It sounds like it would absolutely work for images as well, as the article notes that your browser will permanently remember the redirected location, and use that in the future.
Wow, I had no idea that my system fonts were trackable with Flash. That's like an instant fingerprint, as many developers and designers have at least a few custom fonts installed -- if not a few dozen.
You can probably do something similar with javascript, either by comparing a <span>'s width, or by using canvas etc sampling pixels, to see if a given font is installed or not. You'd need a pretty long list of fonts to check, though.
Flash makes it easier since you can simply enumerate all the fonts.
Amen. And wouldn't it be more informative to be told how many browsers were found to be indistinguishable from the user's? Pretty sure my iPhone is completely generic. That should be a detectable category for them by now.
Back then, the proponents of that plan insisted the privacy concern was largely academic. I somewhat wonder what would've happened post-PRISM leak had they ever implemented it.
What does something like PRISM have to do with an individual privately run site using information provided by the client software in order to prevent abuse?
Expecting privacy-minded people to opt-out of using telephones or emails for fear of government monitoring isn't reasonable. Opting out of Stack Overflow is nowhere in the same league.
> What does something like PRISM have to do with an individual privately run site using information provided by the client software in order to prevent abuse?
I feel like I explained the issue pretty clearly in the preceding sentence:
> Back then, the proponents of that plan insisted the privacy concern was largely academic.
We now know via the various leaks that have occurred recently, that government agencies will use any information available to them and that there is largely nothing the public can do to stop it or be made aware of it except through the occasional one-off leak like PRISM.
That is to say, the privacy concerns related to any private company tracking PII to this degree aren't academic or abstract. Information kept to prevent abuse can just as easily be repurposed for surveillance. I suspect (and would hope) many of the same people pushing for this feature back in 2011 would reconsider their support for a feature like this knowing what we know now.
> Expecting privacy-minded people to opt-out of using telephones or emails for fear of government monitoring isn't reasonable.
I'm not sure what part of my comment lead you to believe I would think otherwise, but I don't.
> Opting out of Stack Overflow is nowhere in the same league.
In the comments of the post I linked, several people were insisting that there wouldn't need to be an additional disclosure because it's information that's either public, available to other third parties (like browser makers), or already available to Stack Overflow in a different form. Not knowing that a site like a hypothetical Stack Overflow—where a feature like this was implemented—is keeping records on this level and therefore not opting out isn't informed choice.
Indeed, a significant portion of the outcry with respect to the NSA leaks is that nobody knew that the government had such a direct connection to the information stored by private companies that people could've easily opted out of using (e.g., Facebook, Apple, Google, or Paltalk).
But all I was attempting to do here was mention a past experience with Panopticlick and muse how it might've went today. I guess I've been bitten by something pg once said[1], that "you can't be concise on forums because if you leave any possible room for misinterpretation, someone will reply with it".
The response to that concern at the time was that most of the people who would know how to get around it wouldn't need to sockpuppet[1]. I suspect, if it were ever implemented, there'd be some attempt to obfuscate or hide what was actually tracked like they do for their other fraud algorithms. But issues like that and the privacy issues were pretty indicative of its lack of value and it doesn't surprise me it was never implemented and didn't even warrant a response from an SE employee.
The user signups up, connects their phone to their account and you use the fingerprint as the ID for future validation?
How do you handle changes in fonts/plugins/browser versions/timezones while travelling.
All of that data seems to be muteable over time. Unless it's a 99% match kind of thing. Also what about companies that hand out laptops with the same base OS/browser-installs (or is that the goal)?
Client side changes are handled in a weighted model. If the heuristics match between 85 and 95% we might update the stored fingerprint.
While we can use this for SSO it's usually tied to another factor of authentication. Something like a user/pass, social id or maybe saml assertion from another claim provider.
We are just scratching the surface of what this type of technology can be used for.
sounds awesome and at the same time it's shocking how unique and identifiable we are online. Did you consider adding _buzz_and_words_here_ 3-Factor Auth (4-Factor for Gov. clients)? You could solve it in a way that makes it very comfortable to the user, yet very hard to crack for crackers.
1. Your Tracking Technique + DRM-based-License Tracking
2. One Password / ID (No username required, it's optional)
3. Typing Speed Tracking 99.5 percent accuracy [1]
4. (Bio-metric Data like Fingerprint or HD Iris Scans for Gov. Clients)
DARPA is also working on it, definitely watch this (Google alredy uses this!):
Yeah we provide the solution to a lot of government clients. Strange enough, our international clients like the 3 or 4 factor authentication. It's very very easy for us to do though as there's no limit to chaining the work flows together.
