What is "Fingerprinting"?

Hello, running in the shadows! Hello, random carders. In the last few years, a rather interesting method of user identification, so-called fingerprinting, has been gaining popularity. Today we will talk about what fingerprinting is. You will learn how to check the browser for identification and how to protect yourself from it.

Go:

Fingerprinting (from the English word fingerprint) identifies the user not by special tags stored on their system, but by the unique features of their browser, system, and device.

Since fingerprinting does not require storing data on the client, it is very difficult to notice and almost impossible to avoid. While cookies are only valid for one domain, the unique features remain unchanged when visiting different sites. This greatly simplifies tracking the user's movements on the Internet. Even worse, unlike cookies, unique features cannot be disabled. At most, the user's efforts will replace one set of features with another, even more recognizable one.

Fingerprinting methods

The simplest methods of fingerprinting use the IP address, browser and system version, system language, screen resolution, time zone, millisecond-accurate clock readings, and a list of standard fonts installed on your computer as unique characteristics. Using Flash, you can add information about your device's mouse, keyboard, microphone, camera, and multitouch support to this list.

Minor changes in some features do not prevent a site from recognizing an already familiar user. The user can switch to a different browser, move to a different time zone, or change the resolution, but if they don't do all of this at the same time, the probability of identification remains high.

There are also more sophisticated ways of fingerprinting. AddThis has experimented with user identification based on font display features. To do this, the script creates a canvas that is invisible to the user and draws a text label on it. A hash of the sequence of color data for each canvas pixel then becomes the identifier. How the label looks is affected by the operating system, installed fonts, graphics card, version of graphics drivers, anti-aliasing settings, browser type and version, as well as features of the display itself. Subtle differences abound (PDF), but they are difficult to influence, which is the perfect combination for tracking.

By the way, AddThis widgets, which a few years ago discreetly performed fingerprinting of each user, are now present on many large sites. But don't worry: when this company was caught red-handed, it stopped the experiment. Now there is no fingerprinting. At least not noticeably.

Another method of fingerprinting is analyzing your browsing history. Researchers have shown that information about visits to 500 sites from a pre-defined set allows you to accurately identify about 70% of users, and if there are social networks in the history, the result can be not just identification, but also deanonymization.

There are some tricks for determining whether a user has visited a particular site. For example, you can try to load a document from the desired site. Based on the response time, it will be clear whether it is in the cache or not. You can take advantage of the fact that links to visited sites are displayed in a different color. To find out the color, use the same canvas. There is, however, a more interesting option: links are not difficult to disguise as a captcha. Then the user will provide all the necessary information. This method is especially useful when JavaScript is disabled.

How can I disguise links as captchas?

By relying on the different styling of visited and unvisited links. Researchers at Carnegie Mellon University, who proposed this method of extracting history in 2011, list several possibilities. First, you can make each link a separate word and use CSS to hide the visited links. Now you need to ask the user to enter the text that they see. It is easy to determine which sites the user has already visited based on the missing words. Another version of the captcha is an image of a chessboard with pawns placed on it.

Each pawn is again a link, and the visited links are made invisible. The user must click on each pawn. The pawns that he didn't click on correspond to links that lead to the sites he visited.

Checking the browser for fingerprinting

The network has several services that offer to check the browser for fingerprinting.

Let's start with the Fingerprint Central website. This service lets any user check their browser for free. To do this, go to the My Fingerprint section and click the "Run JavaScript Tests", "Send to Server" and "Get Statistics" buttons in sequence.

After completing the process, you will see how the characteristics table is filled in: next to each result, you will see the percentage of users whose browser has an identical setting or distinctive feature.

For those who want to dive into this even more, the site has a "Custom statistics" section, where you can select a set of features from the full list and see how many users tested on the site could be distinguished by their combination.

If you need a short and simple answer to the question of whether you can be tracked, then go to the Am I Unique website. It will quickly check your browser and show you exactly what features give you away.

If you don't use any online anonymization tools, you'll probably see in the detailed report that you are being tracked by the system font style, the presence or absence of an ad blocker, and even by the type and model of video card.

Even if you try to access the site through an anonymous Tor browser that tries to hide or completely fakes these parameters, it turns out that surveillance is theoretically still possible. After checking, my browser turned out to be non-unique among the 350,000 results collected, but only 0.04% of the analyzed Internet browsers have exactly the same features.

Protection from trackers

Fighting trackers makes you more vulnerable to fingerprinting. Removed Flash? Well, you're a white crow now. There are fewer than a percent of you, and you can't think of a more unique attribute. You might as well hide on a city street with a fake beard, dark glasses, and a big hat. This is not a disguise, but an effective way to attract attention to your person. Also install Tor, and there will be a set!

It is hardly worth counting on a complete victory over trackers, but you can still create the illusion of invisibility. First, let's discuss the choice of browser.

Apple's Safari is ruled out immediately. It is unique in that it does not turn off cookies, local data storage and cache even in incognito mode.

Chrome is a good browser, but the real paranoid person should stay away from it. Google has never hidden the fact that it collects and analyzes user information.

That leaves Firefox, Opera (for an amateur), and Linken Sphere (cool, but expensive).

Firefox has a built-in tracker blocker, but it's disabled by default. To activate it, open the hidden settings (about:config) and enable the property:

Code:
privacy.trackingprotection.enabled

A new icon will appear at the left edge of the address bar — a small shield. You need it to selectively enable or disable blocking trackers on this particular domain.

The Firefox tracker blocker borrows the blacklist from Disconnect — a popular tracker blocker that exists as a browser addon and app for all popular platforms. The obvious disadvantage of Disconnect is that it knows best the trackers that are popular abroad. Garbage from Russia flows through it like a sieve.

The popular alternative to Disconnect, the Ghostery addon, is also not that simple. It effectively removes trackers, and then sells information about its users to the very advertisers who put them there. In theory, you can refuse to sell your data, but in practice, what paranoid person will be convinced by these excuses? An app either sells data or fights surveillance; you need to choose one of them.

Conclusions

After completing the recommendations listed in the previous chapter, you should start thinking about life. What's the next step? They'll find you anyway, so it's best not to delay. Run to the taiga, away from NoScript and Flash. Firefox and addons are half-measures and self-deception. An axe and wire cutters will help against the Internet, and sandpaper will help against fingerprinting. Just kidding, of course. But you should still think about the safety of your favorite ass. Good luck!
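
The point made under "Fingerprinting methods", that a few changed features do not stop a site from recognizing a familiar user, shown as an added example that is not part of the original post: a weighted similarity score between a freshly observed profile and stored ones. The profiles, the weights and the 0.7 threshold are constructed assumptions, not values from any real tracker.

```javascript
// Constructed profiles a site has already stored (not real data).
const KNOWN = [
  { id: "visitor-A", ua: "Firefox 115 / Windows 10", lang: "en-US", tz: "UTC+3",
    screen: "1920x1080", fonts: ["Arial", "Calibri", "Consolas", "Segoe UI", "Verdana"] },
  { id: "visitor-B", ua: "Chrome 120 / macOS 14", lang: "de-DE", tz: "UTC+1",
    screen: "2560x1440", fonts: ["Arial", "Helvetica", "Menlo", "Times"] },
];

// Assumed weights: stable, high-entropy attributes (fonts) count for more.
const WEIGHTS = { ua: 2, lang: 1, tz: 1, screen: 1, fonts: 3 };

// Jaccard similarity of two font lists: shared entries / distinct entries.
function jaccard(a, b) {
  const A = new Set(a), B = new Set(b);
  const shared = [...A].filter((x) => B.has(x)).length;
  const union = new Set([...A, ...B]).size;
  return union === 0 ? 1 : shared / union;
}

// Weighted share of attributes on which two profiles agree (0..1).
function similarity(p, q) {
  let score = 0, total = 0;
  for (const [attr, w] of Object.entries(WEIGHTS)) {
    const s = attr === "fonts" ? jaccard(p.fonts, q.fonts) : Number(p[attr] === q[attr]);
    score += w * s;
    total += w;
  }
  return score / total;
}

// Closest stored profile, or id null when nothing reaches the threshold.
function bestMatch(seen, known, threshold = 0.7) {
  let best = { id: null, score: 0 };
  for (const k of known) {
    const score = similarity(seen, k);
    if (score > best.score) best = { id: k.id, score };
  }
  return best.score >= threshold ? best : { id: null, score: best.score };
}

// visitor-A after moving to another time zone and changing resolution...
const movedAndResized = { ...KNOWN[0], tz: "UTC+1", screen: "1366x768" };
// ...and the same user who also switched browsers at the same time.
const alsoNewBrowser = { ...movedAndResized, ua: "Chrome 120 / Windows 10" };

console.log(bestMatch(movedAndResized, KNOWN)); // still linked to visitor-A
console.log(bestMatch(alsoNewBrowser, KNOWN));  // below the threshold
```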
 
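
The per-feature percentages and the "Custom statistics" view described under "Checking the browser for fingerprinting", shown as an added example that is not part of the original post and not code from Fingerprint Central or Am I Unique: for a chosen set of features it computes the share of collected records matching the visitor, the corresponding bits of identifying information, and how many records are unique on that combination. The sample records and feature names are constructed.

```javascript
// Constructed sample of collected browser records (not real data).
const SAMPLE = [
  { ua: "Firefox/Win", tz: "UTC+3", screen: "1920x1080", fonts: "std",   flash: "yes" },
  { ua: "Chrome/Win",  tz: "UTC+3", screen: "1920x1080", fonts: "std",   flash: "yes" },
  { ua: "Chrome/Win",  tz: "UTC+1", screen: "1366x768",  fonts: "std",   flash: "yes" },
  { ua: "Chrome/Mac",  tz: "UTC-5", screen: "2560x1440", fonts: "extra", flash: "yes" },
  { ua: "Firefox/Win", tz: "UTC+3", screen: "1920x1080", fonts: "std",   flash: "no"  },
  { ua: "Chrome/Win",  tz: "UTC+1", screen: "1920x1080", fonts: "std",   flash: "yes" },
  { ua: "Firefox/Lin", tz: "UTC+1", screen: "1920x1080", fonts: "extra", flash: "no"  },
  { ua: "Chrome/Win",  tz: "UTC+3", screen: "1366x768",  fonts: "std",   flash: "yes" },
];

// Key representing one record restricted to the chosen features.
const keyOf = (rec, features) => features.map((f) => `${f}=${rec[f]}`).join("|");

// Share of the sample with the same value(s) as `visitor`, and the
// surprisal in bits (-log2 of that share): fewer matches mean more bits.
function shareAndBits(sample, visitor, features) {
  const key = keyOf(visitor, features);
  const same = sample.filter((r) => keyOf(r, features) === key).length;
  const share = same / sample.length;
  return { same, share, bits: -Math.log2(share) };
}

// Number of records that are the only one with their feature combination.
function uniqueCount(sample, features) {
  const counts = new Map();
  for (const r of sample) {
    const k = keyOf(r, features);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return [...counts.values()].filter((n) => n === 1).length;
}

// Per-feature rows plus the combined row, like a characteristics table.
function report(sample, visitor, features) {
  const perFeature = Object.fromEntries(
    features.map((f) => [f, shareAndBits(sample, visitor, [f])])
  );
  return { perFeature, combined: shareAndBits(sample, visitor, features),
           uniqueInSample: uniqueCount(sample, features) };
}

const visitor = SAMPLE[4]; // the Firefox user who removed Flash
console.log(JSON.stringify(report(SAMPLE, visitor, ["ua", "tz", "flash"]), null, 2));
```

In this sample the visitor shares browser and time zone with one other record, and adding the "no Flash" attribute is what makes the combination unique.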