Browser Fingerprinting

Hi,

I've been using Tor Browser for a long time and really like it, but for some things I don’t use it, because it is not fast enough and I don’t want to “steal” bandwidth from others, for example for watching videos. I am a bit into fingerprinting protection, and couldn’t find a good solution to resist fingerprinting while not using Tor. Since fingerprinting protection is an essential part of Tor Browser, I assume that some people here are knowledgeable in that area and can give some advice. There are a few solutions I have in mind, all of which I would use in combination with a VPN, but I am not really convinced by any of them, especially lacking bigger real-world studies with advanced fingerprinting techniques.

  • Just use the most widely used OS and browser (Windows 10 and MS Edge) without modifications and hope that there are enough people with the same device, OS, browser, drivers, libraries (fonts etc), language, timezone, settings and extensions. I wouldn’t change settings or install extensions in this case, just delete browser data after use.
  • Use Tor Browser without Tor (it is easily modified by placing two config files into the Tor Browser folder, with just a few lines of code). But how many people do this? If only a few do this, I could be tracked, because of the lacking exit node IP, even though my browser fingerprint would be in the Tor users crowd.
  • Use Brave browser with fingerprinting and tracking protection in strict mode. Not sure how good their fingerprinting and tracking protection is tbh. They definitely lack some things, like fonts, language and timezone protection; for others I don’t know how well they are implemented. The pro of this solution is that I have to change only two browser settings, and I guess that a lot of people set them to strict anyway.
  • Use Firefox Release with arkenfox user.js (has FPI and RFP enabled) and uBlock Origin in medium mode. Has really good settings and blocking capabilities, but even though it is the most popular user.js, the absolute number of people using it is not that high (I assume), and a lot of people will modify it or install different extensions, so I will be in a small group.
  • Use Firefox with some other configuration (e.g. only change to ETP and RFP). Again the problem, how many people will use this configuration?

So the question comes down to:

  1. How much of trackers/fingerprinting scripts come through, in case of using an ad/tracker blocker?
  2. Which features can then be exploited and how much information can be gained from it?
  3. Is the information shared with 3rd parties to establish cross-site linkability?
  4. How many other browsers share the same information exploited under 2. and how persistent are these features over time?

What would you recommend?

Best regards

2 Likes

Brave apparently gives a random fake fingerprint for every site. How come Tor doesn’t have this option? I know it wants everyone to look the same but if the way we are all viewed is spoofed anyway it would be irrelevant as they wouldn’t truly have our fingerprint ID.

The Tor Browser design document has stuff on why: The Design and Implementation of the Tor Browser [DRAFT]

3 Likes

I’m curious how well Tor is able to resist fingerprinting. What ID do you get on this site?
https://abrahamjuliot.github.io/creepjs/

I run Tor Browser 11.0 on Linux Mint with the Security Level on Safer. My fingerprint is 483f464b and I signed it like this so it is easier to recognize for myself: Tor Browser on Linux Mint. Unique phrase: thee-trouble-recognize

It would be interesting if you people could do this little experiment and reply with the fingerprint ID you get. Should the fingerprints all be different, we might be able to find out where they are different, to suggest improvements to Tor Browser’s fingerprinting resistance. But either way, I think it would be interesting.

1 Like

I got 9799722b and I also run Tor Browser on Linux Mint.

Since the website is telling me that I already visited 7 times and the first time over a month ago, I doubt it is able to do much. Apart from guessing Linux and Firefox correctly, none of the other information I can see on this site about my computer is correct (timezone, screen, CPUs, GPU etc).

1 Like

Wouldn’t it be better to just petition for a law that makes all this needlessly intrusive shit illegal? When was the last time a terrorist got caught because of a browser fingerprint? I did see an app on F-Droid a while back which lets you configure your own user agent: you choose what OS the site will see so it doesn’t match your real OS.

Tor Browser already spoofs the user agent like this. It is still possible to identify the host OS by other means with JavaScript though.

1 Like

A few months ago a good solution was developed against fingerprinting in the form of a browser extension called JShelter. See here:
https://www.fsf.org/news/fsf-announces-jshelter-browser-add-on-to-combat-threats-from-nonfree-javascript

You can test your browser with and without it on:
coveryourtracks(dot)eff(dot)org

4 Likes

It looks promising. I’m sure it could be incorporated within Tor considering it’s an add-on like HTTPS Everywhere.

1 Like

Hi @raglegumm welcome to the Tor Project forum & thanks for sharing about JShelter.

I’ve just tried it out & I think it could be especially useful for people who are new to the Tor Browser & also provide a helpful insight for those who need to be especially mindful of how their connections are observed by any potential overseers, in situations where the risks are perhaps greater for whatever reason.

As @Nameless suggests perhaps one day JShelter might be integrated into TB?!

1 Like

Tor doesn’t need anything like this; the TB browser fingerprint is already standardized across as many users as possible.
JShelter just provides minor defense against fingerprinting, but that may fall short too. For example, two colluding websites can send a user with unique referrer links (happens all the time, like Twitter’s t.co) and then they can see your browser is lying. The EFF’s fingerprinting test site really just gives you a false sense of security, because you only need one unspoofed fp vector to be completely unique. Epheremal posted the creepjs link, which is a good example of how invasive JS is, and creepjs is meant to unmask lying browser extensions, which is really easy. Another example of JS completely nullifying these sorts of extensions is TorZillaPrint, which has a whole host of fp vectors that JShelter does not cover, and it is even possible to fingerprint users via CSS, which I have yet to see any anti-fp extensions for.

> I’m curious how well Tor is able to resist fingerprinting

I think you are underestimating how much work the TB devs actually put into TB. They have gone through almost every single API in the browser that could leak data in any way and applied patches to them. Actually give the tp design doc a read and it’s fascinating how they have mitigated fingerprinting.
After reading the actual JS that many anti-fp add-ons use, and checking how many fp vectors there are, I’m convinced that Tor is the only sensible fingerprinting defense besides using Windows 10 on Chrome, but then that has WebGL / canvas / etc. leaks making it unique among a billion others.

1 Like
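
An added illustration, not part of any post in this thread, of the point above that one unspoofed vector is enough to make a browser unique even when every other value is standardized. It computes anonymity-set sizes and surprisal in bits, the same kind of figure test sites such as Cover Your Tracks report. The population, attribute names and values are all constructed.

```javascript
// Constructed sample population. Visitors a-f report uniform values for
// userAgent, timezone and screen; "fonts" stands for one unspoofed vector.
const population = [
  { id: "a", userAgent: "UA-uniform", timezone: "UTC", screen: "1000x900", fonts: "set-1" },
  { id: "b", userAgent: "UA-uniform", timezone: "UTC", screen: "1000x900", fonts: "set-1" },
  { id: "c", userAgent: "UA-uniform", timezone: "UTC", screen: "1000x900", fonts: "set-1" },
  { id: "d", userAgent: "UA-uniform", timezone: "UTC", screen: "1000x900", fonts: "set-2" },
  { id: "e", userAgent: "UA-uniform", timezone: "UTC", screen: "1000x900", fonts: "set-2" },
  { id: "f", userAgent: "UA-uniform", timezone: "UTC", screen: "1000x900", fonts: "set-3" },
  { id: "g", userAgent: "UA-other", timezone: "Europe/Berlin", screen: "1920x1080", fonts: "set-1" },
  { id: "h", userAgent: "UA-other", timezone: "Europe/Berlin", screen: "1920x1080", fonts: "set-4" },
];
const STANDARDIZED = ["userAgent", "timezone", "screen"];

// Stable key for the chosen attributes of one record.
const keyOf = (record, attrs) => JSON.stringify(attrs.map((a) => record[a]));

// Group visitor ids by identical values on the chosen attributes.
function anonymitySets(pop, attrs) {
  const sets = new Map();
  for (const r of pop) {
    const k = keyOf(r, attrs);
    if (!sets.has(k)) sets.set(k, []);
    sets.get(k).push(r.id);
  }
  return sets;
}

// How many visitors are indistinguishable from `id` on these attributes.
function setSizeFor(pop, attrs, id) {
  const target = pop.find((r) => r.id === id);
  if (!target) throw new Error(`unknown visitor ${id}`);
  return anonymitySets(pop, attrs).get(keyOf(target, attrs)).length;
}

// Identifying information in bits: -log2(share of population in the set).
const surprisalBits = (pop, attrs, id) =>
  -Math.log2(setSizeFor(pop, attrs, id) / pop.length);

// Visitors whose anonymity set has exactly one member.
const uniqueVisitors = (pop, attrs) =>
  [...anonymitySets(pop, attrs).values()].filter((s) => s.length === 1).map((s) => s[0]);

for (const attrs of [STANDARDIZED, [...STANDARDIZED, "fonts"]]) {
  console.log(attrs.join("+"), "-> set size for f:", setSizeFor(population, attrs, "f"),
    "bits:", surprisalBits(population, attrs, "f").toFixed(2),
    "unique:", uniqueVisitors(population, attrs).join(",") || "none");
}
```
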

We don’t know because threads run on with nobody being made aware. It’s a difficult center to look out from: is our biggest threat going to come from fingerprinting, traffic analysis or some zero day? There are so many points of attack and failure that surely at least one must be unknowingly open; the ability to scrape passwords through exit nodes was unknown until after somebody had already done it.

2 Likes

What part of the ID is your fingerprint, the first 8 or the last 8? 🤔

Neither, actually. That post was written when CreepJS still used 8 character identifiers.

1 Like

  1. Why assume that MS Edge is the most widely used browser?
  2. MS Edge will send browsing data to Microsoft and combine it with a unique device ID. Source: https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf Avoid it at all costs.

Probably nobody. There are good reasons it shouldn’t be done and it is certainly unsupported.

Even if you used the most common OS and browser with the most common configuration (not possible; there is no 100% “common” configuration), there are a hundred ways to fingerprint you anyway.

Which adversary are you trying to protect against?

Not that I’m endorsing Brave but something like this is probably good enough for most people who just want to “hide from ad trackers” or something. Of course TB will give you the most protection in this scenario as well, but that’s not what you’re asking.

@iekbwalfahngtdpupz

Using Tor Browser, your IP is hidden. With Firefox it isn’t.
Please correct me if I am wrong about this; I’d say at that point it does not matter anymore how many people use your configuration.
Once your IP is revealed, you are already identified. The only thing you can still do is limit the amount of information they collect.

My suggestion:
use LibreWolf

LibreWolf is designed to increase protection against tracking and fingerprinting techniques, while also including a few security improvements. This is achieved through our privacy and security oriented settings and patches. LibreWolf also aims to remove all the telemetry, data collection and annoyances, as well as disabling anti-freedom features like DRM.