In this guide we cover all aspects of browser fingerprinting and device fingerprinting. In addition to explaining what exactly this is, we’ll also show you how to protect yourself against these threats.
Many people use VPN services to hide their IP address and location – but there is another way you can be identified and tracked: through browser fingerprinting.
Whenever you go online, your computer or device provides the sites you visit with highly specific information about your operating system, settings, and even hardware. The use of this information to identify and track you online is known as device or browser fingerprinting.
As browsers become increasingly entwined with the operating system, many unique details and preferences can be exposed through your browser. The sum total of these outputs can be used to render a unique “fingerprint” for tracking and identification purposes.
Your browser fingerprint can reflect:
- the User agent header
- the Accept header
- the Connection header
- the Encoding header
- the Language header
- the list of plugins
- the platform
- the cookies preferences (allowed or not)
- the Do Not Track preferences (yes, no or not communicated)
- the timezone
- the screen resolution and its color depth
- the use of local storage
- the use of session storage
- a picture rendered with the HTML Canvas element
- a picture rendered with WebGL
- the presence of AdBlock
- the list of fonts
How accurate is browser fingerprinting?
Some researchers have found this method of identification to be extremely effective.
Why is this being done?
Browser fingerprinting is just another tool to identify and track people as they browse the web. There are many different entities – both corporate and government – that are monitoring internet activity, and they all have different reasons for doing so. Advertisers and marketers find this technique useful to acquire more data on users, which in turn leads to more advertising revenue.
Some websites use browser fingerprinting to detect potential fraud, such as banks or dating websites, so it’s not always nefarious.
Surveillance agencies could also use this to identify people who are employing other privacy measures to cloak their IP address and location, such as with VPN services or the Tor (onion) network.
Browser fingerprinting test websites
One good test website to see all of the information that is being revealed by your browser is www.deviceinfo.me.
There are also a few websites that reveal browser data and also assess a “uniqueness” score based on your variables in comparison to their database of browsers.
- Cover Your Tracks is run by the Electronic Frontier Foundation. You can learn more here.
- amiunique.org is another good resource. It is open source and provides more information and updated fingerprinting techniques, including webGL and canvas.
Are browser fingerprinting test websites very accurate?
Yes and no.
Yes, these websites do provide accurate information about your browser’s fingerprint and the different values being gathered.
No, the “uniqueness” conclusion about your browser from these websites can be wildly inaccurate and very misleading. Here’s why:
- Data sample: Cover Your Tracks and amiunique.org are comparing your browser’s fingerprint to a giant database of old, outdated browsers – many of which are no longer in use. When you test your browser’s fingerprint with an updated browser, it may show it as being extremely rare and unique, even though the majority of people are using the same updated version. Conversely, running the test with an old, outdated browser may show a very good result (not unique) when in reality very few people are using the older browser today.
- Screen resolution: At least on desktop machines, most people regularly adjust their browser screen size. Every minor screen size value will be measured as a factor for uniqueness, which can be misleading.
- Randomized fingerprints: Another problem with these test sites is that they don’t account for randomized fingerprints that can be regularly changed through browser extensions. This method may be an effective way to prevent real-world fingerprinting, but it can’t be tested/quantified through these sites.
In general, the browser fingerprinting test websites are good for revealing the unique information and values that can be rendered from your browser. Aside from that, however, trying to beat the test by getting the lowest “uniqueness” score may be a waste of time and counterproductive.
How to mitigate your browser fingerprint
Before we jump into potential solutions, it’s important to note that implementing browser fingerprinting protection methods may break some websites. Be sure to research these different options carefully before adjusting your browser settings.
Another consideration is your threat model. How much privacy do you need or want? The answer to that question will be different for every user.
Lastly, I use the word “mitigate” rather than “solve” because browser fingerprinting is a very complex and evolving issue. For example, a new study revealed that there’s nothing you can do to mitigate some fingerprinting attacks on smartphones (discussed more below).
Here are some good ways to mitigate your browser fingerprint:
1. Browser modifications and tweaks
Depending on the browser you are using, you might have some different options for tweaks and modifications to mitigate browser fingerprinting. Below we’ll discuss various Firefox and Brave browsers, which are both secure and private browsers.
