Killing Browser Fingerprinting

After visiting https://panopticlick.eff.org/, and seeing:

Code:
Browser, Bits of ID, Unique as in 1/x
User Agent 21.05, 2178474.5 [Mozilla/5.0 (X11; FreeBSD 9.2-RELEASE i386; rv:2.0 Gecko/20100101 Firefox/4.0 Opera 12.16]
HTTP_ACCEPT Headers, 8.59, 385.5 [text/html, */* gzip, deflate en]
Browser Plugin Details, 3.92, 15.17 [undefined]
Time Zone, 5.12, 34.78 [480]
Screen Size and Color Depth, 5.99, 63.46 [1600x900x24]
System Fonts, 2.59, 6.02 [No Flash or Java fonts detected
Cookies Enabled, 0.43, 1.35 [Yes]
Limited supercookie test, 0.91, 1.88 [DOM localStorage:Yes, DOM sessionStorage:Yes, IE userData: No]
Your browser fingerprint appears to be unique among the 4,356,949 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 22.05 bits of identifying information.

I would like to reduce my fingerprint. Just the USER AGENT string alone in Opera, combined with FreeBSD, makes me unique as 1 in over 2 million. I know the settings under opera:config for this, but regardless of what I choose, it still detects FreeBSD and Opera. And what is it about the HTTP_ACCEPT that is making me only 1 in nearly 400? Time Zone is just GMT. Can I kill the reporting of my Screen Size? I dislike being a 1 in 4.4 million fingerprint when I'm on the Internet.

Thanks.
 
You can change the user agent string in Firefox in about:config by adding the setting general.useragent.override and setting the value to something like Chrome for Windows.

Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
 
Just for the record, I use the "Random Agent Spoofer" (GPLv3 license) addon with www/firefox.

Another option is to install the JonDoFox profile for Firefox and select 'No Proxy'. It's originally set up for the JonDoNym network or Tor, but it can be used for regular browsing too by selecting 'No Proxy' with the 'JonDoFox Settings' addon icon . By also doing the test over at ip-check.info you can see what is being exposed.

Download (JonDoFox for Linux and BSD (TAR)) and verify the file from the page provided with the initial link. Unpack the TAR file and go to the folder in terminal. For easy MD5sum verification I use the DownThemAll! (GPLv2 license) "right click download option" addon.

Run the command with ' sh' in terminal (not double clicking the script):

sh install_jondofox.sh

At first run, run www/firefox with the profile manager flag ' -p' and select 'JonDoFox'.
 
I imagine you've visited Panopticlick.eff.org ...

There's a problem with changing the user-agent string, if you do not simultaneously change all the other browser header strings. If there is some (uncommon) mismatch (like the usual MS Edge user agent in combination with the usual Mac Safari http-accept string, you'll be unique with near certainty). It requires a lot of thought, and the plugins don't necessarily aid in this process.

Sometimes it's a matter of an extra space (or lack thereof) in common strings.

With FreeBSD, there's yet another obstacle. The FreeBSD network stack is identifiable by itself. Most ad servers can identify whether or not it's FreeBSD, Linux, GoogleOS, or Windows (they each have different packet fingerprints). Look up OS fingerprinting. So, if your user-agent string says Mac, but your tcp/ip stack says FreeBSD, you're gonna be unique in the catalogue of the ad-spammer. Sorry to say.
 
The best thing might be to stay with the operating system you're really using, and then try to select the most common browser config. This turns out to be really tough, because of auto-update and rapid browser version change-over. It's slowly becoming an unwinnable game. I have one box at about 1/9000 - and I call that pretty good.

The other option is to build a browser that (chamelion-like) - changes its profile on every exchange, because the idea of the ad-tracker is to connect the dots, and a continuously changing profile would slow that down.

There's TOR, as one poster mentioned, but do you *really* want your webmail going through Mozambique?
 
Using only noscript and requestpolicy gets me:
Currently, we estimate that your browser has a fingerprint that conveys 12.03 bits of identifying information.
I assume less is more, eh?
 
Maybe it's time to introduce Bobby Tables to the spammer networks... If you are singled out anyway, you may as well create some headaches for them. I'm one to half a million in that test, by the way, but that is still too much for my taste.
 
I've fooled with this kind of thing on a copy of Iceweasel and in the end it really was just a way to learn stuff. I didn't achieve what I had hoped. The best way really is to install Torbrowser and don't change a thing (including window size) with that.

I find it too much trouble to use Torbrowser for everyday use though, so mostly use a VPN which gives a small amount of obfuscation to the adslingers.
 
www/xombrero comes with detailed instructions on enabling tor browsing about 4/5 the way down on this page.

