Fingerprinting thread

Previous thread: browserprint.info/
panopticlick.eff.org/
ip-check.info
browserleaks.com/

Fingerprinting is a new way of tracking you across websites. It's not theoretical; it's being done right now by companies like Google.
Unlike cookie-based tracking, you can't defeat it just by disabling cookies.
There is currently NO FOOLPROOF DEFENCE against fingerprinting (except quitting the Internet).
Attempts have been made but the technology is just too new.

Google releases limited hangout of how much they know about you:
news.slashdot.org/story/16/06/29/2038257/googles-my-activity-reveals-how-much-it-knows-about-you
>Oh, they're just remembering what YouTube videos I watched, nothing creepy about that, I already knew they were doing it!
>I guess all those people who fear tracking really are just conspiracy theorists!

ReCAPTCHA probably contains fingerprinting code:
archive.is/9K5gs
This means that the majority of Sup Forums users could be being fingerprinted, and Google might know about your shitposting habits.
To fix this you can get a pass (which allows you to be tracked by Sup Forums in a different way), or run Sup Forums with the no JavaScript CAPTCHA (use Sup Forums X to make Sup Forums without JS bearable).
Note: The no JavaScript CAPTCHA is broken for a lot of people.

Daily reminder to do all your Amazon / eBay / LinkedIn / botnet shit in a completely separate browser to your Googling or buying shit.
It's currently the ONLY way to truly defend against fingerprint tracking.
Double points if you have each browser running in a different VM with a different OS.
Triple points if you have each browser's VM configured with a different VPN.
The Tor Browser Bundle is still susceptible to many fingerprinting attacks that can uncover your true OS and browser.
Spoofing your user-agent may work, in the short term, provided you use a different user-agent for EVERY site.
Don't expect this to work forever, it may not even work now.


...

>tfw will never get a job at Google because they know about my trap fetish

Nonsense. Google loves diversity.
You should start looking even gayer porn and animal porn and they'll probably hire you as soon as they find out.
#ProudToBe

Proof that Google was developing fingerprinting technology in 2013
usatoday.com/story/tech/2013/09/17/google-cookies-advertising/2823183/

> or run Sup Forums with the no JavaScript CAPTCHA (use Sup Forums X to make Sup Forums without JS bearable).

just read the Sup Forums X FAQ

> Sup Forums X is not a content blocker, and choosing Force Noscript Captcha does not stop botnet from running

also it's too bloated with crap stuff and bad defaults :(

Well of course you need to block the scripts using NoScript or uMatrix or whatever as well.
If you block all scripts it should work to prevent fingerprinting JS.

>also it's too bloated with crap stuff and bad defaults :(
Yeah it's not great.
You'd probably get used to it after a while though.
Sup Forums's defaults aren't good either, I always need to disable quick reply, it's so annoying.

Oh shit time to clear my cookies again

they hired moot

testing Sup Forums x

Well duh. That first paper came out in 2012.

There are enough HTTP and CSS exploits that disabling javascript on a page isn't enough. Something to sanitize, or preferably randomize your HTTP headers and control the behavior of your CSS rendering would be needed.

I wrote a proof of concept web application to test this works.
Seems for most browsers all fonts are requested from the server every time.
It only works in Opera.

Wait disregard that.
It works in Chrome too.
Just doesn't seem to work in Firefox / IceCat

No wait.
Opera and Chrome do seem to request all fonts, it's just they'll fall back to local fonts if the src for the remote font 404's.
Yeah I have no idea how to get this test to work.
Maybe there's some magic key that I'm missing

Figured out where I was going wrong.
You need to explicitly tell it to look locally for the font before fetching it remotely.
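
The posts above describe CSS-only font detection: a rule that looks for a local font first and only fetches a remote file when it is missing. The following is an added example, not code from the thread, that audits a stylesheet for that pattern; the sample CSS, the function names and the threshold of 3 are assumptions made for illustration.

```javascript
// A font probe is an @font-face rule whose src lists local("X") before a remote
// url(): the URL is fetched only when X is not installed, so the server learns
// the installed fonts from which requests arrive.

// Constructed sample stylesheet: three probe rules and one ordinary web font.
const SAMPLE_CSS = `
@font-face { font-family: p1; src: local("Arial"), url("/probe/arial.woff"); }
@font-face { font-family: p2; src: local("Calibri"), url("/probe/calibri.woff"); }
@font-face { font-family: p3; src: local(Ubuntu Mono), url(/probe/ubuntu-mono.woff); }
@font-face { font-family: Body; src: url("/fonts/body.woff2"); }
`;

// Return one record per @font-face rule that has local() followed by url().
function findFontProbes(cssText) {
  const probes = [];
  const ruleRe = /@font-face\s*\{([^}]*)\}/gi;
  let m;
  while ((m = ruleRe.exec(cssText)) !== null) {
    const srcMatch = /(?:^|;)\s*src\s*:\s*([^;]+)/i.exec(m[1]);
    if (!srcMatch) continue;
    const src = srcMatch[1];
    const local = /local\(\s*["']?([^"')]+?)["']?\s*\)/i.exec(src);
    const remote = /url\(\s*["']?([^"')]+?)["']?\s*\)/i.exec(src);
    if (local && remote && local.index < remote.index) {
      probes.push({ localFont: local[1], fallbackUrl: remote[1] });
    }
  }
  return probes;
}

// One local()+url() rule is normal web-font usage. Several rules, each naming a
// different local font with its own fallback URL, is the probing pattern.
function looksLikeFontProbing(cssText, threshold = 3) {
  const probes = findFontProbes(cssText);
  const fonts = new Set(probes.map(p => p.localFont.toLowerCase()));
  const urls = new Set(probes.map(p => p.fallbackUrl));
  return fonts.size >= threshold && urls.size === fonts.size;
}

console.log(findFontProbes(SAMPLE_CSS), looksLikeFontProbing(SAMPLE_CSS));
```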

Did this have something to do with footprint just curious

Nah it was just a bump to get the thread started.

>CSS exploits
For the @font-face one that can check what fonts you have installed just set gfx.downloadable_fonts.enabled to false in your about:config. Only other one that I've seen on these fingerprinting demos determines your screen size but I'm not sure if the server can get that info without javascript or adding it to a link that your browser would send to the server (which could be eliminated by using an addon like Clean Links). Also, if you're still worried you can use an addon like uMatrix and disable CSS. The noscript captcha in Sup Forums X runs fine without it. Beyond that HTTP headers offer next to no variation to identify you based off of compared to the massive amount of potential identifiers they can get from all the javascript fingerprinting techniques or the @font-face CSS technique. You seem to have a rather defeatist attitude.

Yes screen size can be detected using only CSS.
Browserprint does this as one of its screen size tests.
And Clean Links doesn't strip out jsessionid from URLs, which can be used in the same way as a session cookie.

Potentially you could do the char sizes fingerprint test using CSS only too.
But that feels a little pointless, like the screen size one, since zooming in completely changes the results and there's no obvious way to reverse this that isn't blocked by browsers like TBB.

I can't imagine screen size really being a big give-away to your identity, right?
Inform me, anons.

Who?

It's not, mostly.
But you combine it with other features to get a really identifying fingerprint.
Some older browsers will return the screen size of all your monitors added together, which can be very identifiable though.
For instance I've got 3 monitors and an old version of Opera reports my screen size as 3600x1848, which is probably unique on the internet.

It depends on the screen you use.

>>Daily reminder to do all your Amazon / eBay / LinkedIn / botnet shit in a completely separate browser to your Googling or buying shit.
>It's currently the ONLY way to truly defend against fingerprint tracking.
>Double points if you have each browser running in a different VM with a different OS.
>Triple points if you have each browser's VM configured with a different VPN.

Well fuck. That's like Qubes OS tier levels of tinfoil. Making each browser run separate, and isolated from each other...

>Google releases limited hangout of how much they know about you:
>have to log in to google account to view it
nice try OP :^)

bump for autism awareness

Yall niggas should look up Canvas Fingerprinting.
This is the most evil shit. You'd be surprised how many websites use it.

Here's another website if you want to add
browserspy.dk

It's not a single one-click test but can still show quite a bit about what information your browser is giving away.

github.com/kkapsner/CanvasBlocker/

addons.mozilla.org/en-US/firefox/addon/canvasblocker/

is torbrowser the only one worth using

The Tor browser is still susceptible to a bunch of attacks.
They can detect your real OS (TBB pretends to be Windows).
They can use audio context fingerprinting.
And you can detect the version of TBB that's being used, which is rather telling considering they release a new version every other fucking day

> Triple points if you have each browser's VM configured with a different VPN
Are you kidding me? Changing your IP should be the first thing to consider.
Sure, Google can't identify you just by the IP, but you don't even know how deep this rabbithole goes.
Not only the operating systems (Mac/Win, install Gentoo btw :P) are full of spyware, the browsers themselves are just like a large API to track individual users.
JavaScript/Flash and whatever add more possibilities and every browser update can (maybe unintentionally) allow new "footprinting" methods.
There are even backdoors in encrypted SSDs, BIOS and even in the CPUs.
Just don't think you can flee the system that easily.

Great way to mix advertising profiles.
Everybody who goes to the same school / stays in the same dorm / uses the same ISP will have their profiles mixed because they share IPs

>not sure if serious or just bait

Exactly, the larger the number of users per IP, the better you can hide in their shadows.
But as I said, the IP is just a very small part of the footprint.

god damnit

This has a problem in that generally you set your IP address and then use that for everything for a time before switching (VPNs route ALL your traffic through the VPN).
For this to be effective you would have to change your IP address every time you wanted to take a break from shitposting on Sup Forums to check your facebook and vice versa.
That's an even bigger pain in the ass than using multiple isolated browsers.

Hahaha, wow, you're a degenerate

yea, well I got my dog dick pipe, you judgmental faggot.

redditard thinking he spotted a newfag, you just spotted yourself.

Laughing my ass off.
Why the fuck would anybody want to smoke from a dog's dick?
Even a human dick is fucked up

reasons that may lead to more dangerous reasons.

Fucking canadians...

He wanted to finally be able to smoke cock. And you know how furfags are.

Interesting finding.
NoScript seems to block CSS font fingerprinting if scripts are disabled, despite it not relying on any JS.

>There is currently NO FOOLPROOF DEFENCE against fingerprinting (except quitting the Internet).
>Attempts have been made but the technology is just too new.
bullshit. you need to disable JS, clear all your cookies from time to time, blacklist some domain names, and enable "click-to-play" to stop flash files being run automatically

Foolproof defence for people who want to use the 90% of the internet that requires JS.
You can't expect normies to make such a big sacrifice.
Besides, it's pretty likely that while you've got an ad blocker installed you immediately start enabling scripts if a website doesn't work

>You can't expect normies to make such a big sacrifice.
They don't even care about removing Gapps from their phone and using non Google shit to keep the information on everything they do from being collected. The people who won't make changes will likely never change, will slowly become more accepting of any invasion of privacy they did have a slight problem with, and will come to terms with how they are just a whore selling themselves for what they consider to be convenient. The people who do care will enter the downward spiral and slowly become like the countless others considered to be extremely paranoid by the general populace.

>panopticlick now requires you to enable their javascript to work

>adelaide uni
fug the botnet is following me

So how is this supposed to work?

I installed it but panopticlick says I'm still unique.

Oh I got it, I set it to block everything and now the fingerprinting is blocked.

Kinda gay EFF wants me to unblock 3rd parties that "promise" to honor Do Not Track though.

????

Yeah.
I have no idea why they remade Panopticlick.

Hello where do I buy wife please?

how much does your pic cost?

testing by replying to your test

Any ideas how to get CanvasBlocker working with Pale Moon?

Addons site won't allow it (says it's an old version of firefox) and the browser won't let me install the xpi.

Can somebody make ff extension to constantly randomise user agent, like show as firefox but constantly change versions and shit, or change google cookies every 5-10 seconds

I'm told uMatrix has user-agent randomisation functionality.
What you really want is an extension that gives you a different user-agent for every domain you visit.
AFAIK the only extension that can do that is UAControl, but... it doesn't generate domain / user-agent mappings automatically, you need to do it by fucking hand.
These threads have been making me think about writing a few extensions but I don't have a clue where to start.
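
One way to generate the domain / user-agent mapping automatically instead of by hand, as an added example that is not from the thread or from any extension named in it. Assumptions: the `UA_POOL` strings are constructed, `siteKey` approximates a site by its last two hostname labels, Node's `crypto` supplies the HMAC (an extension would use WebCrypto), and headers use the `{name, value}` array shape of `webRequest.onBeforeSendHeaders`.

```javascript
const crypto = require("crypto");

// Constructed pool of user-agent strings; a real pool needs current, common values.
const UA_POOL = [
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0",
  "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0",
  "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0",
];

// Simplification: treat the last two labels as the site, so www.example.com and
// example.com share one identity. A full version would use the Public Suffix List.
function siteKey(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Keyed, deterministic choice: the same site always sees the same user-agent,
// different sites are spread over the pool, and nothing has to be stored or
// configured per domain. The secret is generated once per browser profile.
function userAgentFor(hostname, secret, pool = UA_POOL) {
  const mac = crypto.createHmac("sha256", secret).update(siteKey(hostname)).digest();
  return pool[mac.readUInt32BE(0) % pool.length];
}

// Replace the User-Agent header of one outgoing request, leaving the rest alone.
function rewriteHeaders(url, requestHeaders, secret) {
  const ua = userAgentFor(new URL(url).hostname, secret);
  return requestHeaders.map(h =>
    h.name.toLowerCase() === "user-agent" ? { name: h.name, value: ua } : h);
}

// Constructed request, rewritten with a throwaway secret.
const demoSecret = crypto.randomBytes(32);
console.log(rewriteHeaders("https://www.example.com/page", [
  { name: "User-Agent", value: "real browser string" },
  { name: "Accept", value: "text/html" },
], demoSecret));
```

Rewriting the header does not change what page scripts read from `navigator.userAgent`, so with JavaScript enabled the mismatch is itself observable.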

dephormation.org.uk/index.php?page=81

?

I guess eventually most people will have DNT enabled so might as well set it.

Stop playing around with your meme browser and install Firefox.

This is the current documentation for creating add-ons
developer.mozilla.org/en-US/Add-ons/SDK

I assume this might be more relevant since Mozilla intends to replace their old APIs with WebExtensions
developer.mozilla.org/en-US/Add-ons/WebExtensions

Maybe you can get some others from Sup Forums to help out although my guess is that after we get the logo done and a github account set up the project will die.

Oh... I also forgot to add that the new WebExtensions API probably will make some things impossible to change since it'll have less privileges than the current API. Thanks a lot, Google.

Seriously though, no memes here

I like Pale Moon because it has less bloat than firefox, no telemetry/health report, no "social", better defaults for security in about:config, and I like the UI better.

I'll make it work in Pale Moon.

If you have flash installed, edit your mms.cfg file to get rid of system font detection for Flash. It really brings your uniqueness down.

C:\Windows\SysWOW64\Macromed\Flash

Add DisableDeviceFontEnumeration=1 in Flash's mms.cfg file