257 comments

[ 3.8 ms ] story [ 242 ms ] thread
Apparently. I am not logged into anything. I tried it on Opera (along with the internal ad blocker) and I'm not using Privacy Badger.
This only works of you have third party cookies turned on. I'm not sure about Opera, but I'm pretty sure Firefox has them off by default.
Firefox has third party cookies enabled by default, PLUS they hide the setting so you have to search for it to disable it.

I'm 100% sure that they designed it that way to please Google. The pull requests to change it were ignored. And then they claim to be your partner in keeping your privacy.

AFAIK only Safari has 3rd party cookies disabled by default. There are only very few sites that require 3rd party cookies. I use none of them.

Sorry I was wrong about Firefox, I must have reconfigured mine and forgotten about it. My point was that Privacy Badger alone won't prevent this attack, you have to disable 3rd party cookies.
I'm 100% sure that they designed it that way to please Google.

And why would that be, if their deal with Google ended in 2014?

> AFAIK only Safari has 3rd party cookies disabled by default.

Safari's "3rd party cookies disabled" behavior is not the same as the Firefox one. Firefox's blocks third-party cookies (though it's hard to tell whether it just blocks _setting_ or also blocks _sending). Safari does something where they send the in some cases, but I'm having a hard time determining which cases, possibly because they've changed behavior a few times. At one point they blocked third-party cookies, _unless_ the third-party site has previously been visited as a first-party site. What this meant in practice is that Safari wouldn't block third-party cookies for things like Facebook or Google that you probably have visited as a first party.

At this point they _may_ be doing double-keying of cookies instead (top domain and third-party domain as key, not just the third-party domain). As I said, it's a bit hard to tell from the documentation out there, which is conflicting and contradictory, and I have no time right now to go read the source. And even then they might only be doing double-keying in the "never visited as first party" case...

The point of all of which is, "blocking third party cookies" is not a well-defined thing and different browsers mean quite different things, with different web compat impact and site breakage, when they say they do it.

Keep in mind that it doesn't show up the icons at all if you're using a content blocker and activated Fanboy’s Annoyance List.

This is because the critical resource is named "/socialmedia-leak/socialmedia-leak.js".

Thanks. I just enabled Fanboy’s Annoyance List in ublock origin. I've haven't spent any time digging through that filter list, but I'm now interested. Any other recommendations or resources?
Personally I went with EasyList and local EasyList against ads, Fanboy’s Annoyance and Anti-ThirdpartySocial because social media integrations generally annoy me. EasyPrivacy and Fanboy’s Enhanced Tracking List‎ for privacy as well as the Adblock Warning Removal List‎ and this cool thing against the EU cookie failure: https://raw.githubusercontent.com/r4vi/block-the-eu-cookie-s...

It's not very complete, though.

Why does it generally annoy you?
If I want to share content on a social platform I just copy the link and post it wherever I like. I don't need slow, endless lists of tiny buttons to nudge me into something.
Renamed it. Does it make any difference?
The blocked string is "socialmedia-"; filename is fine, folder name is still triggering the script being blocked.
Yes, this needs to be made clear: Fanboy Annoyance won't protect you from Social Media Fingerprinting, it just prevents the proof of concept on that one site from working properly.

Disabling 3rd-party cookies in your browser is what protects people against Social Media Fingerprinting.

I always advise to disable 3rd-party cookies -- unfortunately this is not enabled by default in browsers. Even without this Social Media Fingerprinting issue, anyone looking at cookie payload (which also include local and session storage) on common top sites will be horrified at the result of not blocking 3rd-party cookies.

I found it's quite rare to find a site broken because 3rd-party cookies are blocked.

Very good demonstration thank you.

Some interesting (an unethical) potential marketing opportunities here. For example, at the bottom of articles only show share actions for social platforms they are logged into.

Not logged in != doesn't have an account
For sure, but logged in == does have an account.
Sure, but if you identify they are logged into FB and Reddit, maybe only show those two options. If you can't determine they are logged into any service show them all.
Maybe you just use it for prioritization. For example, if they are logged into Reddit and Twitter: show buttons for Reddit and Twitter, then just have a more button that opens a dialog with other supported services.
Why is showing only pertinent share options unethical? Or is it the cross-site circumvention that you found unethical?
Ethics are subjective, some people may find the fact you're identifying what websites the user is logged into creatively in this way unethical as it divulges what services the user uses without them necessarily consenting/realising you have access to this information.
So, in one case you get a list of 10 share buttons, in another you get a list of 5 that you're logged in to already. The information doesn't leave your machine, it's your browser that discovers it and the information is presented to you - what in particular is your take in the ethical problem here? To me that's like a program arranging your contacts by order of use without explicit requesting permission to do so. The page is already causing your browser to request lots of URLs that you didn't explicitly allow.
So, loading favicon.ico via a redirect-type parameter:

    <img onload="alert('logged in to fb')" onerror="alert('not logged in to fb')" src="https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Ffavicon.ico">
Nice, so now by using this I have an NSFW site logged in my workplace's DNS log. Be careful if your employer checks such things.
The one time I don't check the comments before reading the story...
huh. I didn't think of that.. that's kinda harsh.
Yep I also clicked first. It might need an "NSFW" tag in the title to warn other users. (Let's see how long it takes for Corporate IT to come yell at us)
I get blocking it but I have to wonder about departments run like that. Do they really have nothing better to do?
It's the "see and be seen" method of working.

Nobody knows you exist because everything is working? Better go yell at somebody.

Everybody thinks you aren't working because something is broken? Better go yell at somebody.

Well, on the bright side I'll be able to see if our IT guy actually logs this stuff.

It'll be fun explaining it.

DNS prefetch makes those logs fairly useless - fortunately or unfortunately depending.
Share the link with your colleagues for extra fun.
Sorry, didn't think about that. Added a hint in the title.
If you had done your job instead of reading HN, there would be no problem!
100+ days old account, love it!
well, the name is fitting indeed
On the other hand, let's keep the novelty accounts to reddit (even there they are annoying though).
Made the same mistake. "Maybe NSFW" isn't really clear – "makes a request to YouPorn" is probably more fitting.
Yeah, I thought "Well I only log on to corporate email and HN on this computer, so it's not going to drag up anything scandalous."

Our IT department LOVES complaining about users using the network inappropriately, so I can look forward to a discussion with HR about this. I guess I should have checked the comments first.

If your workplace is creating any trouble for you because of a few unique hits to NSFW websites, better reevaluate where you work.
Without the constant social pressure to mark content, this 'Few unique hits' would become a pattern of behavior.

The system is working. Let it do its job.

Use a VPN like the rest of the savvy slackers.
Yes. If you do anything remotely personal on a work computer, use a VPN or some other type of encrypted tunnel (an SSH SOCKS tunnel + FoxyProxy makes a good poor man's VPN, and can usually be configured to allow seamless integration with internal resources going over the LAN and external going over the tunnel).
I'm more likely to get in trouble for creating a VPN than I would be for accidentally sending a DNS request to YouPorn. Our IT department is insane about data security, and running traffic through another VPN will cause them to drop everything to harass you for as long as it takes you to prove that you weren't leaking sensitive information.
Sounds like you need to just browse on your phone, then. And if that's not an option, you should probably just not browse at work.
(comment deleted)
This 'fingerprint' changes as you login in and log out of various services, so it's not very reliable for uniquely identifying users. Regardless, it could still be used to profile you and then target content accordingly. For example, if you're logged into Hacker News, you're probably a programmer and you're probably more interested in an ad for web hosting than wedding dresses and visa versa for Pinterest.
I have uBlock Origin in 3rd party deny mode and privacy badger and it still detects me as logged in to HN, Reddit, Slack and Stack Overflow.

EDIT: Following diegorbaquero's advice[0] solved it

0: https://news.ycombinator.com/item?id=12692485

I had that and enabled the "Fanboy Annoyance list" in uBlock Origin and now it says I'm on none of the platforms.
Keep in mind that this is an accidental fix due to a suboptimal naming choice by the website author.

A better solution would be to disable third-party cookies in your browser settings.

Sending the do not track request generally increases the ability to fingerprint you, as adversaries tend to ignore its purpose anyway.

In Chrome: Settings > Privacy > Content Settings > Tick 'Block third-party cookies and site data'

Also set 'Send a "Do Not Track" request with your browsing traffic'

And install uBlock Origin, ofc.

