back to article It's not just your browser: Your machine can be fingerprinted easily

It just got a lot harder to evade browser fingerprinting: a bunch of boffins have worked out how to fingerprint the machine behind the browser, using only information provided by browser features. Like so many ideas, it's obvious once someone's thought of it: activities that aren't processed in the browser are treated the same …

  1. This post has been deleted by its author

    1. Compression Artifact

      Re: Mine doesn't give that data.

      This reminds me of when I visited the website of one of the major antivirus products many years ago. In order to frighten people into buying their product, they offered a link to click on which would then give you a printout of all the information they could dig out of your machine. I clicked on it. What came back was a page stating that they couldn't find out anything because I had JavaScript disabled. The page suggested that I enable scripting so that they could do their thing. I left.

      1. LDS Silver badge

        Re: Mine doesn't give that data.

        Thus you *never* activate Javascript on *any* site?

    2. Anonymous Coward
      Anonymous Coward

      Re: Mine doesn't give that data.

      "Fine! We'll miss you...NOT!"

      Let's face it. A GUI OS with 1GB+ IS the norm these days. Anything weaker than that doesn't even blip on the radar. And people DEMAND flashy websites or they'll denounce them as skinflint cheapskates. So for them it's either plunk down or lose business. And if they lose business, how will they explain themselves to the investors?

      1. SundogUK

        Re: Mine doesn't give that data.

        "And people DEMAND flashy websites or they'll denounce them as skinflint cheapskates."

        No we don't.

        1. AMBxx Silver badge

          Re: Mine doesn't give that data.

          Surely just easier to use a VM and change the configuration slightly each time? As most configuration is now just XML, would be easy enough to do it on a timed schedule. Even changing the MAC address on each reboot would be sufficient.

          1. Charles 9 Silver badge

            Re: Mine doesn't give that data.

            But the IP would still be the same because it would go through YOUR router. I'm sure they'd catch on to those tricks and just lump them together by IP and behavioral patterns.

        2. Charles 9 Silver badge

          Re: Mine doesn't give that data.

          "No we don't."

          YOU don't, but you're outvoted.

        3. imanidiot Silver badge

          Re: Mine doesn't give that data.

          You are not "people in general" nor fall into a group that comes even close to being described as "people in general".

      2. LionelB

        Re: Mine doesn't give that data.

        "And people DEMAND flashy websites ... "

        Which is why no-one uses Google - obviously their search page is just not flashy enough.

    3. Anonymous Coward
      Anonymous Coward

      "Mine doesn't give that data"

      ..."I have purposely edited the UA string to be as devoid of such data as possible"..

      Great! But wondering who in your circle of friends / colleagues / partners / ex's is the low-hanging fruit leaking juicy slurpable info on you regardless.

      Did you lock down their devices too? Did you stopp them pairing & sharing their entire life with WhatsApp / FB / Linkedin / Gmail / Instigram / Snapchat?

      Just because you built a digital wooden bunker in the woods that suffices for now, doesn't prepare for the privacy-killing juggernaut that's coming down the pipe! Google / FB etc are lawless, and its the wild wild west out there!

      1. Anonymous Coward
        Anonymous Coward

        Re: "Mine doesn't give that data"

        Yes.

        I don't use FB, whatsapp, Linkedlin, gmail, instagram or snapchat.

        If a FRIEND, you know, someone who is ACTUALLY a friend - and not some random who knows someone who knows someone who knows someone who knows me - wants to contact me, they send an email to my non-data-slurping email system, or send me a DIRECT SMS (not a FB or twitter notification) or CALL me. And vice-versa. If I want to hang out with someone or someones in particular, I'll DIRECTLY contact them with plans. I won't post a FB "Hey, i'll be at XYZ next Friday at 9pm" and hope someone I give a toss about reads it and decides to show up. I'm not that needy.

        I don't post my personal shit online because it's PERSONAL, NOT public.

        Sure, a friend who uses FB might post a photo of a gathering with me in it on their FB profile, but since I don't have an FB account it won't be 'tagged' with my FB account since I don't have one.

    4. Dan 55 Silver badge

      Re: Mine doesn't give that data.

