Fingerprinting web browser to track you

gut

Senior Member

Sun, Jun 9, 2019 5:55 PM

So I guess this isn't really new at this point, though maybe not widespread, but they don't need cookies to track you.  Instead they can ping your browser for all kinds of info that is almost unique to you.  You can hit this link to see how you do: https://panopticlick.eff.org/

Firefox now has options to protect against cryptominers and fingerprinting.  You have to manually enable these features, but the fingerprinting protection didn't seem to do anything.

 

What are people's thoughts on this?  Seems the only practical solution is to use the NoScript add-on which can disable javascript by default and effectively stops them from pinging your info.  Except that breaks a lot of websites, so is it worth it?  I suppose the advantage is creating the exception for a site still blocks all the 3rd party crap that might be fingerprinting to track you.

I know some of you are pretty paranoid about privacy, so wondered what you guys do.  I use a VPN and reject all 3rd party cookies.  Got tired with incognito/private browsing having to constantly re-validate at login, so I had to allow those sites to set cookies and save them - makes me wonder if I'm not self-defeating all the privacy steps I take.

justincredible

Honorable Admin

Mon, Jun 10, 2019 8:53 AM

Running Chrome with uBlock does a decent job, but I ended up adding the Privacy Badger add-on from EFF in that link you sent.

gut

Senior Member

Mon, Jun 10, 2019 10:12 AM
posted by justincredible

Running Chrome with uBlock does a decent job, but I ended up adding the Privacy Badger add-on from EFF in that link you sent.

I tried it all, privacy badger and ghostery included.  I actually do run uBlock.  Cookies aren't a problem - it's fingerprinting I can't defeat without ruining the user experience.  From what I can tell, it's canvassing that is the main culprit and if you spoof or block it, you're still basically unique because so few people do that. 

I'll have to look at privacy badger again.  NoScript definitely does the job, but it's a waste if I have to disable it on 2/3 of the sites I visit for them to work properly.

justincredible

Honorable Admin

Mon, Jun 10, 2019 11:28 AM

Javascript is so prevalent now that NoScript is definitely not feasible for the average person.

gut

Senior Member

Mon, Jun 10, 2019 12:53 PM
posted by justincredible

Javascript is so prevalent now that NoScript is definitely not feasible for the average person.

I gave up on it.  Apparently Firefox does work, but only against known unsolicited fingerprinting (in partnership with Disconnect, which is another add-on frequently mentioned with uBlock, Ghostery and Privacy Badger to thwart this).  So that's why EFF still reads a unique fingerprint, because Firefox doesn't block them.

Once Firefox turns this on by default for all users, then in theory even if they only spoof a couple key identifiers that would do the job (because you then have millions of users vs. only tens of thousands of users, at most, of the other add-ons).

gut

Senior Member

Thu, Jun 13, 2019 3:07 PM

Been playing around with containers in Firefox, and a couple of extensions that are pretty slick.  Really liking containers, as it solves a lot of my problems with trying to keep and maintain cookies for certain websites (mostly financial ones that make you jump thru hoops without a cookie identifying/remembering your pc).

Containers are like a sandbox for the websites you put in.  And then another extension will automatically open a new site in a temporary container.  So you could group all your financial sites in one banking container, or you could put each in their own container.

So if I was shopping on Amazon, and then head over to Ohio Chatter, it launches Ohio Chatter in a different container.  Amazon can't track what I do on the OC, and the OC can't see what I did on Amazon.  I can still be fingerprinted, but at least this way cookies I need to keep can't collect information on me outside the sites I allow in that specific container.

O-Trap

Chief Shenanigans Officer

Thu, Jun 13, 2019 4:09 PM

I have multiple iterations of the Firefox browser that are completely separate from each other (separate cookies, cache, bookmarks, addons, etc.), use Lastpass for all my passwords instead of saving them to the browser, delete cookies and cache at the end of every browsing session (at least once a day), and have the ability to use Tor with proxies and/or VPNs if I need particular privacy.

gut

Senior Member

Thu, Jun 13, 2019 4:16 PM
posted by O-Trap

I have multiple iterations of the Firefox browser that are completely separate from each other (separate cookies, cache, bookmarks, addons, etc.)

