CPU fingerprinting (cat proc/cpuinfo & cpuid)

I saw that too. I read the links as saying any program that is run, including within a virtualized environment, can access the CPU ID.

If this is true, it means any virtualized Windows is going to be getting the CPU ID of the system (most likely) and sending it to Microsoft, since they collect a large amount of such information via telemetry.

I almost never run closed source software, but I have occasionally run closed source software in a virtualized environment and then deleted the virtualized environment after. According to this, those closed source programs could be getting my CPU ID, sending it somewhere, and then even if I delete the program the CPU ID can be used to continue to track me.

Also, the links didn’t really address whether highly sophisticated technology companies that track people as their business model have properietary javascript technology that is fingerprinting the CPU. Most fingerprinting techniques involve canvas fingerprinting, audio context fingerprinting, domRects fingerprinting, WebGL fingerprinting, and font fingerprinting, and then combines that with characteristics of a web browser to identify a particular user. If you distort those fingerprinting metrics slightly, and don’t have unique browser characteristics, it becomes harder to fingerprint your browser. However I am not sure whether the larger companies like Google and Facebook have moved on to some sort of proprietary fingerprinting technology that they aren’t sharing. If Google or Facebook had a proprietary fingerprinting technology that utilized javascript, would that javascript be something that could be inspected when loading a page? Would developers and programmers be able to see it, or is there a way they could keep it proprietary? There are other theoretical ways of fingerprinting people involving different types of calculations that I believe cannot be modified, and I think it involves hashes related to RAM or other calculations and the hash in unique and consistent ways. I am not sure if big tech has deployed those methods and if developers and programmers would be able to see it when visiting websites.

If javascript is running on a website, is the javascript code something that is open and can be read, or is it in some way compiled and closed where a website reader doesn’t know what it is doing?

replied to your post, even if @procShield is stating something slightly incorrectly, the post still brings up some really valid and interesting concerns.

Also, if a website were to try to do a unique fingerprint of a user using a RAM hash, would that RAM hash hold as consistent in a disposable Qubes AppVM in which the total allocated RAM could vary but is always less than the total RAM?

edit: I am not being able to make more posts until 7 hours has elapsed. @renehoj you are probably right. I think I was using the term “CPU ID” as my way of saying unique CPU identifier (like a CPU serial number), but that might not be a risk at all. Even if that can’t be determined, I have seen some new hardware based fingerprinting on GIT that can’t really be spoofed yet, but I am not sure whether big technology is deploying that because it seems like probably 95 percent of users don’t understand canvas fingerprinting, and of the 5 percent that do, probably almost all 5 percent is only blocking canvas fingerprinting and not any of the other fingerprinting types. I think the amount of users who alter metrics to try to block most of the standard fingerprinting methods is probably less than 1/10,000 and it’s so small that it doesn’t affect their profit enough to deploy new methods.

Doesn’t all CPUs from that same production batch have exactly the same CPU ID?

1 Like

Related issue (see comments):

1 Like

I don’t know what precisely is going on, but I have observed machine behavior.

Java constantly gets interfered with even if I am using tor. I’m not sure how this happens, but I know it is highly repeatable and persistent.

I have noticed CPU “bursts” with multimedia. Google through invidious .onions. That processing reaction must be fairly specific, although maybe only so far as the CPU series.

If I understand correctly, the CPU frequencies, however, are slightly unique due to variations in the fabrication process. I know Mozilla can get proc/cpuinfo and can lifetime ban someone without any due process, but if you virtualize or essentially alter your system, then Mozilla corp functions suddenly work again. So they must get individual IDs connected to hardware properties somehow.

Hide hardware info: Hardware information masking and spoofing with hypervisor - #5 by BEBF738VD

Does that make any difference?

The appVM doesn’t have access to any hardware, except for the CPU, and even with kicksecure there is no way you can hide CPUID.


Unknown. Detection blocked by browser setting(s)/extension(s) or not supported.
Number of cores:

what do you think of this:

I got a lot of specifics using tor browser with standard safety.

You need to post the CPUID info in the textbox, and it will parse it for you, it can’t read the CPUID from your system.

1 Like

I got the same result from deviceinfo. I have to study the question some more before answering. poly.nomial is not a detector, just a sample. There may be a way for Java Servers to get remote CPU info from what I’m reading, but I’ll have to look into this further. Thanks.

No worries. Keep in mind that for best protection you may want to disable javascript entirely.


what do you think?

It says the same thing, you can’t use JavaScript to read CPUID:

I am now certain that CPUID cannot be detected from within a browser using JavaScript.

Then how do you think Mozilla Corp and Ubuntu Canonical Corp can identify a new computer and new software that I have not logged into any social media or email from? My identity should be unknown to them but somehow they have deep targeting capabilities I think must be connected to hardware specs. Ideas?

All software running in the appVM can read the CPUID, but that doesn’t mean that you can read it with JavaScript.

I doubt anyone is using CPUID for fingerprinting, it’s probably one of the weakest hardware identifiers in most systems. My laptop is the Lenovo T480 with the 8650U, the model number of the laptop is many times more unique than the CPU model, and the MAC address is 100% unique.

CPUID can be used to “break out” of the appVM and fingerprint the actual hardware, but knowning person X is using a CPU with a production run in the high millions isn’t really going to compromise your anonymity.

Nowadays some ISPs just sell your identity or a pseudonymized marketing ID of your identity to advertisers. It all happens in the backend based on your IP & port.
Obviously VPN & Tor etc. help.

Qubes is already limited to certain CPUs. Does the virtual CPU look exactly the same as on the host?
Knowing the CPU model could also make some CPU bug related attacks easier.

Don’t know how the vcpus work, but I think it more like threads on the real CPU, it’s not a virtual CPU emulating the actual CPU.

The guest needs to know the CPUID to know what hardware it’s running on, the ID tell the OS what optimizations etc. it can use.

Difference of cpuid command (or cat /proc/cpuinfo) output on host vs guest?
iirc at least for KVM/libvirt systems the output can be very different depending on what CPU features you pass through.
Also iirc, there once was a discussion on the Whonix forum for having the same CPU model used for each user.

Does it need to know everything?