Fingerprinting thread

Previous thread: browserprint.info/
panopticlick.eff.org/
ip-check.info
browserleaks.com/

Fingerprinting is a new way of tracking you across websites, it's not theoretical, it's being done right now by companies like Google.
Because unlike cookie based tracking you can't defeat it just by disabling cookies.
There is currently NO FOOLPROOF DEFENCE against fingerprinting (except quitting the Internet).
Attempts have been made but the technology is just too new.

Google releases limited hangout of how much they know about you:
news.slashdot.org/story/16/06/29/2038257/googles-my-activity-reveals-how-much-it-knows-about-you
>Oh, they're just remembering what YouTube videos I watched, nothing creepy about that, I already knew they were doing it!
>I guess all those people who fear tracking really are just conspiracy theorists!

ReCAPTCHA probably contains fingerprinting code:
archive.is/9K5gs
This means that the majority of Sup Forums users could be being fingerprinted, and Google might know about your shitposting habits.
To fix this you can get a pass (which allows you to be tracked by Sup Forums in a different way), or run Sup Forums with the no JavaScript CAPTCHA (use Sup Forums X to make Sup Forums without JS bearable).
Note: The no JavaScript CAPTCHA is broken for a lot of people.

Daily reminder to do all your Amazon / eBay / LinkedIn / botnet shit in a completely separate browser to your Googling or buying shit.
It's currently the ONLY way to truly defend against fingerprint tracking.
Double points if you have each browser running in a different VM with a different OS.
Triple points if you have each browser's VM configured with a different VPN.
The Tor Browser Bundle is still susceptible to many fingerprinting attacks that can uncover your true OS and browser.
Spoofing your user-agent may work, in the short term, provided you use a different user-agent for EVERY site.
Don't expect this to work forever, it may not even work now.

Other urls found in this thread:

savenetneutrality.eu
a.4cdn.org/b/threads.json
google.com/intl/en/policies/privacy/key-terms/#toc-terms-cookie
usatoday.com/story/tech/2013/09/17/google-cookies-advertising/2823183/
twitter.com/NSFWRedditVideo

>Daily reminder to do all your Amazon / eBay / LinkedIn / botnet shit in a completely separate browser to your Googling or buying shit.
Or better yet, not having an amazon, ebay, LinkedIn, Facebook, etc account at all.

or better yet, throwing your computer out the window.

How hard would it be for Google to do a timing attack on Sup Forums to correlate the captchas being submitted with posts appearing on the boards for the people using the noscript Captcha?

kek

Their recaptcha service gives them a post number and IP for every post made on Sup Forums, and their data is for sale. If you mean how hard would it be for AddThis or some other competitor, nearly impossible since they don't have code running on Sup Forums pages, and some of the necessary steps would constitute industrial espionage.

Probably not that hard if they could work out which board the post was going to first.
Otherwise probably pretty difficult since Sup Forums gets a lot of posts as a whole

The CAPTCHA really gives them the post number?
Have you read the code?

>Their recaptcha service gives them a post number
Sauce?

>Google knows everything I've said about jews and blacks on Sup Forums

And you thought they never replied to your job applications because your resume wasn't impressive enough...

>not using Amazon

Where am I going to buy shit now faggot?

The piece of shit gives me trump videos recommended on youtube just cause of this shithole and Sup Forums, i got gstatic and analytics blocked everywhere else.
Don't underestimate jewgle and the captcha.

savenetneutrality.eu

>again

Try using private browsing mode or clear out cache/cookies. I never get trump videos unless I search for it myself.

Nah, i got firefox set up to to run on ram and delete dom storage after i close it apart from self destructing cookies.
If i go on jewtube after starting firefox i only get the mainstream trash, i only get recommended trump videos after a few hours of shitposting and doing captchas.

Might give this a shot and see if I can make an infographic about it if it works

Strange. I don't get the trump videos, I still get whatever medicore movie hollywood is coming out with, the latest John Oliver shit, and some mainstream shit.

Better hope someone doesn't start a business out of buying google's Sup Forums and online application page data, correlating it, and selling the results to background check services used by employers, or you're pretty boned.

The point of this thread is that fingerprinting methods exist that makes such measures ineffective, and that's a bad thing. We want more people mad about it, so someone who can actually fix this for us might have a reason to.