That's a good option, except I don't like launching different browsers to do different things.  Although, I've run out of space on my bookmarks bar.  I added Coffee Quantum which is a cool one-click option to launch multiple sites in separate tabs (I've currently set it up for about 8 news sites I visit frequently).  Wish I could have multiple clones of Coffee Quantum to launch different groups of sites.

Containers do basically the same thing as multiple iterations, except you're limited to the same bookmarks and addons.  But I'd expect there's an addon that would use tabs to replicate separate browsers.

O-Trap

Chief Shenanigans Officer

Thu, Jun 13, 2019 4:22 PM
posted by gut

That's a good option, except I don't like launching different browsers to do different things.  Although, I've run out of space on my bookmarks bar.  I added Coffee Quantum which is a cool one-click option to launch multiple sites in separate tabs (I've currently set it up for about 8 news sites I visit frequently).  Wish I could have multiple clones of Coffee Quantum to launch different groups of sites.

Containers do basically the same thing as multiple iterations, except you're limited to the same bookmarks and addons.  But I'd expect there's an addon that would use tabs to replicate separate browsers.

Probably.  I've been using Firefox profiles for so long that it doesn't even feel like I'm using the same browser anymore.  It started out as a convenience thing, but it quickly turned into a means to "silo" my activity.

As a result, if I were to click on something sketchy, it can't access any info from my "work" browser, because the work browser is used strictly for regular work tools.  Same with online media (videos/streams/music, etc.).

A bonus is that if one freezes or hits a page with a looping script, and I need to shut that one down, the other windows will stay open and unaffected.

It's really pretty handy.

O-Trap

Chief Shenanigans Officer

Thu, Jun 13, 2019 4:23 PM

Ends up looking something like this.  Two top windows and the bottom-left window are all Firefox, but they're completely separate from one another.

gut

Senior Member

Thu, Jun 13, 2019 5:06 PM
posted by O-Trap

Probably.  I've been using Firefox profiles for so long that it doesn't even feel like I'm using the same browser anymore.  It started out as a convenience thing, but it quickly turned into a means to "silo" my activity.

I never got into profiles.  I use my laptop at different client sites, so over the years I've become increasingly paranoid about keeping my personal separate.  For example, Firefox is not my default browser so if I launch a link from an email in a meeting it doesn't show everyone my bookmarks.  I leave Edge and Chrome completely stock for that stuff.  The email is actually the worst because I have personal as well as work in one inbox for convenience, so you can imagine the risk I'm taking there (need to set-up a separate email client just for work for that situation).

But mainly what triggered it all was occasionally having to hand my laptop to IT to install software at a client, and I have email, browser, lastpass with all my financial login info, etc... I did the whole Admin and then local users, but usually to install software they need Admin access.  Plus, my VPN doesn't like local user accounts.  Now I run encryption software, so I can pop-out my security key before handing over my laptop and they can't access anything other then my C drive, which is mainly stock Windows.

A few pretty minor tweaks I need to make and then I'd have Firefox doing 100% of what I want/need it to do.  I might have to look at profiles to see if it doesn't solve a couple of my remaining issues.

O-Trap

Chief Shenanigans Officer

Thu, Jun 13, 2019 5:54 PM
posted by gut

I never got into profiles.  I use my laptop at different client sites, so over the years I've become increasingly paranoid about keeping my personal separate.  For example, Firefox is not my default browser so if I launch a link from an email in a meeting it doesn't show everyone my bookmarks.  I leave Edge and Chrome completely stock for that stuff.  The email is actually the worst because I have personal as well as work in one inbox for convenience, so you can imagine the risk I'm taking there (need to set-up a separate email client just for work for that situation).

But mainly what triggered it all was occasionally having to hand my laptop to IT to install software at a client, and I have email, browser, lastpass with all my financial login info, etc... I did the whole Admin and then local users, but usually to install software they need Admin access.  Plus, my VPN doesn't like local user accounts.  Now I run encryption software, so I can pop-out my security key before handing over my laptop and they can't access anything other then my C drive, which is mainly stock Windows.

