Hacker News new | past | comments | ask | show | jobs | submit login

Leaking any kind of data is yet another data point for fingerprinting. You only need a few to uniquely identify a user.



I've yet to see a normally configured browser _not_ be uniquely identifiable many times over through fingerprinting.

At some point it feels like trying to drain the ocean with a cup. Maybe we just need to accept that anyone who really wants to fingerprint you _can_ fingerprint you unless you use a specialist browser.

At that point the solution is fairly obvious, make it legally difficult to use unique fingerprinting and move on (ie stuff like gdpr). People will still do it, but they'll have to balance it with not falling foul of the law and wont be able to abuse it too much.

We wont stop real world facial recognition by all trying to make our faces more similar either, we have to accept it's generally possible to do, but discourage the actual doing of it rather than trying to make it impossible.

(note in both cases, actually preventing it when you have a reason to is totally possible and valid, via specialist browser modes and physical masks respectively)


I just tried a clean FF profile with resistFingerprinting enabled. No dice. Everything adds only very few bits of identifying information (unlike my main profile which is already almost unique thanks to the accept header (English, then German)) yet it still results in 17.75 bits which according to EFF is unique.

I’m agreeing with you, though I wonder, is there any way to not be unique? What would you have to do? Use Windows with no extra fonts, Chrome in English, on a FullHD monitor with webgl/canvas/audio fingerprinting protection extensions?


I believe the only feasible way without bending over backwards is to use the Tor Browser. But privacy and security always come at a price.


Actually, resistFingerprinting + switching to the user-agent string tor uses gets me 99% of the way there. All that’s missing is the weird window size (vertical taskbar), if I could get that to report a default size, I’d actually be better than Tor (they have a bunch of responses slightly more unique than FF with resistFingerprinting).

But it’s academic for me anyway, I have Accept-Language en-US,en;q=0.7,de-DE;q=0.3 which is close enough to unique that nothing else really matters.


> All that’s missing is the weird window size (vertical taskbar)

TBB actually adds a border at the bottom of the browser so the reported size isn't the actual size. If you change the size of your browser window to the tor-reported size then it should work.

Unless I'm misunderstanding and you mean something to do with the scrollbar?


I think a HTML-only browser without support for CSS and JS might help.


How many people do you know run html only browsers? Not having CSS would be extremely uniquely identifying.


Disabling JS is enough to almost perfectly fingerprint you.


The EFF has a website that illustrates why that doesn't help:

https://coveryourtracks.eff.org/

Like siblings are saying, they use all available information to fingerprint you.

You can cover your identity only to the extent that you can display the same characteristics to the web server as the largest group of users that have all the same characteristics. This includes whether you have JS disabled as well as your IP address, User-Agent, display resolution, etc.


Yes and you probably “haven’t watched television in 20 years”.


> We wont stop real world facial recognition by all trying to make our faces more similar either

The normalization of mask wearing in public was a great step towards this. I really wish it had gone better. Alas!


Yeah. All that's needed is to leak link-local IPv6 address from a single interface. There's your unique commputer identifier, unless someone's using mac randomization.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: