I am trying to determine if the information shown on www.whatsmyip.org is the absolute maximum amount of information that a webserver can obtain from a web visitor. Are there other sites that will be able to get more information from the user passively like this?
I'm not talking about port-sniffing or any kind of interaction from the user, just the information that a server can get from a 'dumb' visit.
This question was a Super User Question of the Week.
wow, interesting stuff! – Pickledegg – 2012-09-05T14:06:08.580
This requires Java in order to extract some of its information (and it gets very little if you decline the prompt to allow Java on the site) - the test OP linked gathers far more using passive means. – PhonicUK – 2012-09-05T14:10:06.263
It does not require Java, it requires JavaScript. Most people don't have an addon like NoScript installed in their browser, thus in most cases all the information can be extracted. The sites doing this kind of scans will normally not ask the user if they are allowed to do. – Baarn – 2012-09-05T14:13:39.657
Yes it does use java, it has a java applet that does the font check. Chrome even prompts you when you visit the page for whether or not you wish to allow the applet to run. Do an inspect element on the page and you see
<applet codebase="java" code="fonts.class" id="javafontshelper" name="javafontshelper" mayscript="true" width="1" height="1"></applet>
– PhonicUK – 2012-09-05T14:37:58.917
@PhonicUK that being said, it uses Java, but doesn't require Java to get the list of fonts. That info was displayed regardless of my response to the dialog box. – Pickledegg – 2012-09-05T14:55:56.303
It does seem to require Java. I don't have it (nor Flash) installed, and the result was "No Flash or Java fonts detected". – Indrek – 2012-09-05T14:57:14.627
I don't even have a java plugin installed in firefox, still the site extracts the fonts correctly as soon as I set an exception for NoScript. Whatever, I think what @Pickledegg meant by passively extracting information is that there is no user interaction, not that there are no active scripts on the page. – Baarn – 2012-09-05T14:57:51.253
@Indrek I can confirm this, as soon as you have both Java and Flash disabled, no fonts can be extracted. – Baarn – 2012-09-05T14:59:22.983
If it can't do it via Java it uses Flash instead. If you disable both flash and java it just gives "No Flash or Java fonts detected". You can't get the list of fonts just using Javascript. Granted it's passive in so far that it doesn't require any interaction from the user but extras are still required to do it. – PhonicUK – 2012-09-05T14:59:24.373
I updated the answer to reflect this, I didn't know this. – Baarn – 2012-09-05T15:08:07.307
Panopticlick can find out what fonts you have installed!!! – Synetech – 2012-09-05T18:34:43.903
@Synetech As mentioned in my answer, the list of fonts is nearly unique to a user (if you installed one or two other than the system fonts); by this it makes the person identifiable throughout the net, even if you use anonymizers and other stuff. – Baarn – 2012-09-05T18:48:14.093
@Informaficker, I was being facetious. Yes, it can be used like that, but many users never install fonts, or do so via installing Office and such, so it’s actually not as unique as you would think. For example, this Windows 7 laptop which has installed a few special fonts (for language rendering in Wikipedia) is unique to 1 in 2,399,787. Considering the sheer number of Internet-connected devices and the limited number of tests performed, that’s not as unique as one would expect. I’m sure there are extensions that can hide that data though, or at least browsers can make a setting to block it. – Synetech – 2012-09-05T18:53:11.530
@Synetech You do realize that the number equals the browser fingerprints analysed so far? If it were not the EFF that did this scan and you were to visit the site again a month later, maybe even using TOR, they still could predict that you are (in the range of a certain, high percentage) the same user as before. – Baarn – 2012-09-05T18:56:44.610
Panopticlick never displays data for me. Firebug just keeps repeating a "fonts is null" error. – Izkata – 2012-09-05T20:46:21.707
@Informaficker, yes I do, that’s why I said and the limited number of tests performed, and it’s because of a combination of a few really uncommon fonts I have. If I had not installed them (like most people), then the system would be fairly common and not unique. And like I said, there are/can be ways to hide the font (and other browser/system) information (simply running the test in Chrome’s incognito mode cuts it down to 1:800,090). – Synetech – 2012-09-06T01:40:14.143
Peter Eckersley over at EFF gave a very eye-opening talk entitled "How Unique Is Your Browser?" about their use of this tool. You can watch/hear it here: https://www.defcon.org/html/links/dc-archives/dc-18-archive.html – glenneroo – 2012-09-11T19:15:17.210
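The "unique to 1 in N" figures discussed in the comments are Panopticlick's surprisal measure (bits of identifying information, -log2 of how common a fingerprint is). As an added illustration, not code from this thread or from EFF, the script below parses a raw HTTP request, keeps only what a 'dumb' visit leaks with no JavaScript, Java or Flash involved, and scores that passive fingerprint against a population of earlier visitors; all header values and visitor counts are constructed.

```python
import math
from collections import Counter

# Headers a server sees on every request, with no script or plugin running.
PASSIVE_HEADERS = ("user-agent", "accept", "accept-language", "accept-encoding")

def parse_request(raw: str) -> dict:
    """Parse the head of a raw HTTP/1.x request into a lowercase header dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # line 0 is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def passive_fingerprint(headers: dict) -> tuple:
    """Combine only the passive header values into one hashable fingerprint."""
    return tuple(headers.get(h, "") for h in PASSIVE_HEADERS)

def surprisal_bits(fp: tuple, population: Counter) -> float:
    """Identifying information in bits, -log2(P(fp)), as in Eckersley's paper.
    A fingerprint never seen before is scored as one visitor in total+1."""
    total = sum(population.values())
    seen = population.get(fp, 0)
    return math.log2(total + 1) if seen == 0 else math.log2(total / seen)

def one_in_n(fp: tuple, population: Counter) -> float:
    """The 'one in N' figure Panopticlick reports: 2 ** bits."""
    return 2 ** surprisal_bits(fp, population)

# Constructed population of 1024 earlier visitors (not real measurements).
CHROME_WIN = ("Mozilla/5.0 (Windows NT 6.1) Chrome/21.0", "text/html,*/*;q=0.8",
              "en-US,en;q=0.8", "gzip,deflate,sdch")
FIREFOX_WIN = ("Mozilla/5.0 (Windows NT 6.1; rv:15.0) Firefox/15.0",
               "text/html,*/*;q=0.8", "en-US,en;q=0.5", "gzip, deflate")
FIREFOX_LINUX_ET = ("Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Firefox/15.0",
                    "text/html,*/*;q=0.8", "et-EE,et;q=0.8,en;q=0.5", "gzip, deflate")
POPULATION = Counter({CHROME_WIN: 768, FIREFOX_WIN: 255, FIREFOX_LINUX_ET: 1})

# Constructed request from a passive visit: an uncommon Accept-Language is
# enough to make this visitor unique within the population above.
SAMPLE_REQUEST = """GET / HTTP/1.1
Host: example.test
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Firefox/15.0
Accept: text/html,*/*;q=0.8
Accept-Language: et-EE,et;q=0.8,en;q=0.5
Accept-Encoding: gzip, deflate
"""

if __name__ == "__main__":
    fp = passive_fingerprint(parse_request(SAMPLE_REQUEST))
    print(f"{surprisal_bits(fp, POPULATION):.2f} bits, one in {one_in_n(fp, POPULATION):,.0f}")
```

Running the same scoring over a population collected from real traffic shows how much of a site's visitor identifiability comes from headers alone, which is what a server-side privacy review needs to know before worrying about scripts.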