Browser Fingerprinting

Discussion in 'privacy problems' started by RoamMaster, Mar 30, 2011.

Thread Status:
Not open for further replies.
  1. RoamMaster

    RoamMaster Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    47
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    NoScript can block most of your plugins and javascript unless you whitelist the site.

    Not sure about blocking fonts, but how can that identify you?
     
  3. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I guess it is the combination of fonts + addons.
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    You can't effectively block browser fingerprinting with a plugin because the browser is part of the problem.

    The deal is this: unique pieces of data reduce your entropy in a crowd to make you identifiable. This includes things like if you allow javascript / flash, what other plugins and modules you have, what languages you have installed, what timezone you are in, your desktop resolution, etc. These are things websites need to know in order to serve pages to you.

    The solution is to standardize the browser response among a large crowd. This is what we have implemented inside the browser for Safehouse. It will effectively be unfingerprintable because millions of users will all have the same fingerprint.
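
Added example, not part of any post in this thread and not Safehouse code: a small JavaScript calculation of how much identifying information a combination of browser attributes carries in a crowd, and how that changes once every browser reports the same values. The visitor population and the `STANDARD` values are constructed for illustration.

```javascript
// Constructed sample population (not real data): attributes a site can read per visitor.
const population = [
  { ua: "A", tz: "UTC-6", screen: "1920x1080", lang: "en-US", plugins: "Flash,Java" },
  { ua: "A", tz: "UTC-6", screen: "1920x1080", lang: "en-US", plugins: "Flash" },
  { ua: "A", tz: "UTC-5", screen: "1280x1024", lang: "en-US", plugins: "Flash,Java" },
  { ua: "A", tz: "UTC-5", screen: "1280x1024", lang: "fr-CA", plugins: "Flash" },
  { ua: "B", tz: "UTC-6", screen: "1920x1080", lang: "en-US", plugins: "Flash" },
  { ua: "B", tz: "UTC+0", screen: "1366x768", lang: "en-GB", plugins: "Flash,Java,Silverlight" },
  { ua: "B", tz: "UTC+0", screen: "1366x768", lang: "en-GB", plugins: "Flash" },
  { ua: "B", tz: "UTC-6", screen: "1920x1080", lang: "en-US", plugins: "Flash" },
];
const ATTRS = ["ua", "tz", "screen", "lang", "plugins"];

// Join the chosen attributes into one comparable fingerprint string.
function fingerprint(profile, attrs) {
  return attrs.map((a) => `${a}=${profile[a]}`).join("|");
}

// Group visitors by fingerprint; each group is one anonymity set.
function anonymitySets(pop, attrs) {
  const sets = new Map();
  for (const p of pop) {
    const key = fingerprint(p, attrs);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Identifying information (bits) in one visitor's fingerprint: log2(N / set size).
function surprisalBits(pop, attrs, profile) {
  const size = anonymitySets(pop, attrs).get(fingerprint(profile, attrs));
  return Math.log2(pop.length / size);
}

// Number of visitors whose fingerprint is shared with nobody else.
function uniqueVisitors(pop, attrs) {
  return [...anonymitySets(pop, attrs).values()].filter((n) => n === 1).length;
}

// Hypothetical standardized responses: every browser reports the same values.
const STANDARD = { tz: "UTC", screen: "1000x800", lang: "en-US", plugins: "" };
function standardize(pop, fixed) {
  return pop.map((p) => ({ ...p, ...fixed }));
}

const uniform = standardize(population, STANDARD);
console.log("unique before:", uniqueVisitors(population, ATTRS));
console.log("unique after: ", uniqueVisitors(uniform, ATTRS));
```

In this sample the attribute left unstandardized (`ua`) still splits the crowd into two sets, which is why the standardized values have to cover every attribute a site can read.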
     
  5. RoamMaster

    RoamMaster Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    47
    I was thinking something more along the lines of a plugin report randomizer as a poster suggested in the previous thread. And I was thinking of it more along the lines of a user.js file than a plugin (because I don't think a plugin can inject itself into the engine).

    I had a Proxomitron filter that used to prevent plugin checks, a long time ago. But it stopped working back on Firefox 2.0. I don't know if that's still even possible.

    The font list comes from the style object within the javascript engine. I strongly suspect that can be disabled either via about:config or the prefs.js file.
    According to Mozilla every javascript command can be disabled.
    Which is explained in some detail in the above link and simplified here.

    I know enough to be pretty sure this is possible while not knowing enough to actually be able to do it myself :p
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    The browser fingerprinters gather entropic data that cannot be modified by anything plugins have access to. Even if you spoofed the user agent, plugin listings, and more, there are still enough critical or non-critical behaviors that browsers have that uniquely identify them. Read more about the specifics here.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Hey Steve, I have a serious question. I'm well aware of what effects trackers and cookies can have on gaining a behavior pattern and, perhaps, an identity. But, after running the browser test linked in this thread, what real danger is there in browser fingerprinting? I'm a bit more reluctant to call anything and everything that "leaks" data, a "threat", than some others here. There are a lot of bad things happening now and coming down the pipe, things that even some of the hardcore privacy members here would blow off. But, maybe it's my lack of knowledge on this particular "threat", but I don't see information from that test that truly poses a risk? As you said, most of it websites have to know in order to work right for you.
     
  8. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    I have to agree with you. How long does someone use the same browser with the same settings anyway? A few months is probably typical. I don't think a browser fingerprint without any other evidence would hold up in any rational court of law, even if the browser could be fingerprinted to be 1 in 10 million.

    Sure, it would be nice if browser fingerprinting could be eliminated, but I don't think the risk is huge to begin with.
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well, I don't think that anyone is trying to claim that the fingerprinting can be or is going to be used in courts against people, as you say, at least not alone. I'm not sure it could prove anything at all, which is why I asked Steve about it. I think this is more about data collectors/trackers/advertisers having another tool to build up profiles. I can't see yet how the fingerprinting would do much good by itself.
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Ah, yes. Sometimes the implications are a little abstract. Browser Fingerprinting means that even if you use a VPN or other anonymous service, if your browser is fingerprintable, you will be pseudonymously identifiable.

    ex: Website says: "You're the guy who was here last week looking up information on 'sexual abuse', and now you logged in to our search site. We'll link that prior search to your login that we sell to advertisers." And by the way, your fingerprint matches a bunch of other interesting online behaviors that are bought up in bulk by data aggregators and clickstream clearinghouses. Then they go to data silos like Lexis Nexis, where perhaps your potential employer, background checker, mortgage underwriter, etc. will be checking to see if you have any known "risky" or "non-prime" behaviors.

    It's a pretty good way of reducing anonymity to pseudonymity or identity.
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    So basically it is really just another tool in the data collector arsenal. I assure you I've read the links, but I'm still missing how knowing my browser version, the fonts on my system and whether I have Java, Flash and the like, can "match" other behaviors. Okay, I'll give a simple example. How can fingerprinting tell someone else that I, for instance, view porn? The test does know I have cookies enabled, and of course those cookies can be read, and so can the referrer if enabled. That of course can lead to a healthy amount of data, and obviously it knows my time zone. But, if you took the cookies, referrer and time zone out, what can it tell about me? Except of course I'm a Windows user using Firefox?
     
  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Browser fingerprints work like crime-scene fingerprints. There may not be a match in the database yet, but if you were ever fingerprinted before using that OS/browser combo, they'll get a match and know it is user JoeSmith. If there is an identity attached to user JoeSmith, they get the identity too. If they share this information with other marketers/data warehouses, everyone gets that information.

    Example:

    Your porn site collects browser fingerprints and shares them with its affiliate marketers. Your porn site also knows you because you are a member, so they have your identity as well, so the two are linked. You clear your cookies and login history etc.

    You visit an affiliate website you've never been to before, and yet they recognize you and your membership and preferences because you've been fingerprinted previously and your fingerprint matches their database.
     
  13. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Sadly you've described a rather common occurrence in the legal system, lol.

    Okay, I actually get what both of you are saying. But, surely I don't have as unique a browser/OS combo as that? I didn't see it in the test, but can security software also be identified as being used on your system in such fingerprints? One last thing, seeing as how the vast majority of people never hide them, and they don't change very often (it could be months)...doesn't the IP address come more into play here than a browser fingerprint? All I have to do is tweak my browser to not allow any cookies and change Javascript settings, and mess the fingerprint up, correct?

    As far as being a member of something, well yeah, that's going to screw the pooch right there. But if you're just a regular surfer with cookies off, and so on, the fingerprint doesn't seem that insidious.
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    The local harlots need StickyNotes to remember their home address, hilarity would ensue if they attempted to use the computer. So I guess my IP is damning..wait, uh, um...I talk too much :ouch: Anyway, lol, I'm not scared enough yet to resort to multiple browser usage daily.
     
  15. RoamMaster

    RoamMaster Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    47
    People asked the same question about Y chromosomes. Yet it proves it in 100% of cases :D
     
  16. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Closing as on the tangent it went.
     