At a minimum, though, please block third-party cookies and site data.

I have pretty minimal customizations and plugins on browsers—very few plugins, no ad-blocking, no security or privacy enhancements.

I've had third-party cookies blocked for a long time now and there aren't any sites or logins that break down with them disabled (that I've encountered).

On the plus side, though, you don't have to worry about this crap. I'm logged into several of these sites and none of them show as leaked.

Keep in mind, uBlock Origin does not block social media widgets by default, and you have to enable it in settings. Widgets like Facebook like buttons, and Tweet buttons have to be blocked manually.
Personally, I don't set the DNT header.

You have no way of knowing if any sites are actually going to comply, and it actually provides an extra datapoint to fingerprint you with.

But isn't it better to at least ask instead of not asking at all?
As I said, simply asking for it will actually reduce your privacy for any service that doesn't comply, by making you more fingerprintable.
But there is some pressure on companies to comply. Plus they can't use the defense that you could have enabled it and chose not to.
Its pretty obvious the default should be the opposite to avoid a race condition like that.
Are you suggesting a "please track me" header? Nobody would ever use it...
It was proposed that DNT be the default, but then ad companies said if that were the case, then they would just ignore the header. They want users to explicitly opt out of tracking otherwise they will assume they agree to being tracked.
There are 100s of ways to fingerprint the browser and more exactly. I think is better to set it for the few that comply.
That's true, but they usually require running javascript etc.

Looking at the request headers is the simplest way of fingerprinting.

3rd party cookies should be disabled by default in all browsers. It significantly improves your privacy with minimal impact.

After many years of blocking 3rd party cookies the only thing that's broken for me is my bank's bill pay system, which is an iframe of a 3rd party service.

heh, same here. I can't use my banks ebilling website.
Try opening the iframe directly.

Also, complain to your bank.

Or just whitelist that one.
I whitelisted bandcamp because some bands use custom domains.
How many people browsing the web would know to do this? Would even 0.5% of users know?
I didn't know about either of these things and I consider myself fairly security savvy (for a programmer).

uBlock Origin looks way better than Ghostery, which I was using until now.

As somebody who tried to build code respecting "Do Not Track" preferences, I have to say that feature, while well-intended, is a complete farce.

Chrome, Safari, Firefox, IE9, IE10, and IE11 all use different APIs for Do Not Track [1], so a front-end developer has to do a lot of extra leg work to check if the user has the preference set.

I find it highly unlikely that most companies would go through the effort of respecting Do Not Track.

[1] https://developer.mozilla.org/en-US/docs/Web/API/Navigator/d...

Wow. I am surprised at how many different ways Firefox, Safari, and IE9/10/11 implement an API as simple as navigator.doNotTrack.
This almost seems like a case of defective by design.
The main behaviour is to add the DNT: 1 HTTP header. The JavaScript APIs are just a bonus to perhaps avoid sending unnecessary information. (But yes, it’s still a silly feature, because having to go out of your way at all to respect DNT isn’t really worth it.)
Checking the box to block 3rd party cookies is great advice, but I would not tell my Mom or any other casual user to do it. Why? You wind up with a lot of very weird, hard-to-track down bugs in web pages. I've seen failures in OAUTH and SSO pages, buttons that don't click, etc. Things you might not expect to break, break. And it's hard to track it back to that checkbox.
I suppose the "block third-party cookies and site data" must be why this is mostly broken at home (doesn't show logins to 5-6 sites that I'm logged in to), but works properly at work (didn't bother to set that option there). Never toyed with exactly what the "site data" part means, though.
Can someone explain how this is NSFW? Is it because it's scraping for logins which looks suspicious?
I'm guessing from other comments that it checks logins on a wide variety of sites, some of which may be NSFW. Some employers might not like you accessing NSFW sites.
correct, among others it checks youporn. For this check it needs send a request to that domain, which may get flagged in certain corporate IT systems.
That would be a pretty crappy check then. After all any webpage could embed that favicon.
Any page could also embed anything else NSFW, such as actual porn videos. The assumption is that these sites are generally NSFW by association.

What would you propose instead?

