• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Killing Browser Fingerprinting

drhowarddrfine

Son of Beastie

Thanks: 821
Messages: 2,618

Ya' know.....with CSS, I can control the size of those same elements on the screen.....and the color.....and this will bring down civilization as we know it.
 

ronaldlees

Aspiring Daemon

Thanks: 262
Messages: 664

That is interesting, but as I mentioned earlier in this thread, I do think he is wrong in his conclusion. His work is fine, though old, and I do understand the fun of making blog posts like that - but he is still grandstanding.
It's a lesser issue than getImageData(), so I mis-stated that.

Relative to the web storage API, if using FF, one can set dom.storage.default_quota to zero and set dom.storage.enabled to false. If a site depends on these, then of course it will break.

I kind of like FF for the ability to set some of these things. Lord knows what's setup in Chrome, for instance. Hmmm, I notice TOR project didn't select them (or Chromium) for their TorBrowser. Hmmmm.

When Netsurf can do javascript I'm going away from *all* of them.
 

OJ

Daemon

Thanks: 253
Messages: 1,038

It's a lesser issue than getImageData(), so I mis-stated that.
Not intending to get into an argument here, but I think the issue is that what that guy is saying doesn't work. At all. He is just plain wrong abut that having a practical use in identifying a Tor user. There is nothing "lesser" about it. :) It's an unfortunate aspect of "nerd" culture, but some love to puff up their chests and announce vulnerabilities in Tor. Only a few pan out and get fixed. Nobody is going to look at this one. There was some discussion among programmers, but most of it was just rolling of eyes.

I kind of like FF for the ability to set some of these things. Lord knows what's setup in Chrome, for instance. Hmmm, I notice TOR project didn't select them (or Chromium) for their TorBrowser. Hmmmm.
I'm also a fan of FF because of the flexibility. As for Tor Browser, Chromium was apparently not used because it has proxy bypass bugs.
 

ronaldlees

Aspiring Daemon

Thanks: 262
Messages: 664

Not intending to get into an argument here, but I think the issue is that what that guy is saying doesn't work. At all. He is just plain wrong abut that having a practical use in identifying a Tor user. There is nothing "lesser" about it. :) It's an unfortunate aspect of "nerd" culture, but some love to puff up their chests and announce vulnerabilities in Tor. Only a few pan out and get fixed. Nobody is going to look at this one. There was some discussion among programmers, but most of it was just rolling of eyes.
I'll take your word for it. I'm not really a browser/javascript guy (have always been a backend coder). Obviously his stuff looked good to me ...
 

ronaldlees

Aspiring Daemon

Thanks: 262
Messages: 664

I hate to necro-bump this old thread, but this is very informative. I'm a little sheepish that I didn't think of it:

The new study, which was conducted using an open-source tool, also uncovered a stealthy new technique used by some small
tracking companies that exploits the way browsers process audio, using it to "fingerprint" computers so they can be tracked ...
From:
https://www.technologyreview.com/s/...king-proves-google-really-is-watching-us-all/

Probably uses the new HTML5 Webaudio API. Wow ...
 

drhowarddrfine

Son of Beastie

Thanks: 821
Messages: 2,618

**sigh**

You know those images you get in your email? When you open them, your email client has to fetch them from a server somewhere. Because you fetched the image, I know you opened the email. Does that make you duck and run for cover? (Actually, I don't do this)

With audio, I can tell what kind of browser you are using! If you play my .ogg files, I know you're using Firefox! And if I know you're using Firefox, I'll serve you .ogg files instead of .mp4!!! OMG!!!!!

EDIT: Just saw the fingerprinting test page. It shows that I can find the audio capabilities of your audio system. Is this world coming to an end?
 

obsigna

Aspiring Daemon

Thanks: 404
Messages: 733

Let me guess, you are tired to respond again and again to these privacy topics.

Let me assure you, that everybody else knows your opinion, since it is simple enough to remember it, and at the same time is tired to reading your same insights on this again and again.

So please feel free, to participate on privacy topics only, once you can't wait telling us some amazingly inspiring news, and nobody would be tired.

...
You know those images you get in your email? When you open them, your email client has to fetch them from a server somewhere. Because you fetched the image, I know you opened the email. Does that make you duck and run for cover? (Actually, I don't do this) ...
Let me guess, you know 2 categories of people, category 1 = Idiots, category 2 = You.

...
With audio, I can tell what kind of browser you are using! If you play my .ogg files, I know you're using Firefox! And if I know you're using Firefox, I'll serve you .ogg files instead of .mp4!!! OMG!!!!!

EDIT: Just saw the fingerprinting test page. It shows that I can find the audio capabilities of your audio system. Is this world coming to an end?
On this answer I don't even need to guess anything, since it is perfectly clear, that you misunderstood this test and the technology behind it. This is not about querying the audio capabilities of any browser. This is about generating a unique ID of a given machine by utilizing DSP results of an audio sample of your computer.

Well, we know already that you don't care. For those who care, this is interesting enough to become aware about it.
 
