If your other browser properties don't match the UA though, you're still showing up as a unique fingerprint. You'll be the guy with an IE8 UA sending an accept:image/webp header, or the guy with a Safari UA who's following link prefetching instructions that are only valid in Chrome, or something else that makes you unique.
Or my personal favourite: sending the do-not-track header, something that only a small number of people send that makes you much easier to fingerprint.
The combination of UA and accept headers needs to be changed in sync. Good point - any other things like that that should be watched out for?
And DNT is currently at around ~8%, so, although it does leak some information, it doesn't leak an absurd amount (~3.6 bits). (That's using data from here [1], which is FF-only. If you have a better source of data for this, please let me know.)
Any number of things can out you as a fake. Whether or not the request's Accept-Encoding has sdch can help you figure out if something's Chrome.
You can also abuse parsing quirks to figure out which rendering engine's being used, or just try to use request-generating features that shouldn't be present in whatever browser you're saying you are (<svg>, <video>, styling on engine-specific pseudo-elements, etc.)
Here's an example[1] using just HTML+CSS that will request a different image depending on whether you use a WebKit or Gecko derivative. If you use neither, no image will be requested. Someone who says they're Chrome but requests Firefox's image is immediately outed as a liar.
I believe Mario Heiderich also posted some stuff using WebKit's styleable scrollbars that could be used for fingerprinting screen sizes and how large certain elements are when rendered.
The list goes on, but my point is that fingerprinting at the rendering / layout engine level is trivial, so you're better off being legitimately ordinary if you're worried about fingerprinting.
Are your headers in the correct order for the given UA?
Correct capitalisation for the given UA?
Correct accept for the given UA?
Correct white space around or between values for the given UA?
It is far better to appear to be the same as everyone else if you want to be anonymous (i.e. to browse on an iPad) than it is to do anything to try and not be tracked.
Anonymity today is to be invisible within the crowd, not to stand out as you are the only sheep that is shorn.
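An added example, not part of any comment in the thread: a self-audit that checks a request's headers against the two mismatches named above (an IE8 UA advertising image/webp, sdch offered by a non-Chrome UA) and computes the bits leaked by DNT from the thread's ~8% figure. The rule table, function names and sample requests are constructed for illustration; treating any DNT header as "sent" is an assumption.

```python
import math

# Rules restate claims from the thread; they are not a complete browser model.
RULES = [  # (header, token, UA predicate "may send it", finding)
    ("accept", "image/webp", lambda ua: "MSIE 8" not in ua,
     "IE8 User-Agent advertising image/webp"),
    ("accept-encoding", "sdch", lambda ua: "Chrome/" in ua,
     "sdch offered by a User-Agent that does not claim Chrome"),
]

def parse_headers(raw):
    """Return [(name, value)] in wire order, original capitalisation kept."""
    headers = []
    for line in raw.strip().splitlines()[1:]:   # skip the request line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers

def tokens(value):
    """Split a list-valued header into lowercase tokens without parameters."""
    return {part.split(";")[0].strip().lower() for part in value.split(",")}

def audit(raw, dnt_share=0.08):
    """List UA/header mismatches and the bits leaked by DNT presence or absence."""
    hdrs = {n.lower(): v for n, v in parse_headers(raw)}
    ua = hdrs.get("user-agent", "")
    mismatches = [msg for header, tok, allowed, msg in RULES
                  if tok in tokens(hdrs.get(header, "")) and not allowed(ua)]
    p = dnt_share if "dnt" in hdrs else 1.0 - dnt_share
    return {"mismatches": mismatches, "dnt_bits": -math.log2(p)}

# Constructed sample requests (not captured traffic).
SPOOFED = """GET / HTTP/1.1
Host: example.test
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Accept: text/html,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
DNT: 1
"""
CONSISTENT = """GET / HTTP/1.1
Host: example.test
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Accept: text/html,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("consistent", CONSISTENT)):
        print(label, audit(raw))
```

Header order, capitalisation and whitespace survive in `parse_headers` output, so the checklist items about those can be compared against a reference capture from the real browser.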