
View Full Version : Panopticlick - What does your browser reveal?



anon
01-28-2010, 05:36 PM
Traditionally, people assume they can prevent a website from identifying them by disabling cookies on their web browser. Unfortunately, this is not the whole story.

When you visit a website, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint - a signature that could be used to identify you and your computer. Some companies are already using technology to try to identify individual computers. But how effective would this kind of online tracking be?

EFF is running an experiment to find out. Panopticlick will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to our database of many other Internet users' configurations. Then, it will give you a uniqueness score - letting you see how easily identifiable you might be as you surf the web.

Check it out here:
http://panopticlick.eff.org/

P2PDog
01-28-2010, 05:42 PM
Here's my results with Adblock+, CS Lite and NoScript enabled....

Your browser fingerprint appears to be unique among the 121,324 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 16.89 bits of identifying information.

anon
01-28-2010, 05:48 PM
These are mine, I'm running Opera with the BlockIt addon:

Your browser fingerprint appears to be unique among the 122,399 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 16.9 bits of identifying information.

Cabalo
01-28-2010, 05:58 PM
Within our dataset of several hundred thousand visitors, only one in 591 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys 9.21 bits of identifying information.

9.21 bits is quite low, for what I'm seeing.
I'm using many of anon-sbi's tips, plus some other home network policies.

anon
01-28-2010, 06:01 PM
Within our dataset of several hundred thousand visitors, only one in 591 browsers have the same fingerprint as yours.

Are you on Firefox? NoScript and Modify Headers were enough to make the fingerprint unique here.

Cabalo
01-28-2010, 06:07 PM
which modify headers? those http referrers?
using noscript on FF.

anon
01-28-2010, 06:18 PM
which modify headers? those http referrers?

It's the name of an addon:
http://modifyheaders.mozdev.org/

Personally, I use it to filter "unimportant" HTTP headers out. It also lets you disable referers or edit your User-Agent without installing something else. It's very powerful as it puts you in control of almost everything Firefox sends to servers.

On a different note, the trend nowadays is using invisible Flash applets to store LSOs, that get assigned 100KB of disk space and remain even if you clear your cookies. In your case, NoScript should take care of them, but there's "Super-Cookie Safeguard" for those that don't like NS. People using other browsers (as is my case) can disable Flash globally and individually allow it for sites that need it.

Also, don't forget to disable supercookies if you haven't already - set dom.storage.enabled in about:config to false.

cinephilia
10-28-2010, 12:44 AM
here is what i get:

Your browser fingerprint appears to be unique among the 1,238,640 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 20.24 bits of identifying information.

no idea what the hell it means tho :ermm:

anon
10-28-2010, 02:22 PM
no idea what the hell it means tho :ermm:

Firstly, thank you for bumping this. More people should be aware of it.

Secondly, it basically means you're the only person (of all who have taken the test) that's using the same browser settings. So you can potentially be identified as an individual user, even if you delete your cookies, Flash LSOs and the like. The worst part is, disabling Flash/Java/JavaScript, referrers, etc. only makes your browser more unique. At the time I posted this, it was more of a proof of concept than anything, but now tracking software taking advantage of this is available in the market.

Also, if you're interested, have a look at:
http://samy.pl/evercookie/ - "virtually irrevocable persistent cookies". Thankfully, Opera's private tabs work pretty well against that, and BleachBit can delete all the traces evercookies leave in your computer.

Shinzen
10-29-2010, 11:48 AM
Here is mine



Your browser fingerprint appears to be unique among the 1,241,183 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 20.24 bits of identifying information.


I have no clue what the above is about! Should I configure any settings to make it better or something?

anon
10-29-2010, 02:53 PM
I have no clue what the above is about! Should I configure any settings to make it better or something?

Refer to the second paragraph of the post above yours ;)

Expeto
10-31-2010, 06:44 PM
About unique people:

It means the stuff your browser tells every site you connect to is unique. You leave that unique trace behind, which makes you traceable. That is very bad!

Let me explain this by explaining my own.

The browser string part of the trace I leave behind is something like this:

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.7) Gecko/20100809 Fedora/3.6.7-1.fc14 Firefox/3.6.7 (http://www.useragentstring.com/Firefox3.6.7_id_16358.php)

My Firefox sends this to every site I visit, and every site I visit records this.

This string says:

- I use Mozilla Firefox 3.6.7 with Gecko engine rv:1.9.2.7 that was built on 2010/08/09
- I have a Linux operating system designed for Intel 32-bit CPU, language of my OS is en-US
- It also says my OS is Fedora Linux Version 3.6.7 core 14.

This is too much information, which alone gives you something like "one in 621,959". But this is not the only information your browser gives, it also gives headers, plugin details, time zone and lots more.

"one in 621,959" in browser string + other information of my browser makes me "one in 352,329" (worse).

Which means only one in 352,329 people has the same trace. This means they can track me with a certain accuracy. A site with 1.000.000 users can track me with an estimated accuracy of ~1/3, a site with 300.000 can track me with an estimated accuracy of 99%.

But when you are unique, even Google (which records more than 2 billion searches every day) can trace you with 100 percent accuracy. It is like leaving DNA behind.


But why am I unique and you are not?
Actually I'm also unique, like you. But I have the Firefox add-on NoScript, which prevents the leakage of my add-on information. Like this:

Browser Plugin Details 4.18 no javascript
Time Zone 4.14 no javascript
Screen Size and Color Depth 4.14 no javascript
System Fonts 4.15 no javascript
Are Cookies Enabled? 1.27 Yes
Limited supercookie test 4.14 no javascript

As you can see, I get a mundane "one in 4.14" from many parts, thanks to NoScript.

But this was just an example. NoScript alone is very weak for privacy. That wasn't even my real agent string, I change my agent string to a more common string every month. I also have a shitload of other tricks to keep my privacy. But if you just want a little more privacy without that much effort, try these tips:

Privacy Tips:


Cookies are from hell!, never ever accept third party cookies, clean your cookies often or tell Firefox to "keep them until I close the firefox" (Firefox preferences, privacy tab, change it to "Firefox will use my custom settings for history", the real settings will be revealed). If you set Firefox to keep cookies for a limited time, use this (https://addons.mozilla.org/en-US/firefox/addon/4703/) to allow some sites to have permanent cookies. (Sites need cookies to remember you, for example if you don't allow this site to store permanent cookies you will have to enter your ID and pass every time.) (Also notice that the test gives a perfect "1 in 1.27" for enabled cookies, even though my cookies are not permanent.)



Disable referrer info, right now! Referrer means every site you visit knows where you are coming from. Type "about:config" in the location bar of Firefox, and press return. Find "network.http.sendRefererHeader" by using the filter and modify it to "0" or "1" (0 is more private but it can cause some problems with the hotlink protection systems of some websites), then find "network.http.sendSecureXSiteReferrer" and make it false. Done!



Only thing worse than a cookie is a flash super cookie, get this (https://addons.mozilla.org/en-US/firefox/addon/6623/) or disable them completely (http://kb2.adobe.com/cps/526/52697ee8.html)



listen to the header tips of anon-sbi, he knows what he is talking about


Using this (https://addons.mozilla.org/en-US/firefox/addon/47934/) is also a nice way to fight advertisers. There are lots of goodies here (https://addons.mozilla.org/en-US/firefox/extensions/privacy-security/)
https://www.torproject.org also offers a great way to secure your traffic, but it's ineffective if you are unique.

BTW, that test site is mostly and overly used by privacy freaks like myself, because of disabled cookies these people, those numbers are optimistic at best!

http://privacy.net/analyze/, another nice test with more detailed output.

Why the hell my browser gives so much info?
That information is there mostly for debugging purposes. But advertisers found a better use for that info, tracking you.

For more info check the great docs of the EFF, and don't forget Google is not your friend, Google is the biggest enemy of our privacy. Scroogle (http://www.scroogle.org/cgi-bin/scraper.htm) and ixquick (http://www.ixquick.com/) are your real friends.


I would also love to hear about other people's precautions.
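
Added example (not part of any post above, and not EFF's code): how the "one in N" and "bits" figures quoted in this thread relate, and why several individually common values can still combine into a unique fingerprint. The eight-browser population and the attribute names are constructed for illustration.

```python
import math
from collections import Counter

def surprisal_bits(one_in_n):
    """Bits of identifying information for a value seen in one of N browsers."""
    return math.log2(one_in_n)

def fingerprint_report(population, visitor):
    """Surprisal of each attribute of `visitor`, and of the whole combination."""
    total = len(population)
    report = {}
    for key, value in visitor.items():
        same = sum(1 for b in population if b[key] == value)
        report[key] = surprisal_bits(total / same)
    # The tracker matches on the full tuple, not on attributes one at a time.
    combos = Counter(tuple(sorted(b.items())) for b in population)
    same = combos[tuple(sorted(visitor.items()))]
    report["fingerprint"] = surprisal_bits(total / same)
    return report

def browser(ua, plugins, tz):
    return {"user_agent": ua, "plugins": plugins, "time_zone": tz}

NOJS = "no javascript"  # what the test records when scripts are blocked

# Constructed sample: eight visitors, the last one is "us".
POPULATION = [
    browser("Firefox/Windows", "flash,java", "-300"),
    browser("Firefox/Windows", "flash,java", "-300"),
    browser("Firefox/Windows", "flash", "0"),
    browser("IE/Windows", "flash,silverlight", "-300"),
    browser("IE/Windows", "flash,silverlight", "0"),
    browser("IE/Windows", NOJS, NOJS),
    browser("Firefox/Linux", "flash", "60"),
    browser("Firefox/Linux", NOJS, NOJS),
]
VISITOR = POPULATION[-1]

if __name__ == "__main__":
    # Figures quoted in the thread: unique among N, or "one in 591".
    for n in (121324, 591, 1238640):
        print(f"one in {n:>9,} -> {surprisal_bits(n):.2f} bits")
    for name, bits in fingerprint_report(POPULATION, VISITOR).items():
        print(f"{name:12s} {bits:.2f} bits")
```

Each attribute of the last visitor is shared with one other browser (2 bits each), yet the combination is unique, so the fingerprint carries the maximum the sample can show (3 bits). That cap is why a unique result is reported as "at least" so many bits.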

anon
10-31-2010, 07:05 PM
listen to the header tips of anon-sbi, he knows what he is talking about

Thanks. :happy: So do you. Great post! :) To comment on a few parts of it:


I change my agent-string to a more common string every month.

I'm on Opera, and unfortunately you don't have much freedom when it comes to User-Agents. You can only choose to spoof old versions of IE and Firefox, and optionally append the fact you're actually using Opera at the end of the string. There's no addon like User-Agent Switcher or HTTP Header Editor. :(


Cookies are from hell!, never ever accept third party cookies, clean your cookies often or tell Firefox to "keep them until I close the firefox" (Firefox preferences, privacy tab, change it to "Firefox will use my custom settings for history", the real settings will be revealed)

I have disabled third party cookies also, and do most of my daily browsing in private tabs. Once you close your browser (or all such tabs), cache, cookies and any other means of potentially persistent storage go boom. Did the evercookie test and passed. The only places I don't browse privately are FST and a few other forums and trackers I frequent, and even so they have to go through a strong resource blocklist. This gets rid of most useless crap such as Google Analytics cookies and overly intrusive advertisements.


Disable referrer info, right now! Referrer means every site you visit know where you are coming from.

Done this ever since I learnt what an HTTP referer is. :)


Only thing worse than a cookie is a flash super cookie, get this or disable them completely

A good measure for this is having Flash disabled by default. Why not Java, also - a friend goes even further and does the same with JavaScript and cookies. You can then manually add exceptions for sites you want those to be enabled on. There's a Firefox addon to make this easier, which is basically NoScript for cookies (can't recall its name though). Also, you can kill a site's supercookies and prevent it from creating new ones if you right-click one of its Flash apps and set its allowed storage to 0KB.

Expeto
11-01-2010, 07:39 AM
I'm on Opera, and unfortunately you don't have much freedom when it comes to User-Agents. You can only choose to spoof old versions of IE and Firefox, and optionally append the fact you're actually using Opera at the end of the string. There's no addon like User-Agent Switcher or HTTP Header Editor. :(
Opera's string options are also nice. At least you can't make typos while changing. I became unique so many times, just because of a single typo in the agent string.




A good measure for this is having Flash disabled by default. Why not Java, also - a friend goes even further and does the same with JavaScript and cookies. You can then manually add exceptions for sites you want those to be enabled on. There's a Firefox addon to make this easier, which is basically NoScript for cookies (can't recall its name though). Also, you can kill a site's supercookies and prevent it from creating new ones if you right-click one of its Flash apps and set its allowed storage to 0KB.
Very interesting method. I would love to learn more about that extension. Does your friend pass the super-cookie test? So far, I haven't been able to find any way to beat evercookie without private browsing mode. Even though I do most of my surfing with "tor, private browsing, modified strings and filtered headers" combo, I'm still curious about beating the evercookie manually.

anon
11-01-2010, 11:52 AM
Very interesting method. I would love to learn more about that extension. Does your friend pass the super-cookie test?

I just asked him, will get back to you when he replies. Here's the NoScript of cookies:
https://addons.mozilla.org/en-US/firefox/addon/2497/


So far, I haven't been able to find any way to beat evercookie without private browsing mode. Even though I do most of my surfing with "tor, private browsing, modified strings and filtered headers" combo, I'm still curious about beating the evercookie manually.

My guess is that if there's a way to disable all of these, then you'd be able to beat the evercookies:

- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached
PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite

The latest version of BleachBit (http://bleachbit.sourceforge.net/) can remove all the traces it leaves in your computer. I think that and/or private browsing are the best you can do right now.

Expeto
11-01-2010, 04:49 PM
The latest version of BleachBit (http://bleachbit.sourceforge.net/) can remove all the traces it leaves in your computer. I think that and/or private browsing are the best you can do right now.
I almost always use private browsing, still I'm curious about getting rid of the evercookie manually. BleachBit was also my first move against it, but not to destroy my password cookies and bookmarks I set it to not remove cookies and bookmarks. Then removed the cookies, DOM, LSO etc. manually. But super-cookie was somehow still alive. Thankfully there is still enough debugging info in the evercookie page. It seems like "slData mechanism: " is keeping the cookie alive.

A
11-01-2010, 05:25 PM
Doesn't the "Better privacy" add-on for firefox delete those "super-cookies"?

anon
11-01-2010, 06:18 PM
But super-cookie was somehow still alive. Thankfully there is still enough debugging info in the evercookie page. It seems like "slData mechanism: " is keeping the cookie alive.

slData sounds like Silverlight's isolated storage.


Doesn't the "Better privacy" add-on for firefox delete those "super-cookies"?

As far as I see, Better Privacy only helps you delete supercookies (i.e. Flash LSOs) and nothing else. Evercookies are something different, and much more intrusive, so it wouldn't work for them.


I just asked him, will get back to you when he replies.

He just did:

ok, only works with js enabled. there were 2 cookies that could be discovered even after "deleting" them via better privacy plugin:
windowData mechanism and lsoData mechanism

both discovery options could still find them so the better privacy plugin obviously doesn't work :P

Expeto
11-03-2010, 07:21 PM
Doesn't the "Better privacy" add-on for firefox delete those "super-cookies"?

Yes, it does. It takes care of supercookies in the Macromedia directory. Evercookie is not a cookie, it's a dozen cookies. Better Privacy takes care of 2-3 of these cookies but there are still at least 10 left. For example I wasn't able to take care of the Silverlight isolated store, which resurrected all other deleted cookies. Evercookie is a bit like a virus, it multiplies itself. The only way to get rid of it is deleting every one of the cookies at once.


@anon-sbi
Thanks for the tip. I'm pretty amazed to find Microsoft Silverlight on my Linux. I think my room-mate installed it, well, no more sudo access for him :)
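
Added example (a toy model, not evercookie's code and not part of any post above): a cleanup-coverage check showing why clearing most of the stores is not enough. It assumes the behaviour reported in this thread, that any surviving copy restores the others on the next visit; the store names are shortened labels for the mechanisms anon listed, and the ID is a constructed value.

```python
# Shortened labels for the storage mechanisms listed earlier in the thread.
MECHANISMS = [
    "http_cookie", "flash_lso", "silverlight_isolated_storage",
    "png_canvas_cache", "web_history", "http_etag", "web_cache",
    "window_name", "ie_userdata", "html5_session_storage",
    "html5_local_storage", "html5_global_storage", "html5_sqlite_database",
]

def cleanup(stores, cleared):
    """Return the stores after the user wipes the ones named in `cleared`."""
    return {name: (None if name in cleared else value)
            for name, value in stores.items()}

def revisit(stores):
    """Model of the next page load: one surviving copy repopulates every store."""
    survivors = sorted(v for v in stores.values() if v is not None)
    if not survivors:
        return dict(stores)          # nothing left to restore from
    return {name: survivors[0] for name in stores}

def id_survives(cleared):
    """True if the identifier is still present after cleanup plus one revisit."""
    stores = {name: "id-constructed-123" for name in MECHANISMS}
    stores = revisit(cleanup(stores, set(cleared)))
    return any(v is not None for v in stores.values())

def missed_stores(cleared):
    """Stores a cleanup routine did not touch, i.e. what to audit next."""
    return [m for m in MECHANISMS if m not in set(cleared)]

if __name__ == "__main__":
    manual = ["http_cookie", "flash_lso", "html5_local_storage"]
    all_but_silverlight = [m for m in MECHANISMS
                           if m != "silverlight_isolated_storage"]
    for label, cleared in [("manual subset", manual),
                           ("all but Silverlight", all_but_silverlight),
                           ("everything at once", MECHANISMS)]:
        print(f"{label:22s} survives={id_survives(cleared)} "
              f"missed={len(missed_stores(cleared))}")
```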