Browser fingerprinting

Browser fingerprinting – explanations and solutions

Browser fingerprinting

In this new and updated guide, we will cover all aspects of browser fingerprinting and device fingerprinting. In addition to explaining what this is, we will show you how to protect yourself from these threats.

Many people use VPN services to hide their IP addresses and locations – but there is another way to identify and track them: fingerprinting through the browser.

Whenever you go online, your computer or device provides highly specific information about your operating system, settings, and even hardware for the sites you visit . Use this information to identify and track what you call device or browser fingerprinting online.

As browsers and operating systems become more compact, many unique details and preferences can be exposed through the browser. The sum of these outputs can be used to present a unique “fingerprint” for tracking and identification purposes.

Your browser fingerprint can reflect:

  • User agent header
  • Accept header
  • Connection header
  • Coding header
  • Language title
  • List of plugins
  • The platform
  • Cookies preferences (allowed or not allowed)
  • Do not track preferences (yes, no or not)
  • Time zone
  • Screen resolution and its color depth
  • Use local storage
  • Use session storage
  • Images rendered using HTML Canvas elements
  • Images rendered with WebGL
  • The existence of AdBlock
  • Font list

How accurate is browser fingerprinting?

Some researchers have found this method of identification   very effective .

Why did you do this?

Browser fingerprinting is just another tool for identifying and tracking people browsing the web. There are many different entities – companies and governments – that are monitoring Internet activity and they all have different reasons to do so. Advertisers and marketers have found this technology to be very useful for getting more user data, which can lead to more advertising revenue.

Some websites use browser fingerprinting to detect potential fraud, such as a bank or dating site, so it’s not always evil.

Regulators can also use it to identify people who use other privacy measures to cover their IP addresses and locations, such as VPN services or Tor networks.

Browser fingerprint test website

A good test site can view all the information displayed by the browser at www.deviceinfo.me .

Browser fingerprint test

There are also websites that display browser data and evaluate the “uniqueness” scores compared to their browser database based on your variables.

  • Panopticlick is operated by the Electronic Frontier Foundation.
  • Amiunique.org is another great resource, but unlike Panopticlick, it is open source , providing more information and updated fingerprinting technologies, including webGL and canvas.

Is the browser fingerprint test website very accurate?

Yes, no.

Yes , these sites do provide accurate information about browser fingerprints and the different values ​​collected.

No , the “uniqueness” conclusions about your browser from these sites can be very inaccurate and very misleading. The reasons are as follows:

  1. Data sample : Panopticlick and amiunique.org are comparing your browser fingerprints with the old, outdated browser ‘s huge database – many of which are no longer used . When you use a newer browser to test your browser’s fingerprints, even if most people use the same updated version, it may show it as very rare and unique. Conversely, running tests with older, outdated browsers may show very good results (not the only ones), but in reality few people now use old browsers.
  2. Screen resolution : At least on the desktop, most people regularly adjust the browser screen size. Each secondary screen size value will be measured as a unique factor, which can be misleading.
  3. Random fingerprints : Another problem with these test sites is that they don’t take into account random fingerprints that can be changed periodically through browser extensions. This approach may be an effective way to prevent real-world fingerprinting, but it cannot be tested/quantified through these sites.

Often, browser fingerprint testing sites help reveal unique information and values ​​that can be presented from your browser. However, in addition to this, trying to beat the test by getting the lowest “uniqueness” score can be a waste of time and counterproductive.

How to reduce browser fingerprints

Before we delve into potential solutions, it’s important to note that implementing browser fingerprinting protection methods can break some websites . Be sure to study these different options carefully before adjusting your browser settings.

Another thing to consider is your threat model . How much privacy do you need or want? The answer to this question will be different for each user.

Finally, I use the word “mitigation” instead of “solving” because browser fingerprinting is a very complex and evolving problem. For example, a new study shows that you can’t do anything to mitigate some fingerprinting attacks on your smartphone (discussed in more detail below).

Here are some good ways to ease your browser’s fingerprint:

1. Browser modification and adjustment

Depending on the browser you are using, you may have a few different options for tweaking and modifying to reduce browser fingerprinting. Below we’ll discuss the various Firefox and Brave browsers, all highlighted in the Secure Browser Guide.

Firefox browser fingerprint recognition

Firefox is a great privacy and security browser that can be modified and enhanced to suit your unique needs. (For an overview of Firefox privacy adjustments, see the Firefox Privacy Guide.) The first thing you need to do is type about:config in the Firefox URL bar   , press Enter, then agree to “accept risk” and make the following changes. :

  • privacy.resistFingerprinting   (Change to   true ) – Changing this value to true will provide some basic protection, but it is far from a complete solution. The privacy.resistFingerprinting preference has been added to Firefox as part of the Tor Uplift project and is still being improved.
  • Webgl.disabled (change to   true ) – WebGL is another tricky issue for privacy and security. Disabling this preference is usually a good idea – see some of the issues with WebGL here .
  • Media.peerconnection.enabled (Change to false ) – Disabling WebRTC is a good idea because it reveals your real IP address, even if you are using a good VPN service. For more details and how to disable WebRTC in other browsers, see the WebRTC Leak Guide.
  • Geo.enabled (Change to false ) – This disables geo-tracking.
  • Privacy.firstparty.isolate (Change to true ) – This is another major update to the Tor Uplift project that isolates cookies into first-party domains.

