# How unique is your browser?



## teckk (May 20, 2013)

https://panopticlick.eff.org/
https://panopticlick.eff.org/browser-uniqueness.pdf


----------



## NewGuy (May 20, 2013)

That test always says my browser is unique. Even if I visit the site, clear cookies and re-visit the site using the same browser and a different IP address. I think there is something wrong with their script.


----------



## zspider (May 21, 2013)

Mine says unique too, might have something to do with that fake user agent I implemented.


----------



## Avyd (May 21, 2013)

> Within our dataset of several million visitors, only one in 290,736 browsers have the same fingerprint as yours.



The script is working great. To look like others on the Net, first you need a common useragent (a unique one is not recommended). The browser setting should be common also. 


```
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
```

ip-check.info may help you a bit more if you run the test - red is bad. Good luck


----------



## kpa (May 21, 2013)

Avyd said:
			
		

> ip-check.info may help you a bit more if you run the test - red is bad. Good luck



Thanks but it requires Java to run. No joy for many people who are security conscious and have disabled Java altogether and refuse to turn it back on.


----------



## ShelLuser (May 21, 2013)

I'm pretty convinced this test is quite flawed. My browser of choice is SeaMonkey, this is a browser built on the Mozilla engine but without all the overhead and bloat which, in my opinion of course, sits in Firefox these days. I personally also like their update policies a lot better.

But, thanks to that Mozilla engine, I can still use some of my favourite plugins such as NoScript, AdBlock plus and more common plugins such as Quicktime, Acrobat and even VLC support.

So when I visit this testing page no scripting gets executed what so ever. No Javascript, no Java, no flash. Nothing.

"_Your browser fingerprint appears to be unique among the 2,910,712 tested so far.  Currently, we estimate that your browser has a fingerprint that conveys at least 21.47 bits of identifying information._".

So I then visit using Internet Explorer 9, which also has some of the previously mentioned common plugins available (Quicktime, Acrobat, etc.) but this time doesn't necessarily prevent their usage:

"_Your browser fingerprint appears to be unique among the 2,910,715 tested so far.  Currently, we estimate that your browser has a fingerprint that conveys at least 21.47 bits of identifying information._".

Rest assured: My MSIE9 is _not_ unique. The only difference could be the raised security and privacy settings, both are set to "Normal-High". But that's it; its a default installation, with some very commonly used extensions (Acrobat, Flash, etc.) and that's it.

Yet both browsers score exactly the same?  That makes no sense what so ever.


----------



## hitest (May 21, 2013)

```
Your browser fingerprint appears to be unique among the 2,910,863 tested so far.
```


----------



## ShelLuser (May 21, 2013)

hitest said:
			
		

> ```
> Your browser fingerprint appears to be unique among the 2,910,863 tested so far.
> ```


I have no idea to who this was addressed, but I'll just assume it's me being the previous poster. I'm well aware that the uniqueness factor heavily depends on the data which is already available in the database, yet that's also one of the reasons why I think it to be flawed; I have a hard time believing that considering the context of the website a browser like Internet Explorer would be so sparsely used.

What I also considered odd is that whenever I perform the test again using the previously mentioned SeaMonkey environment nothing changes, yet when I do the same using Internet Explorer I now suddenly get to see this:

"_Within our dataset of several million visitors, only one in 1,455,443 browsers have the same fingerprint as yours._".

That makes me wonder how much programming logic is done server-sided and how much it depends on client-side code. After all; with SeaMonkey nothing gets executed on my computer and it seems as if that environment didn't got included in the results. Internet Explorer on the other hand did; the main difference being the acceptance of running client side scripts.

But that shouldn't matter to determine the "browser fingerprint".

This gets somewhat confirmed when I use MSIE9 using the so called "InPrivate mode". Now the result is once again the same as before ("_Appears to be unique_"). Even when I visit the website again at a later time. Yet the browser environment is completely the same. Apart from the characteristics it couldn't determine due to javascript not getting executed, the user agent and "accept headers" are equal.

So why didn't it recognize this setup as well?

As such my previously mentioned opinion.


----------



## Avyd (May 22, 2013)

kpa said:
			
		

> Thanks but it requires Java to run. No joy for many people who are security conscious and have disabled Java altogether and refuse to turn it back on.



It does not need java to run. If it's disabled, it can't check some things which means your browser is not sending nasty information.

Interesting information: in Opera browser it could see my opened tabs and said it's some kind of vulnerability.


----------



## hitest (May 22, 2013)

ShelLuser said:
			
		

> I have no idea to who this was addressed, but I'll just assume it's me being the previous poster.



Greetings ShelLuser,

My apologies. My post was not addressed to anyone in particular.  I just posted the results of clicking on the first link in this thread using FF 18.0 on OpenBSD 5.3. 
I'm running FreeBSD 9.1 today.


----------



## poisonlux (May 28, 2013)

NewGuy said:
			
		

> That test always says my browser is unique. Even if I visit the site, clear cookies and re-visit the site using the same browser and a different IP address. I think there is something wrong with their script.



I haven't read the script itself, but if it does what it says it does ... it won't pay none to little attention to cookies or IP adress.

The "fingerprint" should be built from the OS info in the header (and with "FreeBSD" on it, you can bet your fingerprint has high chances of being unique), javascript gathered info, plugins info and a lot of other data that is considered with different levels of importance.

Even I could go more far and say the lack of certain data itself could be part of the fingerprint itself, as long as we talk of % of chances of uniqueness rather than "it is" or "it is not" and if the compute powers allows it, a more in-depth analysis of the connection could be made.

Regards.


----------

