Fingerprinting thread, I won't stop until we have a sol
You are currently reading a thread in /g/ - Technology

Thread replies: 40
Thread images: 7
File: 1448283993139.jpg (86 KB, 1200x720)
Fingerprinting thread, I won't stop until we have a solution edition.
https://browserprint.info/
http://panopticlick.eff.org/
Browserprint has some new tests, you might want to check that out.
Remember, kids, disabling JavaScript is cheating, since many sites require JavaScript to work and fingerprinting code can be included in that mandatory JavaScript.

A blog post about fingerprinting users instead of browsers and devices, could there be a future in this?
https://browserprint.info/blog/userFingerprinting

Some kind anon many threads before posted a link to a story that indicates Google is injecting fingerprint code into their CAPTCHAs.
https://archive.is/9K5gs
This means that the majority of 4chan users could be being fingerprinted, and Google might know about your shitposting habits.
To fix this you can get a pass (which allows you to be tracked by 4chan in a different way), or you can trust the 4chan X extension and use that to run 4chan with all JavaScript disabled.

Daily reminder to do all your Facebook / Youtube / LinkedIn / botnet shit in a completely separate browser to your Googling or buying shit.
It's currently the ONLY way to truly defend against fingerprint tracking.
Double points if you have each browser running in a different VM with a different OS.
Triple points if you have each browser's VM configured with a different VPN.
The Tor Browser Bundle is still susceptible to many fingerprinting attacks that can uncover your true OS and browser.
Spoofing your user-agent is counterproductive unless you use a different user-agent for every site, even if you rotate them every x HTTP requests.
>>
File: 1457564792666.png (109 KB, 1160x420)
>>
File: 1421952101304.jpg (482 KB, 2000x1086)
>>55307092
>3D models of Raita's art
Congrats, you've successfully got me to click on this thread and activate muh dick
POST MOAR
>>
Raita is love.
Raita is life.
Raita is an artist of Japanese cartoon porn.
>>
>>55307092
Use/promote/help develop Privacy Badger.
They planned to add countermeasures for browser fingerprinting.
>>
>>55307892
I do use it, although I'm not decided whether it's actually a good thing or a bad thing.
It blocks obvious trackers but doesn't defend against tracking code in stuff like the 4chan CAPTCHA.
What do you mean planned to?
Did they change their mind?
>>
>>55307964
>I'm not decided whether it's actually a good thing or a bad thing.
The thing with privacy badger is that it needs a "warmup period". Switched to it about three weeks ago and just yesterday picked up the social media buttons.
How long is the period, I dunno.

Regarding browser fingerprinting
>pic related.
The better this is publicly understood, the faster the implementations will be done.
>>
>>55308119
Oh really?
I always assumed privacy badger was based off of lists like adblock software.
I didn't realise it actually learned.
That's pretty cool.
>>
>disabling JavaScript is cheating
But I don't even enable JavaScript for most webpages and they still work.

Not really sure how to get a lower score without disabling it. Even running a VPN doesn't reduce the score very much. Neither does running the browser in the default window, but that might be because I'm on FF 42/43 still for muh extensions.

EFF guide to reducing fingerprint isn't very good.
>>
>>55308193
Yeah, I actually removed all other privacy related addons after reading how it works.
Lately I've been using only Privacy Badger and HTTPS Everywhere. Some ads still show up and there are blank spaces here and there, but I can live with that while PB learns more.
Also I want it to build a nice list so I can set up a proxy and block them at the door.
>>
>>55308252
The problem is that fingerprinting defence technology is still in its infancy.
Nobody really knows how to stop this shit.
Is it better to fill your browser with extensions that block everything?
Well it works to some extent, but it also makes your browser more fingerprintable in other ways.
Should we use a browser with fingerprinting defenses like the TBB?
Well that does help but there are plenty of tests it can't defend against currently, and it can't defend against tests that are in the wild but haven't been discovered by the good guys yet.
Basically the best option is to use more than one browser and settle with partitioning your tracking to sets of different sites you're tracked over.
Not great but it's probably the best option at the moment.
>>
>>55307092
What if you made a little script that would change minor shit in your browser on occasion/every click, like a minor useragent change, a font added or deleted here or there, shuffle around some random (possibly fake) extensions, change browser screen size by a few pixels, whatever. Would that work well against existing fingerprinting methods?
>>
>>55308463
Yes and no.
You'd also need to do stuff like tweak the images generated with HTML5 canvases and sounds generated with AudioContext.
Plus it could be defeated just by inventing a new fingerprinting attack.
Theoretically it could work if you set it up so it had a different fingerprint for every website you visited though.
>>
I believe there's a project to spin up a new browsing environment on demand, but since fingerprints are reused across websites it's useless.
https://github.com/DIVERSIFY-project/blink
>>
>>55307675
That's all there is AFAIK
>>
>>55307092
https://news.ycombinator.com/item?id=11846303
https://thehackernews.com/2016/05/audio-fingerprint.html
>>
>>55312666
>https://news.ycombinator.com/item?id=11846303
>NoScript homepage has hardcoded ads advertising malware
That is pretty damning of NoScript's author, but that doesn't mean NoScript is bad necessarily.
It is open source after all and if it was doing shady shit I'm sure people would know about it.
That being said a lot of people seem to be migrating to uMatrix these days.
While I don't think it's a worthy replacement for stuff like PrivacyBadger or cookie management extensions I think its JavaScript blocking is pretty tight.
I just wish it could block scripts temporarily like NoScript.
>>
>>55312666
>https://thehackernews.com/2016/05/audio-fingerprint.html
This is basically canvas fingerprinting using the AudioContext API instead of HTML5 canvases.
The authors set up a proof of concept page here where you can run the tests:
https://audiofingerprint.openwpm.com
Alternatively the tests are on Browserprint since a couple days ago, minus the fancy visualization.

The paper which exposes the audio fingerprinting technique also exposes that some trackers are using WebRTC to find out the IP address of clients.
It's not clear whether this is the private IP, public IP, or their ISP's IP from the paper, but if it's their public IP that's scary; means people behind VPNs or Tor can be deanonymised with JavaScript.
Until now I thought that it was just an urban myth that JS could be used to get your real IP.
>>
>>55307092

https://github.com/pyllyukko/user.js/

>>55312905
Certainly anon, thanks for the TL;DRing so that it is easier for others to understand
>>
>>55307092
>raita's in 3d

shit is disgusting desu.
btw that's some cringeworthy NSA spy tinfoil post. I'll die before they even bother to check me, there's like bigger problems to pry with instead of worrying about my downloading some jackie4chan copy fan art.
>>
>>55313033
The NSA has got nothing on Google in terms of invasion of privacy.
If you've got a spare 2.5 hours and want to learn a bit watch this:
https://youtu.be/dNZrq2iK87k
It's really interesting and enlightening.
Another good one is:
https://donottrack-doc.com/
>>
>>55312929
I'd like to see how a browser with this kind of hardening compares in terms of fingerprint uniqueness to a standard Firefox install.
>>
>>55307092
Goddamn you for giving me a reason to use chrome, or should I use several different firefox forks?
>>
>>55313482
Up to you m8.
But I'd say using browsers from different families would be a better idea.
If you don't like Chrome maybe Opera?
>>
>>55313482
Check these forks

https://iridiumbrowser.de
https://github.com/gcarq/inox-patchset
https://github.com/Eloston/ungoogled-chromium
>>
>>55308381
The best approach would be to create a very extensive add-on that can spoof all (known) vectors used for fingerprinting on a per-session basis with a whitelist for sites you regularly use and where being tracked doesn't matter (e.g. Facebook, mail). Use valid data of course (e.g. 1920x1080 for screen resolution and not 2372x958 since it's a dead giveaway the information is fake). It would require a lot of work, though. Perhaps better to fork Firefox/Chromium since add-ons might not have the required permissions to spoof everything.

>>55308463
You don't really need to change it that often. Once per session is enough. uMatrix+uBlock Origin should do a good job to prevent you from being tracked across domains. Almost all ads/analytics/tracking is served from a third-party domain.

>>55312929
Changing things in about:config might be counter-productive since it disables things that 99% have enabled, making you easier to fingerprint.

>>55313148
Just create a new profile and run the test, then run it again with the user.js added to your profile folder.

>>55313482
I'd say use a different one. If you use Tor Browser I recommend running it in a virtual machine. Some will probably say to use Windows 7, or even Windows 10, since it makes you stand out less than using Linux but I don't really trust Microsoft so I personally use Qubes+Whonix.
https://www.whonix.org/wiki/Qubes
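Added example, not from any poster in the thread: the "disables things that 99% have enabled" point can be measured the way test sites such as Panopticlick report it, as bits of surprisal and the size of the anonymity set. The population counts and the attribute names (`webgl`, `screen`, `fonts`) are constructed for illustration.

```javascript
// Constructed population: [visitor count, attributes]. All numbers are made up.
const POPULATION = [
  [60, { webgl: 'on',  screen: '1920x1080', fonts: 'os-default' }],
  [25, { webgl: 'on',  screen: '1366x768',  fonts: 'os-default' }],
  [12, { webgl: 'on',  screen: '1440x900',  fonts: 'os-default' }],
  [ 2, { webgl: 'on',  screen: '1920x1080', fonts: 'designer-set' }],
  [ 1, { webgl: 'off', screen: '1920x1080', fonts: 'os-default' }],
];

// Number of visitors for which every attribute in `wanted` matches.
function countMatching(population, wanted) {
  return population
    .filter(([, attrs]) => Object.keys(wanted).every((k) => attrs[k] === wanted[k]))
    .reduce((sum, [count]) => sum + count, 0);
}

// Surprisal in bits of seeing `wanted`: -log2(share of visitors that match).
// A value nobody else reports has share 0 and therefore infinite bits.
function bits(population, wanted) {
  const total = countMatching(population, {});
  return -Math.log2(countMatching(population, wanted) / total);
}

// Per-attribute bits plus the joint anonymity set for a whole fingerprint.
function report(population, fingerprint) {
  const perAttribute = {};
  for (const [key, value] of Object.entries(fingerprint)) {
    perAttribute[key] = bits(population, { [key]: value });
  }
  return {
    perAttribute,
    anonymitySet: countMatching(population, fingerprint),
    jointBits: bits(population, fingerprint),
  };
}

const stock = { webgl: 'on', screen: '1920x1080', fonts: 'os-default' };
const hardened = { ...stock, webgl: 'off' };          // one rare pref flipped
const designer = { ...stock, fonts: 'designer-set' }; // unusual font list
for (const [name, fp] of Object.entries({ stock, hardened, designer })) {
  const r = report(POPULATION, fp);
  console.log(name, 'set:', r.anonymitySet, 'bits:', r.jointBits.toFixed(2), r.perAttribute);
}
```

In this sample, flipping the one rare setting shrinks the anonymity set from 60 visitors to 1, and a made-up value such as the `2372x958` resolution mentioned above matches nobody at all.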
>>
>>55313841
https://github.com/kkapsner/CanvasBlocker/
>>
>>55313841
>and not 2372x958 since it's a dead giveaway the information is fake
Tell that to the Tor people.
Their browser returns the weirdest screen sizes.
>>
>>55313841
>on a per-session basis with a whitelist for sites you regularly use and where being tracked doesn't matter
I suppose this could work, but you'd need to whitelist every website that you allowed cookies for.
Otherwise a site with cookies enabled that wasn't whitelisted could keep a record of your fingerprints and transmit that to sites that aren't whitelisted.
>>
>>55314037
Not sure why you linked that. It randomizes the fingerprint from canvas but there's still a lot of other things that can be used for fingerprinting.

>>55314084
It works for Tor Browser since, unless you change the window size, it'll report the same value for everyone using Tor Browser (well it's 1000x900 for me so I assume this is true for anyone with a screen resolution above that), and this in turn only works because there are millions of people using Tor Browser.

What I believe is the best approach is to randomize all fingerprintable vectors with valid data since it doesn't rely on anyone else doing it and if all data is valid it's going to take a lot of work to determine if the data has been spoofed or not.

>>55314146
I guess "sites you regularly use" was poorly worded. Any site where you log in sounds better.
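Added example, not from any poster in the thread: the per-session spoofing idea discussed above, with a different profile per site, only valid value bundles, a whitelist for login sites, and canvas noise that stays the same for one site within a session. `SpoofSession`, `BUNDLES`, `perturbPixels` and every value in them are hypothetical, and wiring this into a browser's real APIs is outside the example.

```javascript
// Constructed bundles: the values inside one bundle agree with each other.
const BUNDLES = [
  { ua: 'Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0', platform: 'Win32', screen: [1920, 1080] },
  { ua: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0', platform: 'MacIntel', screen: [1440, 900] },
  { ua: 'Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0', platform: 'Linux x86_64', screen: [1366, 768] },
];

// Small seeded generator (not cryptographic) so one site's canvas noise is repeatable.
function seededRandom(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Flip the lowest bit of some pixel bytes. The same seed gives the same result,
// so a site that reads its canvas twice sees no difference between the reads.
function perturbPixels(pixels, seed) {
  const rand = seededRandom(seed);
  return Uint8ClampedArray.from(pixels, (v) => (rand() < 0.5 ? v ^ 1 : v));
}

class SpoofSession {
  // randomInt(n) returns an integer in [0, n). Math.random is a stand-in here;
  // an add-on would draw from crypto.getRandomValues instead.
  constructor(real, loginSites = [], randomInt = (n) => Math.floor(Math.random() * n)) {
    this.real = real;                      // the browser's true values
    this.loginSites = new Set(loginSites); // whitelist: sites where you log in
    this.randomInt = randomInt;
    this.bySite = new Map();               // forgotten when the session ends
  }

  // Hostname is a simplification; grouping by registrable domain would be stricter.
  profileFor(url) {
    const site = new URL(url).hostname;
    if (this.loginSites.has(site)) return this.real;
    if (!this.bySite.has(site)) {
      const bundle = BUNDLES[this.randomInt(BUNDLES.length)];
      const canvasSeed = this.randomInt(2 ** 32);
      this.bySite.set(site, { ...bundle, canvasSeed });
    }
    return this.bySite.get(site);
  }
}
```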
>>
File: drossel_charming.jpg (128 KB, 1024x675)
Here's the biggest problem I see for myself personally and probably lots of others like me.

I'm a graphic designer. My list of system fonts is likely unique to anyone else's on the planet. System fonts can be read easily by any browser. Is there any possible way to block a website's access to my list of system fonts?
>>
File: panopticlick.png (320 KB, 1018x1026)
Tor Browser scores pretty well
>>
>>55314928
Because panopticlick has shit all tests
>>
>>55314761
For Firefox you can set browser.display.use_document_fonts to 0. Then go to about:preferences#content and set which fonts to use. Don't know for Chromium based ones but probably has something similar.
>>
>>55315886
well that would still be unique. Why not research the most used browser/settings and impersonate that?
>>
Fuck off with the anime garbage
>>
dear nigger:

your everything is being monitored and sold as ad-data by your ISP regardless of javascript being disabled
>>
File: 2016-06-29_14-31-53.png (15 KB, 644x500)
>>55312772
>I just wish it could block scripts temporarily like NoScript.
you can make a change to block a script but not save the change. pic related at the top of the window, rubber erases temporary changes, lock makes them permanent. I'm gonna guess that temporary changes last until browser restart. RequestPolicy can block whole domains temporarily
>>
>>55314928
check browserleaks.com
>>
>>55316688
What you could do is find out the most common font set (I assume default for Windows 7/Windows 10) then install these fonts and keep the other fonts outside of your Fonts-folder when browsing. It's a bit of work but I can't think of any better way until someone makes an add-on that can achieve the same result through spoofing.
This is a 4chan archive - all of the content originated from them. If you need IP information for a Poster - you need to contact them. This website shows only archived content.