Note: This is a brief overview of the changes that can improve your privacy and help mitigate browser fingerprints. Still, fingerprinting has many different factors, and even with these changes, you may still have unique fingerprints.

Firefox and ghacks user.js file

Another great option is a unique user.js file to run Firefox, such as ghacks user.js of . This is a custom Firefox configuration file that has been modified to improve privacy and security. I like this option because it saves a lot of setup time and is regularly updated and improved. See the wiki page for an overview and setup instructions   .

When I tested the newly installed Firefox with the ghacks user.js file, amiunique.org showed that my browser fingerprint was not unique.

Brave browser fingerprinting

While it’s based on Chromium, a brave browser might be a good choice for those who want a simple, privacy-centric browser that blocks tracking by default and still supports Chrome extensions. Brave allows you to enable fingerprint recognition protection, which is set under the brave shield:

Browser fingering brave

When I tested the newly installed Brave by enabling “Block All Fingerprints”, I still have a unique fingerprint based on Panopticlick and amiunique.org.

See also this article on Github to discuss different aspects of fingerprint recognition protection in Brave.

2. Browser extensions and add-ons to minimize or deceive your fingerprints

You may find many different browser extensions and add-ons. Here are some things to remember:

  1. Please be aware of third party extensions, which may undermine your privacy and security.
  2. Please note that using extensions may make your browser fingerprints more unique (many factors).

Now that we have removed these disclaimers, let’s take a look at some of the browser plugins that might be useful:

Firefox browser:

  • Kkapsner ‘s Canvasblocker – Prevents canvas fingerprinting ( source code on GitHub )
  • Track  AbsoluteDouble – Prevent various fingerprinting methods ( source code on GitHub )
  • Chameleon  by sereneblue – allows you to trick user agent values ​​( source code on GitHub )
  • Alexander Schlarb’s User Agent Switcher – allows you to trick user agents ( source code on GitLab )

You may also want to consider many other Firefox add-ons that are discussed in the Firefox Privacy Guide. Some of these add-ons are also available for Chromium-based browsers such as Br ave.

Some people suggest using browser extensions to trick different user agents, while others think this is a bad idea because it may make you more “unique.” Of course, there are many factors to consider, but adding noise to your fingerprints may not be a bad strategy.

For example, with Chameleon , you can iterate through different user agents at different intervals:

User agent fraud

Now let’s take a look at another option to modify the browser’s fingerprint: the use of the virtual machine.

3. Virtual machine

You can also consider running different virtual machines that can use different operating systems on the host. VirtualBox is FOSS, which provides an easy way to run different Linux VMs for privacy and security. There are many different video tutorials online depending on your operating system and the VM OS you are using.

Virtual machines have many advantages in terms of privacy and security, while also protecting your host. To protect privacy, virtual machines allow you to easily spoof different operating systems and link VPN services as described in the Multi-Bit VPN Guide. This also helps isolate the virtual environment and protects the security of the host. If you want to destroy a virtual machine, just delete it and create a new virtual machine. You can also use different VMs for different purposes.

4. Tor browser

Another option is to use the Tor browser, which is just a hardened and protected version of Firefox. It contains a number of privacy and security modifications built into the default version:

  • HTTPS is everywhere
  • NoScript
  • Anti-tracking function
  • Canvas image extraction is blocked
  • WebGL is blocked
  • The operating system hides the real (displayed as Windows 7 for all users)
  • Time zone and language preferences are blocked

The key here is to use the default version   (developers don’t recommend adding any plugins or extensions as this may affect the effectiveness of the browser).

You can get the latest version of the Tor browser here .

Here are the fingerprint test results from the Panopticlick Tor browser:

Tor browser fingerprint

The default version of the Tor browser is configured to run with a Tor (anonymous/onion) network. Although the Tor network does add benefits in terms of privacy, it also has a number of disadvantages:

  • Your internet speed will drop to about 2 Mbps, making streaming video or music almost impossible
  • Tor only encrypts traffic through the browser, instead of encrypting all traffic on the operating system, such as VPN
  • Tor is vulnerable to IP leaks, especially for Windows
  • It is not safe to use Tor in Torrette (see Best VPN for Torrenting Guide)
  • Thor is established by the US government and is still   funded   by the US government.
  • Some people think that Tor will be damaged.

In my in-depth Tor guide, I also revealed extensive collaboration between Tor developers and US government agencies such as the FBI. (This information was posted via FOIA request.)