      Your best bet for anonymity is to do (or set things up so it claims to do even though it doesn't) what the average machine does, because if you turn everything off, that itself makes you stick out like a sore thumb.

    5. storner
      Big Brother

      Re: Mine doesn't give that data.

      Your browser identifying as "Links" is enough to fingerprint you with 99.24% accuracy ...

    6. Anonymous Coward
      Anonymous Coward

      Re: Mine doesn't give that data.

      I notice you've also disabled your Return key.

    7. ecofeco Silver badge

      Re: Mine doesn't give that data.

      Thanks AC. I've been saying this for years.

      Apparently elegant and efficient are just not as hip as making everything as complicated as possible for street cred and job security.

      Not to mention the fucking security holes all that bloat creates.

  2. Sampler

    Tor height x width

    Tor's height and width is unlikely to be the machines either, as it starts the browser as a window and warns against going fullscreen, so, technically, even if it's reported, it's fairly useless and standardised.

    1. Anonymous Coward
      Anonymous Coward

      Re: Tor height x width

      Totally agree.

      While I don't use Tor, I never run any browser in full screen. It is just not my thing.

      To be honest, the only things I ever run in full screen (on my 4K display) are Lightroom and Photoshop.

      Why do I see 24in screens running the Control Panel in full screen. There really is no reason for this at all. The same goes for many applications on Windows. a 24in and above screen is NOT an effing phone or tablet. If there is no reason to default to full screen everything then just don't do it. Perhaps thats why I hate MS so much. But I have gone way off topic so I'd better shut the hell up.

    2. Anonymous Coward
      Anonymous Coward

      Re: Tor height x width

      One thing I've never got with TOR is why javascript is on by default. As it's such an easy toggle on/off, I would of thought off by default would make more sense.

  3. tr1ck5t3r

    Some other tricks you can use to identify someone.

    Use code in websites that will trigger reported bugs. If bug action isnt detected, then browser could be masquerading as some other browser.

    Where bug is known to have impact on OS, again depending on action, could indicate unpatched system ready for exploits, how many of those are there in the world?

    Considering the vague geolocation Google and other location services put you at if you were to search for a plumber (see Google maps with plumbers pinpointed on the map for you) and what the ISP will do to obfuscate your location, you have to ask yourself some of the following questions.

    When you break down how many people live in this obfuscated area, how many people who at that moment in time will be away from a computer doing a job not involving a computer?

    How many people will be at work on a computer?

    How many people will be driving?

    How many people will be shopping?

    How many people will be asleep due to working shifts?

    How many people will be waiting in hospital?

    How many people will be doing other activities not involving web browsing?

    How many people always check out the same few websites out of the billions available to choose from?

    How many people who will be carrying their mobile phone around with them placing them in a location already, with various phone OS sniffing wifi if GPS cant be seen.

    Do you really believe your mobile phone software when it says you have switched off wifi & gps?

    Did you write the software or just naively believe the programmers say even though some have admitted you are the product?

    When you take all of the above into consideration, you cant have privacy, in fact your interests and repeat behaviour visiting the same websites, at the same or similar times of day having specific interests give you away over and over and over again.

    The military like to call this Signals Intelligence (or SigInt), businesses call this data analysis amongst other names made up by some executive who thinks they can coin a new term or phrase, and one way or another you work or support those big corporates who own your Govt and feel its their right, their duty to spy on you monitoring your work performance and your private life whether you like it or not, to extract the maximum out of money out of your slave wages whilst giving you less and less back.

    If your favourite search engine keeps giving you the same few shopping outlets, and you keep being giving a limited choice of products and services to choose regardless of how you phrase your search results, then that search engine has already worked out who you are and they are now controlling your life by what they choose to show you.

    Enjoy your life slave, you slept walked into that one didnt you?!?

    1. Charles 9 Silver badge

      The TL;DR version: websites and network people have already mastered the art of de-anonymizing you in ways that cannot be easily disguised, such as by location narrowing, click habits (which can be timed and are based on instinctive habits that are hard to break), and assorted Turing Tests to filter out chaff clickers. IOW, if they REALLY want to find you out (and there's a financial motivation to do so), they'll find ways that can't be stopped without breaking the Internet. After all, a letter normally needs a return address, and that's crucial information on its own.