What? Wow, that sounds really dangerous. The same fingerprint is available to any site out there, so anyone could just capture it and try to replay it on a "SecureAuth" service, no?
Here's how it works. As a user I want to connect to a web resource, I am redirected to my idp (SecureAuth) where we ask you your name, then I look at your account and ask you to enroll, then I ask you your password. Now before I generate a claim/token or what ever I take your fingerprint so for the next day/30 days/90 days or what ever your fingerprint is checked between your username/password and the strong authentication is transparent to the user.
The variables can all be weighted differently and the fingerprints can easily be revoked but it is very cool technology.
I also used a similar concept to help us investigate charges of of cheating in an asynchronous online strategy game where sock-puppet collusion would destroy the balance. Having an extremely high probability that two accounts are actually the same browser made it easier for us to warn|block|ban cheaters.
Is there already a fix for that? Just a plug in that blocks all unique identifiers and responds with a windows-out-of the box configuration should solve the problem.
What we really need is a modified ``privacy'' build of FF that reports spoofed js/css data (screen res etc), but I'm not skilled enough in web stuff to make that.
As a side note, I've been impressed with French academia lately. Between INRIA and IRCAM, I see a lot of quite practical stuff that I like coming from there.
Glad to help. Yes so do I, I've seen a lot of INRIA projects that stunned me. I didn't know about CCRMA, would you mind sharing some stuff you found over there?
Hah sorry, I edited my comment before you replied, but I got a brain mix-up between the international computer-music centers' acronyms: CCRMA is an American one at Stanford, but I meant IRCAM, the French one at Centre Pompidou. The third of the "big three" is CNMAT at UC-Berkeley. All are 5-letter acronyms, so it is a bit easy to confuse...
It will not be very interesting if you don't care about computer music, but IRCAM has an ethos of producing many projects in that area. For example, the Max system that later became Max/MSP (and later the open-source version, Pd) was originally an IRCAM project. They also have a Common Lisp based visual-score system (http://repmus.ircam.fr/openmusic/home), a system for data-based resynthesis using musical corpora (http://imtr.ircam.fr/imtr/CataRT), and a number of other things, including many projects more on the music/composition side.
Upvoted you even so it doesn't bring a solution. They clearly state
For the moment, there is no protection from fingerprinting.
This seems just a wrong statement. If Firefox and Chrome are open source there must be a way to modify the fingerprint. Even if it comes in form of some "pre-loader" that blocks the sending of one fingerprint and overwrites it with another.
My suspicion is that sites coming across as super sneaky (e.g. LinkedIn) are actually using browser identification / fingerprinting to make their otherwise impossible suggestions.
For the moment, there is no protection from fingerprinting. Browser extensions that change some of the parameters of your browser’s snapshot make you even more identifiable because there are often other ways to check the values of these parameters. However, some of your parameters change by themselves, for example, after your web browser updates, or simply when you travel or use external monitors. Panopticlick does not take it into account, however effective fingerprinting libraries are able to identify you because they monitor your consequent visits to the websites.
"Browser extensions that change some of the parameters of your browser’s snapshot make you even more identifiable because there are often other ways to check the values of these parameters."
For example, use Useragent Switcher in FF, this is effective as long as you keep JS off. With JS the site can interrogate the client and report and any discrepancy would be found, and distinctive.
I've been looking at this from the avoiding-tracking and from the server side (identifying clients independently of cookies). The client is very limited in options with JS on.
Users need more control of this in the browser.
In an application you could in principle track users even across some changes with a sort of "preponderance of the signals" confidence value - weighting several things like Ip, platform etc..
> one in 506 browsers have the same fingerprint as yours.
So is this good or bad?
Some time this year, I'm planning to write a browser add-on which will send random (legitimate, from real browser versions) header combinations of the user agent (+OS) and accept headers. It can be semi-random, e.g. send the same headers to the same host during one visit. Combine it with the NoScript addon, use the RequestPolicy addon, block 3-rd party cookies, tell the browser to delete the cookies and local storage on exit, use plugins only in "on-click" mode (or don't use plugins), don't send "referer"s (or send fake "referer"s), use Tor for HTTPS sites (and sites that don't need authorization), and this will make hard to track you.
Thank you for your support. I'm sorry, but I use Firefox, and I have already created some small add-ons using Mozilla's Addon SDK, so I'm already familiar with it. If I manage to write it (and it will be under GPLv3), I will try to port it to Chrome too.
