150 comments

[ 2.3 ms ] story [ 186 ms ] thread
Here are some further ideas, how to do it: http://www.scatmania.org/2012/04/24/visitor-tracking-without...

or simply enhance the mentioned method my HTML5 / CSS3 support (e.g. through http://modernizr.com/) and you will get even much better results as shown in this study (https://panopticlick.eff.org/browser-uniqueness.pdf).

would 301 abuse work for IMG tags as well? or is the caching exploit specific to JS?
It sounds like it would absolutely work for images as well, as the article notes that your browser will permanently remember the redirected location, and use that in the future.
that reminds me to the css :visited browser history hack. I wonder if that still works, or if it could be replaced by your IMG approach. I fear yes.

The next ugly site could steal your browser history that way and show which porn sites you've visited, in example.

Wow, I had no idea that my system fonts were trackable with Flash. That's like an instant fingerprint, as many developers and designers have at least a few custom fonts installed -- if not a few dozen.
You can probably do something similar with javascript, either by comparing a <span>'s width, or by using canvas etc sampling pixels, to see if a given font is installed or not. You'd need a pretty long list of fonts to check, though.

Flash makes it easier since you can simply enumerate all the fonts.

Amen. And wouldn't it be more informative to be told how many browsers were found to be indistinguishable from the user's? Pretty sure my iPhone is completely generic. That should be a detectable category for them by now.
A couple of years back, I remember arguing with the moderators at Stack Overflow who wanted to implement this to combat sock-puppetry: http://meta.stackoverflow.com/questions/113394/implement-som...

Back then, the proponents of that plan insisted the privacy concern was largely academic. I somewhat wonder what would've happened post-PRISM leak had they ever implemented it.

What does something like PRISM have to do with an individual privately run site using information provided by the client software in order to prevent abuse?

Expecting privacy-minded people to opt-out of using telephones or emails for fear of government monitoring isn't reasonable. Opting out of Stack Overflow is nowhere in the same league.

> What does something like PRISM have to do with an individual privately run site using information provided by the client software in order to prevent abuse?

I feel like I explained the issue pretty clearly in the preceding sentence:

> Back then, the proponents of that plan insisted the privacy concern was largely academic.

We now know via the various leaks that have occurred recently, that government agencies will use any information available to them and that there is largely nothing the public can do to stop it or be made aware of it except through the occasional one-off leak like PRISM.

That is to say, the privacy concerns related to any private company tracking PII to this degree aren't academic or abstract. Information kept to prevent abuse can just as easily be repurposed for surveillance. I suspect (and would hope) many of the same people pushing for this feature back in 2011 would reconsider their support for a feature like this knowing what we know now.

> Expecting privacy-minded people to opt-out of using telephones or emails for fear of government monitoring isn't reasonable.

I'm not sure what part of my comment lead you to believe I would think otherwise, but I don't.

> Opting out of Stack Overflow is nowhere in the same league.

In the comments of the post I linked, several people were insisting that there wouldn't need to be an additional disclosure because it's information that's either public, available to other third parties (like browser makers), or already available to Stack Overflow in a different form. Not knowing that a site like a hypothetical Stack Overflow—where a feature like this was implemented—is keeping records on this level and therefore not opting out isn't informed choice.

Indeed, a significant portion of the outcry with respect to the NSA leaks is that nobody knew that the government had such a direct connection to the information stored by private companies that people could've easily opted out of using (e.g., Facebook, Apple, Google, or Paltalk).

But all I was attempting to do here was mention a past experience with Panopticlick and muse how it might've went today. I guess I've been bitten by something pg once said[1], that "you can't be concise on forums because if you leave any possible room for misinterpretation, someone will reply with it".

[1]: https://news.ycombinator.com/item?id=5365222

Wouldn't switching browsers/adding a plugin get around the block really easily?
You will still have the same set of fonts, resolution, os, ip, etc.
The response to that concern at the time was that most of the people who would know how to get around it wouldn't need to sockpuppet[1]. I suspect, if it were ever implemented, there'd be some attempt to obfuscate or hide what was actually tracked like they do for their other fraud algorithms. But issues like that and the privacy issues were pretty indicative of its lack of value and it doesn't surprise me it was never implemented and didn't even warrant a response from an SE employee.