A few pretty minor tweaks I need to make and then I'd have Firefox doing 100% of what I want/need it to do.  I might have to look at profiles to see if it doesn't solve a couple of my remaining issues.

I just use all my email in a browser anymore.  I like Thunderbird, but as you mentioned, there's a certain tenuousness to keeping personal and professional email in the same place.

As for all the admin/local stuff, it's been awhile since I've messed with that.  For any truly sensitive stuff, I have a bootable flash drive with persistent memory and its own operating system, so I can remove the whole "computer" anytime I was concerned about anyone else being on it.  I keep it pretty "bare bones," so that I can use it for work stuff, as well.

In fact, I've actually contemplated making that my daily driver, but I just have so much storage space on my internal memory, it feels like a waste, and I do still get better performance when I use the internal SSD as opposed to the flash drive.

gut

Senior Member

Thu, Jun 13, 2019 7:01 PM
posted by O-Trap

... For any truly sensitive stuff, I have a bootable flash drive with persistent memory and its own operating system, so I can remove the whole "computer" anytime I was concerned about anyone else being on it.

I probably have a false sense of security, but all my data - private AND work - are kept on the encrypted partition of my SSD.  I run CCleaner (with the advanced plugin) religiously, and usually run portable apps when I can (mainly because it's a giant PITA setting up a new computer when it's not easy to export a lot of app settings).  As far as I know, the only issue I might potentially have is CCleaner autorun craps out and then flash player, DNS cache and a few other places have some traces.

Thought about putting portable Firefox on my sd card, but figured it's fine on my encrypted partition.  With the temporary containers, even if I clicked on some random link all traces would be obliterated when I close my browser.

O-Trap

Chief Shenanigans Officer

Thu, Jun 13, 2019 7:13 PM
posted by gut

I probably have a false sense of security, but all my data - private AND work - are kept on the encrypted partition of my SSD.  I run CCleaner (with the advanced plugin) religiously, and usually run portable apps when I can (mainly because it's a giant PITA setting up a new computer when it's not easy to export a lot of app settings).  As far as I know, the only issue I might potentially have is CCleaner autorun craps out and then flash player, DNS cache and a few other places have some traces.

Thought about putting portable Firefox on my sd card, but figured it's fine on my encrypted partition.  With the temporary containers, even if I clicked on some random link all traces would be obliterated when I close my browser.

With all that, I'd imagine you're going to be safe unless someone targets you specifically and knows how you have things set up.

gut

Senior Member

Thu, Jun 13, 2019 7:27 PM
posted by O-Trap

With all that, I'd imagine you're going to be safe unless someone targets you specifically and knows how you have things set up.

Yeah, I think if there's anything sensitive on my C drive it'd take a lot more sophistication than your average IT person has to find it.

Oddly, I don't do much for virus protection.  I let Windows Defender handle it because I don't download torrents and I can count on one hand how many viruses I've had in 20 years.

I just wish the banks and shopping sites would get their ass in gear and implement user-friendly two-factor authentication.  I had the yubikey, but found it doesn't work many places (and you still have to touch it to authenticate).  If my phone can stay unlocked when my watch is connected via bluetooth, they should be able to do a lot better on two-factor authentication than a text message (which actually isn't totally secure).

O-Trap

Chief Shenanigans Officer

Fri, Jun 14, 2019 12:06 AM
posted by gut

Yeah, I think if there's anything sensitive on my C drive it'd take a lot more sophistication than your average IT person has to find it.

Oddly, I don't do much for virus protection.  I let Windows Defender handle it because I don't download torrents and I can count on one hand how many viruses I've had in 20 years.

I just wish the banks and shopping sites would get their ass in gear and implement user-friendly two-factor authentication.  I had the yubikey, but found it doesn't work many places (and you still have to touch it to authenticate).  If my phone can stay unlocked when my watch is connected via bluetooth, they should be able to do a lot better on two-factor authentication than a text message (which actually isn't totally secure).

I know banks tend to rely on their encryption, which is actually pretty good, but it doesn't account for other network vulnerabilities.  As such, I get wanting it.

I get annoyed with the notion of two-factor authentication being required, because I actually don't prefer it, but I certainly think it should be an option.