Using multiple VMs with diverse connectivity, one can sidestep all "Explicitly assigned client-side identifiers" and "Machine-specific characteristics". For evading WebGL, VM OS diversity is essential. It's harder to obscure "User-dependent behaviors and preferences", especially mouse and keyboard stuff. But it helps to switch keyboards, and between using mouse and touchpad.
You could load your browser through Selenium and explicitly choose which plugins to load but I wouldn't call it easy. Definitely not accessible to the average user.
That will set off some fraud detection on sites as there will be mismatch between user agent and the browser being used. You can easily profile the DOM and Javascript features to figure out what browser a person is using.
Plugins are a very small aspect of fingerprinting and there's really nothing you can do to stop it other than build a browser specifically designed to stop it.
Once talked with over a beer with a web performance head of company X, he said that you can use the web performance profile - without looking at any other browser identifiers - to pretty accurately do browser fingerprinting. When you then look additionally at the interaction speed within an webapp you can even profile different users.
But unfortunately, there are so many things that can contribute to identification of your browser, and many of them cannot reasonably be blocked. The important section of the Chromium list is "(2) Machine-specific characteristics". You need most of that, so you can't block or hide it.
Privacy is not easy. Not to mention the situation for non-technical users.
Hidden prefs are hidden for a reason and can be a foot-gun. The warning when opening about:config is no exaggeration, and copying-and-pasting a bunch of hidden prefs from an untrusted source is not a good idea.
For instance:
> user_pref("network.cookie.cookieBehavior", 1);
If I remember correctly, this may break some sites.
> user_pref("dom.battery.enabled", false);
Questionable value for privacy / fingerprinting. If you plug-in your computer or pull the plug (a pretty common scenario), the site trying to identify you will suddenly think you're a different users.
Pointless since 20100101 is already the default used in the user agent string. Makes me think this list is severely outdated or the author doesn't know what he's doing.
> user_pref("browser.newtabpage.enabled", false);
Little impact on privacy (is this about the "somebody opens a new tab in my profile and sees what sites I frequently visit" scenario?), no impact on fingerprinting. The readme says "Impacts on user experience should be minimized, erring on the side of convenience." How does disabling the new tab page satisfy that?
> The warning when opening about:config is no exaggeration
If you feel uncomfortable in that section, feel free to avoid touching it. But if you know what you do, there are zero problems. Want to change your user agent? Do it there. No problems. The warning is for your average non-technical user, justifiably.
Well, perhaps you need to read up on those a little bit again.
> If I remember correctly, this may break some sites.
Sure, everything may break some sites. But this is about blocking third party cookies, which blocks not a single site I know (Do you know a popular one?) while being one of the most effective measures against tracking (which uses fingerprinting) out there.
> Questionable value for privacy / fingerprinting. If you plug-in your computer ...
Sure, agreed for privacy.
> Pointless since 20100101 is already the default used in the user agent string
Yes, since late 2015 only, and keeping a default hardly does any harm. By the way, try outputting `navigator.buildID` in your JavaScript console -- oops, not even this setting helped. The real ID is right there. So it's not as easy as you might think.
> is this about the "stranger opens a new tab in my profile and sees what sites I frequently visit" scenario?
No. If I remember correctly, the "new tab" page is about the ads.
> If you feel uncomfortable in that section, feel free to avoid touching it.
I feel very comfortable touching hidden prefs in Firefox. That's not my point. My point is that random users stumbling upon your github page may not know what they're doing.
> Sure, everything may break some sites. But this is about blocking third party cookies, which blocks not a single site I know (Do you know a popular one?)
> No. If I remember correctly, the "new tab" page is about the ads.
The new tab page displays frequently visited sites. In new profiles without a browsing history, it would also suggest sites, some of which would be "sponsored" (i.e. ads). If I remember correctly, Firefox would pick the ads locally without leaking information about you. So what's the privacy impact? Also, it doesn't even do that anymore: http://arstechnica.com/information-technology/2015/12/firefo...
