Browser Fingerprinting

Wouldn’t it be better to just petition for a law that makes all this needlessly intrusive shit illegal? When was the last time a terrorist got caught because of browser fingerprint? I did see an app on fdroid a while back which lets you configure your own user agent, you choose what OS the site will see so it doesn’t match your real OS

Tor Browser already spoofs the user agent like this. It is still possible to identify the host OS by other means with JavaScript though.

1 Like

A few months ago a good solution was developed against fingerprinting in the form of a browser extension called JShelter. See here:
https://www.fsf.org/news/fsf-announces-jshelter-browser-add-on-to-combat-threats-from-nonfree-javascript

You can test your browser with and without it on:
coveryourtracks(dot)eff(dot)org

4 Likes

It looks promising. I’m sure it could be incorporated within Tor considering its an addon like https everywhere

1 Like

Hi @raglegumm welcome to the Tor Project forum & thanks for sharing about JShelter.

I’ve just tried it out & I think it could be especially useful for people who are new to the Tor Browser & also provide a helpful insight for those who need to be especially mindful of how their connections are observed by any potential overseers, in situations where the risks are perhaps greater for whatever reason.

As @Nameless suggests perhaps one day JShelter might be integrated into TB?!

1 Like

Tor doesn’t need anything like this, the tb browser fingerprint is already standardized across as many users as possible
JShelter just provides minor defense against fingerprinting, but that may fall short too. For example, two colluding websites can send a user with unique referrer links (happens all the time, like Twitter’s t.co) and then they can see your browser is lying. the eff’s fingerprinting test site really just gives you a false sense of security, because you only need one unspoofed fp vector to be completely unique. Epheremal posted the creepjs link, which is a good example of how invasive js is, and creepjs is meant to unmask lying browser extensions, which is really easy. Another example of js completely nullifying these sort of extensions is TorZillaPrint which has a whole host of fp vectors that JShelter does not cover, and it is even possible to fingerprint users via CSS, which I have yet to see any anti-fp extensions for.

I’m curious how well Tor is able to resist fingerprinting

I think you are underestimating how much work the tb devs actually put into tb. They have gone through almost every single api in the browser that could leak data in any way and applied patches to them. Actually give the tp design doc a read and it’s fascinating how they have mitigated fingerprinting.
After reading the actual JS that many anti-fp addons use, and checking how many fp vectors there are, I’m convinced that Tor is the only sensible fingerprinting defense besides using Windows 10 on Chrome, but then that has webgl / canvas / etc. leaks making it unique among a billion others.

2 Likes

We don’t know because threads run on with nobody being made aware. Its a difficult center to look out from, is our biggest threat going to come from fingerprinting, traffic analysis or some zero day. There are so many points of attack and failure that surely at least one must be unknowingly open, the ability to scrape passwords through exit nodes was unknown until after somebody had already done it.

3 Likes

What part of the ID is your Fingerprint first 8 or last 8? :thinking:

Neither, actually. That post was written when CreepJS still used 8 character identifiers.

1 Like
  1. Why assume that MS Edge is the most widely used browser?
  2. MS Edge will send browsing data to Microsoft and combine it with a unique device ID. Source: https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf Avoid it at all costs.

Probably nobody. There are good reasons it shouldn’t be done and it is certainly unsupported.

Even if you used the most common OS and browser with the most common configuration (not possible; there is no 100% “common” configuration), there are a hundred ways to fingerprint you anyway.

Which adversary are you trying to protect against?

Not that I’m endorsing Brave but something like this is probably good enough for most people who just want to “hide from ad trackers” or something. Of course TB will give you the most protection in this scenario as well, but that’s not what you’re asking.

@iekbwalfahngtdpupz

Using TorBrowser your IP is hidden. With Firefox it isn’t.
Please correct me if I am wrong about this; I’d say, at that point it does not matter anymore, how many people use your configuration.
Once your IP is revealed, you are already identified. The only thing you can still do, is limit the amount of information they collect.