Firefox browser fingerprinting
Firefox is a good browser for privacy and security, and it can also be modified and hardened for your unique needs. (For an overview of Firefox privacy tweaks, see the Firefox privacy guide.) The first thing you need to do is type about:config into the URL bar of Firefox, hit enter, then agree to “accept the risk” and make the following changes:
- privacy.resistFingerprinting (change to true) – Changing this value to true will offer some basic protection, but it’s far from a complete solution. The privacy.resistFingerprinting preference was added to Firefox as part of the Tor Uplift project and it continues to be improved.
- webgl.disabled (change to true) – WebGL is another tricky issue for privacy and security. Disabling this preference is generally a good idea – see some of the issues with WebGL here.
- media.peerconnection.enabled (change to false) – Disabling WebRTC is a good idea since this can reveal your true IP address, even when you are using a good VPN service. See the WebRTC leak guide for more details and how to disable WebRTC in other browsers.
- geo.enabled (change to false) – This disables geolocation tracking.
- privacy.firstparty.isolate (change to true) – This is another great update from the Tor Uplift project that isolates cookies to the first party domain.
Note: This is just a brief overview of changes that improve your privacy and help to mitigate your browser fingerprint. Nonetheless, there are many different factors that go into fingerprinting and you may still have a unique fingerprint even with these changes.
Firefox with the ghacks user.js file
Another great option is to run Firefox with a unique user.js file, such as the ghacks user.js. This is a custom Firefox configuration file that has been modified for more privacy and security. I like this option because it can save lots of time with setup and is regularly updated and improved. See the Wiki page for an overview and setup instructions.
When I tested a fresh install of Firefox with the ghacks user.js file, amiunique.org showed my browser fingerprint as as not unique.
Brave browser fingerprinting
Although it is based on Chromium, the Brave Browser may be a good option for those wanting a simple, privacy-focused browser that blocks tracking by default and still supports Chrome extensions. Brave allows you to enable fingerprinting protection, which is under the Brave Shields settings:
See also this article on Github discussing different aspects of fingerprinting protection in Brave.
2. Browser extensions and add-ons to minimize or spoof your fingerprint
There are a number of different browser extensions and add-ons that you may find useful. With that being said here are a few things to remember:
- Be careful with third-party extensions, which could potentially undermine your privacy and security.
- Be mindful that using extensions may make your browser fingerprint more unique (many factors).
Now that we’ve gotten those disclaimers out of the way, let’s examine some browser add-ons that may be useful:
Firefox browser:
- Canvasblocker by kkapsner – Protects against canvas fingerprinting methods (source on GitHub)
- Trace by AbsoluteDouble – Protects against various fingerprinting methods (source on GitHub)
- Chameleon by sereneblue – Allows you to spoof user agent values (source on GitHub)
- User-Agent Switcher by Alexander Schlarb – Allows you to spoof user agent (source on GitLab)
There are many other Firefox add-ons you may want to consider as well, which are discussed in the Firefox privacy guide. Some of these add-ons are also available for Chromium-based browsers, such as Brave.
Some people recommend spoofing different user agents through a browser extension, while others suggest this is a bad idea because it might make you more “unique”. Of course, there are many factors to consider, but adding noise to your fingerprint may not be a bad strategy.
For example, with Chameleon, you can cycle through different user agents at various time intervals.
Now let’s look at another option for modifying your browser fingerprint: the use of virtual machines.
3. Virtual machines
You can also consider running different virtual machines, which can utilize different operating systems on your host computer. VirtualBox is FOSS and offers an easy way to run different Linux VMs for more privacy and security. There are many different video tutorials online, depending on your operating system and the VM OS you are looking to use.
Virtual machines offer numerous advantages in terms of privacy and security, while also protecting your host machine. For privacy, VMs allow you to easily spoof different operating systems and also chain VPN services, as explained in the multi-hop VPN guide. This also helps keep your host machine secure by isolating a virtual environment. If the VM were to be compromised, simply delete it and create a new one. You can also use different VMs for different purposes.
