I'm a member of an extremely large forum since many years. People come there to discuss anything from IT problems to relationships, politics or gardening. A large proportion of the population in my country has an account. In a country with somewhat restrictive media situation and stifled public debate this forum fills a very important function. The backside is they also have a lot of intimate personal data on people. The site swears that everyone is anonymous, they'd never share data with anyone. Recently I become aware that this site can somehow fingerprint and uniquely identify users and I'm interested in finding out how they do it. I have excluded the following possibilities; -IP address -Cookies, including DOM cookies and Flash cookies. That leaves in my opinion only some form of scan to check unique features of the machine - but how is that done? Am I right to think it's a Javascript? Or are there other options? How can I look at this javascript? Or is anyone willing to have a try and simply tell me? I can provide address and a login details if that would help.
1. The site swears that everyone is anonymous, they'd never share data with anyone. They may swear or do what they want - they may not share, but who wants, can see everything, even if the data is encrypted. Recommended to remember this for ever. 2. javascript is only one method to write some commands for run programs, and it could not be to blame in any way whatsoever, or where ever.
Javascript is crap, user can disable this. see:http://browserspy.dk PHP Script on Server is the right way.
There is a Firefox plugin You can use to fake fingerprinting - Random Agent Spoofer it changes all the data been used to create fingerprints each time You start the Browser works fine, I use for years now
Great tip, I've installed it. But I'm beginning to wonder if it's even possible to have privacy on Micro$oft at all! Somebody elsewhere commented:
In the cmd window Type wmic product get Wait a while There you will see your PC Global Unique Identifiers GUID
open cmd (as admin): Reading properties of the network card: wmic nicconfig where index=1 get /value wmic nic get index,name Show BIOS Info: wmic bios list full or Copy BIOS Info to clipboard: wmic /output:clipboard bios list full
Static HTTP requests and AJAX I guess...to collect info best until it is recognized as a unique machine. The more common the info is the more anonymous you are. Common not random! HTTP_ACCEPT_HEADER/Useragent/timezone/screenresolution/fonts/browserplugins... We here at MDL do not care about that, though. We respect privacy. We log IP address only... Try here and you'll know: (they read not all what's possible) If you get as result you're unique, you have to fake/make general more IDs... https://panopticlick.eff.org/
Fingerprint detection pages (also ssl and other browser based tests): https://panopticlick.eff.org/ http://www.filldisk.com/ https://www.ssllabs.com/ssltest/viewMyClient.html http://samy.pl/evercookie/ https://www.mozilla.org/en-US/plugincheck/ https://people.mozilla.org/~tvyas/mixedcontent.html https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm http://mozilla.github.io/webrtc-landing/ https://www.adobe.com/software/flash/about/ https://www.java.com/en/download/installed.jsp http://ip-check.info/?lang=en http://cure53.de/leak/onion.php http://thehackerblog.com/addon_scanner/ http://www.computec.ch/projekte/browserrecon/ https://robnyman.github.io/battery/ https://pstadler.sh/battery.js/ https://rc4.io/ https://www.google.com/transparencyreport/https/ct/ http://html5test.com/ https://crt.sh/ & others. The thing is a) WebRTC was designed to be new and it offers a lot of security features compared to other protocols, BUT since it's new it may suffers from several implementation problems pr logical failures which not need to be fixed within browser more like in protocol (if possible) to not abuse these in name of evil. b) Hiding everything breaks the protocol mostly or lowers the surf fun (I tried that) c) Thinking to be secure just because you use NoScript, HTTPSE. or uMatrix is false sense of security because there exist attacks which bypass this, e.g. if you locally execute stuff which then want's to connect to web, a firewall may does help here more. d) To bypass all of this just use a faked certificate, then mostly they bypass it and you need again other tools or firewall settings to filter https. If you use other tools like AdGuard you must trust then their certificates. e) There is no real opt-out, because each application on your system or extension may have it's own GUID or other identification which is detectable, again a firewall may help to just stop the communication, even MS own firewall is mostly in 90% enough.
(for a better understanding in your 'favo' language) Yen, diese Admins machen alle immer wieder die gleichen Fehler. Wenn im User Browser Javascript deaktiviert ist, alles nutzlos. Wie du hier mal wieder sehen kannst ... (ohne js im Browser) startet das JavaScript gar nicht, wie soll es auch ....