Yeah, I've thought about this too. I was going to try and use a system-wide proxy, rather than a browser plugin, to capture all outgoing HTTP traffic and sanitize it.
Making it more widely useful would require a lot of thought, because much of the functionality of the current web is predicated on using these same vectors. There are interface issues, and fundamentally, the web would be significantly less useful for a large number of people if the privacy situation were ameliorated.
When it's done in proxy level, you can't change the JavaScript objects, so the global objects like "navigator" (which can be used to extract your browser and OS version) will still be available for trackers (if JavaScript is enabled).
that's good 1:506 means you're not very unique. Unfortunately for me it says appears to be unique among the 3,229,643 - probably because I'm Chrome/Linux, my ratio basically means I can be trivially tracked across the web.
Is there anything preventing a website that has access to your email address or name for that matter (ie because you created an account on that site) to sell the information between email and browser fingerprint to advertising networks?
Nothing at all. Working with the data industry, I've been blown away by the links every advertising network is trying to make between the crumbs we leave all over the place. Expect your TV (not even a smart TV) to be displaying ads based on your browsing history in the near future, all linked by your IP address. The data industry will absolutely whore your data all over the place. Datalogix, BlueKai, and many others have raised millions to do exactly this sort of thing.
This could also be extended to include WebGL extensions/capabilities. Lots of data there: http://webglstats.com/ - various WebGL extensions, stats like max texture size, max varyings etc. dependent on hardware.
I wonder how it would fare if it included WebGL stats but excluded all plugin data, e.g. stuff from Java or Flash. Seems to be a direction browsers are moving in.
From what I gather going by this site that I consulted (http://www.m-w.com/dictionary/unique) it seems that anything less than 2 would qualify you as unique.
You may feel that as the sample set grows others may join your party but you have not told us why you believe this to be the case. I wouldn't be too sure, I would be more hesitant in reaching that conclusion.
As it stands you are a unique snowflake and so am I.
I have always wondered if there is a "master list" of things that can be used to uniquely fingerprint a browser. For example, I don't see system time offsets[1] being used here.
It took me a moment to realize that means I am completely trackable.
A little surprising since I just built this computer from scratch a couple weeks ago. I'll take this more as a commentary on the popularity of Windows 8 more than anything.
This is what I think: this "service" is rather old, and I'm sure it is not being used regularly by lot of people with recent versions of browsers, so the majority of those 3.2 million fingerprints were made in older times (when it was being Slashdotted/HNed several times, like today) that's why we get many unique results.
That's not uncommon for (custom) dev builds, or if you have a plethora of addons that manipulate core browser behavior. I have a user and dev profile on firefox.
But that makes you more unique and a better target.
"My browser firefox fingerprint appears to be unique among the 3,230,950 tested so far and 21.62 bits of identifying information, mostly acceptable to be shared." But this is just a demo, a real attacker could get much more info out of it, I'm not protected against this.
Why do you think that you have gotten that result? Did you compile Chromium with some special flags?
These numbers don't make much sense to me. Only 2.5% of the site's users are running 1920x1080x32? Only 4% of people going to an EFF website are in the Pacific timezone?
Well, only 14% of the US's population is in the Pacific time zone [1], so that would imply that about 2/3 of the visitors are non-US, which seems reasonable.
And yes, 1080p is still a fairly uncommon resolution in this laptop era. StatCounter estimates 7-8%, and it's somewhat likely that StatCounter and EFF are going to have different skews [2]
At the moment, 15% (1:6.8) are in the UTC+2:00 timezone, which covers most of mainland Europe using Daylight Saving Time.
Sounds ballpark reasonable to me - Europe is twice the population of USA, and USA is split over more timezones. And Asia has more people than USA and Europe put together.
I think it mostly goes to show that it doesn't take much information to reduce the number of possibilities by 1-2 orders of magnitude.
In my case, Safari on iPad makes me 1:67,000. Chrome on the same iPad makes me 1:1.6 million.
My designer friend was watching a livestream, where he clicked a link that infected his OSX Computer at work. He was worried and asked me to inspect the payload, which was funny, because I only got a blank page. Only modifying my UA-String gave me access to the java exploiting payload, but imagine how they could go undetected by sniffing for more than just the UA-String!
After some investigation I found out that one guy has infected many thousand OSX and Windows PCs and turned them into drones. Now I know how they make money, selling their bot-nets. Kinda disappointed, I thought there is more thought and work required. But you see the point, anybody with enough patience can do that today, the tools are available.
