I got a very similar result with IE. Tor browser pass the test! I was curious to find a relatively simple way to solve this, but I had some problems of compatibility between the Random Agent Spoofer and LastPass and some sites (they are breaking)... So I'll leave that quiet for now... Thanks! I'm trying to find a right balance between privacy and convenience. I really wanted to use Linux and virtual machines, but in addition to playing games on PC, I use RAID (which makes it difficult to install dual-boot, at least for me that I have little experience), SSDs (some distributions are problematic with them), and I use my computer for work (and it has multiple Office documents that are a little broken in LibreOffice, which would require fixes them one by one). So I'm trying to see how to maintain privacy at least decent in a ordinary Windows 10 machine... So, to solve these things, I have installed Random Agent Spoofer, but depending on the settings it breaks LastPass and some sites (Outlook, for example) break some icons. Not to mention that I felt my navigation a bit slower. For now I'll keep things as they were, and soon see what other possible solutions are. What types of sites use this type of tracking? It's something still little used, right? Thanks and sorry for my english!
You can run Linux virtual machines on a W10 host. This is the only way I browse from a Windows host, I never do it from Windows. This clearly requires admin on the W10 box, assuming you have that.
This is the easiest path if you need Windows on hardware, and don't want to dual boot. Linux VMs run well in VirtualBox on Windows hosts. If you want to chain VPNs, I recommend running your VPN clients in pfSense VMs. As noted, if you're compartmentalizing, I recommend using VMs running different distros (e.g., Debian or Lubuntu, ArchBang and Fedora) because they have different WebGL fingerprints. Yosemite Zone is another option. PCBSD works too, but takes forever to boot.
Hello, your English is perfectly fine. Like the others are saying virtualization is a nice thing. You can try out lots of distros without a high risk of breaking something or being stuck. Give it a go sometime, I think you would like it. It‘s fun! Thanks to your post I discovered that the latest firefox update changed a setting that messes up my fingerprint as well! (At least in this test by the EFF). I fixed that. Here is what you can do (and should try, you can reverse the adjustements in no time): Type about:config in your address bar. Look for the line that says Code: intl.accept_languages and right-click on it chosing modify. Type in Code: en-US, en Then look for Code: network.http.accept-encoding.secure and remove the br at the end or make sure it says Code: gzip, deflate I don't know about your UserAgent spoofer so maybe this does not apply for you but you can check anyway. Look for Code: general.useragent.override and modify to Code: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 This is just an example, you can try out another Firefox version and see how it affects the score. You should pass the test now and about one in every thousand browsers should have the same fingerprint as your browser. Of course, that's just according to this test run by the EFF but it is a start. Tell me, if it works!
Thanks, that's the hardcore version. I should try it myself. So far I have done all changes manually.
That link from finnish pyllyukko translates to "OldmansAss". Should we allow such links in wilderssecurity?
Google translate suggests something more suggestive But still, the default language for this forum is English.
Google translate ... LOL ... If you need to translate my mentioned page then you're wrong here because we're already on a english speaking forum.
But I don't see a lot of advantages by doing that. Let me explain my POV: 1) I can't buy more than 1 VPN (Brazil's currency depreciated last year and became very unpleasant buy things in dollars...) and I will loose some part of my internet speed (There are few good VPNs services that has good pings here). 2) If I use Facebook, I only use Facebook: what I mean is that I do a kind of compartmentalization, every site that I know are very aggressive by tracking (google etc) I execute in a sandbox apart from other regular sites. Anyway, I see that using VM is very, very more secure than sandboxes, i just don't know if the effort worth. Using Windows 10 is very discouraging in that sense, it seems that the big brother Microsoft is eyeing me anyway. Do you think the benefit would still be high, even though as a host system running Windows 10 and using just one VPN service? I tested, the last option (general.useragent.override) I could not find, or even something similar to that. And the results were: (I edited the User Agent with a plugin) I think that with my language and time zone it is impossible to achieve this. EDIT: If at every request of my User Agent it appears different, so the fingerprint comes useless? AND: My cookies are deleted when I restart the browser. My E-Tags are spoofed. My User Agent is changed every 10 minutes. My System information is fake too. I did not notice any delay in loading pages or notice any broken site. I think that it is okay, right?
Depending on your settings this might break some pages, because disabled authentication/etag but overall it's okay. But this have nothing much to do with VPN, I'm just saying. Almost all, if not all pages also need javascript to work or detect something, it's like downloading malware and then see what's happen, the best strategy is to simple only work with whitelist and then none of this pages working. For the pages you use daily or need a login RAS does already the job by spoofing the rest. But remember there are things which aren't fakable and the risk is always there, especially on wrong configurations or hardening. I would also recommend to install canvas blocker together with RAS because RAS only have the ability to enable/canvas entirely, but with canvasblocker you can fine control each page. I'm in general very sceptical about such pages because you need to allow them and they collect a lot of information about million users and no one really knows which is behind of such services and what they do with such data. I also not believe that this preventing leaks, as recently again shown.
@ExtremeGamerBR -- Well, it depends on what you're doing, and what you care about. If you have a gaming box, you can easily run VirtualBox VMs. VMs are a great way to learn other OS. A basic setup would be a pfSense router VM running a VPN client, and an Archbang (easy install) VM, which connects through the pfSense VM, as a workstation. For anonymity, you can add the Whonix gateway and workstation VMs. That will give you Tor via VPN. PIA is a decent VPN, it only costs $40 per year, and you can connect five devices simultaneously.