Right, "1292 days ago". Now that we've just talked about information that is out-of-date.
> Blocking 3rd party cookies breaks surprisingly few things
Agreed. A comment from the post that you linked to.
Disqus being one of the few exceptions that don't work (because it's embedded as a third-party on first-party sites), personally, I can live with that. Everybody has to decide for themselves. If some setting doesn't work, it can simply be undone.
Facebook login, Google login, etc. still work (at least with most implementations), since they redirect to the SSO site, which is what every reasonable site should do, instead of using an iframe/embed.
Good luck finding something that considerably improves your privacy while breaking 0.000% of modern sites.
I'm not blaming you for the fact that disabling third-party cookies may break some sites. The problem is that you provided a long list of preferences privacy-sensitive users allegedly should set, without explaining what these prefs do let alone warning about the possible negative impact.
It is easy not to shoot yourself in the foot if you do not have a gun.
Privacy and convenience are at two ends of a spectrum. Commerce likes to exploit this by making things more "convenient", generally at the cost of privacy. Sadly, the majority of consumers care far more about convenience than the often hidden costs of lack of privacy.
> for example, TCP/IP traffic will often reveal high-resolution system uptime data through TCP timestamps.
Is this something that's on by default? Dependent on OS? Not deeply familiar with the details of the TCP stack, but have never hard of something like this being exposed via TCP requests!
"users who extensively tweak their settings from the defaults may be actually making their browsers considerably easier to uniquely fingerprint"
...interesting comment in section, "User-dependent behaviors and preferences"
Mozilla and Tor devs are currently working on upstreaming some Tor Browser patches[0] that reduce fingerprinting surface. E.g. cookie isolation based the domain shown in the URL bar[1] and making canvas readback opt-in[2]
I really dislike fingerprinting.. I hope someday we find a significant reason (presumably a profitable one) to stop all this creepy shit. How do we make it advantageous for companies (groups/etc) to NOT want to do this? long term I mean.
45 comments
[ 3.0 ms ] story [ 36.6 ms ] threadIsn't canvas fingerprint linked to your window size, if you maximize your browser, does that help?
Qubes isn't designed to blend into all other users; it's designed to make you unlinkable to your other Qubes instances.
A better experiment would be to run the test in two of your Qubes instances. Hopefully they will both be unique.
But granted it may be surprising there was no collision with another HN user.
I'm sure there are various other extensions that do similar things that randomize the parameters of whatever is used to fingerprint you.
[0] https://chrome.google.com/webstore/detail/random-user-agent/...
https://github.com/delight-im/Secure-Firefox
But unfortunately, there are so many things that can contribute to identification of your browser, and many of them cannot reasonably be blocked. The important section of the Chromium list is "(2) Machine-specific characteristics". You need most of that, so you can't block or hide it.
Privacy is not easy. Not to mention the situation for non-technical users.
For instance:
> user_pref("network.cookie.cookieBehavior", 1);
If I remember correctly, this may break some sites.
> user_pref("dom.battery.enabled", false);
Questionable value for privacy / fingerprinting. If you plug-in your computer or pull the plug (a pretty common scenario), the site trying to identify you will suddenly think you're a different users.
> user_pref("general.buildID.override", "20100101");
Pointless since 20100101 is already the default used in the user agent string. Makes me think this list is severely outdated or the author doesn't know what he's doing.
> user_pref("browser.newtabpage.enabled", false);
Little impact on privacy (is this about the "somebody opens a new tab in my profile and sees what sites I frequently visit" scenario?), no impact on fingerprinting. The readme says "Impacts on user experience should be minimized, erring on the side of convenience." How does disabling the new tab page satisfy that?
If you feel uncomfortable in that section, feel free to avoid touching it. But if you know what you do, there are zero problems. Want to change your user agent? Do it there. No problems. The warning is for your average non-technical user, justifiably.
Well, perhaps you need to read up on those a little bit again.
> If I remember correctly, this may break some sites.
