Amidst the glossy marketing for VPN services, it can be tempting to believe that the moment you flick on the VPN connection you can browse the internet with full privacy. Unfortunately this is quite far from the truth, as interacting with internet services like websites leaves a significant fingerprint. In a study by [RTINGS.com] this browser fingerprinting was investigated in detail, showing just how easy it is to uniquely identify a visitor across the 83 laptops used in the study.
As summarized in the related video (also embedded below), the start of the study involved the Am I Unique? website which provides you with an overview of your browser fingerprint. With over 4.5 million fingerprints in their database as of writing, even using Edge on Windows 10 marks you as unique, which is telling.
In the study multiple VPN services were used, each of which resulted in exactly the same fingerprint hash. This is based on properties retrieved from the browser, via JavaScript and other capabilities exposed by the browser, including WebGL and HTML5 Canvas.
Next in the experiment the set of properties used was restricted to those that are more deterministic, removing items such as state of battery charge, and creating a set of 28 properties. This still left all 83 work laptops at the [RTINGS.com] office with a unique fingerprint, which is somewhat amazing for a single Canadian office environment since they should all use roughly the same OS and browser configuration.
As for ways to reduce your uniqueness, browsers like Brave try to mix up some of these parameters used for fingerprinting, but with Brave being fairly rare the use of this browser by itself makes for a pretty unique identifier. Ultimately being truly anonymous on the internet is pretty hard, and thus VPNs are mostly helpful for getting around region blocks for streaming services, not for obtaining more privacy.
It always makes me laugh to see NordVPN adverts, as if it’s somewhat “secure” because it’s located in Norway, Sweden or Finland. Here’s a tip summer child, if it’s a NATO country then all your traffic is routed through NSA collection points, like it or not. I actually feel more comfortable browsing the Internet when I’m visiting my gf parents in Minsk (Belarus) than while working in my cubicle in Wroclaw. If I could I would smash my computer with an axe and live tech-free to be rid of NSA and CIA survelliance, but sadly being able to call
gccormakeis what puts bread on my table.(Though I must admit, in Belarus I got some Telegram messages inviting me to work for a company doing embedded systems, pay was not great though.)
I don’t worry about nsa or cia or esa, xyz seeing my traffic…. When a request leaves the computer it is ‘public’ information. Like it or not…. Only protection is encryption which can be defeated if someone is determined enough. I am more concerned about what gets into my box to exploit it/use it for nefarious things.
Don’t worry about encryption either.
They own the CA hierarchy, so they can play man-in-the-middle snooping games to their heart’s content.
Secure encryption cannot simply be defeated if someone is determined enough. It that were true bitcoin and all other crypto currency would now be worthless.
Rubber hose attacks, poor password management, recovery from flash keys etc are by far the weakest links.
Right and those methods are necessary if you want to compromise secure crypto currency like BTC because the underlying encryption is not breakable with current computing technology. The idea that it is is just a myth.
They are worthless.
That doesn’t stop people from paying money for them, though.
They are no more “worthless” than paper currency is.
You have no evidence to back up thst claim whatsoever.
You have no evidence to backup this claim which would also require the ability to defeat secure encryption on billions of simultaneous intercepts to be of much use. The traffic volume alone would preclude it. Your theory could also be very easily tested with very little imagination required via a bait communication of such a severe threat nature that it could not be ignored. Trivial surveillance of a high profile “target” identified in said communication would then quickly tell you if the communication was intercepted. It won’t be unless you personally are already a specific surveillance target because governments simply cannot effevtively monitor random encrypted internet traffic at will. Christ the US government can’t even act to stop mass shooters who loudly and proudly advertise their intentions in plain text on public forums. When compromising communications are successfully intercepted its because the person or persons were already indentified as suspect and they were specifically targeted and their devices compromised.
We found the sweet summer child I see.
I accept your unconditional surrender on all points.
When the British broke the Enigma encryption in WW2, they had a problem: if they used the information, the Germans would notice that their system was broken and stop using it. So while the war command monitored any German communications they could intercept, they actually did very little with the information.
