this post was submitted on 05 Nov 2023
193 points (96.2% liked)

Privacy

31855 readers
223 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

This is an EFF project that allows you to understand how easy it is to identify and track your browser based on how it appears to websites. Anonymous data will be collected through this site.

all 43 comments
sorted by: hot top controversial new old
[–] jet@hackertalks.com 29 points 1 year ago (1 children)

The EFF site is great, it tells you how many bits of information are identifiable.

If you think you have good protection, go to http://fingerprint.com and see if they can track you across multiple visits. This is a commercial fingerprinting company, on their homepage they have a tracking widget to demonstrate how good they are. So it's always useful to use fingerprint.com to get an empirical test of if you're trackable.

[–] beetus@lemmy.world 2 points 1 year ago* (last edited 1 year ago) (1 children)

Visited on my mobile this morning while commuting and no VPN and it geo located me 1000 miles away.

Visited again connected to a WiFi network and it got me right. Fun stuff

[–] jet@hackertalks.com 2 points 1 year ago

Did it track you on a second visit?

[–] privacybro@lemmy.ninja 14 points 1 year ago (1 children)

I have been doing fingerprint research for several years. I've done countless builds with various browsers, configurations, extensions, and strategies. (Yes i have too much time for this).

Here is what I've concluded. I hope this helps someone.

CoverYourTrack is crap, plain and simple. Your best option will always be to randomize. Always. You will not "blend in". I don't care if you run Google Chrome on Windows 10 or Safari on iOS, JavaScript exposes way too much info, you will always have a unique fingeprint. Just go play around with fingerprint.com on some normie browser/os setups and you will see what i mean.

You must randomize all the values that you see on sites like browserleaks.com. canvas, audio context, webgl hash, clientrects, fonts, etc etc. I'd also make sure you are proxifying all your browsers and using random locations. You can do this with Brave somewhat, which has some randomization stuff in it. You can do this with browser extensions as well. Ungoogled chromium also has some randomization for canvas and clientrects i think

There are only a couple options outside of this that I recommend, in the realm of "generic fingerprint" solutions. TOR browser (they have been on the front lines of this for many years). And also Mullvad browser, which, despite its generic fingerprint goal, seems to also defeat fingerprint.com.

Tldr, if you want the best experience out of the box that is also very usable, just use Mullvad Browser. They are basically the browser i wished for for like a decade.

[–] timicin@lemmygrad.ml 0 points 1 year ago (1 children)

When I tried tor it was so painfully slow that I have a difficult time imagining anything using it full time

[–] privacybro@lemmy.ninja 1 points 1 year ago

Yeah mullvad browser plus vpn is the best bet for usability

[–] downpunxx@kbin.social 14 points 1 year ago (1 children)

My impression is the thing with modern day ad tracking, selling information to spammers, and hackers is, even if you secure your browser tighter than a drum, any one of your browser extensions, which we've given permission to read all site data on every site you visit and interact with, could be keeping extensive logs on your activity and selling that away to the highest bidder. Am I understanding that right?

[–] nottheengineer@feddit.de 6 points 1 year ago (1 children)

Yes and that's why you stick to popular FOSS stuff.

[–] Contend6248@feddit.de 5 points 1 year ago* (last edited 1 year ago)

And even then, decide if you really need 20 addons really bad, less is better.

[–] Melody@lemmy.one 9 points 1 year ago* (last edited 1 year ago) (1 children)

I've got really good scores. I'm grading a bit on a curve due to mitigations/spoofs already in place for both browsers that fool the scripts effectively.

4.45 bits from Firefox. ["System Fonts" is the worst score]

4.47 bits from LibreWolf. ["AudioContext Fingerprint" is the worst score

Some Measurements are Ignored; reasons within.User Agent - Flawed. This contains no personally identifiable information and spoofing this often causes compatibility and functionality issues. It is OK to spoof for -MORE- functionality if needed.

WebGL Vendor & Renderer - Spoofed/Blocked Firefox spoofs this via CanvasBlocker and LibreWolf blocks this from being accessed at all. Spoofing allows some websites to feel "satisfied" they have some fingerprint that is otherwise patent nonsense and CanvasBlocker will present the same value to the website/script later if it's loaded in the same Container/Context.

Screen Size and Color Depth - Spoofed/Blocked Both Firefox and LibreWolf will spoof/randomize/standardize these viewport values back to scripts to preserve privacy. For functionality reasons my LibreWolf installation is my minimal plugin environment. This allows me to quickly and temporarily load a website I might NEED to use without compromising on Privacy while not being forced to troubleshoot which plugins might be preventing the site from loading in Firefox.

System Fonts - LibreWolf Only Spoofed/Blocked Value is Randomized

[–] spacedance@sh.itjust.works 6 points 1 year ago

What settings/addons do you recommend?

[–] jeena@jemmy.jeena.net 8 points 1 year ago (1 children)

Our tests indicate that you have strong protection against Web tracking.

nice

[–] elbarto777@lemmy.world 2 points 1 year ago (1 children)

What about the fingerprinting part?

[–] Contend6248@feddit.de 4 points 1 year ago* (last edited 1 year ago) (2 children)

Just use CanvasBlocker, it changes your ID randomly.

https://canvasblocker.kkapsner.de/faq/

Page X claims my fingerprint is unique.

Having a unique fingerprint is fine as long as it changes. With the default settings of CanvasBlocker the fingerprint should change all the time.

[–] flamingarms@feddit.uk 2 points 1 year ago

It should be noted that canvas is only one method of fingerprinting, so just randomizing that will not be enough to prevent fingerprinting.