4. Tor Browser
Another option is to use the Tor browser, which is simply a hardened and protected version of Firefox. It includes numerous privacy and security modifications that are built into the default version:
- HTTPS Everywhere
- NoScript
- Anti-tracking features
- Canvas image extraction blocked
- WebGL blocked
- Operating system cloaking (shows as Windows 7 for all users)
- Timezone and language preferences blocked
The key here is to use the default version (the developers do not recommend adding any plugins or extensions because this could compromise the browser’s effectiveness).
You can get the latest version of the Tor browser here.
The default version of the Tor browser is configured to run with the Tor (anonymous/onion) network. While the Tor network does have added benefits in terms of privacy, it also has a number of disadvantages:
- Your internet speed will be reduced to around 2 Mbps, making streaming videos or music nearly impossible
- Tor only encrypts traffic through the browser, rather than encrypting all traffic on your operating system like a VPN
- Tor is vulnerable to IP leaks, especially with Windows
- Tor is not safe to use when torrenting (see the Best VPNs for Torrenting guide)
- Tor was created by the US government and is still funded largely by US government grants
- Some consider Tor to be compromised
Ultimately, like all privacy tools, Tor has both pros and cons.
Note: You can also first connect to a VPN and then load the Tor browser. This will hide your real IP address from malicious Tor nodes and give you an extra layer of protection. Read more about this in the main Tor guide here.
5. Don’t use smartphones
As we’ve covered before on Restore Privacy, every “smart” device is a data collection tool for corporate entities (and their surveillance partners).
Smartphones are especially vulnerable to browser fingerprinting. A team of researchers at Cambridge published a paper highlighting how smartphones can be fingerprinted using internal sensors – and there’s nothing the user can do about it.
The paper delves into the technical details, but here’s a brief overview of their findings:
- The attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you.
- The attack takes less than one second to generate a fingerprint.
- The attack can generate a globally unique fingerprint for iOS devices.
- The calibration fingerprint never changes, even after a factory reset.
- The attack provides an effective means to track you as you browse across the web and move between apps on your phone.
Unfortunately, there’s nothing you can do about this attack – short of getting rid of your smartphone – and you are entirely dependent on the company to fix the problem with software updates. While Apple has apparently patched this attack vector with iOS 12.2, Google (Android) is still “investigating” the issue and has not fixed anything.
If you were thinking about ditching the “smart” phone, this research provides yet another reason to do it.
Use a VPN
Although a VPN won’t protect you against browser fingerprinting, it is a very important privacy tool to conceal your IP address, hide your location, and keep your data safe.
If you’re not using a good VPN, your internet provider can easily monitor all your online activity by recording your DNS requests. In many countries, such as the UK and Australia, this is mandatory. Internet providers in the US can also monitor and record their users, and since March 2017, they can also sell this information to third parties (advertisers).
Going through all the hassle to protect yourself against browser fingerprinting may be a waste of time if you aren’t using a good VPN that will encrypt your internet connection and hide your IP address and location. The best VPN services report discusses the top recommendations based on the latest results.
For those who are seeking a higher level of online anonymity, you can also use a multi-hop VPN, which will encrypt your traffic across more than one server (multiple hops) before exiting onto the regular internet.
As mentioned above, combining VPNs also adds additional privacy and security while distributing trust across different VPN providers.
Conclusion on browser fingerprinting
While browser fingerprinting may seem like a daunting issue to some, mitigating your browser fingerprint is relatively easy. For those seeking the highest levels of privacy and security, I’d recommend utilizing virtual machines and perhaps chaining different VPN services (using more than one VPN at the same time).
As a general rule of thumb, Firefox remains a great all-around browser after some modifications and configuration. The secure browsers guide also discusses various options, while the Firefox privacy modifications guide takes a deep-dive into tweaks, extensions, and custom configuration.
Another issue to consider, which was not mentioned in this guide, is using a good ad blocker. Ads today basically function as tracking – they record your browsing habits so you can be hit with targeted advertisements. A good add-on is uBlock Origin, but there are other recommendations in the ad blocker article and privacy tools guide.
Stay safe, secure, and private online!
