SecureKongo

Level 4
Hey guys, for some time I've been looking for ways to make my browser fingerprint less unique, as a test site always tells me that it's still unique after all, no matter what I've tried so far. Do you have any tips? I'd also appreciate seeing your test results.

Website: Panopticlick

My current extensions are: Adguard, Privacy Badger, SmartHTTPS, Decentraleyes and Canvas Blocker. (Google Chrome)

Looking forward to your recommendations :)
 


monkeylove

Level 5
Changing browser config doesn't change anything if the browser wants telemetry data, but if the browser doesn't respect user settings in the UI, it's not very trustworthy. Normal telemetry also isn't bad.
Edge even respects configured Windows privacy settings and "copies" these to browser settings, which no other browser provides.

Yes, but I still can tweak what I want and don't want to share. Developers should let users decide what's "normal telemetry" and what isn't.

Cookie banners are mostly needed, as these (if implemented correctly) are opt-ins or (if wrongly implemented) opt-outs. Both need user confirmation and get saved in cookies, so you only get a problem with them if you clean cookies often, which just doesn't make sense. (Blocking 3rd-party cookies is still recommended!)

Newsletters aren't a problem. Just don't register your mail if you don't want them. Or use random/fake email accounts for that.

I never see any floating video annoyances. Examples?

Anti-adblock popups are gone if you don't block ads ;)
Sites need money or your data. If you don't allow either, they of course display such, and personally I find that legit.

Websites can also determine which stuff gets blocked

It doesn't matter whether they're needed or whether or not they'll go away if one responds. The point is that they're still annoyances.

For floating videos, there are many examples in sites that usually feature the news. They look like this:

 

Kubla

Level 8
Verified
You will know when it's working when you get greeted by Captchas, the site renders the wrong format, Spotify and streaming sites don't load and you can't buy anything or login to your banking account online. It's not worth the hassle. Privacy Possum is great at hiding fingerprints. So great, I uninstalled it because it's breaking too many sites that I need to navigate to and require fingerprinting for authentication. Spotify even sent me an email that they logged me out of everything because they didn't know who I was with Privacy Possum and VPN on (see pic). Google screams critical security alert on my Chromebook. Just beware 99% of the time, fingerprinting is used in your favor and by hiding it you don't become invisible, just more suspicious. It's like wearing a mask. Nobody knows who you are but now you stand out because you are the only one wearing a mask. lol

There is a quote out there and I don't know who said it but it was something along the lines of more privacy creates more inconvenience.

The same thing happens with the CyDec platform I mentioned earlier in this thread, it breaks sites out of the box however it allows you to set its fingerprint randomizing per site (Domain). I have maybe two dozen sites I frequent, news, tech, shopping etc... I have been able to set the fingerprint settings giving them only what they need to load and function correctly, except sites like banking and credit card sites those I have Cydec set to disable if I open one of them as they do use your fingerprint to verify who you are to protect you and them, everything else is fully spoofed.

I sandbox my browsers with Sandboxie so if I come across a site that will not load correctly I can change the domain setting in Cydec on the fly so it loads, once I shut down the those on the fly settings are gone so if I come across that site again doing a search I can decide what if any real data it gets again.

Now most of my browsing fingerprint is spoofed except for a couple of settings on specific sites.
 

Kubla

Level 8
Verified
Only a couple of sites that I frequent and have had to tweak the settings to work actually require the real user agent so at least that part is spoofed as well for the most part via CyDec.

I also use a VPN so there is that too.
 

monkeylove

Level 5
Users can't know that. Most users are blocking everything with telemetry in the name because they think that's spying.

Some can't and others can. In which case, provide for settings and let users decide. Those who don't know won't even bother with tweaking or looking at advanced settings.

That reminds me of Win 10: they remove more of that from education and enterprise versions. Why not make similar versions available for those of us who are more knowledgeable?
 

SecureKongo

Level 4
Spoofing the user agent doesn't provide any privacy advantage and can also be circumvented by reading the real user agent via browser API anyway. So if you change the one you can change, it makes you unique, as it's not the same as the one from the API (the original)

I forget the thread but someone built a test site for that
Found an interesting extension, but I'm not sure about what some of the settings do. Maybe you want to take a look at it? :)

 

security123

Level 27
Verified
Found an interesting extension, but I'm not sure about what some of the settings do. Maybe you want to take a look at it? :)

I don't use Firefox but this extension doesn't seem to spoof the data differently than others.
But if you want, you can try the many user agent test sites and report. Anyway, it's not even worth it, as the user agent is the last thing users should care about.
 

SecureKongo

Level 4
I don't use Firefox but this extension doesn't seem to spoof the data differently than others.
But if you want, you can try the many user agent test sites and report. Anyway, it's not even worth it, as the user agent is the last thing users should care about.
It has more options than just spoofing user agents. After all I wouldn't try that function, as it would break too many sites.
 

security123

Level 27
Verified
It has more options than just spoofing user agents.
You're right. Sorry, I didn't check that before.

The extension can:
Headers
  • Enable Do Not Track
  • Prevent Etag tracking
  • Spoof accept headers
  • Spoof X-Forwarded-For/Via IP
  • Disable referer
  • Modify referer policies

Options
  • Block media devices
  • Limit tab history
  • Protect keyboard fingerprint
  • Protect window.name
  • Spoof audio context
  • Spoof client rects
  • Spoof font fingerprint
  • Spoof screen size
  • Spoof timezone
  • Enable first party isolation
  • Enable resist fingerprinting
  • Prevent WebRTC leak.
  • Enable tracking protection
  • Block WebSockets
  • Modify cookie policy
  • about:config checklist to enhance your privacy

DNT can be configured in every browser UI.
Etag tracking: just clean your cache at browser exit
Spoof accept headers: this is dangerous and looks suspect/malicious on the server side, which can end in a ban/block
Spoof X-Forwarded-For/Via IP: just no. Does the dev even know what he's doing?
Disable referer: not possible as available APIs and JavaScript
Modify referer policies: already covered in above posts

Enable first party isolation: can be done manually in about:config but doesn't work, as Firefox lacks real sandboxing and also uses too much stuff from Tor Browser (the feature is from Tor Browser but not optimised for Firefox and never will be)
Enable tracking protection: Can be done at browser UI
Modify cookie policy: Can be done at browser UI
about:config checklist to enhance your privacy: Can be done manually but this extension also needs a lot of permissions:
This add-on needs to:
  • Display notifications to you
  • Access browser tabs
  • Access your data for all websites
This add-on may also ask to:
  • Read and modify privacy settings

So this isn't pro-privacy.
All other "options" are only related to Firefox and restrict or spoof APIs, which only ends in broken sites and uniqueness.
 

SecureKongo

Level 4
Thanks a lot, maybe not as promising as I thought. :LOL:
 

oldschool

Level 57
Verified
I'll re-post this from the link in my post #12 above FWIW, which applies specifically to Firefox but is still a valid argument re: Chromium. I've added italics for emphasis:

⚠ Anti-Fingerprinting Extensions... F&%K NO!
  • DON'T BOTHER to USE extension features to CHANGE any RFP protections
    • Exception: where you can whitelist a site for functionality and you know the risks
This is not about the merits of randomizing vs lowering entropy: this is about using the best options available. We support RFP (privacy.resistFingerprinting) as far superior (in the metrics it so far covers)
  • It is trivial to detect RFP and when you change a RFP metric, you lose your "herd immunity"
    • i.e.: you just added more entropy, very likely unique, compared to the already tiny group of RFP users
    • Ask yourself why Tor Project recommends you do not change Tor Browser settings and you do not install extensions
  • RFP is robust and vetted by experts (Mozilla, Tor Project, researchers)
  • RFP is an enforced set where all users should be[1] the same: i.e. uniform, in the same "buckets", or exhibiting the same behavior
    • [1] Don't fiddle with prefs unless you know what they do
  • Extensions aren't robust: either lacking APIs, or are poorly designed, or miss all methods, or it's snake oil (impossible)
    • e.g.: spoof OS? You can't (RFP can do what it likes as it's an enforced set of users)
    • e.g.: spoof user agent, timezone, locale, or language? navigator properties leak via workers and can leak via other methods such as window.open and iframes
    • e.g.: spoof screen? css leaks and matchmedia can leak
    • e.g.: spoof language/locale? Practically impossible, and if (that's a massive "if") it were perfect, then it's no different to setting that as your preferred website language in options
  • Extensions can often be detected
    • e.g. script injection and function names
    • e.g. if not uniquely, then by their behavior and characteristic patterns
    • note: RFP doesn't care if it can be detected, because all users are the "same"
If you don't use RFP, then you're on your own. And don't rely on entropy figures from test sites. The datasets are not real world, very small, and tainted by both the type of visitors, and by their constant tweaking and re-visits which further poison the results and artificially inflate rare results: e.g. on Panopticlick [May 2020]
  • e.g.: why are 1 in 6.25 (16%) results returning a white canvas (which is statistically only an RFP solution), and 1 in 6.16 (16%) returning a Firefox 68 Windows user agent, and yet Firefox (and Tor Browser) only comprise approx 5% worldwide, in total - actual ESR68 users on Windows, and actual RFP users would both be a tiny fraction of that
  • e.g.: why are 1 in 1.85 (54%) results returning no plugins, when chrome (at 67% market share) and others by default reveal plugin data
  • remember: very, very, very few users use anti-fingerprinting measures
It takes large real world studies to get the number of results per metric, and it takes a controlled one (one result per browser) to get the distribution in order to get reliable entropy figures. Don't believe the BS.
 
Last edited:
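
An added illustration of the consistency argument in the post above, and of the earlier remark that a spoofed user agent can be compared against the one the browser API reports (example code, not from this thread or the linked wiki): the same metric is read in several contexts and any disagreement is reported. The function name `findSpoofingLeaks`, the context names and every sample value are assumptions constructed for the example.

```javascript
// Added example. Every value below is constructed, not measured.
const UA_REAL = "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0";
const UA_SPOOFED = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0";

// Metrics the post names as leaking through workers, iframes and matchMedia.
const METRICS = ["userAgent", "language", "timezone", "screenWidth"];

// observations: { contextName: { metric: value, ... }, ... }
// Returns one entry per metric whose value is not identical in every
// context that exposes it, listing which contexts reported which value.
function findSpoofingLeaks(observations) {
  const leaks = [];
  for (const metric of METRICS) {
    const byValue = new Map(); // value -> contexts that reported it
    for (const [context, values] of Object.entries(observations)) {
      if (!(metric in values)) continue; // context does not expose this metric
      const key = String(values[metric]);
      if (!byValue.has(key)) byValue.set(key, []);
      byValue.get(key).push(context);
    }
    if (byValue.size > 1) {
      leaks.push({ metric, values: Object.fromEntries(byValue) });
    }
  }
  return leaks;
}

// Constructed case 1: an extension rewrites the header and the main window,
// but workers, iframes and CSS media queries still see the real values.
const extensionSpoof = {
  httpHeader: { userAgent: UA_SPOOFED, language: "en-US" },
  mainWindow: { userAgent: UA_SPOOFED, language: "en-US", timezone: "UTC", screenWidth: 1366 },
  worker: { userAgent: UA_REAL, language: "de-DE", timezone: "Europe/Berlin" },
  iframe: { userAgent: UA_REAL, language: "de-DE", timezone: "Europe/Berlin" },
  matchMedia: { screenWidth: 1920 },
};

// Constructed case 2: a browser-enforced set, where every context agrees.
const enforcedSet = {
  httpHeader: { userAgent: UA_SPOOFED, language: "en-US" },
  mainWindow: { userAgent: UA_SPOOFED, language: "en-US", timezone: "UTC", screenWidth: 1366 },
  worker: { userAgent: UA_SPOOFED, language: "en-US", timezone: "UTC" },
  iframe: { userAgent: UA_SPOOFED, language: "en-US", timezone: "UTC" },
  matchMedia: { screenWidth: 1366 },
};

console.log(JSON.stringify(findSpoofingLeaks(extensionSpoof), null, 2));
console.log(findSpoofingLeaks(enforcedSet)); // no disagreement between contexts
```

Each reported metric is an extra distinguishing signal on top of the spoofed value itself, which is why a partial spoof can leave a browser more identifiable than an unmodified one.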

SecureKongo

Level 4
Very helpful, so do you have fingerprint protection disabled in Brave, or does the article really just refer to anti-fingerprint extensions?
 

oldschool

Level 57
Verified
do you have fingerprint protection disabled in Brave
No. I have it enabled since it's a function of the browser itself.
does the article really just refer to anti-fingerprint extensions?
It refers to built-in features like Firefox's Resist Fingerprinting but I believe it's generally relevant to Brave or ungoogled Chromium since these have their own built-in fingerprinting protection feature as well.

It also refers to extensions for the reasons outlined.
 

Kubla

Level 8
Verified
Extensions aren't robust: either lacking APIs, or are poorly designed, or miss all methods, or it's snake oil (impossible)
  • e.g.: spoof OS? You can't (RFP can do what it likes as it's an enforced set of users)
  • e.g.: spoof user agent, timezone, locale, or language? navigator properties leak via workers and can leak via other methods such as window.open and iframes
  • e.g.: spoof screen? css leaks and matchmedia can leak
  • e.g.: spoof language/locale? Practically impossible, and if (that's a massive "if") it were perfect, then it's no different to setting that as your preferred website language in options

Unless it spoofs everything like the CyDec one I mentioned earlier in this thread and works, if for example I don't have language and geolocation turned off for my search engine I get results in foreign languages depending on what it was changed to.

CyDec 2.jpg

No, it is not perfect, and granted it is still going to leak on specific sites I tweaked to have full functionality, like my search engine, by shutting off a couple of the parameters. The way I figure it, having a fingerprint that is not unique is impossible unless you have everyone that browses the internet spoof the exact same fingerprint, so you might as well make it as difficult as possible for those that want to track you to track you.

What would be smart is if a browser developer like for the Brave browser were to implement a generic fingerprint in its browser making it appear that everyone using the browser was the same person then we would not need to spoof or worry about being tracked via our browser fingerprint.
 
