[HN Gopher] Browser Fingerprinting Without JavaScript
___________________________________________________________________
Browser Fingerprinting Without JavaScript
Author : sni
Score : 55 points
Date : 2021-10-29 19:49 UTC (3 hours ago)
(HTM) web link (fingerprintjs.com)
(TXT) w3m dump (fingerprintjs.com)
| tyingq wrote:
| ETAG fingerprinting is perhaps the most reliable non JS approach.
| ranger_danger wrote:
| Can you elaborate on this?
| yamrzou wrote:
| > your fingerprint stays the same even if your browser is in
| incognito mode.
|
| OK, I tried the demo with Firefox Focus, and it worked. But it
| doesn't tell you how unique your fingerprint is. If multiple
| users have the same fingerprint, then its effectiveness will be
| limited.
| southerntofu wrote:
| I don't think this is intended to provide an actual
| fingerprinting solution like EFF's Cover Your Tracks, but
| rather a demo of non-obvious noscript-proof data points.
|
| If these techniques were combined with more well-known such as
| screen size or DPI, uniqueness would be more relevant.
| Matthias1 wrote:
| Yeah. As I understand it, since all Apple mobile browsers use
| the WebKit engine, there's nothing this demo can use to
| separate them.
|
| This demo doesn't mention cookies. screen size, cache, etc,
| which could be used to further differentiate.
|
| This article is less of a tech demo and more of an introductory
| article to how some fingerprinting works.
| tantalor wrote:
| Right. What is the entropy?
| gregw134 wrote:
| Browser fingerprinting has hash collisions so you basically get
| a bloom filter. Browser fingerprint plus ip is probably enough
| to track, but I'd imagine if you bring the device to another
| city or even a coffeeshop that there's too many similar devices
| to uniquely identify.
| southerntofu wrote:
| Being a fervent Tor Browser user, i just tried with it and of
| course the fingerprinting failed. Several copies of it give me
| the same fingerprints: e56952dba176a47af3c051b626b64ff3 (Safer
| mode) 632e305f8a939e5ba6afd24eced586f0 (Safest mode)
|
| That's because the Tor Browser, contrary to urban legend, is not
| just a browser that routes trafic through the tor network, but a
| firefox reworked (most of which is being upstreamed) explicitly
| to combat fingerprinting (some kind of digital black block if you
| will).
|
| Overall that's an amazing compilation of modern web
| fingerprinting vectors. I'm just a little disappointed they left
| screen size (and maybe other obvious avenues) out of the demo.
| That would be a really cool way to demonstrate how Tor Browser's
| window cutting (or whatever that's called) works [0].
|
| I read somewhere (but i can't vet the claims) there's enough
| variance on TCP implementations across systems to be able to
| distinguish, and i'm curious how the Tor Browser deals (or
| doesn't) with that. Could be an idea for v2 demo.
|
| Thanks for the cool demo! I definitely enjoyed the script-like UX
| of the page. I wish more sites did stuff like that instead of
| defaulting to JS for every little animation or dynamic content.
|
| [0] Tor Browser enforces actual width and height of the web
| rendering part of the window to be multiples of certain numbers,
| so that websites can provide experience for smaller/larger
| screens while retaining limited fingerprinting (eg. your
| fingerprint will not be affected by a user-configured or desktop-
| dependent window border, scroll bar width, or anything such)
| Paturages wrote:
| I seem to be able to change the fingerprint through triggering a
| fetch in the JS console on every `/signal/...` url found in the
| stylesheet while it is "gathering data". I'm guessing that adding
| some randomness on the fetches in an extension could probably
| fool CSS-based fingerprinting, granted you're handling all
| `url()`s found in all CSS... which is pretty overkill.
|
| But then again, AdNauseam exists https://adnauseam.io/
| iamcurious wrote:
| I used to think that privacy was a technical problem, then I
| thought it was a legal problem, now I think it is a reaction
| problem. We are not disgusted enough. I do wonder if that will
| change.