    2. Martin an gof Silver badge
      Meh

      Do you really believe your mobile phone software when it says you have switched off wifi & gps?

      WiFi and GPS on, battery lasts a day or two at best. WiFi and GPS off, battery lasts six or seven. Mobile data off too can easily stretch that to 8 or 9 days, and 10 is not impossible.

      Not that there aren't other ways to track you, but sometimes you can be a teensy bit too paranoid.

      ;-)

      M.

      1. Anonymous Coward
        Anonymous Coward

        @Martin an gof

        "WiFi and GPS on, battery lasts a day or two at best. WiFi and GPS off, battery lasts six or seven. Mobile data off too can easily stretch that to 8 or 9 days, and 10 is not impossible.

        "Not that there aren't other ways to track you, but sometimes you can be a teensy bit too paranoid."

        Well, clearly WiFi, GPS, and mobile data radios must have been heavily optimized to the point that they just don't consume much electricity. They must just stop your interactive applications from visibly communicating, which of course cuts down on CPU usage. The remaining bulk of electricity consumed during normal operation must just be done to give you the illusion of really having disabled your radios!

  4. Baldy50

    Try it.

    https://panopticlick.eff.org/

    1. GrapeBunch Silver badge

      Re: Try it.

      https://panopticlick.eff.org/

      I did. Screen size, and Platform, at least, were incorrect! Still, I suppose, even if they're wrong, if I'm unique, privacy is sunk.

  5. Anonymous Coward
    Anonymous Coward

    If they've just worked out how to do this, then they're 5 or 10 years behind everyone else, aren't they?

    The TorBrowser bundle sets NoScript to enable Javascript by default, because if you disable it by default then you'll probably have to enable it for certain sites, and what sites you've allowed javascript for would become a browser fingerprint of the type they're talking about. That decision was made years ago because it's a problem that's been well understood for a long time.

    I don't quite understand what part of this is news. Have they managed to increase the fingerprinting accuracy by 0.1% or something?

    1. Anonymous Coward
      Anonymous Coward

      "The TorBrowser bundle sets NoScript to enable Javascript by default, because if you disable it by default then you'll probably have to enable it for certain sites, and what sites you've allowed javascript for would become a browser fingerprint of the type they're talking about. That decision was made years ago because it's a problem that's been well understood for a long time."

      Any TOR site that needs JavaScript is likely REALLY using it for fingerprinting (the NSA used this trick, remember, and they got you nailed down to the MAC) and to be avoided in any event. NoScript should really deny by default and prevent you from selectively enabling on the grounds they're probably trying to get tells on you.

      The news is that they've been able to reliably fingerprint you by using nothing more than basic WWW callbacks: things basically needed, say, for formatting purposes (visited links, too-large or too-small elements, etc.) or things break. Basically, the metadata needed to make the WWW work smoothly and efficiently is ALSO, inherently, extremely valuable de-anonymizing information. It's like the return address you put on an envelope. Put it on, and people can find out about you whether you like it or not, but if you don't, and things go wrong, there's no way to backtrack and do a Return to Sender or the like.

      The TL;DR version: if you want to do practical business anywhere, you're going to have to leave traces in case of problems, but those traces can be used against you. The price of society, basically.

      1. Anonymous Coward
        Anonymous Coward

        "The news is that they've been able to reliably fingerprint you by using nothing more than basic WWW callbacks: things basically needed, say, for formatting purposes (visited links, too-large or too-small elements, etc.) or things break. Basically, the metadata needed to make the WWW work smoothly and efficiently is ALSO, inherently, extremely valuable de-anonymizing information. "

        That isn't news though. That sort of thing has been around for years.

        To answer my own question I had a quick scan of the actual paper. The crux of it is they claim to fingerprint the machine, not the browser. So if you use a different browser on the same machine, they can still identify you.

        Normally switching browsers will defeat the kind of browser fingerprinting that you described, based on things like link history, element formatting and HTTP headers. But they have found enough things that are common to all browsers on a machine to generate a useful fingerprint. The novel fingerprintable features they've come up with to enable this are mainly subtle variations in the behaviour of the GPU and graphics drivers.