My suggestion:
use LibreWolf

LibreWolf is designed to increase protection against tracking and fingerprinting techniques, while also including a few security improvements. This is achieved through our privacy and security oriented settings and patches. LibreWolf also aims to remove all the telemetry, data collection and annoyances, as well as disabling anti-freedom features like DRM.

I have just recently begun looking into anonymous surfing, fingerprinting etc, and using Tor browser. I have a fresh installation of Tor browser 11.5.2, using default settings. I have now visited amiunique.org to see my browser fingerprint, and to my surprise, Canvas i unique, and an image with vertical stripes is displayed there. When I change security level of Tor browser to “Safer”, it is the same (but everything goes to NA when changed to “Safest”).

For comparison, I have done this check with my customized regular Firefox browser, and Canvas similarity ratio is 3.4% and two rows of text are displayed.

Is there some way to change the Canvas fingerprint and make it less unique in Tor browser? Or is this not an anonymity problem?

2 Likes

canvas is deliberately randomized per execution - i.e every single time you check it, is it RANDOM and this cannot be used to linkify

see here: canvas spoof fingerprinting - click re-run and note that every single time the first and second reads change - i.e per execution (every time the code asks for it)

3 Likes

Hello everyone,

to my surprise My Fingerprint- Am I Unique ? as well as https://coveryourtracks.eff.org/ confirm that Tor browser on my desktop as well as laptop has a unique fingerprint.

I would understand if it was due to information specific to my devices, such as screen size, but even generic information such as user agent, list of fonts, navigator properties, permissions or audio context are very unique, i.e. very low similarity ration or very few web browsers would have the same value.

I have expected that the Tor Browser without any changes would have a very common fingerprint shared with many other users.

Thus, I wonder how is it possible and more importantly, how can I get common generic fingerprint which would not be unique.

Thank you for any suggestions or advice.

It’s suprising that coveryourtracks.eff.org finds you are unique. It tells me I’m not.
For AmIUnique, it’s a known issue that it considers TorBrowser unique, so unique in fact that it thinks you are unique again the 2nd time you come. That’s because TorBrowser randomize some piece of information. It’s unique, but also changing every time, so it’s not actually useful as a fingerprint. It’s hard to tell if amiunique sees something else until that issue is fixed, but the people working on amiunique are working on a new version of their platform which they haven’t open-sourced yet, so we can’t do much about it, yet.

5 Likes

Thank you for response.

I have compared the results from https://coveryourtracks.eff.org/ and the only difference between my desktop and laptop is the screen resolution, which is probably the reason why the fingerprints are unique.

At least I cannot find anything else. Or any another suggestions?

I appreciate that 1200x1600 of my desktop is not a common screen size, but surprisingly 1920x1200 of my laptop is also so uncommon that consequently [my] “browser fingerprint appears to be unique among the 188,439 tested in the past 45 days.”

Therefore, the results of ‘Protecting you from fingerprinting?’ is “Yours browser has a unique fingerprint”.

Lettterboxing (privacy.resistFingerprinting.letterboxing) does not make it any better, but even more unique. It would be great if it was possible to set letterboxing to 1920x1080 which is one of the most common screen resolution, at least on my laptop.

1 Like

sites that give entropy figures are nonsense … let me count the ways

  • very limited datasets
  • data sets are heavily skewed by privacy conscious users (FF is massively over represented for example)
  • data sets are further tainted by repeat visitors
  • data sets are even further tainted by repeat visitors changing settings and repeatedly visiting

Sites that claim to provide entropy figures are absolute snake oil. They may be good to see what is reported, but that’s it. EFF’s cover your tracks had a purpose, to show that fingerprinting was a real threat - they should add disclaimers about their BS figures

Stop making assumptions. Do you understand what and how it is being tested and how it is used to calculate anything?