While I use my own PC for day to day activies on the Web, when I want to hide my identity for searches or any activity that does not require me to login somewhere, I use the public library as do many other people that day. Any searches I do there are never duplicated on my home PC so that should prevent any connection via a unique search phrase/subject. Not convienent for some people but for me it’s added privacy, until they ban annoymous use of any PC so everyone can be tracked and profiled. Aslo never used a smartphone and never will.
Unique can be cool.
Please correct me if I am wrong.
Method of testing fingerprint using various sites, I use http://www.deviceinfo.me, Panopticlick and amiunique.org.
1 On the first run I get an unique result. I take down all the relevant data
2 Restart the browser (firefox). Repeat the first test. Unique again. Take down data again.
3 Compare data between the 2 runs noting any readings that are the same.
4 Reboot PC
5 Redo steps 1 to 3
6 Wait 24 hours and rerun all steps again.
7 Compare data from all test runs.. If there is any common data points investigate methods of mitigation.
If all tests appear unique on all test runs I am happy that very little data is not being spoofed / blocked by my VPN / plugins.
Concerning the about:config changes you recommended, you made no reference to the fact that making these changes could break a lot of websites. Most of these settings have been implemented during the first few years of web browsers and use of the internet without creating a problem though I do understand the normal configuration lends to easily allow tracking. Novice users making changes here could end up with having a lot of trouble especially where income and jobs are concerned as some would not back up the profiles beforehand or make notes on these changes to refer back to, nor bookmark this page and be able to return to it for help.
Reference to this fact should be made first and in bold lettering immediately under “1. Browser modifications and tweaks”.
Hi!
“ If you were thinking about ditching the “smart” phone, this research provides yet another reason to do it.”. Quoting Sven from above.
Hypothetical scenario!
So you and I are driving across the Brooklyn Bridge, in NY. You say “ ditch the crazy iPhone. We will stop in Manhattan and pick up what you need.” So I throw the $800 iPhone in the East River while driving. I feel safer!! Yay!!!
So, where do we go and what do we get
when we drive into Manhattan? In this hypothetical, say we have two hours!
I could have asked you before I threw my phone over the bridge what you use, I imagine it’s Tecnical with dongles and such. Maybe not!
Regardless, there is value I feel in the question!
Best to you all !
Caveat: Before the phone started swimming with the fish, I used it everyday, for email, research, Twitter. Four hours a day. Minimum.
Android has mostly been open to users making the phones they buy actually their own (by root).
Apple on the other has mostly discouraged this with users and their phones (jail breaking).
Holy cr_p batman (rainier) Sir what else could there possibly be for something that gets more attention and use in our life to pose such a risk for us.
That is, if we have one…we surely have the other.
Look into this privacy attempted company/group/purpose and it seems more than merely phones and laptops they are trying to cover in your privacy. [https://puri.sm/]
This is something I would try (same group as above) – Librem One is a growing bundle of ethical services. If your tired of your digital life being exploited online that is!
[https://librem.one/]
I briefly looked at their phone and laptops noticing the way and structure as the route to get at what they are to claim within modern web workings and these modern devices we use. They basically (as I understood), use kill switches and I envisioned a Frankenstein of a device then as it seemed like it required some hardware’s KS used and not just in software.
To me they mentioned some hardware that’s needed or required inside all modern devices for them to even work online/cellular. In that of each piece of hardware installed to a device there was required a kill switch to restrict that one piece of hardware to satisfy their claims of privacy (ex: more than one not over 4 kill switches – escapes me exactly).
Maybe it’s not that bad and if you dug in to it relating what other routes don’t work. Could prove interesting not only are the KS needed to pull off your privacy but it works like a beautiful marriage.
Moral here don’t give up. Restrict all you can till the day comes it’s law and life in your digital worlds privacy is respected.
For all those people who need Tor browser without Tor networking-
https://www.whonix.org/wiki/SecBrowser
Why not to update modifying Tor browser for VPN. I see many users have posted some methods.
Yep, we’re looking into it.
also a new version of TorBrowser is out and some previous things do not work
dear sir your explanations and teachings on this page is 100 % accurate and true
but sir the addons trace and chameleon are absolutely useless as they does nothing as I conducted extensive test on many sites.
also the addon canvas blocker is just 10% good as it just block the domrect ID part of fingerprint. Only The user agent switcher addon is 100% very good as it allow to switch useragent.
if you want to block your fingerprint totally you have to block the audiocontext fingerprint, font fingerprint, webgl fingerprint(can be disabled manually in firefox), and canvas fingerprint altogether.
the canvas blocker only falsify the domrect id and the audiocontext fingerprint, webgl fingerprint, font fingerprint and canvas fingerprint all four remain unchanged
Fingerprinting seems to be the single most challenging aspect of internet security/privacy. Kameleo and Fraudfox sound like some serious tools for combatting the issue. They cost real money.
Thank you Sven , this is exactly what I was looking for , you’ve explained it really clearly.
I have also found this very useful , https://github.com/Lissy93/personal-security-checklist , it’s quite long though
Test your browser defense against fingerprinting https://nothingprivate.ml
Some guides to defend against fingerprinting:
– Desktop
Install extension such as canvas fingerprint defender on browsers eg Firefox, Chrome, Brave, Vivaldi etc. There is currently no option for Safari.
– Mobile
For iOS, use SnowHaze app. For Android, use Firefox and install said extension, or use Bromite (download from its website or F-droid)
another AMAZING tool (with links to many other resources) to see tons of info about your personal fingerprint:
https://browserleaks.com/proxy
this specific page detects what ad blockers you have installed. It can even detect which filter lists you have enabled on uBlock origin, which is one argument for using only the default filter lists.
Sven, I really appreciate your work. I feel increasingly uncomfortable in the cyber world, and having accessible information like this is critical to help protect civil liberties. Thank you.
Hi Peter, happy to help.
tutorial dont working for torbrowser 9.5
Have you heard about AEZAKMI browser? Is it a worth product?
Just a friendly opinion
– Never upload anything to your hard drive.
– Run the operating system – Kali Linux, Parrot, Ubuntu, etc. – from external memory.
– Do not use virtual machines.
Proton does a great job of anonymity and security and there is no better browser than John Do. The browser is configured perfectly and even much better than Thor.
If you use Tor browser, the whole world will know you are using it.
When your browser is set up correctly, the panopticlick should not display more than 8 bits of information.
The Spy
My only problem is the following error on the whatleaks.com:
VPN
:
open ports detected: 500 (udp) IPSec Internet Key Exchange, 1723 (udp) PPTP VPN, 4500 (udp) IPSec NAT traversal
How to solve this section? Thank you!
As a follow-up. For those who are programmers, perhaps you can create a script or .bat file that allows the user to simply run based on their OS for Tor Browser so we can disable Tor accessing it’s the network. Would this be do-able? It certainly will help others.
I am currently using Tor Browser version 8 with the previous modifications that worked. It’s worked awesome according to my needs.
@Please Update
@Tor9.0 NetworkDisabled
Thank you from the bottom of my heart for your TOR setup guide. Life has sucked since the update to 9.0 but today is a bright day in my life now that I have it back up and running.
Please share what you did because the instructions Sven provided above don’t work and have been tested as well. See my post.
Hi Sven, Am new to this site and seems I really picked a topic doozy for the first time. So much info, mind-boggling to this poor GGma’s brain. Have you ever checked CLIQZ browser? I have CLIQZ, Brave, Yandex, Epic, and Firefox browsers. Have not used FF for quite awhile now. Epic is a new one. Yandex is set up for my petitions, surveys, PC games, etc which load on cookies, so have Cookie Auto Delete set up there. Brave I have just started using. However, CLIQZ is the browser I use for banking, credit card payments, anything financial or private, like some family corr. Have checked all but the Epic browser on deviceinfo.me and panopticlick. As I figured, Yandex is the least secure and, for what it’s used for, it has to be. That’s why I use Cookie Auto Delete. CLIQZ is the most secure, even more so than Brave. FF is not that secure so I’ve let it pretty much go unused. Since Epic is brand new here I’ll just play with it and see what happens. Had Tor for awhile but seldom used it so uninstalled it.
After all this, I do understand about add-ons and security. Yandex has the most, but I find that I need Ghostery, Print-friendly (downloading craft patterns and copies of any software I’m interested in, so I can look at it all later when I have time), Cookie Auto Delete, Lightshot and my password manager…all on Yandex. The Brave browser does not have anything in its Options for fingerprinting so I cannot deal with that one the way this article says.
My main problem with tracking is that all these Mega Corps have been making money off MY info and me getting Nothing for that personal info. Wish Congress would tell these Nosy So-and-Sos to pay us for our info or stop tracking…stop laughing…could happen when HFO.
Hello, I haven’t looked into Cliqz too closely yet, but perhaps we can get a review of it soon.
Wow, I’ve been skipping all over this site today , eye opening, full noise very informative , keep up the awesome , a one stop book the leads to a highway of great depth, one must do what one can only try to do as effectively as on seems possible, in an ever changing digital environment
nessacary> individually
We are Guided by the best better solutions available now, the variables are plenty, far from a true solution of a standardization=true anonymity
I’m not explicitly ranked , but in surging no the less
knowing my deserved right to be left the * alone
Thank you S’T for the knowledge you share ,💪 mean maxhine
and the comrades that share more
Thank you for interesting article. I’d like to suggest you try a new antidetect tool GoLogin https://gologinapp.com With GoLogin you can create any number of browser profiles and use them at the same time, access individual settings for proxies and geolocation. GoLogin has developed a privacy browser Orbita. It is used to maintain confidentiality. There is also an option for Orbita to manage the fingerprints of the browser.
What about antidetect browsers like gologinapp and others? Good alternative?
It is really a mistake to use any browser other than Chrome, Firefox , Edge or Safari, although you might be saddled with using a different one on a smart phone. Other browsers are either outdated (Internet Explorer, Opera) or implemented by ‘coders’ who can’t get a job at a legitimate software company.
Some people are convinced that open source browsers are better, but in reality those people can’t/don’t read the source code, lack any real knowledge of software engineering or security expertise, and just blindly take install images created by someone else and install them on their computer/phone and tell themselves how clever they are for doing so.
Modern browsers are highly complex and connect to an internet where all kinds of malware is lurking. Installing a substandard browser (anything other than the 4 above are substandard, regardless of the opinion of people with no real knowledge of software engineering or security expertise) is overtly self destructive.
Opinion is not the same thing as knowledge and expertise, and only fools believe their opinions are equivalent to knowledge and expertise. Go forth and exercise your freedom of choice, and accept the consequences.
“implemented by ‘coders’ who can’t get a job at a legitimate software company.”
Has it ever occurred to you that some people would rather contribute to open source and privacy-respecting software than work for a so-called “legitimate software company” like Google that is in bed with the NSA?
“… lack any real knowledge of software engineering or security expertise…”
“anything other than the 4 above.. knowledge of software engineering or security expertise”
*Cough cough Edward Snowden!
@Just CallMeKano
I know this is late, but just saw this.
I would, if you want reputable businesses, double check your thought on FF.
They took money from George Soros through one of his foundations. He is not a man of trust or privacy for anyone but himself and his friends.
Second, recently and even with FDroid, FF has participated in silencing free speech on the net while claiming to be about free speech. They followed the cues of Google, Amazon and Facebook.
Question: Why?
To verify what I am saying, search for key words and ideas of what I have said. You can also see the very app they tried to silence: GAB.
Because of that, Gab has made their own app store, and Browser. Do I think they are ready for main stream? Not yet. But because of the above issues, I would really doubt using FF and would take more than a second glance at them.
I do differ from Sven in this that I think FF is more dangerous in a way as they say one thing and do another. Trojan horse?
The beauty of the site is that we can differ. We can hold to what is “best” and have these discussions. But please be careful to not assume you can speak for how others have arrived at using what they do or that they are being lazy. That may not be the case at all.
Just a follow up: My comment was not, in any way, meant to say that Chrome, Edge, or Safari is good. Apple, Google and Microsoft are really bad, in view of privacy and security.
I am drawing attention that FF may very well be a sleeper that should be looked at twice as hard because what they say and what they are doing conflicts.
