Top sites (and maybe the NSA) track users with “device fingerprinting”

Top sites (and maybe the NSA) track users with “device fingerprinting”.

FPDetective: Dusting the Web for Fingerprints (PDF: 346.6 KB).

By reading the PDF paper, there is a Firefox proof-of-concept add-on named Firegloves available to impede fingerprinting-based tracking while maintaining browsing experience.

Cross-browser fingerprinting test 2.0.

Firegloves.

Preventing misuses and misapprehensions of FireGloves. (followup: FireGloves is no longer being developed according to developers, and caused Font size webpage corruption problems for me)

-- Tom

 

i'm wondering why their lawyers advised them not to disclose the sites using device fingerprinting.

 

Those sites will be likely to reconsider their relationship with the NSA after the public backlash.

 

Hmmm so how do we counter this? Run Windows XP in VM with Internet Explorer?

 

shouldn't be too difficult to design a batch file or script or small program that effectively gives you a randomized portable disposable browser. it should delete random 5-10% of (lesser used) available fonts, select randomly from the thousands of user agents available, and also install some random 5 or so low impact or no impact extensions so that you'd have a different fingerprint each time. then on exit it deletes browser folder and the cookie and temp files it may have added to in the OS drive, or run it sandboxed. also it should drop in custom user.js file for the config settings, maybe the user chooses from 3 or so different ones depending the level of privacy and security desired. same thing with the extensions installed, just select from an local cache of the XPI files.

i'm wondering why nobody has done this yet. seems like it would be pretty easy to do for a programmer.

 

Hey, I don't mind device fingerprinting, because any particular device only gets used for stuff that I don't mind associated.

As long as they can't fingerprint VM hosts, I'm OK.

For stuff that I really don't want linked, I do use different hosts.

 

Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting (paper)

 

Correct link for first link in first post is http://arstechnica.com/security/201...e-nsa-track-users-with-device-fingerprinting/.

 

Correct link for third link in first post is http://fingerprint.pet-portal.eu/?lang=en.

 

From 2nd link in first post:

 

Tracking and Fingerprinting in E-Business: New Storageless Technologies... (paper)

From the paper "Tracking and Fingerprinting in E-Business: New Storageless Technologies and Countermeasures" (found at http://gulyas.info/):

 

From paper "User Tracking on the Web via Cross-Browser Fingerprinting" (found at http://gulyas.info/):

 

Secret Agent may be of some value as well. Works well most of the time, but you may run into a little trouble on some sites. Those sites can be whitelisted if desired.

 

Another fingerprint test site: hxxp://noc.to

 

@MrBrian,

Thanks for sharing this very informative site. I was comfortable with my current setup, but after checking this site out I feel even better. Took quite a bit of sabotage on my part to leak anything even remotely revealing about my system.

 

You're welcome . I got that link from http://en.wikipedia.org/wiki/Device_fingerprint.

Be aware though that, according to one (or more) of the above papers, commercial solutions may use techniques that these test sites don't. From the 5th link in the 1st post (my bolding):

 

From paper "Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting" (direct link: hxxp://www.w2spconf.com/2013/papers/s2p1.pdf ):

 

From paper "XSS-FP: Browser Fingerprinting using HTML Parser Quirks" (direct link: hxxp://arxiv.org/pdf/1211.4812 ):

 

The IP check is a free and easy understandable anonymity test. The test shows at a glance
which attacks a website may launch on your privacy. Moreover, you get recommendations for
possible counter measures. It explains which data your own web browser sends to websites.
A website may use this data to create an individual profile. By misusing such a profile,
you may later get identified reliably on this or on another website.

http://ip-check.info/description.php?lang=en

 

Table 1 in the paper in post #7 shows features used by Panopticlick vs. those of three fingerprinting companies.

 

From paper "Searching for Indicators of Device Fingerprinting in the JavaScript Code of Popular Websites" (2013) (direct pdf hxxp://www.truststc.org/education/reu/13/Papers/RauschM_Paper.pdf ):

 

From paper "Host Fingerprinting and Tracking on the Web: Privacy and Security Implications" (2012):

 

From thesis "Browser Fingerprinting" (2012) (direct pdf hxxp://publications.lib.chalmers.se/records/fulltext/163728.pdf ):

 

Fingerprinting, CDI & How to Deal With It

I've come to the conclusion that fighting device fingerprinting is futile. I'm now in the same camp as the author of the above link and mirimir: things you don't want linked should be done in separate instances of operating systems, each with a different type of browser. Depending on how you do this, the different operating systems might or might not use the same IP address. So maybe you'd have the following:
operating system #1: activities that involve your real name, or anything that might be linked to it already (email addresses, etc.)
operating system #2: any "interesting" activities
operating system #3: everything else

 

From Browser Fingerprinting: 9 Facts: