
Browser fingerprinting

  • 15-07-2013 7:48pm
    #1
    Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭


    http://valve.github.io/blog/2013/07/14/anonymous-browser-fingerprinting/
    Browser is queried its agent string, screen color depth, language, installed plugins with supported mime types, timezone offset and other capabilities, such as local storage and session storage. Then these values are passed through a hashing function to produce a fingerprint that gives weak guarantees of uniqueness.

    I bet the installed plugins contribute a whole lot to the uniqueness of each user.

    So now we need something to randomise some of these settings. Would false reporting on the plugins be enough to limit the usefulness of the data?


Comments

  • Registered Users, Registered Users 2 Posts: 17 dxter


    Most definitely, introducing a degree of randomization would make the fingerprinting useless. The level of effectiveness depends on the number of factors taken into consideration.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Trojan wrote: »

    I bet the installed plugins contribute a whole lot to the uniqueness of each user.

    So now we need something to randomise some of these settings. Would false reporting on the plugins be enough to limit the usefulness of the data?

    How about, instead of randomising settings, we harmonise our add-ons? There are certain add-ons we probably all have anyway. If we all have the same ones it would make fingerprinting much more difficult.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    bedlam wrote: »
    This is the route the Tor browser bundle takes, you all look the same so you hide in a crowd.

    Unfortunately that bundle does not contain certain plug-ins that I definitely need. Things like Ad Block Pro, tamper data, tab mix plus, flashblock, no script etc. I'm sure most people use some of those as well.


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭hooplah


    The EFF have a tester page here so you can see how unique your set up is. I would have thought the range of plugins I use is fairly standard but it doesn't appear to be the case. Neither is the range of fonts (or the order I have them in).

    FAQ about the tester here.

    I use the plugins I do because it improves my browsing experience. I wouldn't fancy losing a lot of them or browsing in 'private/stealth' mode because the experience wouldn't be as enjoyable.

    I have seen wifi cracking tutorials where they advise setting up a fresh vm so that your setup is as clean as possible. Again it's overkill for the average user. On the FAQ page above they make the point that browser and plugin designers could do more to reduce the 'fingerprintability' of their offerings.
    "Flash, Java and other plugins that report fontlists could decrease their fingerprintability by sorting the fontlist before returning it to client side scripts."
    I think that this is probably where we are likely to see improvements, rather than end users coming up with a way to browse and still enjoy the benefits of the current web.
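
Added example, not part of the thread or of any linked project: a measurement over a constructed four-visitor population showing how the two mitigations discussed above (sorting the font list, as in the EFF FAQ quote, and harmonising plugins) change the anonymity set. The profile fields, the FNV-1a hash and every function name are assumptions made for illustration.

```javascript
// Constructed sample population (not real measurements): same browser and
// timezone, differing only in plugin list and in font enumeration order.
const visitors = [
  { ua: "Firefox/22.0", tz: 0, plugins: ["Flash", "Java"], fonts: ["Arial", "Verdana", "Courier"] },
  { ua: "Firefox/22.0", tz: 0, plugins: ["Flash", "Java"], fonts: ["Verdana", "Arial", "Courier"] },
  { ua: "Firefox/22.0", tz: 0, plugins: ["Flash", "Silverlight"], fonts: ["Courier", "Arial", "Verdana"] },
  { ua: "Firefox/22.0", tz: 0, plugins: ["Flash"], fonts: ["Arial", "Courier", "Verdana"] },
];

// FNV-1a (32-bit), a stand-in for whatever hash a fingerprinting script uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// List order is preserved on purpose: enumeration order is itself a signal.
const fingerprint = (v) => fnv1a(JSON.stringify([v.ua, v.tz, v.plugins, v.fonts]));

// Mitigation from the EFF FAQ quote: report the font list sorted.
const sortFonts = (v) => ({ ...v, fonts: [...v.fonts].sort() });
// Mitigation suggested in the thread: everyone reports the same plugin set.
const harmonise = (v) => ({ ...v, plugins: ["Flash"] });

// Identifying bits for a fingerprint shared by setSize of total visitors.
const surprisalBits = (setSize, total) => Math.log2(total / setSize);

// Group a population by fingerprint and summarise how trackable it is.
function measure(population) {
  const sets = new Map();
  for (const v of population) {
    const fp = fingerprint(v);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  const sizes = [...sets.values()];
  return {
    distinct: sizes.length,                          // number of fingerprints
    unique: sizes.filter((n) => n === 1).length,     // visitors alone in a set
    maxBits: surprisalBits(Math.min(...sizes), population.length),
  };
}

console.log("raw       ", measure(visitors));
console.log("sorted    ", measure(visitors.map(sortFonts)));
console.log("harmonised", measure(visitors.map(harmonise)));
console.log("both      ", measure(visitors.map(sortFonts).map(harmonise)));
```

In this constructed population, harmonising plugins alone leaves every visitor unique because font order still differs; only the two mitigations together collapse everyone into one set.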


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I was unique among ~3M visitors to that EFF page. Fairly disturbing that.


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭hooplah


    Khannie wrote: »
    I was unique among ~3M visitors to that EFF page. Fairly disturbing that.

    If you read the faq though they say that over 85% of people are unique.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    evercookie is a javascript API available that produces
    extremely persistent cookies in a browser. Its goal
    is to identify a client even after they've removed standard
    cookies, Flash cookies (Local Shared Objects or LSOs), and
    others.

    evercookie accomplishes this by storing the cookie data in
    several types of storage mechanisms that are available on
    the local browser. Additionally, if evercookie has found the
    user has removed any of the types of cookies in question, it
    recreates them using each mechanism available.

    What if the user deletes their cookies?
    That's the great thing about evercookie. With all the methods available,
    currently thirteen, it only takes one cookie to remain for most, if not all,
    of them to be reset again.

    For example, if the user deletes their standard HTTP cookies, LSO data,
    and all HTML5 storage, the PNG cookie and history cookies will still
    exist. Once either of those are discovered, all of the others will
    come back (assuming the browser supports them).



    http://samy.pl/evercookie/


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,581 Mod ✭✭✭✭Capt'n Midnight


    One test for browser uniqueness is here
    https://panopticlick.eff.org/


    If paranoid how about using something like knoppix (or other popular live distro) in a VM


    This was good for a laugh
    https://addons.mozilla.org/en-us/firefox/addon/firesomething/
    Not available for Firefox 22.0 :(


  • Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭Trojan


    So it appears that this is actually in more widespread use than thought before:
    A new study by KU Leuven-iMinds researchers has uncovered that 145 of the Internet's 10,000 top websites track users without their knowledge or consent. The websites use hidden scripts to extract a device fingerprint from users' browsers. Device fingerprinting circumvents legal restrictions imposed on the use of cookies and ignores the Do Not Track HTTP header. The findings suggest that secret tracking is more widespread than previously thought.

    Device fingerprinting, also known as browser fingerprinting, is the practice of collecting properties of PCs, smartphones and tablets to identify and track users. These properties include the screen size, the versions of installed software and plugins, and the list of installed fonts. A 2010 study by the Electronic Frontier Foundation (EFF) showed that, for the vast majority of browsers, the combination of these properties is unique, and thus functions as a 'fingerprint' that can be used to track users without relying on cookies. Device fingerprinting targets either Flash, the ubiquitous browser plugin for playing animations, videos and sound files, or JavaScript, a common programming language for web applications.

    This is the first comprehensive effort to measure the prevalence of device fingerprinting on the Internet. The team of KU Leuven-iMinds researchers analysed the Internet's top 10,000 websites and discovered that 145 of them (almost 1.5%) use Flash-based fingerprinting. Some Flash objects included questionable techniques such as revealing a user's original IP address when visiting a website through a third party (a so-called proxy).

    The study also found that 404 of the top 1 million sites use JavaScript-based fingerprinting, which allows sites to track non-Flash mobile phones and devices. The fingerprinting scripts were found to be probing a long list of fonts – sometimes up to 500 – by measuring the width and the height of secretly-printed strings on the page.

    The researchers identified a total of 16 new providers of device fingerprinting, only one of which had been identified in prior research. In another surprising finding, the researchers found that users are tracked by these device fingerprinting technologies even if they explicitly request not to be tracked by enabling the Do Not Track (DNT) HTTP header.

    The researchers also evaluated Tor Browser and Firegloves, two privacy-enhancing tools offering fingerprinting resistance. New vulnerabilities – some of which give access to users' identity – were identified.

    Source: email newsletter, full text can be found online.


  • Registered Users, Registered Users 2 Posts: 1,771 ✭✭✭Dude111


    hooplah wrote:
    The EFF have a tester page here........
    Thank you for the page, I was trying to remember what it was and was gonna add it myself!!

    Here is another test: http://fingerprint.pet-portal.eu (This one requires scripts to be enabled)

