
So I used Qemu on Ubuntu 20 to emulate a computer running Windows 10. I kept all of Qemu's default values. Then, while installing the Windows 10 ISO, I kept all the default values once again. Finally, I went to:

https://amiunique.org/fp

And the site tells me my browser fingerprint is unique! In theory, Qemu can emulate hardware, so by using a Windows 10 clean install I should be able to produce a fingerprint that is very common. It seems like the website can gather data about elements outside of the scope of the emulation.

How is this possible? How to prevent it?

Also, I get a score of 1.43% for fonts used. Is it really that uncommon to only have the default fonts, or is there something else at play here?

Steffen Ullrich
  • the site tells you which aspects are unique. You need to address those things. – schroeder Jun 10 '21 at 16:50
  • I guess some of these aspects are determined by hardware components? How do I emulate common hardware components in a way that hides the real hardware components? Is Qemu even able to do this? – propre_poli Jun 10 '21 at 16:57

2 Answers


> Qemu can emulate hardware, so by using a Windows 10 clean install I should be able to produce a fingerprint that is very common.

This is a wrong conclusion. Emulate is not Imitate. Emulate just means that it works enough like the device from the perspective of the OS, which usually does not mean specific timings, performance, etc. Also, qemu can only emulate specific hardware, typically older hardware. While this is sufficient to run the OS, it will not reflect what runs in modern systems, thus adding to the different fingerprint.

> How to prevent it?

If you want to blend in with a shared fingerprint you need to run on a typical system, i.e. a system similar to what many others use. A freshly installed system on a virtual machine is far from a typical user environment.

Steffen Ullrich
  • Is there a way to truly imitate modern hardware, performance not really being a priority? If I want to completely change my browser fingerprint, is modifying the hardware the only way to have a different fingerprint that looks "real" and not spoofed in some way? – propre_poli Jun 10 '21 at 18:02
  • @propre_poli: *".... truly imitate modern hardware, performance not really being a priority ..."* - if you want to imitate the hardware you also need to imitate the performance. *"If I want to completely change my browser fingerprint, is modifying the hardware the only way to have a different fingerprint that looks "real" and not spoofed in some way?"* - this fully depends on how the fingerprint gets computed. There is not one single method of doing a fingerprint. But if you want to look "real" you likely need to be more or less real, as I already pointed out. – Steffen Ullrich Jun 10 '21 at 18:32
  • Thank you for your input. Now I know where to direct my efforts. – propre_poli Jun 10 '21 at 19:03

Disclaimer: I don't have any formal infosec training; I'm just a nerdy guy that likes coding, Linux, and FOSS.

> [...] my browser fingerprint is unique! [...] How is this possible? How to prevent it?

No clue why it does this in your specific case, so I'm not even going to attempt to answer that one.

As for the unique id, personally, I don't consider that to necessarily be the only significant factor in staying anonymous. For instance, one solution I had previously looked into for preventing browser fingerprinting in Firefox was to use the addon Chameleon. I also configured it so that I got a random user agent string every X number of minutes (to be clear: this doesn't just change the user agent string; it has a bunch more settings for spoofing fingerprinting-related header fields and such as well). While testing on several of the browser fingerprinting test sites such as the one the EFF had, I had noticed it would still flag mine as unique even with these settings...

But if you think about it, the real danger in having a unique fingerprint is that it is persisted and can be correlated to other web activity at other times due to that persistence. If I get a new fingerprint every couple of minutes - but it is unique, there still isn't any persistence that can be used to correlate it with any of my other web activity. At least, there shouldn't be if I'm doing everything else right (using a VPN/Tor, not logging in with the same user name everywhere, not logging into accounts like social media/email that can be tied to activity from other fingerprints, etc.).

Now, everything I just said probably doesn't really apply to your situation due to the VM guest hardware playing a role. BUT, you might potentially be able to use the same addon as a solution if you are using Firefox. AFAIK, this extension has not been ported to Chrome (there were "Chameleon" extensions but not by the same author); however, there may be Chrome extensions which do something similar.

zpangwin
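
Added example (not part of either answer or of the original page): a self-check for the rotation approach discussed above, written in JavaScript over constructed visit records. The attribute names, values and helper functions are assumptions for illustration; the code groups visits by fingerprint to show which visits remain linkable through attributes that rotation leaves unchanged, and converts a share such as the 1.43% font score into bits, assuming the score is the share of visitors with the same value.

```javascript
// Constructed sample: fingerprints one browser profile exposed on three visits
// while an extension rotated some values (v1-v3), plus one unrelated visitor (v4).
// Attribute names and values are illustrative, not any site's real schema.
const visits = [
  { id: "v1", userAgent: "UA-1", language: "en-US", fonts: "win10-default", canvas: "canvas-A", webgl: "renderer-vm" },
  { id: "v2", userAgent: "UA-2", language: "fr-FR", fonts: "win10-default", canvas: "canvas-A", webgl: "renderer-vm" },
  { id: "v3", userAgent: "UA-3", language: "de-DE", fonts: "win10-default", canvas: "canvas-A", webgl: "renderer-vm" },
  { id: "v4", userAgent: "UA-2", language: "en-US", fonts: "win10-office", canvas: "canvas-B", webgl: "renderer-gpu" },
];
const ALL = ["userAgent", "language", "fonts", "canvas", "webgl"];

// Identifying information, in bits, of a value shared by `share` of visitors.
function surprisalBits(share) {
  return -Math.log2(share);
}

// Canonical fingerprint string over the chosen attributes.
function fingerprint(visit, attrs) {
  return attrs.map((a) => `${a}=${visit[a]}`).join("|");
}

// Group visit ids by fingerprint; a group larger than one is a linkable set.
function linkVisits(records, attrs) {
  const groups = new Map();
  for (const r of records) {
    const key = fingerprint(r, attrs);
    groups.set(key, [...(groups.get(key) || []), r.id]);
  }
  return [...groups.values()];
}

// Attributes whose value never changed across the given records.
function stableAttrs(records, attrs) {
  return attrs.filter((a) => records.every((r) => r[a] === records[0][a]));
}

const own = visits.slice(0, 3);        // the rotating profile's own visits
const stable = stableAttrs(own, ALL);  // what rotation left untouched
console.log("groups over all attributes:", linkVisits(visits, ALL).length);
console.log("stable attributes:", stable);
console.log("groups over stable attributes:", linkVisits(visits, stable));
console.log("bits for a 1.43% share:", surprisalBits(0.0143).toFixed(2));
```

Over all attributes every visit looks unique, yet the three rotated visits fall into one group once only the unchanged attributes are compared, so the attributes listed by `stableAttrs` are the ones to address.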