I recently saw a post about fingerprintjs, which attempted to fingerprint using JavaScript. As the user who made the post pointed out, it wasn't very effective and could be dealt with by using some basic measures he and others described.
However, the same developers of fingerprintjs later released a demo of another tool -noscriptfingerprint- which does not use cookies, JS or IPs and it is extremely effective. I did some basic tests and was hoping others could do them as well so we could compare and discuss our results and ways to deal with this. Here is what I found:
Test 1: I used 2 Samsung Galaxys, same exact model, same browser and same browser settings. JS and cookies disabled, different IPs, browser hardened to the extent the GUI options enabled it. Both phones received different fingerprints which remained constant throughout different visits to the aforementioned website. I eventually found out that the difference was the dark/light mode of the phones, which was different; when I changed it to be the same, the fingerprint also became the same.
Test 2: This one is more concerning. I tested Tor Browser (only change I made was setting it to safest) on both an Intel-based Mac and on Fedora and the fingerprints were different and constant to each device (as in they remained the same upon browser restart). They are able to differentiate Firefox on Mac vs Firefox on other platforms so that was how they fingerprinted me. This is extremely concerning, I wonder if other Macs with different hardware would provide the same fingerprint or not. Based on the parameters they use, probably not.
Test 3: I then used a Qubes machine, Tor Browser on an anon-whonix dispvm, and compared the fingerprint I got with the one from my Fedora machine and they were different, despite using Tor Browser on both of them and only having changed the security level to safest. The Qubes machine and the Fedora machine are quite different in terms of hardware so maybe that was it. Regardless, this was not at all the expected behavior and is very worrisome, the fingerprint should be the same in all instances of Tor Browser.
It would be great if others could test different machines running Tor so we can better understand this. Perhaps we should post the fingerprints we get.
It seems indeed to be slightly related but does not explain everything. I asked a friend to do tests similar to the ones I did and the results were similarly concerning. Perhaps someone more knowledgeable than us regarding browser fingerprinting/TorBrowser will come along.
I have done further testing and I determined the following:
When it comes to distinguishing Tor Browser users on Mac vs Tor Browser users on Linux, they are probably doing it through a "hack" that allows them to differentiate Firefox on Mac vs Firefox on other platforms. Hence the different fingerprints.
When it comes to distinguishing Tor Browser users on Linux distros, be it qubes-whonix, Fedora, etc., it seems they are not capable of distinguishing based on the distro being used but on the screen height, which was the only value that was different. It just so happened that my Fedora machine and my Qubes machine had different screens/monitors and thus generated different fingerprints. Screens with different sizes produce different fingerprints; you do not need to maximize the window for that to happen either, as it happens even if you leave the window on the default size.
All in all, Tor Browser users as a whole will be in a significantly smaller pool now. While this vector alone is not enough to deanonymize Tor Browser users, it reduces the ability of Tor Browser to protect users, given that that ability depends on the number of users appearing the same to potential adversaries. Users with less common screen sizes, be it very big or very small, will be particularly affected by this. Again, this happens even with Tor Browser on safest mode.
It's only relevant that it's different the next time you visit a website.
jshelter [1] is one of the addons that claims to do just that. I haven't tested it yet though.
canvasblocker [2] is another. A diff which one "firewalls" which Javascript API can be found at [3] (German). Using both at the same time apparently requires some special configuration.
JShelter and CanvasBlocker don't work on CSS-based fingerprinting.
They use CSS to test specific features, like screen size, available fonts, pointers, color, browser specific CSS settings, etc.
I don't think you can prevent anyone from doing this without breaking the browser. The Tor Browser project is very clear about their goal of not breaking the browser in an attempt to secure it.
At least [1] states that it isn't:
"Currently, this method is not scalable as it requires over 1MB of CSS downloads and hundreds of requests per user. However, with the next upcoming draft of the CSS specification, CSS Values 4, it may dramatically shrink the number of requests per user by allowing the use of custom variables in URLs."
Anyway that method is pretty easy to block by just denying CSS background image requests for websites that use such a technique. Or just block all externally loaded additional CSS content and live with minor inconveniences on some sites. Or block only when there's more than X such requests. Or or…
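The "block only when there's more than X such requests" idea from the post above, sketched as an added example (not code from the thread or from any extension named in it): a stylesheet scanner that counts `url()` fetches gated behind `@media` conditions and reports which media features they probe. The function names, the threshold of 20 and the sample CSS are assumptions made for illustration.

```python
import re
from collections import Counter

URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
MEDIA_RE = re.compile(r"@media\s+([^{]+)\{", re.I)
FEATURE_RE = re.compile(r"\(\s*([a-z-]+)\s*:")

def media_blocks(css):
    """Yield (condition, body) for each @media block, matching braces by depth."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # drop comments first
    pos = 0
    while (m := MEDIA_RE.search(css, pos)):
        depth, i = 1, m.end()
        while i < len(css) and depth:
            depth += {"{": 1, "}": -1}.get(css[i], 0)
            i += 1
        yield m.group(1).strip().lower(), css[m.end():i - 1]
        pos = i

def conditional_fetches(css):
    """(condition, url) for every url() that is only requested if a media query matches."""
    return [(c, u) for c, body in media_blocks(css) for u in URL_RE.findall(body)]

def probed_features(css):
    """Count conditional fetches per media feature (height, prefers-color-scheme, ...)."""
    return Counter(f for c, _ in conditional_fetches(css) for f in FEATURE_RE.findall(c))

def looks_like_css_probe(css, max_requests=20):
    """max_requests is the 'X' from the post; 20 is an arbitrary assumption."""
    return len(conditional_fetches(css)) > max_requests

# Constructed sample: 30 height probes and one dark-mode probe, plus ordinary rules.
SAMPLE = "\n".join(
    "@media (height: %dpx) { body { background: url('/probe?h=%d') } }" % (h, h)
    for h in range(600, 630)
) + """
@media (prefers-color-scheme: dark) { div { background-image: url("/probe?dark=1"); } }
@media print { .nav { display: none } }
.logo { background: url(/static/logo.png) }
"""
# Constructed benign stylesheet: one responsive image, well under the threshold.
BENIGN = "@media (max-width: 600px) { .hero { background: url(/img/small.png) } }"

if __name__ == "__main__":
    print(probed_features(SAMPLE), looks_like_css_probe(SAMPLE), looks_like_css_probe(BENIGN))
```

The count is of rules that could trigger a request, not of requests actually sent, so a responsive site with a handful of conditional images stays below the threshold while a per-pixel height sweep does not.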
Secondly, your fingerprint is indeed the same when you revisit the website again, so it is a moot point regardless.
Thirdly, TBB follows a uniformization or sameness approach, so getting a different fingerprint every time is the opposite of what they set out to do.
Lastly, those addons do not prevent the type of fingerprinting I described and linked to, as the extensions focus on fingerprinting that uses JavaScript. Also, CSS fingerprinting is much more common nowadays and quite easy to use and hard to prevent. They also use more than just CSS to fingerprint you, so even if you block all CSS, JS and cookies with something like umatrix, that is no longer supported anyway, they would still be able to fingerprint you. Especially if you use a browser other than TBB.
Did you find a website that uses CSS fingerprinting and/or where's that demo you mentioned hosted?
That would make analysis of the used technique possible.
Their github repo [1] doesn't mention CSS-based fingerprinting. The demo [2] doesn't even work without Javascript.
So I'm still sceptical wrt the scale of CSS-based fingerprinting as of today.
And well, possibly I disagree with the Tor Browser uniformity strategy, but that's another topic.
There are many whitepapers that discuss the usage of CSS as a fingerprinting tool. Torproject and jondonym also have some articles on the topic on their respective websites. And you can be certain that if there are public tools/demos that show how CSS can easily be used to fingerprint you, most big/top websites will be using it already. There are companies that openly sell such tracking technology. Also, disable cookies and even use all those extensions you mentioned and then search noscriptfingerprint, you will see the fingerprint remains the same.
I can confirm it works rather well against Qubes, but the demo is also way too broad (screen size + installed fonts + some other settings) to be used precisely against millions of users.
I can also build a simple script that uses your display language and will show some ID for that and you'll be scared that I can always recognize you when in fact you're one of thousands to me.
Yes, it's an issue, but I still doubt it's prevalent at the moment and I bet it'll be fixed sooner or later.
In the meantime feel free to use different browsers and VM templates as mitigation.
If used on very popular sites with millions of users it will not be very effective as it will lead to many false positives. However, on websites with a small number of visitors, users, especially those with unusually large or small monitors, might be more effectively fingerprinted, especially if additional vectors of fingerprinting are used.
I believe it is easy to solve, given that if you use umatrix, with some tweaks, they stop being able to determine your screen height and width, which was the only setting that allowed them to differentiate TBB users on safest settings. I seriously doubt Tor project will do anything about this unless someone tells them.
Hi all, I'm a little late to this conversation, and I'm not an expert in browser fingerprinting, but with regards to @joaanaa's concern here (and @tanky0u's as well):
Regardless, this was not at all the expected behavior and is very worrisome, the fingerprint should be the same in all instances of Tor Browser.
I don't want to speculate on your test #3, but since you mentioned different hardware, whether or not the underlying CPU architecture is disclosed (for web compatibility reasons) is something that TB and Mozilla both have discussion on, and there are other factors, such as whether or not you had the same Tor Browser version on both devices, etc.