# Killing Browser Fingerprinting



## un_x (Jul 24, 2014)

After visiting https://panopticlick.eff.org/, and seeing:


```
Browser, Bits of ID, Unique as in 1/x
User Agent 21.05, 2178474.5 [Mozilla/5.0 (X11; FreeBSD 9.2-RELEASE i386; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16]
HTTP_ACCEPT Headers, 8.59, 385.5 [text/html, */* gzip, deflate en]
Browser Plugin Details, 3.92, 15.17 [undefined]
Time Zone, 5.12, 34.78 [480]
Screen Size and Color Depth, 5.99, 63.46 [1600x900x24]
System Fonts, 2.59, 6.02 [No Flash or Java fonts detected]
Cookies Enabled, 0.43, 1.35 [Yes]
Limited supercookie test, 0.91, 1.88 [DOM localStorage:Yes, DOM sessionStorage:Yes, IE userData: No]
Your browser fingerprint appears to be unique among the 4,356,949 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 22.05 bits of identifying information.
```

I would like to reduce my fingerprint.  Just the USER AGENT string alone in Opera, combined with FreeBSD, makes me unique as 1 in over 2 million.  I know the settings under opera:config for this, but regardless of what I choose, it still detects FreeBSD and Opera.  And what is it about the HTTP_ACCEPT that is making me only 1 in nearly 400?  Time Zone is just GMT.  Can I kill the reporting of my Screen Size?  I dislike being a 1 in 4.4 million fingerprint when I'm on the Internet.

Thanks.


----------



## ChalkBored (Jul 25, 2014)

You can change the user agent string in Firefox in about:config by adding the setting general.useragent.override and setting the value to something like Chrome for Windows.

Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


----------



## Monti (Feb 8, 2016)

Just for the record, I use the "Random Agent Spoofer" (GPLv3 license) addon with www/firefox.

Another option is to install the JonDoFox profile for Firefox and select 'No Proxy'. It's originally set up for the JonDoNym network or Tor, but it can be used for regular browsing too by selecting 'No Proxy' with the 'JonDoFox Settings' addon icon. By also doing the test over at ip-check.info you can see what is being exposed.

Download (JonDoFox for Linux and BSD (TAR)) and verify the file from the page provided with the initial link. Unpack the TAR file and go to the folder in terminal. For easy MD5sum verification I use the DownThemAll! (GPLv2 license) "right click download option" addon.

Run the command with '`sh`' in terminal (not double clicking the script):

`sh install_jondofox.sh`

At first run, run www/firefox with the profile manager flag '`-p`' and select 'JonDoFox'.


----------



## ronaldlees (Feb 8, 2016)

I imagine you've visited Panopticlick.eff.org ...

There's a problem with changing the user-agent string if you do not simultaneously change all the other browser header strings.  If there is some (uncommon) mismatch (like the usual MS Edge user agent in combination with the usual Mac Safari http-accept string), you'll be unique with near certainty.  It requires a lot of thought, and the plugins don't necessarily aid in this process.

Sometimes it's a matter of an extra space (or lack thereof) in common strings.

With FreeBSD, there's yet another obstacle.  The FreeBSD network stack is identifiable by itself.  Most ad servers can identify whether or not it's FreeBSD, Linux, GoogleOS, or Windows (they each have different packet fingerprints).   Look up OS fingerprinting.  So, if your user-agent string says Mac, but your tcp/ip stack says FreeBSD, you're gonna be unique in the catalogue of the ad-spammer.  Sorry to say.
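To make the mismatch point measurable, here is an added Python example (not code from any poster) that computes the figure Panopticlick reports, surprisal in bits = log2(N / count), over a constructed population of browsers; the UA/Accept families and their counts are invented for illustration.

```python
"""Bits of identifying information, the measure Panopticlick reports, computed
as surprisal: log2(N / count), where count is how many of N observed browsers
share a value.  Added example; the population below is constructed, not data."""
from collections import Counter
from math import log2

# Constructed sample of 1000 observed browsers as (user-agent family, Accept
# header family).  Counts are invented to make the point, not measured.
POPULATION = (
    [("Chrome/Windows", "chrome-accept")] * 500
    + [("Firefox/Linux", "firefox-accept")] * 200
    + [("Safari/Mac", "safari-accept")] * 200
    + [("Edge/Windows", "edge-accept")] * 99
    # One browser whose user agent was spoofed to Edge but whose Accept header
    # is still the stock Safari one: the mismatch is what makes it stand out.
    + [("Edge/Windows", "safari-accept")]
)


def surprisal_bits(count, total):
    """Bits revealed by a value seen `count` times among `total` browsers.
    surprisal_bits(1, 2178474.5) reproduces the 21.05 bits / '1 in 2178474.5'
    user-agent figure from the Panopticlick output at the top of the thread."""
    return log2(total / count)


def attribute_bits(population, column):
    """Per-value surprisal for one attribute (column 0 = UA, 1 = Accept)."""
    total = len(population)
    counts = Counter(row[column] for row in population)
    return {value: surprisal_bits(n, total) for value, n in counts.items()}


def fingerprint_bits(population, row):
    """Surprisal of the whole combination, i.e. of the fingerprint as a tuple."""
    count = sum(1 for r in population if r == row)
    return surprisal_bits(count, len(population))


def mismatch_report(population, row):
    """Compare what each attribute leaks on its own with what the combination
    leaks.  Bits add up only for independent attributes: a negative excess
    means the attributes are redundant (a stock browser), a positive excess
    means the pairing itself is unusual (a spoofed UA with a foreign Accept)."""
    ua_bits = attribute_bits(population, 0)[row[0]]
    accept_bits = attribute_bits(population, 1)[row[1]]
    combined = fingerprint_bits(population, row)
    return {
        "ua_bits": ua_bits,
        "accept_bits": accept_bits,
        "combined_bits": combined,
        "excess_over_sum": combined - (ua_bits + accept_bits),
    }


if __name__ == "__main__":
    for row in [("Edge/Windows", "edge-accept"), ("Edge/Windows", "safari-accept")]:
        report = mismatch_report(POPULATION, row)
        print(row, {k: round(v, 2) for k, v in report.items()})
```

The stock Edge profile leaks about 3.3 bits in total, while the spoofed one is unique in the sample (about 10 bits) even though "Edge" and "Safari Accept" are each common on their own.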


----------



## ronaldlees (Feb 8, 2016)

The best thing might be to stay with the operating system you're really using, and then try to select the most common browser config.  This turns out to be really tough, because of auto-update and rapid browser version change-over.  It's slowly becoming an unwinnable game.  I have one box at about 1/9000 - and I call that pretty good.

The other option is to build a browser that (chameleon-like) changes its profile on every exchange, because the idea of the ad-tracker is to connect the dots, and a continuously changing profile would slow that down.

There's TOR, as one poster mentioned, but do you *really* want your webmail going through Mozambique?


----------



## johnblue (Feb 17, 2016)

Using only noscript and requestpolicy gets me:


> Currently, we estimate that your browser has a fingerprint that conveys 12.03 bits of identifying information.


I assume less is more, eh?


----------



## Crivens (Feb 17, 2016)

Maybe it's time to introduce Bobby Tables to the spammer networks... If you are singled out anyway, you may as well create some headaches for them. I'm one to half a million in that test, by the way, but that is still too much for my taste.


----------



## getopt (Feb 17, 2016)

ronaldlees
You can exclude countries you dislike by specifying a 2-letter ISO 3166 country code in your torrc. How to do this is explained here:
https://www.torproject.org/docs/faq#ChooseEntryExit


----------



## Deleted member 9563 (Feb 17, 2016)

I've fooled with this kind of thing on a copy of Iceweasel and in the end it really was just a way to learn stuff. I didn't achieve what I had hoped. The best way really is to install Torbrowser and don't change a thing (including window size) with that.

I find it too much trouble to use Torbrowser for everyday use though, so mostly use a VPN which gives a small amount of obfuscation to the adslingers.


----------



## shepper (Feb 17, 2016)

www/xombrero comes with detailed instructions on enabling tor browsing, about 4/5 of the way down on this page.

As far as browser fingerprinting goes, xombrero also offers round-robin user agents; from `~/.xombrero.conf`:

```
# "user_agent" can be set to just about anything, for a comprehensive
# list see: http://www.useragentstring.com/pages/All/ . If more than one
# "user_agent" is given, then xombrero will use them in a round-robin
# fashion for each request.
```

`<alt-j>` lists all cookies, which can be quickly cleared.  `<alt-h>` clears history.

Unfortunately, the FreeBSD port is broken at this time.


----------



## ronaldlees (Feb 18, 2016)

johnblue said:


> Using only noscript and requestpolicy gets me:
> 
> I assume less is more, eh?



Correct, less is more.  It's also true that javascript is probably the biggest contributor to making the fingerprint "closer to unique," through its ability to dig further into your details, using things like HTML5 canvas hashes, webgl hashes, etc.  Turning it off is the only way (on a recent browser) to get the numbers you've shown.  

The fly in the oil is that many of the most important sites don't work well without javascript, and unfortunately affiliates of those sites are the ones most likely to *want* your ad info.


----------



## Juha Nurmela (Feb 18, 2016)

Is this a contest?  1 in 6,464,738 and 22.62 bits of identifying information.

I haven't seen an ad in ages, thanks to Adblock+ and

```
local-zone: "almamedia.fi." static
```

(local tabloid "giant") in unbound configuration.

Juha


----------



## ronaldlees (Feb 18, 2016)

```
local-zone: "almamedia.fi." static
```
+1


----------



## johnblue (Feb 19, 2016)

ronaldlees said:


> The fly in the oil is that many of the most important sites don't work well without javascript, and unfortunately affiliates of those sites are the ones most likely to *want* your ad info.


"don't work well without javascript" is somewhat of a subjective sidestep that is typically bantered around because people assume that web browser javascript can either be on or off as a whole.  Reality is more nuanced and given that high traffic sites typically pull in outside code to construct the page is why noscript and requestpolicy should be used in tandem.

It has been my experience that you can generally allow noscript to enable javascript at the root FQDN of a website without much of an issue.  Based upon what is called from the root, you can allow scripts that will restore functionality while disallowing the ones you don't want.  If you think of noscript as your heavy lifter, requestpolicy is your forward recon ops squad.  requestpolicy tells you what is being requested to be loaded from outside of the root FQDN and that really is key to effective blocking.

googletagmanager.com wants to load?  umm .. I don't think so.  Recently, my insurance company went with some stupid salesforce.com backend with a bunch of hooks to outside websites.  In this particular case, the functionality of simply paying my bill could not be restored without enabling GTM, Facebook et al.  To work around this, I used Fiddler to intercept the evil .js calls and instead it loads a local .js file:






That local file simply opens a dialog box so I know where the site is at in its loading:

```
alert('fbds.js')
```
The noscript / requestpolicy posture is not for everyone and I rarely will recommend it in conversations due to its nearly vertical learning curve but I enjoy the fine grained control it allows.


----------



## Carpetsmoker (Feb 21, 2016)

Hiding your footprint is, unfortunately, nigh-impossible.

Changing your user-agent reveals less information, but it doesn't stop sites from guessing the browser. This can be done in Javascript as well by accessing things like window.mozContact, window.opera, and some other variables I don't remember off-hand. I believe WebKit even stores the full version number somewhere in JS. I'm not sure if you can also "guess" the OS this way, but it's very feasible that this is possible.

Disabling Javascript would appear to "fix" this, but having Javascript disabled is in itself an identifying feature. The same applies to disabling things like Flash or localStorage; no "supercookies", but you are a lot more identifiable.

It's also broken from a functional point-of-view. For example, a few days ago I ran into a problem where hyphenation works on all browsers, *except* Safari on OSX; for some reason it shows a 9 instead of a dash. I have no idea why, but I suspect it's a Safari bug, and until I have time to investigate (and possibly fix) it I just disabled hyphenation for Safari only. This would break if you do funny things like spoofing user agents.

In short, IMHO hiding your footprint is not feasible without making severe compromises. I feel this is a problem that should be addressed at the legislative level; the EU "cookie law" is an attempt, but it's stupid, ineffectual, and annoying to boot.


----------



## shepper (Feb 21, 2016)

Carpetsmoker said:


> Disabling Javascript would appear to "fix" this, but having Javascript disabled is in itself an identifying feature





ronaldlees said:


> The fly in the oil is that many of the most important sites don't work well without javascript, and unfortunately affiliates of those sites are the ones most likely to *want* your ad info



The other neat thing about www/xombrero is that `<ctl-j>` will toggle javascript on/off - get to your destination site and then turn it on.  `<alt-j>` lets you delete cookies in another tab on the fly.  I wonder how much I stand out with the round robin user-agents and javascript that comes and goes?

Brings to mind a passage in Alice's Restaurant - "if one person does it they think you're crazy, if two people do it in harmony, they think you're gay".  "And if 50 people a day, 50 people a day then it's a movement."


----------



## ronaldlees (Feb 26, 2016)

I remember  a few years back, Ebay was having some fraud resolution issues, and was barring logins from people who tried to sign on with a different browser than (apparently) what had been recorded as the "usual browser" for that person.

I had to call a certain telephone number, and give them security details before they would allow the "new browser".   I had to do this frequently for a while because I was experimenting with many different setups.  Well - that hasn't changed much.  

Today I tried to use Ebay without javascript (I've done it often in the past).  No dice.   Now, they demand javascript to use the site.  So now I guess my Netsurf won't cut it.  I wonder if they're still identifying browsers (as they did before) - but now want the extra bits that javascript gives them, for verification purposes?


----------



## cockroach (Mar 8, 2016)

One thing that I have been wondering is why browsers are so verbose with their version information, eg. my current browser says "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0" (no FreeBSD this time I'm afraid). Why can't it just say "Firefox 38"? That alone would already make people quite a bit less unique while still providing enough information for browser-specific tweaks.

Most of the time I just set the user agent to an empty string, which brings its own issues -- some sites will refuse to load (because hey, I could be trying to scrape your website without pretending to be IE) while others create infinite redirection loops. Plus I suppose an empty user agent is only marginally less unique than the string above.


----------



## drhowarddrfine (Mar 8, 2016)

cockroach The User Agent information you see is for legacy software that still uses that information. Even Microsoft's Edge still IDs itself as Gecko, iirc. I just woke up so I may blurt things out slightly incorrectly. 

There are services that look at the User Agent string to determine capability of the browser and which device you may be on; mobile vs desktop for example. So IDing it as Firefox 38 does no good if I serve you one page one way on mobile and a different way on a desktop.


----------



## shepper (Mar 8, 2016)

ronaldlees said:


> Today I tried to use Ebay without javascript (I've done it often in the past). No dice. Now, they demand javascript to use the site. So now I guess my Netsurf won't cut it. I wonder if they're still identifying browsers (as they did before) - but now want the extra bits that javascript gives them, for verification purposes?



NetSurf is working on it:


> NetSurf 3.4 released 17 Feb 2016
> NetSurf 3.4 features many optimisations to improve performance over previous releases. It also contains many bug fixes, including improvements to page layout. This is also the first release to contain the Duktape JavaScript engine. While our JavaScript bindings have seen a lot of development for this release, JavaScript remains disabled by default as the support is incomplete. We recommend all users upgrade to NetSurf 3.4.


----------



## drhowarddrfine (Mar 8, 2016)

I forgot to address the javascript issue.

Javascript is becoming as ubiquitous as HTML and CSS on web sites. Done properly, a site should allow all the functionality without javascript but market forces often deem it "necessary" to add pizzazz or responsive speed and the developer has no choice. Or there aren't enough developers to make all that happen so pizzazz wins out. 

In almost all cases, this fear of javascript is unwarranted. Legitimate sites use it for two reasons only; marketing and functionality. Marketing to learn what their customer is interested in. Functionality for speed and pizzazz.


----------



## shepper (Mar 8, 2016)

drhowarddrfine said:


> In almost all cases, this fear of javascript is unwarranted. Legitimate sites use it for two reasons only; marketing and functionality. Marketing to learn what their customer is interested in. Functionality for speed and pizzazz.



I have a sense that a lot of javascript is buggy.  I run an OpenBSD machine that does not tolerate memory leaks (?privilege separation/regular sanitizing of 1/2 the free memory).  If I go to a site with embedded videos using Firefox-esr/Webkit3 browsers they will often core dump.  If I use Netsurf or Xombrero, with javascript toggled off, I can view the same site without problems.  For me the issue is not one of fear but rather the degree of security compromise I should tolerate in order to access content.


----------



## drhowarddrfine (Mar 8, 2016)

shepper Well, that fear of security is what most people mean and what I talk about. Mostly unfounded.

As far as buggy javascript, you're right. I'd bet 80% of all web site programmers' sole javascript knowledge is how to copy/paste from Stackoverflow.


----------



## shepper (Mar 8, 2016)

On the topic of fingerprinting, `<alt-j>` in www/xombrero quickly lists the current cookies.  Starting with no cookies, if I look at the CNN web site, I end up with about 30 cookies.  Why do I end up with a linkedin cookie and a .linkedin cookie?  My understanding is that 30 cookies, each with unique time/date stamps, is another fingerprint.  I compulsively delete them;  not an ounce of sympathy for the effort it took to load them in the first place.

Addon:  I would also suggest that if the practice of deleting cookies was widespread it would significantly lessen the value of cookies as a means of tracking.  Perhaps to the point that value that is gained from cookies is outweighed by the resources it takes to place them.


----------



## drhowarddrfine (Mar 8, 2016)

In my case, cookies are used to let me know if you already visited that page so I don't show you something you already saw or did so you don't have to see or do it again. For example, one site flashes their slogan on first visit but not after that.  It stores any view settings you might make like language preferences or if you prefer to stay logged in. These bigger sites have advertisers who want to know the same thing, or slightly different, in their own way. Sometimes it sets what your device is so I can serve better pages for that. And on and on. iow, it's mostly for saving settings than anything else.

In fact, the vast majority of sites don't do much more than that with cookies.


----------



## Deleted member 9563 (Mar 8, 2016)

drhowarddrfine said:


> . . . like language preferences or if you prefer to stay logged in. These bigger sites have advertisers who want to know the same thing, or slightly different, in their own way. Sometimes it sets what your device is so I can serve better pages for that. And on and on. . . .
> 
> In fact, the vast majority of sites don't do much more than that with cookies.



Don't do much more? For somebody whose threat model includes browser fingerprinting, that's probably already way over the top.


----------



## shepper (Mar 9, 2016)

drhowarddrfine said:


> In fact, the vast majority of sites don't do much more than that with cookies.


These are the cookies I accumulated with one visit to www.nytimes.com.  I did not click on any content and my browser core dumped as I scrolled to the bottom.



> .imrworldwide.com
> 
> [ Remove All From This Domain ]
> Type Name Value Path Expires Secure HTTP
> ...


I would wager that .nr-data.net, .twitter.com, pixel.keywee.co, .flite.com, .scorecardresearch.com and .doubleclick.net have nothing to do with providing me with a quality browsing experience.


----------



## drhowarddrfine (Mar 9, 2016)

OJ said:


> For somebody who's threat model includes browser fingerprinting


I haven't a clue what you are talking about. And "fingerprinting" always sounds to me like link bait versus reality.

shepper As I think I said (but didn't look back to see if I did), big sites, such as the one you showed, have so much advertising associated with them, I'm not surprised but, again, it's for marketing purposes. No different than when you buy something from my little corner restaurant and I get your address or your local department store. I keep track of what you bought so the next time you come in I can market toward that. In fact, they did that to me when I was a kid in the 1960s and I bought something for my Dad for his birthday.



shepper said:


> have nothing to do with providing me with a quality browsing experience.


Of course it might. Maybe you don't get brassiere ads anymore but you do get ads for fishing gear like the one you were searching for on Amazon yesterday. Or you won't, at least, see the same ad over and over again.

If nothing else, it might show the NYTimes that you, along with thousands of others, don't care about visiting certain pages. Then those pages get removed from their site due to a lack of interest.

And don't forget that you don't have to login and the site saved the last page you were reading you're welcome very much.

That's what cookies are used for. And more creative things which I can't recall at the moment. Meh. So, what? Me, worry? No.


----------



## Deleted member 9563 (Mar 9, 2016)

drhowarddrfine said:


> I haven't a clue what you are talking about. And "fingerprinting" always sounds to me like link bait versus reality.



"Fingerprinting" is in the subject title, and "threat model" is a security term. (see here)

For a quick sense of the range one might consider in a browser have a look at the Tor browser privacy and security settings.


----------



## drhowarddrfine (Mar 9, 2016)

OJ I know what they are. I thought you were talking about some specific person or article.


----------



## protocelt (Mar 9, 2016)

I block all cookies and most javascript most of the time with a few exceptions. Both can be convenient and useful to both users and websites but can also be used maliciously. Besides that, my online browsing habits are really none of anyone's business. That said I do understand their use and am not against that as long as I have a choice in blocking them.

As far as fingerprinting itself, my understanding is it's almost impossible to do fully though admittedly it's above my knowledge level.


----------



## shepper (Mar 9, 2016)

protocelt said:


> As far as fingerprinting itself, my understanding is it's almost impossible to do fully though admittedly it's above my knowledge level.



Actually, I think it is currently being done.  The same NYTimes site I referenced provides viewing of 10 free articles/month.  Exceed 10 and a javascript, to pay a subscription, materializes over the content making it unreadable.  In xombrero, I can delete all history, cookies,  change the user agent and delete ~/.xombrero.  After doing all that, my article tally does not change.

Edit:  Toggling javascript off in xombrero and the subscription window, that obscures the content, is closed and the content becomes readable.  If I then fire up my Debian system and look at the NYTimes with Iceweasel, I will also have a new article tally.


----------



## ronaldlees (Mar 9, 2016)

drhowarddrfine said:


> I haven't a clue what you are talking about. And "fingerprinting" always sounds to me like link bait versus reality.
> ...
> shepper  No different than when you buy something from my little corner restaurant and I get your address or your local department store. I keep track of what you bought so the next time you come in I can market toward that. In fact, they did that to me when I was a kid in the 1960s and I bought something for my Dad for his birthday.
> ...



It's always a matter of whose ox is being gored.  Dr Howard is in the biz, so would have an opinion that leans towards what he perceives is necessary to make biz sites work.

I feel my ox gets gored in a couple of ways.  The first, and most obvious way, is that they "take" my address from me.  I don't voluntarily give it to them.  In Europe, "not taking" someone's particulars is called "opt-in" while in the US "taking" the particulars is called "opt-out".   I think the US needs to implement some of those EU legislation bills relative to "opt-in".

It's not really the same as handing over your address in the department store.


----------



## protocelt (Mar 9, 2016)

shepper said:


> Actually, I think it is currently being done.  The same NYTimes site I referenced provides viewing of 10 free articles/month.  Exceed 10 and a javascript, to pay a subscription, materializes over the content making it unreadable.  In xombrero, I can delete all history, cookies,  change the user agent and delete ~/.xombrero.  After doing all that, my article tally does not change.


I was under the impression that fingerprinting also encompassed browser uniqueness as well. Is that not the case?


----------



## ronaldlees (Mar 9, 2016)

It's true that if I know all the technical details, I can make the browser refuse to cooperate with the "taking" of my address, ID number ... fingerprint ... or whatever else you want to call it.   Disabling javascript in some browsers is neither obvious nor necessarily easy (especially for the 99 percent).  So, if some arcane configuration is needed to "opt out" - that is not good enough from my perspective.  In the US, not only do we have "opt out" but we often make that nearly impossible for regular folks to do.

So, it's like saying it's OK to swipe your address/ID number/etc  from your pocket, because you didn't button the flap.

While it may be true that you have accepted this situation, if you follow the "legal terms" link, or some such, but an indirect, fine print disclaimer is often disqualified in contract/biz law, etc.  This part of the problem is really on the browser end, rather than the site end, because when you go to a site you're presenting what you present, in public. So, the legislation would involve browser makers.  We might say the browser vendors make it too easy to leave the pocket flap unbuttoned.


----------



## Deleted member 9563 (Mar 9, 2016)

ronaldlees said:


> This part of the problem is really on the browser end, rather than the site end, . . .


I agree that browsers could do a lot to help here. That said, the Tor Browser seems to do that quite nicely. It's simply a version of regular Firefox which is adapted to privacy needs and comes with Tor already. It installs like any other browser with a click or two. The browsing experience is pretty normal with the security slider set to low, which is the default.


----------



## ronaldlees (Mar 9, 2016)

OJ said:


> I agree that browsers could do a lot to help here. That said, the Tor Browser seems to do that quite nicely. It's simply a version of regular Firefox which is adapted to privacy needs and comes with Tor already. It installs like any other browser with a click or two. The browsing experience is pretty normal with the security slider set to low, which is the default.



I don't know how much I'd trust Tor beyond just obscuring my fingerprint from (relatively) benign sites.  Additionally, you're routing your traffic through the nether regions of the world, potentially.  Are the nether regions better?  Good question.

I think the term "swipe" in my previous message is a bit harsh.  Of course, if you leave the pocket flap open, it's possible to say that you're making some of your info public (since it's easy to see the edge of the VISA card, and know you're a VISA user).  But getting a fingerprint, in my mind, is more like scanning a person with x-rays, in the sense that much more effort is then applied to ferret out a way to subsequently identify a patron.  The bottom line though, is that the patron probably doesn't realize the pocket's not buttoned, and his underwear is showing.  This may be because of his posture in life.


----------



## shepper (Mar 9, 2016)

ronaldlees said:


> But, getting a fingerprint, in my mind is more like scanning a person with xrays, in the sense that much more effort is then applied to ferret out a way to subsequently identify a patron.



To me the wonder of the Internet is that it allows one to quickly gather information.  I'll date myself by remembering when I went to the library, with a pack of 3x5 cards and manually searched for relevant articles.  Even though I now search for information from home, I feel like I'm wearing an ankle bracelet or being shadowed.  I wonder if it matters that I read content written by Glen Greenwald at theintercept.com?


----------



## drhowarddrfine (Mar 9, 2016)

Most of the fingerprinting stuff is innocuous. I don't know what's to be lost in that. As far as getting your address, I assume you mean IP, it must be known to respond to you, as you know, so how do you get around that. If by using Tor, then you are putting everything you do in the hands of untrusted people.


----------



## Deleted member 9563 (Mar 10, 2016)

ronaldlees said:


> I don't know how much I'd trust Tor beyond just obscuring my fingerprint from (relatively) benign sites. Additionally, you're routing your traffic through the nether regions of the world, potentially. Are the nether regions better? Good question.



No idea what you mean by "nether regions". It sounds like a pejorative.   If, by chance, you're interested in Tor here is the description. There's a FAQ here.



drhowarddrfine said:


> Most of the fingerprinting stuff is innocuous. I don't know what's to be lost in that. As far as getting your address, I assume you mean IP, it must be known to respond to you, as you know, so how do you get around that.



I agree that most fingerprinting is indeed innocuous. Although I use a VPN for most regular on-line use I can be easily traced through the server anyway. I have basically no anonymity except for IP as a website would see it. I'm not too worried about me as an individual. Few people are easier to find on the net. However, there are some principles that are important to me and which relate here. It only takes one bad actor to make ubiquitous tracking worth avoiding. I'm not the least bit concerned about the way you do it with your websites - seems fine to me - but the fact that www users can be surveilled using these methods (and taking advantage of the whole framework) makes me want to minimize the effectiveness of that.



drhowarddrfine said:


> If by using Tor, then you are putting everything you do in the hands of untrusted people.



Trust, of course, is a central subject in security. Most of the web does a very poor job of addressing trust and generally only does so minimally through the use of certificates. Tor considers the trust issue much more comprehensively by using a model of distributed trust. I'm sorry, but to just refer to putting "everything you do in the hands of untrusted people" sounds like a slur to me. There's a lot of easily digested information in the TOR FAQ, but this paper by Roger Dingledine is a bit more academic.

In all, I highly recommend that people actually study the workings of Tor before making off the cuff or pejorative comments about it and its use. Nevertheless, my earlier comment about using the Tor Browser was not meant to be a recommendation of Tor itself, but rather to point out that the Tor Browser being simply a recent version of Firefox could likely easily be replicated without Tor support for the purpose of having a browser which makes privacy issues easy to manage for a casual user simply by moving a slider.


----------



## Maxnix (Mar 10, 2016)

ronaldlees said:


> I don't know how much I'd trust Tor beyond just obscuring my fingerprint from (relatively) benign sites. Additionally, you're routing your traffic through the nether regions of the world, potentially. Are the nether regions better? Good question.


As far as I know, obscuring the fingerprint is a peculiarity of the Tor browser itself (being a modified version of the official firefox) more than of the Tor network.
That said, you are right about routing the traffic through possibly untrusted regions; and if perhaps you may not care about relays, you should about Tor exit points. Indeed, even if using Tor, it's important to use https for browsing.
Here is an infographic from the EFF.


----------



## getopt (Mar 10, 2016)

drhowarddrfine said:


> If by using Tor, then you are putting everything you do in the hands of untrusted people.


You miss the point. People should rather think of the whole Internet as an untrustworthy area. Depending on who uses an Intranet and how it is separated from the Internet you may have similar problems even there.

Tor is designed for anonymity and really nothing else. And this feature Tor covers pretty well. When you are using Tor you need to encrypt from end to end. And encrypting is clearly the task of the user himself.

Trusting in the Internet is not always a wise behavior. In fact it is a big problem as the quality of trust can only be evaluated in hindsight.


----------



## getopt (Mar 10, 2016)

For those interested in Internet-related fingerprinting here is some stuff for reading:



> The paper "FPDetective: Dusting the Web for Fingerprinters" (PDF) describes the first comprehensive effort to measure the prevalence of device fingerprinting on the Internet.


https://www.cosic.esat.kuleuven.be/fpdetective/



> The Web never forgets: Persistent tracking mechanisms in the wild is the first large-scale study of three advanced web tracking mechanisms - canvas fingerprinting, evercookies and use of "cookie syncing" in conjunction with evercookies.


https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html

Those using Tor might be interested in the following, as fingerprinting is a method attacking anonymity:
http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html

I do know that those who are talking here about fingerprinting like "So what? I do not care" probably won't study it. And even more probably they won't stop talking like they did before.


----------



## ronaldlees (Mar 10, 2016)

OJ said:


> No idea what you mean by "nether regions". It sounds like a pejorative.   If, by chance, you're interested in Tor here is the description. There's a FAQ here.



Sorry.   "Nether regions" came through my syntax checker erroneously, and conveys an entirely inaccurate thought.  I meant what MaxNix said.   Anyway, who knows?  Poor third world countries have less money/resources/technology to waste on tracking my many trips to forums.freebsd.org, so may in fact be less likely to engage in certain types of surveillance.  

Overall, I think I must agree with the quote Maxnix used, apparently attributed to Theo de Raadt:



> The world doesn't live off jam and fancy perfumes - it lives off bread and meat and potatoes. Nothing changes. All the big fancy stuff is sloppy stuff that crashes. I don't need dancing baloney - I need stuff that works. -- Theo de Raadt



Outside of Netsurf, major graphical browsers are in the "big fancy stuff" category, and that includes what's in the Tor bundle.   I haven't looked at any code, am sure that I can't really have an opinion about whether or not any of it is "sloppy" - and I'm sure the applicable parties work very hard to make it all nice and tidy.  It's a tough job, no doubt. 

There is a common thread among the legendary software personalities of the stratosphere ... De Raadt, Stallman, etc.  They all are engaged in a seemingly futile battle to use the most simple technology, that which is more easily vetted for problems, to do ordinary tasks that the commercial world tries hard to keep them from doing (via the use of that simple technology).   On the RMS site, IIRC - there was a blurb about that particular person of legend, and his preferred browsing and email reading technology (all text browsers, text mode stuff, nothing fancy at all). 

By my reckoning, they all have "too much knowledge" and (seemingly) little trust in the software that the ordinary mortals use (the 99 percent).  Or, maybe they just like it simple.  Like me.


----------



## drhowarddrfine (Mar 10, 2016)

getopt said:


> You miss the point.
> ...
> Trusting in the Internet is not always a wise behavior.


Well, you're missing my point. When you visit a site, you generally know what you're getting into. With Tor, you have no clue who's handling your traffic and if they're doing anything with it. Not a slur, as OJ stated earlier.

Many, here, are showing concern about using the internet cause there are bad people out there. There are bad people walking down your street, too, but you don't cloak yourself before going out your door, cover up your street address, and so on. The internet doesn't know anything more about you than you tell it. Knowing which browser you use and OS isn't saying anything worthwhile. 

I am more concerned about making sure who I am communicating with is who they say they are than someone knowing something about me randomly just by surfing the web.


----------



## Deleted member 9563 (Mar 10, 2016)

ronaldlees said:


> Sorry. "Nether regions" came through my syntax checker erroneously, and conveys an entirely inaccurate thought. I meant what MaxNix said. Anyway, who knows? Poor third world countries have less money/resources/technology to waste on tracking my many trips to forums.freebsd.org, so may in fact be less likely to engage in certain types of surveillance.



I don't think that the location of who is doing the surveillance is important. Both Five Eyes and major western commercial concerns make profiles based on information gathered on the whole net. FVEY has direct taps in many places.



ronaldlees said:


> Outside of Netsurf, major graphical browsers are in the "big fancy stuff" category, and that includes what's in the Tor bundle. I haven't looked at any code, am sure that I can't really have an opinion about whether or not any of it is "sloppy" - and I'm sure the applicable parties work very hard to make it all nice and tidy. It's a tough job, no doubt.



The Tor bundle is deprecated. Please don't use it.

Tor is a very sophisticated piece of software that was started in the 90s by the United States Naval Research Laboratory and a lot of money has been put into it. Look into how it works and you'll be amazed.


----------



## Deleted member 9563 (Mar 10, 2016)

drhowarddrfine said:


> Well, you're missing my point. When you visit a site, you generally know what you're getting into. With Tor, you have no clue who's handling your traffic and if they're doing anything with it. Not a slur, as OJ stated earlier.



Why does it matter who's handling the traffic?



drhowarddrfine said:


> Many, here, are showing concern about using the internet cause there are bad people out there. There are bad people walking down your street, too, but you don't cloak yourself before going out your door, cover up your street address, and so on. The internet doesn't know anything more about you than you tell it. Knowing which browser you use and OS isn't saying anything worthwhile.



Anything is "worthwhile" because when you put it together it associates you with your history and you do become an individual by simply running a targeted search. Surely you've read about the processes which Snowden has detailed, but you will note that Google and Facebook have similar capabilities. 



drhowarddrfine said:


> I am more concerned about making sure who I am communicating with is who they say they are than someone knowing something about me randomly just by surfing the web.



Fair enough, but surveillance is not usually a matter of individuals being targeted but rather information on everybody being gathered. How that information is processed now is not the only issue. 

I think the OP was interested in not having his browser identified and had pointed out how this and related information makes him unique. Whether one is against mass surveillance or not is a personal choice that someone should be allowed to make and I can't see an argument for making it mandatory.

PS: Tor solves the browser identity problem by having all users appear alike. This is a solution they adopted after much research into the problem.


----------



## Maxnix (Mar 10, 2016)

ronaldlees,


ronaldlees said:


> apparently attributed to Theo de Raadt



Yeah, it's him.  You can read the full article here (it's a bit dated, but the meaning has not changed): http://www.itwire.com/opinion-and-a...onthly-releases-openbsd-shows-the-way?start=1



ronaldlees said:


> Outside of Netsurf, major graphical browsers are in the "big fancy stuff" category


Right. It seems that including more and more functionality (at any cost) is the main aim (even if I would spare Opera; at least I find it less bloated than others). But perhaps it's just my perception.



ronaldlees said:


> and that includes what's in the Tor bundle.


I don't know if it can be called sloppy, but, at least in my experience, Firefox is generally becoming more and more heavy and resource consuming.



ronaldlees said:


> By my reckoning, they all have "too much knowledge" and (seemingly) little trust in the software that the ordinary mortals use (the 99 percent). Or, maybe they just like it simple.


IMO both.  After all, as I said before, including more and more seems to be the only important thing.

drhowarddrfine,


drhowarddrfine said:


> The internet doesn't know anything more about you than you tell it.


Well, this is not always true (or it can only refer to data explicitly submitted by the user). Websites can collect more information about those who visit them than users may want or know. The last link posted by getopt explains it very well:


getopt said:


> Those using Tor might be interested in the following, as fingerprinting is a method attacking anonymity:
> http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html



There are of course even sites that use such technologies only to offer a better experience, but before really trusting a site I would be very careful.


----------



## getopt (Mar 10, 2016)

drhowarddrfine said:


> When you visit a site, you generally know what you're getting into.



Really? I have to admit, that I do not have such capabilities.

First of all you have the right to say such sentences as it is protected by Freedom of Speech and is a matter of dissent and truth.

Your sentence might be the description of your honorable perception, but ...

... what can be known ex ante?
... "generally knowing" is a really big word!
... undercomplex models provide a limited reach of findings

Let's take an example for a restaurant owner:

A customer is going to pay the bill you presented to him.
He is giving you a piece of paper that looks like a hundred Dollar note.
Do you generally know what you are getting?
And what about smaller Dollar notes? Can you ever be sure?

Now don't come across saying this is a wrong example. It was you presenting this:


> "There are bad people walking down your street, too, but you don't cloak yourself before going out your door, cover up your street address, and so on."



Remember we talk about security aspects. Shared basic knowledge in industry is that 100% security simply cannot be achieved, as one can generally never know. But risks can be minimized by taking appropriate steps.


----------



## drhowarddrfine (Mar 10, 2016)

getopt Your examples only prove what I was saying in my quote. Yes, people know what they're getting when they exchange money with a restaurant they are visiting. Yes, sometimes things go wrong. No, hardly anything ever goes wrong.

In your first sentence, you seem to be saying that if you visit Amazon to browse for books, you have no expectations of how that will turn out. I find that strange. (And my point is that your expectations are more predictable than if you visit Joe Death's Meth Emporium.)


----------



## Deleted member 9563 (Mar 11, 2016)

getopt said:


> I do know, that those who are talking here about fingerprinting like "So what? I do not care" probably won't study it. And even more probably they won't stop talking like they did before.



looks like


----------



## Crivens (Mar 11, 2016)

Why tracking and piling up data about you is bad is explained here in some detail.


----------



## Crivens (Mar 11, 2016)

getopt: The "Meth Emporium" most likely is a placeholder name for whatever drug den of ill repute can be found around the city you live in. And the owner 'Joe Death' may be the same kind of person who is called 'honest Al' when selling used cars. Does this make things clear, or am I wrong on the interpretation of what drhowarddrfine said?


----------



## drhowarddrfine (Mar 11, 2016)

getopt Crivens is saying what I was meaning. Your expectations from visiting Amazon are totally different than if you were to visit a shady web site like the one I mentioned. You feel more comfortable visiting Amazon than an unknown "Honest Al's" don't you?

Your first paragraph is a complaint about marketing. Every company in the world targets customers based on their previous inquiries and purchases.


----------



## drhowarddrfine (Mar 12, 2016)

getopt said:


> I personally would not feel more comfortable clicking unprotected on sites like Amazon, because they are tracking visitors.


Which leads me back to one of my original points. Everyone is tracking you as much as they can and have been doing so since time immemorial. Again. It's marketing. No one cares about you. It's not personal. You're just a number and a sales objective. It's just that nowadays people immediately think Macy's is selling your DNA to the NSA. It makes great headlines cause it sells newspapers.


----------



## Deleted member 9563 (Mar 12, 2016)

drhowarddrfine said:


> Which leads me back to one of my original points. Everyone is tracking you as much as they can and have been doing so since time immemorial. Again. It's marketing.



Marketing is fine. Surveillance is not. Recent years of internet development have seen marketers cross the line.



> No one cares about you. It's not personal. You're just a number and a sales objective. It's just that nowadays people immediately think Macy's is selling your DNA to the NSA. It makes great headlines cause it sells newspapers.



What do you mean that no one cares about me? I do!

What do you think Wheeler is on about with his recent effort to make gathering of information by ISPs opt-in? (In case you're not from North America, here's an article.) By the way, I don't read FCC proposals because they make great headlines. And I'm fairly certain that FCC chairman Tom Wheeler is not trying to sell newspapers. These things are actual issues of concern for many people. That you may poo poo them is fine, but please don't assume it is trivial to everybody just because you don't agree or don't follow Wheeler's line of reasoning.


----------



## Deleted member 9563 (Mar 12, 2016)

getopt said:


> Those using Tor might be interested in the following, as fingerprinting is a method attacking anonymity:
> http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html



Sorry, I couldn't leave that alone - especially after reading the article and thinking about it. From what I understand those are pretty old techniques. Yes, it's a good blog post but at the end he makes an outrageous statement. You may have caught it:



> It is easy to fingerprint users using tor browser to track their activity online and correlate their visits to different pages.



It is one thing to fingerprint a user when you know the user and have control of where they're connecting, but it is quite another to make a correlation within the Tor framework. One would have to first identify the user on a non-Tor site and then while she's logged in there, correlate that fingerprint with the "hidden" service connection. And the person being attacked would have to have javascript turned on (which they most certainly wouldn't do if they were paranoid), and both sites would have to be owned or under control of the same entity. As you see, it's getting pretty far fetched.


----------



## tingo (Mar 12, 2016)

OJ said:


> It is one thing to fingerprint a user when you know the user and have control of where they're connecting, but it is quite another to make a correlation within the Tor framework. One would have to first identify the user on a non-Tor site and then while she's logged in there, correlate that fingerprint with the "hidden" service connection. And the person being attacked would have to have javascript turned on (which they most certainly wouldn't do if they were paranoid), and both sites would have to be owned or under control of the same entity. As you see, it's getting pretty far fetched.


Well, it depends on what the "fingerprint" is, doesn't it? If the site (or ad system on the site) is able to get an accurate fingerprint from just the browser you are using, they don't need to worry about whether you are connecting through TOR or not.
To reduce the likelihood of this happening you should always use a different browser (than your "normal" one) when you are using TOR.


----------



## Deleted member 9563 (Mar 12, 2016)

tingo said:


> Well, it depends on what the "fingerprint" is, doesn't it? If the site (or ad system on the site) is able to get an accurate fingerprint from just the browser you are using, they don't need to worry about whether you are connecting through TOR or not.



The browser fingerprint is the same from all Tor Browsers, with the exception that if you're using an older version (which is bad) you will have an earlier print. I can confirm this from looking at logs on my onion servers.



tingo said:


> To reduce the likelihood of this happening you should always use a different browser (than your "normal" one) when you are using TOR.



It's a very bad idea to use another browser with tor. If you read Tor FAQs you will see that it is in fact strongly advised not to. Always use the Tor Browser. It works very well so there's really no reason not to anyway.

BTW, since I know you to be very knowledgeable I'm thinking that there's probably a lot of outdated information out there which those who don't actively keep up with Tor (and fair enough) will be working with. I've seen other comments in this thread which seem to be based on very old information as well.


----------



## drhowarddrfine (Mar 12, 2016)

> What do you mean that no one cares about me? I do!



Again, I'm talking marketers. You are making it about someone standing outside your house watching your every move.

I try never to involve myself in these discussions anymore so I'm going to stop now.


----------



## ronaldlees (Mar 12, 2016)

Perhaps it would help to get back to the original poster's question, relating to the technical detail applicable to fingerprint reduction.  

From the OP:


> I dislike being a 1 in 4.4 million fingerprint when I'm on the Internet.



On that note I checked panopticlick.eff.org yesterday, and it seemed to be reset to only 100,000 total samples.  Did they change their algorithm enough to warrant a reset?  Is anyone else here seeing the same (low) number?   

panopticlick.eff.org


----------



## ronaldlees (Mar 12, 2016)

I think they're playing with the algorithm or something.  Today I get a "several hundred thousand" sample total on my result.


----------



## tingo (Mar 17, 2016)

OJ said:


> The browser fingerprint is the same from all Tor Browsers, with the exception that if you're using an older version (which is bad) you will have an earlier print. I can confirm this from looking at logs on my onion servers.
> 
> 
> 
> It's a very bad idea to use another browser with tor. If you read Tor FAQs you will see that it is in fact strongly advised not to. Always use the Tor Browser. It works very well so there's really no reason not to anyway.


Ok, just turn it around then; your "normal" browser should be a different browser than the one you use with TOR (and it probably is). You get the idea.


----------



## Deleted member 9563 (Mar 18, 2016)

tingo said:


> Ok, just turn it around then; your "normal" browser should be a different browser than the one you use with TOR (and it probably is). You get the idea.



We're probably in agreement here and it is me that doesn't understand what you're saying, but I just want to make sure.  There is only one Tor Browser. Using Tor separately with a browser is never done.


----------



## max21 (Mar 18, 2016)

ronaldlees said:


> Perhaps it would help to get back to the original poster's question, relating to the technical detail applicable to fingerprint reduction.
> 
> From the OP:
> 
> ...


I went to their site a few hours ago and got a different format that said I was something like 257,000 and 12.7.  I just did it again about ten minutes ago and the format was different, with these exact ratings.  I think they may be modifying the algorithm as we speak.  I wonder whether they have found something interesting since this thread, or are receiving more hits and conversations about them elsewhere since this thread [un_x, Jul 24, 2014] came back up just a little over a month ago.

```
Within our dataset of several hundred thousand visitors, only one in 68668.5 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 16.07 bits of identifying information.
```

Is this good, fair or bad?  I don't understand the "less is more" thing, but maybe panopticlick saw something in that statement and is trying to make changes for some reason.

Anyway, there is no excuse not to protect yourself against any kind of INTERNET activity.   About fingerprinting …  I keep my browser(s) clean.  I use one portable Opera for banking, and another for my most trusted sites, and in the rest of them I have everything turned off and more.  I kill GEO through about:config, which works for all Firefox, and opera:config, which only works for Opera 12, to keep the world from tracking me.  At install time I disconnect.  At first run I grab all affiliated sites that are built into the browser and I block them all until it's time to upgrade. I'm sure I still get fingerprinted when I don't want to, but I will soon allow only a few to do it thanks to the hints in this thread.  I've been very close already.  I like my VPN provider.  I might Tor to them now that I've learned so much about it, right here!
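To put numbers on the "less is more" question above and on the earlier point that Tor Browser makes every user look alike, here is an added example (not code from the thread or from Panopticlick) that converts "one in N browsers share your fingerprint" to bits and back, and computes the anonymity set of a fingerprint inside a constructed visitor population:

```javascript
// Added example, not from the thread: Panopticlick-style "bits of identifying
// information" versus "one in N browsers share your fingerprint", and why a
// smaller number of bits is better for the visitor. All visitor records below
// are constructed for illustration.

// "One in N" and bits are the same measurement: bits = log2(N).
function bitsFromOneInN(n) {
  return Math.log2(n);
}

function oneInNFromBits(bits) {
  return 2 ** bits;
}

// Surprisal of a single attribute value: if `matching` visitors out of the
// population share it, revealing it costs log2(total / matching) bits.
function attributeBits(population, attr, value) {
  const matching = population.filter((v) => v[attr] === value).length;
  if (matching === 0) return Infinity; // never seen before: maximally identifying
  return Math.log2(population.length / matching);
}

// Anonymity set of a complete fingerprint: how many visitors are
// indistinguishable from this one across every attribute at once.
function fingerprintInfo(population, visitor) {
  const key = JSON.stringify(visitor);
  const same = population.filter((v) => JSON.stringify(v) === key).length;
  return {
    anonymitySet: same,
    oneIn: population.length / same,
    bits: Math.log2(population.length / same),
  };
}

// Constructed population of 16 visitors. Eight run a "uniform" browser whose
// attributes are identical (the Tor Browser approach: everyone looks alike);
// the rest have assorted desktop setups, and one of them is unique.
const UNIFORM = { ua: 'UniformBrowser/1.0', tz: 0, screen: '1000x700', canvas: 'blank' };
const POPULATION = [
  ...Array.from({ length: 8 }, () => ({ ...UNIFORM })),
  { ua: 'Firefox/45 Windows', tz: -300, screen: '1920x1080', canvas: 'h1' },
  { ua: 'Firefox/45 Windows', tz: -300, screen: '1920x1080', canvas: 'h1' },
  { ua: 'Firefox/45 Windows', tz: -300, screen: '1366x768', canvas: 'h1' },
  { ua: 'Chrome/49 Windows', tz: -300, screen: '1920x1080', canvas: 'h2' },
  { ua: 'Chrome/49 Windows', tz: 60, screen: '1920x1080', canvas: 'h2' },
  { ua: 'Safari/9 macOS', tz: -480, screen: '1440x900', canvas: 'h3' },
  { ua: 'Safari/9 macOS', tz: -480, screen: '1440x900', canvas: 'h3' },
  { ua: 'Firefox/45 FreeBSD', tz: 0, screen: '1600x900', canvas: 'h4' }, // the lone FreeBSD user
];
const FREEBSD_USER = POPULATION[POPULATION.length - 1];

// The figure quoted above: one in 68668.5 is about 16.07 bits.
console.log(bitsFromOneInN(68668.5).toFixed(2), 'bits');
// The lone FreeBSD visitor is unique (1 in 16, 4 bits); a uniform-browser
// visitor hides among eight others (1 in 2, 1 bit). Fewer bits, larger crowd.
console.log(fingerprintInfo(POPULATION, FREEBSD_USER));
console.log(fingerprintInfo(POPULATION, UNIFORM));
```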


----------



## Deleted member 9563 (Mar 18, 2016)

getopt said:


> Just to add some confusion



Actually you're clarifying. 



getopt said:


> 1. With FreeBSD there is no port "Tor Browser". Did you compile the "Tor Browser" from original sources successfully?



I did not compile. Although this thread really is about FreeBSD, I use multiple systems and when it comes to security actually have a separate machine for that purpose, which is probably "best practice". So, at least regarding this point, I think I would have to concede that it is probably me who is causing confusion. Sorry.



getopt said:


> 2. There is a port security/tor that allows any browser and more to be used with tor. And this is mainly done with FreeBSD while lacking other opportunities except some browser plugins that I do not like.



And that makes it very bad to use with a browser. I don't think that anybody in the Tor community would condone that approach. Just use a separate machine - browser capable computers are free nowadays.



getopt said:


> 3. It makes a lot of sense using Tor Browser regarding fingerprinting (and other reasons) when using Tor, because it is a cloned fingerprint.



That is really my only point earlier in this thread. Tor has an evolved solution, and perhaps the only practical way to do this. At least a lot of thinking has gone into arriving at it.



getopt said:


> 4. To me it does not make much sense using the fingerprint of Tor Browser while not using Tor because it hints to a user also using Tor which should be avoided IMO.



Agreed. Tor developers have put a lot of work into solving the fingerprinting problem, and it would seem that they have the best solution to date. I don't know if a similar approach is practical in another scenario, but at this point in time it looks to me like there is no good way to avoid fingerprinting other than using Tor Browser, which unfortunately precludes using FreeBSD at this time.


----------



## ronaldlees (Mar 20, 2016)

max21 said:


> I went to their site a few hours ago and got a different format that said I was something like 257,000 and 12.7.  I just did it again about ten minutes ago and the format was different, with these exact ratings.  I think they may be modifying the algorithm as we speak.  I wonder whether they have found something interesting since this thread, or are receiving more hits and conversations about them elsewhere since this thread [un_x, Jul 24, 2014] came back up just a little over a month ago.
> ...



Today, panopticlick.eff.org gives me 135,000 as the total sample.   So, yes I think they're working on the algorithm(s).  The fingerprint detail page has been updated too.  IIRC, _platform_, _hashes_, and _touch support_ weren't on the list before. Could be wrong.  On my visit to the site just now, the biggest contributor to my fingerprint was the _HTML5 canvas hash_ (by quite a bit), followed by user-agent and then platform (which the user-agent normally contains anyway, but not always).  Looks like the _canvas hash_ was the killer, but my _FreeBSD_ attribute pushed me over the edge. If I had kept javascript off, I would have been in better shape, but I wanted to see the maximum list.

The fact that only 135,000 people have visited the page since they started making algorithm and/or detail chart changes is a bit disappointing.


----------



## drhowarddrfine (Mar 20, 2016)

I wonder how many of you guys are aware that, when you use your cellphone, there's a record of tracking your movement around town.


----------



## drhowarddrfine (Mar 20, 2016)

getopt said:


> But what about you? Do you like it to be tracked?


I'm not concerned that the boogey man is out to get me so I spend my time on more productive things.


----------



## ronaldlees (Mar 20, 2016)

drhowarddrfine said:


> I wonder how many of you guys are aware that, when you use your cellphone, there's a record of tracking your movement around town.



You're correct when you say that, especially when referencing newer phones.  

But - should it be that way?  Really?  If you track a person's daily detail, and (most importantly) his whereabouts on a second-by-second basis, you can own him.


----------



## sidetone (Mar 20, 2016)

I agree. On the humorous side, they'll know how many daily bowel movements everyone has, then publish it as trivial knowledge.


----------



## ronaldlees (Mar 20, 2016)

We'd want to relate it to FreeBSD, and computers, so it's not OT.   So, it's like being rooted or pwned.  It's the flesh and blood version of a rootkit.  Think about what a rootkit can do to a computer, and then think about a person's life, and how it can be rooted in the very same way as a rootkit can handle your laptop.


----------



## sidetone (Mar 20, 2016)

I understand how dangerous it is, even before coming across this thread. I don't want to compete against Computer Blue, for someone who is nefarious. You know, like how Banks did in the early 2000's, when they do "market research" to find psychological terms to get away with lopsided practices and cheating. This is worse. Look at what some "questionable" organizations did with their privacy knowledge. And I was hesitant to post this.


----------



## Deleted member 9563 (Mar 20, 2016)

drhowarddrfine said:


> I wonder how many of you guys are aware that, when you use your cellphone, there's a record of tracking your movement around town.



That would be all of us.


----------



## drhowarddrfine (Mar 21, 2016)

The tracking is a requirement to switch you between cell towers to improve reliability of the service. One of the reasons for recording it is to improve the service by seeing where users are and how much data they use.

Similarly, most web sites use tracking data to improve service by finding out where users go and what data they view.

Improving service. Not looking over your shoulder. Hmm.


----------



## protocelt (Mar 21, 2016)

Most websites are not _all_ websites though, and therein lies part of the problem, at least as far as I see it.


----------



## Deleted member 9563 (Mar 21, 2016)

protocelt said:


> Most websites are not _all_ websites though, and therein lies part of the problem, at least as far as I see it.


You're right. Also people and their needs are different. My needs are philosophical, and commercial pragmatism is of little use to me when it comes to web sites. If I were to assume that _all_ other people were like me I'd be quite mistaken, I'm sure. In fact I'd be mistaken if I were to assume that everyone else would accept my individual freedom to think as I wish as being legitimate.


----------



## drhowarddrfine (Mar 21, 2016)

protocelt said:


> Most websites are not _all_ websites though, and therein lies part of the problem


You're right. And most web sites don't have malware and don't spam you either.

There are good guys and bad guys in everything but, far too often, we let the tail wag the dog nowadays. The honest marketer, the majority, is just trying to do his job but it's being relegated to the boogey man looking over your shoulder and watching everything you do, as if that was actually possible.

Sites that attempt to do anything like that are those you wouldn't visit anyway.


----------



## ronaldlees (Mar 21, 2016)

According to the comments on github.com, the TOR project is (apparently) listing the HTML5 canvas as the single biggest fingerprinting issue.   


> "After plugins and plugin provided information, we believe that the HTML5 canvas is the single largest fingerprinting threat browsers face today."  - Tor Project.



At cseweb.ucsd.edu/~hovav/dist/canvas.pdf is an explanation of how it works.  HTML5 coders can draw to the HTML5 canvas, and then grab the image back (as it has been drawn) with the getImageData() function, which returns an ImageData object.  That object is then analyzed, and in combination with other things is used to create the fingerprint.

I understand the purpose of the drawing functions, and they'd be used a lot.  But, what purpose does getImageData() have, other than to provide a dang good way to grab a fingerprint?  OKAY - I can think of uses for it - but I think I'll just do without.

Maybe just recompile your browser, and disable it (return nothing) ... although  I suppose this could monkey wrench a few sites that *really* needed the function.


----------



## shepper (Mar 21, 2016)

drhowarddrfine said:


> Sites that attempt to do anything like that are those you wouldn't visit anyway.



I think the line between "those that you would not visit" and those that you visit is becoming blurred.  An example:  I use Earthlink as an email provider and I cannot log into my webmail without at least 3 advertisements.  One advertisement wants to know if a Political Candidate should go to jail.  Another tells me the President encourages me to refinance my home.  The last is telling me of the benefits of Chia Tea.  I started with an empty cookiejar in Xombrero.  Xombrero opens on a "favorites" listing of websites and in the process of going directly to Earthlink's Webmail site and logging in, I acquire 51 cookies.

I just want to empty my suspects folder.

I'll also bet that if you inventory the cookies, they have nothing to do with improving service for the user.  Why would the NYTimes place .linked.com cookies on my system?  What possible benefit would my liberal inclinations gain from a linkin cookie? And why so many cookies?  One per site would be enough.


----------



## drhowarddrfine (Mar 21, 2016)

shepper said:


> Why would the NYTimes place .linkin.com cookies on my system?


Marketing for LinkedIn.



shepper said:


> Any why so many cookies?


One for each advertiser.



shepper said:


> I'll also bet that if you inventory the cookies, they have nothing to do with improving service for the user.


Advertising targeted at your preferences so you don't get ads for brassieres again.


----------



## Deleted member 9563 (Mar 21, 2016)

shepper said:


> One per site would be enough.



Ha! I use Ghostery, and it shows how many trackers are on each site. Sometimes the number goes into two figures. In fact I wonder if the site "contents" is actually secondary.


----------



## Deleted member 9563 (Mar 21, 2016)

drhowarddrfine said:


> Advertising targeted at your preferences so you don't get ads for brassieres again.


That would only apply to those people who look at ads. For those of us who block, perhaps there is some other purpose, but one might classify that as cookie spamming.


----------



## getopt (Mar 21, 2016)

OJ said:


> That would only apply to those people who look at ads.


Ads are like cancer; they spread like metastases. The costs to society are enormous.


----------



## Deleted member 9563 (Mar 22, 2016)

getopt said:


> I'd prefer getting no ads at all! I do not want to be stalked by the marketing industry. And I do not want to be forced to "opt-out" of anything. Opting-in should be the default.


Yes, how about a red bar at the top of cookie sites with wording like "click here to opt in". 
In any case, I currently use uBlock Origin, but have been using blocking techniques for years - simply because I can't afford the equipment, time, and bandwidth to do otherwise.


----------



## shepper (Mar 22, 2016)

British Television produced a 17 episode series called The Prisoner.  One of the more memorable quotes from the series is
"I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered! My life is my own!".  In addition to being numbered, I feel I'm being "parsed, sorted, abstracted and analyzed".  My journey through the web is my own.


----------



## drhowarddrfine (Mar 22, 2016)

OJ said:


> That would only apply to those people who look at ads.


Whether you look at them or not doesn't matter. If you were shown an ad once, they  may not want to show it to you again. Or, if you clicked on it, they might want to remember that, too. If the site you were on was a tech site, and you clicked on a RaspberryPi ad, that's informative. If you were on a tech site and clicked on a brassiere ad, that's informative, too. Or maybe not to that advertiser.


shepper said:


> My journey through the web is my own.


Except when it's sponsored. Without sponsors, that TV show, and possibly the web site you visited, wouldn't exist.


----------



## protocelt (Mar 22, 2016)

Personally, I'm okay with that. FreeBSD exists because people donate their time and/or money to keep the project alive, and get a great OS out of it. Content on the web would probably be of much smaller but much better quality if the "supported by ads" model went away.


----------



## shepper (Mar 22, 2016)

drhowarddrfine said:


> Except when it's sponsored.



I'll point out that I pay Earthlink for email services, I pay for the connection and I pay for bandwidth.  There seems to be no limit to how much bandwidth they feel entitled to.  We won't even discuss how much of my time they consume while I tend to the business of managing my emails.

It would be a different story if I was using gmail for free.

I can't drop them at the moment and I am not aware of any other email provider that does not sell some piece of me.


----------



## drhowarddrfine (Mar 22, 2016)

shepper, that you pay for that and still get ads is between you and them, and what I consider a bad email service. Why do you use them instead of your own on a FreeBSD system?



protocelt said:


> Content on the web would probably be of much smaller but much better quality if the "supported by ads" model went away.


I can't agree more. Quality stuff is still out there. It's just small signal to high noise to filter.


----------



## protocelt (Mar 22, 2016)

drhowarddrfine said:


> shepper, that you pay for that and still get ads is between you and them, and what I consider a bad email service. Why do you use them instead of your own on a FreeBSD system?
> 
> 
> I can't agree more. Quality stuff is still out there. It's just small signal to high noise to filter.


There is, but it's taking more and more effort to find it over time.

We're kind of veering off topic here though. Let's all try to keep on track. I'm guilty of this in this thread as well.


----------



## Deleted member 9563 (Mar 22, 2016)

drhowarddrfine said:


> Whether you look at them or not doesn't matter. If you were shown an ad once, they may not want to show it to you again.



??? By not looking at them I meant blocking them, of course. I think it's pretty standard these days among those who consider browser performance.


----------



## Deleted member 9563 (Mar 22, 2016)

protocelt said:


> We're kind of veering off topic here though. Let's all try to keep on track. I'm guilty of this in this thread as well.


Right. 

We see various on-line browser and fingerprinting tests from time to time. Here is another one which I just tried: Doileak.com. I'm careful about DNS leaks and always do relatively well with these tests generally. It did strike me that they detected two operating systems, which is probably normal for a VPN, but also identifying. Also, I'm not so happy about IPv6. I find it hard to control because I don't know it well enough yet. This test showed they were not able to detect an IPv6 request, which confuses me because I can browse IPv6 sites that have no IPv4 support.


----------



## ronaldlees (Mar 22, 2016)

OJ said:


> Right.
> 
> We see various on-line browser and fingerprinting tests from time to time. Here is another one which I just tried: Doileak.com. I'm careful about DNS leaks and always do relatively well with these tests generally. It did strike me that they detected two operating systems, which is probably normal for a VPN, but also identifying. Also, I'm not so happy about IPv6. I find it hard to control because I don't know it well enough yet. This test showed they were not able to detect an IPv6 request, which confuses me because I can browse IPv6 sites that have no IPv4 support.




OJ: Tnx for that link.  My report from that site says it detects both Linux (via javascript) and FreeBSD (via fingerprint).  I wonder if they're using OS fingerprinting or the user-agent for the latter?  DNS request sources were detected with javascript, but not without javascript.  Other than that, they didn't get much from me  

I should be using static settings, and not DHCP, and  I probably should not be using the ISP's DNS. Likely the default local DNS should be inaccessible. By turning off javascript, they don't have websockets to play with, to query my local DNS resolver.  But, it turns out they can do it another way.  All they have to do is put a URL in the browser page that points to a subdomain (of theirs) that doesn't exist.  Thus, the DNS caches won't have it, and so a query will be made to their servers.  Then, I imagine they vary the "nonexistent" domain to turn it into a GUID, and figure out where the servers are.

Seems there's no hope to obscure DNS, outside Privoxy/Socks/Tor/VPN.  Without using anon software, I lessen the damage only a little bit with external DNS, cuz there's less specific info in the remote DNS than the one my router uses.


----------



## ronaldlees (Mar 22, 2016)

The WebGL hash is listed on panopticlick.eff.org as a contributing factor to the fingerprint, but a lesser one than the canvas hash.  So, in firefox config, we can set `webgl.disabled=true`, and `media.peer*` to false.  The latter kills off WebRTC AFAIK, which can leak the local subnet IP.  Thanks again to the link OJ supplied, which details this pretty well.   I'm always a little leery about random "test" links - hope this one is safe

I'm looking for a way to disable the canvas, short of recompiling Firefox (though the latter is an option).  Some people are recommending a smart add-on that is basically like "noscript" but with the canvas in mind.  Can't remember the name of the extension.   It'd be better to have javascript, and no canvas, from the whizbang site experience POV.


----------



## getopt (Mar 22, 2016)

A practical approach for defeating Nmap OS-Fingerprinting can be found here:
https://nmap.org/misc/defeat-nmap-osdetect.html


----------



## ronaldlees (Mar 22, 2016)

getopt said:


> A practical approach for defeating Nmap OS-Fingerprinting can be found here:
> https://nmap.org/misc/defeat-nmap-osdetect.html



I see that the kernel module they provide to cloak the FreeBSD TCP/IP stack's idiosyncrasies is from 2001.  What version of FreeBSD would that have been?

But, the source is there so could be adapted ...


----------



## ronaldlees (Mar 25, 2016)

I would advise it is especially important to disable cache (although that may seem like an automatic thing to do).  Apparently, HTML5 engenders a "cookie replacement" via the caching of uniquely built on-the-fly PNG images.  The data is read back with getImageData().  The cache action can be requested in the response header from the server, but doesn't necessarily need to be honored.  Still, it's scary.  So I regularly flush cache, or don't use it.

Another function to add to the fingerprint enabler list:  getClientRects().  It's about the same as the getImageData() of canvas, but it's not known if panopticlick factors it into their algorithm.

If that wasn't bad enough, HTML5 offers "web storage api" storage (up to 5M usually) of website-origin data on the user's computer, and if it's of the local or global variety, will survive operating system reboots (yes, even FreeBSD).  Ostensibly, the browser is supposed to ask for permission before allowing this type of storage (which is data that can mimic cookies, or simply take the form of GUIDs.  Nice).  Problem is, there have been instances (so I have read) where a browser allowed silent storage from  certain domains.  Don't know if the latter statement is true, but where does it end?


----------



## drhowarddrfine (Mar 25, 2016)

ronaldlees said:


> Another function to add to the fingerprint enabler list: getClientRects(). It's about the same as the getImageData() of canvas


Huh? It gets the bounding box locations for HTML elements and has nothing to do with images or data or anything else.



ronaldlees said:


> Ostensibly, the browser is supposed to ask for permission before allowing this type of storage


Yes, it does. And only from that domain.


----------



## ronaldlees (Mar 25, 2016)

http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html


----------



## drhowarddrfine (Mar 25, 2016)

Ya' know.....with CSS, I can control the size of those same elements on the screen.....and the color.....and this will bring down civilization as we know it.


----------



## Deleted member 9563 (Mar 25, 2016)

ronaldlees said:


> http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html


That is interesting, but as I mentioned earlier in this thread, I do think he is wrong in his conclusion. His work is fine, though old, and I do understand the fun of making blog posts like that - but he is still grandstanding.


----------



## ronaldlees (Mar 26, 2016)

OJ said:


> That is interesting, but as I mentioned earlier in this thread, I do think he is wrong in his conclusion. His work is fine, though old, and I do understand the fun of making blog posts like that - but he is still grandstanding.



It's a lesser issue than getImageData(), so I mis-stated that.   

Relative to the web storage API, if using FF, one can set dom.storage.default_quota to zero and set dom.storage.enabled to false.  If a site depends on these, then of course it will break.

I kind of like FF for the ability to set some of these things.  Lord knows what's set up in Chrome, for instance.  Hmmm, I notice TOR project didn't select them (or Chromium) for their TorBrowser.  Hmmmm.

When Netsurf can do javascript I'm going away from *all* of them.


----------



## Deleted member 9563 (Mar 26, 2016)

ronaldlees said:


> It's a lesser issue than getImageData(), so I mis-stated that.


Not intending to get into an argument here, but I think the issue is that what that guy is saying doesn't work. At all. He is just plain wrong about that having a practical use in identifying a Tor user. There is nothing "lesser" about it.  It's an unfortunate aspect of "nerd" culture, but some love to puff up their chests and announce vulnerabilities in Tor. Only a few pan out and get fixed. Nobody is going to look at this one. There was some discussion among programmers, but most of it was just rolling of eyes.



ronaldlees said:


> I kind of like FF for the ability to set some of these things. Lord knows what's set up in Chrome, for instance. Hmmm, I notice TOR project didn't select them (or Chromium) for their TorBrowser. Hmmmm.



I'm also a fan of FF because of the flexibility. As for Tor Browser, Chromium was apparently not used because it has proxy bypass bugs.


----------



## ronaldlees (Mar 27, 2016)

OJ said:


> Not intending to get into an argument here, but I think the issue is that what that guy is saying doesn't work. At all. He is just plain wrong about that having a practical use in identifying a Tor user. There is nothing "lesser" about it.  It's an unfortunate aspect of "nerd" culture, but some love to puff up their chests and announce vulnerabilities in Tor. Only a few pan out and get fixed. Nobody is going to look at this one. There was some discussion among programmers, but most of it was just rolling of eyes.



I'll take your word for it.  I'm not really a browser/javascript guy (have always been a backend coder).  Obviously his stuff looked good to me ...


----------



## getopt (Apr 17, 2016)

For those interested in defending against fingerprinting see https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

There are two strategies for a defense: Randomization or uniformity

Those who cannot, or do not want to, hide in a defined fake fingerprint among others can only try to randomize their fingerprint on each use.


----------



## ronaldlees (May 21, 2016)

I hate to necro-bump this old thread, but this is very informative.  I'm a little sheepish that I didn't think of it:



> The new study, which was conducted using an open-source tool, also uncovered a stealthy new technique used by some small
> tracking companies that exploits the way browsers process audio, using it to "fingerprint" computers so they can be tracked ...



_From:_
https://www.technologyreview.com/s/...king-proves-google-really-is-watching-us-all/

Probably uses the new HTML5 Webaudio API.  Wow ...


----------



## drhowarddrfine (May 21, 2016)

**sigh**

You know those images you get in your email? When you open them, your email client has to fetch them from a server somewhere. Because you fetched the image, I know you opened the email. Does that make you duck and run for cover? (Actually, I don't do this)

With audio, I can tell what kind of browser you are using! If you play my .ogg files, I know you're using Firefox! And if I know you're using Firefox, I'll serve you .ogg files instead of .mp4!!! OMG!!!!!

EDIT: Just saw the fingerprinting test page. It shows that I can find the audio capabilities of your audio system. Is this world coming to an end?


----------



## obsigna (May 21, 2016)

drhowarddrfine said:


> **sigh** ...



Let me guess, you are tired of responding again and again to these privacy topics.

Let me assure you that everybody else knows your opinion, since it is simple enough to remember, and is at the same time tired of reading your same insights on this again and again.

So please feel free to participate in privacy topics only once you can't wait to tell us some amazingly inspiring news, and nobody would be tired.



drhowarddrfine said:


> ...
> You know those images you get in your email? When you open them, your email client has to fetch them from a server somewhere. Because you fetched the image, I know you opened the email. Does that make you duck and run for cover? (Actually, I don't do this) ...



Let me guess, you know 2 categories of people, category 1 = Idiots, category 2 = You.



drhowarddrfine said:


> ...
> With audio, I can tell what kind of browser you are using! If you play my .ogg files, I know you're using Firefox! And if I know you're using Firefox, I'll serve you .ogg files instead of .mp4!!! OMG!!!!!
> 
> EDIT: Just saw the fingerprinting test page. It shows that I can find the audio capabilities of your audio system. Is this world coming to an end?



On this answer I don't even need to guess anything, since it is perfectly clear that you misunderstood this test and the technology behind it. This is not about querying the audio capabilities of any browser. This is about generating a unique ID of a given machine by utilizing the DSP results of an audio sample of your computer.

Well, we know already that you don't care. For those who care, this is interesting enough to become aware of it.


----------



## drhowarddrfine (May 21, 2016)

obsigna, what you are saying is you only want to hear one side of this story. This whole thread is about how every tech out there is out to get you and, as one who uses most of the tech on a daily basis, I'm here to let anyone know that, as one who writes code that uses this tech, most of it is tin hat worry.

You can be chicken little or you can go about your normal life. The people I know and myself choose to wake up in the morning, drink our coffee and do our work without giving these concerns one thought cause they are of no concern. It makes life so much more relaxing.


----------



## Deleted member 9563 (May 22, 2016)

drhowarddrfine said:


> This whole thread is about how every tech out there is out to get you and, as one who uses most of the tech on a daily basis, I'm here to let anyone know that, as one who writes code that uses this tech, most of it is tin hat worry.



I think you're misunderstanding the thread.


----------



## drhowarddrfine (May 22, 2016)

getopt said:


> Some people cannot stand other opinions other than their own. Even worse is it, when facts are denied.


Totally agree. As I so said.

Some people, and the same people, are pushing one point of view and don't want to hear anything else. Going to the point of calling people "trolls". They have no experience in the field as shown by their statements and examples. As one who works with this on a daily basis, I am trying to explain the error in their thinking and hope they can learn from it cause the people on this board are, far and away, more intelligent and right thinking than the multitude of similar posts on places like Reddit or HN. There, people pile on with repetitive statements from unknown sources and the same, total lack of knowledge and experience in this area. They act like the "boogie man" is around every corner and hiding behind every line of code and spend every waking moment looking for such things cause "they" are out to get them.

But, like the kids on reddit, I learned long ago you can't educate such people just like in politics and religion. They'll go on about it amongst their small group till they grow tired of it and move on to another thread about the same thing. So I regret responding to this. I should have known better.


----------



## fernandel (May 22, 2016)

George Orwell's 1984 is relatively new, but too old for what "big brother" watches and wants to watch today...

Fernandel
-------------
_*Bury My Heart at Wounded Knee*_


----------



## ronaldlees (May 22, 2016)

1984 was a pretty good read in its day.  But, seriously, it's lame compared to today's culture and what that culture accepts.  I don't think that six-decade-old novel is much more notable than the stuff currently out (or outed) in the online press, as regards such issues in today's frame of reference.  Consider the telescreen, which was a big heavy appliance permanently affixed to Smith's apartment room.  Today, people carry a telescreen around with them all day long - and it's a much more powerful one.

But, the use of the term does put an accurate fix on that general genre of conversation, and is useful for defining the topic in conversation.


----------



## wblock@ (May 22, 2016)

It is reasonable to be concerned about capabilities, especially when automation allows those capabilities to be applied to large groups.  Assuming those capabilities will not be used because they are unlikely is not a good way to approach computer security.


----------



## shepper (May 22, 2016)

wblock@ said:


> Assuming those capabilities will not be used because they are unlikely is not a good way to approach computer security.



Big Data, IBM in Nazi Germany.  It is not a question of if those capabilities will be exploited, but when and to what end.


----------



## Deleted member 9563 (May 23, 2016)

drhowarddrfine said:


> Some people, and the same people, are pushing one point of view and don't want to hear anything else. Going to the point of calling people "trolls".



Point of view is your topic. The OP wrote:



un_x said:


> I would like to reduce my fingerprint.



You may be able to help with that.



drhowarddrfine said:


> They act like the "boogie man" is around every corner and hiding behind every line of code and spend every waking moment looking for such things cause "they" are out to get them.



_That_ is a troll. 



drhowarddrfine said:


> But, like the kids on reddit, I learned long ago you can't educate such people just like in politics and religion. They'll go on about it amongst their small group till they grow tired of it and move on to another thread about the same thing. So I regret responding to this. I should have known better.



And so is that. There is no reason not to respond to the topic in a direct and useful manner. Insisting on questioning people's motives is not helpful.


----------



## shepper (May 26, 2016)

> A provision snuck into the still-secret text of the Senate’s annual intelligence authorization would give the FBI the ability to demand individuals’ email data and possibly web-surfing history from their service providers without a warrant and in complete secrecy.
> 
> If passed, the change would expand the reach of the FBI’s already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs—most commonly information about the name, address, and call information associated with a phone number or details about a bank account.



More here.


----------



## surv (Jul 29, 2016)

ronaldlees said:


> With FreeBSD, there's yet another obstacle.  The FreeBSD network stack is identifiable by itself.  Most ad servers can identify whether or not it's FreeBSD, Linux, GoogleOS, or Windows (they each have different packet fingerprints).   Look up OS fingerprinting.  So, if your user-agent string says Mac, but your tcp/ip stack says FreeBSD, you're gonna be unique in the catalogue of the ad-spammer.  Sorry to say.


Are there ways to fix it?


----------



## tomxor (Jul 30, 2016)

Kind of a side step but... most of the fingerprinting is done by the ads, so adblockers are probably the best way to avoid the vast majority of fingerprinting (it can even prevent the GET request to the server so they can't inspect your packets and infer OS)


----------



## Murph (Jul 30, 2016)

As far as OS fingerprinting goes, it shouldn't really be a major concern.  It does not identify a unique machine, there's no tracking enabled by it.  If you try to defeat OS fingerprinting, there are two significantly likely negative outcomes: 1) you actually give your machine a unique and trackable fingerprint instead of a generic fingerprint; and/or 2) you significantly harm the operation (security, performance, features, standards compliance) of your network stack.  I strongly caution against misguided attempts to defeat OS fingerprinting, especially if you don't fully understand the things you might be tinkering with.

Fingerprinting is actually a slightly misleading word in the context of "OS fingerprinting", as it is not unique  like a person's fingerprint, only identifying a generic OS variant (e.g. FreeBSD 10.x).  It would be like the entire global population sharing 244 sets of fingerprints.  See /etc/pf.os for examples of the level of detail provided by the OS fingerprinting supplied as part of PF.  It's handy for things like sending all incoming SMTP connections from Windows into a tarpit, but that's about it.  In the hands of an advertising network, about the worst that will happen is you'll see more Cisco, O'Reilly, network management, and server hosting adverts.


----------



## tomxor (Jul 30, 2016)

Murph said:


> Fingerprinting is actually a slightly misleading word in the context of "OS fingerprinting", as it is not unique  like a person's fingerprint, only identifying a generic OS variant (e.g. FreeBSD 10.x).  It would be like the entire global population sharing 244 sets of fingerprints.  See /etc/pf.os for examples of the level of detail provided by the OS fingerprinting supplied as part of PF.  It's handy for things like sending all incoming SMTP connections from Windows into a tarpit, but that's about it.  In the hands of an advertising network, about the worst that will happen is you'll see more Cisco, O'Reilly, network management, and server hosting adverts.



More specifically OS fingerprinting should refer to more than the network stack just like browser fingerprinting refers to more than the user agent string... it's how many pieces you can stick together that make it converge to a "fingerprint", for OS you could try to probe for as many services as possible and then probe the services to see how they are configured... so you could probably make it more unique than just "OS". Obviously browsers are much easier.


----------



## surv (Jul 30, 2016)

Murph said:


> As far as OS fingerprinting goes, it shouldn't really be a major concern.  It does not identify a unique machine, there's no tracking enabled by it.


I do not believe that it is not used as much as possible, in all possible ways. It brings great profit.


Murph said:


> If you try to defeat OS fingerprinting, there are two significantly likely negative outcomes: 1) you actually give your machine a unique and trackable fingerprint instead of a generic fingerprint; and/or 2) you significantly harm the operation (security, performance, features, standards compliance) of your network stack.  I strongly caution against misguided attempts to defeat OS fingerprinting, especially if you don't fully understand the things you might be tinkering with.


That's the problem: FreeBSD's generic fingerprint is already very unique in the context "Surfing the Internet on FreeBSD desktop".
Also, the value of uptime can be recorded: http://lcamtuf.coredump.cx/p0f3/ , section 4
I tried to play with net.inet.tcp.* options, with the following results:
p0f signature changes from
`4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df:0`
to
`4:64+0:0:1460:65535,0:mss:df:0`
with
`net.inet.tcp.sack.enable=0` (TCP Selective Acknowledgments)
`net.inet.tcp.rfc1323=0` (TCP timestamps)
Now uptime is not determined and the machine is identified as "Linux generic" (should ideally be Windows 10 or 7)

I could be wrong, but in this case
less additional options = more security
Some optimization that added these options is not significant for a desktop machine, I think



Murph said:


> Fingerprinting is actually a slightly misleading word in the context of "OS fingerprinting", as it is not unique  like a person's fingerprint, only identifying a generic OS variant (e.g. FreeBSD 10.x).  It would be like the entire global population sharing 244 sets of fingerprints.  See /etc/pf.os for examples of the level of detail provided by the OS fingerprinting supplied as part of PF.  It's handy for things like sending all incoming SMTP connections from Windows into a tarpit, but that's about it.  In the hands of an advertising network, about the worst that will happen is you'll see more Cisco, O'Reilly, network management, and server hosting adverts.


Of course it is used in combination with other data. In addition, one value may be 80% of visitors (win), another 0.01%,
but for those 80% of users other methods are used
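To see exactly which fields of the passive fingerprint the two sysctls changed, here is an added example (not code from the thread, from p0f or from FreeBSD) that parses both p0f v3 signatures quoted above and diffs them field by field; the field names follow the p0f v3 README layout `ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass`, and the sysctl-to-option mapping is taken from the post.

```python
"""Parse and compare p0f v3 TCP SYN signatures (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Signatures quoted in the thread: before and after the sysctl change.
SIG_BEFORE = "4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df:0"
SIG_AFTER = "4:64+0:0:1460:65535,0:mss:df:0"

# Meaning of the option-layout tokens used by p0f v3.
OPTION_MEANING = {
    "mss": "maximum segment size",
    "nop": "padding",
    "ws": "window scaling (RFC 7323)",
    "sok": "SACK permitted",
    "ts": "timestamps (RFC 7323)",
}

# Which FreeBSD sysctl (as named in the post) removes which option tokens.
SYSCTL_EFFECT = {
    "net.inet.tcp.sack.enable=0": ["sok"],
    "net.inet.tcp.rfc1323=0": ["ws", "ts"],
}


@dataclass
class TcpSignature:
    """One p0f v3 TCP signature: ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass."""
    ip_version: str
    initial_ttl: str
    ip_opt_len: int
    mss: str
    window: str
    window_scale: str
    options: List[str] = field(default_factory=list)
    quirks: List[str] = field(default_factory=list)
    payload_class: str = "0"


def parse_signature(sig: str) -> TcpSignature:
    """Split a p0f v3 TCP signature into its eight colon-separated fields."""
    parts = sig.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}: {sig!r}")
    ver, ittl, olen, mss, wsize_scale, olayout, quirks, pclass = parts
    # Window size and scale share one field, separated by a comma.
    wsize, _, scale = wsize_scale.partition(",")
    return TcpSignature(
        ip_version=ver,
        initial_ttl=ittl,
        ip_opt_len=int(olen),
        mss=mss,
        window=wsize,
        window_scale=scale or "0",
        options=[o for o in olayout.split(",") if o],
        quirks=[q for q in quirks.split(",") if q],
        payload_class=pclass,
    )


def diff_signatures(before: str, after: str) -> Dict[str, Tuple[object, object]]:
    """Return {field: (before, after)} for every field whose value changed."""
    a, b = parse_signature(before), parse_signature(after)
    changes = {}
    for name in a.__dataclass_fields__:
        va, vb = getattr(a, name), getattr(b, name)
        if va != vb:
            changes[name] = (va, vb)
    return changes


def options_removed(before: str, after: str) -> List[str]:
    """Option tokens present before the change and absent afterwards, in order."""
    kept = set(parse_signature(after).options)
    return [o for o in parse_signature(before).options if o not in kept]


def explain_sysctls(before: str, after: str) -> Dict[str, List[str]]:
    """Map each sysctl from the post to the removed options it accounts for."""
    removed = set(options_removed(before, after))
    return {k: [o for o in v if o in removed] for k, v in SYSCTL_EFFECT.items()}


if __name__ == "__main__":
    for name, (old, new) in diff_signatures(SIG_BEFORE, SIG_AFTER).items():
        print(f"{name}: {old} -> {new}")
    for opt in options_removed(SIG_BEFORE, SIG_AFTER):
        print(f"removed option {opt}: {OPTION_MEANING.get(opt, '?')}")
    print(explain_sysctls(SIG_BEFORE, SIG_AFTER))
```

The diff shows that only the window scale (6 to 0) and the option layout changed; TTL, MSS, window size and the `df` quirk are untouched, which is why the host is still classified rather than becoming unclassifiable.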


----------



## getopt (Jul 30, 2016)

surv said:


> That's the problem: FreeBSD's generic fingerprint is already very unique in the context "Surfing the Internet on FreeBSD desktop".
> Also, the value of uptime can be recorded: http://lcamtuf.coredump.cx/p0f3/ , section 4


True! And thanks for the link.

Also see https://gnunet.org/knock where there is a TCP Stealth patch for FreeBSD 10.0


----------



## Murph (Jul 30, 2016)

surv said:


> I could be wrong, but in this case
> less additional options = more security
> Some optimization that added these options is not significant for a desktop machine, I think



You are wrong.

The window scale and timestamp options exist to improve TCP's performance and reliability.  Read RFC 7323 for descriptions of the circumstances where window scaling and timestamps are beneficial.  They are no less relevant for desktop systems.  In the current era, desktop systems certainly can have the bandwidth to benefit from those features, combined with lower quality connectivity which can see round trip times rise under load.  Selective ACKs improve performance and recovery from loss.

You gain no additional security by crippling your TCP stack in that manner.  Those options are long established and do not have any negative impact on security.  In a narrow set of circumstances, disabling those options is harmful to data integrity (high bandwidth combined with packet retransmission).  Degrading the integrity of a protocol which software assumes to be reliable could be considered to weaken security.


----------



## Murph (Jul 30, 2016)

getopt said:


> I won't argue with the term security in first line. It is more a concern of privacy (which can have an impact on security also).
> When there is the point reached that leaking the used OS could have negative effects (i.e. tailored attacks), argumentation with performance does not matter anymore.



You should assume that the tailored attacks will occur regardless of any precautions, as to do otherwise is security through obscurity.  The state of the black art seems to routinely include anything and everything.  If a tailored attack would be a problem for your system, it should not be on the net, not even briefly.

While I may have stopped publishing HINFO records in DNS rather a long time ago, I do not believe that knowledge of the OS should be considered to be a security problem in the current era.  You should assume that the attacker does know precisely what OS you are running, and defend accordingly.


----------



## surv (Jul 31, 2016)

Murph said:


> The window scale and timestamp options exist to improve TCP's performance and reliability.  Read RFC 7323 for descriptions of the circumstances where window scaling and timestamps are beneficial.  They are no less relevant for desktop systems.  In the current era, desktop systems certainly can have the bandwidth to benefit from those features, combined with lower quality connectivity which can see round trip times rise under load.  Selective ACKs improve performance and recovery from loss.
> 
> You gain no additional security by crippling your TCP stack in that manner.  Those options are long established and do not have any negative impact on security.  In a narrow set of circumstances, disabling those options is harmful to data integrity (high bandwidth combined with packet retransmission).  Degrading the integrity of a protocol which software assumes to be reliable could be considered to weaken security.


Too categorical. I did not see anything dangerous. In https://wiki.freebsd.org/SystemTuning it is about the benefits for gigabit satellite links. I have only 20Mbit DSL


----------



## surv (Jul 31, 2016)

By the way, from the same (RFC 7323):
"A naive implementation that derives the timestamp clock value directly from a system uptime clock may unintentionally leak this information to an attacker. This does not directly compromise any of the mechanisms described in this document.  However, this may be valuable information to a potential attacker.  It is therefore RECOMMENDED to generate a random, per-connection offset to be used with the clock source when generating the Timestamps option value"
As far as I understand FreeBSD does not use random per-connection offset?
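The RFC 7323 passage quoted above is easier to reason about with a small simulation, so here is an added example (not code from the thread, from FreeBSD or from p0f): a naive stack whose TSval is the uptime clock, the RFC's recommended per-connection random offset, and the arithmetic a passive observer uses to turn a TSval into an estimated boot time and link connections that agree. The 1 kHz clock rate, the 50 hour uptime and the capture times are constructed assumptions.

```python
"""Why RFC 7323 recommends a random per-connection Timestamps offset (added example)."""
import random
from typing import List, Tuple

TS_HZ = 1000          # assumed timestamp clock rate, ticks per second
TS_MODULUS = 2 ** 32  # TSval is a 32-bit field and wraps (about 49.7 days at 1 kHz)


def naive_tsval(uptime_ms: int) -> int:
    """Naive stack: TSval is the uptime clock itself, the leak the RFC warns about."""
    return uptime_ms % TS_MODULUS


def offset_tsval(uptime_ms: int, per_connection_offset: int) -> int:
    """RFC 7323 style: the same clock plus an offset chosen once per connection."""
    return (uptime_ms + per_connection_offset) % TS_MODULUS


def new_connection_offset(rng: random.Random) -> int:
    """Pick a fresh 32-bit offset for one connection (rng injected for testability)."""
    return rng.getrandbits(32)


def estimate_boot_time(tsval: int, seen_at: float, hz: int = TS_HZ) -> float:
    """Observer side: boot time = capture time - apparent uptime (ignores wrap)."""
    return seen_at - tsval / hz


def linkable_by_uptime(observations: List[Tuple[int, float]],
                       hz: int = TS_HZ, tolerance_s: float = 2.0) -> bool:
    """True if every (tsval, seen_at) pair yields the same boot time within
    tolerance, i.e. the observer would attribute them all to one host."""
    estimates = [estimate_boot_time(t, s, hz) for t, s in observations]
    return max(estimates) - min(estimates) <= tolerance_s


def simulate(per_connection_offset: bool, seed: int = 7) -> bool:
    """Emit two SYNs from one host 600 ms apart and ask whether they are linkable.

    Constructed scenario: the host booted 50 hours before the first capture."""
    rng = random.Random(seed)
    uptime_ms = 50 * 3600 * 1000
    first_seen = 1_700_000_000.0
    observations = []
    for delta_ms in (0, 600):
        if per_connection_offset:
            tsval = offset_tsval(uptime_ms + delta_ms, new_connection_offset(rng))
        else:
            tsval = naive_tsval(uptime_ms + delta_ms)
        observations.append((tsval, first_seen + delta_ms / 1000))
    return linkable_by_uptime(observations)


if __name__ == "__main__":
    print("naive clock, connections linkable:", simulate(per_connection_offset=False))
    print("random offset, connections linkable:", simulate(per_connection_offset=True))
```

With the offset in place each connection still carries a monotonic timestamp for PAWS and RTTM, but the absolute value no longer says anything about uptime, so the cross-connection linking stops working.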


----------



## Murph (Jul 31, 2016)

surv said:


> Too categorical. I did not see anything dangerous. In https://wiki.freebsd.org/SystemTuning it is about the benefits for gigabit satellite links. I have only 20Mbit DSL



Window scale solves performance issues on links as slow as a T1 (1.5Mbit/s), when you encounter larger round trip times.  You will certainly suffer from performance problems caused by disabling it on a 20Mbit/s link.  For 100ms round trip times (e.g. typical transatlantic, coast to coast in the US, or longer European distances), TCP is limited to around 5Mbit/s without window scaling.  Add in the typical 25-50ms that you can see from a DSL local link, and the problem only gets worse.  A 64KB window hits its performance limit at around 25ms on a 20Mbit/s link, which pretty much makes it impossible to hit 20Mbit/s performance on a DSL without window scaling, and the problem will get significantly worse as the distance beyond the DSL link increases.

TCP window scaling has been an essential performance feature for a very long time.  It was released as a standard back in 1992 (as RFC 1323, although had been experimentally around prior to then), and it has only become more important as the years passed.  TCP itself is a very old protocol and hits some significant limitations on modern networks if you do not use a properly modernised implementation.  Disabling the standard extensions turns it back into a 1980s protocol, when 1.5Mbit/s was a fast WAN link.

As far as gigabit links go, it can be needed on a gigabit LAN, never mind a satellite link.
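The figures in the post all come from one relation, throughput ≤ window × 8 / RTT, so here is an added example (not the poster's code) that carries the arithmetic through for the cases mentioned: the 64 KB unscaled window at 100 ms, the RTT at which a 20 Mbit/s DSL link becomes window-limited, a T1 with long RTT, a gigabit LAN, and the RFC 7323 shift count (at most 14) each needs. Bandwidths and RTTs are the post's numbers; the function names are this example's own.

```python
"""Window-size versus RTT arithmetic behind TCP window scaling (added example)."""
import math
from typing import Dict, List, Optional

MAX_UNSCALED_WINDOW = 65535  # 16-bit window field without the scale option
MAX_WINDOW_SHIFT = 14        # RFC 7323 section 2.3 caps the shift count


def max_throughput_bps(window_bytes: int, rtt_s: float) -> float:
    """Throughput ceiling for a given window and RTT, in bits per second."""
    return window_bytes * 8 / rtt_s


def rtt_limit_s(window_bytes: int, bandwidth_bps: float) -> float:
    """RTT above which the window, not the link, limits throughput."""
    return window_bytes * 8 / bandwidth_bps


def required_window_bytes(bandwidth_bps: float, rtt_s: float) -> int:
    """Bandwidth-delay product: bytes in flight needed to keep the link full."""
    return math.ceil(bandwidth_bps * rtt_s / 8)


def required_shift(bandwidth_bps: float, rtt_s: float) -> Optional[int]:
    """Smallest window scale shift that fills the link; None if even 14 is not enough."""
    needed = required_window_bytes(bandwidth_bps, rtt_s)
    for shift in range(MAX_WINDOW_SHIFT + 1):
        if (MAX_UNSCALED_WINDOW << shift) >= needed:
            return shift
    return None


def scenarios() -> List[Dict[str, object]]:
    """The cases discussed in the thread, worked through with the functions above."""
    cases = [
        ("T1, 340 ms RTT", 1.544e6, 0.340),
        ("20 Mbit/s DSL, 25 ms local RTT", 20e6, 0.025),
        ("20 Mbit/s DSL, 100 ms + 25 ms RTT", 20e6, 0.125),
        ("gigabit LAN, 1 ms RTT", 1e9, 0.001),
    ]
    rows = []
    for label, bw, rtt in cases:
        rows.append({
            "case": label,
            "unscaled_limit_mbps": round(max_throughput_bps(MAX_UNSCALED_WINDOW, rtt) / 1e6, 2),
            "window_needed_bytes": required_window_bytes(bw, rtt),
            "shift_needed": required_shift(bw, rtt),
        })
    return rows


if __name__ == "__main__":
    print("64 KB window at 100 ms RTT caps TCP at",
          round(max_throughput_bps(MAX_UNSCALED_WINDOW, 0.1) / 1e6, 2), "Mbit/s")
    print("20 Mbit/s link becomes window-limited above",
          round(rtt_limit_s(MAX_UNSCALED_WINDOW, 20e6) * 1000, 1), "ms RTT")
    for row in scenarios():
        print(row)
```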


----------