You might be surprised to hear that many tens of thousands of clueless kids, teenagers, and adults pay for all-in-one kits that host Java drivebys (malicious self-signed Java applets, and Java exploits), redirect visitors of compromised sites to one's Java driveby, infect them, and manage such botnets through fancy Web 2.0 interfaces.
And they don't even need (and often do not have) a shred of basic IT knowledge to do any of this, let alone programming knowledge.
150 comments
[ 2.3 ms ] story [ 186 ms ] threador simply enhance the mentioned method my HTML5 / CSS3 support (e.g. through http://modernizr.com/) and you will get even much better results as shown in this study (https://panopticlick.eff.org/browser-uniqueness.pdf).
The next ugly site could steal your browser history that way and show which porn sites you've visited, in example.
Flash makes it easier since you can simply enumerate all the fonts.
Back then, the proponents of that plan insisted the privacy concern was largely academic. I somewhat wonder what would've happened post-PRISM leak had they ever implemented it.
Expecting privacy-minded people to opt-out of using telephones or emails for fear of government monitoring isn't reasonable. Opting out of Stack Overflow is nowhere in the same league.
I feel like I explained the issue pretty clearly in the preceding sentence:
> Back then, the proponents of that plan insisted the privacy concern was largely academic.
We now know via the various leaks that have occurred recently, that government agencies will use any information available to them and that there is largely nothing the public can do to stop it or be made aware of it except through the occasional one-off leak like PRISM.
That is to say, the privacy concerns related to any private company tracking PII to this degree aren't academic or abstract. Information kept to prevent abuse can just as easily be repurposed for surveillance. I suspect (and would hope) many of the same people pushing for this feature back in 2011 would reconsider their support for a feature like this knowing what we know now.
> Expecting privacy-minded people to opt-out of using telephones or emails for fear of government monitoring isn't reasonable.
I'm not sure what part of my comment lead you to believe I would think otherwise, but I don't.
> Opting out of Stack Overflow is nowhere in the same league.
In the comments of the post I linked, several people were insisting that there wouldn't need to be an additional disclosure because it's information that's either public, available to other third parties (like browser makers), or already available to Stack Overflow in a different form. Not knowing that a site like a hypothetical Stack Overflow—where a feature like this was implemented—is keeping records on this level and therefore not opting out isn't informed choice.
Indeed, a significant portion of the outcry with respect to the NSA leaks is that nobody knew that the government had such a direct connection to the information stored by private companies that people could've easily opted out of using (e.g., Facebook, Apple, Google, or Paltalk).
But all I was attempting to do here was mention a past experience with Panopticlick and muse how it might've went today. I guess I've been bitten by something pg once said[1], that "you can't be concise on forums because if you leave any possible room for misinterpretation, someone will reply with it".
[1]: https://news.ycombinator.com/item?id=5365222
[1]: http://meta.stackoverflow.com/questions/113394/implement-som...
The user signups up, connects their phone to their account and you use the fingerprint as the ID for future validation?
How do you handle changes in fonts/plugins/browser versions/timezones while travelling.
All of that data seems to be muteable over time. Unless it's a 99% match kind of thing. Also what about companies that hand out laptops with the same base OS/browser-installs (or is that the goal)?
http://www.youtube.com/watch?v=fgNpOzvwOiU
[1] http://csis.pace.edu/~ctappert/it691-08fall/projects/keystro...
Dude, you made me curious, I will implement this after my thesis! :)
(I'm watching you DARPA et. al /24/7/365!)
The more info you share here, the more dangerous it gets and the more people are aware of the danger it could pose, when used by the wrong hands.
This way nobody even knows if I'm on Firefox or Chrome.
The more unique, the more trackable.
What we really need is a modified ``privacy'' build of FF that reports spoofed js/css data (screen res etc), but I'm not skilled enough in web stuff to make that.
As a side note, I've been impressed with French academia lately. Between INRIA and IRCAM, I see a lot of quite practical stuff that I like coming from there.
It will not be very interesting if you don't care about computer music, but IRCAM has an ethos of producing many projects in that area. For example, the Max system that later became Max/MSP (and later the open-source version, Pd) was originally an IRCAM project. They also have a Common Lisp based visual-score system (http://repmus.ircam.fr/openmusic/home), a system for data-based resynthesis using musical corpora (http://imtr.ircam.fr/imtr/CataRT), and a number of other things, including many projects more on the music/composition side.
This seems just a wrong statement. If Firefox and Chrome are open source there must be a way to modify the fingerprint. Even if it comes in form of some "pre-loader" that blocks the sending of one fingerprint and overwrites it with another.
