Killing Browser Fingerprinting

I do know, that those who are talking here about fingerprinting like "So what? I do not care" probably won't study it. And even more probably they won't stop talking like they did before.

looks like :)
 
getopt: The "Meth Emporium" most likely is a placeholder name for whatever drug den of ill repute can be found around the city you live in. And the owner 'Joe Death' may be the same kind of person who is called 'honest Al' when selling used cars. Does this make things clear, or am I wrong on the interpretation of what drhowarddrfine said?
 
getopt Crivens is saying what I was meaning. Your expectations from visiting Amazon are totally different than if you were to visit a shady web site like the one I mentioned. You feel more comfortable visiting Amazon than an unknown "Honest Al's" don't you?

Your first paragraph is a complaint about marketing. Every company in the world targets customers based on their previous inquiries and purchases.
 
I personally would not feel more comfortable clicking unprotected on sites like Amazon, because they are tracking visitors.
Which leads me back to one of my original points. Everyone is tracking you as much as they can and have been doing so since time immemorial. Again. It's marketing. No one cares about you. It's not personal. You're just a number and a sales objective. It's just that nowadays people immediately think Macy's is selling your DNA to the NSA. It makes great headlines cause it sells newspapers.
 
Which leads me back to one of my original points. Everyone is tracking you as much as they can and have been doing so since time immemorial. Again. It's marketing.

Marketing is fine. Surveillance is not. Recent years of internet development have seen marketers cross the line.

No one cares about you. It's not personal. You're just a number and a sales objective. It's just that nowadays people immediately think Macy's is selling your DNA to the NSA. It makes great headlines cause it sells newspapers.

What do you mean that no one cares about me? I do!

What do you think Wheeler is on about with his recent effort to make gathering of information by ISPs opt-in? (In case you're not from North America, here's an article.) By the way, I don't read FCC proposals because they make great headlines. And I'm fairly certain that FCC chairman Tom Wheeler is not trying to sell newspapers. These things are actual issues of concern for many people. That you may poo poo them is fine, but please don't assume it is trivial to everybody just because you don't agree or don't follow Wheeler's line of reasoning.
 
Those using Tor might be interested in the following, as fingerprinting is a method attacking anonymity:
http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html

Sorry, I couldn't leave that alone - especially after reading the article and thinking about it. From what I understand those are pretty old techniques. Yes, it's a good blog post but at the end he makes an outrageous statement. You may have caught it:

It is easy to fingerprint users using tor browser to track their activity online and correlate their visits to different pages.

It is one thing to fingerprint a user when you know the user and have control of where they're connecting, but it is quite another to make a correlation within the Tor framework. One would have to first identify the user on a non-Tor site and then while she's logged in there, correlate that fingerprint with the "hidden" service connection. And the person being attacked would have to have javascript turned on (which they most certainly wouldn't do if they were paranoid), and both sites would have to be owned or under control of the same entity. As you see, it's getting pretty far fetched.
 
It is one thing to fingerprint a user when you know the user and have control of where they're connecting, but it is quite another to make a correlation within the Tor framework. One would have to first identify the user on a non-Tor site and then while she's logged in there, correlate that fingerprint with the "hidden" service connection. And the person being attacked would have to have javascript turned on (which they most certainly wouldn't do if they were paranoid), and both sites would have to be owned or under control of the same entity. As you see, it's getting pretty far fetched.
Well, it depends on what the "fingerprint" is, doesn't it? If the site (or adsystem on the site) is able to get an accurate fingerprint from just the browser you are using, they don't need to worry if you are connecting through TOR or not.
To prevent the likelihood of this happening you should always use a different browser (than your "normal" one) when you are using TOR.
 
Well, it depends on what the "fingerprint" is, doesn't it? If the site (or adsystem on the site) is able to get an accurate fingerprint from just the browser you are using, they don't need to worry if you are connecting through TOR or not.

The browser fingerprint is the same from all Tor Browsers, with the exception that if you're using an older version (which is bad) you will have an earlier print. I can confirm this from looking at logs on my onion servers.

To prevent the likelihood of this happening you should always use a different browser (than your "normal" one) when you are using TOR.

It's a very bad idea to use another browser with tor. If you read Tor FAQs you will see that it is in fact strongly advised not to. Always use the Tor Browser. It works very well so there's really no reason not to anyway.

BTW, since I know you to be very knowledgeable I'm thinking that there's probably a lot of outdated information out there which those who don't actively keep up with Tor (and fair enough) will be working with. I've seen other comments in this thread which seem to be based on very old information as well.
 
What do you mean that no one cares about me? I do!

Again, I'm talking marketers. You are making it about someone standing outside your house watching your every move.

I try never to involve myself in these discussions anymore so I'm going to stop now.
 
Perhaps it would help to get back to the original poster's question, relating to the technical detail applicable to fingerprint reduction.

From the OP:
I dislike being a 1 in 4.4 million fingerprint when I'm on the Internet.

On that note I checked panopticlick.eff.org yesterday, and it seemed to be reset to only 100,000 total samples. Did they change their algorithm enough to warrant a reset? Is anyone else here seeing the same (low) number?

panopticlick.eff.org
 
I think they're playing with the algorithm or something. Today I get a "several hundred thousand" sample total on my result.
 
The browser fingerprint is the same from all Tor Browsers, with the exception that if you're using an older version (which is bad) you will have an earlier print. I can confirm this from looking at logs on my onion servers.



It's a very bad idea to use another browser with tor. If you read Tor FAQs you will see that it is in fact strongly advised not to. Always use the Tor Browser. It works very well so there's really no reason not to anyway.
Ok, just turn it around then; your "normal" browser should be a different browser than the one you use with TOR (and it probably is). You get the idea.
 
Ok, just turn it around then; your "normal" browser should be a different browser than the one you use with TOR (and it probably is). You get the idea.

We're probably in agreement here and it is me that doesn't understand what you're saying, but I just want to make sure. :) There is only one Tor Browser. Using Tor separately with a browser is never done.
 
Perhaps it would help to get back to the original poster's question, relating to the technical detail applicable to fingerprint reduction.

From the OP:


On that note I checked panopticlick.eff.org yesterday, and it seemed to be reset to only 100,000 total samples. Did they change their algorithm enough to warrant a reset? Is anyone else here seeing the same (low) number?

panopticlick.eff.org
I went to their site a few hours ago and got a different format that said I was something like 257,000 and 12.7. I just did it again about ten minutes ago and the format was different and with these exact ratings. I think they may be modifying the algorithm as we speak. I wonder have they found something interesting since this thread, or receiving more hits and conversations about them elsewhere since this thread [un_x, Jul 24, 2014] done came back up just a little over a month ago.
Code:
Within our dataset of several hundred thousand visitors, only one in 68668.5 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 16.07 bits of identifying information.

Is this good, fair or bad? I don’t understand the less is more thing but maybe panopticlick saw something in that statement and trying to make changes for some reason.

Anyway, there is no excuse not to protect yourself against any kind of INTERNET activity. About fingerprinting … I keep my browser(s) clean. I use one portable Opera for banking, and another for my most trusted sites, and the rest of them I have everything turned off and more. I kill GEO through about:config which works for all Firefox and opera:config which only works for opera 12. to keep the world from tracking me. At install time I disconnect. At first run I grab all affiliated sites that are built in the browser and I block them all until it’s time to upgrade. I'm sure I still get fingerprinted when I don't want to, but I will soon allow only a few to do it thanks to the hints in this thread. I've been very close already. I like my VPN provider. I might tor to them now that I've learned so much about it, right here!
 
Just to add some confusion ;)

Actually you're clarifying. :)

1. With FreeBSD there is no port "Tor Browser". Did you compile the "Tor Browser" from original sources successfully?

I did not compile. Although this thread really is about FreeBSD, I use multiple systems and when it comes to security actually have a separate machine for that purpose, which is probably "best practice". So, at least regarding this point, I think I would have to concede that it is probably me who is causing confusion. Sorry.

2. There is a port security/tor that allows any browser and more to be used with tor. And this is mainly done with FreeBSD while lacking other opportunities except some browser plugins that I do not like.

And that makes it very bad to use with a browser. I don't think that anybody in the Tor community would condone that approach. Just use a separate machine - browser capable computers are free nowadays.

3. It makes a lot of sense using Tor Browser regarding fingerprinting (and other reasons) when using Tor, because it is a cloned fingerprint.

That is really my only point earlier in this thread. Tor has an evolved solution, and perhaps the only practical way to do this. At least a lot of thinking has gone into arriving at it.

4. To me it does not make much sense using the fingerprint of Tor Browser while not using Tor because it hints to a user also using Tor which should be avoided IMO.

Agreed. Tor developers have put a lot of work into solving the fingerprinting problem, and it would seem that they have the best solution to date. I don't know if a similar approach is practical in another scenario, but at this point in time it looks to me like there is no good way to avoid fingerprinting other than using Tor Browser, which unfortunately precludes using FreeBSD at this time.
 
I went to their site a few hours ago and got a different format that said I was something like 257,000 and 12.7. I just did it again about ten minutes ago and the format was different and with these exact ratings. I think they may be modifying the algorithm as we speak. I wonder have they found something interesting since this thread, or receiving more hits and conversations about them elsewhere since this thread [un_x, Jul 24, 2014] done came back up just a little over a month ago.
...

Today, panopticlick.eff.org gives me 135,000 as the total sample. So, yes I think they're working on the algorithm(s). The fingerprint detail page has been updated too. IIRC, platform, hashes, and touch support weren't on the list before. Could be wrong. On my visit to the site just now, the biggest contributor to my fingerprint was the HTML5 canvas hash (by quite a bit), followed by user-agent and then platform (which the user-agent normally contains anyway, but not always). Looks like the canvas hash was killer, but my FreeBSD attribute pushed me over the edge. If I had kept javascript off, I would have been in better shape, but I wanted to see the maximum list.

The fact that only 135,000 people have visited the page since they started making algorithm and/or detail chart changes is a bit disappointing.
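
Added example (not part of the original posts, and not EFF's code): how a "one in N browsers" figure maps to "bits of identifying information", and why one attribute such as a canvas hash can dominate a fingerprint, as the Panopticlick results quoted above describe. The visitor sample, the attribute values and the `report` helper are constructed for illustration; fewer bits means a larger crowd of browsers that look the same as yours.

```python
import math
from collections import Counter

ATTRS = ("user_agent", "platform", "canvas_hash")

# Constructed sample of 16 visitors (not real Panopticlick data).
SAMPLE = (
    # A uniform build: every copy reports identical values.
    [("UniformBrowser/1.0", "Win32", "canvas-a")] * 6
    + [("Chrome/49 (Windows)", "Win32", "canvas-b")] * 5
    + [("Firefox/45 (Linux)", "Linux x86_64", "canvas-c")] * 3
    + [("Firefox/45 (Linux)", "Linux x86_64", "canvas-d")] * 1
    + [("Firefox/45 (FreeBSD)", "FreeBSD amd64", "canvas-e")] * 1
)

def bits_from_one_in(n):
    """'One in n browsers share this fingerprint' expressed as bits."""
    return math.log2(n)

def report(visitor, sample=SAMPLE):
    """Per-attribute and whole-fingerprint identifying information."""
    total = len(sample)
    per_attr = {}
    for i, name in enumerate(ATTRS):
        # How many visitors in the sample share this one attribute value.
        counts = Counter(row[i] for row in sample)
        per_attr[name] = bits_from_one_in(total / counts[visitor[i]])
    # How many visitors share the complete combination of values.
    one_in = total / Counter(sample)[visitor]
    return {"per_attr": per_attr, "one_in": one_in, "bits": bits_from_one_in(one_in)}

if __name__ == "__main__":
    # The figures quoted in the thread: one in 68668.5 browsers.
    print(round(bits_from_one_in(68668.5), 2), "bits")
    for v in (SAMPLE[0], SAMPLE[14], SAMPLE[-1]):
        r = report(v)
        print(v[0], "-> one in", round(r["one_in"], 2), "=", round(r["bits"], 2), "bits")
        for name, b in r["per_attr"].items():
            print("   ", name, round(b, 2))
```

Per-attribute bits do not simply add up: the lone FreeBSD visitor shows 4 bits for each attribute but 4 bits overall, because the platform is already implied by the user-agent.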
 
I wonder how many of you guys are aware that, when you use your cellphone, there's a record of tracking your movement around town.

You're correct when you say that, especially when referencing newer phones.

But - should it be that way? Really? If you track a person's daily detail, and (most importantly) his whereabouts on a second-by-second basis, you can own him.
 
I agree. On the humorous side, they'll know how many daily bowel movements everyone has, then publish it as trivial knowledge.
 
We'd want to relate it to FreeBSD, and computers, so it's not OT. So, it's like being rooted or pawned. It's the flesh and blood version of a rootkit. Think about what a rootkit can do to a computer, and then think about a person's life, and how it can be rooted in the very same way as a rootkit can handle your laptop.
 
I understand how dangerous it is, even before coming across this thread. I don't want to compete against Computer Blue, for someone who is nefarious. You know, like how Banks did in the early 2000's, when they do "market research" to find psychological terms to get away with lopsided practices and cheating. This is worse. Look at what some "questionable" organizations did with their privacy knowledge. And I was hesitant to post this.
 
The tracking is a requirement to switch you between cell towers to improve reliability of the service. One of the reasons for recording it is to improve the service by seeing where users are and how much data they use.

Similarly, most web sites use tracking data to improve service by finding out where users go and what data they view.

Improving service. Not looking over your shoulder. Hmm.
 