You’d have to organize a pretty big threat for them to bother reacting, which would require you to communicate with other people to set it up in the first place. That means they would see both the setup and the play, and conclude that you’re trolling them. And, if you tried to troll the world’s largest mass surveillance system with a fake threat to expose it, what makes you think you’d even live long enough to release said information to the public?
Total evidence offered in support of your claims – The usual zero. This is the typical pattern of those claiming essentially unlimited surveillance capabilities that simply don’t exist. One baseless claim rationalized by yet another baseless claim and so on. In answer to your final question, because I’m rational and don’t suffer from raving paranoia about all powerful all knowing intelligence apparatus that can decrypt every secure communication and trace every device that connects to public wifi. The significant limits of US and international intelligence to even collect analyze and act on plain text in the public domain that hundreds if not thousands of people have seen in order to mitigate clear threats is demonstrated again and again by events both domestic and international . Yeah I know I know its just all part of their ruse. Yeah sure it is. They wouldn’t want anybody to think they can read.
If we could, there would be less need of the NSA Utah Data Center.
https://en.wikipedia.org/wiki/Utah_Data_Center
Recording data, even encrypted data, isn’t hard. It just requires space to store.
Then, if a person or persons of interest stand-out, that data can then be mined and used by the organization that recorded it.
Even older encrypted data can easily be decrypted because the methods used in the past don’t always stand the test of time. So, what you think is encrypted today, may not be secure tomorrow.
Because information on people is valuable, companies like google collect it. But, for some reason, you think governments are unable to see the value of it? Interesting.
Oh, sorry one more thing, can you please clarify, are they going to kill me or just ignore me, because you claim both. I’m trying to plan the rest of my week here. :)
I call rage bait :-)
But just in case this poor soul is woefully misinformed let’s not forget the lovely folks at these paradigm organisations such as: FSU, GRU, PSIA, RGB, NIS, MSS, DGSE, BND, BfV, MAD, AISI, AISE, CII, FIS, CNI, DI, SIRP etc. all of which have a deep burning desire to know all that there is to know about you. Also, there’s Microsoft, Apple, Amazon, Facebook, WhatsApp, Instagram, Youtube, Samsung, Ford, BMW, Audi, Nissan, Toyota, Oura, Philips etc. who also share a common interest in order to provide you with the very best customer experience. ;-)
Being fingerprinted is not the same as being identified.
Exactly. Even if they could identify the computer, they can only go “look, it’s that computer again”. They have no clue where that computer is, who it belongs to, and so on.
haha tell yourself what you need to hear in order to sleep at night
but privacy is obsolete. come on in, the water’s warm
Of course as usual you have no actual evidence to back up your claim. Its supposed to just be accepted at face value. Browser finger printing is like most other attacks on cyber privacy. It depends on sloppy practices by the individuals being targeted to identify more than just the browser by anyone who matters. The fact that the encryption you ecrypt a file with is, in and of itself, secure and unbreakable does you no good if you write the passphrase on the zip drive.
Thats where exploiting human error in the use of the technology comes in. To make the finger prints useful for actual identification you need to match them to finger prints collected by other sites where the individual has left the same browser finger print and provided actual identifying information.
Being able to identify a computer or browser profile on a computer and distinguish it from other computers or briwser profiles which visit the same website doesn’t identify the actual user or the computers ip address. To do that you would have to match the browser finger print of the anonymized user to the browser finger print from a website where the user has provided identifying information or their true ip address. If the user uses a different local account and browser profile or better yet a different machine or virtual machine for their anonymous and non anonymous browsing that won’t work even with access to the fingerprints from a website where the user identified themselves or their true ip.
Now the actually interesting bit is that apparently blocking Java script and cookies and as much stuff as possible makes you “unique”. Now that is something I find weird and really worrying. Not for me being identifiable, but rather for folks just not caring about their own security (and bandwidth, telling the browser to avoid java script as much as possible makes sites load faster and more reactive).