Comparing tests is a waste of time (well, the entropy figures are nonsense for a start), as the tests and purpose of each test can vary. For example, CYT detects some randomness and can thus return a static value for that test, such as “canvas: random”, but amiunique doesn’t do this, so it will also return a unique result for canvas, and thus an overall unique results

A fingerprint is just a snapshot in time, and can be manipulated after the fact - it is not incumbent on sites to TELL you what is used and what isn’t - and what can be bypassed or discarded in order to linkfy other fingerprints. Always treat fingerprints as snapshopts, that can be fuzzed after the fact.

lets look at this: Global Statistics- Am I Unique ? - last 30 days

  • 36% of users are using Firefox
    • in reality we know that FF is about 3% worldwide share, or 6% on desktop
  • 72% are using requesting en* (english)
    • it’s a shame this is not broken down by locale
    • this is simply not true. We’re talking users/profiles on the internet, not people in the world, so some languages will be under-represented, and a lot of users users do use en-* as their second language. But almost three quarters of internet users being english is a stretch
  • 22% are in timezone UTC0
    • it’s a shame this not broken down by actual timezone name instead of classifying everything as UTC-something
    • again with internet users vs populations this is a bit vague - but 22% of users being in greenwich mean time is bollocks
  • and I could go on

Lets look at some more nonsense (but I get that these sites are using all visitors). On CYT using TB (en-US) for windows

  • userAgent: (FF115 windows 10 64 bit)
    • says 1 in 3.45 browsers have this value
    • reality says FF is 3% (call it 1 in 33) worldwide, windows is 80% (1 in 1.25), and ESR is about 10% (1 in 10), so the real figure is approx 1 in 413
    • you also can’t hide the fact that you’re using TB or your OS, and TB has e.g. 1 million windows daily desktop users, so entropy (as far as we’re concerned) is the barest of buckets (equivalency) is actually zero
  • this one might explain the zero entropy better
    • says my timezone of UTC is entropy 2.35 bits
    • ALL tor browser users report his value, so it’s NIL (for our set)

The way we defeat fingerprinting linkability is to take each metric and reduce the entropy in it in our set (our set being TB users) - and there is are some things you can’t lie about (such as requesting web content in a language - e.g. if you need arabic, then request arabic) or hide (version, os, fonts). So for lack of a better word, we call this equivalency. E.g. if you have windows fonts, that’s equivalency of being on windows (os). Or if you have certain default fonts, that’s equivalency of language), etc. We can randomize if we want (per execution or per session+eTLD+1) but ultimately all randomizing can be detected. So this is not some magic bullet - it only exposes that some sites/scripts are lazy. We assume advanced scripts. So we protect each metric one by one, making it harder and more costly for scripts, until they give up and it becomes prohibitive - but we must balance that with usability and compat

The way to determine how many values a metric may return is to test and collect + analyze the data (e.g. checking for equivalency or other external factors such as device pixel ratio), and then the only way to get any real world entropy is to do a large scale test collecting the data, one per profile (so as to not taint the data set)

  • for example - collect TB115 only fingerprint data: this immediately removes all non-TB noise and e.g. UTC0 = all users = zero entropy (for us) - capisce?

tl;dr: stop comparing different sites’ results, stop using entropy figures from sites

I’m just going to stop here - I’m supposedly to writing this all up for some doc/blog

1 Like

wrong! LBing actually enforces a much smaller subset of inner window sizes (which we use to report outer window, screen + available screen) - without is it, TB users who tile, manually resize, maximize, go full screen, or have inner windows off ±1 pixel (due to rounding issues due to device pixel ratios/system scaling) would create numerous (millions) of different potential sizes

no one cares what the rest of the world is, it only matters what TB users are within our own set

3 Likes

actually, I got that a little mixed up … windows is 80% of desktop, but desktop is just under half of all users … so it’s double that … 1 in 826 - this is rather different from 1 in 3.45

edit: had it right the first time 3% already includes worldwide

1 Like