Amidst the glossy marketing for VPN services, it can be tempting to believe that the moment you flick on the VPN connection you can browse the internet with full privacy. Unfortunately this is quite far from the truth, as interacting with internet services like websites leaves a significant fingerprint. In a study by [RTINGS.com] this browser fingerprinting was investigated in detail, showing just how easy it is to uniquely identify a visitor across the 83 laptops used in the study.
As summarized in the related video (also embedded below), the start of the study involved the Am I Unique? website which provides you with an overview of your browser fingerprint. With over 4.5 million fingerprints in their database as of writing, even using Edge on Windows 10 marks you as unique, which is telling.
In the study multiple VPN services were used, each of which resulted in exactly the same fingerprint hash. This is based on properties retrieved from the browser, via JavaScript and other capabilities exposed by the browser, including WebGL and HTML5 Canvas.
Next in the experiment the set of properties used was restricted to those that are more deterministic, removing items such as state of battery charge, and creating a set of 28 properties. This still left all 83 work laptops at the [RTINGS.com] office with a unique fingerprint, which is somewhat amazing for a single Canadian office environment since they should all use roughly the same OS and browser configuration.
As for ways to reduce your uniqueness, browsers like Brave try to mix up some of these parameters used for fingerprinting, but with Brave being fairly rare the use of this browser by itself makes for a pretty unique identifier. Ultimately being truly anonymous on the internet is pretty hard, and thus VPNs are mostly helpful for getting around region blocks for streaming services, not for obtaining more privacy.
It always makes me laugh to see NordVPN adverts, as if it’s somewhat “secure” because it’s located in Norway, Sweden or Finland. Here’s a tip summer child, if it’s a NATO country then all your traffic is routed through NSA collection points, like it or not. I actually feel more comfortable browsing the Internet when I’m visiting my gf parents in Minsk (Belarus) than while working in my cubicle in Wroclaw. If I could I would smash my computer with an axe and live tech-free to be rid of NSA and CIA survelliance, but sadly being able to call
gccormakeis what puts bread on my table.(Though I must admit, in Belarus I got some Telegram messages inviting me to work for a company doing embedded systems, pay was not great though.)
I don’t worry about nsa or cia or esa, xyz seeing my traffic…. When a request leaves the computer it is ‘public’ information. Like it or not…. Only protection is encryption which can be defeated if someone is determined enough. I am more concerned about what gets into my box to exploit it/use it for nefarious things.
Don’t worry about encryption either.
They own the CA hierarchy, so they can play man-in-the-middle snooping games to their heart’s content.
Secure encryption cannot simply be defeated if someone is determined enough. It that were true bitcoin and all other crypto currency would now be worthless.
Rubber hose attacks, poor password management, recovery from flash keys etc are by far the weakest links.
Right and those methods are necessary if you want to compromise secure crypto currency like BTC because the underlying encryption is not breakable with current computing technology. The idea that it is is just a myth.
You have no evidence to back up thst claim whatsoever.
You have no evidence to backup this claim which would also require the ability to defeat secure encryption on billions of simultaneous intercepts to be of much use. The traffic volume alone would preclude it. Your theory could also be very easily tested with very little imagination required via a bait communication of such a severe threat nature that it could not be ignored. Trivial surveillance of a high profile “target” identified in said communication would then quickly tell you if the communication was intercepted. It won’t be unless you personally are already a specific surveillance target because governments simply cannot effevtively monitor random encrypted internet traffic at will. Christ the US government can’t even act to stop mass shooters who loudly and proudly advertise their intentions in plain text on public forums. When compromising communications are successfully intercepted its because the person or persons were already indentified as suspect and they were specifically targeted and their devices compromised.
We found the sweet summer child I see.
I call rage bait :-)
But just in case this poor soul is woefully misinformed let’s not forget the lovely folks at these paradigm organisations such as: FSU, GRU, PSIA, RGB, NIS, MSS, DGSE, BND, BfV, MAD, AISI, AISE, CII, FIS, CNI, DI, SIRP etc. all of which have a deep burning desire to know all that there is to know about you. Also, there’s Microsoft, Apple, Amazon, Facebook, WhatsApp, Instagram, Youtube, Samsung, Ford, BMW, Audi, Nissan, Toyota, Oura, Philips etc. who also share a common interest in order to provide you with the very best customer experience. ;-)
Being fingerprinted is not the same as being identified.
Being able to identify a computer or browser profile on a computer and distinguish it from other computers or briwser profiles which visit the same website doesn’t identify the actual user or the computers ip address. To do that you would have to match the browser finger print of the anonymized user to the browser finger print from a website where the user has provided identifying information or their true ip address. If the user uses a different local account and browser profile or better yet a different machine or virtual machine for their anonymous and non anonymous browsing that won’t work even with access to the fingerprints from a website where the user identified themselves or their true ip.
Now the actually interesting bit is that apparently blocking Java script and cookies and as much stuff as possible makes you “unique”. Now that is something I find weird and really worrying. Not for me being identifiable, but rather for folks just not caring about their own security (and bandwidth, telling the browser to avoid java script as much as possible makes sites load faster and more reactive).
For a previous employer (this was in 2008), I once scraped some airline booking sites (for a consumer organisation who wanted to file a claim against them for unfair pricing). I did this on my work laptop, but working from home. We were quickly blocked, tried a few obfuscation and VPN methods, but kept being blocked again and again.
For over a year, it was practically impossible for me to book a flight, even with a different computer on a different network. This showed me the (scary) power of browser fingerprinting.
I’m not a fan of ads. What I allow on my computer should be put through.
I try my best to block them, as I really have no interest in anything advertised.
Besides, if I want something, I’m sure I can figure out how to get it myself.
I like to watch live trains. I’ve found reloading the page rapidly 4 or 5 times tends to stop the ads.
Oh yeah… I forgot Google and probably lot’s of other wonderful businesses and agencies that are there to simply look after us and have nothing but the best intentions for everyone. :-)
SYSTEM PROTECTION FAULT
ILLEGAL INSTRUCTION at CS:IP 0x847fb73ca SARCASM OUT OF BOUNDS.
HALT.
Identifying a specific machine or its approximate location using fingerprinting is scary enough. But it gets even scarier.
Let’s way your machine is “fingerprint proof” to some extend. It tries to hide it’s uniqueness. And not in such a way that it’s unique in the way it hides it uniqueness. You can even mask some user behavior such as mouse movement, click timing and key stroke timing, by adding some randomness.
But even if you have a machine that is “fingerprint proof” to some extend there are also ways to identify the user itself.
Examples of identifying users:
-Pattern-of-life analysis. Uses timestamps of events to identify a user. (detectives use this, like “L” in “Death Note”, but also IRL by authorities)
-Stylometric analysis. Identifies writing style. Combined with machine learning you can narrow down the list of potential authors. Articles: https://arxiv.org/abs/2211.07467 and https://academic.oup.com/dsh/article/35/4/812/5606771