Sure, everything may break some sites. But this is about blocking third party cookies, which blocks not a single site I know (Do you know a popular one?) while being one of the most effective measures against tracking (which uses fingerprinting) out there.
> Questionable value for privacy / fingerprinting. If you plug-in your computer ...
Sure, agreed for privacy.
> Pointless since 20100101 is already the default used in the user agent string
Yes, since late 2015 only, and keeping a default hardly does any harm. By the way, try outputting `navigator.buildID` in your JavaScript console -- oops, not even this setting helped. The real ID is right there. So it's not as easy as you might think.
> is this about the "stranger opens a new tab in my profile and sees what sites I frequently visit" scenario?
No. If I remember correctly, the "new tab" page is about the ads.
I feel very comfortable touching hidden prefs in Firefox. That's not my point. My point is that random users stumbling upon your github page may not know what they're doing.
> Sure, everything may break some sites. But this is about blocking third party cookies, which blocks not a single site I know (Do you know a popular one?)
I quickly googled this for you, found this:
https://bugzilla.mozilla.org/show_bug.cgi?id=849948
https://news.ycombinator.com/item?id=5272069
https://getsatisfaction.com/getsatisfaction/topics/bad_user_...
https://planapple.uservoice.com/knowledgebase/articles/50965...
> No. If I remember correctly, the "new tab" page is about the ads.
The new tab page displays frequently visited sites. In new profiles without a browsing history, it would also suggest sites, some of which would be "sponsored" (i.e. ads). If I remember correctly, Firefox would pick the ads locally without leaking information about you. So what's the privacy impact? Also, it doesn't even do that anymore: http://arstechnica.com/information-technology/2015/12/firefo...
Right, "1292 days ago". Now that we've just talked about information that is out-of-date.
> Blocking 3rd party cookies breaks surprisingly few things
Agreed. A comment from the post that you linked to.
Disqus being one of the few exceptions that don't work (because it's embedded as a third-party on first-party sites), personally, I can live with that. Everybody has to decide for themselves. If some setting doesn't work, it can simply be undone.
Just like e.g. Facebook Login and github accounts, right?
> personally, I can live with that. Everybody has to decide for themselves. If some setting doesn't work, it can simply be undone.
Except that the list that you promoted here has no detailed documentation and doesn't put users in the position to make an informed decision.
Good luck finding something that considerably improves your privacy while breaking 0.000% of modern sites.
https://bugzilla.mozilla.org/show_bug.cgi?id=591537
And 2013 for all builds (I happen to have fixed this bug):
https://bugzilla.mozilla.org/show_bug.cgi?id=728773
In current Firefox this is AFAIK whitened exactly to prevent fingerprinting. Disabling it will increase your footprint because it's not the default.
... though it hasn't been recently updated.
We are developing `gngr` in the belief that privacy should be engineered into the browser, not worked around:
https://github.com/UprootLabs/gngr
Offtopic: I am looking for a cross-platform browser written in Go(lang) even though the GUI stuff is just getting started there.
This kind of thinking basically helps powerful people erode the idea that they are not entitled to anybody's personal details.
Privacy is as easy as not shooting yourself in the foot.
You just have to not point the gun at your foot.
Privacy and convenience are at two ends of a spectrum. Commerce likes to exploit this by making things more "convenient", generally at the cost of privacy. Sadly, the majority of consumers care far more about convenience than the often hidden costs of lack of privacy.
It's still a bullshit catchphrase, empty as any buzzword.
> for example, TCP/IP traffic will often reveal high-resolution system uptime data through TCP timestamps.
Is this something that's on by default? Dependent on OS? Not deeply familiar with the details of the TCP stack, but have never hard of something like this being exposed via TCP requests!
http://superuser.com/questions/680200/os-x-how-to-make-it-re...
[0] https://wiki.mozilla.org/Security/Tor_Uplift/Tracking [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1299996 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=967895
Any idea where I can find the most common subset of system fonts?
Internet Tracking Has Moved Beyond Cookies
https://fivethirtyeight.com/features/internet-tracking-has-m...