Last edited:

drhowarddrfine

Son of Beastie

Thanks: 821
Messages: 2,618

obsigna What you are saying is you only want to hear one side of this story. This whole thread is about every tech out there is out to get you and, as one who uses most of the tech on a daily basis, I'm here to let anyone know that, as one who writes code that uses this tech, most of it is tin hat worry.

You can be chicken little or you can go about your normal life. The people I know and myself choose to wake up in the morning, drink our coffee and do our work without giving these concerns one thought cause they are of no concern. It makes life so much more relaxing.
 

OJ

Daemon

Thanks: 253
Messages: 1,038

This whole thread is about every tech out there is out to get you and, as one who uses most of the tech on a daily basis, I'm here to let anyone know that, as one who writes code that uses this tech, most of it is tin hat worry.
I think you're misunderstanding the thread.
 

drhowarddrfine

Son of Beastie

Thanks: 821
Messages: 2,618

Some people cannot stand other opinions other than their own. Even worse is it, when facts are denied.
Totally agree. As I so said.

Some people, and the same people, are pushing one point of view and don't want to hear anything else. Going to the point of calling people "trolls" They have no experience in the field as shown by their statements and examples. As one who works with this on a daily basis, I am trying to explain the error in their thinking and hope they can learn from it cause the people on this board are, far and away, more intelligent and right thinking than the multitude of similar posts on places like Reddit or HN. There, people pile on with repetitive statements from unknown sources and the same, total lack of knowledge and experience in this area. They act like the "boogie man" is around every corner and hiding behind every line of code and spend every waking moment looking for such things cause "they" are out to get them.

But, like the kids on reddit, I learned long ago you can't educate such people just like in politics and religion. They'll go on about it amongst their small group till they grow tired of it and move on to another thread about the same thing. So I regret responding to this. I should have known better.
 

fernandel

Aspiring Daemon

Thanks: 106
Messages: 558

George Orwell 1984 is relatively new but to old what "big brother" watch and want to watch today...

Fernandel
-------------
Bury My Heart at Wounded Knee
 

ronaldlees

Aspiring Daemon

Thanks: 262
Messages: 664

1984 was a pretty good read in its day. But, seriously, it's lame compared to today's culture and what that culture accepts. I don't think that six decade old novel is much more notable than the stuff currently out (or outted) in the online press, as regards such issues in today's frame of reference. Consider the telescreen, which was a big heavy appliance permanently affixed to Smith's apartment room. Today, people carry a telescreen around with them all day long - and it's a much more powerful one.

But, the use of the term does put an accurate fix on that general genre of conversation, and is useful for defining the topic in conversation.
 

wblock@

Administrator
Staff member
Administrator
Moderator
Developer

Thanks: 3,581
Messages: 13,850

It is reasonable to be concerned about capabilities, especially when automation allows those capabilities to be applied to large groups. Assuming those capabilities will not be used because they are unlikely is not a good way to approach computer security.
 
Thanks: OJ

OJ

Daemon

Thanks: 253
Messages: 1,038

Some people, and the same people, are pushing one point of view and don't want to hear anything else. Going to the point of calling people "trolls"
Point of view is your topic. The OP wrote:

I would like to reduce my fingerprint.
You may be able to help with that.

They act like the "boogie man" is around every corner and hiding behind every line of code and spend every waking moment looking for such things cause "they" are out to get them.
That is a troll. :)

But, like the kids on reddit, I learned long ago you can't educate such people just like in politics and religion. They'll go on about it amongst their small group till they grow tired of it and move on to another thread about the same thing. So I regret responding to this. I should have known better.
And so is that. There is no reason not to respond to the topic in a direct and useful manner. Insisting on questioning people's motives is not helpful.
 

shepper

Aspiring Daemon

Thanks: 230
Messages: 689

A provision snuck into the still-secret text of the Senate’s annual intelligence authorization would give the FBI the ability to demand individuals’ email data and possibly web-surfing history from their service providers without a warrant and in complete secrecy.

If passed, the change would expand the reach of the FBI’s already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs—most commonly information about the name, address, and call information associated with a phone number or details about a bank account.
More here.
 

surv

New Member

Thanks: 7
Messages: 9

With FreeBSD, there's yet another obstacle. The FreeBSD network stack is identifiable by itself. Most ad servers can identify whether or not it's FreeBSD, Linux, GoogleOS, or Windows (they each have different packet fingerprints). Look up OS fingerprinting. So, if your user-agent string says Mac, but your tcp/ip stack says FreeBSD, you're gonna be unique in the catalogue of the ad-spammer. Sorry to say.
There are ways to fix it?
 

tomxor

Member

Thanks: 20
Messages: 77

Kind of a side step but... most of the fingerprinting is done by the ads, so adblockers are probably the best way avoid the vast majority of fingerprinting (it can even prevent the GET request to the server so they can't inspect your packets and infer OS)
 

Murph

Well-Known Member

Thanks: 176
Messages: 297

As far as OS fingerprinting goes, it shouldn't really be a major concern. It does not identify a unique machine, there's no tracking enabled by it. If you try to defeat OS fingerprinting, there are two significantly likely negative outcomes: 1) you actually give your machine a unique and trackable fingerprint instead of a generic fingerprint; and/or 2) you significantly harm the operation (security, performance, features, standards compliance) of your network stack. I strongly caution against misguided attempts to defeat OS fingerprinting, especially if you don't fully understand the things you might be tinkering with.

