Hacker News new | past | comments | ask | show | jobs | submit login

Yeah, I'm playing around with the idea of using the background image trick to profile the integrity hash speed of the visiting browser.

That little background image feature in CSS has given up quite a bit of data in similar situations (people used to use it to check browsing history of :visited links before browser started blocking that).




You're profiling the what now?


<link> tags to include CSS and JavaScript on a page can have an integrity property, which is a SHA hash of the resource they link to.

It's intended to ensure that a CDN doesn't change the content they're serving to your users.

But it turns out you can approximate the speed a visiting browser computes those hashes to fingerprint browsers just by including some CSS on a page.


But that hash is a regular, fast hash that takes like 1µs to compute right? Doesn't that get lost in network jitter? Wouldn't averaging the time it takes to run for(i=0;i<Math.pow(2,18);i++); over 10 runs be much more accurate? Or is this meant to spite the 0.01% of visitors that really try not to be tracked and have turned off javascript?


> But that hash is a regular, fast hash that takes like 1µs to compute right?

They use SHA512 which is fast, but noticeable for large enough files.

> Or is this meant to spite the 0.01% of visitors that really try not to be tracked and have turned off javascript?

Yes, the point is that it works with blockers.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: