Can websites track me across different qubes?

I would expect that disposable VMs in Qubes provide the same set of Firefox features for all Qubes users. Unless you modified your browser in some way (and unless screen resolutions are different), our fingerprints should just coincide. However, every time I check the fingerprinting in Qubes, I get the result that I am unique among millions (amiunique) / hundreds of thousands (panopticlick) of users. It happends both on Debian and on Fedora. How is this possible? Do you get the same results?

Well, I have to admit that I have installed PrivacyBadger and HTTPS Everywhere, but they do not seem to be important: List of plugins: none

https://amiunique.org

P.S. I do know that for actual defense from the fingerprinting one should use Whonix with Tor Browser. It does show that I am not unique.

2 Likes

The default browsers do not have any anti-fingerprinting guarantees.

I would suggest on AmIUnique that you check manually which fields differ among Disposable Qube restarts. Maybe that will find it.

You can also consider the SecBrowser that is basically the same as the TorBrowser minus the Tor Network part. So it should also reduce significantly your fingerprint as well.

2 Likes

I would expect that disposable VMs in Qubes provide the same set of Firefox features for all Qubes users. Unless you modified your browser in some way (and unless screen resolutions are different), our fingerprints should just coincide. However, every time I check the fingerprinting in Qubes, I get the result that I am unique among millions (amiunique) / hundreds of thousands (panopticlick) of users. It happends both on Debian and on Fedora. How is this possible? Do you get the same results?

Well, I have to admit that I have installed PrivacyBadger and HTTPS Everywhere, but they do not seem to be important: List of plugins: none

https://amiunique.org

https://panopticlick.eff.org

Without JS the only thing giving you away is a) no JS and b) your user agent and maybe c) the headers.

I get 1:21k for that.

Anyway it is not too good of an idea to attempt to forge headers & user agents as that usually has to happen in lots of places and tends to fail in one of these. In that case you would get really unique.

P.S. I do know that for actual defense from the fingerprinting one should use Whonix with Tor Browser. It does show that I am not unique.

It does? Interesting.

See also: Ensure Tor Browser default screen resolution is uniform across Qubes Debian, Qubes Whonix, and baremetal Debian · Issue #1856 · QubesOS/qubes-issues · GitHub.

Sure, I just wanted to investigate what actually happens currently and whether we can improve it. Maybe at some point in the future we can have some anti-fingerprinting guarantees, among the Qubes users?

You are implying that the fingerprint changes between the restarts, but I am not seeing it. It stays the same for me. This is why I expected that it should be the same for others.

Thank you, this is interesting (though not very convenient).

1 Like

That’s a common misconception based on an over-simplified model of how browser fingerprinting and VM fingerprinting work.

@deeplow already linked this, but I’m going to link it again, because it cannot be stressed enough. This entry was written to address exactly this misconception:

Specifically, see these pages linked from that FAQ entry:

https://www.torproject.org/projects/torbrowser/design/

Did you actually read the link you’re replying to here? It already addresses what you’re saying:

In order to achieve the same results in non-Whonix qubes (including DisposableVMs), one would have to reinvent Whonix. Such duplication of effort makes no sense when Whonix already exists and is already integrated into Qubes OS.

Therefore, when you need privacy, you should use Whonix qubes.

4 Likes

I have a few relevant questions that’s been at the back of my mind for a while now:

  • What techniques do fingerprinters/trackers/profilers actually use in the wild? (These likely change rapidly, but it’s good to have an idea of what’s possible. For example, a company used ultrasound to track users across devices, and keystroke deanonymization is a big deal.)

  • Where are these tracking techniques tracking you? (What sites/protocols/etc?)

  • How often are they deployed for non-commercial purposes?

  • How reliable are they, especially against users who know about them?

1 Like

I’m not too deep into this but I think the following article is a great starting point to answering some of these questions. And it’s very recent as well (august 2020):

We find that browser fingerprinting is now present on more than 10% of the top-100K websites and over a quarter of the top-10K websites.

In case someone wants a lighter version of that study, there’s also this news article about it:

4 Likes

So it looks like the bog-standard method of disabling javascript is still the best (i.e. there doesn’t seem to be any exotic, non-javascript methods out in the wild).

NoScript/Ghostery/uMatrix all the way

(note: uMatrix is no longer being maintained)

2 Likes

The best practice, in my opinion, would still be using the default browser in your OS, without modifications.

The problem with fingerprinting websites is that the users who are using it usually are the people who are aware of the browser fingerprint or privacy in general who still a minority, not the general public who represent the majority, so the results in these websites will not be reliable.

Using Tor browser is the best we have right now in anti-fingerprinting.