The bottom line is still that you should ideally use separate machines entirely for anonymized and intentionally deanonymized activities like, for most people anyway, online banking, your personal social media, ebay, Amazon, or whatever you choose to give identifying information to. Browser finger printing is far from the only reason to do that.
For a previous employer (this was in 2008), I once scraped some airline booking sites (for a consumer organisation who wanted to file a claim against them for unfair pricing). I did this on my work laptop, but working from home. We were quickly blocked, tried a few obfuscation and VPN methods, but kept being blocked again and again.
For over a year, it was practically impossible for me to book a flight, even with a different computer on a different network. This showed me the (scary) power of browser fingerprinting.
Why would the different computer be running the same browser? After all, it’s the browser that is identified.
Browser finger printing alone did not block an entirely different machine. You gave something else away.
I’m not a fan of ads. What I allow on my computer should be put through.
I try my best to block them, as I really have no interest in anything advertised.
Besides, if I want something, I’m sure I can figure out how to get it myself.
I like to watch live trains. I’ve found reloading the page rapidly 4 or 5 times tends to stop the ads.
Or just use uBlock Origins. I see no ads on Youtube – at all. Never. None. Nada. Keine.
It is so rare for me to see an ad that it usually surprises me when one gets by.
Youtube messes with adblockers in some regions by delaying the video loading, not starting playback until you press pause and then play, or loading it up with no sound. They basically find new ways of breaking the player every few months, then the adblockers get around that, rinse and repeat.
They’ve also kept turning the maximum volume down on videos, so they can play the ads louder as the users have to crank their volume up to hear.
Oh yeah… I forgot Google and probably lot’s of other wonderful businesses and agencies that are there to simply look after us and have nothing but the best intentions for everyone. :-)
SYSTEM PROTECTION FAULT
ILLEGAL INSTRUCTION at CS:IP 0x847fb73ca SARCASM OUT OF BOUNDS.
HALT.
Identifying a specific machine or its approximate location using fingerprinting is scary enough. But it gets even scarier.
Let’s way your machine is “fingerprint proof” to some extend. It tries to hide it’s uniqueness. And not in such a way that it’s unique in the way it hides it uniqueness. You can even mask some user behavior such as mouse movement, click timing and key stroke timing, by adding some randomness.
But even if you have a machine that is “fingerprint proof” to some extend there are also ways to identify the user itself.
Examples of identifying users:
-Pattern-of-life analysis. Uses timestamps of events to identify a user. (detectives use this, like “L” in “Death Note”, but also IRL by authorities)
-Stylometric analysis. Identifies writing style. Combined with machine learning you can narrow down the list of potential authors. Articles: https://arxiv.org/abs/2211.07467 and https://academic.oup.com/dsh/article/35/4/812/5606771
Yep, I got ” Yes! You are unique among the 4552552 fingerprints in our entire dataset. ”
The ones that really narrowed it down were – (in order of most narrowing)
– fonts
– navigator properties
– canvas
– firefox,
– permissions
– screen size
I suspect I might have just been unique on those alone (it reckoned 0.00% have the same fonts installed as me, for a start).. I would have thought more than 1.18% were running a big hi res screen (my 6th smallest number), but obviously not the people who use the web site..
It is certainly a relevant thing to be concerned about – as all you have to do is log into one web site somewhere, and they know who you are and your ‘fingerprint’ . They can then sell that to others, who can tell if you vist their site even via vpn or with no cookies….
Indeed HaD should be filling in the box below with my username and email…
VPNs aren’t about hiding from nation states. They are about protecting your first hop. You are slightly more trusting someone who is incentivized to maintain your privacy over an ISP who is probably your only option and who would love to make money selling your personal information. They have the information to link your computer to a person, that is the real danger. A VPN can add one extra hop there. As far as fingerprinting goes, I have had really good luck with Brave and an extension to spoof the latest chrome user-agent.
93.38% flash not detected.
On the one hand, reassuring that flash is dead. On the other hand, what’s wrong with the remaining 6.62% of browsers that they’re still installing flash??