        This capability seems fairly academic, given that the number of people who actually use more than one browser on the same machine is surely very small.

      2. Roger 11

        "Any TOR site that needs JavaScript is likely REALLY using it for fingerprinting (the NSA used this trick, remember, and they got you nailed down to the MAC) "

        Got any source for this?

  6. Eddy Ito Silver badge

    Just feed them a little イカそうめん and let them get fingerprints from that.

  7. Martin Maloney

    What about using a VPN?

    Does a VPN server send data about itself, or does it pass along data from computers accessing it?

  8. Matthew Collier
    Stop

    I did scan the doc, though I admit I didn't read the whole (wordy) thing completely. It seems to me that they use in order of magnitude:

    1. WebGL

    2. Javascript

    3. Canvas

    for their method to work. It seems to me that WebGL is the main attack surface here? When WebGL came out, it sounded like a bad idea to me, so I switched if off on all my Browsers and machines, and I have to say, in all the years since, I have run into one single website that needed it (an interactive "how to solve the rubik's cube site, which seems like the kind of thing it was actually designed for!).

    Honest question, what is WebGL supposed to be needed for, because I can't really see a good reason to have something running that exposes such a low level to your system, via your browser? It never seemed like a good idea to me when it was new, and it seems worse now, and seems not to be worth having it turned on, based on how little I seem to have missed it.

    Obviously, you can't lock everything down completely, as then you have quite basic browsing capability, though, the TOR browser is surprisingly usable considering, but you can do your best, as much as the time as possible, to try and keep the wolf from the door!

    The paper also doesn't state what differing underlying operating systems makes to the equation either (that I could see in the paper)?

    Matt. (with an uncommon OS and a lot of Firefox features turned off, and a lot of privacy/security extensions in the browser, plus lots of O/S and network level stuff on top... (just do the best you can and hope! ;) ))

    1. Anonymous Coward
      Anonymous Coward

      WebGL is a standard that provide OpenGL graphics features to the WWW.

      This means it has becomes the defualt playback system in Unity and other engines for producing web versions of games etc.

      This is basically what it is designed for. A way to replace Adobe's Flash for game developers in the HTML5 world.

      1. patrickstar

        Why is this, and other huge sources off attack surface, even needed in a web browser? You know, a program used to browse web pages.

        Why aren't the things specific to "large fancy high performance applications" in a separate program, or atleast behind a whitelist?

        1. Charles 9 Silver badge

          Because a web page is no longer just a page. That bus left LONG ago and won't be coming back even if someone were to draft an HTML6 spec with all the stuff taken out. It's what the users want (and to most users, the WWW == The Internet and they refuse to see anything else), and that's what the users will get (they outvote you). We could've done remote graphical terminals a long time ago, but now it's way too late.

          1. patrickstar

            Most web pages are still just that - pages. With text that you read, and possibly forms that you submit. Just with JS for stuff that's best done client-side.

            This is a very different use case than say running a FPS game or a word processor.

            This second use-case could very well be behind click-to-play and not even part of the core browser but rather a plugin/extension.

            Then, of course, there are some stuff that would be perfectly fine, and actually work better, if done as the first case rather than the latter. Apparently, at the moment it's hip to use a bunch of stupid frameworks, megabytes of JS, and proclaim that your site is a "web application" even though it would be perfectly fine - or even work better - as a classic site (Twatter, I'm looking at you).

            It seems that WWW suckiness follows a cyclic pattern.

            Started out decent, became good, got really crappy with the late 90's fads, became good again, and now it's back to crap. I'm holding out hope it will go back to atleast decent.

            Meanwhilst sites are working poorly, browsers eating lots of resources and crashing, people getting owned left and right, and you basically can't use a web browser for anything but very trusted sites on computers you care about avoiding that on.

  9. anoco

    Opportunity

    Good time for some smart kid to write a FF extension that gives random info back to the servers.

    1. Anonymous Coward
      Anonymous Coward

      Re: Opportunity

      Which would quickly be defended by Turing Tests so they can winnow out the chaff.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019