3

Tor goes the way of trying to make everyone look the same to defend against browser fingerprinting.

Wouldn't a simple addon that changes/adds as much information as possible randomly in short time intervals also do the trick? Are there downsides to this?

I am thinking about spoofing random fonts, addons (or addon version numbers), user agents (there is already an addon doing this).

Are there projects trying to do this? What are the downsides to this approach?

EDIT: Comparing this approach to the approach which TOR uses (everybody looks the same). On request I'll add what in my opinion this approach does better. You can't personalize your browser when using the approach "I want to look like anyone else". When just adding very many random plugins/fonts (whatever information is possible), which change from time to time, you can also personalize your browser. Sure, your personalized addons etc. won't change as quickly as the other random stuff, but now the server would have to check for every fingerprint whether there are any other fingerprints where any of the information it uses to generate the fingerprint coincides with the new one. This sounds like a hell of a lot of work to me, with a positive probability of getting false positives (associating two fingerprints with each other that aren't from the same user).

This approach is already used to some extent as I see it. When wanting to be private, you will try to change your IP address, for example, so it can't be tracked to you. Also changing the user agent is done (and there are already addons doing it in specific time intervals and randomly).

But why can't we pursue this approach: let's say we pick the 50 most popular addons/fonts, and always spoof having a random number of them installed in some random version.

This isn't just limited to addons/fonts (I only read that information about these is often used for fingerprinting), but one could extend this approach to any information the browser sends. You'd have to send some real information (like window size) to have the site work properly. But then the fingerprinting algorithms can only rely on this minimum of real information you have to send (and not like panopticlick does it just on everything it gets).

To specify the question now: Is this technically achievable? (Can you spoof browser information this well?) And what is the information you can't spoof, because either it isn't possible to spoof it or because you need to send it for most sites to work properly? And is this information already enough to be identified? Do modern fingerprinting algorithms already only depend on this "must-be-true" information or do they (like panopticlick) use everything they can get their hands on?

fubal

4 Answers

2

It is not easy to determine if some seemingly random changes are really random or if there is some underlying pattern/bias which might be used to track an individual user. On the other hand it is easy to implement and verify that the fingerprint is the same for all users and can thus not be used for tracking. Thus it is probably safer to hide the identity of an individual user by making all users look the same.

Apart from that, several web applications include the browser's fingerprint in the session cookie to detect session hijacking done from another browser. When the fingerprint randomly changes, the session cookie will be invalidated a lot, which can cause lots of inconvenience for the user, like the need to re-login all the time or losing the articles inside a shopping cart etc.

EDIT: based on the recently extended question it looks like the OP does not like the approach by TOR since it restricts the possibility to personalize the browser, add the extensions one likes etc. This is true but I would argue that the OP is not really aware how tracking and fingerprinting can be done and is done.

Yes, the simple fingerprinting just looks at the request and extracts information like User-Agent etc., which could be easily changed. But this kind of fingerprinting gives only a rough idea of the user anyway and cannot be used alone to track specific users. More interesting tracking can be done with behavioral analysis, that is, check for installed extensions, check in which social networks the user is logged in and much more. I really recommend reading Technical analysis of client identification mechanisms, which covers a lot of different ways to track the user but is not even complete.

Thus, the idea of Tor to look the same is not restricted to making only the request look the same, but also to behaving the same. With any extension you add and with any site you log in to or simply visit you will change the behavior of the browser and thus look different from others. Randomization of simple features will not help because somebody who is really interested in tracking you knows which features can easily be faked and disregards these. Behavior, instead, cannot easily be faked.

Steffen Ullrich
  • For the "true randomness" part: for sure we can't create perfect randomness, but breaking algorithms which "create randomness" would be way harder for the "attacker" (who wants to make fingerprints) than just doing his usual fingerprints, or not? OK, cookies are a problem, but if you keep cookies then the website can track you anyway, so you have to live with removing cookies from time to time either way – fubal Oct 10 '15 at 13:50
  • 1
    @fubal: finding the bias in some randomness might be hard but can be possible. Finding a user-specific bias in "everybody looks the same" is not possible because there is no bias. Maybe you should explain in your question why you think your solution is better. At the moment you only describe a way which maybe "also does the trick" but causes the problems I've shown. If you show that your idea has significant advantages over the current state then one might try to weigh these new advantages against the new problems and added complexity. – Steffen Ullrich Oct 10 '15 at 15:20
  • I added a lot of detail to the question now – fubal Oct 10 '15 at 15:42
  • 1
    @fubal: Thanks for extending the question, I've extended my answer too. And I really recommend reading the paper I've mentioned, because it is kind of disillusioning on what really can be done to stop getting tracked. – Steffen Ullrich Oct 10 '15 at 16:47
  • 1
    @fubal, respectfully, I suggest you may have succumbed to the [Dunning-Kruger effect](https://en.m.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect). Others here (who know more than you) have indicated that behavioral analysis, secondary signals from PRNGs and browser differences at the plug in and cookie level will defeat your proposal. You don't like these answers, so you dismiss them and assert your idea is correct. You've received the feedback, go do some more research of the areas mentioned after which you can attack this problem again more fully informed. – Andrew Philips Nov 09 '15 at 19:57
  • @AndrewPhilips As I see it, I just tried to understand what the other people meant by pointing out my difficulties in understanding their argumentation - I don't see how you relate that to the Dunning-Kruger effect. Also I don't see what you are trying to achieve with your comment or which new information you are bringing to this question. (But you might be interested in that the DK-Effect probably is just a statistical artifact and has no meaning or foundation at all. It is a regression to the mean, nothing more) – fubal Nov 12 '15 at 09:18
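
Added example (not part of the original posts): a self-check of the scheme proposed in the question, with a random subset of 50 popular addons spoofed on every visit while the user's own addons and the real screen size are kept. It shows both points of the answer above: a hash over everything changes on each visit, so a fingerprint-bound session would break, while the values that never change still stand out. All names and values are constructed for illustration.

```python
import hashlib
import random

# Constructed stand-in for "the 50 most popular addons" from the question.
POPULAR = [f"addon-{i:02d}" for i in range(50)]

def spoofed_visit(real_addons, screen, rng):
    """One page load under the proposed scheme: real values plus random decoys."""
    decoys = rng.sample(POPULAR, rng.randint(5, 25))
    return {
        "user_agent": f"Browser/{rng.randint(30, 45)}.0",  # randomized per visit
        "addons": frozenset(real_addons) | frozenset(decoys),
        "screen": screen,  # has to stay real for sites to render properly
    }

def full_hash(fp):
    """Naive fingerprint over every attribute the browser reports."""
    blob = repr((fp["user_agent"], sorted(fp["addons"]), fp["screen"]))
    return hashlib.sha256(blob.encode()).hexdigest()

def stable_core(visits):
    """What survives every visit: the intersection of addon sets and the screen sizes seen."""
    addons = frozenset.intersection(*(v["addons"] for v in visits))
    screens = {v["screen"] for v in visits}
    return addons, screens

def simulate(n_visits=20, seed=1):
    """Return (number of distinct full hashes, stable core) for one simulated user."""
    rng = random.Random(seed)
    real = {"custom-a", "custom-b", "custom-c"}  # hypothetical personal addons
    visits = [spoofed_visit(real, (1920, 1080), rng) for _ in range(n_visits)]
    distinct = len({full_hash(v) for v in visits})
    return distinct, stable_core(visits)

if __name__ == "__main__":
    distinct, (addons, screens) = simulate()
    print(f"distinct full fingerprints over 20 visits: {distinct}")
    print(f"addons present in every visit: {sorted(addons)}")
    print(f"screen sizes seen: {screens}")
```

The decoys average out after a handful of visits, so the personalization the question wants to keep is exactly the part that remains constant.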
1

Off the top of my head, I'd say there are some potential usability issues with the randomization approach.

It's relatively easy to define a single fingerprint for Tor users and do extensive testing on how different servers respond to it. With randomized fingerprints, it's likely that users will at some point experience issues while trying to access their usual content, and those issues will be both impossible to predict beforehand and potentially difficult to reproduce afterwards.

zinfandel
0

The approach you described is totally ineffective as, by design, the simplest fingerprinting algorithm deployed today is able to detect, follow and even guess a fingerprint's changes. For example any plugins you may add to or remove from your browser will be easily detected by what we call the JavaScript behavioral test.

Also, you have no idea about the fingerprinting algorithm you want to foil: while you try to change the font of your browser and install/remove random plugins, there is a lot of information you forget to change (let's say your screen resolution) and a lot of other data you cannot even change, such as your CPU type/speed and clock skew measurements (An Improved Clock-skew Measurement Technique for Revealing Hidden Services).

You asked about tools; such questions are off-topic here. However, I can mention the Firefox User Agent Switcher, which is an addon that performs what its name says; however, do not pretend to break the simplest professional fingerprinting algorithm in use with that. You rather have to use the traditional methods mentioned here and discussed here.

  • You mean algorithms detect the fingerprint has changed due to specific actions which happen with normal browsing behavior, right? (updating plugins, versions, installing or removing a few). How would an algorithm detect the fingerprint is just "changed" when you randomize most of the data it uses for fingerprinting (which would be the objective of the approach)? And of course there is some information one can't change, but this is the same for using e.g. the tor way (cpu speed isn't altered here either), so if that is enough, then you are saying you can't defend against fingerprinting at all – fubal Oct 10 '15 at 13:47
  • @fubal Yes for the first question. No for the last question (in my answer I linked to solutions of how to evade browser fingerprinting discussed already on this website). As for how could an algorithm detect changes in a fingerprint, as I said that is too basic. If you want details, ask a different question because comments are length limited. –  Oct 10 '15 at 13:51
  • Clock-skew measurement attacks against hidden services have _absolutely nothing_ to do with browser fingerprinting. – forest Feb 27 '18 at 10:42
0

One thing you must also consider: You must randomize the Result of Basic WebGL Operations.

It is also used to fingerprint Systems via HTML5 Canvas WebGL rendered Images. These are considered even more useful if information like Font or Screensize is not available. Mostly they render a colored Text on a colored Pane with a Pattern over the Text. Then they create a Hash of this generated Image.

Factors that change these:

  • Browser
  • Browser Version
  • Graphics Driver Version
  • OS Version
  • Patch level of different Software/Frameworks
  • Font implementations
  • many more

Serverfrog