Advanced Browser Fingerprinting

I recently saw a post about fingerprintjs, which attempted to fingerprint using JavaScript. As the user who made the post pointed out, it wasn't very effective and could be dealt with by using some basic measures he and others described.

However, the same developers of fingerprintjs later released a demo of another tool -noscriptfingerprint- which does not use cookies, JS or IPs, and it is extremely effective. I did some basic tests and was hoping others could do them as well so we could compare and discuss our results and ways to deal with this. Here is what I found:

Test 1: I used 2 Samsung Galaxys, same exact model, same browser and same browser settings. JS and cookies disabled, different IPs, browser hardened to the extent the GUI options enabled it. Both phones received different fingerprints which remained constant throughout different visits to the aforementioned website. I eventually found out that the difference was the dark/light mode of the phones, which was different; when I changed it to be the same, the fingerprint also became the same.

Test 2: This one is more concerning. I tested Tor Browser (the only change I made was setting it to safest) on both an Intel-based Mac and on Fedora, and the fingerprints were different and constant to each device (as in they remained the same upon browser restart). They are able to differentiate Firefox on Mac vs Firefox on other platforms, so that was how they fingerprinted me. This is extremely concerning; I wonder if other Macs with different hardware would provide the same fingerprint or not. Based on the parameters they use, probably not.

Test 3: I then used a Qubes machine, Tor Browser on an anon-whonix dispvm, and compared the fingerprint I got with the one from my Fedora machine, and they were different, despite using Tor Browser on both of them and only having changed the security level to safest. The Qubes machine and the Fedora machine are quite different in terms of hardware, so maybe that was it. Regardless, this was not at all the expected behavior and is very worrisome; the fingerprint should be the same in all instances of Tor Browser.

It would be great if others could test different machines running Tor so we can better understand this. Perhaps we should post the fingerprints we get.

2 Likes

The ability to distinguish the Tor Browsers running on QubesOS/Fedora/MacOS is concerning.

Probably slightly related:

It seems indeed to be slightly related but does not explain everything. I asked a friend to do tests similar to the ones I did and the results were similarly concerning. Perhaps someone more knowledgeable than us regarding browser fingerprinting/TorBrowser will come along.

I have done further testing and I determined the following:

When it comes to distinguishing Tor Browser users on Mac vs Tor Browser users on Linux, they are probably doing it through a ‘hack’ that allows them to differentiate Firefox on Mac vs Firefox on other platforms. Hence the different fingerprints.

When it comes to distinguishing Tor Browser users on Linux distros, be it qubes-whonix, Fedora, etc., it seems they are not capable of distinguishing based on the distro being used but on the screen height, which was the only value that was different. It just so happened that my Fedora machine and my Qubes machine had different screens/monitors and thus generated different fingerprints. Screens with different sizes produce different fingerprints; you do not need to maximize the window for that to happen either, as it happens even if you leave the window on the default size.

All in all, Tor Browser users as a whole will be in a significantly smaller pool now. While this vector alone is not enough to deanonymize Tor Browser users, it reduces the ability of Tor Browser to protect users, given that that ability depends on the number of users appearing the same to potential adversaries. Users with less common screen sizes, be it very big or very small, will be particularly affected by this. Again, this happens even with Tor Browser on safest mode.

1 Like

It’s not relevant that a fingerprint is unique.

It’s only relevant that it’s different the next time you visit a website.

jshelter [1] is one of the addons that claims to do just that. I haven’t tested it yet though.

canvasblocker [2] is another. A diff of which one “firewalls” which JavaScript API can be found at [3] (German). Using both at the same time apparently requires some special configuration.

[1] JShelter – Get this Extension for 🦊 Firefox (en-US)
[2] CanvasBlocker – Get this Extension for 🦊 Firefox (en-US)
[3] JShelter: Fingerprinting mit Javascript verhindern

JShelter and CanvasBlocker don’t work on CSS-based fingerprinting.

They use CSS to test specific features, like screen size, available fonts, pointers, color, browser specific CSS settings, etc.

I don’t think you can prevent anyone from doing this without breaking the browser. The Tor Browser project is very clear about their goal of not breaking the browser in an attempt to secure it.

https://2019.www.torproject.org/projects/torbrowser/design/

Is CSS fingerprinting already common nowadays?

At least [1] states that it isn’t:
“Currently, this method is not scalable as it requires over 1MB of CSS downloads and hundreds of requests per user. However, with the next upcoming draft of the CSS specification, CSS Values 4, it may dramatically shrink the number of requests per user by allowing the use of custom variables in URLs.”

Anyway that method is pretty easy to block by just denying CSS background image requests for websites that use such a technique. Or just block all externally loaded additional CSS content and live with minor inconveniences on some sites. Or block only when there’s more than X such requests. Or or…

[1] https://csstracking.dev/
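
The "block only when there's more than X such requests" idea from the post above, sketched as a stylesheet check. This is an added example, not part of the thread or of any tool mentioned in it; the function names, the threshold and the sample stylesheets are assumptions constructed for illustration.

```javascript
// Added example: heuristic check for @media blocks that trigger url() fetches.
// All names and sample stylesheets below are constructed for illustration.

// Media features that expose screen, input or theme properties.
const PROBE_FEATURES =
  /\b(?:width|height|resolution|pointer|hover|prefers-color-scheme)\b/i;

// Return one {condition, url} entry per url() inside a probing @media block.
function findMediaProbes(css) {
  const probes = [];
  const atMedia = /@media([^{]*)\{/gi;
  let m;
  while ((m = atMedia.exec(css)) !== null) {
    const start = atMedia.lastIndex;
    let depth = 1, i = start;
    while (i < css.length && depth > 0) {   // walk to the matching brace
      if (css[i] === '{') depth++;
      else if (css[i] === '}') depth--;
      i++;
    }
    const body = css.slice(start, depth === 0 ? i - 1 : i);
    atMedia.lastIndex = i;                  // resume after this block
    const condition = m[1].trim();
    if (!PROBE_FEATURES.test(condition)) continue;
    for (const u of body.matchAll(/url\(\s*['"]?([^'")]+)['"]?\s*\)/gi)) {
      probes.push({ condition, url: u[1] });
    }
  }
  return probes;
}

// "More than X such requests": X is the threshold (assumed default of 3).
function isSuspicious(css, threshold = 3) {
  return findMediaProbes(css).length > threshold;
}

const SAMPLE_TRACKING = `
@media (min-height: 700px) and (max-height: 799px) { body { background: url("/p?h=700") } }
@media (min-height: 800px) and (max-height: 899px) { body { background: url("/p?h=800") } }
@media (min-width: 1200px) { body::after { content: url(/p?w=1200) } }
@media (prefers-color-scheme: dark) { html { background-image: url('/p?dark=1') } }
`;
const SAMPLE_BENIGN = `
@media (max-width: 600px) { nav { display: none } }
@media print { body { background: url(/img/print-logo.png) } }
.hero { background: url(/img/hero.jpg) }
`;
console.log(isSuspicious(SAMPLE_TRACKING), isSuspicious(SAMPLE_BENIGN));
```

Ordinary responsive layouts also use `@media` on width and height, so the count of conditional `url()` fetches, not the mere presence of such rules, is what the threshold tests.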

That is not true at all. Firstly, randomization approaches are typically inferior to uniformization approaches. Check the following link from Torproject:
https://2019.www.torproject.org/projects/torbrowser/design/#idm660

Secondly, your fingerprint is indeed the same when you revisit the website again, so it is a moot point regardless.

Thirdly, TBB follows a uniformization or sameness approach, so getting a different fingerprint every time is the opposite of what they set out to do.

Lastly, those addons do not prevent the type of fingerprinting I described and linked to, as the extensions focus on fingerprinting that uses JavaScript. Also, CSS fingerprinting is much more common nowadays and quite easy to use and hard to prevent. They also use more than just CSS to fingerprint you, so even if you block all CSS, JS and cookies with something like umatrix, that is no longer supported anyway, they would still be able to fingerprint you. Especially if you use a browser other than TBB.

Did you find a website that uses CSS fingerprinting and/or where’s that demo you mentioned hosted?
That would make analysis of the used technique possible.

Their GitHub repo [1] doesn’t mention CSS-based fingerprinting. The demo [2] doesn’t even work without JavaScript.
So I’m still sceptical wrt the scale of CSS-based fingerprinting as of today.

And well, possibly I disagree with the Tor Browser uniformity strategy, but that’s another topic.

[1] https://github.com/fingerprintjs/fingerprintjs
[2] Technical Demo - Fingerprint Pro

There are many whitepapers that discuss the usage of CSS as a fingerprinting tool. Torproject and jondonym also have some articles on the topic on their respective websites. And you can be certain that if there are public tools/demos that show how CSS can easily be used to fingerprint you, most big/top websites will be using it already. There are companies that openly sell such tracking technology. Also, disable cookies and even use all those extensions you mentioned and then search noscriptfingerprint; you will see the fingerprint remains the same.

So you’re talking about [1]?

That’s the @media approach I mentioned earlier.

I can confirm it works rather well against Qubes, but the demo is also way too broad (screen size + installed fonts + some other settings) to be used precisely against millions of users.

I can also build a simple script that uses your display language and will show some ID for that and you’ll be scared that I can always recognize you when in fact you’re one of thousands to me.

Yes, it’s an issue, but I still doubt it’s prevalent at the moment and I bet it’ll be fixed sooner or later.
In the meantime feel free to use different browsers and VM templates as mitigation.

[1] https://noscriptfingerprint.com/

If used on very popular sites with millions of users, it will not be very effective as it will lead to many false positives. However, on websites with a small number of visitors, users, especially those with unusually large or small monitors, might be more effectively fingerprinted, especially if additional vectors of fingerprinting are used.

I believe it is easy to solve, given that if you use umatrix, with some tweaks, they stop being able to determine your screen height and width, which was the only setting that allowed them to differentiate TBB users on safest settings. I seriously doubt Tor project will do anything about this unless someone tells them.