How do you (reliably) resist fingerprinting?

What is the problem?
I am sure many of you already already know what fingerprinting is. If not, this article of the WaPo might be a good introduction.

Why is it important?
Because, if we are not able to reliably resist fingerprinting, neither anonymity nor privacy on the internet can be maintained. Indeed some companies (Google, Facebook, Cloudflare, Wix, Squarespace and, and many more…) have their pieces of codes on many websites. What would then prevent them to recognize us on the many websites we visit (by our fingerprint) and to even know our identity (because they fingerprint us as well when we’re logged in on their own sites)?

According to the WaPo, fingerprinting is simply standard practice for some industries:

I asked 30 of the most well-known to explain their behavior. (See below for a list.) Some claimed it was industry-standard to fingerprint.

Actually, we know for a fact that Facebook currently uses a very similar mechanism with apps on smartphones, where the fingerprint is the advertiserID and the “malicious” code come from their SDK (I’d love to provide the references but “Sorry, new users can only put 2 links in a post.” :upside_down_face:).
But I’m getting of topic since I’d like to keep this post centered on desktops & laptops.

So… How to resist fingerprinting with those 3 constraints?

  1. Having javascript enabled (because some websites simply do not work without javascript)

  2. Having ublock origin installed (because it can really be a pain to browse without an ad-blocker)

  3. Being able to browse full screen (because I would like to use my screen as a full screen and not like a tablet :wink:)

How do I know if I have succeeded?

  • I go on NothingPrivate
    • If there is already a name when I arrive on the website for the 1st time ==> Fine, my fingerprint is not unique!
    • Else ==> My fingerprint looks unique or, at least, pretty rare; I enter my name and come back some days later to see if it sticks or if it changes.
  • NB: I hear your (valid) objections:
    • The number of people checking there might be too small to draw conclusions.
    • There are other more elaborate fingerprinting techniques not used on that site.
      ==> I do agree but the point here is simply to have a first starting point. No need to try to fight “complex” techniques (thanks InfoSec Handbook for your pointer on the 15th of June “JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits”) if there is no solution to more “basic” ones.

Success and failures:

  • Windows 8.1 / javascript & ublock & full screen / Firefox with (among others) ublock, umatrix, privacy badger, https everywhere, decentraleyes, canvas blocker
    • My name sticks on NothingPrivate ==> Fail
    • NB: disabling all the addons gives the same outcome.
  • Windows 8.1 / javascript & ublock & full screen / Tor 9.0 (I know I’m not supposed to add an add-on and go full screen with Tor but the goal here is to resist fingerprinting with the 3 constraints here above)
    • My name sticks on NothingPrivate ==> fail
  • Tails (the version just before 4.0) without any changes (ublock is installed by default on that version of the Tor browser)
    • Somebody with the same fingerprint was already registered ==> success!
    • So this looks like a solution! But (1) using Tails for everyday browsing is inconvient and (2) it wasn’t even full screen.
  • Tails 4.0 without any changes (ublock is installed by default on that version of the Tor browser)
    • Fail (nobody was registered yet). But I guess it is simply because no Tails user has already been on NothingPrivate yet , since Tails 4.0 is fairly new.

TL;DR - How do you (reliably) resist fingerprinting with:

  • javascript enabled
  • ublock origin installed in your browser
  • full screen when browsing
  • without using Tails

This was a very looong post so… Thank you for your attention!

I think you have to distinguish between technical fingerprinting and behavioral fingerprinting. To achieve a better level of technical anonymity, you can use Tor Browser without customizing it.

However, while using Tor Browser, you will likely be somewhat unique due to your unique behavior. You go to certain websites, you use certain services, and you use the internet within a specified time.

The problem with services like NothingPrivate is they only look for some technical features and tell users about their “anonymity”. However, there are many more ways to track people even if you turn off JavaScript (as you wrote).

Then, nearly all of us do not only use web browsers to communicate with the internet. For instance, there is OS-level DNS/NTP, or apps on our phones. A very big company or a nation-level actor might be always able to track you remotely due to this “hidden” network traffic.

