'Browser' Fingerprinting

Discussion in 'privacy problems' started by ceejay13, May 18, 2010.

Thread Status:
Not open for further replies.
  1. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    Found this article over on Lifehacker and was shocked at how identifiable I/My computer am/is over the internet.

    Next question, how do you combat this as the browser extensions and fonts on your system are a BIG giveaway.
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,101
    How your Web browser rats you out online.

    -- Tom
     
  3. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    So basically Javascript has a lot to answer for!!

    I have mine down to 1 in 17,740 which makes me ~40 times less trackable than the original 1 in 850,000. Turning off Javascript was the only thing that significantly decreased my 'uniqueness'. Private Browsing made hardly any impact on the score.

    As I am on a static IP, I guess I am snagged anyway, whatever the browser says!
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You can minimize what web sites may get from your browser.

    I run Chromium browser with 3 user profiles:

    One profile to access gmail and other sites where I need to login and want to be remembered, running in Incognito mode;

    Another with Incognito mode + Cookies blocked (all cookies!): for sites I trust and require no login, or that I don't mind to login all over again, after for example, I disconnect from the Internet for a second or so.

    And a third one with Incognito + Cookies blocked (all cookies!) + plugins disabled + javascript disabled + java disabled + no referrer + no geolocation + different user-agent

    You may even make the browser (or any other) access content specifically created for the iphone! ;)
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I think it would be pretty simple for someone to make an add-on that will randomize these identifiers at every start-up.
     
  6. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    @m00nbl00d

    This is OK for those who understand about the threats that are out there and know what to do to mitigate the probability of being unique and so identifiable.
    I also use several profiles in Firefox that are customised to suit different circumstances. Sandboxie doesn't provide the isolation with default configuration.

    ... which leads us to chronomatic's response. Maybe either an extension or some configuration settings in Sandboxie or similar could be made.

    Even with the changes, the idea is to make your browser look like everyone else's and so whatever is done needs to be done by everyone to make us look anonymous. Would a proxy server or VPN work? Or can the Browser still be seen?
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't think you can achieve 100% privacy/anonymity.

    Scenario 1: You block cookies, javascript, plugins, etc.

    There's still the IP issue and the information the browser provides, including which browser and operating system.

    Scenario 2: Considering scenario 1 you acquire a service providing anonymity like a VPN or proxy.

    Those in power of the VPN service or proxy still have access to your IP. They mask you before others, but they still know who you are, what sites you visit, referrers, etc.

    There may be one or other proxy that won't log your IP, which is the case of https://eu.ixquick.com, which your searches are done anonymously to everyone else and you even have the option to open the links in the search results using a proxy. Still, this will remove a lot of functionality to most sites. It's a matter of whether or not you're OK with it.

    One way for perhaps being 100% anonymous would be for you to have your own VPN. Still, you would have to have an account with ISPs with various IPs. They would still know who you are, unless you give false information to them, using many IDs. Plausible? I guess not.

    Then you have Tor. The idea behind it is great, but it has two major flaws. It is way too damn slow, even with Polipo. And, the same way good people want to be anonymous using Tor, bad people also try to find them out. For example, you could never access your bank account or access/pass sensitive information using Tor.

    Yesterday, while researching a bit about Tor, I saw an article (I don't remember where and when it was written, sorry) saying that some folk had created a few Tor exit nodes and got access to sensitive information about people of some embassy or something like that.

    There are pros and cons with everything.
     
  8. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    I am agreed with you there.

    I have nothing to hide in what I do, I just don't want to be identified by 'The Unofficial Data Gatherers'.

    My life and what I do is my business, not <enter search engine/web site and their cookies> and the parties they have agreements with. I want to surf anonymously and not be identified for targeted searches (read advertising). When I search, I would like to get clean results as I need to search some pretty unique stuff with few hits, not targeted to suit my apparent profile. Basically, I don't want to be tracked, as don't most people, or at least, one would assume this is what they would want if they knew.

    Unfortunately many sites use Java or Javascript which seems to be the main route in to get this fingerprint. Using different profiles is 'an' answer, but is it 'the' answer for the other innocent 99%+ of the population?

    Do you always use the correct profile for the scenario at hand, or have you made the odd mistake?

    My point here is that we are in the know and there are many who aren't and would like not to be targeted. It needs a unique solution for everyone, in the know or not, to block this access. Giving data voluntarily is OK, but to have it (basically) stolen, because they can by running a few algorithms is ethically wrong.

    VPNs are fine for site to site, or computer to computer and I use those for regular communication with a sister site, as you say the host can still identify you. Tor, not really interested, unless I really wanted to hide who I was, but then a proxy server is normally good enough for that.

    'Official Data Gatherers' are welcome to watch me and get access to records from the ISP, they can have them - I may not agree with the law, but I live here and have to abide by it, as I say I am doing nothing wrong. It is the people who don't know what is going on that need to know/be protected from this.
     
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    You could use Tor for that, but I am not sure I would because Tor clears all cookies, etc., which means you would have to go through extra verification steps each time you logged into the bank account.

    You're talking about the Swedish guy who set up his own exit node and then began logging all unencrypted activity. He found that a lot of embassy people and government agents used Tor for logging into their private e-mail accounts. Apparently those e-mail accounts did not use SSL/TLS because he was able to easily sniff all of the usernames and passwords.

    The Tor project has always warned (even before this happened) that if you are using an unencrypted connection (i.e. not using SSL) then the exit node can see everything you do (however that exit node cannot see your IP).

    Tor is the best we have. It is extremely difficult (if not impossible) to obtain someone's IP address over Tor (assuming it is used properly).
     
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,101
    76% Of Users Exposing Their Browsing Histories.

    -- Tom
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @lotuseclat79

    Good info :thumb:

    What the Internet knows about you

    OFFLINE ? http://www.whattheinternetknowsaboutyou.com/docs/details.html

    So used http://webcache.googleusercontent.c...einternetknowsaboutyou.com&cd=1&hl=en&ct=clnk

     
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I went to this link. http://startpanic.com/ It's supposed to show web pages visited but it did not even show Wilders.
     
  13. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I just checked this on Ubuntu 10.04 with Firefox via XeroBank, and got ...

    "Within our dataset of visitors, one in 0 browsers have the same fingerprint as yours.

    Currently, we estimate that your browser has a fingerprint that conveys INF bits of identifying information."

    o_O

    Is the site broken? Or o_O
     
  14. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    Thanks for these links - very informative! Didn't realise there was so much detail available.

    @hierophant - the site is down for maintenance at the moment. I would suggest there may have been a problem.
     
  15. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    OMG, I broke the President :eek:
     
  16. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,101
    Using Firefox, there is a safehistory add-on from Stanford that can defend against visited link based web privacy attacks. That said, here is what I did to enable it in FF 3.6.3:

    I used the web link for the add-on at Stanford and added it via the DownThemAll! add-on Manager, and then downloaded the .xpi file to my desktop. Since a .xpi file is simply a zipped file, I made a new folder/directory (I use Linux) on my Desktop, moved the .xpi file to the new folder named safehistory, and then executed the unzip command against the .xpi file which (inflates) unzips it into its component files. I then edited the value of the maxVersion element (in the install.rdf file) to accept up to 3.7+ instead of 2.0.0*. To make the new .xpi file, from within the new folder, simply issue the zip command as follows to make the new .xpi file on your desktop:
    ubuntu@ubuntu:~/Desktop/safehistory$ zip -r ../safehistory.xpi ./*
    which takes all of the component files/directories and creates a new safehistory.xpi file in your Desktop directory/folder.

    To then add the newly edited safehistory add-on to Firefox, open Firefox if it is not already open, and then use the File Open and click on the safehistory.xpi file in your Desktop folder/directory, and then click on the Install button when it appears. Then all you have to do is restart Firefox to complete the installation.

    -- Tom
     
  17. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
  18. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,101
    Hi hierophant,

    Yes panopticlick appears to be still down for maintenance (I presume).

    There is also a safecache 0.9 FF add-on from Stanford that can be enabled in the same manner (which I forgot to mention in my previous post).

    -- Tom
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Unless you are using a proxy service which rewrites everybody's finger print the same who is using the proxy service there is nothing else you can do to prevent it.

    true how you can block OS information that your browser sends but there will still be an actual Finger print.

    Only difference is your fingerprint will look something like this

    OS operating system UNKNOWN
    Time on PC UNKNOWN
    Browser type UNKNOWN
    and so on UNKNOWN
    and so on UNKNOWN

    Blocked or Unblocked a Finger print will always exist
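
Added example, not part of any post in this thread and not Panopticlick's code: the "one in N browsers" and "bits of identifying information" arithmetic quoted above, run in Python over a small constructed dataset to show that a fingerprint of UNKNOWN values only stops identifying you when other visitors report the same values. The attribute names and the sample visits are assumptions made for illustration.

```python
import math

# Constructed sample data: one tuple per visit, in ATTRS order. Not real measurements.
ATTRS = ("browser", "os", "timezone", "fonts", "plugins")
VISITS = [
    ("Firefox/3.6", "Linux", "UTC+0", "fonts-a1", "plugins-p1"),  # index 0 = "me"
    ("Firefox/3.6", "Linux", "UTC+0", "fonts-a2", "plugins-p1"),
    ("Firefox/3.6", "Windows", "UTC+1", "fonts-a3", "plugins-p2"),
    ("Firefox/3.6", "Windows", "UTC+1", "fonts-a3", "plugins-p2"),
    ("Chrome/5", "Windows", "UTC-5", "fonts-a4", "plugins-p3"),
    ("Chrome/5", "Windows", "UTC-5", "fonts-a5", "plugins-p3"),
    ("IE/8", "Windows", "UTC+0", "fonts-a6", "plugins-p4"),
    ("IE/8", "Windows", "UTC+0", "fonts-a6", "plugins-p4"),
]

def surprisal_bits(matching, total):
    """Bits of identifying information when `matching` of `total` visits share a fingerprint."""
    if matching == 0:
        return math.inf  # "one in 0": the ratio total/matching is undefined
    return math.log2(total / matching)

def mask(fp, hidden):
    """Replace every attribute named in `hidden` with the literal string UNKNOWN."""
    return tuple("UNKNOWN" if name in hidden else value
                 for name, value in zip(ATTRS, fp))

def bits_for(fp, visits):
    """Identifying bits of fingerprint `fp` within the list `visits`."""
    return surprisal_bits(visits.count(fp), len(visits))

def compare(visits, hidden, idx=0):
    """Identifying bits for visitor `idx` under four blocking scenarios."""
    me = visits[idx]
    masked_me = mask(me, hidden)
    only_me = [masked_me if i == idx else v for i, v in enumerate(visits)]
    return {
        "nothing hidden": bits_for(me, visits),
        "only I hide": bits_for(masked_me, only_me),
        "everyone hides": bits_for(masked_me, [mask(v, hidden) for v in visits]),
        "everyone identical": bits_for(mask(me, ATTRS),
                                       [mask(v, ATTRS) for v in visits]),
    }

if __name__ == "__main__":
    for label, bits in compare(VISITS, {"fonts", "plugins"}).items():
        print(f"{label:20s} {bits:.1f} bits")
    # The two figures quoted in the thread, expressed in bits.
    print(round(surprisal_bits(1, 850_000), 2), round(surprisal_bits(1, 17_740), 2))
```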
     
  21. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
  22. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Once again, I think this would be easy to defeat. Yes, there will always be a fingerprint, but if that fingerprint changes each time the browser is started, what good is it? As I said above, it would be trivial for someone to write a FF or Chrome add-on that does this.
     
  23. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    The Panopticlick website has been “temporarily down for maintenance” for over a week. Anyone know the current status of this research project?
     
  24. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    hm. I use KIS7 and FF with private browsing +noscript +adblock and these sites can't find anything on me except for IP, when I use anonymouse.org, then I am ninja :p
    http://www.whattheinternetknowsaboutyou.com
    http://startpanic.com/

    If you have more of these testers, please let me know, I would like to try them out, suggestions on how to beat them are welcome too
     
  25. katio

    katio Guest

    Panopticlick is back!

    "Within our dataset of several million visitors, only one in 116 browsers have the same fingerprint as yours."
    Beat me!
     