29 votes

Panopticlick: How unique is your browser?

6 comments

  1. [7]
    Comment deleted by author
    1. [5]
      teaearlgraycold

      Here are my results.

      • Is your browser blocking tracking ads? ✓ yes
      • Is your browser blocking invisible trackers? ✓ yes
      • Does your blocker stop trackers that are included in the so-called “acceptable ads” whitelist? ✓ yes
      • Does your browser unblock 3rd parties that promise to honor Do Not Track? ✗ no
      • Does your browser protect from fingerprinting? ✗ your browser has a unique fingerprint

      Here's their bit on preventing browser fingerprinting: https://panopticlick.eff.org/about#defend-against

      Browser fingerprinting is quite a powerful method of tracking users around the Internet. There are some defensive measures that can be taken with existing browsers, but none of them are ideal. In practice, the most realistic protection is using the Tor Browser, which has put a lot of effort into reducing browser fingerprintability. For day-to-day use, the best options are to run tools like Privacy Badger or Disconnect that will block some (but unfortunately not all) of the domains that try to perform fingerprinting, and/or to use a tool like NoScript for Firefox, which greatly reduces the amount of data available to fingerprinters.

      I would be interested in a browser that provides somewhat obfuscated results to all of the JavaScript/etc. APIs that can fingerprint a browser.

      8 votes
      1. [3]
        onyxleopard

        Safari 12 exposes a simplified profile (fonts, plugin support etc.) that supposedly reduces the amount of information available for fingerprinting. I haven’t heard anyone actually test how effective this is, though. I haven’t heard of other browsers implementing anything similar. Some of the information that is needed for certain browser functions to work is also the information that provides a great surface for fingerprinting, so unless those features are reworked, you’d have to turn those features off to reduce your fingerprint surface. Panopticlick still shows Safari 12 on macOS Mojave as easily fingerprintable based on the number of bits of information it’s leaking from my session.

        From Panopticlick’s analysis (click on the 'Show full results for fingerprinting'), it is HTML canvas support, WebGL, and my user agent string that are leaking the most bits of information. In fact, HTML canvas alone is uniquely identifying me among browsers that have run Panopticlick recently. WebGL support is also making my browser more easy to fingerprint (but not as bad as HTML canvas). There are other factors, such as my screen size and color depth info that are providing a decent fingerprint surface as well.

        8 votes
        1. [2]
          starchturrets

          WebGL support is also making my browser more easy to fingerprint (but not as bad as HTML canvas).

          I’m curious, why is WebGL bad, but not as bad as canvas?

          3 votes
          1. onyxleopard

            It’s not bad, per se. It’s just how much information it reveals to someone who wants to fingerprint your browser: HTML canvas was enough to uniquely identify my browser (1 in >2,000,000) whereas WebGL leaked enough information to say my browser was 1 in ~7,000. I’m just reporting what Panopticlick is measuring in its analytics.

            5 votes
      2. quan7hum

        I got the same basic results as you. I'm running Vivaldi with uBlock Origin, Privacy Badger and Canvas Blocker.
        The most unique fingerprint was from canvas hash, but that doesn't really mean anything, because Canvas Blocker supposedly randomizes it somewhat every time. Next was my user agent, and after changing that from the Vivaldi default to Chrome, it too went down significantly. Panopticlick couldn't determine my WebGL hash.
        Fingerprinting seems to be pretty difficult to avoid completely.

        5 votes
    2. s4b3r6

      I've found fingerprinting too difficult to avoid completely. Many of the tools to prevent it make you unique as well, so you get diminishing returns.

      Instead, screwing with the fingerprint has proved fairly successful for myself.

      I do use a decent adblocker and HTTPS Everywhere; they're sort of foundational things you need before you can effectively mess with the fingerprint.

      You also need to treat most cookies as ephemeral, and kill web workers frequently.

      But, once those easy things are out of the way, it becomes just a case of hiding your traffic within other traffic.

      My friends and I have an EU-based server. We all use socks (ssh as proxy) to lump our traffic together, and from the server side, a random number of connections are also proxied through Tor.

      Since doing so, things like this tool report high confidence on things that aren't correct, and low confidence on things that are.

      It does have some drawbacks, such as more frequent captchas, websites defaulting to either German or French, and more frequent misleading GDPR agreements.

      But I am now 1 in 2000000, rather than something reasonable to target with tracking or advertising.

      4 votes
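
Added example, not part of any comment in this thread and not Panopticlick's code: the "1 in N" and "bits of information" figures discussed above, computed per attribute and for the combined fingerprint, to show why lowering one attribute or using a rare blocker value can still leave a browser unique. The population, attribute values and function names are all constructed for illustration.

```javascript
// Constructed sample population (not Panopticlick data): one row per browser.
const population = [
  { userAgent: "chrome",  canvas: "c1", webgl: "g1" },
  { userAgent: "chrome",  canvas: "c2", webgl: "g1" },
  { userAgent: "chrome",  canvas: "c3", webgl: "g2" },
  { userAgent: "firefox", canvas: "c4", webgl: "g1" },
  { userAgent: "firefox", canvas: "c5", webgl: "g2" },
  { userAgent: "safari",  canvas: "c6", webgl: "g1" },
  { userAgent: "safari",  canvas: "c7", webgl: "g2" },
  { userAgent: "vivaldi", canvas: "blocked", webgl: "g2" }, // blocker user
];

// Number of browsers in `pop` sharing `browser`'s value for every attribute in `attrs`.
function anonymitySet(pop, browser, attrs) {
  return pop.filter((o) => attrs.every((a) => o[a] === browser[a])).length;
}

// Surprisal in bits: "1 in N" corresponds to log2(N) bits,
// so 1 in 2,000,000 is about 20.9 bits and 1 in 7,000 about 12.8 bits.
function bits(pop, browser, attrs) {
  return Math.log2(pop.length / anonymitySet(pop, browser, attrs));
}

// Copy of the population in which browser `i` reports different values.
function withChange(pop, i, changes) {
  return pop.map((b, j) => (j === i ? { ...b, ...changes } : b));
}

// Per-attribute bits, combined bits and anonymity-set size for browser `i`.
function report(pop, i) {
  const attrs = Object.keys(pop[i]);
  const perAttr = Object.fromEntries(attrs.map((a) => [a, bits(pop, pop[i], [a])]));
  return { perAttr, combined: bits(pop, pop[i], attrs), set: anonymitySet(pop, pop[i], attrs) };
}

// Browser 7 switches its user agent to the most common one.
const spoofedUA = withChange(population, 7, { userAgent: "chrome" });
// Every browser reports the same canvas value (a uniform-profile approach).
const uniformCanvas = spoofedUA.map((b) => ({ ...b, canvas: "uniform" }));

console.log("original      ", report(population, 7));
console.log("UA spoofed    ", report(spoofedUA, 7));    // UA bits drop, still unique
console.log("uniform canvas", report(uniformCanvas, 7)); // now shares a set of 2
```

Spoofing the user agent cuts that attribute from 3 bits to 1, but the rare "blocked" canvas value alone still singles the browser out; only when every browser reports the same canvas value does the anonymity set grow.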