@ExtremeGamerBR I am using Random Agent Spoofer myself on some browsers and I think it is a powerful add-on. You are doing more than the average user already. Like I said before, a low score on Panopticklick can give you a false sense of security. It is just a tool measuring certain browser data with regard to traceability. There are several simulations and then your data is compared to a data-pool consisting of other users‘configurations. You can read about how it is done on their page. There is also information on how to escape tracking & how to minimize your fingerprint. Code: https://panopticlick.eff.org/about There are users like @mirmir, @deBoetie and others who are much more qualified and experienced than myself. If you can afford to take some quiet time then I recommend to start reading one of mirmir‘s guides and try out the VM approach. I do have a few remarks regarding your test results. First of all in your first test run you had javascript disabled, which is a good thing. Now you have it enabled. With javascript enabled you have to take care of a lot more stuff in your browser settings. Back to the languages: I just checked myself, it is better to modify like this (sorry): Code: en-US,en;q=0.5 Your JonDonym test shows that you are accepting third party cookies. You should change that in your browser settings (preferences → privacy → history: use custom settings for history: accept third party cookies: never) Without JS it should be pretty easy to pass the panopticlick test with a few add-ons installed like NoScript and those mentioned in this thread and just the modified language setting plus a different User Agent. http://i.imgur.com/X7m9EmW.png I just wanted to thank you for your detailed guides. I still have to try out the setup with a pfSense router VM, though.
Yes, I had to enable etag to be able to use Outlook without problems. I am using NoScript now. I will install CanvasBlocker later! ip-check.info doesn't need any permission, and it collects all the data without Javascript or anything, really impressive! Thanks! Yes, I will try this soon or later. I already downloaded Archbang and seen some youtube videos about it. Very good! Thanks and I already seen all your IVPN guides, fantastic! Yes, I will let NoScript working here and I finally could see exactly why I'am not passing the Panoptclick test: The problem, like you said, is my language and has no way to pass this test with my language in pt-BR. Ah, and I fixed the cookies problem! Thanks!
Of course it need javascript like all others (okay except the html5 canvas checks), please look at the posted screenshot you will see javascript detection. If you disable it then most of the 'leaks' are obsolete, the rest which is detectable isn't really a security problem because it's meta-data which isn't directly attackable or reveal something which could compromise you. I wouldn't give these tests so much credits, as said it not means anything if it comes to security and this topic is about VPN leaks and this isn't testable because you simply have to trust your provider. Faking something even if you are already behind a VPN also makes no sense because the data are already 'changed' it only would make sense to fake it on login pages and then the question is why you need to spoof/fake something - if you not trust simply not use it. The thing is if you spoof everything then it definitely breaks a lot of things.
Yes, you are right. I understood that you said that you can not run the test without JS. The test runs but collect less information. Thank you!
I agree about much of the Panopticlick stuff. But the canvas and WebGL fingerprints that they show are very real, and are not changed by VPNs. Indeed, browsers in different Debian and Lubuntu VMs on a given host have the same WebGL fingerprint, regardless of how they reach the Internet. Even VPN>Tor>VPN makes no difference.
No they aren't real. It's to play with peoples fear because they not knowing anything about the background! WebRTC is a legit technique, just because ONE page shows that it could reveal the IP doesn't mean automatically every page on earth is now evil too. If you really say webrtc is bad then you also need to say web in general is bad because it uses html5/http and such which is also vulnerable to known attacks, makes no sense. And btw it was and is already fixed in all browsers. Bypassing the VPN is always possible as I said, but then we not need such pages because 0day (or hardware based attacks) is definitely not present on such pages. Yes, a goal is to use the same, that's why you should't touch something because it then makes you more unique which means you'r maybe more under the microscope. Tor uses a pre-defined profile so everyone using Tor or the Browser Bundle using then by default the same, which would makes it impossible to tracking companies to say which guy is behind this, this is good. I would't say it makes no difference if you use Tor/VPN because the meta-data are mostly useless (except if you need to trust pages for e.g. logins/shopping or e-commerce) but there are designed to protect against well know weaknesses of http and other protocols and attacks in general. The question is how an attacker can or want use such data to compromise you, and if they do, then do you not believe that they also check against such pages and others? You simply lower almost everything if you disable such things in general and work with a whitelist instead of workaround with such pages. It's also mentioned directly on these pages that even something is shown it's not automatically bad.
WebRTC isn't such a big deal, because LAN IP addresses are pretty generic. WebGL fingerprinting, on the other hand, is potentially bad. Because it's browser-independent. And VM-independent, on a given host, for all guest OS that use a given graphics driver. That includes Whonix workstation VMs, by the way, if one uses a WebGL-capable browser. On the other hand, it's likely that different hosts with a given GPU will have the same WebGL fingerprints, both on the host and in VMs. But I haven't tested that. Anyway, at least WebGL is easy to block
@ExtremeGamerBR if you wanna have average joe's browser finger print , you need to act like him, be like him. to wit, use everything as is, do not modify anything. but there's a downside to that: you'll have to compromise security and convenience for false sense of anonymity.
I disagree, WebRTC is great because you not need external plugins for e.g. P2P, voice and/or video chats. The benefits are much bigger then the only mentioned concerns. It doesn't matter anyway because in future FF builds (for example) we will get an option to take more control over html5/canvas + the fact everyone already can work with it's permission system. Remember this topic about VPN leaks and not in general about browser fingerprinting. No page I now detect 'leaks' and never will be because this needs special access to the backend, it also not checks encryption or MITM injection they just only showing protocol based fingerprints. And fingerprints are not automatically dangerous or used to real your identify. It's always the developer of the pages or an attacker which possible compromise the security, use whitelist and all is okay. The rest is more about which provider to trust. You can't also check if the provider isn't already compromised if the provider itself not knows anything about that, and this is more dangerous as fingerprints.