[1]: http://meta.stackoverflow.com/questions/113394/implement-som...

We use this concept for low friction enterprise authentication at SecureAuth. Sure as hell beats rsa tokens or anything related to a phone.
Could you explain how it would work?

The user signups up, connects their phone to their account and you use the fingerprint as the ID for future validation?

How do you handle changes in fonts/plugins/browser versions/timezones while travelling.

All of that data seems to be muteable over time. Unless it's a 99% match kind of thing. Also what about companies that hand out laptops with the same base OS/browser-installs (or is that the goal)?

Client side changes are handled in a weighted model. If the heuristics match between 85 and 95% we might update the stored fingerprint. While we can use this for SSO it's usually tied to another factor of authentication. Something like a user/pass, social id or maybe saml assertion from another claim provider. We are just scratching the surface of what this type of technology can be used for.
sounds awesome and at the same time it's shocking how unique and identifiable we are online. Did you consider adding _buzz_and_words_here_ 3-Factor Auth (4-Factor for Gov. clients)? You could solve it in a way that makes it very comfortable to the user, yet very hard to crack for crackers.

    1. Your Tracking Technique + DRM-based-License Tracking
    2. One Password / ID (No username required, it's optional)
    3. Typing Speed Tracking 99.5 percent accuracy [1]
    4. (Bio-metric Data like Fingerprint or HD Iris Scans for Gov. Clients)
DARPA is also working on it, definitely watch this (Google alredy uses this!):

http://www.youtube.com/watch?v=fgNpOzvwOiU

[1] http://csis.pace.edu/~ctappert/it691-08fall/projects/keystro...

Dude, you made me curious, I will implement this after my thesis! :)

(I'm watching you DARPA et. al /24/7/365!)

Yeah we provide the solution to a lot of government clients. Strange enough, our international clients like the 3 or 4 factor authentication. It's very very easy for us to do though as there's no limit to chaining the work flows together.
Can you already offer 3. as a service, is it in planning, or won't you use that?
Yes, 3, 4, what ever they want we already offer
What? Wow, that sounds really dangerous. The same fingerprint is available to any site out there, so anyone could just capture it and try to replay it on a "SecureAuth" service, no?
(comment deleted)
Hopefully that isn't the only mean of authentication.
What is it then? What if I upgrade the browser, will it accept whatever other auth factor I present (a password?) anyways? What's left then?
Here's how it works. As a user I want to connect to a web resource, I am redirected to my idp (SecureAuth) where we ask you your name, then I look at your account and ask you to enroll, then I ask you your password. Now before I generate a claim/token or what ever I take your fingerprint so for the next day/30 days/90 days or what ever your fingerprint is checked between your username/password and the strong authentication is transparent to the user. The variables can all be weighted differently and the fingerprints can easily be revoked but it is very cool technology.
I also used a similar concept to help us investigate charges of of cheating in an asynchronous online strategy game where sock-puppet collusion would destroy the balance. Having an extremely high probability that two accounts are actually the same browser made it easier for us to warn|block|ban cheaters.
This post gives me the impression that it's self-fulfilling.

The more info you share here, the more dangerous it gets and the more people are aware of the danger it could pose, when used by the wrong hands.

It's not very trackable - I've replaced my user agent string with my full name, which is very unique.

This way nobody even knows if I'm on Firefox or Chrome.

> It's not very trackable - I've replaced my user agent string with my full name, which is very unique.

The more unique, the more trackable.

You missed his (pretty funny) joke.
Yes, I'm afraid I did. The "my full name" part should have been an indicator, but I missed it :)
Is there already a fix for that? Just a plug in that blocks all unique identifiers and responds with a windows-out-of the box configuration should solve the problem.
Install Noscript. Torbutton helps, but for those who don't want to use the outdated tor browser bundle you can also try Blender (https://addons.mozilla.org/en-us/firefox/addon/blender-1/).

What we really need is a modified ``privacy'' build of FF that reports spoofed js/css data (screen res etc), but I'm not skilled enough in web stuff to make that.

For me, the list of installed plugins is by far the most unique bit of information, so just blocking that would be helpful.
Go here => https://stopfingerprinting.inria.fr/ Chrome + Firefox add-on.
Thanks!

As a side note, I've been impressed with French academia lately. Between INRIA and IRCAM, I see a lot of quite practical stuff that I like coming from there.

Glad to help. Yes so do I, I've seen a lot of INRIA projects that stunned me. I didn't know about CCRMA, would you mind sharing some stuff you found over there?
Hah sorry, I edited my comment before you replied, but I got a brain mix-up between the international computer-music centers' acronyms: CCRMA is an American one at Stanford, but I meant IRCAM, the French one at Centre Pompidou. The third of the "big three" is CNMAT at UC-Berkeley. All are 5-letter acronyms, so it is a bit easy to confuse...

It will not be very interesting if you don't care about computer music, but IRCAM has an ethos of producing many projects in that area. For example, the Max system that later became Max/MSP (and later the open-source version, Pd) was originally an IRCAM project. They also have a Common Lisp based visual-score system (http://repmus.ircam.fr/openmusic/home), a system for data-based resynthesis using musical corpora (http://imtr.ircam.fr/imtr/CataRT), and a number of other things, including many projects more on the music/composition side.

That doesn't seem to actually block anything? It just says it sends them your data for analyzing?
Upvoted you even so it doesn't bring a solution. They clearly state For the moment, there is no protection from fingerprinting.

This seems just a wrong statement. If Firefox and Chrome are open source there must be a way to modify the fingerprint. Even if it comes in form of some "pre-loader" that blocks the sending of one fingerprint and overwrites it with another.

My suspicion is that sites coming across as super sneaky (e.g. LinkedIn) are actually using browser identification / fingerprinting to make their otherwise impossible suggestions.

I disabled all of my plugins, and I'm still unique.
The only truly effective way is to use an addon like NoScript (Firefox) or NotScripts / ScriptNo (Chrome).

Other addons may prevent certain leakages, but definitely not all.

Plus a VPN and/or Tor, otherwise your IP alone dooms you.
(comment deleted)
(comment deleted)
Even trying to be less trackable makes you more unique.
Yep. And I didn't know that our browser sends plugin info to websites. Wonder if there's a plugin to turn that off :P
I found this site, that way :)

Go here => https://stopfingerprinting.inria.fr/ Chrome + Firefox add-on.

I installed it and the uniqueness didn't change in the OP's test.
You're right. The website claims:

For the moment, there is no protection from fingerprinting. Browser extensions that change some of the parameters of your browser’s snapshot make you even more identifiable because there are often other ways to check the values of these parameters. However, some of your parameters change by themselves, for example, after your web browser updates, or simply when you travel or use external monitors. Panopticlick does not take it into account, however effective fingerprinting libraries are able to identify you because they monitor your consequent visits to the websites.

"Browser extensions that change some of the parameters of your browser’s snapshot make you even more identifiable because there are often other ways to check the values of these parameters."

For example, use Useragent Switcher in FF, this is effective as long as you keep JS off. With JS the site can interrogate the client and report and any discrepancy would be found, and distinctive.

I've been looking at this from the avoiding-tracking and from the server side (identifying clients independently of cookies). The client is very limited in options with JS on. Users need more control of this in the browser.

In an application you could in principle track users even across some changes with a sort of "preponderance of the signals" confidence value - weighting several things like Ip, platform etc..

I believe they use JS to get the plugins and fonts.
JS is just the plugins. The fonts list requires flash or java.
(comment deleted)
> one in 506 browsers have the same fingerprint as yours.

So is this good or bad?

Some time this year, I'm planning to write a browser add-on which will send random (legitimate, from real browser versions) header combinations of the user agent (+OS) and accept headers. It can be semi-random, e.g. send the same headers to the same host during one visit. Combine it with the NoScript addon, use the RequestPolicy addon, block 3-rd party cookies, tell the browser to delete the cookies and local storage on exit, use plugins only in "on-click" mode (or don't use plugins), don't send "referer"s (or send fake "referer"s), use Tor for HTTPS sites (and sites that don't need authorization), and this will make hard to track you.

> I'm planning to write a browser add-on

Do it for chrome.

...and let me send you money.

Thank you for your support. I'm sorry, but I use Firefox, and I have already created some small add-ons using Mozilla's Addon SDK, so I'm already familiar with it. If I manage to write it (and it will be under GPLv3), I will try to port it to Chrome too.
Save your money, the people who released this solve the problem:

Go here => https://stopfingerprinting.inria.fr/ Chrome + Firefox add-on.

EDIT: solved->solve, they didn't solve it yet, but this add-on helps them solve it.

Thank you for this link. So, currently, it does nothing to protect, it only collects information and sends to them for future analyzing.
Correct, they are researching ways to fight against tracking, this helps the researchers to do just that and stop future tracking attempts.
Yeah, I've thought about this too. I was going to try and use a system-wide proxy, rather than a browser plugin, to capture all outgoing HTTP traffic and sanitize it.

Making it more widely useful would require a lot of thought, because much of the functionality of the current web is predicated on using these same vectors. There are interface issues, and fundamentally, the web would be significantly less useful for a large number of people if the privacy situation were ameliorated.

When it's done in proxy level, you can't change the JavaScript objects, so the global objects like "navigator" (which can be used to extract your browser and OS version) will still be available for trackers (if JavaScript is enabled).
True. You'd need a defense in depth.
that's good 1:506 means you're not very unique. Unfortunately for me it says appears to be unique among the 3,229,643 - probably because I'm Chrome/Linux, my ratio basically means I can be trivially tracked across the web.
Beeing unique is bad, because that makes you an even better target.
> Your browser fingerprint appears to be unique among the 3,229,622 tested so far.

> Currently, we estimate that your browser has a fingerprint that conveys at least 21.62 bits of identifying information.

Your result sounds a lot better than mine. Simply using Opera gives me a one in 111366.28 result.

You do realize it's better to have lots of browsers like yours in this test? The more unique your browser is, the more trackable you are.
It's good. My result on the other hand:

'Your browser fingerprint appears to be unique among the 3,230,650 tested so far.'

Is there a plugin to remove or modify specific request headers? The bits of unique information could easily be removed, couldn't it?
Is there anything preventing a website that has access to your email address or name for that matter (ie because you created an account on that site) to sell the information between email and browser fingerprint to advertising networks?
Nothing at all. Working with the data industry, I've been blown away by the links every advertising network is trying to make between the crumbs we leave all over the place. Expect your TV (not even a smart TV) to be displaying ads based on your browsing history in the near future, all linked by your IP address. The data industry will absolutely whore your data all over the place. Datalogix, BlueKai, and many others have raised millions to do exactly this sort of thing.
whoa, I didn't think of that! It's true and that must be the reason why all the European ISPs try to sell you

3in1 Internet Bundles coming with:

    * Wiretapped VoIP
    * Censored and Tracked Internet
    * Browser History based TV Programs and Ads

    (Online-Shops already do income based pricing)
i have a unique user agent. i'm absolutely trackable. :p
Well, I seem to be unique as well, but I have nothing to hide...on this machine.
This could also be extended to include WebGL extensions/capabilities. Lots of data there: http://webglstats.com/ - various WebGL extensions, stats like max texture size, max varyings etc. dependent on hardware.

I wonder how it would fare if it included WebGL stats but excluded all plugin data, e.g. stuff from Java or Flash. Seems to be a direction browsers are moving in.

This is an excellent idea, I'm surprised I've never seen it before.
Ugh, all of my browsers are unique!
The fact that they can see what plugins I have makes uTorrent wanting a browser plugin make total sense. Just thinking.
Is there any way to hide things like Browser Plugin Details and System Fonts?
Yes, disable JavaScript.
I did the test afterwards again, Panopticlick can use the information anyways.
1 in 3.2 million doesn't really seem that unique to me. Once the sample size is larger by a factor of 10 - 100, I think this will be more valuable.
From what I gather going by this site that I consulted (http://www.m-w.com/dictionary/unique) it seems that anything less than 2 would qualify you as unique.