So for a better level of (technical) anonymity (and fingerprinting resistance), use Tor Browser without customization. Keep in mind that there is still other network traffic coming from your device, and your behavior on the internet is somewhat unique. (And don’t solely rely on services that tell you about your current “fingerprintability”.)

1 Like

Thanks for your input, InfoSec Handbook.
I take the opportunity to tell you that I discovered your site (https://infosec-handbook.eu) recently and that I really like its content.

Sure, but I was wondering if it was possible to resist technical fingerprinting with (1) javascript enabled + (2) ublock origin installed without using TailsOS, e.g. on Win8.1+ (3) full screen browsing.
Unfortunately, (2) and (3) means customizing the Tor browser. :frowning:

Sure, but my concern was more about technical fingerprinting. Because technical fingerprinting seems a prerequisite to anonymity.
Indeed, If I know who you are the moment you connect, I even don’t have to bother with behaviorally fingerprint you, do I?

Exactly. And if we cannot resist those “basic” technical features, there is no point focusing on more elaborate ones. Or do I miss something, here?

Is technical fingerprinting possible (on any browser e.g. Firefox) when javascript is turned off and cache is regularly cleared (to avoid things like “ETAG fingerprinting”)?
Let me be more specific: Let’s assume I go on a website with javascript turned off. If I clear my cache and go on the same website later, do you know any technical fingerprinting that websites could use to detect I am the same browser as a while ago?

Those are obviously important points to be taken into account! But the primary focus of my concerns in this post was:

  • technical fingerprinting resistance
  • against big companies (like Google, Facebook, etc. that can put their codes on many websites)
  • with (1) javascript enabled + (2) ublock origin installed without using TailsOS (where it UB is pre-installed) + (3) full screen browsing
  • on desktop/laptop computers only.

So, there is no way to browse anonymousle the internet if we let javascript enabled, have an ad-blocker like ublock origin installed and use our full screen to browse the internet?
I wouldn’t want to sound too melodramatic here but this looks like a major threat to the all of us: There would be no way to prevent Google, Facebook, etc. to know each and every page we visit?

Interesting points indeed but my goal here was not to rely solely on those services but to consider them as a basis to fight against fingerprinting. If we cannot resist to “simple” demo websites, I guess there is no point scratching our head to resist more elaborable techniques.

1 Like

It is a very nice discussion.

I would say it is extremely hard to resist technical fingerprinting this way. One example: Go to ip-check.info using the Tor Browser + JS enabled. You will see lots on information exposed to the website due to JS enabled.

Regarding uBlock Origin: This is basically an ad blocker with some additional blocking capabilities. Of course, you customize your Tor Browser if you install and use it. Then, there are many different ways to configure it which introduces more customization → a more unique fingerprint.

Yes and no. From the technical perspective, you could use a share internet connection/shared computer/shared web browser. So the behavior likely differs if the same device is used by different people. Of course, behavioral fingerprinting becomes more relevant when you resist technical fingerprinting.

It depends on how unique you appear based on the fingerprinting technique. For instance, your IP address can be very unique, your window size might be widespread. So some technical characteristics are not unique enough for good fingerprinting.

Assuming you mean the normal cache here (e.g., deleting cookies) AND you change your IP address, there are still ways to track you. For instance, Referer headers, HTML5 pings, NEL API, HSTS fingerprinting, GET parameters, or other APIs in your web browser that expose information about you and your device.

This setup will likely be somewhat unique.

You could block network traffic to Google and Facebook, however, their servers are extremely widespread nowadays. Then, there are other websites embedding their content. Or websites are hosted on servers provided by these companies.

I agree but the risk here is that “normal” non-technical people only look at such demo websites and start to believe that they are completely invisible on the internet since it is shown by these websites.

1 Like

Another interesting one that gives more detailed tracking parameter info is:

Not FOSS apparently, but has a companion academic paper.

Torbrowser appears very unique on my mobile with middle security setting, and no extra JavaScript allowed (with built-in noscript). On high security setting, it is a little less unique, but discourse sites like here won’t work until JavaScript is manually allowed.

At nothingprivate, nothing is displayed on high security mode (“Loading… please wait…” forever), until 2 sources of JavaScript are allowed; then it displays “An API error occurred! Please try again,” until a 3rd JavaScript source is allowed.

