block all requests to tracking domains (e.g., AdAway, which modifies /etc/hosts).
> What, why would I unblock those?
To incentivise better behaviour by web publishers and advertisers!
uBlock was stopping requests to third parties. Though the JavaScript version didn't care that third-party requests were blocked, only the no-js version.
It's kind of weird for something specifically dedicated to measuring tracking to get so confused by an anti-tracking mechanism.
> To incentivise better behaviour by web publishers and advertisers!
Maybe if it could have some legal teeth to it, otherwise it's too easy to lie to get your tracker unblocked.
> To incentivise better behaviour by web publishers and advertisers!
I switched off "Do Not Track" in my options since only good-behaving websites listen to it, such as those using Piwik analytics, which respects privacy. Therefore I only would harm good people with Do Not Track on.
With certain rare configurations (if you have a domain-based blacklist blocker and javascript disabled) this may occur. I suggest turning your js back on just for the test.
I browse with cookies disabled by default, and when I ran the browser test it said this:
    Are Cookies Enabled? No
    One in x browsers have this value: 3.94
...so according to the EFF's data, almost 1 in 4 people also browse with cookies disabled? I thought I was in an extreme minority, and I know I come across a TON of sites that don't work without cookies or localStorage enabled (which is understandable for when you need to log in or if it's a more "app"-y thing, but for just reading content it's a ridiculous requirement).
It's presumably 1 in 4 people who have tried Panopticlick, which isn't a representative sample of general browsers (for example, a lot of people might try it with Tor Browser or with private browsing mode).
The Tor project submitted some of their fingerprinting protection patches to Firefox. They can be enabled by setting the "privacy.resistFingerprinting" about:config pref.
https://bugzil.la/418986 - Bug 418986 - Resist fingerprinting by preventing exposure of screen and system info
And the W3C has shared some information about the obligations of W3C specification authors and working groups of new Web platform features:
"For day-to-day use, the best options are to run tools like Privacy Badger or Disconnect that will block some (but unfortunately not all) of the domains that try to perform fingerprinting, and/or to use a tool like NoScript for Firefox, which greatly reduces the amount of data available to fingerprinters."
Yes, our test does work for that and various hosts-based blockers are supported (like AdAway for Android, for example). In order for our test to give accurate results, the host-based blocker has to add our simulated trackers to its block list, which some lists may not have done yet.
In fingerprinting, the browser plugins and user agent are the most identifying parameters as far as I'm concerned. Does anybody know workarounds to hide or standardize those parameters?
It's more plausible for a large population of browsers to share a single spoofed user agent; all of the Tor Browsers pretend to be a single specific version of Firefox for Windows.
I used to spoof user agents, randomly mutating. Then last month I started to run into sites that refused to load/render for incorrect strings. It appears that Google and other large companies are now sending customized versions of their pages based on the user agent, which I can only speculate is an attempt to save bandwidth. By taking advantage of implementation-specific features, they not only eliminate all of the extra JS and browser workarounds, but they also can take shortcuts.
How about we get together and decide on a common string that all of us can use? We can set our browsers to use that, and our friends' as well. Theoretically, the more people that use the same string, the harder we'll be to track, correct?
JonDo has done exactly that: “Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0”. It hasn’t changed things much, thanks to its relative obscurity and the network effect involved. You should try it out!
That's right, though it's a bit more difficult. Lots of sites use the User-Agent header to determine how to render a page, and may not render it at all if it's an unexpected value. Pages that allow you to install addons to your browsers also use this string to figure out if you're really running the target browser.
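The "one in x browsers" figure and the shared-string proposal discussed above can be worked through on a small population. This is an added example, not part of the original thread; the `SAMPLE` population is constructed for illustration and is not measurement data, and only the shared string is taken from the thread.

```javascript
// Constructed sample population (not measurement data): one entry per browser.
const SAMPLE = [
  { ua: 'Firefox/38 Windows', cookies: true,  plugins: 'flash,java' },
  { ua: 'Firefox/38 Windows', cookies: true,  plugins: 'flash' },
  { ua: 'Chrome/44 Windows',  cookies: true,  plugins: 'flash' },
  { ua: 'Chrome/44 Mac',      cookies: true,  plugins: 'flash' },
  { ua: 'Firefox/38 Linux',   cookies: false, plugins: '' },
  { ua: 'Firefox/31 Linux',   cookies: false, plugins: '' },
  { ua: 'Chrome/44 Windows',  cookies: true,  plugins: 'flash' },
  { ua: 'Safari/8 Mac',       cookies: true,  plugins: 'flash' },
];
// The shared string quoted in the thread.
const SHARED_UA = 'Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0';

// Surprisal in bits of a value that "one in x browsers" have.
function bitsFromOneInX(x) {
  return Math.log2(x);
}

// For each browser: how many browsers share the projected attributes,
// the resulting "one in x" figure, and its surprisal.
function anonymitySets(population, project = (b) => [b.ua, b.cookies, b.plugins]) {
  const counts = new Map();
  for (const b of population) {
    const key = JSON.stringify(project(b));
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return population.map((b) => {
    const setSize = counts.get(JSON.stringify(project(b)));
    const oneInX = population.length / setSize;
    return { setSize, oneInX, bits: bitsFromOneInX(oneInX) };
  });
}

// Browsers whose full fingerprint nobody else in the sample shares.
function uniqueCount(population) {
  return anonymitySets(population).filter((r) => r.setSize === 1).length;
}

// Everyone adopts the same User-Agent; other attributes stay as they were.
function withSharedUserAgent(population, ua) {
  return population.map((b) => ({ ...b, ua }));
}

console.log('unique before:', uniqueCount(SAMPLE));
console.log('unique after shared UA:', uniqueCount(withSharedUserAgent(SAMPLE, SHARED_UA)));
console.log('cookies-off bits:', anonymitySets(SAMPLE, (b) => [b.cookies])[4].bits);
```

In this sample the shared string merges most browsers into one set, but the browser with the unusual plugin list still stands alone, which is why the user agent is only one of the attributes that has to be standardized.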
You can just use about:config if you're going to update it manually. But that's not nearly the worst part of fingerprinting, with plugins and fonts and apparently webgl, etc.
Is there a way to pretend plugins are disabled when they're on click to play?
Yes, everyone knows you can change the user agent string, but how do you change the list of plugins returned by the browser? Do you have to actually patch the binary?!
    navigator.__defineGetter__('plugins', function(){
        return new Object();
    });
Of course, you'd actually have to do a bit more work to make it bulletproof (otherwise fingerprinters could use the fact that you modified your default navigator object as a way to uniquely identify you!).
I imagine ultimately it's almost impossible to defeat fingerprinters in JS, as they could do tricky stuff like timing attacks to get you.
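A self-check for the override posted above, showing which differences from an untouched navigator object it leaves behind. This is an added example, not part of the original thread: `FakeNavigator` and `FakePluginArray` are constructed stand-ins so it runs outside a browser, and it assumes a browser in which `plugins` is an accessor on `Navigator.prototype` rather than an own property of the instance.

```javascript
// Constructed stand-ins for the browser's PluginArray and Navigator
// (hypothetical names; in a page you would audit window.navigator instead).
class FakePluginArray {
  constructor(names = []) {
    this.length = names.length;
    names.forEach((name, i) => { this[i] = { name }; });
  }
}
class FakeNavigator {
  // Assumption: as in current browsers, the accessor lives on the prototype.
  get plugins() { return new FakePluginArray(['Constructed Plugin']); }
}

// The override from the comment above, applied to a given navigator object.
function applyOverride(nav) {
  nav.__defineGetter__('plugins', function () { return new Object(); });
  return nav;
}

// Self-audit: list the visible differences ("tells") from an untouched object.
function overrideTells(nav, PluginArrayCtor) {
  const tells = [];
  // __defineGetter__ creates an own property on the instance itself.
  if (Object.prototype.hasOwnProperty.call(nav, 'plugins')) tells.push('own-property');
  // A plain Object is not a plugin array of any size.
  if (!(nav.plugins instanceof PluginArrayCtor)) tells.push('wrong-type');
  // An empty plugin list still reports length 0; new Object() has no length.
  if (typeof nav.plugins.length !== 'number') tells.push('no-length');
  return tells;
}

console.log('untouched:', overrideTells(new FakeNavigator(), FakePluginArray));
console.log('overridden:', overrideTells(applyOverride(new FakeNavigator()), FakePluginArray));
```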
What plugins do you have installed? Given Chrome doesn't support NPAPI plugins anymore I'd think nearly all Chrome users would have the exact same plugin list. Firefox is also planning to remove NPAPI plugin support so I expect the situation to be similar there in the near-ish future.