You may feel that as the sample set grows others may join your party but you have not told us why you believe this to be the case. I wouldn't be too sure, I would be more hesitant in reaching that conclusion.

As it stands you are a unique snowflake and so am I.

I have always wondered if there is a "master list" of things that can be used to uniquely fingerprint a browser. For example, I don't see system time offsets[1] being used here.

[1] An example of this can be seen here: http://time.is

I am unique among the millions so far.

It took me a moment to realize that means I am completely trackable.

A little surprising since I just built this computer from scratch a couple weeks ago. I'll take this more as a commentary on the popularity of Windows 8 more than anything.

For me, without a doubt, it's my fonts and one or two other things that make me unique.
Your browser fingerprint appears to be unique among the 3,229,638 tested so far.

I'm a snowflake!

Sadly, me too...
Me too, unique … users of Chrome dev versions are obviously not that common.
This is what I think: this "service" is rather old, and I'm sure it is not being used regularly by lot of people with recent versions of browsers, so the majority of those 3.2 million fingerprints were made in older times (when it was being Slashdotted/HNed several times, like today) that's why we get many unique results.
That's not uncommon for (custom) dev builds, or if you have a plethora of addons that manipulate core browser behavior. I have a user and dev profile on firefox.

But that makes you more unique and a better target.

"My browser firefox fingerprint appears to be unique among the 3,230,950 tested so far and 21.62 bits of identifying information, mostly acceptable to be shared." But this is just a demo, a real attacker could get much more info out of it, I'm not protected against this.

Why do you think that you have gotten that result? Did you compile Chromium with some special flags?

Fun fact: If you test it in normal mode and then incognito, you are no longer unique

Also, it might mess with overall statistics

These numbers don't make much sense to me. Only 2.5% of the site's users are running 1920x1080x32? Only 4% of people going to an EFF website are in the Pacific timezone?
Well, only 14% of the US's population is in the Pacific time zone [1], so that would imply that about 2/3 of the visitors are non-US, which seems reasonable.

And yes, 1080p is still a fairly uncommon resolution in this laptop era. StatCounter estimates 7-8%, and it's somewhat likely that StatCounter and EFF are going to have different skews [2]

[1] http://www.newtimezones.com/pdfs/current_economic_crisis.pdf

[2] http://gs.statcounter.com/#resolution-na-monthly-201302-2013...

At the moment, 15% (1:6.8) are in the UTC+2:00 timezone, which covers most of mainland Europe using Daylight Saving Time.

Sounds ballpark reasonable to me - Europe is twice the population of USA, and USA is split over more timezones. And Asia has more people than USA and Europe put together.

I think it mostly goes to show that it doesn't take much information to reduce the number of possibilities by 1-2 orders of magnitude.

In my case, Safari on iPad makes me 1:67,000. Chrome on the same iPad makes me 1:1.6 million.

My designer friend was watching a livestream, where he clicked a link that infected his OSX Computer at work. He was worried and asked me to inspect the payload, which was funny, because I only got a blank page. Only modifying my UA-String gave me access to the java exploiting payload, but imagine how they could go undetected by sniffing for more than just the UA-String!

After some investigation I found out that one guy has infected many thousand OSX and Windows PCs and turned them into drones. Now I know how they make money, selling their bot-nets. Kinda disappointed, I thought there is more thought and work required. But you see the point, anybody with enough patience can do that today, the tools are available.

You might be surprised to hear that many tens of thousands of clueless kids, teenagers, and adults pay for all-in-one kits that host Java drivebys (malicious self-signed Java applets, and Java exploits), redirect visitors of compromised sites to one's Java driveby, infect them, and manage such botnets through fancy Web 2.0 interfaces.

And they don't even need (and often do not have) a shred of basic IT knowledge to do any of this, let alone programming knowledge.