How does browser fingerprinting work? How much could a website I visit potentially know about my system (within reason, so no extreme hacking scenarios)? I'm sure they know my monitor resolution (which, as far as I understand, could be spoofed by simply resizing the browser window), my OS, my browser (and version), and whatever info is gathered by coockies and trackers.
Is there more?
Could they know about what Firefox add-ons I have installed? What about my bookmarks? Would they see a difference between a browser with no bookmarks whatsoever, and one with tens of thousands of them?
Browser, browser window size (you're right, it can be spoofed), browser history, cookies, os & version string (potential danger), browser plugins only if they affects the page, keychain and hashed passwords.
Charles White
Serverside script manipulates your Mouse Firmware and literally takes your fingerprint.
Owen Hernandez
>browser plugins only if they affects the page Like they'd know about ad blockers because they can obviously see that certain parts aren't being loaded, but can they detect CSS changes too? What about Greasemonkey? If I use Linkazza (a script that turns all plaintext URLs into clickable links), could they know about me using that script?
>keychain and hashed passwords What do you mean?
Blake Brooks
With JavaScript disabled you barely give away any information, so unless you set your user agent to something unique (e.g. Autism Browser 420) there's not enough information to accurately identify you. When you enable JavaScript however, websites get access to hundreds of different measures through various APIs and many of them (e.g. canvas or audiocontext) give an almost unique fingerprint, which can be made unique by combining it with other information. Luckily nearly all websites today load tracking scripts from a third-party website so just uBlock Origin provides a very good protection.
Jace Lopez
browserleaks.com
Elijah Morris
What I'm worried about the most are: >History (which I don't think is possible without serios blackhat) >Bookmarks (same as above) >Add-ons (which I'm trying to understand exactly how they detect)
If I disable Javascript am I completely protected from the disclosure of info regarding those three points?
>What about Greasemonkey? If you run scripts that make changes to the page, definitely. Otherwise, it shouldn't be possible to detect, but in the past there have been ways to do it. github.com/greasemonkey/greasemonkey/issues/1787
>If I use Linkazza (a script that turns all plaintext URLs into clickable links), could they know about me using that script? Yes.
Ethan James
Also, all of this was assuming the site can run JS. Otherwise it will not be able to do these things.
Camden Lee
sites use javascript and active addons like java, flash, etc. to collect as much data about your computer as possible. any 1 metric by itself is meaningless but when you have a hundred you can start to uniquely identify clients, even with millions of users
all the big sites are investing heavily in it
the simple solution is to disable javascript and addons..but then that's a redflag that you're trying to hide something. that's where spoofing comes in and bla bla you get the idea
Christian Green
It's possible to detect history by the colors of links, but it requires some social engineering. The link color changes are deliberately undetectable to scripts on the page, but you can see the colors, so it's still possible for a clever page to fool you into giving out information about your history.
This sort of social engineering exploit is CSS-based and does not require Javascript.
Benjamin Butler
Also, this is probably not something to be overly concerned about. No site is going to bother to do this except as a demonstration that it's possible.
Colton Martinez
Trying to find that chart that gives you a map that lets you display what data is sent through with no tor, with tor, with a bridge, etc. That's a good example of how it works
Benjamin Roberts
So if I disable Javascipt and other plugins, and never save history, they'll have basically no info about me, right?
Unless I'm the only one to do that, in which case pic related comes into play, but I doubt I'm the only one (and even then, All I have to do, is use the browser with these settings only for things that aren't connected to me personally, while using a more reasonable browser for things I don't care about revealing).
Kayden Ramirez
They still have your IP, and thus your approximate location, unless you browse through Tor or some other proxy.
>Until now, however, the tracking has been limited to a single browser. This constraint made it infeasible to tie, say, the fingerprint left behind by a Firefox browser to the fingerprint from a Chrome or Edge installation running on the same machine. The new technique—outlined in a research paper titled (Cross-)Browser Fingerprinting via OS and Hardware Level Features—not only works across multiple browsers.