As far as browser fingerprinting, xombrero also offers round robin user agents
~/.xombrero.conf
Code:
# "user_agent" can be set to just about anything, for a comprehensive
# list see: http://www.useragentstring.com/pages/All/ . If more than one
# "user_agent" is given, then xombrero will use them in a round-robin
# fashion for each request.

<alt-j> lists all cookies which can be quickly cleared. <alt-h> clears history.

Unfortunately, the FreeBSD port is broken at this time.
 
Using only noscript and requestpolicy gets me:

I assume less is more, eh?

Correct, less is more. It's also true that javascript is probably the biggest contributor to making the fingerprint "closer to unique," through its ability to dig further into your details, using things like HTML5 canvas hashes, webgl hashes, etc. Turning it off is the only way (on a recent browser) to get the numbers you've shown.

The fly in the oil is that many of the most important sites don't work well without javascript, and unfortunately affiliates of those sites are the ones most likely to *want* your ad info.
 
Is this a contest? :) 1 in 6,464,738 and 22.62 bits of identifying information.

I haven't seen an ad in ages, thanks to Adblock+ and
Code:
local-zone: "almamedia.fi." static
(local tabloid "giant") in unbound configuration.

Juha
 
The fly in the oil is that many of the most important sites don't work well without javascript, and unfortunately affiliates of those sites are the ones most likely to *want* your ad info.
"don't work well without javascript" is somewhat of a subjective sidestep that is typically bantered around because people assume that web browser javascript can either be on or off as a whole. Reality is more nuanced and given that high traffic sites typically pull in outside code to construct the page is why noscript and requestpolicy should be used in tandem.

It has been my experience that you can generally allow noscript to be enabled for javascript at the root FQND of a website without much of an issue. Based upon what is called from the root, you can allow scripts that will restore functionality while disallowing the ones you dont want. If you think of noscript as your heavy lifter, requestpolicy is your forward recon ops squad. requestpolicy tells you what is being requested to be loaded from outside of the root FQDN and that really is key to effective blocking.

googletagmanager.com wants to load? umm .. I dont think so. Recently, my insurance company went with some stupid salesforce.com backend with a bunch of hooks to outside websites. In this particular case, the functionality of simply paying my bill could not be restored without enabling GTM, Facebook et al. To work around this, I used fiddler to intercept the evil .js calls and instead it loads a local .js file:

fiddler.JPG


That local file simply opens a dialog box so I know where the site is at in its loading:
Code:
alert('fbds.js')
The noscript / requestpolicy posture is not for everyone and I rarely will recommend it in conversations due to its nearly vertical learning curve but I enjoy the fine grained control it allows.
 
Hiding your footprint is, unfortunately, nigh-impossible.

Changing your user-agent reveals less information, but it doesn't stop sites from guessing the browser. This can be done in Javascript as well by accessing things like window.mozContact, window.opera, and some other variables I don't remember off-hand. I believe WebKit even stores the full version number somewhere in JS. I'm not sure if you can also "guess" the OS this way, but it's very feasible that this is possible.

Disabling Javascript would appear to "fix" this, but having Javascript disabled is in itself an identifying feature. The same applies to disabling things like Flash or localStorage; no "supercookies", but you are a lot of identifiable.

It's also broken from a functional point-of-view. For example, a few days ago I ran into a problem where hyphenation works on all browsers, *except* Safari on OSX; for some reason it shows a 9 instead of a dash. I have no idea why, but I suspect it's a Safari bug, and until I have time to investigate (and possibly fix) it I just disabled hyphenation for Safari only. This would break if you do funny things like spoofing user agents.

In short, IMHO hiding your footprint is not feasible without making severe compromises. I feel this is a problem that should be addressed at the legislative level; the EU "cookie law" is an attempt, but it's stupid, ineffectual, and annoying to boot.
 
Disabling Javascript would appear to "fix" this, but having Javascript disabled is in itself an identifying feature

The fly in the oil is that many of the most important sites don't work well without javascript, and unfortunately affiliates of those sites are the ones most likely to *want* your ad info

The other neat thing about www/xombrero, that <ctl-j> will toggle javascript on/off - get to your destination site and then turn it on. <alt-j> lets you delete cookes in another tab on the fly. I wonder how much I stand out with the round robin user-agents and javascript that comes and goes?

Brings to mind a passage in Alice's Restaurant - "if one person does it they think your crazy, if two people do it in harmony, they think you're gay". "And if 50 people a day, 50 people a day then its a movement."
 
I remember a few years back, Ebay was having some fraud resolution issues, and was barring logins from people who tried to sign on with a different browser than (apparently) what had been recorded as the "usual browser" for that person.

