Wilders Security Forums  

  #1  
May 18th, 2010, 07:53 AM
ceejay13
Infrequent Poster
Join Date: May 2004
Location: Basingstoke, UK
Posts: 34
'Browser' Fingerprinting

Found this article over on Lifehacker and was shocked at how identifiable I/My computer am/is over the internet.

Next question, how do you combat this as the browser extensions and fonts on your system are a BIG giveaway.
__________________
Colin
  #2  
May 18th, 2010, 09:35 AM
lotuseclat79
Very Frequent Poster
Join Date: Jun 2005
Posts: 1,916
Re: 'Browser' Fingerprinting

How your Web browser rats you out online.

Quote:
You're concerned about your online privacy, and you do all the right things to keep from being tracked around the Web: purge your cookies regularly, clean out Flash "supercookies," even switch to browsers like Browzar, which lets you "search and surf the web without leaving traces on your computer." Doesn't matter—your browser is giving you away.

-- Tom
  #3  
May 18th, 2010, 09:54 AM
ceejay13
Infrequent Poster
Join Date: May 2004
Location: Basingstoke, UK
Posts: 34
Re: 'Browser' Fingerprinting

So basically Javascript has a lot to answer for!!

I have mine down to 1 in 17,740 which makes me ~40 times less trackable than the original 1 in 850,000. Turning off Javascript was the only thing that significantly decreased my 'uniqueness'. Private Browsing made hardly any impact on the score.

As I am on a static IP, I guess I am snagged anyway, whatever the browser says!
__________________
Colin
  #4  
May 19th, 2010, 05:43 PM
m00nbl00d
Incredibly Massive Poster
Join Date: Jan 2009
Posts: 6,470
Re: 'Browser' Fingerprinting

You can minimize what web sites may get from your browser.

I run Chromium browser with 3 user profiles:

One profile to access gmail and other sites where I need to login and want to be remembered, running in Incognito mode;

Another with Incognito mode + Cookies blocked (all cookies!): for sites I trust and require no login, or that I don't mind to login all over again, after for example, I disconnect from the Internet for a second or so.

And a third one with Incognito + Cookies blocked (all cookies!) + plugins disabled + javascript disabled + java disabled + no referrer + no geolocation + different user-agent

You may even make the browser (or any other) access content specifically created for the iphone!
  #5  
May 20th, 2010, 09:27 AM
chronomatic
Very Frequent Poster
Join Date: Apr 2009
Posts: 1,324
Re: 'Browser' Fingerprinting

I think it would be pretty simple for someone to make an add-on that will randomize these identifiers at every start-up.
  #6  
May 20th, 2010, 09:59 AM
ceejay13
Infrequent Poster
Join Date: May 2004
Location: Basingstoke, UK
Posts: 34
Re: 'Browser' Fingerprinting

@m00nbl00d

This is OK for those who understand about the threats that are out there and know what to do to mitigate the probability of being unique and so identifiable.
I also use several profiles in Firefox that are customised to suit different circumstances. Sandboxie doesn't provide the isolation with default configuration.

... which leads us to chronomatic's response. Maybe either an extension or some configuration settings in Sandboxie or similar could be made.

Even with the changes, the idea is to make your browser look like everyone else's and so whatever is done needs to be done by everyone to make us look anonymous. Would a proxy server or VPN work? Or can the Browser still be seen?
__________________
Colin
  #7  
May 20th, 2010, 11:19 AM
m00nbl00d
Incredibly Massive Poster
Join Date: Jan 2009
Posts: 6,470
Re: 'Browser' Fingerprinting

Quote:
Originally Posted by ceejay13
@m00nbl00d

This is OK for those who understand about the threats that are out there and know what to do to mitigate the probability of being unique and so identifiable.
I also use several profiles in Firefox that are customised to suit different circumstances. Sandboxie doesn't provide the isolation with default configuration.

... which leads us to chronomatic's response. Maybe either an extension or some configuration settings in Sandboxie or similar could be made.

Even with the changes, the idea is to make your browser look like everyone else's and so whatever is done needs to be done by everyone to make us look anonymous. Would a proxy server or VPN work? Or can the Browser still be seen?

I don't think you can achieve 100% privacy/anonymity.

Scenario 1: You block cookies, javascript, plugins, etc.

There's still the IP issue and the information the browser provides, including which browser and operating system.

Scenario 2: Considering scenario 1 you acquire a service providing anonymity like a VPN or proxy.

Those in power of the VPN service or proxy still have access to your IP. They mask you before others, but they still know who you are, what sites you visit, referrers, etc.

There may be one or other proxy that won't log your IP, which is the case of https://eu.ixquick.com, which your searches are done anonymously to everyone else and you even have the option to open the links in the search results using a proxy. Still, this will remove a lot of functionality to most sites. It's a matter of whether or not you're OK with it.

One way for perhaps being 100% anonymous would be for you to have your own VPN. Still, you would have to have an account with ISPs with various IPs. They would still know who you are, unless you give false information to them, using many IDs. Plausible? I guess not.

Then you have Tor. The idea behind it is great, but it has two major flaws. It is way too damn slow, even with Polipo. And, the same way good people want to be anonymous using Tor, bad people also try to find them out. For example, you could never access your bank account or access/pass sensitive information using Tor.

Yesterday, while researching a bit about Tor, I saw an article (I don't remember where and when it was written, sorry) saying that some folk had created a few Tor exit nodes and got access to sensitive information about people of some embassy or something like that.

There are pros and cons with everything.
  #8  
May 20th, 2010, 03:11 PM
ceejay13
Infrequent Poster
Join Date: May 2004
Location: Basingstoke, UK
Posts: 34
Re: 'Browser' Fingerprinting

Quote:
Originally Posted by m00nbl00d
I don't think you can achieve 100% privacy/anonymity

I am agreed with you there.

I have nothing to hide in what I do, I just don't want to be identified by 'The Unofficial Data Gatherers'.

My life and what I do is my business, not <enter search engine/web site and their cookies> and the parties they have agreements with. I want to surf anonymously and not be identified for targeted searches (read advertising). When I search, I would like to get clean results as I need to search some pretty unique stuff with few hits, not targeted to suit my apparent profile. Basically, I don't want to be tracked, as don't most people, or at least, one would assume this is what they would want if they knew.

Unfortunately many sites use Java or Javascript which seems to be the main route in to get this fingerprint. Using different profiles is 'an' answer, but is it 'the' answer for the other innocent 99%+ of the population?

Do you always use the correct profile for the scenario at hand, or have you made the odd mistake?

My point here is that we are in the know and there are many who aren't and would like not to be targeted. It needs a unique solution for everyone, in the know or not, to block this access. Giving data voluntarily is OK, but to have it (basically) stolen, because they can by running a few algorithms is ethically wrong.

VPNs are fine for site to site, or computer to computer and I use those for regular communication with a sister site, as you say the host can still identify you. Tor, not really interested, unless I really wanted to hide who I was, but then a proxy server is normally good enough for that.

'Official Data Gatherers' are welcome to watch me and get access to records from the ISP, they can have them - I may not agree with the law, but I live here and have to abide by it, as I say I am doing nothing wrong. It is the people who don't know what is going on that need to know/be protected from this.
__________________
Colin
  #9  
May 20th, 2010, 03:22 PM
chronomatic
Very Frequent Poster
Join Date: Apr 2009
Posts: 1,324
Re: 'Browser' Fingerprinting

Quote:
Originally Posted by m00nbl00d
Then you have Tor. The idea behind it is great, but it has two major flaws. It is way too damn slow, even with Polipo. And, the same way good people want to be anonymous using Tor, bad people also try to find them out. For example, you could never access your bank account or access/pass sensitive information using Tor.

You could use Tor for that, but I am not sure I would because Tor clears all cookies, etc., which means you would have to go through extra verification steps each time you logged into the bank account.

Quote:
Yesterday, while researching a bit about Tor, I saw an article (I don't remember where and when it was written, sorry) saying that some folk had created a few Tor exit nodes and got access to sensitive information about people of some embassy or something like that.

There are pros and cons with everything.

You're talking about the Swedish guy who set up his own exit node and then began logging all unencrypted activity. He found that a lot of embassy people and government agents used Tor for logging into their private e-mail accounts. Apparently those e-mail accounts did not use SSL/TLS because he was able to easily sniff all of the usernames and passwords.

The Tor project has always warned (even before this happened) that if you are using an unencrypted connection (i.e. not using SSL) then the exit node can see everything you do (however that exit node cannot see your IP).

Tor is the best we have. It is extremely difficult (if not impossible) to obtain someone's IP address over Tor (assuming it is used properly).
  #10  
May 21st, 2010, 09:56 AM
lotuseclat79
Very Frequent Poster
Join Date: Jun 2005
Posts: 1,916
Re: 'Browser' Fingerprinting

76% Of Users Exposing Their Browsing Histories.

Quote:
This is actually a very old flaw as it’s part of the core HTTP standards, it’s exploiting the very way in which the Internet works. Basically most browsers expose browsing history if probed in the right way, the fact was that it was just too resource intensive to get any useful data.

-- Tom
  #11  
May 21st, 2010, 03:09 PM
CloneRanger
Massive Poster
Join Date: Jan 2006
Location: Home usually
Posts: 3,860
Re: 'Browser' Fingerprinting

@lotuseclat79

Good info

What the Internet knows about you

OFFLINE ? http://www.whattheinternetknowsabout...s/details.html

So used http://webcache.googleusercontent.co...&hl=en&ct=clnk

Quote:
Limitations

While the history sniffing techniques we present have a lot of potential to determine your browsing habits, they are (luckily) subject to some limitations. The most important thing to note is that websites can only be detected as visited if they're currently listed in your browser history. If you completely clear your history, nothing can be detected, at least until you start browsing again. Also, if you use different browsers or browser profiles, techniques such as ours can only detect the history in the browser/profile you're currently using.

Depending on your browser and whether you've customized your settings, some websites you visited might be purged from your history after a while (usually after three months, but some browsers, such as Google Chrome, keep them indefinitely). Also, websites opened while in "private browsing" ("porn") mode, will not be shown.

Finally, using the approach we chose, we can't detect if you've individual page components, for example, whether you've seen a particular photo, unless you've visited the direct link for that photo.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #12  
May 21st, 2010, 11:03 PM
caspian
Very Frequent Poster
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Re: 'Browser' Fingerprinting

I went to this link. http://startpanic.com/ It's supposed to show web pages visited but it did not even show Wilders.
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #13  
May 22nd, 2010, 06:31 PM
hierophant
Frequent Poster
Join Date: Dec 2009
Posts: 854
Re: 'Browser' Fingerprinting

Quote:
Originally Posted by ceejay13
Found this article over on Lifehacker and was shocked at how identifiable I/My computer am/is over the internet.

Next question, how do you combat this as the browser extensions and fonts on your system are a BIG giveaway.

I just checked this on Ubuntu 10.04 with Firefox via XeroBank, and got ...

"Within our dataset of visitors, one in 0 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys INF bits of identifying information."



Is the site broken? Or
  #14  
May 23rd, 2010, 02:11 AM
ceejay13
Infrequent Poster
Join Date: May 2004
Location: Basingstoke, UK
Posts: 34
Re: 'Browser' Fingerprinting

Thanks for these links - very informative! Didn't realise there was so much detail available.

@hierophant - the site is down for maintenance at the moment. I would suggest there may have been a problem.
__________________
Colin
  #15  
May 23rd, 2010, 02:59 AM
hierophant
Frequent Poster
Join Date: Dec 2009
Posts: 854
Re: 'Browser' Fingerprinting

OMG, I broke the President
  #16  
May 23rd, 2010, 08:38 AM
lotuseclat79
Very Frequent Poster
Join Date: Jun 2005
Posts: 1,916
Re: 'Browser' Fingerprinting

Using Firefox, there is a safehistory add-on from Stanford that can defend against visited link based web privacy attacks. That said, here is what I did to enable it in FF 3.6.3:

I used the web link for the add-on at Stanford and added it via the DownThemAll! add-on Manager, and then downloaded the .xpi file to my desktop. Since a .xpi file is simply a zipped file, I made a new folder/directory (I use Linux) on my Desktop, moved the .xpi file to the new folder named safehistory, and then executed the unzip command against the .xpi file which (inflates) unzips it into its component files. I then edited the value of the maxVersion element (in the install.rdf file) to accept up to 3.7+ instead of 2.0.0*. To make the new .xpi file, from within the new folder, simply issue the zip command as follows to make the new .xpi file on your desktop:
ubuntu@ubuntu:~/Desktop/safehistory$ zip -r ../safehistory.xpi ./*
which takes all of the component files/directories and creates a new safehistory.xpi file in your Desktop directory/folder.

To then add the newly edited safehistory add-on to Firefox, open Firefox if it is not already open, and then use the File Open and click on the safehistory.xpi file in your Desktop folder/directory, and then click on the Install button when it appears. Then all you have to do is restart Firefox to complete the installation.

-- Tom
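
Added example (not part of the post above, and not Stanford's or Mozilla's code): the unzip, edit install.rdf, re-zip steps in Python, run on a small constructed package, with a digest check confirming that install.rdf is the only archive member that changed. The package contents, the add-on id and the target value "3.7.*" are assumptions made for the illustration.

```python
import hashlib
import io
import re
import zipfile

MAX_VERSION = re.compile(rb"(<em:maxVersion>)[^<]*(</em:maxVersion>)")

def make_sample_xpi():
    """Constructed stand-in for an add-on package (not the real safehistory.xpi)."""
    rdf = (b'<RDF xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
           b"<em:id>sample@example.invalid</em:id>"
           b"<em:minVersion>1.5</em:minVersion>"
           b"<em:maxVersion>2.0.0.*</em:maxVersion></RDF>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
        z.writestr("chrome.manifest", b"content sample chrome/content/\n")
        z.writestr("chrome/content/overlay.js", b"// add-on code lives here\n")
    return buf.getvalue()

def repack_xpi(xpi_bytes, new_max):
    """Copy every archive member, rewriting only em:maxVersion in install.rdf."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():  # members in sub-directories are included
            data = src.read(info)
            if info.filename == "install.rdf":
                data, hits = MAX_VERSION.subn(
                    lambda m: m.group(1) + new_max.encode() + m.group(2), data)
                if hits == 0:
                    raise ValueError("no em:maxVersion element in install.rdf")
            dst.writestr(info.filename, data)
    return out.getvalue()

def member_digests(xpi_bytes):
    """Map each member name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}

def changed_members(before, after):
    """Names that were added, removed, or altered by the repack."""
    a, b = member_digests(before), member_digests(after)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

if __name__ == "__main__":
    original = make_sample_xpi()
    rebuilt = repack_xpi(original, "3.7.*")
    print("changed:", changed_members(original, rebuilt))
```

Raising maxVersion only changes what the package declares as compatible; the digest comparison is what shows that no code file was touched in the process.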
  #17  
May 23rd, 2010, 01:36 PM
hierophant
Frequent Poster
Join Date: Dec 2009
Posts: 854
Re: 'Browser' Fingerprinting

Thanks, Tom. Following your instructions, safehistory 0.9 runs in FF 3.6.3 (Ubuntu 10.04) -- and http://webcache.googleusercontent.co...&hl=en&ct=clnk finds no history.

https://panopticlick.eff.org/ is still down
  #18  
May 24th, 2010, 10:01 AM
lotuseclat79
Very Frequent Poster
Join Date: Jun 2005
Posts: 1,916
Re: 'Browser' Fingerprinting

Hi hierophant,

Yes panopticlick appears to be still down for maintenance (I presume).

There is also a safecache 0.9 FF add-on from Stanford that can be enabled in the same manner (which I forgot to mention in my previous post).

-- Tom
  #19  
May 27th, 2010, 12:19 PM
m00nbl00d
Incredibly Massive Poster
Join Date: Jan 2009
Posts: 6,470
Re: 'Browser' Fingerprinting

You may find this of some use for you. Check it out.

http://anonymous-proxy-servers.net/en/anontest
  #20  
May 28th, 2010, 02:12 AM
arran
Very Frequent Poster
Join Date: Feb 2008
Posts: 1,091
Re: 'Browser' Fingerprinting

Unless you are using a proxy service which rewrites everybody's finger print the same who is using the proxy service there is nothing else you can do to prevent it.

True, you can block OS information that your browser sends but there will still be an actual Finger print.

Only difference is your fingerprint will look something like this

OS operating system UNKNOWN
Time on PC UNKNOWN
Browser type UNKNOWN
and so on UNKNOWN
and so on UNKNOWN

Blocked or Unblocked a Finger print will always exist
__________________
Win7 64bit Ultimate
Sandboxie | Applocker | Admuncher | Macrium Reflect | TrueCrypt |
FF Add On's | Greasemonkey | Secure Login | Noscript | Ant Video downloader | Status 4 evar
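
Added example (not part of any post in this thread, and not Panopticlick's code): how a "one in N browsers" figure converts to bits of identifying information, using the usual self-information measure log2(total / matching), and how a browser that hides attributes still produces a fingerprint made of UNKNOWN values. The visitor population, attribute names and the choice of which attributes need scripting are constructed assumptions.

```python
import math
from collections import Counter

ATTRS = ("user_agent", "timezone", "fonts", "plugins")
# Assumption of this model: these three are only readable by script, so a
# browser with scripting and plugins blocked reports them as "UNKNOWN".
SCRIPT_ONLY = ("timezone", "fonts", "plugins")
UAS = ("Firefox/3.6 Linux", "Firefox/3.6 Windows", "Chrome/5 Windows")
TZS = ("UTC+0", "UTC+1", "UTC-5", "UTC-8")

def surprisal_bits(matching, total):
    """Identifying information, in bits, of a fingerprint shared by
    `matching` out of `total` browsers (i.e. 'one in total/matching')."""
    if matching == 0:
        return math.inf  # no browser in the dataset matches
    return math.log2(total / matching)

def fingerprint(browser, hidden=()):
    """Attribute tuple; hidden attributes still occupy a slot as UNKNOWN."""
    return tuple("UNKNOWN" if a in hidden else browser[a] for a in ATTRS)

def make_browser(i):
    """Constructed browser number i (deterministic, for a repeatable demo)."""
    return {"user_agent": UAS[i % 3], "timezone": TZS[i % 4],
            "fonts": f"fontset-{i % 50}", "plugins": f"pluginset-{i % 20}"}

def build_dataset(n=1000):
    """Constructed visitor log: every tenth browser blocks scripts."""
    seen = Counter()
    for i in range(n):
        hidden = SCRIPT_ONLY if i % 10 == 0 else ()
        seen[fingerprint(make_browser(i), hidden)] += 1
    return seen

def measure(dataset, fp):
    """Return (browsers sharing fp, bits of identifying information)."""
    matching = dataset[fp]
    return matching, surprisal_bits(matching, sum(dataset.values()))

if __name__ == "__main__":
    data, me = build_dataset(), make_browser(7)
    cases = {"everything exposed": fingerprint(me),
             "scripts blocked": fingerprint(me, SCRIPT_ONLY),
             "unseen font list": fingerprint({**me, "fonts": "fontset-999"})}
    for label, fp in cases.items():
        shared, bits = measure(data, fp)
        print(f"{label}: shared with {shared} of 1000, {bits:.2f} bits")
```

In this constructed population the blocked browser drops from about 8 bits to about 5 because it now shares its fingerprint with the other blockers; how large that group is in practice depends on how many visitors block the same things.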
  #21  
May 28th, 2010, 02:23 AM
ceejay13
Infrequent Poster
Join Date: May 2004
Location: Basingstoke, UK
Posts: 34
Re: 'Browser' Fingerprinting

Agreed.

Here are EFF's findings - pdf document available here
__________________
Colin
  #22  
May 28th, 2010, 05:10 AM
chronomatic
Very Frequent Poster
Join Date: Apr 2009
Posts: 1,324
Re: 'Browser' Fingerprinting

Once again, I think this would be easy to defeat. Yes, there will always be a fingerprint, but if that fingerprint changes each time the browser is started, what good is it? As I said above, it would be trivial for someone to write a FF or Chrome add-on that does this.
  #23  
May 31st, 2010, 05:52 PM
Pleonasm
Very Frequent Poster
Join Date: Apr 2007
Posts: 1,201
Re: 'Browser' Fingerprinting

The Panopticlick website has been “temporarily down for maintenance” for over a week. Anyone know the current status of this research project?
__________________
ple • o • nasm n. “The use of more words than are required to express an idea”
  #24  
June 1st, 2010, 05:39 AM
hugsy
Regular Poster
Join Date: May 2010
Posts: 167
Re: 'Browser' Fingerprinting

Hm. I use KIS7 and FF with private browsing +noscript +adblock and these sites can't find anything on me except for IP; when I use anonymouse.org, then I am ninja
http://www.whattheinternetknowsaboutyou.com
http://startpanic.com/

If you have more of these testers, please let me know, I would like to try them out; suggestions on how to beat them are welcome too
  #25  
June 14th, 2010, 02:36 PM
katio
Posts: n/a
Re: 'Browser' Fingerprinting

Panopticlick is back!

"Within our dataset of several million visitors, only one in 116 browsers have the same fingerprint as yours."
Beat me!
 

All times are GMT -4. The time now is 09:08 PM.

