I read an interesting paper today that proposes undermining browser fingerprinting by sending false information back in response to tracking requests.
link.springer.com
Also
research.microsoft.com
DOES ANYONE KNOW OF SOFTWARE THAT ACTUALLY DOES THIS?
Other urls found in this thread:
panopticlick.eff.org
fingerprint.pet-portal.eu
8ch.net
twitter.com
...
There's much more that can be used to fingerprint than just user agent. Visit panopticlick.eff.org
From the readme page of the fingerprinting library it uses:
List of fingerprinting sources
UserAgent
Language
Color Depth
Screen Resolution
Timezone
Has session storage or not
Has local storage or not
Has indexed DB
Has IE specific 'AddBehavior'
Has open DB
CPU class
Platform
DoNotTrack or not
Full list of installed fonts (maintaining their order, which increases the entropy), implemented with Flash.
A list of installed fonts, detected with JS/CSS (side-channel technique) - can detect up to 500 installed fonts without flash
Canvas fingerprinting
WebGL fingerprinting
Plugins (IE included)
Is AdBlock installed or not
Has the user tampered with its languages 1
Has the user tampered with its screen resolution 1
Has the user tampered with its OS 1
Has the user tampered with its browser 1
Touch screen detection and capabilities
oh also
Many more fingerprinting sources will be implemented, such as
(in no particular order)
Multi-monitor detection,
Internal HashTable implementation detection
WebRTC fingerprinting
Math constants
Accessibility fingerprinting
Camera information
DRM support
Accelerometer support
Virtual keyboards
List of supported gestures (for touch-enabled devices)
Pixel density
Video and audio codecs availability
Audio stack fingerprinting
>I read an interesting paper today that proposes undermining browser fingerprinting by sending false information back in response to tracking requests.
and if you actually read what OP linked to, you'd see that and are both completely relevant.
First link is behind a paywall, but from the second:
[code]
/* Extracting plugin information */
function getPlugins (){
...
/* JS-based detection of fonts */
function getFontMeasurement(font_family){
...
return [textWidth , textHeight ];
...
function getFonts (){
...
return discovered_fonts;
...
/* Get more fingerprintable information from a
user's:
- timezone
- screen dimensions
- math constants
- ...
*/
[code]
This is what firefox should have protected us from instead of becoming a castrated chrome. Fuck Mozilla.
Btw. check out Firegloves:
fingerprint.pet-portal.eu
browser fingerprints pretty much everything softwarewise and hardwarewise
DPI, Audio, Mouse, Keyboard
Anti-tracking software is developing quite fast, but the tracking agencies will always be a step ahead.
You'll never be fully indistinguishable, but spoofing your headers and not allowing cookies/js you make it harder for them to reduce the scope.
Random agent spoofer can randomly change many of these.
Take your fucking meds, who gives a shit.
changing user agents a few times with the same ip makes you stand out
take your meds user, you are certainly not living in reality
Delete yourself
you got no chance to win
I don't see why it has to be that way; I do not think tracking agencies necessarily have to ALWAYS be 1 step ahead. If only we could develop a browser bottoms-up that is totally geared towards privacy while still being able to view web 2.0 sites.
I don't see why that should stop us from annoying the shit out of the ad men. If you are going to lose, drag your enemies with you.
(pic partially unrelated. If the powers that be put a total end to the free Internet, I'd rather live in pic related world without Internet, than in this one.)
This qualifies as research?
Most of this requires Javascript, which you shouldn't enable whenever possible.
This a million times. Disabling JS will greatly improve speed, security and privacy. What we need is a HTML+JS to static JS-less HTML converter.
Secret Agent addon for Firefox. Even protects against ETAG trackers.
Kill yourself you stupid fuck.
DIsabling JS might make you more identifiable though, because every browser nowadays supports it and everybody keeps it enabled
Disabling JS and drawing attention to yourself, but not allowing random code to be run
OR
allowing JS, not drawing immediate attention to yourself and allowing arbitrary JS code to be execute. I'm not sure of the answer, but I still think it's better not to allow them to register how you type or how you move the cursor.
That's why there should be a frontend browser that fetches JS, runs it and produces local HTML.
Are you the guy who was asking about that in the sticky? I started configuring my machine to set that up actually, if I manage to finish getting it sorted I'll create a thread
No, but thanks for implicitly pointing me in the to 8ch.net
Oh wait, you niggers use meme browsers literally nobody else uses, no fucking wonder.
Are you stupid or trolling? This is about being able to create a very unique fingerprint that can potentially be used to identify you consistently. It takes into account far more than simply your user agent.
I doubt that this can be done in general without effectively implementing Javascript, so we'd have to hope that site authors finally get into graceful degradation.
Some things are really not worth it. For instance, I found that changing the language and quality preferences makes you more identifiable. However, blocking JS kills so much other fingerprinting vectors that it's worth it. I also recommend to use a whitelist for cookies and send no user agent where possible* since you blend in with the plethora of bots.
* Some sites block clients with missing user agents. You may want to try out something like HTTP Header Mangler with a few site-specific rules in that case.
Look at it this way: there are few people who wear gloves at all times, but that's still more than the number of people with your fingerprint.
Who else uses Gentoo Hardened, Xombrero, a tiling WM, Javascript disabled, a VPN and a cryptsetup-LVM root filesystem? That's right, only you. That's how fingerprinting works: if you gather enough data about someone, you will be able to single them out.
You can't figure out he uses all of that with just a client request to your server. Specially whrn he's got JS turned off
say everyone blocks 99% of the fingerprinting vectors and there are still 10000 left in that remaining 1%. fingerprinters will just use vectors within that 1%. choosing to obfuscate rather than block the 99% doesn't get you anything. or am i missing something? this just sounds like another way to add vulnerabilities to the already swiss cheese list of like 5 browsers that exist and people use
metasage
...