Click on a few videos non related to trump or Sup Forums, then start looking at the videos to the right that are next in line for playing.
Obviously do this after solving a few captchas and with Sup Forums threads open alongside.

Oh wait. You were talking about the recommended bar next to a video? I thought you were just talking about the frontpage of youtube. Yeah, I get recommended trump videos if I post on Sup Forums but don't search on Sup Forums related stuff on youtube.

yeah that's what i meant, not on the front page
pic related is the one that pops up every time

Could it be that it's detecting embedded youtube videos on Sup Forums and adding those to your profile?

Nah impossible, i go to Sup Forums like once every blue moon and besides i got third party frames blocked on ublock so embedded youtube videos don't even load.
Gstatic on the captcha probably relates Sup Forums to Trump and there's not much else to it.

It wouldn't be hard for them to get given the timestamp in the GET request they receive and this: a.4cdn.org/b/threads.json
Collecting user data is how they make money on all their free shit.

Someone needs to make a better fingerprinting website, in particular combine everything from browserleaks.com along with some of the things browserleaks.com doesn't include into a single page to show how unique you really are. Don't block Javascript? You are very likely unique given the ridiculous amounts of fingerprinting techniques. Block Javascript? How about CSS fingerprinting, have you considered how they can use the @font-face atribute to see what fonts you have (done by checking for fonts and downloading ones you don't have), view the your browser dimensions (which can change based on your screen layout, toolbars, tab orientation), and query your recent history with the CSS visited rule? How about your HTTP headers, have you taken care of those? Then there's TCP/IP fingerprinting, sure you may have taken every measure in the book to reduce your fingerprint (at the cost of your browsing experience being broken in many ways) but how many people in your city with your ISP have done so? Are you unique in that way? They can also determine your real OS with TCP/IP fingerprinting giving them yet another data point if it doesn't correlate with your user agent in your HTTP header. Now what if you use a VPN? Then you're connecting from a static IP address for them to correlate all this to.

It seems like the only real way to stay anonymous when browsing the web given what's possible now days is to at the very least use Tor for everything and for the times you aren't using Tor never connect to any websites that may try to fingerprint you. Any time you aren't doing that you should treat it like walking into a store run by an asshole who masturbates to 1984.

Assuming you aren't running their analytics scripts, their servers still see recaptcha requests for this domain and then youtube from the same IP.

>Someone needs to make a better fingerprinting website
Why don't you? You could put ads on it to pay for it.

>Then there's TCP/IP fingerprinting
The only conceivable method of combating that is running a OpenBSD based firewall box using pf's scrub.

Because I don't have the knowledge and learning all of that for a possibly rather complex first project (leaving plenty of room for me to mess up and not catch it) seem like a bad idea. Plus at the rate I've been getting through my current backlog of projects it'll probably be over a year before I could get to it. Ideally the EFF could just add it to their test.

TCP/IP fingerprinting.
That's... difficult.
Wouldn't it involve writing your own webserver or something?

I think Browserprint intends to implement as many tests as possible.
They seem to add tests every week, unlike other sites like Panopticlick which just use the tests that it had at their creation

Guys... the botnet is real.
Original content

JPG since I forgot to compress it.

Holy shit. I don't even allow cookies for anything Google. Gonna try again with the noscript captcha.

Didn't happen with the noscript captcha, but it also didn't happen again when I tried it with scripts again so maybe it detects that you're trying to mess with it.

Well hopefully that means using Sup Forums with no scripts is better.
Google would have to be pretty desperate to hide their tracking if they actually disabled it when people try to mess with it

Disabling it for 5 minutes each time would be sufficient.

I haven't been able to reproduce the results with 3rd party cookies disabled, sadly.
I'll try again in a couple days.
Even if Google isn't using fingerprinting yet other trackers definitely are, and it's only a matter of time before Google starts doing it too.
Their privacy policy explicitly says they can use non-cookie based tracking
>Other technologies are used for similar purposes as a cookie on other platforms where cookies are not available or applicable
google.com/intl/en/policies/privacy/key-terms/#toc-terms-cookie
And we know they've been experimenting with fingerprinting for a few years now
usatoday.com/story/tech/2013/09/17/google-cookies-advertising/2823183/

The /csg/ people might be interested to know that aliexpress is confirmed for fingerprinting via alicdn.com

Glad to see this thread gaining traction.