Browser fingerprints, and why they are so hard to erase

Discussion in 'privacy problems' started by ronjor, Feb 17, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
    http://www.cso.com.au/article/566512/browser-fingerprints-why-they-hard-erase/
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    First off, thanks for this article. Decent read. I have read several like it but I am not sure it will prompt users into action. It sure should though!!

    I have given this matter a great deal of attention recently. I don't believe almost any user will even remotely be able to remove the fingerprinting and canvas detection traces from their systems after use. If you forget even one or two things you will stand out to an advanced "attacker". Its just a fact - really. So what to do? As discussed in the article and I will promote it as well: forget trying to anonymize by removing identifying "things in the browser activity", and quite literally blend in! Don't panic by what I just said. Here is my example. Use the TOR browser bundle, and if TOR is too slow for you, do it with TOR turned off. You will still get the amazing protection configuration package the TOR team has setup for you. So what does that do you might ask? Simple: when you surf using the TBB you look EXACTLY the same as every other generic TOR user --- > blend in. You can still sit behind multiple VPN's and/or actual TOR while using this package. Again, can be run well with TOR turned off. I do it once in awhile where blazing speed is needed. That bundle package alerts for canvas fingerprinting attempts and such. Unless you are way better than me, can you really even hope to provide a better "blend in" package than the TBB?

    Obviously a simple addition such as working via virtual machines for isolation, would remove the actual physical computer's hardware from being seen as well. It would take a break out to do that and its VERY unlikely if you setup your VM's correctly.

    This would be my suggestion for counteracting a very real and significant security weakness.
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    And also VMs allow snapshot reversion, which is a very beautiful thing. Any traces left from your session disappear (at least from your VM space).
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    And pedantically, different VMs running different distros have different browser signatures.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    This fact makes the TBB's case even more. By placing the TBB inside of ANY distribution their "package" will still appear the same while on the internet. The identical fingerprint no matter where its placed and on what computer (as long as you don't modify something yourself). Now that is blending in.
     
  6. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,540
    Location:
    Triassic
    Has there been any focus or new developments on this since Feb 2015?

    I have WinPrivacy installed and just 2 days ago it added two websites to their canvas fingerprinting list . Before that there was nothing on my list. Each site has some items shown as blocked, but I do not know what it is that they blocked. The help screens offer no info as to what 'blocked' means, e.g. does it mean they have blocked sites like Addthis or does it mean they have blocked the sending of collected data back to the website. I am hoping it means that they are blocking info collected so that my info can not be sold to a third party.

    There is a list online of the sites that use canvas fingerprinting and I am shocked that government sites participate. I am also surprised that security sites do it too. Kaspersky is on the list !!! Maybe they should explain why.
     
  7. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Never heard of Winprivacy. Looks interesting.
     
  8. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    I don't think it is a good idea using tor browser without tor enabled. It has intensive about:config changes. Without tor you would be pretty much uniq.

    On the topic, there is also protocol version numbers can be sent to sites. Let's say you modified iceweasel's user agent. They can still know you are on esr with protocol version number. I think finger printing can't be eliminated unfortunately. Only way for this is to using tor browser wihout any manual modifications.
     
    Last edited: Dec 5, 2015
  9. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    What are peoples thoughts on Panopticlick ? https://panopticlick.eff.org/
    I have found that with Icecat and a few add ons I have got my score down to 574.
    This score would indicate a very high blend-in-abilty factor, how reliable is this ?
     
  10. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    It is just an example. Web sites see much more than that. For example; if you don't change media.peerconnection.enabled to false, websites can see your internal ip.

    P.S: 574 bits of identifying information means you are pretty much unique.
     
  11. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106


    574 bits of identifying information would be pretty bad!! I have 9.15 bits of identifying information (using Icecat)

    My Icecat also shows - Within our dataset of several million visitors, only one in 570 browsers have the same fingerprint as yours.

    As I understand it a lower score on Panopticlick is better. 1 in 574 is far from unique.


    Disabling webRTC should be standard operating procedure alongside canvas blocking, blocking scripting ie flash/java/etc and a whole host of other mitigations.

    I guess I was just asking how good is Panopticlick, if it says your good are you really good ?
     
  12. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    lol my bad. It is pretty much good then. But if you read the article it has a side effect. Lesser identifying bits also makes you unique. The best is the common one. Icecat is far from common one. Sucked situation. There is no escape from getting profiled!
     
    Last edited: Dec 6, 2015
  13. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Thanks for the bump on this thread. It reminded me to check back on random agent spoofer. It now appears to be working for the latest firefox.

    My browser fingerprint is still unique but at least it is changing every 5 minutes.
     
  14. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    According to https://panopticlick.eff.org/, my browser fingerprinting is unique.

    How do you avoid being unique in this regard? Is there any chromium extension that would help with that?

    I'm currently using:

    - tabcookies;
    - ublock origin;
    - lastpass;
    - httpseverywhere;
     
  15. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Don't take that site serious. There are much more parameters to consider than that site shows. That site just gives you an example. For example; did you know that? http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/ i didn't. And i used it long time without knowing that. By thinking "yeah i modified my iceweasel well" They create standarts to track user. I thought switching another browser like dillo or netsurf to protest mozilla. But they were not enough unfortunately.
     
    Last edited: Dec 7, 2015
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I've run that test many times and each time I'm unique. So I don't know what exactly this means...
     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I think there are two main approaches here:

    a) use utilities that lie about your user agent; minimise your use of add-ons
    b) use Live systems, sandboxes, or vanilla Virtual machines with stock browsers, that you revert to a snapshot.

    The latter are good because there will be a large pool of similar systems out there, particularly if you use a popular distro and browser.
     
  18. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    I agree with your reasoning. However, doing b) is not a very time friendly behaviour, nor is it practical. I want a solution for everyday use. I'll play around with user-agent add-ons and see if I get anything good out of that. Do you've any suggestions for such an extension?
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I don't use those user-agent switchers, and they're browser dependent, but random agent spoofer (FF) and user-agent switcher(Chrome) seem popular.

    Compartmentatlisation (using VMs and sandboxes) has benefits way beyond browser fingerprinting and cookie control - for example, there's no way I want a browser being able to "see" my personal data. Once set up, it does become a way of life and very little impediment to use - it's been several years since I browsed from a real machine. The controls I use include Sandboxie (Windows), FireJail (Linux), and various VMs. All of these allow for an unadorned stock browser to be used, and the session wiped every time.
     
  20. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I agree and subscribe to a great majority of your quoted post. Not having your workspace browser on the REAL machine is a pivotal piece of the puzzle. Where I differ is I prefer to use TBB at the end immediately preceding the exit node of a rather long tunnel (TBB functions as the workspace browser). My goal is to look like every other TOR user and of course all is cleared from TBB when the session closes. Further I use separate TBB instances for each site I visit regularly, such as here at Wilders, allowing no unanticipated dirt from another site even by mistake!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.