Fingerprints: unique browser traces
Browser fingerprints stability
There are many ways of changing the browser’s fingerprints and making it less recognizable: updating the browser (by constantly downloading updates), using typical plugins, changing the screen resolution to a more typical one, deleting non-standard system fonts, etc.
A system can “forget” about browsers with a certain configuration. This is shown by a test in which a user visits an experimental Internet resource several times and then returns after some time.
The results of this test are not very precise, but still interesting. If a user revisits a site after 2.5 weeks, the uniqueness of his or her browser falls by 30% or more. It is considered that changes take effect after just 5 days of inactivity.
Changing the time zone leads to an even better result. Users living in different time zones set an incorrect time and then changed it to the correct one after visiting the site. The client whose time setting was furthest from the initial value saw the largest decrease in uniqueness.
Additional methods of client tracking
Basic browser fingerprinting techniques are far from being the sole problem for privacy advocates. Today, many sites track their clients by very subtle pieces of data, such as the precision with which a plugin version is reported. Every program has a version (1.2, 1.4, etc.), but the reported number is often a micro version (for example, DivX Web Player 188.8.131.523). The last four digits are a micro version that makes identification very easy.
Micro versions help developers target users of a specific product version more precisely and thus fix errors faster. However, they are a serious privacy vulnerability for end users. The more digits a program version uses, the more unique the browser becomes. This drawback is difficult to fix.
Adobe Flash poses another danger for privacy due to its very specific mechanism of transmitting font data. Adobe Flash often reports font lists in the proper order, but returns them in an unsorted and chaotic way. As a result, the user obtains a special cookie that is different from the standard library data, and his or her browser becomes more unique.
In some cases, only the font order is changed, which affects uniqueness to a lesser degree. It is interesting to note that only Lucida fonts are vulnerable due to errors in their implementation. This refers to both Windows (all versions) and OS X.
The list violation does not depend on Flash and Java operation; the inaccuracy usually appears when the program is updated. This problem is very difficult to avoid. The only relatively safe method is disabling updates altogether. The studies show that in at least 30% of cases the problem disappears or is mitigated.
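The effect of micro versions and font order on uniqueness can be measured. The following is an added example, not code from the original article: it counts how many browsers in a constructed sample share a fingerprint, first as reported and then with the version truncated to major.minor and the font list sorted. `ExamplePlayer` and all sample values are hypothetical.

```javascript
// Constructed sample: what a site could read from eight browsers (not real data).
// "ExamplePlayer" is a hypothetical plugin; versions and font orders are invented.
const F = ["Arial", "Lucida Sans", "Verdana"];
const population = [
  { plugin: "ExamplePlayer 1.4.0.233", fonts: F },
  { plugin: "ExamplePlayer 1.4.0.233", fonts: ["Arial", "Verdana", "Lucida Sans"] },
  { plugin: "ExamplePlayer 1.4.0.241", fonts: F },
  { plugin: "ExamplePlayer 1.4.1.007", fonts: F },
  { plugin: "ExamplePlayer 1.4.0.233", fonts: F },
  { plugin: "ExamplePlayer 1.2.0.110", fonts: F },
  { plugin: "ExamplePlayer 1.4.2.019", fonts: ["Verdana", "Arial", "Lucida Sans"] },
  { plugin: "ExamplePlayer 1.2.3.500", fonts: F },
];

// Fingerprint exactly as reported: full micro version, font order preserved.
const rawKey = (b) => JSON.stringify([b.plugin, b.fonts]);

// Keep only major.minor of a trailing dotted version string.
function coarsenVersion(plugin) {
  const m = /^(.*?)(\d+)\.(\d+)(?:\.\d+)*$/.exec(plugin);
  return m ? `${m[1]}${m[2]}.${m[3]}` : plugin;
}

// Coarsened fingerprint: truncated version, fonts sorted so order carries no signal.
const coarseKey = (b) =>
  JSON.stringify([coarsenVersion(b.plugin), [...b.fonts].sort()]);

// Size of each anonymity set: how many browsers share a fingerprint.
function anonymitySets(pop, keyFn) {
  const sets = new Map();
  for (const b of pop) sets.set(keyFn(b), (sets.get(keyFn(b)) || 0) + 1);
  return sets;
}

// Browsers that are alone in their set, i.e. uniquely identifiable.
function uniqueCount(pop, keyFn) {
  const sets = anonymitySets(pop, keyFn);
  return pop.filter((b) => sets.get(keyFn(b)) === 1).length;
}

// Surprisal in bits: -log2(share of the population with the same fingerprint).
function surprisalBits(pop, keyFn, browser) {
  const sets = anonymitySets(pop, keyFn);
  return -Math.log2(sets.get(keyFn(browser)) / pop.length);
}

console.log("unique as reported:", uniqueCount(population, rawKey));
console.log("unique after coarsening:", uniqueCount(population, coarseKey));
```

In this sample the browser with the reordered font list carries 3 bits of identifying information as reported; after coarsening it shares its fingerprint with five others.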
Testing browser uniqueness on one’s own
To check the vulnerability of your browser you need to test its uniqueness, and this may be done on Panopticlick.eff.org. This site was named after a program for browser uniqueness sampling; it allows everyone to protect themselves from browser fingerprints and achieve anonymity on the Internet. Many studies on fingerprints were also made thanks to this resource.
Open the site in your browser to test and click “Test me.” The site will do an analysis according to the aforementioned principle by studying language, font, and screen settings and give a recognizability score.
If the score is bad, work with your settings and continue testing until the recognizability is at the minimum. Statistically, Panopticlick allows you to decrease recognizability significantly. If you set typical settings, your browser will be identical to 50,000+ counterparts.
It is recommended to repeat this procedure on a regular basis, at least monthly. People often change browser settings, which increases the recognizability of each individual client.
Fingerprints are a cookie alternative, but their recording is more dangerous for privacy lovers since it combines the abilities of fingerprints and cookies. As a result, the methods effective against cookies may not work against fingerprints. For example, the “incognito” mode blocks execution of some unwanted scripts, but does not change browser fingerprints and, moreover, makes the browser more recognizable. Various plugins have little effect because they are not so different from special modes and just increase the uniqueness of the browser.
The main disadvantage of this method is possible problems with site rendering. This is where a combined method may help. It is based on disabling Flash and Java along with using a special plugin, NoScript. Rendering problems will be kept to a minimum, but the uniqueness will slightly increase because of the plugin.
It is not recommended to use plugins separately. The only exception is a special product called Ghostery, which protects from cookies and decreases uniqueness.
The easiest protection against fingerprints is tight control of browser scripts. Special plugins for Google Chrome and Mozilla Firefox can ask the PC owner for permission to render a page or execute processes connected with getting cookies or transmitting data.
As was mentioned, some programs have updating issues, which essentially creates a different type of cookie. Completely disabling updates may help, but do not forget that many system components (like drivers) need them. It is better to control component installation manually. Be very careful when you view this list to avoid executing any operation that may increase your browser uniqueness.
Mozilla Firefox extensions
The user does not have to approve script execution each time; it is enough to add the resource to the white list once. All resources on this list work with no restrictions. Some versions of NoScript already contain a default white list with the following resources: developer sites, Google sources, Microsoft and Yahoo sites.
NoScript is universal and cross-platform; it can work in Windows and Linux. The plugin protects from XSS attacks based on malicious code injection.
Some sites written specifically for Internet Explorer or Google Chrome may render incorrectly in Firefox. The extension User Agent Switcher solves this problem. It masks Firefox as another browser defined by the user, be it Internet Explorer, Google Chrome, Opera, etc. This makes it easy to view resources intended for other browsers.
User Agent Switcher also allows you to fake your computer’s operating system data. But you should take care: TCP still sends some OS data, so if you have Windows, but User Agent Switcher shows Linux, it drastically increases your browser uniqueness since there are too few users with such settings.
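An added example (not from the original article) of why this mismatch stands out: it compares the OS family claimed in the User-Agent header with the one implied by the packet's TTL. It assumes the common default initial TTLs of 128 for Windows and 64 for Linux and macOS, and the visit records are constructed.

```javascript
// Simplified assumption: common default initial TTLs. Windows stacks start at 128,
// Linux and macOS at 64; each router hop subtracts 1 before the server sees it.
const TTL_FAMILY = { 64: "unix-like", 128: "windows" };

// Round an observed TTL up to the nearest common initial value.
function initialTtl(observed) {
  return [32, 64, 128, 255].find((t) => observed <= t) ?? null;
}

// OS family claimed by the User-Agent header (application layer, user-controlled).
function familyFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return "windows";
  if (/Linux|X11|Mac OS X/.test(ua)) return "unix-like";
  return "unknown";
}

// OS family implied by the network stack, which a browser extension does not change.
function familyFromTtl(observed) {
  return TTL_FAMILY[initialTtl(observed)] ?? "unknown";
}

// True when both layers give an answer and the answers disagree.
function isMismatch(visit) {
  const claimed = familyFromUserAgent(visit.ua);
  const implied = familyFromTtl(visit.ttl);
  return claimed !== "unknown" && implied !== "unknown" && claimed !== implied;
}

// Constructed visits (not real traffic); UA strings are shortened for readability.
const visits = [
  { id: "a", ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox", ttl: 117 },
  { id: "b", ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox", ttl: 121 },
  { id: "c", ua: "Mozilla/5.0 (X11; Linux x86_64) Firefox", ttl: 52 },
  { id: "d", ua: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) Firefox", ttl: 55 },
  // Windows machine whose User-Agent was switched to Linux:
  { id: "e", ua: "Mozilla/5.0 (X11; Linux x86_64) Firefox", ttl: 113 },
  { id: "f", ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox", ttl: 109 },
];

// Visits whose claimed and implied OS disagree form a small, conspicuous group.
function mismatched(list) {
  return list.filter(isMismatch).map((v) => v.id);
}

console.log("inconsistent visits:", mismatched(visits));
```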
There are NoScript and User Agent Switcher for other browsers as well, but they work better in Mozilla Firefox.
Protection against browser fingerprints is a very difficult task to achieve. To conclude:
1. Fingerprints are a unique system of tracking users based on their browser data.
2. Fingerprints gather lots of information from settings, browser, and computer as a whole. It may be language settings, screen resolution, any plugins, receiving/sending cookies settings, etc.
3. If the browser is marked with fingerprints, deleting cookies has a limited effect. It is more effective to completely change browser and OS settings, but do so carefully. The new settings should not be too unique, since that leads to more, not less, recognizability of your browser.
4. Many studies have been done on browser fingerprints, which revealed protection strategies and very intricate tracking methods, such as micro version number reporting and font data transmitting errors.
5. Any fingerprint has an expiry date. If you avoid visiting some resource for a long time (min. 2.5 weeks), your browser recognizability will decrease slightly.
6. You cannot protect yourself from fingerprints fully, but you can minimize the probability of marking your browser by installing special plugins, disabling scripts (especially Java and Flash), and controlling updates. One of the best defenses is Tor.
7. The Mozilla Firefox browser is particularly useful as a means of protection. NoScript disables unwanted scripts that reveal the user. User Agent Switcher masks the browser as another one (Opera, Internet Explorer, Google Chrome). It can also mask the operating system, but take care when using this feature.