ALBERT

Fingerprinting is a method of tracking you across the web that is significantly harder to defend against than previous techniques. Inter-domain tracking, the sort of tracking that involves following you between websites, is an invasion of your privacy; typically it is done to build a profile of your browsing habits that can then be sold and used to serve you advertising. If you would have a problem with showing a stranger your Internet history, you should have a problem with tracking. Specifically, you should have a problem with browser-fingerprint-based tracking, which we refer to more succinctly as fingerprinting, since it's so hard to disable.

There are several different methods to defend against fingerprinting, and each has its own advantages and disadvantages. In this blog post we're going to discuss and compare each method.

Method 1: Share a fingerprint with others
The first method is probably the easiest: give your web browser a fingerprint that is not unique. The more people you share your fingerprint with, the harder you are to track and the more you get lost in the crowd. Currently the most effective way to do this is by using the Tor Browser Bundle (the TBB). The TBB is a fork of Firefox produced by the Tor Project, and it is their recommended way of browsing the Internet using Tor. The purpose of the Tor network is to anonymise your online traffic, and tracking systems could potentially be used to deanonymise Tor users, so it makes sense that they try to prevent it (see footnote 1). Tracking is an invasion of your privacy, and the Tor Project was created to help defend your privacy.

Installing Tor is simple; it doesn't require any special configuration or setup. It does have its downsides, however. For instance, if you use the TBB you're forced to use Tor. Whilst Tor has many benefits, it also has some properties that a lot of people may find frustrating. In particular, when using Tor pages load noticeably slower, and Tor users are treated like second-class citizens online, often being denied service by websites or shown very difficult CAPTCHAs to test whether they're human before they can view a site [1].

Other browsers exist that contain fingerprinting defences, but they tend to defend only against the simplest of attacks. For instance IceCat, another Firefox fork, has several fingerprinting defences, such as spoofing HTTP headers to make it appear that you're running a common version of Firefox on the most common operating system, Windows. These defences don't stack up to the TBB's, however, and aren't good enough to defend against any but the simplest of fingerprinting techniques.

Lastly, fingerprinting attacks and defences are an arms race. For defences to be developed, attacks first need to be discovered. An attack could be used in the wild for months or even years before a researcher discovers it and defences are created. For instance, AudioContext fingerprinting was discovered in the wild [2] after having been active for who knows how long, and defences are still not widely available months later (Update 2016-09-08: Mozilla plans to give users the option of disabling the Web Audio API in Firefox 51).

Method 2: Disable JavaScript globally
The second way of defending against fingerprinting is to disable JavaScript completely for all sites that you don't want to be tracked on. All scripts on those sites must be disabled, since any script that you allow could contain fingerprinting code. The majority of fingerprinting tests, and certainly the strongest ones, require JavaScript, so disabling JavaScript will eliminate most tests. The problem is that a huge number of websites require JavaScript to function properly and simply won't work with it disabled. This makes the technique too restrictive for most users.

Additionally, it doesn't defeat all tests, and those few tests may be enough to uniquely identify you; we'd like to determine whether that's the case in our research. In 2011 a study of 989 fingerprint samples found that a combination of fonts, the first two octets of the IP address, timezone, and screen resolution was enough to uniquely identify most users [3]; all of those, except perhaps timezone, can be obtained without JavaScript. This year a study by Microsoft using datasets from Bing and Hotmail found that 60%-70% of clients were accurately identifiable based on their user-agent string, and this number went up to 80% when IP prefix information was also used [4]. And in 2016 a study found that only 29% of fingerprints were unique when JavaScript was disabled [5], although they didn't have the CSS screen size and font detection tests that Browserprint has.

A quick query of our database found that out of 2104 submitted fingerprints where JavaScript was disabled, 1372 were unique; that means 65.2% of fingerprints with JavaScript disabled were still unique, and that's without the scriptless tests that we're planning but haven't implemented yet, such as scriptless ad-blocking detection and a scriptless version of the character sizes test. This demonstrates that disabling JavaScript is not a silver bullet; it should probably be combined with using a browser such as IceCat that has some fingerprinting defences. In conclusion, we don't recommend this method.

Method 3: Use multiple browsers
The third method is to use a different browser for different activities on the Internet. In its simplest form you partition your browsing between two browsers, for instance one browser for things tied to your identity (LinkedIn, Facebook, Google+, banking, online shopping) and the other for general browsing. This way, while it's still possible for companies to track you and build a profile based on your browsing habits, that profile won't be tied to your identity, and the profile that is tied to your identity is minimised. This technique could be extended by using more browsers, using virtual machines, and by assigning each virtual machine a different VPN hardware.

This method does require a bit of discipline. Once virtual machines are added to the mix, it will likely become too cumbersome for most people.

What's more, cross-browser fingerprinting may be possible. That is, if two browsers run on the same computer and operating system, it may be possible to tie sessions in one browser to the other using only fingerprint data related to the operating system, underlying hardware, and other browser-independent data. At least one piece of research has attempted to answer this question before. It found that a combination of fonts, the first two octets of your IP address, timezone, and screen resolution was enough to uniquely identify most users [3]; these are features that are likely to be consistent between different browsers on the same machine. We plan to investigate this problem further. For instance, in an old blog post we explored the possibility of device-independent fingerprinting using CAPTCHAs, that is, user fingerprinting.

In summary, I can neither argue for nor recommend against this method. In its simplest form it may just act as a placebo and provide little benefit; in its more advanced form it's likely very powerful, but it still suffers from the fact that it's unwieldy and that you're only partitioning your profile, not completely defeating fingerprint-based tracking. If only it were possible to use a different combination of browser and operating system for each and every site you visited.


Method 4: Different fingerprints for different sites
The fourth method of defending against fingerprinting is to spoof your fingerprint, presenting a different one to each site you visit. The spoofing must be per site; there's no point, for instance, in switching your user-agent string every 5 minutes (see footnote 2). Per-request spoofing is also acceptable, but it's trivial to detect, which makes it less desirable.

There doesn't seem to be a significant amount of software that provides the sort of per-domain or per-request spoofing we're looking for, but the few plug-ins we've found are listed here.

The best software for fingerprint spoofing so far seems to be the Firefox extension FP-Block [6]. It randomises many fingerprint features per site, including adding randomness to HTML canvases to foil canvas fingerprinting. Sadly it's not under active development and is a little bit buggy, but it's well worth playing around with.

Another study developed software called PriVaricator that randomised the fingerprint features offsetHeight, plugins, and fonts [7]. They found this strategy worked against all tested fingerprinters, but sadly they do not seem to have released it publicly.

Apart from that we have the closed-source extensions UAControl and Secret Agent. UAControl does user-agent string spoofing per domain, but you need to set the user-agent string manually rather than having mappings created automatically, which means it's not particularly useful. Secret Agent randomises the user-agent string and headers on every request.

Footnotes
1. How could tracking deanonymise someone using Tor or a VPN? There are two scenarios. In the first scenario someone visits a site such as Gmail or Facebook.com that is tied to their identity, then they visit a second site that doesn't know their identity. If both sites have fingerprinting code and the sites collude, the first site could tell the other who you are, thus deanonymising you on the second site.

In the second scenario you visit a site with your IP address hidden behind a proxy, then visit the site a second time without your IP address hidden. If the site uses fingerprinting, it would be able to link the first visit to the second, thus deanonymising your first visit.

2. Imagine you change your fingerprint at a regular (or irregular) interval. You visit a site where you have cookies enabled (or they're keeping track of your session with something else, like a JSESSIONID), you change your fingerprint, and then you visit the site again. The site can trivially detect that you've changed your fingerprint. All it needs to do is store your original fingerprint, notice the change, overwrite the stored fingerprint with your new one, and notify all collaborating sites that your fingerprint has changed.
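The uniqueness figures quoted under Method 2 (unique fingerprints out of all submitted with JavaScript disabled) can be reproduced on any sample with a few lines of analysis. The following is an added example, not code from the original post or from Browserprint; the records, field names and values are constructed, and the fields stand for attributes the post says are available without JavaScript.

```python
from collections import Counter
from math import log2

# Constructed sample: attributes a server can read with JavaScript disabled
# (User-Agent header, first two IP octets, CSS-probed screen width and fonts).
FIELDS = ("ua", "ip16", "css_width", "fonts")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("Firefox-Win",   "203.0",  1920, "std"),
    ("Firefox-Win",   "203.0",  1920, "std"),
    ("Firefox-Win",   "198.51", 1920, "std"),
    ("Firefox-Win",   "198.51", 1366, "std"),
    ("Chrome-Win",    "203.0",  1920, "std"),
    ("Chrome-Win",    "203.0",  1920, "office"),
    ("Chrome-Mac",    "192.0",  1440, "mac"),
    ("Firefox-Linux", "192.0",  1920, "linux"),
]]

def anonymity_sets(records, keys):
    """Count how many records share each combination of the chosen attributes."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def unique_fraction(records, keys):
    """Share of records whose attribute combination appears exactly once."""
    sets = anonymity_sets(records, keys)
    return sum(1 for n in sets.values() if n == 1) / len(records)

def entropy_bits(records, keys):
    """Shannon entropy (bits) of the chosen attributes across the sample."""
    total = len(records)
    return -sum(n / total * log2(n / total)
                for n in anonymity_sets(records, keys).values())

def cumulative_report(records, fields=FIELDS):
    """Unique fraction and entropy as each attribute is added to the fingerprint."""
    return [(fields[:i], unique_fraction(records, fields[:i]),
             entropy_bits(records, fields[:i]))
            for i in range(1, len(fields) + 1)]

if __name__ == "__main__":
    for keys, frac, bits in cumulative_report(SAMPLE):
        print(f"{'+'.join(keys):28} unique={frac:.1%} entropy={bits:.2f} bits")
```

In the constructed sample the user-agent alone singles out a quarter of the records, while the four scriptless attributes together single out three quarters, which is the effect the quoted studies describe.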
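Method 4's requirement that spoofing be per site, and the last footnote's argument against changing a fingerprint on a timer, can be checked with a small model of colluding sites. This is an added example, not code from the original post or from any of the extensions it names; the secret, site names, cookie value and visit log are constructed, and the HMAC derivation is an assumption used only to produce stable stand-in fingerprints.

```python
import hashlib
import hmac

SECRET = b"constructed-browser-secret"  # constructed value for the model

def fingerprint(policy, site, t, rotate_every=300):
    """Fingerprint the modelled browser presents to `site` at time `t` (seconds)."""
    seed = {"static": "", "interval": str(t // rotate_every), "per_site": site}[policy]
    return hmac.new(SECRET, seed.encode(), hashlib.sha256).hexdigest()[:16]

class ColludingTracker:
    """Sites that collude by sharing one fingerprint index."""
    def __init__(self):
        self.by_fp = {}      # fingerprint -> profile id, shared by all sites
        self.by_cookie = {}  # (site, cookie) -> profile id, private to each site
        self.next_id = 0

    def observe(self, site, cookie, fp):
        profile = self.by_cookie.get((site, cookie)) if cookie else None
        if profile is None:
            profile = self.by_fp.get(fp)
        if profile is None:
            profile, self.next_id = self.next_id, self.next_id + 1
        # The footnote's point: a changed fingerprint seen under a known cookie
        # is re-recorded against the same profile and shared with collaborators.
        self.by_fp[fp] = profile
        if cookie:
            self.by_cookie[(site, cookie)] = profile
        return profile

# Constructed visit log: (time, site, cookie). b.example never sets a cookie.
VISITS = [(0, "a.example", "sess-1"), (0, "b.example", None),
          (400, "a.example", "sess-1"), (400, "b.example", None)]

def linked_profiles(policy):
    """Profile id the colluding sites assign to each visit under a spoofing policy."""
    tracker = ColludingTracker()
    return [tracker.observe(site, cookie, fingerprint(policy, site, t))
            for t, site, cookie in VISITS]

if __name__ == "__main__":
    for policy in ("static", "interval", "per_site"):
        print(f"{policy:9} {linked_profiles(policy)}")
```

Timer-based rotation leaves all four visits on one profile, exactly as with no spoofing, while per-site values keep the cookieless site's visits on a profile that is never joined to the identified one.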
 