If a filter is set up to not just block access to but also flag based on something as trivial to embed as a URL one would hope the technology would be a little bit more involved than a single hit on a .ico file for a flag.
A web filter / proxy does not have any way to tell whether any individual HTTP request was requested as a result of HTML embedding, bookmarking, user entry or clicking on a link.
Exactly. So it shouldn't be used to 'flag' any employees.
If your position is that monitoring HTTP traffic is useless because favicons can be embedded into webpages, what method would you propose to monitor employees browsing habits then?

Furthermore, how would you monitor the HTTP traffic of suspected terrorists? After all, anyone can embed an image to "www.isis.com/blackflag.jpg" into any webpage, so shouldn't we stop monitoring all such traffic?

Your original assertion was that "it's a pretty crappy check", but I think what you are missing here is that it's the only possible check, minor irrelevant flaws and all.

No, it isn't the only possible check, but besides that the 'HTTP traffic of suspected terrorists' will be nicely encrypted in a way that you won't be able to intercept the URLS.

Lots of fearmongering here, if you want to monitor your employees browsing behavior then you're going to have to supply them with the hardware they do the browsing on, lock that hardware down and install some nannyware to do the monitoring. That way you won't have to MITM each and every connection and you'll have a more secure setup overall.

It retrieves the favicon (at least - haven't finished reading how it works) from YouPorn. If you're looking at DNS requests, it looks like similar to if you're browsing porn.
Pretty compelling information. Two observations: 1) No LinkedIn. Are they on top of the problem? 2) I had fun results with the Epic Privacy Browser.
Couldn't find a redirect on LinkedIn that redirects without prompting you to log in again... Can you?
Scary. Netflix is showing logged out though, whereas I'm actually still logged in.
Yeah, it kind of shows conflicting results to me too.

While it correctly identified me being logged into HN, Medium, and Amazon, it completely missed reddit, GitHub, Twitter, Facebook, etc. I'm assuming it missed them because of me running Privacy Badger, but I'm kind of negatively surprised that Privacy Badger failed to protect me from those three I mentioned.

Another false negative: Pinterest.
>You are logged in to:

>No platform

>(or you're using something like Privacy Badger)

I'm using uMatrix and uBlock Origin :)

Well its good to see its partly wrong for me. It shows HN correctly, but also shows me logged in to Facebook and Tumblr, not correct. And not logged in to gmail, which I am. Still, its a dangerous flaw.
How is being showed logged in any good when it's not true? Wasn't there also something about facebook creating accounts for people based on thier 3rd party promotion link ins and what not?
I would be interesting to keep track of how common each particular fingerprint is. It could potentially be used to identify an individual user.
This is why I use 'browser isolation', which is a way to separate different types of surfing activity into different buckets. Currently the best way to do this in Firefox is to create multiple profiles, or in Chrome, you can simply add a different user/persona.

Having one profile, or even an entire dedicated browser just for Twitter/FB ensures the login is not spilled over into other sites. If you're surfing the web heavily, I would recommend spawning a new private window so cookies, and other artefacts are not bleeding into your session.

It sounds like common sense, but many people have cookies and login information persisting for years at a time in their browsing sessions. The Mozilla Firefox team are planning to introduce a feature which makes compartmented surfing sessions a lot more user-friendly by separating sessions into tabs. Currently, the 'profiles' feature of Firefox is not user friendly and requires a bit of tinkering with the filesystem.

I was horrified to find I'm logged in to FB with my 'common' cookie jar. At least that explains the recently increased accuracy of its targeted ads.
I only ever log in to Facebook in private browsing mode.
Facebook is among the worst for stalking you. For the once a quarter I log into Facebook (mostly for an occasional friendly note to highschool/college friends from 30+ years ago), I use a private session. And I have a plugin that blocks facebook tracking.
I only ever log into Facebook via a VPN to a remote VPS using a private window on a browser I don't use for anything else. And also...

Chain OUTPUT (policy ACCEPT 6309 packets, 599K bytes)

pkts bytes target prot opt in out source destination

  330 19800 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set block-facebook-ips dst reject-with icmp-port-unreachable
I have an ipset that matches FB networks.
Yikes. Sounds easier just to not use Facebook.
There in lies the problem, all those Facebook widgets on various 3rd party websites are used to track you. If you block FB's network ranges then it gets much harder for them to do that.

