Browser fingerprinting - relevance and countermeasures

Discussion in 'privacy general' started by summerheat, Jul 15, 2018.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,149
    Yes, true. But I only use that as Mirimir. And I don't care if everything that Mirimir does gets associated.

    And yes, "Inspect Element" does the same. But it involves more steps. This is just click and kill.
     
  2. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,944
    @lucd Well, your remark is not relevant to browser fingerprinting. CSFire was a great addon, but abandoned, and if your purpose is CSRF protection only it's not necessary, since you can protect yourself from almost all CSRF w/out any tool as I wrote many times. I had been a CSFire user but even when it was still maintained, it caused many breakages and interferences w/ other addons, some of which are conditional (e.g. it stripped most OCSP requests out, which causes a visible problem only when security.OCSP.require is true and the site doesn't use OCSP stapling), so I made a bunch of rules to fix them. Note most of those breakages were about function and thus were not immediately visible. For ultrasonic, the best protection is just not to give microphone permission to any apps which you can't fully trust. CSS Exfil makes some sense, given default-deny CSS causes too many problems; but note it's not an almighty, unconditional attack as one may think or some media reported.

    BTW academic papers are actually the easiest and quickest way to see how frequently these techniques are used in the real world because many of them include real-world surveys; some are large-scale, others are small but list actual URLs as supplementary materials. The first hit on Google Scholar for ultrasonic showed:
    , and this didn't take even 30 seconds.
     
    Last edited: Jan 2, 2020
  3. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,944
    An alternative for DOM Delete is the Element picker in uBO; it allows click-and-kill. As to the uBO DOM inspector, I use it only on mobiles where a native DOM inspector is not available w/out an additional addon. In my experience automatically generated rules by the picker will work for 90+% of ads & popups, but for the rest they won't work: e.g. clear cache and reload the page, and the element reappears because the selector for the element is dynamically generated and has a random name; popup disappeared but you can't scroll the page. I said "(will) work", the implication is "work, but will not be efficient". I once noted some limitations of rules generated by the picker, but you can directly edit rules from the picker window if you know its syntax. Anyway, these are just hiding elements and I tend to disregard them. uBO has HTML filtering which removes the element from the document, contrary to hiding, but it has its own performance impact so in my case I only use it when the element executes script or loads images.

    But if a tool is working for you and still maintained, just stick to it. ABP once had Element-hiding helper, but it was abandoned as the function was integrated into ABP itself when it moved to web extension, which in turn brought much criticism and became a determinant to switch to uBO for some users. A familiar tool is the best for anyone.
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,614
    Location:
    Italy
    The "problem" ETag:

    https://en.wikipedia.org/wiki/HTTP_ETag

    never ceases to amaze me, every now and then it appears cyclically.
    I personally don't care about the ETag "problem" with my New Moon browser.
    They are deleted when the browser is closed.

    For those who want to take a test:

    http://lucb1e.com/rp/cookielesscookies/

    For paranoids, in Firefox-based browsers, it is possible to delete the browser memory cache:


    I don't think it is necessary to delete the disk cache too.

    The situation is different in Chrome-based browsers, where some extensions may be necessary to do the same actions that are internal in Firefox-based browsers.
    Disabling the cache with the developer window open is not a viable way.
    The simple function of some extensions similar to the one below is interesting:

    https://chrome.google.com/webstore/detail/no-cache/hckocmggmdfdnjjomghmhllibmdobdll

    In the Chrome Web Store there are other extensions with a similar function, up to the best known, Click&Clean.
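
The cache behaviour discussed in the post above, as an added example that is not part of any post in this thread: a simulated server that reuses the ETag validator as a visitor id, and a minimal browser cache model showing that clearing the cache, or dropping the validator headers in transit, resets the count. `TrackingServer`, `Browser` and `visit_counts` are hypothetical names, and the exchange is simplified (a real server would answer a matching `If-None-Match` with `304 Not Modified`).

```python
import itertools

class TrackingServer:
    """Constructed stand-in for a site that reuses the ETag as a visitor id."""
    def __init__(self):
        self.visits = {}                      # ETag value -> visit count
        self._ids = itertools.count(1)

    def handle(self, request_headers):
        etag = request_headers.get("If-None-Match")
        if etag not in self.visits:           # absent or unknown validator: new visitor
            etag = f'"visitor-{next(self._ids)}"'
            self.visits[etag] = 0
        self.visits[etag] += 1
        return {"ETag": etag}, self.visits[etag]

class Browser:
    """Minimal cache model: remembers the last ETag received per URL."""
    def __init__(self, strip_validators=False):
        self.cache = {}
        # True models a filter that removes ETag / If-None-Match headers
        self.strip_validators = strip_validators

    def visit(self, server, url="/page"):
        headers = {}
        cached = self.cache.get(url)
        if cached and not self.strip_validators:
            headers["If-None-Match"] = cached  # cache revalidation request
        response, count = server.handle(headers)
        if not self.strip_validators:
            self.cache[url] = response["ETag"]
        return count

    def clear_cache(self):
        self.cache.clear()

def visit_counts(browser, clear_after=None, visits=4):
    """Return the visit number the server reports on each page load."""
    server = TrackingServer()
    seen = []
    for i in range(visits):
        seen.append(browser.visit(server))
        if clear_after is not None and i + 1 == clear_after:
            browser.clear_cache()
    return seen

if __name__ == "__main__":
    print("cache kept:        ", visit_counts(Browser()))
    print("cleared after 2nd: ", visit_counts(Browser(), clear_after=2))
    print("validators dropped:", visit_counts(Browser(strip_validators=True)))
```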
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,509
    Location:
    Among the gum trees
    I tested there and no matter how many times I visited, whether by closing the browser (Firefox) or just opening a new temporary container it said I'd only visited 2 times. The text I saved did not survive a browser restart.
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,614
    Location:
    Italy
    :thumb:

    If you use Chrome you will see that it is a completely different thing.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,509
    Location:
    Among the gum trees
    Yep, you're right! Just checked MS Edge and Brave. Extension added. :thumb:
     
  8. FibonacciMozart

    FibonacciMozart Registered Member

    Joined:
    Mar 13, 2020
    Posts:
    3
    Location:
    Norway
    Yep same result here, the "stored text" = gone with a tab refresh - when clicking the "Store" button - counter stopped counting at 2. Currently using latest version of Firefox with 10 extensions working together. These fingerprinting testing-sites can't even get basic information straight. :eek: I'm not sure if these tests are very accurate? :thumbd:

    Relevant to topic: a few years ago I successfully found a method on how to run a Headless Firefox browser - posing as a normal windowed Firefox browser by opening the geckodriver.exe (selenium webdriver) file in HxD.
    Changed 2 specific values in geckodriver.exe because most of the sites that did the most aggressive fingerprinting would look for these 2 specific values that a normal browser did not have. I remember the other big challenge I solved was spoofing the count of how many extensions were currently installed. First it showed 0 extensions then I made a few changes and got it to report an 'undefined' count of extensions; however, I also remember that: 0 extensions OR undefined count of extensions == flagged as a headless or a suspicious browser when web scraping. Fun times experimenting.
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,944
    ETag is an HTTP header and thus can't be deleted by clearing cache, tho this indirectly makes ETag tracking impossible. If you use a filtering proxy you can delete the ETag, which is what I had been doing and also what AdGuard can do. There are also addons capable of doing so. Disk cache should be deleted unless you disabled it or your browser is set to delete it on close. I believe any privacy-conscious user is accustomed to the CTRL + Shift + Del shortcut if they haven't automated it.
    Not relevant as far as common use cases of widely used fingerprinting frameworks are concerned. These tests report each fingerprintable property back, but in reality web owners use a hash of concatenated properties. The more properties you add, the more each fingerprint becomes unique but also more sensitive to any slight change and thus not reliable - so they choose properties according to their purpose (e.g. OS/browser version in UA string or UA itself is often excluded) but still concatenate many properties and hash them. This reflects the fact they don't need to exactly track each user individually. All in all, fingerprinting is not very reliable and can't replace cookies.
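
The trade-off described in the post above, as an added example that is not part of any post in this thread: the fingerprint is a hash over a chosen set of properties, and each added property can separate more visitors while making the hash break on small changes. The visitor data is constructed, `fingerprint` and `evaluate` are hypothetical names, and SHA-256 stands in for whatever hash a given framework uses.

```python
import hashlib

def fingerprint(props, keys):
    """Hash the selected properties, concatenated in a fixed order."""
    joined = "|".join(f"{k}={props[k]}" for k in sorted(keys))
    return hashlib.sha256(joined.encode()).hexdigest()[:16]

# Constructed sample: three visitors, each observed before and after a browser update.
VISITS = {
    "A": [{"ua": "Firefox/72", "screen": "1920x1080", "tz": "UTC+1", "fonts": "f1"},
          {"ua": "Firefox/73", "screen": "1920x1080", "tz": "UTC+1", "fonts": "f1"}],
    "B": [{"ua": "Firefox/72", "screen": "1920x1080", "tz": "UTC+1", "fonts": "f2"},
          {"ua": "Firefox/73", "screen": "1920x1080", "tz": "UTC+1", "fonts": "f2"}],
    "C": [{"ua": "Chrome/79", "screen": "1366x768", "tz": "UTC-5", "fonts": "f1"},
          {"ua": "Chrome/80", "screen": "1366x768", "tz": "UTC-5", "fonts": "f1"}],
}

def evaluate(keys):
    """Return (distinct, stable) for a property selection.

    distinct: how many visitors the first-visit hashes tell apart.
    stable:   how many visitors keep the same hash across both visits.
    """
    distinct = len({fingerprint(obs[0], keys) for obs in VISITS.values()})
    stable = sum(fingerprint(obs[0], keys) == fingerprint(obs[1], keys)
                 for obs in VISITS.values())
    return distinct, stable

if __name__ == "__main__":
    for keys in (["screen", "tz"],
                 ["screen", "tz", "fonts"],
                 ["screen", "tz", "fonts", "ua"]):
        print(keys, evaluate(keys))
```

In this sample, adding the font list separates visitors A and B without costing stability, while adding the full UA string separates no one further and changes every hash after the update.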
     