Although there is a problem with the Tor network, you can still use the Tor browser and virtual private network (VPN) and disable the Tor network.

Tor browser with VPN (disable Tor network)

Some people like to use the Tor browser with a VPN (disable the Tor network). This gives you the browser fingerprint protection of the Tor browser and the speed and anonymity provided by the VPN.

Disclaimer  – While this may be beneficial to some users, it carries the risk of misconfiguring the Tor Browser bundle, which may anonymize the user (if you rely solely on the Tor network for anonymity).

Here’s how to download the Tor browser and disable the Tor network:

  1. Download the Tor browser for your operating system . Once downloaded, you will be prompted to connect to the Tor network, which allows you to access the settings.
  2. In the Tor browser, go to the  Menu button (three lines in the top right corner) and select  Options (Windows) or   Preferences (Mac OS).
  3. Choose Advanced  >  Network  >  Settings 
  4. Choose No Agent  >  OK 
  5. Type about:config in the URL bar and press Enter / return. You will receive some kind of warning message (“This may invalidate your warranty!”) – just click “Continue” or “I accept risk!”.
  6. Type network.proxy.socks_remote_dns in the search box     and double-click to disable it; value = false
  7. To disable the Tor network completely, go to the search box again and type   extensions.torlauncher.start_tor  and double-click to disable it; value = false
  8. To ensure that these changes do not revert to the default settings when you close your browser, you need to disable TorLauncher. To do this, go to Options  >  Add-ons  >  TorLauncher [Disable] and restart your browser to perform the changes.

You will need to restart the Tor browser for the changes to take effect.

Now, when you open the Tor browser, it will not be able to connect via the Tor network. This will prompt a warning screen (“Something Went Wrong”) that you can ignore.

It’s important to remember that your Tor browser is not configured to use the Tor network, so it’s not like any other browser.

5. Don’t use a smartphone

As we mentioned earlier in “Restoring Privacy,” each “smart” device is a data collection tool for business entities (and their monitoring partners ).

Smartphones are particularly susceptible to browser fingerprinting. A research team in Cambridge published a paper focusing on how to use an internal sensor to fingerprint a smartphone – what the user can’t do.

The paper will delve into the technical details, but here is a brief overview of their findings:

  • You can launch an attack from any website you visit or any application you use on a vulnerable device without any express confirmation or consent.
  • The attack takes less than a second to generate a fingerprint.
  • This attack can generate a globally unique fingerprint for iOS devices.
  • The calibration fingerprint does not change even after a factory reset.
  • Attacks provide an effective way to track you as you browse across the web and move between apps on your phone.

Unfortunately, you can’t do anything with this attack – except get rid of your smartphone – you rely entirely on the company to solve software updates. Although Apple has apparently patched the attack vector with iOS 12.2, Google is still “investigating” the issue and has not fixed any problems.

If you are considering giving up “smart” phones, this study provides another reason.

Using VPN

While VPNs don’t protect you from browser fingerprinting, they are a very important privacy tool that hides your IP address, hides your location, and protects your data.

If you don’t use a good VPN, your Internet Service Provider can easily monitor all your online activities by recording your DNS request. In many countries, such as the UK and Australia, this is mandatory. Internet service providers in the United States can also monitor and record their users, and they can also sell this information to third parties (advertisers) since March 2017.

How does vpn work?
VPNs encrypt, protect and anonymize your Internet traffic while unlocking content from anywhere in the world.

If you don’t use a good VPN that can encrypt your internet connection and hide your IP address and location, then it can be a waste of time to protect yourself from browser fingerprinting with all the hassles.

The top three recommendations from the best VPN reports are ExpressVPN   (see three-month free coupon), NordVPN   ( 75% discount here ) and Perfect Privacy .

For those looking for a higher level of online anonymity, you can also use a multi-hop VPN that will encrypt your traffic across multiple servers (multi-hop) before exiting to the regular Internet. Two perfect privacy and ZorroVPN offer self-configuring multi-hop VPN configurations.

As mentioned above, combined VPNs also add extra privacy and security while distributing trust between different VPN providers.

Conclusion about browser fingerprinting

While browser fingerprinting seems to be a daunting problem for some people, it is relatively easy to reduce browser fingerprints. For those looking for the highest level of privacy and security, I recommend using a virtual machine or linking to a different VPN service.

As a general rule of thumb, after some modifications and configuration, Firefox is still an excellent all-around browser. The Secure Browser Guide also discusses various options, and Firefox Privacy Guide requires in-depth understanding of the adjustments, modifications, and extensions.

Another issue that needs to be considered in this guide is the use of a good ad blocker. Today’s ads are basically a tracking feature – they record your browsing habits, so you can go through a targeted ad. A good add-on is uBlock Origin , but there are also ad blocker articles and privacy tool guides. other suggestion.

Stay safe, secure and online private!

Leave a Reply

Your email address will not be published. Required fields are marked *