In effect you are "using" Facebook whether you want to or not; this is the issue some people have with shadow FB profiles.

Careful, too strict and you'll start to be identifiable from your conspicuous lack of identifiable information ;)
I always use incognito mode but apparently I must have inadvertently logged in to a regular frame at some point. Horrified!
Its only in testing right now, but Firefox Nightly has "Containers" so you can exactly have different "buckets" for different types of browsing - https://wiki.mozilla.org/Security/Contextual_Identity_Projec...
What I really want is something like this and it opening containers automatically based on url sets.

So going to facebook would go to the facebook set automatically and isolate facebook. But I don't have to manually open the "facebook profile" to do the switch. Same with twitter, amazon, google*, youtube, apple, etc.

If you have multiple accounts, you can have the interface pop up a "choose your subcontainer" automatically with the new google container or whatever. All browsing in that container would then stay in that subcontainer until you close it.

After Firefox adds this, wouldn't that be a relatively simple plug-in? Just maintain a list of known info greedy URLs? (Note, not a tracker blocklist)
(comment deleted)
and deny other containers from embedding facebook urls?
If you want. Put it as a checkmark option?
Yeah, as long as it only activates that container based on typing in facebook or going to a bookmark, not just any random site hitting that URL. Which would then probably break following links to those sites - could you trigger it based on a normal navigation to that domain, but not based on some other site trying to fetch an image from it out of the blue?
Great advice. I use Chrome for Google, twitter, and Facebook, and another browser for everything else. This isn't quite as good as your approach, but gives me some web platforms isolation.
For anyone wanting to do this, the profile and no-remote command line options[1] may be useful if you want to create shortcuts to launch specific profiles

You might also want to consider using a different theme[2] in each profile to help avoid mixing them up if your running multiple instances simultaneously.

My initial use case for this was adding the lets encrypt staging certificate authority to the trusted root certificate authorities in a profile only used for testing.

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Command_Lin... [2] https://addons.mozilla.org/en-US/firefox/themes/

Slightly easier way is to use the Disconnect/Privacy Badger extensions, along with uBlock Origin. It does a lot to prevent cookies from leaking across sites.
Yeah. I use those, and this site doesn't do anything AFAICT.
I use all 3 of those and a few others, yet it still detected quite a few sites I was logged in to.
If you're still worried, I'd take the time to learn and use uMatrix (https://github.com/gorhill/uMatrix) in addition to uBlock. For me, uMatrix has replaced Privacy Badger and other similar addons because they're no longer needed. It requires a bit more effort to maintain though.
(comment deleted)
This seems like a good plan. However I find it funny that one would use Chrome and be concerned about sites gathering information about you.
Firefox Nightly has container tabs available right now and they are fantastic! Only thing missing is a shortcut / better way to open a different type of container tab.
Or you can enable basic privacy settings on about:config, NoScript, etc. I get "No platform" both on my phone and Desktop (though I don't have any social networks, I created a Facebook account to test).
I use the http://qupzilla.com/ browser because each private window is a new session, no cookies are shared between windows.
At risk of being depressing, it's worth knowing that a dedicated profiler can reconcile accounts across all of the protections you've mentioned - not just as a targeted attack, but algorithmically.

There are a lot of fingerprinting tricks which transcend cookie restrictions and user profiles. The battery percent/value one will reconcile all accounts on one device (as will several other like fonts). If you log into one bucket on multiple devices, it becomes possible to traverse devices and reconcile one-device profiles via the shared profile. If I were truly paranoid, I would only trust "separation" if it involved a clean account on a clean device on a clean network.

None of which is to say that you shouldn't do this! I do lots of privacy things which aren't bulletproof, and I think other people should also. Fighting common tracking structures is still progress, and tools like bucketing and Privacy Badger are great ways to do this.

It's just also worth noting that dedicated profiling will break all but the most pathological defensive measures.

Indeed.

Another trick is to change or settle for one very common user-agent across all browsers, and to run them with differently sized windows.

