[URGENT]Browser Fingerprinting

Added by Thomas Kitchin almost 7 years ago

Do you know about "Browser Fingerprinting"?

Here's what it does: https://panopticlick.eff.org

Is replicant affected? OH yes !

Replies (7)

RE: [URGENT]Browser Fingerprinting - Added by My Self almost 7 years ago

Do you know about "Browser Fingerprinting"?

Yes.

Here's what it does: https://panopticlick.eff.org

This site has existed for roughly 5 years now (https://web.archive.org/web/*/https://panopticlick.eff.org/), so I don't get what could be so "URGENT" right now?

Is replicant affected? OH yes !

This sounds misleading. IMHO, every connected device in this universe is "affected". There are

Sorry, but I don't know what Replicant could fix here (asap)...
If you (or anybody else) have an idea, please just let me know.

RE: [URGENT]Browser Fingerprinting - Added by Thomas Kitchin over 6 years ago

Replicant has a more-or-less unique browser fingerprint. Through aggregate data mining, websites (and the people that own them) are able to track and use psychometric analyses to determine behavior patterns, and thus this gives them unbalanced power.

I dare say [that] most people when they use the internet aren't realizing that this is exactly what's happening to them. And the problem with establishing a distribution like Replicant without having adequate privacy safeguards in place is that Replicant (as of this writing) is a hyper-specific niche distribution.

Think about it:

In order to use Replicant you have to have a certain kind of phone. Most people have gone out and bought these phones specifically for the open-source / privacy aspect. Therefore one can automatically have a huge data point to start with: cares about freedom, cares about privacy... And through aggregate tracking of browsers with a Replicant fingerprint, we can determine other things about this niche group.

I dare say anyone who disagrees with me on this point either lacks concentration in the issue, is greedy for trying to look cool in saying that it doesn't matter or else has something to gain from having inadequate privacy on Replicant.

I vote we implement some system to address this issue immediately.

RE: [URGENT]Browser Fingerprinting - Added by Paul Kocialkowski over 6 years ago

Replicant has a more-or-less unique browser fingerprint. Through aggregate data mining, websites (and the people that own them) are able to track and use psychometric analyses to determine behavior patterns, and thus this gives them unbalanced power.

Well, first, I think that people should be aware that they can indeed be identified and tracked based on various elements that make them recognizable (IP address, browser user-agent, various cookie-related fingerprinting, etc). Despite being a fundamental problem for privacy, this is not a bug in the software, but rather an expected and "normal" situation given the technical grounds upon which the internet and the web work, i.e. this is not an unintended security flaw, but rather the result of an overall design. In many ways this is similar to the GSM network being able to identify and track its users, something that is possible not because of malware but because of the design of the network.

So in that sense, there are two different kinds of things that we can do to address this issue. First, there is some easy-to-fix stuff that doesn't hurt usability, such as providing a vanilla user-agent instead of labelling it with Replicant. This is the kind of change that I would be glad to accept in Replicant. Now the second type of thing that we can do is enforcing privacy at the cost of usability and other things. This is for instance the case when using Tor to get anonymous on the network. I do not wish to make Tor the default in Replicant, but perhaps we could come up with a more secure variant of Replicant that would have that by default.

I vote we implement some system to address this issue immediately.

I am willing to accept patches that solve these issues without being detrimental to usability. For those that do hurt usability, perhaps we should discuss making a more secure version of Replicant.

I am not going to do the technical work to solve those myself -- I am too busy working on hardware-level software and I generally lack technical interest for working on privacy-related matters.

RE: [URGENT]Browser Fingerprinting - Added by My Self over 6 years ago

Full ack to Paul's statement.

I've played around with the user-agent a little bit. IMHO

is the better alternative than using the stock browser (because of the privacy feature set). By the way, Lightning also works great in combination with Tor.

With Lightning you're also able to modify your user-agent over
  • Settings -> General Settings -> User Agent.

Here you can see a difference between "Default" (20.80) and "Mobile" (16.83) in the "bits of identifying information" (on the https://panopticlick.eff.org test-site).
If I choose "Custom" and entered something like this: "Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0", the value shrunk to 12.77.

And here seems to be the problem of choosing the right user-agent. IMHO the less unique user-agent depends on which browser is actually used by a great crowd of people. This means that the faked Mozilla user-agent (in this example) increases its "bits of identifying information" value in a few weeks, because most people will upgrade their browsers and will use another version than the faked one.

There are numberless user-agents on the market: http://www.useragentstring.com/pages/Browserlist/
and if you really run Firefox, you make yourself individual by installing specific add-ons for example...

So I don't know how much sense it would make to change the user-agent to a fix "vanilla" value.

Like I said in my first post (http://redmine.replicant.us/boards/39/topics/9093?r=9111#message-9111) I really don't know what could help to make the situation better, (neither on Replicant nor on any other platform).

Be aware that if you modified the configuration of your browser, it still stays unique and trackable, even if you are using a VPN. So the best option (for now) could be using Tor in combination with

Orweb fakes the user-agent (out of the box) to a Mozilla/Windows one. The "bits of identifying information"-value is here tiny: 6.67 (at the moment), with the additional benefit to be (more or less) anonymized through the Tor network.

And as always: please keep in mind that the browser alternatives, (depending on the outdated [< Android v4.4] WebView-rendering-engine, like the stock-browser, Lightning, Orweb, ...) are seriously vulnerable (for a bunch of attacks): http://redmine.replicant.us/boards/39/topics/8007?r=9081#message-9081
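As an added example (not code from this thread), here is a small Python model of the Panopticlick-style "bits of identifying information" metric that Paul's "vanilla user-agent" suggestion and the measurements above are about. The browser population, its visitor counts and the Replicant-labelled user-agent string are constructed for illustration only; they are not real Panopticlick statistics.

```python
import math
from collections import Counter

# Constructed population of visitors to a hypothetical site: (user_agent, screen) -> count.
# The Replicant user-agent is a made-up stand-in for a UA that names the distribution.
FF_ANDROID_38 = "Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0"
FF_ANDROID_39 = "Mozilla/5.0 (Android; Mobile; rv:39.0) Gecko/39.0 Firefox/39.0"
FF_WINDOWS_38 = "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
REPLICANT_UA = "Mozilla/5.0 (Linux; Android; Replicant) AppleWebKit/534.30 Mobile Safari/534.30"
POPULATION = {
    (FF_ANDROID_38, "360x640"): 512,
    (FF_ANDROID_38, "720x1280"): 256,
    (FF_WINDOWS_38, "1920x1080"): 255,
    (REPLICANT_UA, "480x800"): 1,
}

def surprisal_bits(count: int, total: int) -> float:
    """Panopticlick's 'bits of identifying information' for one value: -log2(p)."""
    return -math.log2(count / total)

def attribute_bits(population: dict, index: int) -> dict:
    """Bits revealed by a single attribute on its own (0 = user-agent, 1 = screen)."""
    total = sum(population.values())
    counts = Counter()
    for key, n in population.items():
        counts[key[index]] += n
    return {value: surprisal_bits(n, total) for value, n in counts.items()}

def fingerprint_bits(population: dict, key: tuple) -> float:
    """Bits revealed by the whole tuple; attributes combine, so never less than any single one."""
    return surprisal_bits(population[key], sum(population.values()))

def after_upgrade(population: dict, old_ua: str, new_ua: str, keep: int) -> dict:
    """Simulate the crowd upgrading: all but `keep` users of old_ua (per screen) move to new_ua.
    A faked user-agent pinned to the old version thereby becomes rarer and its bits rise."""
    upgraded = Counter()
    for (ua, screen), n in population.items():
        if ua == old_ua and n > keep:
            upgraded[(new_ua, screen)] += n - keep
            upgraded[(old_ua, screen)] += keep
        else:
            upgraded[(ua, screen)] += n
    return dict(upgraded)

if __name__ == "__main__":
    ua_bits = attribute_bits(POPULATION, 0)
    print(f"Replicant-labelled UA: {ua_bits[REPLICANT_UA]:.2f} bits (unique in this sample)")
    print(f"common Firefox UA:     {ua_bits[FF_ANDROID_38]:.2f} bits")
    print(f"UA + screen:           {fingerprint_bits(POPULATION, (FF_ANDROID_38, '360x640')):.2f} bits")
    stale = attribute_bits(after_upgrade(POPULATION, FF_ANDROID_38, FF_ANDROID_39, 4), 0)
    print(f"same faked UA after most users upgrade: {stale[FF_ANDROID_38]:.2f} bits")
```

The numbers show the two points made in the thread: the value that most visitors share costs the fewest bits, and a faked string drifts toward uniqueness once the crowd moves on.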

RE: [URGENT]Browser Fingerprinting - Added by My Self over 6 years ago

One more update, related to the user agent.

First of all, I'm using Fennec (a mobile Firefox version), which needs proprietary graphics files (which is not recommended, because they're not free code). By the way, I updated the bug report in that context: https://bugzilla.mozilla.org/show_bug.cgi?id=778175#c37 but I don't think there will happen much more...

With Fennec I grabbed an extension (like the MPL licensed: https://addons.mozilla.org/de/firefox/addon/custom-user-agent-string/) which is able to modify my Fennec user agent instantly, and I cleared the entry completely to a blank one.

As you remember, I wrote:

If I choose [...] this: "Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0", the value shrunk to 12.77

With the same user agent it was now 12.54, which could slightly confirm my theory, about the variability:

IMHO the less unique user-agent depends on which browser is actually used by a great crowd of people

(Please note, Firefox 38.0 is the up-to-date version at the moment, so the value could have shrunk because some people may have updated a bit later to the current version).

Back to my blanked user agent. Furthermore I installed another extension to (optionally) block scripts (like the GPL licensed: https://noscript.net/nsa/).
With this combination I finally got these Panopticlick values:

But please keep in mind, if the web servers don't know what you're using, you mostly get the fallback desktop site, which could lead to:
  • less readability (especially on smaller devices)
  • bigger data usage
  • probably other side effects...

Hope this helps anyway.

RE: [URGENT]Browser Fingerprinting - Added by Paul Kocialkowski over 6 years ago

By the way, I updated the bug report in that context: https://bugzilla.mozilla.org/show_bug.cgi?id=778175#c37 but I don't think there will happen much more...

Great! I've always wanted to do it but never got my head around it. I may come across some Mozilla developers next week, so I'll try to direct their attention towards that (it's harder to say no face to face)!

RE: [URGENT]Browser Fingerprinting - Added by My Self over 6 years ago

Just a general information update.

The https://panopticlick.eff.org website will get an update to test your browser for tracker blockers, soon.
Source: Privacy Badger talk on the cccamp15: https://media.ccc.de/browse/conferences/camp2015/camp2015-6733-privacy_badger.html#video
More about Privacy Badger: https://www.eff.org/de/node/73969

By the way, some basics about online tracking are well explained in the first ~5 minutes of the "Gotta Block’em all" talk, too: https://media.ccc.de/browse/conferences/camp2015/camp2015-6753-gotta_block_em_all.html#video
