Browser Fingerprinting

[HEISENBERG]

Many people use Anonymity Networks to hide their IP address and location – but there is another way you can be identified and tracked: through browser fingerprinting.

Whenever you go online, your computer or device provides the sites you visit with highly specific information about your operating system, settings, and even hardware. The use of this information to identify and track you online is known as device or browser fingerprinting.

As browsers become increasingly entwined with the operating system, many unique details and preferences can be exposed through your browser. The sum total of these outputs can be used to render a unique “fingerprint” for tracking and identification purposes.
Your browser fingerprint can reflect:

• the User agent header;
• the Accept header;
• the Connection header;
• the Encoding header;
• the Language header;
• the list of plugins;
• the platform;
• the cookies preferences (allowed or not);
• the Do Not Track preferences (yes, no or not communicated);
• the timezone;
• the screen resolution and its color depth;
• the use of local storage;
• the use of session storage;
• a picture rendered with the HTML Canvas element;
• a picture rendered with WebGL;
• the presence of AdBlock;
• the list of fonts.

Efficiency of identification in this way is well described here: http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf

Are browser fingerprinting test websites very accurate?

Yes and no.

Yes, these websites do provide accurate information about your browser’s fingerprint and the different values being gathered.

No, the “uniqueness” conclusion about your browser from these websites can be wildly inaccurate and very misleading. Here’s why:

Data sample: Cover Your Tracks and amiunique.org are comparing your browser’s fingerprint to a giant database of old, outdated browsers – many of which are no longer in use. When you test your browser’s fingerprint with an updated browser, it may show it as being extremely rare and unique, even though the majority of people are using the same updated version. Conversely, running the test with an old, outdated browser may show a very good result (not unique) when in reality very few people are using the older browser today.
Screen resolution: At least on desktop machines, most people regularly adjust their browser screen size. Every minor screen size value will be measured as a factor for uniqueness, which can be misleading.
Randomized fingerprints: Another problem with these test sites is that they don’t account for randomized fingerprints that can be regularly changed through browser extensions. This method may be an effective way to prevent real-world fingerprinting, but it can’t be tested/quantified through these sites.​

In general, the browser fingerprinting test websites are good for revealing the unique information and values that can be rendered from your browser. Aside from that, however, trying to beat the test by getting the lowest “uniqueness” score may be a waste of time and counterproductive.

Here are some good ways to mitigate your browser fingerprint:
It is strongly recommended that anything that could be considered Darknet related you don’t do on your normal operating system, or default browser. It is advisable to have a separate device for this purpose.

Be sure to study:

Cover Your Tracks

See how trackers view your browser

coveryourtracks.eff.org

https://amiunique.org/ is another good resource. It is open source and provides more information and updated fingerprinting techniques, including webGL and canvas.

 

[Chemman]

Are there any precedents when a drug dealer was detained for identifying browser fingerprints?
Is JS so dangerous for the darknet?

 

[Alenciss]

There are a number of known vulnerabilities, that have been used, to deanonymize Tor users via leveraging JavaScript.

The first major incident where this happened was with the "Freedom Hosting" seizure by the FBI. The FBI kept servers online, and then installed javascript paylods which exploited a zero-day exploit in Firefox. This caused the computers to call back to an FBI server from their real, non-anonymized IP, leading to the deanonymization of various users. You can read more about it in Ars Technica.

In general, enabling JavaScript opens the surface area for many more potential attacks against a web browser. In the case of a serious adversary like a state-backed entity (e.g. the FBI), they have access to zero-day exploits. If the vectors for these zero-days are disabled (e.g. JavaScript), then they may be hard pressed to find a viable exploit even if they have access to zero days etc.

The only reason the Tor project allows JavaScript to be on by default in the Tor browser is usability. Many Tor users are not technically savvy, and JavaScript is commonly used with HTML5 in modern web sites. Disabling JavaScript causes many web sites to be unusable, thus it is enabled by default.

As a best practice, one should disable JavaScript in the Tor browser and keep NoScript enabled for all sites, unless you have an extremely compelling reason not to.

 

[MuricanSpirit]

Afaik WebRTC - used mostly as voip - can be used as well to fingerprint you (the api shows what devices are available eg. Chrome gives away if you have a xbox controller pluged in).

Some unique non js fingerprinting technique is using css respectively the @media query (responsive view) to fingerprint you by "downloading each time a new image" when the browser size is changed. So they can tell if you have a 4k monitor or if you are running a vm (most vms have only 2 sizes available by default). The only way to "avoid" this fingerprinting is not to change the size of the tor browser after it started (it will start in its default size).

eg.

@media only screen and (max-width: 600px) { body { background: url("maxwidth600.png") } }

This way the server knows what width the browser has. The endpoint (eg. /images/widthWHATEVER.png) doesn't even have to return an image and still the browser will ask each time for one when resizing.

They can also use your "resizing behaviour" to identify you eg. you are the only user of 1'000'000 samples who resizes from x-width to y-width repeatedly.

There are so many techniques to fingerprint you, its unbelievable. Best is to avoid any site you don't trust.

 

[HEISENBERG]

The only sensible solution

 

[MuricanSpirit]

Follow the mouse without js (though expirment, I never saw this or heard that it is used):

It works in the backend basically the same way as "resolution fingerprinting" works by loading a picture (server can response with 404 not found) which tells the backend the coords of the mouse.

// never tried .main { -z-index: 999999; // put over everything width: 100%; height: 100%; position: absolut; top: 0; left: 0; pointer-events: none; // let the mouse click through } // lets say you care about each 1px movement, resulting in a lot of noisy requests, you probably would use 20-100px grids .main grid00 { // representing top left first pixel x:0 y:0 background: url("position0_0.png"); width: 1px; height: 1px; } .main grid01 { // representing top left first pixel x:0 y:1 background: url("position0_0.png"); width: 1px; height: 1px; } // etc. you would ofc generate those css rules through scss (imagine it as [I]scripted css[/I] which generates standard css)


You could use the date to know if the user is active on the tab, classify his mouse behavior (eg. how fast does he move it, where is his preferred position, does he use his mouse to read the text etc. pp.)

You could create such css rules for each button to know "how does the user press a button" (does he move from the bottom to the top, speed of the movement etc.) and ofc what position he prefers on the buttons itself

 

[cederroth]

I would recomend not doing more than one thing at a time when using tor, or tails.
When you want to do something else, logout from tails. and relog. THat creates a new id.
If you do many things at the same time, one might be able to connect dots you dont think about.