There is also Sec Browser (based on Tor Browser but non-anonymous /
doesn’t require Tor). It comes from the Whonix team and is part of
Kicksecure.

But it’s still Gecko-based, like Firefox as well, which has very weak sandboxing compared to Chromium and it’s derivatives.

Chromium is by far more secure. Unlike Sec browser, the strongest point for Tor browser is its anonymity, although it’s a modified version of firefox.

If you are running it in a disposable qube that has nothing else in it
… what does it matter? I wouldn’t mix online activity with any qube
that has actual data in it anyway.

I refuse to use any Chromium-based browser, because I don’t want to end
up in a mono-culture. The current usage numbers are depressing enough. I
don’t want Google controlling the web anymore than I wanted to see
Microsoft do that.

If one engine becomes so dominant that all other basically don’t matter
anymore we are in deep sh…

2 Likes

If you are running it in dispVM, you are right. it’s isolated from your workstation, but the sites you visit are not isolated in the browser itself.

Chromium is free and open source browser, and you may use things like: Ungoogled Chromium or brave or other privacy-respecting browsers if that’s a concern for you.

but, sometimes choosing the more private option and the refusal to blend-in may make the users in a less private situation by making their fingerprint more unique.

After all, it’s your decision of course.

Chromium is free and open source browser, and you may use things
like: Ungoogled Chromium or brave or other privacy-respecting
browsers if that’s a concern for you.

That’s all true. My point is off-topic (sorry) as it’s not concerned
with privacy: it’s about the dominance of a single engine and ending up
in a mono-culture. That’s not good for anyone. Doesn’t matter if it’s
open source.

but, sometimes choosing the more private option and the refusal to
blend-in may make the users in a less private situation by making
their fingerprint more unique.

You are right and I totally agree. This is where TorBrowser/SecBrowser
shine. They appear as a Firefox install on a Windows machine and even
take care about things like your screen resolution by putting the page
in a letterbox that matches standard resolutions but not that of your
screen. They are doing much more of course. I do not think even Brave
comes close.

If you are now thinking it would be better they’d present themselves as
Chrome running under Windows because that’s what most people do …
that’s my first point.

1 Like

You can change the search engine in any browser, I don’t see how that relevant in our discussion.

Tor browser has no rival in anti-fingerprinting. We both agree on that.

I don’t like Sec browser’s approach because there is no model or clear goal behind it; it offers me Tor browser without the Tor network!
Imagine someone browsing the clear net, revealing their real IP, using modified firefox claiming, in the user agent, that they use firefox, and disabling Javascript!
The websites know your IP, can detect the modifications in the browser and can detect the plugins. if Javascript is disabled, they can also detect that JS is disabled. All of that can make the browser’s fingerprint more unique.
But, it really ends up to the user’s threat model, that controls everything.

Last point, changing the user agent from firefox to chrome doesn’t mean the browser will behave like Chrome. Tor is build on firefox as you know.
(There was an issue in Tor browser, that it revealed the true OS in the user agent)

1 Like

+1
don’t think any of these 4 questions were addressed.

PS: I recommend the qutebrowser maintained project, JS off

I just visited the link to SecBrowser https://www.whonix.org/wiki/SecBrowser#Privacy_and_Fingerprinting_Resistance

But the website says its now deprecated.
So now what?

1 Like

Use Tor Browser on Whonix, it works quite well.

I just visited the link to SecBrowser […] But the website says its
now deprecated.

Yeah, bummer. Just found out 2-3 days ago myself.

So now what?

Here’s my strategy:

  • most links I open in whonix-ws / torbrowser

  • stuff that has trouble working over Tor or has me login in anyway
    (e.g. amazon, github) I open in Firefox with the following plugins:

    • OpenInQube … think of it as a whitelist with regex. If I didn’t
      explicitly allow a connection it is prevented.

    • NoScript … I choose which scripts can run (whitelist by domain)

    • uBlock origin … filters ads and other annoyances

    • Privacy Badger / HTTPS Everywhere … EFF essentials

    • Decentraleys … reduces more advanced tracking

  • in my work Qube I have to run some Chromium based browser due to M$
    Teams … there I choose Brave and configured it to be as strict as
    possible + the OpenInQube plugin with the whitelist again

/rant (feel free to stop reading here)

Google is the pest, worse than Microsoft ever was. So I avoid it
wherever possible. I don’t care if Chromium is open source or not. I
don’t trust it and I want Mozilla/Gecko/Firefox to stick around so
Google doesn’t entirely control everything on the internet. I want to
see them broken up into pieces so badly, right along with Amazon,
Facebook, Twitter and all the other monopolists.

4 Likes