I had to call a certain telephone number, and give them security details before they would allow the "new browser". I had to do this frequently for a while because I was experimenting with many different setups. Well - that hasn't changed much. :)

Today I tried to use Ebay without javascript (I've done it often in the past). No dice. Now, they demand javascript to use the site. So now I guess my Netsurf won't cut it. I wonder if they're still identifying browsers (as they did before) - but now want the extra bits that javascript gives them, for verification purposes?
 
One thing that I have been wondering is why browsers are so verbose with their version information, eg. my current browser says "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0" (no FreeBSD this time I'm afraid). Why can't it just say "Firefox 38"? That alone would already make people quite a bit less unique while still providing enough information for browser-specific tweaks.

Most of the time I just set the user agent to an empty string which brings its own issues -- some sites will refuse to load (because hey, I could be trying to scrap your website without pretending to be IE) while others create infinite redirection loops. Plus I suppose an empty user agent is only marginally less unique than the string above.
 
cockroach The User Agent information you see is for legacy software that still uses that information. Even Microsoft's Edge still IDs itself as Gecko, iirc. I just woke up so I may blurt things out slightly incorrectly.

There are services that look at the User Agent string to determine capability of the browser and which device you may be on; mobile vs desktop for example. So IDing it as Firefox 38 does no good if I serve you one page one way on mobile and a different way on a desktop.
 
Today I tried to use Ebay without javascript (I've done it often in the past). No dice. Now, they demand javascript to use the site. So now I guess my Netsurf won't cut it. I wonder if they're still identifying browsers (as they did before) - but now want the extra bits that javascript gives them, for verification purposes?

NetSurf is working on it:
NetSurf 3.4 released17 Feb 2016
NetSurf 3.4 features many optimisations to improve performance over previous releases. It also contains many bug fixes, including improvements to page layout. This is also the first release to contain the DuktapeJavaScript engine. While our JavaScript bindings have seen a lot of development for this release, JavaScript remains disabled by default as the support is incomplete. We recommend all users upgrade to NetSurf 3.4.
 
I forgot to address the javascript issue.

Javascript is becoming as ubiquitous as HTML and CSS on web sites. Done properly, a site should allow all the functionality without javascript but market forces often deem it "necessary" to add pizzazz or responsive speed and the developer has no choice. Or there aren't enough developers to make all that happen so pizzazz wins out.

In almost all cases, this fear of javascript is unwarranted. Legitimate sites use it for two reasons only; marketing and functionality. Marketing to learn what their customer is interested in. Functionality for speed and pizzazz.
 
In almost all cases, this fear of javascript is unwarranted. Legitimate sites use it for two reasons only; marketing and functionality. Marketing to learn what their customer is interested in. Functionality for speed and pizzazz.

I have a sense that alot of javascript is buggy. I run an OpenBSD machine that does not tolerate memory leaks (?privilege separation/regular sanitizing of 1/2 the free memory). If I go to a site with embedded videos using Firefox-esr/Webkit3 browsers they will often core dump. If I use Netsurf or Xombrero, with javascript toggled off, I can view the same site without problems. For me the issue is not one of fear but rather the degree of security compromise I should tolerate in order to access content.
 
shepper Well, that fear of security is what most people mean and what I talk about. Mostly unfounded.

As far as buggy javascript, you're right. I'd bet 80% of all web site programmers sole javascript knowledge is how to copy/paste from Stackoverflow.
 
On the topic of fingerprinting, <alt-j> in www/xombrero quickly lists the current cookies. Starting with no cookies, if I look at the CNN web site, I end up with about 30 cookies. Why do I end with a linkedin cookie and a .linkedin cookie? My understanding is that 30 cookies, each with unique time/date stamps is another fingerprint. I compulsively delete them; not an ounce of sympathy for the effort it took to load them in the first place.

Addon: I would also suggest that if the practice of deleting cookies was widespread it would significantly lessen the value of cookies as a means of tracking. Perhaps to the point that value that is gained from cookies is outweighed by the resources it takes to place them.
 
In my case, cookies are used to let me know if you already visited that page so I don't show you something you already saw or did so you don't have to see or do it again. For example, one site flashes their slogan on first visit but not after that. It stores any view settings you might make like language preferences or if you prefer to stay logged in. These bigger sites have advertisers who want to know the same thing, or slightly different, in their own way. Sometimes it sets what your device is so I can serve better pages for that. And on and on. iow, it's mostly for saving settings than anything else.

In fact, the vast majority of sites don't do much more than that with cookies.
 
Back
Top