
Comment by ekjhgkejhgk

2 days ago

OT on Tor:

Recently this link was on HN[1]. It ranks your browser on regular tracking and fingerprinting separately. "Tor without JS" was the only option I found to be completely fingerprint resistant. Even Tor "with JS on strict settings" ranked it as only "partly fingerprint resistant". (Interestingly, Firefox without JS never returns.)

Scary stuff.

I'd like to hear other people's experiences/experiments here.

[1] https://coveryourtracks.eff.org/

This tool is deeply flawed. Fingerprinting protection is sometimes done by binning, which this tool rewards, and is sometimes done by randomizing, which this tool harshly punishes. The net result is it generally guides you away from the strongest protection.

The flip side of this, having the complementary flaw of testing only persistence, not uniqueness, is (warning, real tracking link) fingerprinting.com/demo. You can try resetting your ID and seeing if it changes here. Since tracking requires (a degree of) uniqueness AND (a degree of) persistence, the danger signal is only failing both the EFF test and this test.

Failing both is a requirement to derive meaning, not being lax: measuring only uniqueness would fail a random number generator, and measuring only persistence would fail the number 4.

  • You make an interesting point on binning vs randomization. I'm not an expert but to me your point is consistent with Tor having the "best protection" according to the website, because I know that Tor's strategy is binning. However, this is what actually makes sense for many variables though. For example, font sizes come in integers. If you're trying to be clever by "randomizing" and claiming to use decimal-sized, you might be the only person in the world to do so and immediately fingerprinted. So I think that randomization might indeed be a bad idea in many cases.

    Your link doesn't work though. I just get "file not found".
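
Added example, not part of the thread: a small simulation of the argument above that tracking needs both uniqueness and persistence. The population, the canvas-width attribute and the names `report` and `evaluate` are assumptions made for illustration; `bits` is the usual surprisal formula behind "one in N browsers" figures.

```python
import math
import random
from collections import Counter

def bits(one_in):
    """Identifying information, in bits, of a fingerprint shared by one in `one_in` browsers."""
    return math.log2(one_in)

# Constructed population: 500 browsers, each with a distinct true canvas width.
TRUE_WIDTHS = [1000 + i for i in range(500)]

def report(width, strategy, rng):
    """Value a site observes on one visit under the given defence."""
    if strategy == "binned":        # round down into a bucket shared with others
        return width - width % 100
    if strategy == "randomized":    # perturb with fresh noise on every visit
        return width ^ rng.getrandbits(64)
    return width                    # "raw": no defence

def evaluate(strategy, seed=1):
    """Score a defence on a uniqueness test, a persistence test, and both together."""
    rng = random.Random(seed)
    visit1 = [report(w, strategy, rng) for w in TRUE_WIDTHS]
    visit2 = [report(w, strategy, rng) for w in TRUE_WIDTHS]
    counts = Counter(visit1)
    n = len(visit1)
    unique = [counts[f] == 1 for f in visit1]            # what a uniqueness-only test sees
    same = [a == b for a, b in zip(visit1, visit2)]      # what a persistence-only test sees
    return {
        "mean_bits": sum(bits(n / counts[f]) for f in visit1) / n,
        "unique": sum(unique) / n,
        "persistent": sum(same) / n,
        # A browser can be re-identified only if its fingerprint is unique AND stable.
        "trackable": sum(u and s for u, s in zip(unique, same)) / n,
    }

if __name__ == "__main__":
    for strategy in ("raw", "binned", "randomized"):
        print(strategy, evaluate(strategy))
```

Binning scores well on the uniqueness test and badly on the persistence test, randomizing does the reverse, and only the undefended case fails both.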

Regular OS X Safari: Our tests indicate that you have strong protection against Web tracking.

>Your browser fingerprint has been randomized among the 378,837 tested in the past 45 days. Although sophisticated adversaries may still be able to track you to some extent, randomization provides a very strong protection against tracking companies trying to fingerprint your browser.

>Currently, we estimate that your browser has a fingerprint that conveys at least 18.53 bits of identifying information.

Anyway, this test doesn't really communicate the results very well. Yes, Tor browser stands out. No, it's not easy to differentiate between different Tor browser users via this kind of fingerprinting.

  • Huh, I use a "stock" (I think?) macOS Safari and got "Your browser has a nearly-unique fingerprint" and "Partial protection" for ads and invisible trackers.

    Did you change a setting or add an ad blocker or something?

    edit: I feel like someone with a username "monerozcash" must have some customization to your browsing experience, that maybe you don't even remember doing...

    • The randomisation features were significantly improved in Safari 26. Is that the version you have?

Tor Browser tries to widen the fingerprint buckets you can get put into by, e.g., rounding off canvas sizes. The widest, unavoidable bucket is “Tor (browser) user”.

Visiting this site with a freshly installed, stock Tor browser (therefore with JS enabled, no settings changed from defaults) on Debian stable gives me:

"Our tests indicate that you have strong protection against Web tracking."

"Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 301.9 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 8.24 bits of identifying information."

Interestingly, increasing the Tor Browser Security level from Safe to Safer actually increased the bits of identifying information and reduced the anonymity:

"Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 832.32 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 9.7 bits of identifying information."

And at the Safest Security level (i.e. with JS disabled) the identifying bits and anonymization appear to be at their best:

"Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 261.41 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 8.03 bits of identifying information."

You can even track people by favicon, which bypasses incognito mode. Another part is hiding font URLs in CSS with more tracking...

  • Was incognito mode ever meant to prevent tracking? I thought it was for porn, I mean buying surprise presents on a shared computer.

    • You're correct, incognito mode never has been for privacy protection from websites, ISPs, etc.

    • It's commonly used for checking how sites look when not logged in, without logging out, or logging in as another user temporarily.

  • While this was possible in the past, I believe it got patched and is impossible today.

Interesting, Chrome failed but Firefox and Brave "have strong protection against Web tracking."