Amidst the glossy marketing for VPN services, it can be tempting to believe that the moment you flick on the VPN connection you can browse the internet with full privacy. Unfortunately this is quite far from the truth, as interacting with internet services like websites leaves a significant fingerprint. In a study by [RTINGS.com] this browser fingerprinting was investigated in detail, showing just how easy it is to uniquely identify a visitor across the 83 laptops used in the study.
As summarized in the related video, the study started with the Am I Unique? website, which provides you with an overview of your browser fingerprint. With over 4.5 million fingerprints in their database as of writing, even using Edge on Windows 10 marks you as unique, which is telling.
In the study multiple VPN services were used, each of which resulted in exactly the same fingerprint hash. The hash is based on properties retrieved from the browser, via JavaScript and other capabilities exposed by the browser, including WebGL and HTML5 Canvas, rather than on the network address that a VPN changes.
Next in the experiment the set of properties used was restricted to those that are more deterministic, removing items such as state of battery charge, and creating a set of 28 properties. This still left all 83 work laptops at the [RTINGS.com] office with a unique fingerprint, which is somewhat amazing for a single Canadian office environment since they should all use roughly the same OS and browser configuration.
As for ways to reduce your uniqueness, browsers like Brave try to mix up some of these parameters used for fingerprinting, but with Brave being fairly rare the use of this browser by itself makes for a pretty unique identifier. Ultimately being truly anonymous on the internet is pretty hard, and thus VPNs are mostly helpful for getting around region blocks for streaming services, not for obtaining more privacy.
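To make the study's two findings concrete (the hash does not change behind a VPN, and near-identical office laptops still end up unique), here is an added example that is not from RTINGS.com or Am I Unique?. The property names, the sample records and the use of FNV-1a as the hash are all assumptions made for illustration.

```javascript
// Added example: constructed records, not the RTINGS.com study's code or data.
// FNV-1a is an assumed stand-in; the page does not say which hash was used.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h = Math.imul(h ^ text.charCodeAt(i), 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, '0');
}

// Hash only browser-exposed properties, in a fixed key order. The IP address
// travels with the visit but is never part of the fingerprint.
function fingerprint(visit, keys) {
  const canonical = [...keys].sort()
    .map((k) => `${k}=${JSON.stringify(visit.props[k])}`).join('\n');
  return fnv1a(canonical);
}

// For each visit, how many visits share its fingerprint (1 means unique).
function anonymitySets(visits, keys) {
  const counts = new Map();
  for (const v of visits) {
    const fp = fingerprint(v, keys);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  return visits.map((v) => counts.get(fingerprint(v, keys)));
}

// Identifying information of one property value, in bits: -log2(population share).
function surprisalBits(visits, key, value) {
  const wanted = JSON.stringify(value);
  const same = visits.filter((v) => JSON.stringify(v.props[key]) === wanted).length;
  return -Math.log2(same / visits.length);
}

// Constructed sample: four office laptops on the same OS and browser build.
const base = { userAgent: 'ExampleBrowser/1.0', screen: '1920x1080',
  timezone: 'America/Toronto', fonts: ['Arial', 'Calibri'], canvas: 'c0ffee' };
const visits = [
  { ip: '192.0.2.10', props: { ...base } },
  { ip: '192.0.2.11', props: { ...base } },
  { ip: '192.0.2.12', props: { ...base, fonts: ['Arial', 'Calibri', 'Fira Code'] } },
  { ip: '192.0.2.13', props: { ...base, canvas: 'deadbe', screen: '2560x1440' } },
];
const KEYS = Object.keys(base);
// The third laptop again, this time through a VPN exit: only the IP differs.
const viaVpn = { ip: '198.51.100.7', props: visits[2].props };

console.log(fingerprint(visits[2], KEYS) === fingerprint(viaVpn, KEYS));
console.log(anonymitySets(visits, KEYS));
```

Running `surprisalBits` per property on your own browser's values is a quick way to see which setting shrinks your anonymity set the most, which is the same breakdown Am I Unique? reports.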

It always makes me laugh to see NordVPN adverts, as if it’s somewhat “secure” because it’s located in Norway, Sweden or Finland. Here’s a tip summer child, if it’s a NATO country then all your traffic is routed through NSA collection points, like it or not. I actually feel more comfortable browsing the Internet when I’m visiting my gf’s parents in Minsk (Belarus) than while working in my cubicle in Wroclaw. If I could I would smash my computer with an axe and live tech-free to be rid of NSA and CIA surveillance, but sadly being able to call gcc or make is what puts bread on my table. (Though I must admit, in Belarus I got some Telegram messages inviting me to work for a company doing embedded systems, pay was not great though.)
I don’t worry about nsa or cia or esa, xyz seeing my traffic…. When a request leaves the computer it is ‘public’ information. Like it or not…. Only protection is encryption which can be defeated if someone is determined enough. I am more concerned about what gets into my box to exploit it/use it for nefarious things.
Don’t worry about encryption either.
They own the CA hierarchy, so they can play man-in-the-middle snooping games to their heart’s content.
Secure encryption cannot simply be defeated if someone is determined enough. If that were true bitcoin and all other crypto currency would now be worthless.
Rubber hose attacks, poor password management, recovery from flash keys etc are by far the weakest links.
Right and those methods are necessary if you want to compromise secure crypto currency like BTC because the underlying encryption is not breakable with current computing technology. The idea that it is is just a myth.
They are worthless.
That doesn’t stop people from paying money for them, though.
You have no evidence to back up that claim whatsoever.
You have no evidence to back up this claim which would also require the ability to defeat secure encryption on billions of simultaneous intercepts to be of much use. The traffic volume alone would preclude it. Your theory could also be very easily tested with very little imagination required via a bait communication of such a severe threat nature that it could not be ignored. Trivial surveillance of a high profile “target” identified in said communication would then quickly tell you if the communication was intercepted. It won’t be unless you personally are already a specific surveillance target because governments simply cannot effectively monitor random encrypted internet traffic at will. Christ, the US government can’t even act to stop mass shooters who loudly and proudly advertise their intentions in plain text on public forums. When compromising communications are successfully intercepted it’s because the person or persons were already identified as suspect and they were specifically targeted and their devices compromised.
We found the sweet summer child I see.
When the British broke the Enigma encryption in WW2, they had a problem: if they used the information, the Germans would notice that their system was broken and stop using it. So while the war command monitored any German communications they could intercept, they actually did very little with the information.
You’d have to organize a pretty big threat for them to bother reacting, which would require you to communicate with other people to set it up in the first place. That means they would see both the setup and the play, and conclude that you’re trolling them. And, if you tried to troll the world’s largest mass surveillance system with a fake threat to expose it, what makes you think you’d even live long enough to release said information to the public?
I call rage bait :-)
But just in case this poor soul is woefully misinformed let’s not forget the lovely folks at these paradigm organisations such as: FSU, GRU, PSIA, RGB, NIS, MSS, DGSE, BND, BfV, MAD, AISI, AISE, CII, FIS, CNI, DI, SIRP etc. all of which have a deep burning desire to know all that there is to know about you. Also, there’s Microsoft, Apple, Amazon, Facebook, WhatsApp, Instagram, Youtube, Samsung, Ford, BMW, Audi, Nissan, Toyota, Oura, Philips etc. who also share a common interest in order to provide you with the very best customer experience. ;-)
Being fingerprinted is not the same as being identified.
Exactly. Even if they could identify the computer, they can only go “look, it’s that computer again”. They have no clue where that computer is, who it belongs to, and so on.
Being able to identify a computer or browser profile on a computer and distinguish it from other computers or browser profiles which visit the same website doesn’t identify the actual user or the computer’s IP address. To do that you would have to match the browser fingerprint of the anonymized user to the browser fingerprint from a website where the user has provided identifying information or their true IP address. If the user uses a different local account and browser profile or better yet a different machine or virtual machine for their anonymous and non-anonymous browsing that won’t work even with access to the fingerprints from a website where the user identified themselves or their true IP.
Now the actually interesting bit is that apparently blocking JavaScript and cookies and as much stuff as possible makes you “unique”. Now that is something I find weird and really worrying. Not for me being identifiable, but rather for folks just not caring about their own security (and bandwidth, telling the browser to avoid JavaScript as much as possible makes sites load faster and more reactive).
For a previous employer (this was in 2008), I once scraped some airline booking sites (for a consumer organisation who wanted to file a claim against them for unfair pricing). I did this on my work laptop, but working from home. We were quickly blocked, tried a few obfuscation and VPN methods, but kept being blocked again and again.
For over a year, it was practically impossible for me to book a flight, even with a different computer on a different network. This showed me the (scary) power of browser fingerprinting.
Why would the different computer be running the same browser? After all, it’s the browser that is identified.
I’m not a fan of ads. What I allow on my computer should be put through.
I try my best to block them, as I really have no interest in anything advertised.
Besides, if I want something, I’m sure I can figure out how to get it myself.
I like to watch live trains. I’ve found reloading the page rapidly 4 or 5 times tends to stop the ads.
Or just use uBlock Origin. I see no ads on YouTube – at all. Never. None. Nada. Keine.
It is so rare for me to see an ad that it usually surprises me when one gets by.
Oh yeah… I forgot Google and probably lots of other wonderful businesses and agencies that are there to simply look after us and have nothing but the best intentions for everyone. :-)
SYSTEM PROTECTION FAULT
ILLEGAL INSTRUCTION at CS:IP 0x847fb73ca SARCASM OUT OF BOUNDS.
HALT.
Identifying a specific machine or its approximate location using fingerprinting is scary enough. But it gets even scarier.
Let’s say your machine is “fingerprint proof” to some extent. It tries to hide its uniqueness. And not in such a way that it’s unique in the way it hides its uniqueness. You can even mask some user behavior such as mouse movement, click timing and keystroke timing, by adding some randomness.
But even if you have a machine that is “fingerprint proof” to some extent there are also ways to identify the user itself.
Examples of identifying users:
– Pattern-of-life analysis. Uses timestamps of events to identify a user. (detectives use this, like “L” in “Death Note”, but also IRL by authorities)
– Stylometric analysis. Identifies writing style. Combined with machine learning you can narrow down the list of potential authors. Articles: https://arxiv.org/abs/2211.07467 and https://academic.oup.com/dsh/article/35/4/812/5606771
Yep, I got “Yes! You are unique among the 4552552 fingerprints in our entire dataset.”
The ones that really narrowed it down were – (in order of most narrowing)
– fonts
– navigator properties
– canvas
– firefox,
– permissions
– screen size
I suspect I might have just been unique on those alone (it reckoned 0.00% have the same fonts installed as me, for a start). I would have thought more than 1.18% were running a big hi res screen (my 6th smallest number), but obviously not the people who use the web site.
It is certainly a relevant thing to be concerned about – as all you have to do is log into one web site somewhere, and they know who you are and your ‘fingerprint’. They can then sell that to others, who can tell if you visit their site even via vpn or with no cookies….
Indeed HaD should be filling in the box below with my username and email…