| badrabbit wrote:
| No, it's a legal problem. There are countries where groping
| women is not a big deal for example. Even in the most "ideal"
| EU countries, casual racism is an afterthought. Reaction is a
| problem because there is no adverse consequence to the
| perpetrator.
|
| I don't need a browser extension, I need CEOs in prison. Then
| reactions will catch up.
| thrashh wrote:
| I think it's a cultural problem.
|
| Things are or are not a problem in certain places because
| that's just how things have been done. You pick it up when
| you grow up in that culture.
|
| Which leads to the problem of determining what is actually
| right or wrong.
|
| For example, I naturally believe that racism is wrong because
| of the culture I grew up in (multicultural California) tells
| me that it's wrong. But I also believe it is wrong because it
| undermines society and adds unnecessary friction to
| interactions, so it's simply more productive if it didn't
| exist.
|
| I believe that privacy is important because I believe humans
| work best when they feel free to think and act freely. I
| believe society (and myself as a result) benefits far more in
| that scenario.
| snarf21 wrote:
| Well, the real problem is advertising. It is far too
| profitable. If we want to live in a less distorted world, start
| taxing digital advertising heavily. Give people the real choice
| to pay for services (like we do in _every_ other area in life)
| instead of paying with their privacy.
| skoskie wrote:
| Relevant Twitter thread.
| https://twitter.com/PatrickMcGee_/status/1451619916994396164
| godelski wrote:
| I thought Smarter Every Day's analogy to carbon emissions was
| great for this exact reason. It's hard to feel like it is a
| problem because it is difficult to see the pollutant and small
| amounts don't cause major problems. But when that pollutant
| reaches a critical mass then it becomes a very large problem
| for everyone, not just a particular individual.
| onion2k wrote:
| Browsers should limit every webpage to displaying a maximum of
| two fonts, and should silently ignore any font face rules after
| the first two. Maybe three if you're feeling generous. With
| variable fonts available in every browser it wouldn't impact
| typography much.
|
| It would stop this sort of privacy attack, and it'd have the
| additional benefit of making the web look a lot nicer.
| wbobeirne wrote:
| This feels like it's targeted at a very narrow view of what a
| browser is for. How would a site like fonts.google.com work?
| getcrunk wrote:
| Easy. The limit should be for 2 fonts, unless you load them
| your self
| katakuri wrote:
| It said it should be the same in incognito mode as well. I tried
| it on both firefox and chromium. It was different in the
| incognito mode
| skoskie wrote:
| But don't you have some extensions that are not enabled for
| incognito mode? Perhaps they assume it works as long as the
| same extensions are installed in both modes?
| ranger_danger wrote:
| Doesn't work for me on firefox or chromium, the fingerprint is
| different every time.
| jpnelson wrote:
| Would it be possible to mitigate the CSS based fingerprinting
| using URLs, by having the client forcibly cache the fonts / urls?
| I think then on return to the site, there would be client cache
| hits, and no request to the server on return visits.
|
| I imagine this would be a pain for browsing in general, but could
| help browsers in a privacy mode
| codetrotter wrote:
| In addition to making browsing slower you'd also consume more
| of your data, if you're on a capped plan.
|
| These days I have a 70 GB plan with data rollover, which leaves
| me with plenty of data to spare. But for the longest time I
| used to be on a plan with only a couple of GB of data per
| month, and it was a real pain in general. In that situation,
| downloading all resources instead of only the ones I need would
| have made a noticeable impact I am sure.
|
| Even though I now have data to spare, the additional slowness
| that you mentioned would be annoying enough that I would not
| want my device to do that. Additionally, transferring more data
| would also consume more battery.
| oblak wrote:
| Caching would make things slower, consume more bandwidth and
| power why exactly?
|
| Also, your argument assumes everyone is browsing on a phone,
| and with a "plan". Is there no other way to access the web
| these days?
|
| I think simply disabling JS spares a lot more battery. Hell,
| with noScript you can block font manipulation.
___________________________________________________________________
(page generated 2021-10-29 23:00 UTC)