Browser Fingerprinting Without JavaScript (fingerprintjs.com)
157 points by sni on Oct 29, 2021 | 121 comments


Being a fervent Tor Browser user, i just tried with it and of course the fingerprinting failed. Several copies of it give me the same fingerprints: e56952dba176a47af3c051b626b64ff3 (Safer mode) 632e305f8a939e5ba6afd24eced586f0 (Safest mode)

That's because the Tor Browser, contrary to urban legend, is not just a browser that routes traffic through the tor network, but a firefox reworked (most of which is being upstreamed) explicitly to combat fingerprinting (some kind of digital black block if you will).

Overall that's an amazing compilation of modern web fingerprinting vectors. I'm just a little disappointed they left screen size (and maybe other obvious avenues) out of the demo. That would be a really cool way to demonstrate how Tor Browser's window cutting (or whatever that's called) works [0].

I read somewhere (but i can't vet the claims) there's enough variance on TCP implementations across systems to be able to distinguish, and i'm curious how the Tor Browser deals (or doesn't) with that. Could be an idea for v2 demo.

Thanks for the cool demo! I definitely enjoyed the script-like UX of the page. I wish more sites did stuff like that instead of defaulting to JS for every little animation or dynamic content.

[0] Tor Browser enforces actual width and height of the web rendering part of the window to be multiples of certain numbers, so that websites can provide experience for smaller/larger screens while retaining limited fingerprinting (eg. your fingerprint will not be affected by a user-configured or desktop-dependent window border, scroll bar width, or anything such)


Did you see the specific CSS hack they use to tell if you're using the Tor Browser as opposed to normal Firefox?


What's the point? You can tell if someone is using Tor anyways from their IP.


Tor is not Tor Browser. Detecting outdated Tor Browser version would help you detect well-known vulns. Detecting non-TBB browser over Tor would suggest that side-channel attacks are available to defeat onion routing (eg. WebRTC leaks).

If you want privacy, use Tor Browser. It's the only privacy-friendly browser out there. All others have many holes and leaks and very little intentions to close them. Although Firefox has a "Tor uplift" project upstreaming patches from Tor Browser into Firefox's strict privacy mode.


I guess they can easily identify tor vs normal firefox (especially with tls fingerprinting probably used by cloudflare). But the goal of fingerprinting is mostly to distinguish users. There can be sane uses like collecting fingerprints to stop bot attacks from registering. But as we know, in the selfish society of today they are mostly used to collect data and show ads. And egregious browsers like chrome have no incentive to solve this problem.


I did, but i personally don't care that everyone knows i'm using a tor browser. TBB is like a digital black block [0]: it is known i'm in there but nobody knows who i am in that crowd.

[0] https://en.wikipedia.org/wiki/Black_block


Tor's techniques also make it a monoculture. The smallest fuck up that makes you just a little bit more identifiable normally, makes you stick out like a sore thumb among TBB users.


The "Safest" mode gives me different fingerprints each time.

The "Standard" and "Safer" modes give the same fingerprint tho.


So how crippled does regular web browsing become using Tor safest mode?

I'm tempted to give it a whirl for a week.

Root my phone, flash something secure, leave VPN always on, and limit web browsing to Tor to get a feel for how bad or good it is.

The self inflicted contortions developers go through to justify the need to spy drive me crazy. Modern devices and bandwidth are more than sufficient to handle a vast majority of applications, but everything has to be cloud based rent-seeking-as-a-service.


> So how crippled does regular web browsing become using Tor safest mode?

In my experience, not really much. There's occasionally a few articles i can't read because they require JS just to display their blogpost but outside of HN planet, it's not that common (most people use Wordpress themes or other decent HTML/CSS templates).

The real problem is Cloudflare and other gatekeepers who claim to protect from bots and attacks, but are more likely to block honest people. If you know people using Cloudflare, please insist that they don't. If you really need DDOS protection because you've repeatedly been a victim, please use a decent network-level mitigation (as provided by professional hosts like OVH/Hetzner) not some shitty invasive DPI solution that will have 99% false positives.

An interesting aspect of Safest mode i enjoy is the web is "read-only" again with it. Well you can still POST stuff via forms, but it's an explicit opt-in operation. TBB's Safest mode is closer to reading a newspaper than the modern web could ever be.

As a nice bonus, the Safest mode is really resource-efficient. I can have hundreds (thousands?) of tabs open for days without leaking memory, and CPU is only used to draw stuff (no tab mining coins on my behalf). I don't know a single browser with JS enabled that can keep many tabs open without rendering my machine utterly useless due to overusing CPU/RAM. Hell, i don't know a single browser with JS that can prevent a single tab from using all of my resources. TBB's Safest mode is really the only modern way i know to browse the web on low-resource hardware (lighter webbrowsers exist, but they usually don't implement modern CSS3 features).

EDIT: I should mention that the only useful service i can't use with Safest mode is Gitlab. Because Gitlab still does client-side rendering for some reason?!


I think the biggest problem of surfing the web via Tor end nodes will be the Cloudflare captcha. As much as I like Cloudflare, their captcha makes the open web pretty much unusable through Tor. At least last time I tried.


We need to boycott Cloudflare and others like them. They are pretending to protect websites, but in fact they create a walled garden where they decide who gets in.

People who use privacy tooling are left out, people from poorer countries are left out (due to bad IP range reputation), and legit bots scraping websites are left out.

If you need DDOS protection, use network-level mitigations from your host and basic rate limiting. If you need to protect your admin area from bruteforce and known vulns, restrict it to localhost queries and use SSH tunneling with public-key auth. If you need geo-replication, think again, you probably don't: make your pages lighter (why JS? why custom fonts?) and reduce the number of queries at all costs (the biggest slowing factor on high-latency links).

You don't need Cloudflare, even for a popular international website. Designing your website properly will make it more user-friendly and faster to load. From anywhere in the world, it should be fully rendered before any similar Cloudflare-powered page could load the JS spyware blocking access to the content.


not just tor, but also the increasingly common cgnat or regular nat with a lot of users (soho, institutions, dorms, libraries ...)


Rooting your phone and it being secure are two completely different things my friend.


I can't tell if you're trying to say unrooted phones with stock carrier roms are somehow understood to be secure, or if rooting is mutually incompatible with security, or something else. Want to expound?


Here's a link to a more complete explanation from the primary developer of GrapheneOS: https://teddit.net/r/GrapheneOS/comments/du23la/rooted_or_ro...

Basically, you don't log in to your Linux box (or Windows, Mac, etc) as root for day to day use and same thing goes for your phone.


Rooting your phone means you obtain root access to the device, bypassing carrier restrictions. It does not mean you run it as root user day to day. That would indeed be insecure.

Rooting is not incompatible with security. Trusting carrier distributed software on a locked down device is far less secure than using a custom install of something like Calyx or GrapheneOS.

In my view, trusting Google, Apple, Verizon, t-mobile, or at&t is incompatible with security.

The idea that people having administrative access to their own devices is inherently insecure is vicious anti-consumer nonsense.


well put.

thou for non-technical users, rooting a phone is a bit like going back to windows xp.


Someone already linked a thread by a GrapheneOS dev. This is useful too.

https://madaidans-insecurities.github.io/android.html#rootin...


not OP but rooting is incompatible with security.


What's your threat model? Is it more secure that you as a user can execute root code? Or that your phone manufacturer can without asking for your permission?

Modern smartphones are basically spyware distros. I would argue it's far more secure to run a decent distro (Lineage/Replicant) with root, than it is to run any SamWeiMi crapware without root. Oh yes, the manufacturer's crapware has system privileges whether you ask for it or not, and so does Google Play Services, Google's universal backdoor for Android.

On paper, no root is better. In practice, even on a crap distro, rooting it will enable you to remove most crapware to reduce attack surface.

Also related: if you're concerned about security, you should probably only use applications from F-Droid.org repos. Google Play Store (and others) are just full of spyware! See also the Exodus Privacy project tracking trackers via static analysis of APKs.


Even with a custom ROM that includes no google anything whatsoever, you still should not have root... that's what I mean. Just like how you should always use Secure Boot (but LineageOS requires you leave it off).


not rooting is incompatible with freedom


Safest gives me the same each time.


> window cutting

The term you're looking for is letterboxing.

https://www.zdnet.com/article/firefox-to-add-tor-browser-ant...
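The footnote upthread says Tor Browser forces the content area to multiples of certain numbers, and this reply names the technique: letterboxing. The block below is an added example, not Tor Browser's code, that models letterboxing as a bucketing function and counts how many distinct observable viewport sizes a set of real window sizes collapses into. The step sizes (200 by 100 pixels) and the sample of window sizes are assumptions constructed for illustration, as are all the function names.

```javascript
// Added example (not Tor Browser's implementation): letterboxing as a
// bucketing function over the viewport size a page can observe.
// The step sizes are an assumption chosen for illustration.
const STEP_WIDTH = 200;
const STEP_HEIGHT = 100;

// Viewport size a page would observe after letterboxing: the real
// content area rounded down to the step grid (never below one step,
// so a tiny window still reports a sane size).
function letterbox(width, height, stepW = STEP_WIDTH, stepH = STEP_HEIGHT) {
  const w = Math.max(stepW, Math.floor(width / stepW) * stepW);
  const h = Math.max(stepH, Math.floor(height / stepH) * stepH);
  return { width: w, height: h };
}

// Map each window size to its observable bucket and count the population
// of each bucket. A step of 1x1 models a browser without letterboxing.
function anonymitySets(sizes, stepW = STEP_WIDTH, stepH = STEP_HEIGHT) {
  const buckets = new Map();
  for (const [w, h] of sizes) {
    const b = letterbox(w, h, stepW, stepH);
    const key = `${b.width}x${b.height}`;
    buckets.set(key, (buckets.get(key) || 0) + 1);
  }
  return buckets;
}

// Constructed sample: content areas that differ by a few pixels of window
// border, scrollbar or toolbar height, as seen across desktop environments.
const SAMPLE_SIZES = [
  [1366, 643], [1366, 657], [1349, 643], [1352, 662],
  [1920, 969], [1903, 979], [1920, 950], [1905, 955],
  [1280, 720], [1264, 733],
];

// Without letterboxing every one of the ten sizes is distinct; with it they
// collapse into three buckets, so the few-pixel differences from window
// chrome carry no information.
function summary(sizes = SAMPLE_SIZES) {
  return {
    rawDistinct: anonymitySets(sizes, 1, 1).size,
    letterboxedDistinct: anonymitySets(sizes).size,
  };
}

console.log(summary());
```

The point the footnote makes falls out of the numbers: the bucket is decided by the step grid, not by the user's theme or scrollbar width, so those details stop contributing to the fingerprint.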


TCP fingerprinting TOR would fingerprint the exit node


That's a fair interpretation! I'm not familiar with tor internals, but i assumed after removing the last encryption layer, the exit node would "expose" raw TCP traffic from the original requester. Otherwise, how does it work?


TCP is a bidirectional stream so ignoring some of the edge cases you can just proxy it across any stream transport. in the case of TOR it sets up a bidirectional stream across its network and then bytes come into the exit node over the TOR stream and then the exit node just writes them out using the normal operating system write() method. bytes then come from the normal operating system read() method on the exit node and the TOR exit node just sends them back over the TOR stream. on the client node setting up the stream over the TOR network and receiving/sending is exposed as a SOCKS proxy but i guess you could also have something fancy which intercepted traffic transparently (https://gitlab.torproject.org/legacy/trac/-/wikis/doc/Transp...). i haven't looked at the TOR project for a while but it looks like they are heavily pushing the TOR browser which I guess means the user is not exposed to any proxy setup and can't accidentally misconfigure things in a way that would break their anonymity.


I tried this with Tor Browser on two different computers and got two different fingerprints, even in safest mode.


Interesting. Are you running different systems? If so, can you explain which (and which desktop environments) so we can (try to) reproduce?


Yes, the one was on Void Linux (no desktop environment), the other on Kubuntu (KDE).


It's probably worth a bug report to the TBB team so that they can investigate why fingerprints would be different. Having a unique fingerprint across instances is the very goal of TBB.


Browsers should limit every webpage to displaying a maximum of two fonts, and should silently ignore any font face rules after the first two. Maybe three if you're feeling generous. With variable fonts available in every browser it wouldn't impact typography much.

It would stop this sort of privacy attack, and it'd have the additional benefit of making the web look a lot nicer.


That's just insane. Sites and apps I build these days usually include FontAwesome and/or another icon library, frequently along with a custom dingbat font for the company's unique logos and iconography (we bundle all relevant vector art as a font). Then you have primary and secondary brand fonts, along with sometimes readability fonts. Not to mention iframed forms coming off credit card gateways. I have no idea how a proposal like this could be implemented, but it definitely would destroy most modern layouts.


Why can't you design sites that degrade gracefully? Keep in mind that font loading in low-bandwidth areas can be atrociously slow. You may have to wait minutes before all the assets have loaded. Vanilla HTML has no such accessibility or compatibility problems and can be viewed in all browsers on any network. Whatever issues your sites have are issues you have added to them.

I know you're thinking "well I don't see any of that in my analytics so this seems unlikely". Consider then that your analytics needs to actually load before the visitor bounces for them to show up in the statistics.


painfully true

thou it will be argued that it is a minority that is affected and it makes little economic sense to care.


Are the majority affluent city-dwellers? Maybe in Luxembourg this is true, but in many parts of the world it just isn't.

But you get a sort of selection bias. Out of the people with money to buy the tech that can keep up with these sites and the network speeds to use these sites, out of those people, most people have modern tech and good metropolitan network access.


I could live with that and I think many users would agree.


Live with a 2 font maximum and popups every time a site chose to load another font? It would break every icon on the web. You'd either only load the icons or only load the text fonts. If you want to avoid fingerprinting, and actually think this method remotely works, by all means block those requests. If you actually care about privacy a better place to start would be the fact that chrome logs you in on the browser level whenever you login to anything with a Google password. Some random fingerprinting is not worth shutting down all design for. On that idea we should just go back to dialup because everything is too dangerous for idiots to handle.


If you actually care about privacy a better place to start would be the fact that chrome logs you in on the browser level whenever you login to anything with a Google password.

Google is not the only company that has no respect for privacy. Privacy protection needs to go further, and stop privacy invasion completely.

There is a reasonable balance to strike between privacy, design and usability though. That's why I said 2 or 3 fonts. Maybe 4 at a push. If a site is using more than that then either the developers aren't very good, or the designers aren't very good, or it's trying to attack the user's privacy. Whichever one it is, it should be stopped.


I hate fancy designed sites that take forever to load, or need to be refreshed to work. If you’re really calling everyone an idiot who doesn’t like your bloated site design, re-examine why is it genius to have bloated sites like yours?


They might agree in principle, but they’d be pretty pissed off when nothing works when they open their web browser. The golden rule in web standards development is “don’t break the web”, ie you can’t just recklessly change web platform features, you have to do it thoughtfully and carefully to avoid breaking existing websites. It’s not a perfect rule, there are exceptions where the breakage is tiny and the benefit is huge, but what you’re proposing is huge destruction and would not make it past the first stage of consideration.


What’s the benefit of including vector art as font rather than SVG?

How do you do multiple colors in fonts?


This feels like it's targeted at a very narrow view of what a browser is for. How would a site like fonts.google.com work?


Giving up resources like Google Fonts in order to increase privacy for the entire web seems like a fair trade off to me. Besides, it'd still work fine, but you'd only be able to view two or three fonts at a time.


> Besides, it'd still work fine, but you'd only be able to view two or three fonts at a time.

That would be trivial to break over a few requests, I think


Easy. The limit should be for 2 fonts, unless you load them your self


You don't seem to realize that the fingerprinting has nothing to do with what fonts you load from a page. It's what fonts you have installed on your machine.


The font-face attack in the article requires loading the font from a remote location. A JS font enumeration attack works with local fonts. That would need a different mitigation in the browser, but browsers could, for example, have an array limited to three elements that JS gets when it asks for a font list, or just return the system default fonts, or just say no. A permission to get the full list would be necessary for things like browser-based editors and design software, but it'd still be worth it in my opinion. It would be a huge win for privacy.

The fact is very few websites use more than three fonts at a time on any particular page, and most sites that do could rework their design so they don't (swapping icon fonts for an SVG font map, for example), or they could implement a canvas or WebGL alternative.


I think icon fonts and custom icon fonts (like I build) are a huge win for web designers, a giant leap over embedded SVG or images as they can be scaled with CSS and without any SVG embedding or code; and they're tiny and don't need progressively larger files (like images). Yeah obviously there are workarounds but it's such a good tool that blowing it up because someone could use it for nefarious tracking purposes is equivalent to blowing up images. Hey how about we limit all Ajax calls until a user confirms. Or make them confirm every HTTP header one by one. You want to go after fonts? Shit, we've really fucked up civilization if we have to make everything in Arial or Times New Roman just to protect people from being tracked.


don't need progressively larger files (like images)

SVGs are vectors so they aren't larger at larger sizes, and they can be responsive so you don't always have to display the same image at every size.


Also, fingerprinting is not necessarily an attack at all. I use it frequently to see whether a user is logging in from an unknown box, in which case we'll require secondary authentication. It's actually not a bad thing if you're using it as one part of a verification process to secure user accounts. It only gets bad if you track people around with it or share those prints with other sites to aggregate behavioral data. I use it regularly to keep my own customers safe.
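The comment above describes fingerprinting as one input to account protection rather than as a tracker: an unseen device triggers a second authentication step. The block below is an added example, not the commenter's code, of that decision logic. The account store, the device cap, the 90-day expiry and the function names are all assumptions constructed for illustration; the fingerprint value is treated as an opaque per-site string that is stored only against the account it belongs to.

```javascript
// Added example (not the commenter's code): a device fingerprint as one
// signal in a login risk decision. It decides only whether to ask for a
// second factor; it is never shared with other sites.
const MAX_DEVICES_PER_ACCOUNT = 5;  // assumption: cap on remembered devices
const DEVICE_TTL_DAYS = 90;         // assumption: forget devices unseen for 90 days
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed account store: account -> devices remembered from past logins
// that completed the second factor.
function makeStore() {
  return {
    alice: [{ fp: 'fp-a1', lastSeen: Date.parse('2021-10-20T00:00:00Z') }],
    bob:   [{ fp: 'fp-b1', lastSeen: Date.parse('2021-01-01T00:00:00Z') }], // stale
    carol: [],
  };
}

function isFresh(device, now) {
  return now - device.lastSeen <= DEVICE_TTL_DAYS * DAY_MS;
}

// Pure decision for one login attempt after the password already checked out.
function loginDecision(store, account, fp, now) {
  const devices = store[account] || [];
  const fresh = devices.filter(d => isFresh(d, now));
  if (fresh.some(d => d.fp === fp)) {
    return { secondFactor: false, reason: 'known device' };
  }
  if (devices.length === 0) return { secondFactor: true, reason: 'no devices on record' };
  if (fresh.length === 0) return { secondFactor: true, reason: 'only stale devices on record' };
  return { secondFactor: true, reason: 'unknown device' };
}

// Called only once the second factor succeeded: remember the device, drop
// stale entries, and keep at most MAX_DEVICES_PER_ACCOUNT (most recent first).
// Returns the number of devices now on record for the account.
function rememberDevice(store, account, fp, now) {
  const devices = (store[account] || []).filter(d => isFresh(d, now));
  const existing = devices.find(d => d.fp === fp);
  if (existing) existing.lastSeen = now;
  else devices.push({ fp, lastSeen: now });
  devices.sort((a, b) => b.lastSeen - a.lastSeen);
  store[account] = devices.slice(0, MAX_DEVICES_PER_ACCOUNT);
  return store[account].length;
}

// Walk through a login from a new device: challenge, then remember.
function demo() {
  const store = makeStore();
  const now = Date.parse('2021-10-29T00:00:00Z');
  const first = loginDecision(store, 'bob', 'fp-b2', now);   // stale record only
  rememberDevice(store, 'bob', 'fp-b2', now);                // after 2FA succeeded
  const second = loginDecision(store, 'bob', 'fp-b2', now);  // now a known device
  return { first, second, devices: store.bob.length };
}

console.log(demo());
```

Because the decision is per account and the stored value is only ever compared against that account's own history, a shared fingerprint (two users on the same hardened browser build) costs nothing more than an occasional extra challenge; it never links the two accounts.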


That's a great point! And all the more reason for why the user should be able to allow or disallow it.


Images


It should ask permission after N fonts.


More permissions are not the right answer. Too many and users get conditioned to blindly clicking accept.


Users do not always click yes reflexively. I filled in a form recently that asked "Do you consent for us to send you marketing emails" (default unchecked), and I laughed because I could not imagine why they expended engineering effort to ask that question and store the answer when almost nobody will check it.

It depends how the question is framed and presented. If the permission prompt is modal and the user believes that they will be prevented from accessing the application unless they click Yes, then they will always click Yes.

But if the website loads first and then they are asked for permission to load some additional feature, they are much less likely to reflexively click Yes rather than to press X to close the non-modal.


> Do you consent for us to send you marketing emails" (default unchecked)

I read that as Management (PHB) wanted that but somehow the implementing engineer got them to do it the respectful way.


You don't sound like a very typical user.


I think we can mitigate such problems like how we handled notifications. We can just stop all fingerprinting and show a maximum of two fonts in such a scenario.


Yes, let's limit creativity because some asshats have made looking at a list of fonts a negative. Let's just limit fonts altogether and only use emojis or braille like dot patterns.


Obviously the browser must prompt users before displaying non-ascii characters as well. Who wants to do anything other than read mailing lists in their browser?


Every webpage should be a 640x480 jpg hosted exclusively through a CDN separate from the originating site.

Why can't we make a better web like this that respects your privacy?


seriously, rendering websites to image formats is an option and some cdn (cf iirc) have products for this.


Not everyone on Earth uses an ascii-compatible language, though.


I made the comment in jest, primarily to illustrate how restrictions like limiting pages to 2 fonts are completely arbitrary and likely wouldn't even solve the problems presented in the original comment ("make the web look a lot nicer", "stop this sort of privacy attack").


let's limit creativity because some asshats have made looking at a list of fonts a negative

Yes.

Security and privacy come at the expense of other things. It's not totally unreasonable to prioritize them though.

It would limit creativity, but not by very much.


Or another way to look at it, you go to the doctor because your head hurts so they give you aspirin to treat the symptom rather than treating cause from the gaping wound.

We keep suggesting things like limiting use of fonts as a polyfill for not being able to create legislation or what not. How about not exposing the available fonts to the browser through JS? If the font is not available, it should silently regress through options listed in CSS or browser defaults. JS can request a font, and it can be used if available. If it's not available, JS shouldn't need to know about it.


Who is behind the web browsers that most people use? Companies whose businesses rely on subjugating user privacy have few if any incentives to make these types of changes. These complex browsers do not exist for their users, they exist for the advertising company or other company that collects user data.


Sure. This isn't coming to Chrome or Safari ever. There are other browsers though.


According to https://gs.statcounter.com/browser-market-share, Chromium-based/Safari browsers have 93% market share, so I wouldn't really count on other browsers that much.


thou privacy conscious users are vastly underrepresented in analytics.


Different languages often require you to use different fonts, there are very few fonts that contain characters for all languages. Ranges using specific languages are tagged with the 'lang' attribute so the browser can use the appropriate font. If you aren't allowed to include any font face rules you lose the ability to handle multiple languages (unless all the languages you care about use codepoints below 255).

Italic and Bold are also separate fonts (albeit in the same family).


Internationalization and localization don't require more fonts, just different fonts. When a user is viewing a site in English they'd see a different font to a user viewing a page in Japanese. That's fine. Just serve one a stylesheet with the English font first, and the other a site with the Japanese font first. They would still work fine.

Bold and italic were different fonts in the past, but variable fonts have solved loading separate fonts for different weights and italics. This change would require developers swap to use those in many cases, and to create variable versions of brand fonts if necessary. I don't see that as a problem. The benefit makes it worthwhile.


"Viewing a site in English" misunderstands the problem. Mixed-language content is a reality. Not all websites are a single language, because they can host user-generated content or snippets of content in other languages (commentary on translated material, live translations, instructional material, etc.)


I can't edit my post now unfortunately, but I have had an idea where websites could use as many fonts as they want - font bundling. If there was a format that could contain any number of fonts, browsers would only need to make one request for specific bundled resource, and then browsers could limit the number of requests and designers could pepper their websites with as many fonts as they want.

In essence, do what we do with JS code, but with fonts.

You'd lose the parallel request benefits of HTTP2 but nevermind.


> your fingerprint stays the same even if your browser is in incognito mode.

OK, I tried the demo with Firefox Focus, and it worked. But it doesn't tell you how unique your fingerprint is. If multiple users have the same fingerprint, then its effectiveness will be limited.


Yeah. As I understand it, since all Apple mobile browsers use the WebKit engine, there’s nothing this demo can use to separate them.

This demo doesn’t mention cookies, screen size, cache, etc, which could be used to further differentiate.

This article is less of a tech demo and more of an introductory article to how some fingerprinting works.


Browser fingerprinting has hash collisions so you basically get a bloom filter. Browser fingerprint plus ip is probably enough to track, but I'd imagine if you bring the device to another city or even a coffeeshop that there's too many similar devices to uniquely identify.


I don't think this is intended to provide an actual fingerprinting solution like EFF's Cover Your Tracks, but rather a demo of non-obvious noscript-proof data points.

If these techniques were combined with more well-known ones such as screen size or DPI, uniqueness would be more relevant.


Right. What is the entropy?
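Three comments above ask the same question from different angles: how unique a fingerprint is, what happens when many devices share a value (the "bloom filter" remark), and what the entropy actually is. The block below is an added example, not code from the fingerprintjs.com article, that answers those questions over a constructed population of visits. It computes Shannon entropy of the fingerprint distribution, the anonymity set a given visitor hides in, and the surprisal (bits revealed) of a single value, and then shows how combining the fingerprint with a coarse network block shrinks the anonymity sets. The visit records, the labels and the function names are all constructed for illustration.

```javascript
// Added example (not from the article): measuring how identifying a
// fingerprint is over a population of observed visits.

// Constructed sample: 16 visits, each with a fingerprint label and a coarse
// network block. The repeated 'fp-tor-safer' value models what a hardened,
// uniform browser configuration looks like in such data.
const OBSERVED = [
  { fp: 'fp-tor-safer', net: 'net-1' }, { fp: 'fp-tor-safer', net: 'net-1' },
  { fp: 'fp-tor-safer', net: 'net-1' }, { fp: 'fp-tor-safer', net: 'net-1' },
  { fp: 'fp-tor-safer', net: 'net-2' }, { fp: 'fp-tor-safer', net: 'net-2' },
  { fp: 'fp-tor-safer', net: 'net-3' }, { fp: 'fp-tor-safer', net: 'net-4' },
  { fp: 'fp-webkit-ios', net: 'net-1' }, { fp: 'fp-webkit-ios', net: 'net-2' },
  { fp: 'fp-webkit-ios', net: 'net-3' }, { fp: 'fp-webkit-ios', net: 'net-4' },
  { fp: 'fp-ffox-linux', net: 'net-1' }, { fp: 'fp-ffox-linux', net: 'net-5' },
  { fp: 'fp-chrome-win', net: 'net-1' }, { fp: 'fp-custom-build', net: 'net-6' },
];

// Key functions: fingerprint alone, and fingerprint combined with network.
const byFp = r => r.fp;
const byFpAndNet = r => `${r.fp}|${r.net}`;

// How often each key occurs in the population.
function histogram(records, keyFn) {
  const counts = new Map();
  for (const r of records) {
    const k = keyFn(r);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Shannon entropy of the key distribution, in bits: the average amount of
// information one observation of this signal carries.
function entropyBits(records, keyFn) {
  const n = records.length;
  let h = 0;
  for (const count of histogram(records, keyFn).values()) {
    const p = count / n;
    h -= p * Math.log2(p);
  }
  return h;
}

// Upper bound on entropyBits: reached only if every visitor is distinct.
function maxEntropyBits(records) {
  return Math.log2(records.length);
}

// Anonymity set: visitors indistinguishable from `probe` under keyFn,
// counting the probe itself. Larger is better for the visitor.
function anonymitySet(records, keyFn, probe) {
  const key = keyFn(probe);
  return records.filter(r => keyFn(r) === key).length;
}

// Surprisal: bits of identifying information revealed by observing the
// probe's key. A value shared by half the population reveals 1 bit; a
// value unique in the population reveals log2(n) bits.
function surprisalBits(records, keyFn, probe) {
  return Math.log2(records.length / anonymitySet(records, keyFn, probe));
}

function report(records = OBSERVED) {
  return {
    entropyFp: entropyBits(records, byFp),
    entropyFpAndNet: entropyBits(records, byFpAndNet),
    maxEntropy: maxEntropyBits(records),
    torUserAnonymitySet: anonymitySet(records, byFp, records[0]),
    torUserAnonymitySetWithNet: anonymitySet(records, byFpAndNet, records[0]),
  };
}

console.log(report());
```

In this sample the fingerprint alone carries 1.875 of a possible 4 bits, the hardened-browser visitor hides among 8 others, and adding the network block lifts the entropy to 3.375 bits and cuts that anonymity set to 4. That is the arithmetic behind the "fingerprint plus IP is probably enough" intuition, and also behind the observation that a uniform browser build is only as good as the size of its crowd.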


I used to think that privacy was a technical problem, then I thought it was a legal problem, now I think it is a reaction problem. We are not disgusted enough. I do wonder if that will change.


No, it's a legal problem. There are countries where groping women is not a big deal for example. Even in the most "ideal" EU countries, casual racism is an afterthought. Reaction is a problem because there is no adverse consequence to the perpetrator.

I don't need a browser extension, I need CEOs in prison. Then reactions will catch up.


I think it’s a cultural problem.

Things are or are not a problem in certain places because that’s just how things have been done. You pick it up when you grow up in that culture.

Which leads to the problem of determining what is actually right or wrong.

For example, I naturally believe that racism is wrong because of the culture I grew up in (multicultural California) tells me that it’s wrong. But I also believe it is wrong because it undermines society and adds unnecessary friction to interactions, so it’s simply more productive if it didn’t exist.

I believe that privacy is important because I believe humans work best when they feel free to think and act freely. I believe society (and myself as a result) benefits far more in that scenario.


You bring up an interesting point. But even at the peak of slavery in the US, there were "white" people who believed all people are created equal and deserve equal rights, some even helped free slaves.

I think it is more of a worldview thing which is influenced by local culture. Your beliefs about answers to fundamental questions like why do people exist? What are valid authority systems and structures? What is the origin of humans? And more questions like this, make the difference.

I believe racism is wrong because I don't believe race is a thing beyond a social classification system. I believe in ethnicities and differences between them, but humans share a common origin. Even if some humans have less or more capability to do certain things than others, in order to be just, one must evaluate others as individuals not groups. Even if some statistic about a group can predict behavior of all but one members of a group, prejudice against that one member is still unjust and unfair. We should treat others the way we want to be treated ourselves.

But back to the topic, I think I agree with you that why we believe privacy is important is critical to make any improvements or changes. Simply put, privacy is power. When someone deprives you of privacy against your consent (where expectation of it is reasonable), they are exercising power over you. They are exercising a claim that for whatever reason, information about you now belongs to them. If all or most information about you belongs to someone, you are now their subject.

It could be as simple as a lack of understanding of the implications of privacy deprivation.


How did you bring up groping and racism into CSS fingerprinting topic?


Except I was replying to a comment about systemic acceptance of privacy deprivation. Groping and racism are considered unacceptable in most places, good case studies to correlate and then find the cause of systemic acceptances.

Interesting how you are trying to change the conversation and make it about the analogy used to analyze the root cause of the issue described in the post.


> Even in the most "ideal" EU countries, casual racism is an afterthought

Could you clarify what you mean and what countries?


I would rather not distract from the discussion at hand. If you don't already know the answer to that, I would rather not discuss the subject here.


If you don't want to say what you imply then perhaps don't imply it at all. You actually explaining what you're implying will not distract unless the original implication was also distracting. This just makes it look like you want to state opinions as facts without even stating the opinion fully.


As far as I know and intended this is common knowledge. Plenty of ways to find out which countries treat foreigners and minorities badly. Either I list all EU countries or you are asking me to build a case against specific ones. Either way, I am not interested, if you wish to believe otherwise then consider my statement an opinion.


If it is common knowledge then it should be easy for you to link me a source for what you are referring to.


I thought Smarter Every Day's analogy to carbon emissions was great for this exact reason. It's hard to feel like it is a problem because it is difficult to see the pollutant and small amounts don't cause major problems. But when that pollutant reaches a critical mass then it becomes a very large problem for everyone, not just a particular individual.


Though I think it's fishy he's trying to get VC funding for a privacy product that does similar stuff to current FOSS projects. How on Earth do you expect to make profit for investors on a privacy product?


By being "better" than the (FOSS) competition, even if only for some narrowly scoped use cases. Maybe there is a market for privacy products that allows you to make some money. They seem to be focused on privately storing and sharing documents and other files. What FOSS competition is there that just works? Signal and matrix have very limited UI/UX for that use case, and they also severely limit file sizes (100 MB I think, which is nothing if you share a 4K video of the family singing Happy Birthday for grandma). Signal also does not really work on desktop, and not at all without a phone. What else is there? dropbox and google drive and amazon fail on the privacy aspect, mega.nz is too shady both in history and in current business practices. Most other competitors do not really have sharing or fail the privacy bit, and the other open source "apps" usually require you setting up some infrastructure, which won't work for most people as they lack the skills to do so and/or motivation to go through the hassle of maintaining such a setup[1].

They also try to be kinda snapchat with self-destructing file shares. That this is impossible at the very least thanks to the analog hole is a given, but at least they mention that and mention how they intend to fight it (by using watermarks to discourage people from screenshots, etc). They seem to overstate their capabilities in their main marketing material, tho. They are a bit sparse on the details and very "marketingey" - which is understandable given the target audience of this campaign - but they promise a proper white paper and open source (not necessarily free) code soon.

All I see is that they have a kickstarter for a measly $150K, not really VC funding? So "make a profit for investors" might be kind of a non-goal at least for now. It doesn't sound like they aim to be the next unicorn, just to be sustainable and maybe eventually make the major investors their money back and then some.

I wouldn't call this thing "fishy". It has a high likelihood of failure in the market and/or not quite delivering on the promises, sure, but that's true for all early startups. But they might come out with a real product valuable enough for some niche of people to pay for it and sustain it.

The Smarter Every Day guy also put his reputation on the line. He doesn't seem stupid enough to back complete vaporware or worse, grab the money and run. His reputation is likely more valuable mid to long term than the $500K (of $150K they asked for).

My personal guess: it will fail to be big (the space is too crowded in "good enough" apps, and they will have a hard time building enough network effect that their "sharing files" mission requires), it will fail to deliver everything they aspire to deliver, but they will deliver something that a niche of people will like and use. If that will be enough to sustain the thing... maybe not. They kinda have to go as a freemium app, like lastpass or mega.nz or protonmail to even have a chance to build up momentum, or find themselves some "sugardaddies" and "sugarmommies" as signal did or mozilla did (tho the latter is in trouble now thanks to the codependence - as well as bad management). They could even become a mega or even a dropbox competitor. Or they will fail to acquire enough users and fade away or have to pivot to a secure and private file management/backup solution, and still face a lot of competitors.

[1] Obligatory: https://news.ycombinator.com/item?id=8863


Well, the real problem is advertising. It is far too profitable. If we want to live in a less distorted world, start taxing digital advertising heavily. Give people the real choice to pay for services (like we do in every other area in life) instead of paying with their privacy.



Who's to say they're paying with privacy? Xbox and Playstation get 15-30% of every game sale for their consoles, since the consoles are sold near-cost or even at a loss. At least historically they were just paying on the backend, not with their privacy. Is the line tracking, advertising, or just not being able to pay everything up-front (and not based on usage)?


> And since most websites require JavaScript to function properly, using this method to preserve your online privacy will invariably lead to a suboptimal web experience.

Great article and a good demo and insight into CSS capabilities in particular but I have to disagree with the above quote taken from the article. I surf the web with JavaScript disabled and the words 'most', 'properly' and 'suboptimal' in my view are debatable.

most - for me, about 99% of websites still work best with JS disabled. If I see the 'please enable JavaScript' message on a content site (like a blog) I generally bail immediately because delivering content with JS is my definition of suboptimal and a sign of inexperienced devs or a CMO with way too much influence over dev.

properly - when I view a pure content site (like a blog), actually seeing the content is my definition of 'properly'. Seeing a blank screen or the 'please enable JavaScript' message is my definition of not functioning properly. Using JavaScript to deliver content seems like overkill to me.

suboptimal - for me, rather than leading to a suboptimal web experience, disabling JavaScript leads to an optimal web experience. I avoid most ads and I don't suffer JS download delays. All I want is the info. Helping to preserve my online privacy is just a side bonus.

I have a simple rule. If a website is an application (i.e. it has instrumental value) and it's behind a login screen, then by all means use JS. If it's not (i.e. it has intrinsic value like a blog post) then don't. To me, a PWA is the optimal app experience, not the optimal content experience. JS is not for delivering content, it's for delivering functionality, instrumentality.


"I disagree with this obviously true statement because I've decided to redefine all the terms so that it's wrong."


Like others have mentioned here the demo seems to be able to categorize users into certain groups, but it is unclear how useful it is for fingerprinting and tracking an individual. I would love to see some statistics on it because from the data the demo gathers it seems like it will have a hard time making out individuals in many cases. I find the technique used in the paper "Prime+Probe 1, JavaScript 0: Overcoming Browser-based Side-Channel Defenses" [1] more interesting, although highly impractical. I guess there might be more practical CSS-based techniques that could fingerprint an individual and track them over several sites, but I have a hard time seeing how the limited tracking presented in this article would be very effective.

[1] https://arxiv.org/abs/2103.04952


ETAG fingerprinting is perhaps the most reliable non JS approach.


Can you elaborate on this?


Sure. Etag stands for "Entity Tag", and it's a header value that comes from the web server and is related to caching. A normal implementation would use something like a CRC or MD5 hash of the requested page/image/etc to calculate a tag, and send it to the web browser. The browser stores it for later.

The browser, if it's asked to retrieve that thing (image, page, etc) later, sends the "etag" back in the request via a If-None-Match header. The server then knows whether the image/page/etc has changed since the client last requested it. And, it can send back either the new version of the image/page/etc, or a "304 Not Modified" if the page hasn't changed...that is, the computed etag hash value is the same.

Here's the problem. There's no spec for how an etag is computed or how it's used. So on the server side, I can use it like a marker tag. Say, I generate a known unique tag for every new visitor that doesn't send me If-None-Match, like a GUID. And I keep a table of those Etag values. You're now fingerprinted...your browser will send that value back every time you visit, no JavaScript required.


What if I am using an extension that blocks/ignores etag headers?

And what if my browser sends requests via multiple proxies? Would the etag likely be different then as well?


You can get around it, yes. But it's stealthy in the sense that nobody thinks about it being (ab)used this way.


Does private browsing in FF solve this by not caching between program starts?


Seems like it would, yes.


I seem to be able to change the fingerprint through triggering a fetch in the JS console on every `/signal/...` url found in the stylesheet while it is "gathering data". I'm guessing that adding some randomness on the fetches in an extension could probably fool CSS-based fingerprinting, granted you're handling all `url()`s found in all CSS... which is pretty overkill.

But then again, AdNauseam exists https://adnauseam.io/
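The poisoning idea in the comment above (fire extra requests at the stylesheet's `/signal/...` URLs so the server's picture of which probes "matched" is wrong), as an added example not taken from the original thread or the linked demo. The stylesheet text, the `/signal/` path convention and the base URL are constructed for this example, and the RNG and fetch function are injected so the selection can be run deterministically and offline; in an extension you would feed it the page's real stylesheets and the global `fetch`.

```javascript
// Added example (not from the original thread): fetch a random subset of the
// url() targets in a stylesheet so CSS-only signal collection gets noise.

// Pull every url(...) out of a stylesheet, resolved against `base`, in order, deduplicated.
function extractUrls(cssText, base) {
  const re = /url\(\s*(['"]?)([^'")]+)\1\s*\)/g;
  const out = new Set();
  let m;
  while ((m = re.exec(cssText)) !== null) {
    out.add(new URL(m[2], base).href);
  }
  return [...out];
}

// Keep only the URLs that look like fingerprint probes (constructed convention).
function signalUrls(cssText, base, marker = '/signal/') {
  return extractUrls(cssText, base).filter((u) => new URL(u).pathname.includes(marker));
}

// Select each probe with probability p; rng is injected so tests are deterministic.
function choose(urls, p, rng = Math.random) {
  return urls.filter(() => rng() < p);
}

// Fire the chosen requests. cache: 'no-store' makes sure each one really leaves the
// browser instead of being served from cache. Errors are swallowed on purpose:
// a failed probe request is still a request the server saw.
async function poison(cssText, base, { p = 0.5, rng = Math.random, fetchFn = globalThis.fetch } = {}) {
  const chosen = choose(signalUrls(cssText, base), p, rng);
  await Promise.all(chosen.map((u) => fetchFn(u, { cache: 'no-store' }).catch(() => {})));
  return chosen;
}

// Constructed stylesheet in the style of a CSS-only probe: each url() is only
// requested when the surrounding rule applies, so the request itself is the signal.
const SAMPLE_CSS = `
@font-face { font-family: "ProbeA"; src: url("/signal/font/a.woff2"); }
@media (min-width: 800px) { .w { background: url(/signal/width/800.png); } }
.logo { background-image: url('/static/logo.png'); }
@supports (display: grid) { .g { background: url("/signal/grid.png"); } }
`;
const SAMPLE_BASE = 'https://demo.example/';
```

Calling `poison(SAMPLE_CSS, SAMPLE_BASE)` from an extension's content script would request roughly half of the probe URLs regardless of whether the fonts, media queries or feature checks actually matched, which is what makes the collected "fingerprint" change between loads. As the commenter notes, doing this for every url() in every stylesheet is heavy; restricting it to a known probe path keeps it cheap but only works when the probes are recognisable.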


> The demo should show the same fingerprint

I get a different fingerprint every time on refresh.

Brave Version 1.31.87 Chromium: 95.0.4638.54 (Official Build) (64-bit) with uBlock Origin.


I don't, but it seems to cache the fingerprint so a normal refresh doesn't regenerate. If I use their 'start over' control or just shift-refresh, I do get a different fingerprint every time.

Firefox, Ubuntu, and a handful of common plugins.


Would it be possible to mitigate the CSS based fingerprinting using URLs, by having the client forcibly cache the fonts / urls? I think then on return to the site, there would be client cache hits, and no request to the server on return visits.

I imagine this would be a pain for browsing in general, but could help browsers in a privacy mode


In addition to making browsing slower you’d also consume more of your data, if you’re on a capped plan.

These days I have a 70 GB plan with data rollover, which leaves me with plenty of data to spare. But for the longest time I used to be on a plan with only a couple of GB of data per month, and it was a real pain in general. In that situation, downloading all resources instead of only the ones I need would have made a noticeable impact I am sure.

Even though I now have data to spare, the additional slowness that you mentioned would be annoying enough that I would not want my device to do that. Additionally, transferring more data would also consume more battery.


Caching would make things slower, consume more bandwidth and power why exactly?

Also, your argument assumes everyone is browsing on a phone, and with a "plan". Is there no other way to access the web these days?

I think simply disabling JS spares a lot more battery. Hell, with noScript you can block font manipulation.


Some people say it doesn't work for them in Firefox or Chrome. Surprisingly it works for me even in Tor browser (even in safest mode). Although it seems that its method to distinguish between Tor browser and Firefox fails and still assumes I'm using Firefox.


The magic CSS supports tags are clever. I haven't seen that technique before. Still I'd assume basically every iPhone running the same version of Safari would give the same results.


It said it should be the same in incognito mode as well. I tried it on both firefox and chromium. It was different in the incognito mode


But don’t you have some extensions that are not enabled for incognito mode? Perhaps they assume it works as long as the same extensions are installed in both modes?


Not for firefox, both are the same. In chromium yeah there is one less extension in incognito.

But I even tried refreshing the page on both firefox and chromium, it was different each time.


Doesn't work for me on firefox or chromium, the fingerprint is different every time.


But hn told me if I disable canvas I'm safe from fingerprinting.