It's not correct that if you disable JavaScript you're be automatically more secure, together with the fact that if you disable it you lower the surf fun dramatically, this is also the reason why it's not default disabled by Tor Browser Bundle (it gets disabled if you slide the tor button to max settings). There are also other techniques, as already mentioned Canvas (HTML5), cookies, supercookies and a lot of more which could theoretically compromise you. It's also a no-go to disable everything since that (again) simply breaks everything, even MDL need e.g. Google Ajax script for e.g. the thanks/like button, it's due implementation. You should also not forget that just because it's might somehow possible to track, that not means automatically you will be tracked, it's up to the webmaster and how often the page get's updated, if it's compromised with malware advertisements and many more factors. I'm not really a test of these mentioned test-pages because they need most stuff enabled and this (if you work with a whitelist) like NoScript e.g. offers not really shows that you're vulnerable, in fact you allow e.g. Panopticlick to trakc you because you visit the page + enabled javascript + then clicked the button which clearly showed that you get scanned - of course that is just an example what someone may can implement in his HP but again working with a whitelist + keep up2date is mostly enough, just do the fact Mozilla and others fighting for more privacy, we also got an integrated list (e.g. Mozilla use disconnect + google safe browsing list) to block already well known and reported pages by default. If you're a Mozilla fan and care about privacy you may want to visit a small project I contribute to - the user.js project. I explained in most issue tickets how it works, which attack surface exist and you can of course use the file to harden the settings.
CHEF is right. You need functions like AJAX to have all the comforts of the site. For instance perview of member list (recipient PM/search).... NoScript makes only sense when defining whitelists of trusted sites... Also fingerprinting a device does not mean fingerprinting a person.
Yen last word to it ... Yen, das wirkliche Problem (Unsicherheit) besteht dann wenn ich mich in eine Website/Forum einloggen kann ohne Javascript und du aber dieses hier im Forum nutzt, denk mal darüber nach ... Das ist hier ('bei dir') der Fall. Ich will das nicht weiter ausführen ... Ich denke du hast verstanden was ich meine. Eng: Yen, the real problem (uncertainty) exists when I can login into a website/forum without JavaScript, but you are using it at the forums...think about it, it is a fact here I don't want to elaborate on this further ....I guess you know what I mean
English, please. (I am adding a translation to your post)... No, sorry. Neither AJAX nor JS nor php are 'bad/good'...it are just 'languages'... It is ALWAYS a question of trust.
Another test site with a recommendations, how to fix it. https://whoer.net I did not even know about WebRTC, so I installed https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml?hl=en
You not need any WebRTC addon anymore, that hole is now closed. As mentioned because it could be used not means every page automatically compromise you and your security setup. Firefox solved it - you can disable entirely WebRTC and with FF 46 it also get's an option just for more control over certain stuff. If you're on Chrome you can compile without Webrrtc flag, or better consider to use Chromium + nosync version because that not comes with WebRTC. You're wrong if you say php is an answer, we not talking only about site specific fingerprinting, we also need to talk about metadata and this is protocol wise fingerprinting. Like IP, geo location (huge topic now in germany), and in general OSI layer based fingerprints. E.g. if you use a tagged photo you can be possible geo located, or if you use HTMl5 storage [dom storage] and to entirely disable everything breaks a lot of stuff, e.g. if you disable DOM Storage Mega and his plugin will not work (because key is in this section stored). So, again there is no real solution without breaking stuff. Since I not use any plugins anymore I dropped NoScript and replaced it with uMatrix because the benefits from NoScript are more to protect plugins and is more comfortable, this then gives you white-/blacklist ability, but as mentioned even if you work with whitelist it not protects you agains all types of fingerprints. Tor is maybe an 'solution' a lot of people saying it's insecure which is imho wrong, it's the only option I see for now, because it uses the same ID for each session and user, which means that the fingerprint you leave is useless for the page because everyone gets the same. The problem is that if you try to tweak your Browser like this and change certain configuration you make you more unique and this may more attractive to tracking companies - this is why I always prefer Tor. I not say it's perfect there are protocol based issue and fingerprinting too, but it's far more designed to protect you, especially for beginners it's a lot of easier as working with uMatrix/NoScript if you visit a lot of different pages and not exactly know which you can trust. You should also not forget that if you leave small footprints in the sand it not cares much as driving with a car trough the sand - with this analogy I want so say that you should not get in panic if xyz page may detects something. There is a huge different between get a result or get a result and you know which one behind did it. An example is that e.g. some pages detect font's, in general they come pre-installed with every OS. So you not need to worry much about, just because it tells you that there is may be an exploit (which was closed btw in several OS and Office versions). It's a difference to bring all the peaces together you reveal your identity. From what I know both Firefox and Chrome constantly try to improve there security without breaking much, but we are hitting the possibility, again it needs to be fixed in the protocols, not php, not java, if the protocols are secure on OSI layer, then it doesn't matter what OS/Browser you use since the page would only see encrypted garbage - but this is not very easy possible, metadata are one huge problem because if you would truly 'invisible' then how you ban trolls/terrorist from internet/pages? That's the main problem, I not found any solution yet and possible there will be no .... So this topic is huge and difficult, there exist no protocol, plugin or addon to hide you or your fingerprints. There are suggestions/recommendations on my linked pages to lower the attack surface but there exist still some problems.