
Thread: Panopticlick - What does your browser reveal?

  1. #11
    Quote Originally Posted by Shinzen View Post
    I have no clue what above is about! Should I have configured any settings to make it better or something?
    Refer to the second paragraph of the post above yours
    "I just remembered something that happened a long time ago."

  2. Internet, Programming and Graphics   -   #12
    Expeto
    About unique people;

    It means the stuff your browser tells every site you connect to is unique. You leave that unique trace behind, which makes you traceable. That is very bad!

    Let me explain this by explaining my own

    The browser string part of the trace I leave behind is something like this;
    My Firefox sends this to every site I visit, and every site I visit records this.

    This string says;

    • I use Mozilla Firefox 3.6.7 with Gecko engine rv:1.9.2.7, which was built on 2010/08/09
    • I have a Linux operating system built for a 32-bit Intel CPU; the language of my OS is en-US
    • It also says my OS is Fedora Linux Version 3.6.7 core 14.

    This is too much information, which alone gives you something like "one in 621,959". But this is not the only information your browser gives; it also gives headers, plugin details, time zone and lots more.

    "one in 621,959" in browser string + other information of my browser makes me "one in 352,329" (worse).

    Which means only one in 352,329 people has the same trace. This means they can track me with a certain accuracy. A site with 1.000.000 users can track me with an estimated accuracy of ~1/3; a site with 300.000 can track me with an estimated accuracy of 99%.

    But when you are unique, even Google (which records more than 2 billion searches every day) can trace you with 100 percent accuracy. It is like leaving DNA behind.


    But why am I unique and you are not?
    Actually I'm also unique, like you. But I have the Firefox add-on NoScript, which prevents the leakage of my add-on information. Like this:
    Code:
    Browser Plugin Details 4.18 no javascript
    Time Zone 4.14 no javascript
    Screen Size and Color Depth 4.14 no javascript
    System Fonts 4.15 no javascript
    Are Cookies Enabled? 1.27 Yes
    Limited supercookie test 4.14 no javascript
    As you can see, I get a mundane "one in 4.14" from many parts, thanks to NoScript.

    But this was just an example. NoScript alone is very weak for privacy. That wasn't even my real agent string. I change my agent-string to a more common string every month. I also have a shitload of other tricks to keep my privacy. But if you just want a little more privacy without that much effort, try these tips:

    Privacy Tips;

    • Cookies are from hell! Never ever accept third-party cookies, clean your cookies often or tell Firefox to "keep them until I close the firefox" (Firefox preferences, privacy tab, change it to "Firefox will use my custom settings for history", the real settings will be revealed). If you set Firefox to keep cookies for a limited time, use this to allow some sites to have permanent cookies. (Sites need cookies to remember you; for example, if you don't allow this site to store permanent cookies you will have to enter your id and pass every time.) (Also notice that the test gives a perfect "1 in 1.27" for enabled cookies, even though my cookies are not permanent.)

    • Disable referrer info, right now! Referrer means every site you visit knows where you are coming from. Type "about:config" in the location bar of Firefox, and press return. Find "network.http.sendRefererHeader" by using the filter and modify it to "0" or "1" (0 is more private but it can cause some problems with the hotlink protection systems of some websites), then find "network.http.sendSecureXSiteReferer" and make it false. Done!




    • listen to the header tips of anon-sbi, he knows what he is talking about


    Using this is also a nice way to fight advertisers. There are lots of goodies here
    https://www.torproject.org also offers a great way to secure your traffic, but it's ineffective if you are unique.

    BTW, that test site is mostly and overly used by privacy freaks like myself, because of disabled cookies these people, those numbers are optimistic at best!

    http://privacy.net/analyze/, another nice test with more detailed output.

    Why the hell does my browser give so much info?
    That information is there mostly for debugging purposes. But advertisers found a better use for that info: tracking you.

    For more info check the great docs of the EFF, and don't forget Google is not your friend; Google is the biggest enemy of our privacy. Scroogle and ixquick are your real friends.


    I would also love to hear about other people's precautions
    ...

  3. Internet, Programming and Graphics   -   #13
    listen to the header tips of anon-sbi, he knows what he is talking about
    Thanks. So do you. Great post! To comment on a few parts of it:

    I change my agent-string to a more common string every month.
    I'm on Opera, and unfortunately you don't have much freedom when it comes to User-Agents. You can only choose to spoof old versions of IE and Firefox, and optionally append the fact you're actually using Opera at the end of the string. There's no addon like User-Agent Switcher or HTTP Header Editor.

    Cookies are from hell! Never ever accept third-party cookies, clean your cookies often or tell Firefox to "keep them until I close the firefox" (Firefox preferences, privacy tab, change it to "Firefox will use my custom settings for history", the real settings will be revealed)
    I have disabled third party cookies also, and do most of my daily browsing in private tabs. Once you close your browser (or all such tabs), cache, cookies and any other means of potentially persistent storage go boom. Did the evercookie test and passed. The only places I don't browse privately are FST and a few other forums and trackers I frequent, and even so they have to go through a strong resource blocklist. This gets rid of most useless crap such as Google Analytics cookies and overly intrusive advertisements.

    Disable referrer info, right now! Referrer means every site you visit knows where you are coming from.
    Done this ever since I learnt what an HTTP referer is.

    Only thing worse than a cookie is a flash super cookie, get this or disable them completely
    A good measure for this is having Flash disabled by default. Why not Java, also - a friend goes even further and does the same with JavaScript and cookies. You can then manually add exceptions for sites you want those to be enabled on. There's a Firefox addon to make this easier, which is basically NoScript for cookies (can't recall its name though). Also, you can kill a site's supercookies and prevent it from creating new ones if you right-click one of its Flash apps and set its allowed storage to 0KB.
    "I just remembered something that happened a long time ago."

  4. Internet, Programming and Graphics   -   #14
    Expeto
    Quote Originally Posted by anon-sbi View Post
    I'm on Opera, and unfortunately you don't have much freedom when it comes to User-Agents. You can only choose to spoof old versions of IE and Firefox, and optionally append the fact you're actually using Opera at the end of the string. There's no addon like User-Agent Switcher or HTTP Header Editor.
    Opera's string options are also nice. At least you can't make typos while changing. I became unique so many times, just because of a single typo in the agent string.


    Quote Originally Posted by anon-sbi View Post
    A good measure for this is having Flash disabled by default. Why not Java, also - a friend goes even further and does the same with JavaScript and cookies. You can then manually add exceptions for sites you want those to be enabled on. There's a Firefox addon to make this easier, which is basically NoScript for cookies (can't recall its name though). Also, you can kill a site's supercookies and prevent it from creating new ones if you right-click one of its Flash apps and set its allowed storage to 0KB.
    Very interesting method. I would love to learn more about that extension. Does your friend pass the super-cookie test? So far, I haven't been able to find any way to beat evercookie without private browsing mode. Even though I do most of my surfing with "tor, private browsing, modified strings and filtered headers" combo, I'm still curious about beating the evercookie manually.
    ...

  5. Internet, Programming and Graphics   -   #15
    Quote Originally Posted by Expeto View Post
    Very interesting method. I would love to learn more about that extension. Does your friend pass the super-cookie test?
    I just asked him, will get back to you when he replies. Here's the NoScript of cookies:
    https://addons.mozilla.org/en-US/firefox/addon/2497/

    So far, I haven't been able to find any way to beat evercookie without private browsing mode. Even though I do most of my surfing with "tor, private browsing, modified strings and filtered headers" combo, I'm still curious about beating the evercookie manually.
    My guess is that if there's a way to disable all of these, then you'd be able to beat the evercookies:
    - Standard HTTP Cookies
    - Local Shared Objects (Flash Cookies)
    - Silverlight Isolated Storage
    - Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
    - Storing cookies in Web History
    - Storing cookies in HTTP ETags
    - Storing cookies in Web cache
    - window.name caching
    - Internet Explorer userData storage
    - HTML5 Session Storage
    - HTML5 Local Storage
    - HTML5 Global Storage
    - HTML5 Database Storage via SQLite
    The latest version of BleachBit can remove all the traces it leaves in your computer. I think that and/or private browsing are the best you can do right now.
    "I just remembered something that happened a long time ago."

  6. Internet, Programming and Graphics   -   #16
    Expeto
    Quote Originally Posted by anon-sbi View Post
    The latest version of BleachBit can remove all the traces it leaves in your computer. I think that and/or private browsing are the best you can do right now.
    I almost always use private browsing, still I'm curious about getting rid of the evercookie manually. BleachBit was also my first move against it, but not to destroy my password cookies and bookmarks I set it to not remove cookies and bookmarks. Then I removed the cookies, DOM, LSO etc. manually. But super-cookie was somehow still alive. Thankfully there is still enough debugging info in the evercookie page. It seems like "slData mechanism: " is keeping the cookie alive.
    ...

  7. Internet, Programming and Graphics   -   #17
    A
    Doesn't the "Better privacy" add-on for firefox delete those "super-cookies"?

  8. Internet, Programming and Graphics   -   #18
    Quote Originally Posted by Expeto View Post
    But super-cookie was somehow still alive. Thankfully there is still enough debugging info in the evercookie page. It seems like "slData mechanism: " is keeping the cookie alive.
    slData sounds like Silverlight's isolated storage.

    Quote Originally Posted by AbyBeats View Post
    Doesn't the "Better privacy" add-on for firefox delete those "super-cookies"?
    As far as I see, Better Privacy only helps you delete supercookies (i.e. Flash LSOs) and nothing else. Evercookies are something different, and much more intrusive, so it wouldn't work for them.

    Quote Originally Posted by anon-sbi View Post
    I just asked him, will get back to you when he replies.
    He just did:
    ok, only works with js enabled. there were 2 cookies that could be discovered even after "deleting" them via better privacy plugin:
    windowData mechanism and lsoData mechanism

    both discovery option could still find them so the better privacy plugin obviously doesn't work
    Last edited by anon; 11-01-2010 at 07:47 PM. Reason: Automerged Doublepost
    "I just remembered something that happened a long time ago."

  9. Internet, Programming and Graphics   -   #19
    Expeto
    Quote Originally Posted by AbyBeats View Post
    Doesn't the "Better privacy" add-on for firefox delete those "super-cookies"?
    Yes, it does. It takes care of supercookies in the macromedia directory. Evercookie is not a cookie, it's a dozen cookies. Better Privacy takes care of 2-3 of these cookies but there are still at least 10 left. For example I wasn't able to take care of the Silverlight isolated store, which resurrected all other deleted cookies. Evercookie is a bit like a virus, it multiplies itself. The only way to get rid of it is deleting every one of the cookies at once.


    @anon-sbi
    Thanks for the tip. I'm pretty amazed to find Microsoft Silverlight on my Linux. I think my room-mate installed it, well, no more sudo access for him
    ...
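
The respawn behaviour described in the posts above (one surviving store, such as the Silverlight one, restoring all the others) can be modelled as follows. This is an added simulation, not code from the thread or from evercookie itself; the mechanism names and IDs are constructed and nothing touches real browser storage.

```javascript
// Constructed model: each entry stands for one storage mechanism named in the
// thread. Names and IDs are made up; nothing here touches real browser storage.
const MECHANISMS = ["httpCookie", "flashLSO", "silverlight", "windowName", "localStorage"];

function newBrowser() {
  return new Map(MECHANISMS.map((m) => [m, null]));
}

// Respawn step run on every page load: take any surviving copy of the ID
// (or a fresh one if none survived) and write it back into every store.
function pageLoad(browser, freshId) {
  const survivors = [...browser.values()].filter((v) => v !== null);
  const id = survivors.length > 0 ? survivors[0] : freshId;
  for (const m of MECHANISMS) browser.set(m, id);
  return id;
}

// A cleaning tool is modelled as the list of stores it wipes.
function clean(browser, wiped) {
  for (const m of wiped) browser.set(m, null);
}

// Audit: which stores still hold an ID right now?
function remaining(browser) {
  return MECHANISMS.filter((m) => browser.get(m) !== null);
}

// passes: cleaning passes in order; the site is loaded again between passes.
// tracked is true when the next visit still yields the ID from the first visit.
function scenario(passes) {
  const b = newBrowser();
  const first = pageLoad(b, "id-A");
  passes.forEach((wiped, i) => {
    if (i > 0) pageLoad(b, "id-B");
    clean(b, wiped);
  });
  const left = remaining(b);
  const next = pageLoad(b, "id-B");
  return { left, tracked: next === first };
}

const partial = scenario([["httpCookie", "flashLSO"]]);
const staged = scenario([["httpCookie", "flashLSO", "windowName", "localStorage"], ["silverlight"]]);
const full = scenario([MECHANISMS]);
console.log({ partial, staged, full });
```

The `staged` case wipes every store, but in two passes with a page load in between, and the original ID still survives; only the single pass over all stores breaks the link.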