[–] elbarto777@lemmy.world 0 points 1 year ago (1 children)
[–] Contend6248@feddit.de 1 points 1 year ago

No problem, faking instead of blocking canvas is the way to go, for example the new captcha by Cloudflare uses countless queries to check the browsers validity: https://blog.cloudflare.com/turnstile-private-captcha-alternative/

I'm guessing that if you block it sites will either block you entirely or give you a fallback old captcha.

[–] KarnaSubarna@lemmy.ml 8 points 1 year ago* (last edited 1 year ago) (1 children)

OS: Ubuntu 23.10 | Browser: Firefox 119 | Add-on: No-Script | Misc: AdGuardHome on Raspberry Pi 4B

Edit: Uploaded Full image for Comparison with Mullvad Browser.

[–] KarnaSubarna@lemmy.ml 4 points 1 year ago

Same setup, but with Mullvad Browser

[–] auf@lemmy.ml 7 points 1 year ago (2 children)

Here's my result (Tested on Safari on iPad)

[–] deranger@lemmy.world 7 points 1 year ago* (last edited 1 year ago) (2 children)

You should post the # of bits of identifying info it was able to derive. Best I’m able to do is 15 bits or so. Never seen it below 14, meaning you’re able to be nearly uniquely fingerprinted everywhere.

[–] e-ratic@kbin.social 5 points 1 year ago

Tor browser gives 6.8 bits, with javascript disabled https://files.catbox.moe/d74wf1.png

[–] auf@lemmy.ml 4 points 1 year ago (2 children)

Your Results Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 94902.5 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 16.53 bits of identifying information.

It seems that my Safari does not have very strong tracking protection.

[–] mateomaui@reddthat.com -2 points 1 year ago

Nvm, I got the same result you did with Firefox and Safari, I realized I was testing on my wifi with a pihole… switched to mobile network only and protection dropped to partial.

[–] mateomaui@reddthat.com -5 points 1 year ago* (last edited 1 year ago)

~~Do you need to turn an option on or off in Safari? I got a strong protection result, same as for Firefox.~~

[–] mateomaui@reddthat.com 3 points 1 year ago* (last edited 1 year ago) (1 children)

While everyone’s at it, you may want to check for leaks with Mullvad VPN’s service, it picked up a DNS leak for me that got past a few other sites:

edit: also ipleak.net, which tests a few other things, like torrent ips

[–] LostXOR@kbin.social 2 points 1 year ago (1 children)

Huh, it says I'm leaking DNS servers and WebRTC IPs, but I don't have secure DNS enabled, and I'm not really sure why WebRTC leaking my IP is a problem considering I'm already "leaking" my IP just by visiting a website.

[–] mateomaui@reddthat.com -4 points 1 year ago* (last edited 1 year ago)

In my case I had reset a device and didn’t disable IPv6. Once I fixed that the bottom two tests still say I’m “leaking”, but all three show only one IP each, for my VPN’s servers (maybe different IPs, but one for each.)

If I were actually leaking, IPs shown would be for a local DNS, or my residence, etc.

[–] swayevenly@lemm.ee 6 points 1 year ago (1 children)

Anyone know how I can get improved fingerprinting results on Firefox Android? Currently its at 16.56 bits and it says I have strong protection against web tracking. NoCanvas isn't availble on Android devices.

[–] shym3q@programming.dev 2 points 1 year ago (1 children)

on f-droid there is a hardened firefox fork: mull

[–] swayevenly@lemm.ee 3 points 1 year ago

Thanks. I'll give it a try.

[–] KarnaSubarna@lemmy.ml 5 points 1 year ago* (last edited 1 year ago) (1 children)

I personally consider this[1] to be the ultimate test of Browser fingerprint protection coverage. [1] https://abrahamjuliot.github.io/creepjs/

[–] averyminya@beehaw.org 1 points 1 year ago

Tails on Tor with JS off?

[–] KarnaSubarna@lemmy.ml 4 points 1 year ago

This is another good website for Browser leak/privacy settings test.

https://browserleaks.com/

[–] mateomaui@reddthat.com 3 points 1 year ago* (last edited 1 year ago) (1 children)

~~Using Firefox on iPhone~~

edit: Nvm previous result, I got the same result OP did with Firefox and Safari, I realized I was testing on my wifi with a pihole… switched to mobile network only and protection dropped to partial.

edit2: but Firefox Focus still has strong protection:

https://i.imgur.com/qeeuHKJ.jpg

[–] cyborganism@lemmy.ca 5 points 1 year ago (2 children)

Yeah I got the same result.

I wonder in the fingerprint is a spoof and the result is a false positive? Because Mozilla says there is fingerprint protection in Firefox.

[–] mateomaui@reddthat.com -5 points 1 year ago

My results were skewed because I was testing through a pihole, switched to mobile and got OP’s result.

[–] mateomaui@reddthat.com -5 points 1 year ago* (last edited 1 year ago)

~~I seem to get that same result on iPhone for Firefox, Safari and Brave~~

edit: see original reply

Firefox Focus still has “strong” result.

I get “Partial Protection” on Chrome and two generic named browsers, and a flat-out “No” for Opera Mini

Before anyone asks “why” about anything listed here, I have to test webpages for compatibility across browsers. Having them installed is the only way to do that.

[–] Lodra@programming.dev 3 points 1 year ago

I got the same as @mintycactus@lemmy.world using Firefox Focus on IOS. Which I’m rather pleased by

[–] ShitOnABrick@lemmy.world 2 points 1 year ago

I've been using this for years m8. Propa bit of software

[–] halfempty@kbin.social 1 points 1 year ago

My Librewolf gets strong protection from tracking and it's fingerprint is common with millions (so not uniquely identifiable).

[–] MonkderZweite@feddit.ch 0 points 1 year ago

Meh, "Protecting you from fingerprinting?" doesn't load.