An advanced browser fingerprint calculator aimed mainly at Tor Browser users

I worked on designing tracking scripts for six months (Sorry. Fortunately they aren&#x27;t in production). Fingerprinting was very difficult to pull off in practice: even with canvas fingerprinting, font enumeration, plugin enumeration, etc. most mobile phones are still indistinguishable. Desktops are easier to fingerprint because they often have unique browser plugins or a unique set of fonts installed. Even with desktops, fonts and other settings usually change within a matter of days, so its difficult to identify a user unless they&#x27;re browsing from the same ip address you&#x27;ve seen them at before.<p>What used to work really well were Flash cookies. Adobe had a security hole where Flash cookies weren&#x27;t cleared when you cleared your regular cookies. The only way to clear your Flash cookies was to open the Flash application on your laptop and clear all content, or visit a special webpage Adobe built to help users clear their cookies. So for years marketers could store any cookies they wanted this way. This only ended when Chrome began embedding a version of Flash into the browser so Flash cookies could be deleted when other cookies are deleted.<p>The other mechanism that was really interesting was ETag tracking. When you request a picture or other asset from a website, the website can send you an etag id which is supposed to signify the picture&#x27;s version. When the client revisits the page, the client sends back the etag to confirm the version cached is the same as the version on the server. The security leak is that the etag protocol allows arbitrary text to be set as an etag, so to set an etag cookie all you have to do is place a 1x1 pixel on each page with a random GUID, and when the user revisits the page the browser will resend the tracking etag in its request for the 1x1 tracking pixel. This works for browsers with cookies disabled, and will remain when cookies are cleared. The only way to clear it is to clear all browsing history entirely, including cached images. Fortunately, Chrome now clears cached images by default when you clear your cookies.

I have a few questions about finger printing.<p>Why Tor sends window size to servers? If it has to, why it can&#x27;t send closest multiple of 100 instead of real value?<p>Why servers request size of client windows anyway? I assume so they can serve different resolution images to clients or maybe different layouts, is this correct? But then instead of sending 1920x1080, simply sending 1900x1100 would also work right?<p>Same goes for fonts, as soon as you install a few different fonts, you are pretty much unique now. Why does a browser has to send the fonts you have? Shouldn&#x27;t it be possible to only send the fonts you have? Default fonts of OSes enabled by default, and new fonts are disabled?

Under the &quot;Tor&quot; tab it states that the browser should be set to a window size of 1000x1000 or a multiple of 200x100. Is this to stay consistent across all Tor users? I would have thought that 1920x1080 would be fine to help stay anonymous.

Surely there&#x27;s some way to detect when a script touches far too many APIs such as setting several font families in succession. Then pause execution, warn the user about potential fingerprinting, and either disable script or blackhole its network requests.

Have used several browser fingerprinting services and have tried a few of the techniques myself, they&#x27;re incredibly useful for fraud prevention when said fingerprint is reported against a central database alongside with the fraud that happened to _you_. The next time said fingerprint shows up at an eCommerce site, they&#x27;ll be blocked off from purchasing or at least flagged for additional verification.<p>They&#x27;re also just useful for super targeted ads.<p><i>shrug</i>

Why don&#x27;t we just create a VM with the tor browser preinstalled ? Surely, it would be a lot harder to do fingerprinting. ETags would still make you vulnerable, but caching can also be disabled. Then you&#x27;re left with cookies.

A good fingerprinting method (only applies to devices on private networks), is using JavaScript to enumerate the devices&#x2F;services on a user&#x27;s network (running HTTP(S) or other services if they are in the &#x27;safe&#x27; port range).<p>You can also test for models&#x2F;versions of a router on their network (for example, many routers allow access to static content such as images without authentication), so if a unique&#x2F;uncommon image, CSS, or JavaScript URL can be accessed without authentication, then the user can be fingerprinted not just across browsers, but across devices as well (even in a VM). This is done using network timing (to test if TCP servers exist) and the onload&#x2F;onerror XHR events which can be done even for 3rd party origins, by creating img or iframe elements.

I&#x27;m confused at the &quot;Aimed mainly at Tor&quot; part. A lot of these techniques use Javascript and the Tor browser blocks Javascript in general and warns strongly against enabling it. So it seems that part of the technique will be ineffective against most Tor users.

I&#x27;ve noticed that the Tails and other privacy focused tools go to great lengths to look the same as other users. And as far as my understanding goes, this is somewhat tricky with things like canvas fingerprinting.<p>Is there a reason why they want to look the same? Could the same result be achieved as looking unique every time? e.g. Instead of attempting to make every canvas fingerprint the same, instead make every fingerprint unique by introducing noise.

There&#x27;s a layout bug where the nav bar covers content at &gt;768px of with to whenever the logo and nav links are on the same row again.

I symphathise with that, but HN is a US-centric liberal echo chamber when it comes to political issues, so everything that got to do with government, intelligence and surveillance is automatically labelled &#x27;evil&#x27;.