New EFF Project: Browser Fingerprinting

http://panopticlick.eff.org/

Whoa.

 

I just tested.

 

This is actually pretty scary. And the problem seems to be that "Browser Plugin Details" can be read from a site if JS is enabled. That alone gives a high enough entropy. And if we add the rest to the mix, the chances for an unique "identity" increase dramatically.

 

Not scary, just scar tactics. I see nothing here unique about my browser. I find it very hard to believe that I am unique out of the 51,150 tested.

Yet "Your browser fingerprint appears to be unique among the 51,150 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 15.64 bits of identifying information."

Browser Characteristic - bits of identifying information - one in x browsers have this value - value
User Agent - 14.06 - 17050 - Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.6) Gecko/20091216 Firefox/3.5.6
HTTP_ACCEPT Headers - 3.33 - 10.09 text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ISO-8859-1,utf-8;q=0.7,*;q=0.7 gzip,deflate en-us,en;q=0.5
Browser Plugin Details - 2.34 - 5.06 - no javascript
Time Zone - 2.33 - 5.03 - no javascript
Screen Size and Color Depth - 2.33 - 5.03 - no javascript
System Fonts - 2.33 - 5.04 - no javascript
Are Cookies Enabled? - 0.21 - 1.16 - Yes
Limited supercookie test - 2.33 - 5.03 - no javascript

 

Yet we add this information to yet another database to store for as however long as they deem necessary. I've always said that no matter what you do to prevent it, you can be tracked, I keep being proved right. Forgive my going off-topic, I just have hesitations when it comes to the EFF. Anyway, I am glad I found out about this, it's just more knowledge for me.

 

Interesting test...

 

One of you care to retest?

 

Still unique.

 

Your wish is my command.

 

But it's not you!
What were the odds anyway

 

Why would you have reservations? They have done a world of good, especially in the courtrooms of the U.S.

 

Be sure and read the Defense Against Fingerprinting https://panopticlick.eff.org/self-defense.php

Here is more information from a blog post on the experiment. http://www.eff.org/deeplinks/2010/01/tracking-by-user-agent

The math behind it is fascinating. http://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy

edit at 11:06 to include links.

 

Because at times they have gone a little overboard in their claims and have done a little FUD-slinging. It's one thing to bring to light concerns regarding safety and privacy, it's another to "work up a scare", especially over the hypothetical and very unlikely issues. At the end of the day, the EFF is simply another special interest/advocacy group. And, as with all of these groups, they have their agenda. There's nothing wrong with that, but, again, just like any of these groups, if they can find an issue to push said agenda, they will.

They are, I believe, a good enough, often well-intentioned group, but they are still a political group.

 

Very interesting test.

BOII = bits of identifying information


Changed the User-Agent in FF to IE8 = 14.4 BOII



Via http://w2.hidemyass.com/index.php = 15.97 BOII



Via http://anonymouse.org = 11.97 BOII



The best result was Via http://anonymouse.org and it shows no User-Agent or headers either If you keep on trying with the same configuration, i found you get slightly different results every time ?

 

Guys can someone help explain what this actually means? Wouldn't having a greater number of browsers with the same fingerprint as me, make me less uniquely identifying?

 

That is correct.

 

Of course they are. Thank God!

http://w2.eff.org/legal/cases/SJG/?f=eff_creation.html

 

The more unique the less anonymous, the less unique the more anonymous - i.e. think of hiding a key on a keyboard in plain sight.

The key question to ask is how do I spoof/modify my essential details to become less unique with regard to the browser I use. For example, would changing any strings in Firefox's about:config help to lessen the uniqueness, and what would those values be?

-- Tom

 

There isn't enough data points yet for the results that the EFF browser test to be accurate. i would wait till you have about 3 million or so, so you can get a 1% population sample.

 

From http://browserspy.dk/ We have always known about this finger printing.

The time on your computer is also revealed. You can change that to make out that you are in a different country, It would throw any one trying to track you of course.

 

What makes the EFF project interesting is the mathematical calculations to how "unique" your fingerprint is. It's quite complicated and goes beyond just gathering the information. We've known you can gather all this stuff for years, what we didn't realize was how "unique" each individual computer is with all of these variables compared in the aggregate.

 

Perhaps even more interesting is the question what we are going to do with this knowledge. The setback of all these Firefox pro-privacy, anti-tracking settings:

 

'EFF's Panopticlick and Torbutton'- Tor Blog Post

Of Interest:

‘EFF's Panopticlick and Torbutton’

https://blog.torproject.org/blog/effs-panopticlick-and-torbutton

 

Iphantom strips out user agent too. But they are a U.S. company. And it looks like anonymouse is a European company. So they undoubtedly log too. I think it is interesting that instead of showing user agent, anonymouse put's their name there instead.

I tried a DNS test with anonymouse and it would not let me connect.

https://www.dns-oarc.net/oarc/services/dnsentropy

It said that you have to pay for a VIP membership to access an encrypted connection.

 

Try https://www.grc.com/dns/dns.htm