  1. nothingprivate, 2) cloudflare, 3) 000webhostapp.

You could block network traffic to Google and Facebook, however, their servers are extremely widespread nowadays. Then, there are other websites embedding their content. Or websites are hosted on servers provided by these companies.

Just try browsing with icecatmobile some time, and cloudfirewall. See how much blocking Google or amazon messes things up.

A user agent changer and referrer changer can also throw some random errors into the data. But track you, they will.

Happy you like it as much as I do! :slight_smile:
Let’s dig a bit further, then… (sorry for the delay!)

That’s precisely what I thought :frowning: but I was still hoping somebody here would prove me wrong.

Right, I didn’t take that case into account.

Actually, that’s the whole point!
I reinstalled Tor (default installation) to do some tests…
According to https://amiunique.org/ (which has about 2000 visits/day), in the last 90 days, less than 0.01% of the visiting browsers had the same fingerprint as I have.
Conclusion: Either very few Tor users bothered to go on AmIUnique in the last 90 days or I’m pretty unique, even using Tor’s default installation! :exploding_head:
NB: And my IP - when coming from Tor - is not very unique due to the limited number of exit nodes in the Tor network.

Jeez, this looks like a never ending story!! :worried:

That’s the whole point of this threat: how to be sure not to get fingerprinted while having a decent online experience (javascript enable / ublock origin / full screen browsing).
1st conclusion is that it looks very difficult (if not impossible).

This confirms my experiments: Tor is not a solution.
So, why not taking the problem the other way round:
Why not using a decent browser (e.g. firefox) and injecting false fingerprints?
E.g. the “canvas blocker” add-on generates random canvas fingerprints. Some other add-ons change the user-agent, etc.
The signature will certainly be each time unique… but ever changing!
Is that “the” solution?

How could it be possible - from a technical fingerprinting ONLY point of view - if the fingerprint always changes?

We tested Tor Browser on Android, and it seems to leak some information about your system. This can be the root cause of a more unique fingerprint.

Then, you need to change all fingerprint-relevant values.

Imagine you go to your favorite coffee shop every day. Each day, you arrive between 6 and 6:15 a.m., and leave between 6:30 and 6:45. Each day, you sit on the table in the middle of the room. Each day, you buy one single coffee and the same newspaper. And each day, you look the same (except for your clothing).
Now, you change your hair color. Does this prevent others from recognizing you? Unlikely. You change your time of arrival (7 a.m.), however, it is also unlikely that others can’t recognized anymore.
So you need to change much more to actually become another entity. Then, some people assume that wild, ever-changing values of your web browser make you even more unique. Besides, keep in mind that enabled JS nearly always renders such countermeasures useless (if someone uses JS for fingerprinting).

See above.

Love your coffee shop analogy!

Many things in this thread so far. So, let me recap:

  • We want to browse the web on a computer without being tracked.
    In this thread, we focus on the technical fingerprinting techniques only, even if InfoSecHandbook had nice inputs on behavioral fingerprinting.
    To be more specific, we say we want to browse the internet with (1) javascript enabled + (2) Ublock Origin installed + (3) full screen browsing to have a comfortable online experience (websites (1) don’t break & (2) don’t flood us with ads & (3) not too much scrolling)

  • Everyday life illustrations:
    As a matter of fact, we can get recognized day after day on Firefox:


    as well as on Tor:

    Those screenshots come from https://www.nothingprivate.ml/ but other fingerprinting test sites were mentioned in the thread here above

  • Prevention of fingerprints leaks is (very) difficult.
    As InfoSecHandbook summarized fingerprinting resistance when javascript is enabled:

And this does not even take into account additional technical fingerprinting techniques not related to javascript:

  • A different approach: messing with fingerprints
    Let’s put a bit of salt and pepper on our fingerprints (“canvas blocker” add-on / change user-agent for different connections / etc.) . Problem is: Looks like we need to do (much) more than add salt & pepper for a fish & chips meal to become unrecognizable. As InfoSecHandbook puts it:
  • The problem still remains

and moreover:

  • Conclusion so far:
    The (apparently simple) question remains: How do we browse the internet without being tracked?