“Your browser fingerprint appears to be unique among the 5,198,585 tested so far”. What?! 2015-04-11

While https://panopticlick.eff.org/ is not really new, I learned about that site only recently.
And while I knew that browser self-identification would reduce my anonymity on the Internet, I didn’t expect this result:

Your browser fingerprint appears to be unique among the 5,198,585 tested so far.

Wow. Why? Let’s try one of the others browsers I use. “Appears to be unique”, again (where Flash is enabled).

What’s so unique about my setup? The two reports say about my setup:

Characteristic One in x browsers have this value
Browser Firefox
36.0.1
Google Chrome
42.0.2311.68
Chromium
41.0.2272.76
User Agent 2,030.70 472,599.36 16,576.56
HTTP_ACCEPT Headers 12.66 5477.97 5,477.97
Browser Plugin Details 577,620.56 259,929.65 7,351.75
Time Zone 6.51 6.51 6.51
Screen Size and Color Depth 13.72 13.72 13.72
System Fonts 5,198,585.00 5,198,585.00 5.10
(Flash and Java disabled)
Are Cookies Enabled? 1.35 1.35 1.35
Limited supercookie test 1.83 1.83 1.83

User agent and browser plug-ins hurt, fonts alone kill me altogether. Ouch.

Update:

  • It’s the very same when browsing with an incognito window. Re-reading, what that feature is officially intended to do (being incognito to your own history), that stops being a surprise.
  • Chromium (with Flash/Java disabled) added

Thoughts on fixing this issue:

I’m not sure about how I want to fix this myself. Faking popular values (in a popular combination to not fire back) could work using a local proxy, a browser patch, a browser plug-in maybe. Obtaining true popular value combinations is another question. Fake values can reduce the quality of the content I am presented, e.g. I would not fake my screen resolution or be sure to not deviate by much, probably.

7 Comments
non7top April 11th, 2015

Adblock plus
BetterPrivacy
CanvasBlocker
Certificate Patrol
Dephormation
Disconnect
DNSSEC/TLSA validator
Google search fix link
Disable webrtc
Np google analytics
Referrer control
Right to click

All plugins disable except flash. All social blocked, all google blocked. Hope this helps a bit to keep my privacy.

Cynyr April 11th, 2015

if it makes you feel better i get “Your browser fingerprint appears to be unique among the 5,206,398 tested so far.” so i’m doing worse than you.

It is the system fonts that are identifying me as well.

What it really looks like is we need to convince chrome upstream to only report two or 3 common fonts regardless if additional fonts are available. My list has Serif, sans, and fixed in it. Seems like that would be enough to make everything work, while also not leaking my “identity”.

Diego Elio Pettenò April 12th, 2015

LOL I love how people get the complete wrong impression with Panopticlick.

Faking your User-Agent will not help you a single bit — if anything, it’ll make it *more* unique, because a request that is coming from Firefox but reporting itself as Chrome is very easy to tell a part from a real Chrome request (that’s what my own antispam system is based on!)

And installing a bunch of extensions for “privacy” also do more harm than anything since there are techniques that Panopticlick does *not* use that can detect them and provide even more entropy.

The only valid option would be to get Chrome to stop providing the full build number in the User-Agent, that would make it much more common to avoid this kind of detection. On the other hand, since Chrome builds change so often, the uniqueness and entropy are very ephemeral, and Panopticlick can only give you figures for what it has seen up to now, not what is available in the long run.

See https://blog.flameeyes.eu/tag/useragent for some of the references.

But yeah the summary I can give is “LOL, terrible suggestions in these comments.”

sping April 12th, 2015

I think that’s a bit quick for a conclusion.

I didn’t say I’d fake Chrome to be Firefox. Faking to be a more wide-spread version of the same browser may work. I’m aware that HTTP header order is revealing the used browser with probability X too so that would be detectable right away. That’s why same browser product.

The detectability of plug-in X is related to (1) the approaches it is taking and (2) if you get to suppress/modify the list of plug-ins revealed by the browser. You have to get (2) anyway, so only (1) remains for that plug-in to be detectable.

Spazrock April 12th, 2015

http://ip-check.info/?lang=en lets you know that no matter what user-agent you pertain to be, your browser still has a signature that probably can’t be changed.

N.N. April 14th, 2015

5/8 fingerprinting methods on that site depend on javascript. Simply disable it and you will get *much* better results.

Since about two years ago, I have viewed javascript the same as Java, Flash and Windows, in that using them pretty much nullifies any effort you put towards securing your machine and your privacy.

My /conservative/ estimate is that there is a >90% probability that zero-days exist for (JS engines of) all major browsers. We also know about systems like quantum and the great cannon [0]. This means that you can potentially be owned any time you connect to any (non-HTTPS) website using JS. Most state-level (and many other) actors are in the position to get a valid fake certificate, so even HTTPS does not help much.

Just say no to JS (and, well, ignore the parts of the web that stop working beause of that). And remember that when the US, not China, decides to build its own botnet, they will use Google instead of Baidu.

[0] https://citizenlab.org/2015/04/chinas-great-cannon/

Merete April 19th, 2015

Fluxfonts can help you in the font uniqueness area by changing the fontstack a few times every hour.

Leave a Reply

You must be logged in to post a comment.