Fingerprinting is actually a slightly misleading word in the context of "OS fingerprinting", as it is not unique like a person's fingerprint, only identifying a generic OS variant (e.g. FreeBSD 10.x). It would be like the entire global population sharing 244 sets of fingerprints. See /etc/pf.os for examples of the level of detail provided by the OS fingerprinting supplied as part of PF. It's handy for things like sending all incoming SMTP connections from Windows into a tarpit, but that's about it. In the hands of an advertising network, about the worst that will happen is you'll see more Cisco, O'Reilly, network management, and server hosting adverts.
 

tomxor

Member

Thanks: 20
Messages: 77

Fingerprinting is actually a slightly misleading word in the context of "OS fingerprinting", as it is not unique like a person's fingerprint, only identifying a generic OS variant (e.g. FreeBSD 10.x). It would be like the entire global population sharing 244 sets of fingerprints. See /etc/pf.os for examples of the level of detail provided by the OS fingerprinting supplied as part of PF. It's handy for things like sending all incoming SMTP connections from Windows into a tarpit, but that's about it. In the hands of an advertising network, about the worst that will happen is you'll see more Cisco, O'Reilly, network management, and server hosting adverts.
More specifically OS fingerprinting should refer to more than the network stack just like browser fingerprinting refers to more than the user agent string... it's how many pieces you can stick together that make it converge to a "fingerprint", for OS you could try to probe for as many services as possible and then probe the services to see how they are configured... so you could probably make it more unique than just "OS". Obviously browsers are much easier.
 

surv

New Member

Thanks: 7
Messages: 9

As far as OS fingerprinting goes, it shouldn't really be a major concern. It does not identify a unique machine, there's no tracking enabled by it.
I do not believe that it is not used as much as possible. All the possible ways. It brings great profit money
If you try to defeat OS fingerprinting, there are two significantly likely negative outcomes: 1) you actually give your machine a unique and trackable fingerprint instead of a generic fingerprint; and/or 2) you significantly harm the operation (security, performance, features, standards compliance) of your network stack. I strongly caution against misguided attempts to defeat OS fingerprinting, especially if you don't fully understand the things you might be tinkering with.
That's the problem, that FreeBSD' generic fingerprint is already very unique in the context "Surfing the Internet on FreeBSD desktop"
Also, the value of uptime can be recorded: http://lcamtuf.coredump.cx/p0f3/ , section 4
I tried to play with net.inet.tcp.* options, until the results of such:
p0f signature changes from
4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df:0
to
4:64+0:0:1460:65535,0:mss:df:0
with
net.inet.tcp.sack.enable=0 (TCP Selective Acknowledgments)
net.inet.tcp.rfc1323=0 (TCP timestamps)
Now uptime not determined and machine is defined as "Linux generic" (should ideally be Windows 10 or 7)

I could be wrong, but in this case
less additional options = more security
Some optimization, that added these options is not significant for desktop machine, I think

Fingerprinting is actually a slightly misleading word in the context of "OS fingerprinting", as it is not unique like a person's fingerprint, only identifying a generic OS variant (e.g. FreeBSD 10.x). It would be like the entire global population sharing 244 sets of fingerprints. See /etc/pf.os for examples of the level of detail provided by the OS fingerprinting supplied as part of PF. It's handy for things like sending all incoming SMTP connections from Windows into a tarpit, but that's about it. In the hands of an advertising network, about the worst that will happen is you'll see more Cisco, O'Reilly, network management, and server hosting adverts.
Of course it is used in combination with other data. In addition, one value may be 80% of visitors (win), other 0.01%.
but for those 80% users other methods are used
 

Murph

Well-Known Member

Thanks: 176
Messages: 297

I could be wrong, but in this case
less additional options = more security
Some optimization, that added these options is not significant for desktop machine, I think
You are wrong.

The window scale and timestamp options exist to improve TCP's performance and reliability. Read RFC 7323 for descriptions of the circumstances where window scaling and timestamps are beneficial. They are no less relevant for desktop systems. In the current era, desktop systems certainly can have the bandwidth to benefit from those features, combined with lower quality connectivity which can see round trip times rise under load. Selective ACKs improve performance and recovery from loss.

You gain no additional security by crippling your TCP stack in that manner. Those options are long established and do not have any negative impact on security. In a narrow set of circumstances, disabling those options is harmful to data integrity (high bandwidth combined with packet retransmission). Degrading the integrity of a protocol which software assumes to be reliable could be considered to weaken security.
 
Top