[linux-elitists] Browser fingerprinting

Cathal Garvey cathalgarvey at cathalgarvey.me
Sun Oct 13 17:28:11 PDT 2013


> Sure would be nice if Mozilla had an option for "only announce the 
> standard vanilla web fonts".

Check out firegloves. It's outdated, and I'd love to see it getting
some love, but it's a great POC for anti-fingerprinting in Firefox.
Still works with Iceweasel 20, so it's aged well for an apparently
unmaintained academic project. Among the key features: a restricted set
of fonts sent to sites, possibly including cycling the fonts randomly
to confuse fingerprinting by recurrent font-lists.

Note though, it breaks some websites in a manner akin to
fascist-maxima-noscript. So you'll sometimes need to disable it; Paypal
is a good example.

User-agents are the devil, though, because whatever about other sources
of browser entropy, the User Agent is a big honking bonus score every
site gets for zero effort. Worse, most efforts to minimise User-Agents
can end up maximising them instead, and there don't seem to be any
*current* lists of "most common user-agent string" to work from to
reduce entropy. I've set mine to a super-generic-looking
Windows/Firefox setting, but as other people upgrade their browsers and
OSes and as architectures get more diverse, browser UAs are getting
more and more diverse, too.

I vote we ditch them entirely and just assume that all browsers do
HTML5 or GTFO.

On Sun, 13 Oct 2013 17:06:22 -0700
Bill Stewart <bill.stewart at pobox.com> wrote:

> 
> >Date: Sun, 6 Oct 2013 11:11:46 -0700
> >From: Don Marti <dmarti at zgp.org>
> >
> >Translation: "Fine, you smug cookie-blocking nerds.
> >We're going to go all browser fingerprinting on you."
> >...
> >Unfortunately, Firefox appears to be highly fingerprintable.
> 
> One reason Firefox is highly fingerprintable is that it sends a list 
> of your available fonts to the web server so the server can format 
> its pages with cool fonts instead of boring fonts if you're able to 
> read them.  That often turns out to be surprisingly unique, at least 
> if you like fonts, and AFAIK it's not just the fonts you've 
> configured into your browser, it's the fonts configured into your
> computer.
> 
> For instance, my work PC has a font for the $DAYJOB corporate logo, 
> and has since acquired a couple more fonts so I can display their 
> newer marketing presentations correctly in Powerpoint, plus it's got 
> the dozen or two different monospace console fonts I was trying out 
> to find a good one for programming use, and the usual collection of 
> Bocklin and Dwarvish and Tibetan that old hippies usually have on our 
> computers, just in case we might need to count to nine billion or 
> have an appropriate password entry form.  When I first tested it with 
> the panopticlick tool, it was unique; there are now a couple other 
> similar machines (but that's "my machine's IE", "my machine's 
> Firefox", and "my machine running Win7 with the Long Term Support 
> version of Firefox that Corporate IT department makes us use", so 
> it's still unique in reality.)
> 
> Sure would be nice if Mozilla had an option for "only announce the 
> standard vanilla web fonts".
> 
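Added example, not part of the original messages: a small Python sketch of the entropy argument in this thread, measuring how many identifying bits a User-Agent and a font list reveal, and what a "vanilla fonts only" option would change. The visitor population, the UA labels and the function names are constructed for illustration and are not measured data.

```python
import math
from collections import Counter

VANILLA = frozenset({"Arial", "Times New Roman", "Courier New"})

# Constructed population of 16 visitors as (user_agent_label, font_set).
# Labels and counts are invented for illustration, not measured data.
VISITORS = (
    [("fx24-win7", VANILLA)] * 8
    + [("chrome30-win7", VANILLA)] * 4
    + [("fx24-linux", VANILLA | {"DejaVu Sans"})] * 2
    + [("fx17-winxp", VANILLA)]                     # stale "generic" spoofed UA
    + [("fx24-win7", VANILLA | {"Bocklin", "Corporate Logo"})]  # font collector
)

def surprisal_bits(value, observations):
    """Bits of identifying information revealed by `value`: log2(N / count)."""
    counts = Counter(observations)
    if counts[value] == 0:
        raise ValueError("value not present in observations")
    return math.log2(len(observations) / counts[value])

def anonymity_set(fingerprint, visitors):
    """Number of visitors sharing the exact (user_agent, fonts) fingerprint."""
    return sum(1 for v in visitors if v == fingerprint)

def restrict_fonts(visitor, allowed=VANILLA):
    """Announce only fonts in `allowed`, as a restricted-font-list option would."""
    ua, fonts = visitor
    return (ua, frozenset(fonts) & allowed)

def report(visitor, visitors):
    """Per-attribute bits and the size of the crowd the visitor hides in."""
    uas = [ua for ua, _ in visitors]
    fonts = [f for _, f in visitors]
    return {
        "ua_bits": surprisal_bits(visitor[0], uas),
        "font_bits": surprisal_bits(visitor[1], fonts),
        "shared_with": anonymity_set(visitor, visitors),
    }

if __name__ == "__main__":
    collector = VISITORS[-1]
    print("before:", report(collector, VISITORS))
    hardened = restrict_fonts(collector)
    print("after: ", report(hardened, VISITORS[:-1] + [hardened]))
    print("stale spoofed UA:", report(VISITORS[-2], VISITORS))
```

In this constructed population the font collector drops from a unique fingerprint to a crowd of nine once the font list is restricted, while the out-of-date "generic" User-Agent is itself worth the full 4 bits because nobody else sends it.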