>The new technique relies on code that instructs browsers to perform a variety of tasks. Those tasks, in turn, draw on operating-system and hardware resources—including graphics cards, multiple CPU cores, audio cards, and installed fonts—that are slightly different for each computer. For instance, the cross-browser fingerprinting carries out 20 carefully selected tasks that use the WebGL standard for rendering 3D graphics in browsers. In all, 36 new features work independent of a specific browser.
>The new tracking technique relies on JavaScript code that's compact enough to run quickly in the background while visitors are focused on a specific task, such as reading text or viewing video. The researchers have launched this website to demonstrate the techniques and have released the corresponding source code here. In a test that collected 3,615 fingerprints from 1,903 users over a three-month period, the technique was able to successfully identify 99.2 percent of users. By contrast, a single-browser fingerprinting technique dubbed AmIUnique, had a success rate of 90.8 percent.
Sites can tell if you have js enabled or disabled, and if you whitelist certain sites to run js because a majority require it, this will make you distinguishable
Evan Harris
Time to disable JavaScript and only whitelist sites I want to use along with 3rd party scripts being blocked.
Jaxon Ramirez
Refer to
Jose Gray
This is only if the sites I allow JS in, communicate this information to whoever is also recording that I don't have JS enabled in other websites (so that an entity can compile two lists of sites where I allow it and where I don't, and use it somehow to identify me across websites), right?
Carter Ortiz
The best way to hide yourself is to apply the most generic and basic "ways to browse web" for yourself.
So, in a virtual machine run a Windows 8 or 10, with Firefox, with fucking nothing added to protect you like a good plebtron
Or that's my argument, as more and more of these detailed, intricate, snoopers come.
You want to hide yourself in the generic mass don't you?
Noah Young
It essentially creates a cookie that whomever needed to get their hands on it could based on whatever sites you have whitelisted combined with blocked. You have some blocked, some visible which is a way to identify what sites you're on
I don't suggest website owners to do browser fingerprinting of visitors because you may end like me and discover that 20 - 40% of your website traffic have been coming from click fraud botnet for years and there is no way to stop it
Elijah Edwards
Mine hangs at "fingerprinting GPU"
which might be because I do my browsing in a VM or because I have WebGL disabled.
Aiden Hall
I use a script blocker. But I thought things like script blockers make you easier to identify. Because most people aren't running them.
I'm a bit confused on that issue. Regardless I'm not giving up my script blocker.
Justin Kelly
kek, whats your site user?
Christopher Morales
>Mine hangs at "fingerprinting GPU" Yeah, I had to enable 'cloudfare' in my script blocker to make it work (and open a new tab).
Luke Nguyen
I didn't even notice it tried to load more scripts.
Now it just dies with an error message about how my browser doesn't support webGL and a "find out how to enable it here" link. Why they think I'd want to become more fingerprintable idk.
Angel Phillips
It cuts both ways. Imagine if two percent of the people in a city wore a ski mask and dark glasses everywhere. Yeah, most people don't do that and are easily identifiable, so someone in a ski mask stands out. But you can't tell which of the guys in ski masks he is. And if your daily traffic is a million people, it's probably a valuable thing to limit them to saying "Well, he's one of the 20,000 people we get each day in ski masks, but we have no idea beyond that"
That depends on using a fingerprint technique that fingerprints the hardware or the underlying OS. Those techniques can be frustrated just like any other fingerprinting method, and yes, disabling JS kills a whole lot of em at once.
Ryan Cruz
...
Jeremiah Brown
Kek, thank you.
Aiden Hughes
You have nothing to worry about.
William Wood
>ajit pai >pajit ai >Pajeet AI
Adam Jones
How do I hide what fonts I have on my computer? Because that's probably the biggest single identifier.
Luke Myers
Use what all the other W10 or Mac users have installed by default. I would think that is the best way to hide.
Dominic Price
I'm on Debian and have packages depending on stuff like Liberation, Freefont and Noto as well as Japanese fonts.
Also, it's kinda odd that Linux x86_64 only is a 1 in 8.54. That's 12% market share. Well, for the EFF, that is.