> One technique to protect against these attacks is browser fingerprinting. This method works by collecting data about a user's browser, which is then used to create a unique fingerprint for differentiating between genuine users and bots.
This seems like it can't work. 50% of users are browsing from an iPhone. Every iPhone of the same model has the same fingerprint except for time of day and language preference. So for every time zone there are literally hundreds of thousands of devices that will have the same fingerprint.
The EFF tool is provably false. For one, it doesn't get enough traffic, so it's not representative in any way, shape or form of a website that would use fingerprinting.
But it also doesn't pass the sniff test. It tells me I'm unique. One of 185k. Let's break down that number. I'm in the PST time zone. There are ~40 million people in the PST time zone. Divided by 185k is 216. They're basically claiming there are 216 iPhone 13 Pros in all of California + Oregon + Washington + British Columbia.
Bullshit!
It's basically fake news. The EFF should know better than to exaggerate with hyperbole. It might be true that almost no one visits https://coveryourtracks.eff.org/, but a site that actually gets traffic is also a site where it'd be closer to unique in 1 of 10.
That site doesn't generally have sufficient recent data, it's essentially saying device fingerprint is rare compared with data from older software versions.
EFF don't say they know who you are, rather how unique your device appears. This is a problem because if you appear very unique, if only one site knows your identity, everyone can potentially know it.
When you generate a report they tell you which bits of your device were unique. For an iPhone running the latest iOS there is nothing in that list that leaks a significant number of bits.
My point is they don't claim any of the bits are unique (all of the individual things are very common) and still somehow end up at an answer that is "unique".
The goal of fingerprinting in this case is not to uniquely identify users, but merely to differentiate real human users using an actual iPhone from bots that use an emulated iPhone.
This fingerprint suffices for that. They use small differences like the size of audio buffers, the exact capabilities of the GPU, etc.
Emulate any one of those slightly wrong and the fingerprint will differ and your bot will be revealed.
> They use small differences like the size of audio buffers.
Fun fact, on my laptop I can hear websites that use audio APIs for fingerprinting, because it causes the audio subsystem to wake up and the speakers make a small pop sound.
They may be referring to JA3 [0], which can be used to fingerprint the connection by examining the order of the ciphers sent by the client to the server during the TLS handshake. It isn't useful to detect that the user is browsing on an iPhone, but rather that the user agent says the user is using an iPhone while the JA3 gives it away as something else.
It can be defeated by the client sending a specific list of ciphers in a specific order during the TLS handshake, but in practice this can be difficult to do as it's typically implemented at a low level. Alternatively, a browser extension can also be used to defeat it, as the request runs through the browser's code in that case.
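Sketch of the JA3 check this comment describes (an added example, not the commenter's or the JA3 project's code): it builds the JA3 string from already-parsed ClientHello fields, drops GREASE values so the hash stays stable across connections, and flags a request whose User-Agent claims iPhone while the handshake fingerprint does not match the profile on file. The ClientHello field lists and the "known iPhone" profile are constructed stand-ins, not real measured values.

```python
import hashlib

# GREASE values (RFC 8701) are randomised per connection; JA3 drops them so the
# same client hashes identically on every handshake.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _join(values):
    """Hyphen-join the IANA numbers in the order the client sent them."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(hello):
    """JA3 string: version,ciphers,extensions,curves,point_formats."""
    return ",".join([str(hello["version"]), _join(hello["ciphers"]),
                     _join(hello["extensions"]), _join(hello["curves"]),
                     _join(hello["point_formats"])])


def ja3_hash(hello):
    """JA3 fingerprint is the MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()


# Constructed profile standing in for "what Safari on a current iPhone sends".
# A real deployment would collect this from known-good clients, not hard-code it.
IPHONE_SAFARI = {
    "version": 771,  # TLS 1.2 record version used by TLS 1.3 ClientHellos
    "ciphers": [0x0a0a, 4865, 4866, 4867, 49196, 49195, 49200, 49199],
    "extensions": [0x0a0a, 0, 23, 65281, 10, 11, 16, 5, 13, 18, 51, 45, 43, 27],
    "curves": [0x0a0a, 29, 23, 24, 25],
    "point_formats": [0],
}

# Constructed bot hello: same TLS version, but a different cipher/extension
# order, the kind of thing a scripted HTTP library sends regardless of its UA.
BOT_HELLO = {
    "version": 771,
    "ciphers": [4866, 4867, 4865, 49196, 49200, 49195, 49199],
    "extensions": [11, 10, 35, 22, 23, 13, 43, 45, 51],
    "curves": [29, 23, 30, 25, 24],
    "point_formats": [0, 1, 2],
}

KNOWN_PROFILES = {"iPhone": ja3_hash(IPHONE_SAFARI)}


def classify(user_agent, hello):
    """'consistent' if the UA's platform matches the JA3 on file, else 'mismatch'."""
    for platform, expected in KNOWN_PROFILES.items():
        if platform in user_agent:
            return "consistent" if ja3_hash(hello) == expected else "mismatch"
    return "unknown"
```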