Be sure to use a common window size, though. If you pick a nice size with your mouse (as I always do), your window size is almost certainly unique when paired with just a few more bits of info.
At this point you may as well just go full rms and use wget to download pages which you then read offline.
Would it be possible to make a browser plugin to do exactly that?
it found nothing for me and I don't do anything pathological
This page didn't, because it only profiles third party cookies - that is, your browser explicitly admitting which sites you're logged into. Privacy Badger, Disconnect, or uBlock will all handle that, as will simply disabling the browser setting.

That was pretty much my point: this is a "nice" profile. One that targets unintentionally identifying image like browser window dimensions can easily track you despite all of those precautions.

What about virtualization? It seems to me that something like Qubes might not at present protect against this (I don't know what information is available to guest/isolated domains on that system), but could be made to? One can easily lie to a browser about battery status and fonts from the OS too, for example.

I guess my point is that it depends on what you view as pathological? I surmise that this is the kind of thing that needs an algorithmic countermeasure, such that systematic deception by user agents is no more difficult for the end user than browsing the web is currently.

It's very difficult to prevent side channel thumbprints—something as simple as traceroutes, wifi hotspots, caches (DNS, routing) can be uniquely identifiable. Add on top of this biometrics like how you type, how you move your mouse, etc, and it becomes very difficult to avoid concerted tracking efforts.

Of course, if you're not pissing off state actors, you're probably fine with qubes/tails.

Very interesting list, thank you. I will have to read up on this subject in greater depth.
if you're not pissing off state actors, you're probably fine

Thank you, this seems to be a point that is often ignored. Most of us don't need to hide our trail from a full wing of CIA analysts, just drive-by snooping and the like. (It of course doesn't help the Snowdens of the world)

I usually prefer to think of the middle case: someone with a grudge against me, who would love to blackmail me if they could get the dirt, and who has money to hire some blackhats and buy some zero-days and set up spear-phishing—but who doesn't actually have any access to the things that states get by default by sending fancy letters with Important Signatures.

It's interesting to work through the case of an absurdly rich private actor, because it works out differently for diferent companies; for some, they can just get a "man on the inside" to leak out your data easily enough, while for others (e.g. Gmail) the employees themselves aren't trusted to access user data, and have been firewalled/ACLed away from it to prevent just such intrusions. State actors get pretty much the same "help" from every service (save for the rare Lavabits of the world) but corporate actors get a rather unpredictable response landscape.

Presuming you are being pursued by a state actor, isn't using a computer at a library or Internet cafe enough to thwart most of that? Especially if you're using asynchronous store-and-forward protocols like NNTP or Freenet, where you can be long-gone from wherever the computer you used was, before anyone else ever sees "your" activity.
I remember at least one security expert commenting that if he ran an actual attack, his precautions would be "sitting in a computer lab using a stolen library card". Physical anonymity is by far the best cure for some of these things.
Qubes VMs cannot get the battery state. Assuming that the user didn't install custom fonts, the font list should be the same across all the installs.

I think Qubes closes most of the low hanging fruit in this space, but completely preventing fingerprinting is very hard and there are probably ways to leak identifying info.

Indeed, you can take this a step further and assign each bucket its own VPN, with JS turned off to minimize fingerprintability. You can even setup multiple virtual machines with multiple screen resolutions on each to further divide up your sessions, making your surfing modified beyond recognition. It might take a weekend or two to wrap your head around VMs and VPNs, but it's worth it.

Also, if you're paranoid about your VPN provider spying on you, you can install HTTP nowhere: https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/ to further compartmentalize the risk of spying. DNS, however is tricky to obfuscate, so I would recommend surfing under broad and generic domains, like TWITTER.com and places like REDDIT.com which often scrape and proxy the content from other sites so you don't need to visit those sites explicitly.

but is that in itself not another signature in a fingerprint?
Not necessarily. The amount of bits needed to fingerprint somebody is substantially lowered doing this, and although you stand out by taking extra steps like this, it's substantially better than a large portion of the configurations you do see.

Of course if your threat model is such that nation states are targeting you, either passively, or actively, then TOR is fitting in most cases, but TOR can prove to be overkill in most cases.

For example, if I'm surfing a website which blocks TOR, I can use a JonDoFox[1] profile to visit a website with a VPN, and achieve better-than-most anonymity for my needs, albeit not as rigorous as what TOR provides, but at least my connection has rudimentary protection from passive eavesdropping.

Keep in mind, VPNs are a countermeasure only and do not provide perfect privacy, but you can lessen the information gathered using the techniques I outlined. Surf under generic domains, and block traffic downloaded en clair

[1] https://anonymous-proxy-servers.net/en/jondofox.html

The problem is that even if the number of bits on the fingerprint shrink, you're also lowering the selection size.

It's a tradeoff, you can overdo it and certainly end up less anonymous than before.

A bigger fingerprint might make it easier to identify you but if there are more fingerprints, there might also be more fingerprints that are exactly the same, thus being drowned by the mass.

Shouldn't disabling 3rd party cookies also prevent this kind of attack? The request for the facebook/twitter favicon is being made from a non-FB/TW page and so the login cookie won't be sent.

This would depend upon how the browser implements its 3rd party cookie blocking. If it only blocks setting cookies, but still allows existing cookies to be sent, then there would be no protection.

Lately I've been using Opera Incognito with free builtin VPN for all general browsing and I highly recommend it. (I use Chrome to stay logged in to email).
> It sounds like common sense, but many people have cookies and login information persisting for years at a time in their browsing sessions.

If it requires quite a bit of domain knowlege (almost everything in security does), it's not 'common sense'.

I've had a fantasy of not just using different browser profiles (effectively) for each site, but routing requests for each site through a different personally-run cloud-hosted proxy.

Someday maybe I'll get around to setting it up. Maybe.

Shouldn't a browser not send cookies when the request comes from a different domain? That would seem like the most sensible solution to me. Unless somebody can show a caveat of course.
(comment deleted)
I believe that cross-site scripting [0] can be used to get around domain restrictions.

[0] https://en.wikipedia.org/wiki/Cross-site_scripting

[1] (This is not my area of expertise. If I'm not correct... please let me know!)

That requires exploiting an XSS vulnerability in the target domain however. Such vulnerabilities are sadly common, but can be prevented.
No, that's not really related. Cross-site scripting's name comes from the vulnerabilities which allow an attacker to insert a <script> tag pointing at a script on another domain (or an inline script). It doesn't have to do with cookies and doesn't get around or really interact with the "block 3rd party cookies" setting.
This is exactly what the "block third-party cookies" option does. It really should be enabled per default, possibly with a permission prompt for cases where they are useful.

The interesting thing here is that third-party cookies usually allow a central site (e.g. an ad server) to track a user across many other sites. It's almost the other way around here: "other sites" can track status on a "central site".

I didn't know this option exists. Thanks. I enabled the option and indeed, this social media fingerprint stopped working :)
TIL YouPorn is considered social media
You'd be surprised how active people are on YouPorn, PornHub, etc. Whole new world. And surprisingly, very civil people.
ironic that youporn is included in this list considering they lost in a class action suit for very similar business practices.

https://www.scribd.com/doc/44635414/Pitner-Versus-Youporn

+1 very interesting case - company never located on US soil is being sued in California for something of a peanut size comparing to what Facebook does.

I know a bit off topic but I can't find how this case ended. Anyone with better Google skills??

youporn lost in the end, not sure what the end settlement was.
Nothing shows up in my Epic Privacy Browser ;-D!!
Using uBlock Origin and Privacy Badger defaults, it only showed me as logged into Hacker News.
Same for me, plys Slack. What it didn't notice: Reddit, GMail, Github, Paypal and maybe more.
Privacy Badger alone missed Reddit and the Google cluster, but picked off all of my other active logins. I'll be adding uBlock to see what it does with the survivors.
Hm. Doesn't seem to work on Chrome on Android.
Works mostly! I'm logged into HN of course; it says I'm not. Also Steam.

It got Facebook, Gmail, Youtube, Dropbox right.

Using default browser IE 11 on Win7

what is happening is not legal in the US and a large porn website was sued for doing it. they were printing hidden links on the page, then checking the color with JS to see if you had visited the destination url or not. judge didn't think it was a fair business practice. maybe these companies are not fixing this because of this legal precedent and figured no one was doing it?
> without your consent

Untrue. I have given my consent. Why are these privacy posts always using some kind of nefarious and negative language?