I decided to try my hand at building a plugin that would help prevent suspended users from returning by blocking their browser fingerprint (see panopticlick.eff.org). My plan for this plugin involves:
Anyone concerned with being tracked online needs to be familiar with web browser fingerprinting. Without using cookies, fingerprinting can convert the web browser on a computer into a unique identifier by which your actions can be tracked. Last month, Geoffrey A. Fowler wrote about it in the Washington Post: Think you're anonymous online? A third of popular websites are fingerprinting you.
Browser fingerprinting is done by looking at many, seemingly trivial, aspects of a computer and web browser and combining all that information into a profile. Most of the time, these profiles turn out to be unique. Some attributes that are examined are: the computer operating system, the time zone it is in, the language the computer is using, how much RAM the computer has, the screen height and width, the browser being used, the fonts and plug-ins that are installed, the audio and video formats that are supported by the browser, and much more.
There is no one way to make a browser fingerprint. Each one is a combination of dozens of pieces of information. Regardless of the specific formula, however, the critical issue is whether a given fingerprint is unique or not.
I don't know if anyone knows exactly what goes into the assorted fingerprints that advertising and tracking companies generate. If, however, they include the browser User Agent, that means you can only be tracked until your browser is updated to a new version, at which point you start over again with a clean slate. Considering how often browsers are updated, I doubt that fingerprints include the browser version number. But, who knows?
I recently added a section on browser fingerprinting to my DefensiveComputingChecklist.com web site. After writing up this summary of the topic, it occurred to me to test the two fingerprinting "tester" websites, amiunique.org and panopticlick.eff.org.
Still, a Chromebook running in Guest Mode should provide the same profile every time. Guest Mode is one of the best things about a Chromebook. It starts out, every time, with a virgin copy of the ChromeOS system. There are no favorites, no browser extensions and no other software besides the Chrome browser. When you log out of Guest Mode, everything is wiped out. You can think of it as private browsing mode on a just-installed copy of a web browser.
The profile of the Chrome browser on any one specific Chromebook should not change until the operating system itself is updated. The same effect could also be had using virtual machine software that supports checkpoints. You could run a fingerprint test and then roll back the virtual machine to the last checkpoint and run another test. I tested with a Chromebook.
Over and over, I would run a test at each of these two sites, then Exit out of Guest Mode and go back in to Guest Mode. If the sites do what they claim, they should see these Guest mode sessions as the same. It did not go well.
There are some other reasons to be suspicious of the site. The home page features a heading of "newVersionTitle" which makes me wonder if it has been abandoned. Also, the site offers extensions for Chrome and Firefox that track the browser fingerprint. The Chrome extension was last updated in October 2015. The Firefox extension was last updated in October 2017. Looks abandoned.
I emailed to the address on the home page, and someone responded quickly. The site has not been abandoned. The heading on the home page was fixed in a day. They were also very interested in my test results.
To help them in debugging, I have posted here the results of two tests, done a minute apart, each on a Chromebook in Guest Mode. I simply printed the web page to a PDF. Test 1 and Test 2. Looking at them side by side, I see that some data got cut off in each test. Sometimes data at the bottom of a page is simply missing. For example, the first JavaScript attribute was chopped off in one PDF. So, not the best debugging approach.
Also of interest was the Battery level. If this is part of a fingerprint, it means that devices using a battery cannot be tracked long term, as their battery level would constantly change. I doubt that advertisers include the Battery level in their fingerprints.
My best guess for why each Guest Mode Chromebook session appears to have a unique fingerprint is something called "media devices". I don't know what "media devices" are, but it seems that the Chromebook generates a unique value for this every time.
In the first test, it reported that "Your browser has a nearly-unique fingerprint". The detailed results said that one other computer/browser had the same fingerprint. This may have been from a prior test I did a few days earlier.
However, the 2nd, 3rd and 4th tests also reported that there was 1 other computer/browser with the same fingerprint. Still more tests failed to increase the tally beyond 1. This is either a bug or a bad explanation of what the number represents. The exact message is:
I emailed the EFF and heard back quickly. What we have here is a failure to communicate. They claimed it was not a bug, just a poor explanation of the situation. They said that each instance of the Guest Mode Chromebook was indeed generating the same fingerprint. I could not, however, understand their emailed second explanation of exactly what the site is trying to convey. However, that the numbers above are decreasing from (roughly) 63,000 to 50,000 to 42,000 to 36,000 can be taken as an indicator that my fingerprint has been seen more often.
Without a reliable tester website, there is no way to ensure that our defenses against browser fingerprinting are working. And, since defending is so hard, we really need this. The one exception that I know of is the Brave browser (only tested on Windows), which reports when it has blocked a fingerprinting attempt (see a screen shot).
I would expect that disposable VMs in Qubes provide the same set of Firefox features for all Qubes users. Unless you modified your browser in some way (and unless screen resolutions are different), our fingerprints should just coincide. However, every time I check the fingerprinting in Qubes, I get the result that I am unique among millions (amiunique) / hundreds of thousands (panopticlick) of users. It happens both on Debian and on Fedora. How is this possible? Do you get the same results?
Anyway, it is not too good an idea to attempt to forge headers and user agents, as that usually has to happen in lots of places and tends to fail in one of them. In that case you would get really unique.
Sure, I just wanted to investigate what actually happens currently and whether we can improve it. Maybe at some point in the future we can have some anti-fingerprinting guarantees, among the Qubes users?
I would expect that disposable VMs in Qubes provide the same set of Firefox features for all Qubes users. Unless you modified your browser in some way (and unless screen resolutions are different), our fingerprints should just coincide.
In order to achieve the same results in non-Whonix qubes (including DisposableVMs), one would have to reinvent Whonix. Such duplication of effort makes no sense when Whonix already exists and is already integrated into Qubes OS.
Browser fingerprinting is an invasive and opaque stateless tracking technique. Browser vendors, academics, and standards bodies have long struggled to provide meaningful protections against browser fingerprinting that are both accurate and do not...
The problem with fingerprinting websites is that the users who use them are usually the people who are already aware of browser fingerprinting or of privacy in general, who are still a minority, not the general public who represent the majority, so the results on these websites will not be reliable.
You are right and I totally agree. This is where TorBrowser/SecBrowser shine. They appear as a Firefox install on a Windows machine and even take care of things like your screen resolution by putting the page in a letterbox that matches standard resolutions but not that of your screen. They are doing much more, of course. I do not think even Brave comes close.