My suspicion is that sites coming across as super sneaky (e.g. LinkedIn) are actually using browser identification / fingerprinting to make their otherwise impossible suggestions.
Other addons may prevent certain leakages, but definitely not all.
Go here => https://stopfingerprinting.inria.fr/ Chrome + Firefox add-on.
For the moment, there is no protection from fingerprinting. Browser extensions that change some of the parameters of your browser’s snapshot make you even more identifiable because there are often other ways to check the values of these parameters. However, some of your parameters change by themselves, for example, after your web browser updates, or simply when you travel or use external monitors. Panopticlick does not take it into account, however effective fingerprinting libraries are able to identify you because they monitor your consequent visits to the websites.
For example, use Useragent Switcher in FF, this is effective as long as you keep JS off. With JS the site can interrogate the client and report and any discrepancy would be found, and distinctive.
I've been looking at this from the avoiding-tracking and from the server side (identifying clients independently of cookies). The client is very limited in options with JS on. Users need more control of this in the browser.
In an application you could in principle track users even across some changes with a sort of "preponderance of the signals" confidence value - weighting several things like Ip, platform etc..
So is this good or bad?
Some time this year, I'm planning to write a browser add-on which will send random (legitimate, from real browser versions) header combinations of the user agent (+OS) and accept headers. It can be semi-random, e.g. send the same headers to the same host during one visit. Combine it with the NoScript addon, use the RequestPolicy addon, block 3-rd party cookies, tell the browser to delete the cookies and local storage on exit, use plugins only in "on-click" mode (or don't use plugins), don't send "referer"s (or send fake "referer"s), use Tor for HTTPS sites (and sites that don't need authorization), and this will make hard to track you.
Do it for chrome.
...and let me send you money.
https://github.com/hultqvist/Kiss
Go here => https://stopfingerprinting.inria.fr/ Chrome + Firefox add-on.
EDIT: solved->solve, they didn't solve it yet, but this add-on helps them solve it.
Making it more widely useful would require a lot of thought, because much of the functionality of the current web is predicated on using these same vectors. There are interface issues, and fundamentally, the web would be significantly less useful for a large number of people if the privacy situation were ameliorated.
> Currently, we estimate that your browser has a fingerprint that conveys at least 21.62 bits of identifying information.
Your result sounds a lot better than mine. Simply using Opera gives me a one in 111366.28 result.
'Your browser fingerprint appears to be unique among the 3,230,650 tested so far.'
3in1 Internet Bundles coming with:
I wonder how it would fare if it included WebGL stats but excluded all plugin data, e.g. stuff from Java or Flash. Seems to be a direction browsers are moving in.
You may feel that as the sample set grows others may join your party but you have not told us why you believe this to be the case. I wouldn't be too sure, I would be more hesitant in reaching that conclusion.
As it stands you are a unique snowflake and so am I.
[1] An example of this can be seen here: http://time.is
It took me a moment to realize that means I am completely trackable.
A little surprising since I just built this computer from scratch a couple weeks ago. I'll take this more as a commentary on the popularity of Windows 8 more than anything.
I'm a snowflake!
But that makes you more unique and a better target.
"My browser firefox fingerprint appears to be unique among the 3,230,950 tested so far and 21.62 bits of identifying information, mostly acceptable to be shared." But this is just a demo, a real attacker could get much more info out of it, I'm not protected against this.
Why do you think that you have gotten that result? Did you compile Chromium with some special flags?
Also, it might mess with overall statistics
And yes, 1080p is still a fairly uncommon resolution in this laptop era. StatCounter estimates 7-8%, and it's somewhat likely that StatCounter and EFF are going to have different skews [2]
[1] http://www.newtimezones.com/pdfs/current_economic_crisis.pdf
[2] http://gs.statcounter.com/#resolution-na-monthly-201302-2013...
Sounds ballpark reasonable to me - Europe is twice the population of USA, and USA is split over more timezones. And Asia has more people than USA and Europe put together.
I think it mostly goes to show that it doesn't take much information to reduce the number of possibilities by 1-2 orders of magnitude.
In my case, Safari on iPad makes me 1:67,000. Chrome on the same iPad makes me 1:1.6 million.
After some investigation I found out that one guy has infected many thousand OSX and Windows PCs and turned them into drones. Now I know how they make money, selling their bot-nets. Kinda disappointed, I thought there is more thought and work required. But you see the point, anybody with enough patience can do that today, the tools are available.
And they don't even need (and often do not have) a shred of basic IT knowledge to do any of this, let alone programming knowledge.