---
layout: default
title: Browser Fingerprinting
permalink: browser-fingerprinting
---
{% include blog_post.md %}
I spent the last 2 days customizing my privacy-conscious Firefox setup, and now I've decided to create a blog and write a blog post about it.
I use privacy addons: uBlock Origin, Privacy Badger, Self-Destructing Cookies, Random Agent Spoofer, HTTPS Everywhere, Google Redirects Fixer, Decentraleyes, and CanvasBlocker.
And yet my fingerprint on Panopticlick is unique. So I decided to try to make my fingerprint more common.
Panopticlick's result table has a column saying "one in x browsers have this value", which was pretty useful for this.
The first thing I noticed about this column was that its value for "Hash of canvas fingerprint" and "Hash of WebGL fingerprint" was exactly the number of people who have used Panopticlick, which means that these values were 100% unique.
This was a little weird, as I use CanvasBlocker and thought it'd prevent canvas fingerprinting by disabling some of the canvas's functions, like TBB (Tor Browser Bundle) does.
The problem was that I hadn't read the fucking manual.
CanvasBlocker generates a new value for this fingerprint whenever a certain function is called.
This means that your fingerprint doesn't contain the permanent unique canvas hash, but basically says that you're using CanvasBlocker.
So I started looking for alternatives, hoping they'd do better.
I found Canvas Defender which generates a new value whenever you tell it to.
Now, deciding between these two is something that depends on your threat model.
In general, a common fingerprint is a unique one. Normal users (also known as targets of mass surveillance) don't spend time hardening their browser for better privacy.
Personally, I'd do this:
- look as common as possible (no privacy addons\*) if I were a specific target
- try to fight mass surveillance if I were a target of it (which I am)

\* I'd use Canvas Defender (to change my fingerprint "whenever switching identity"), but definitely not something like Privacy Badger.
And my case is (hopefully only) the second, so I'm more comfortable with them knowing that I use CanvasBlocker than that `97d6df43b0679eb454d08905734ee8f5` is me.
Conclusion: Use CanvasBlocker (unless you're selling nuclear blueprints to North Korea, then you should use `curl -v` instead of Firefox).
The only solution to prevent WebGL fingerprinting I've found was disabling it completely (which shouldn't be too uncommon, since it's basically as if you were using a browser without WebGL support).
So: open about:config and set `webgl.disabled` to `true` (by double-clicking it).
The most common locale is `en-US`, therefore: to prevent locale fingerprinting, set `general.useragent.locale` in about:config to `en-US`, and `intl.accept_languages` (which is the `Accept-Language` header) to something like `en-US,en;q=0.8`.
Now, the less obvious fingerprinting methods.
- System Fonts - font enumeration is done using Flash\* (or maybe Java too; anyway, get rid of Java). To prevent this, put `DisableDeviceFontEnumeration = 1` into `/etc/adobe/mms.cfg`. If you're not using Linux, see the comments here.
- Browser plugins - the only working way is to disable them. Go to about:addons, click `Plugins` (on the left) and set everything apart from Flash (because Flash is, sigh, still pretty important) to `Never use`. If you're worried about disabling stuff like `OpenH264 Video Codec`, like I was, then read the description to see that it's apparently useful only for WebRTC, which you have already disabled anyway.

\* See the update.
Final note: Know that you can have a unique fingerprint even when none of its parts is unique, because the combination of non-unique values can itself be unique.
If you have followed the entire blog post, then the only unique (although changing every time) part of your fingerprint should be the "Hash of canvas fingerprint".
If you have any issues, or have found a mistake, please contact me at [email protected] (Keybase).
Update (2016-01-08): There are a lot of fingerprinting websites. This article helps make your Panopticlick result less unique, not your result on every form of browser fingerprinting. I have just done this test and I can see many values unique, even with this setup.
- Flash could detect my language and platform.
- My fonts could be detected using JS and CSS.
- Date/Time format could be detected using JS
- Presence of PrivacyBadger could be detected using like/share buttons
- Character sizes and canvas' image rendering could be detected, and were unique values (these methods are deprecated on the website, due to the little amount of effort it takes to change these results - zooming, or even running the test again)
I am not very sure about the validity of this test's statistical results, though, as 13 people had the same "Browser Plugin Details" value and the same "Language (Flash)" value, which doesn't make much sense, since `cs` (my language) doesn't seem to be related to `Plugin 0: Shockwave Flash; Shockwave Flash 24.0 r0; libflashplayer.so; (Shockwave Flash; application/x-shockwave-flash; swf) (FutureSplash Player; application/futuresplash; spl).` (my browser plugin details).
Also: total tested = 22,967. See this table:
Browser Characteristic | Number of occurrences | one in x browsers have this value |
---|---|---|
System Fonts (JS/CSS) | 1 | 22,967 |
Fonts (CSS only) | 1 | 20,672 |
The fingerprinting module clearly works, but the statistics have some bugs.
Also, I realized I didn't mention screen resolution and color depth in this post, as it was not a problem for me, since I have 1920x1080x24, which is standard today.
(Actual) conclusion: User-Agent string saying you're running Windows and Flash saying you're running Linux is much less common than running Linux according to both. The amount of browser fingerprinting methods is increasing. Because of this, the best way to make it seem that you're running Chrome in Windows in English on a 1920x1080x24 monitor and using the GMT timezone is to run Chrome in Windows in English on a 1920x1080x24 monitor and use GMT. If this isn't an option for you, use NoScript and disable even Flash (which I didn't propose in the old version, as this means very low usability). Also note that everything depends on your threat model - it's really not very likely that every website you visit will use 10 browser fingerprinting libraries to get your fingerprint.