Any super techies that can verify CyDec Platform AntiFingerprint? I’m using this on Windows 10 with new version of Firefox. Every time I go to AmIUnique or Panopticlick I get a different unique fingerprint. This is what we’re after right? Most websites seem to be working with it, and this is hands down the best add-on I could find.
using the TOR browser doesn’t mean we are fully protected, by avoiding it
using in full-screen mode and other small precautions might provide minor
exposure to tracking compared to Firefox.
very interesting site, with very interesting comments … after Snowden, the issue of privacy and security makes me a bit paranoid, and thus (like many users) I am forced to self-censor …. I have read thousands of tips, tutorials, explanations and I feel like I’m spinning in circles because I’m just totally confused right now: I find completely contradictory information about various things, for example, not to use VPN with Tor, or necessarily use VPN with Tor, or Vpn with proxy, etc … hundreds various well-intentioned but also contradictory tips at the same time …
so, I try to apply what seems logical to me, and what I can do myself without unnecessary complications …. I always use VPN + proxy in Opera or Firefox, often change settings that can change, time zone, computer name, change passwords often , I use different browsers, several (in my opinion good) applications, which help increase privacy: Privacy Badger, Blur, KeyScrambler,etc… change DNS servers, change fonts, change resolution with monitor, and a bunch of similar things .. all the important datas are encrypted … I use a mandatory VPN, but since most VPN services use the same OpenVPN protocol with AES-256 encryption, I think it produces results … and it’s enough to download the openvpn protocol itself: [www.vpnbook.com], which is open code, so anyone who knows and wants it can check its configuration and evaluate how good or bad it is…
probably I didn’t write anything too revolutionary or new, I just briefly described how I try to function online … in a way, I think I reduce monitoring and tracking, even though I’m pessimistic, it’s impossible to do it completely! we just have to accept some things, which doesn’t mean it’s not worth fighting for privacy and security. and lastly, I feel completely safe only when using the TAILS usb system …. As it boot from the usb, it leaves no trace on the hdd, and there are Tor and some safe applications, mostly with end to end encryption ….
The settings in version 9.0 of the Tor Browser have changed. There’s no longer a “No Proxy” option, and Tor Browser Launcher is no longer listed under addons, so it can’t be disable.
Does anyone know how to use version 9.0 without connecting to the Tor network? I like using the Tor Browser for connecting to services that engage in fingerprinting like Facebook and Google.
Try this, worked for me.
In about:config:
Set extensions.torbutton.use_nontor_proxy to True
Set extensions.torlauncher.start_tor to False
Set extensions.torlauncher.control_host to a blank string
Set network.proxy.type to 0 for no proxy (direct connection), or 1 for a manual custom proxy configuration
If you want a custom proxy configuration (for example a SOCKS or HTTP proxy) change the corresponding settings network.proxy.socks or network.proxy.http in about:config.
Thanks for replying.
I made those changes, but now I get this error when I try to connect to any site:
Unable to find the proxy server
Firefox is configured to use a proxy server that can’t be found.
I tried reinstalling TBB, doing the settings changes again, but still the same thing.
OK, sorry, I didn’t test if using no proxy worked and it does not as you say. When setting network.proxy.type to 0 it reverts to 1 automatically.
Perhaps the team behind Tor Browser has made proxy use foolproof in and completely disabled using TB9 without a proxy. The only way to use TB9 without the Tor network would then be to use another proxy.
It’s really frustrating trying to mitigate browser fingerprint – I’m a bit lost to be honest. Should I add more addons to diminish it or does adding more addons make me more unique? I’m really struggling to find the sweet spot. Firefox should launch an out of the box private version, because currently everyone modifies firefox in their own way which allows for fingerprinting – there should be a standard the same way you use tor browser out of the box.
Sven or anyone else, I’m wondering the same as Anaxagoras. Specifically:
1) Is it possible to fingerprint you not only by what add-ons you have but also by any modified settings ON those add-ons? (Note, I have 3rd Party scripts blocked on uBlock origin.)
2) What is a greater concern for fingerprinting: modified browser privacy preferences or using privacy add-ons (NOT INCLUDING, perhaps, any anti-fingerprinting preferences in either one)? Is it the case that the accuracy of fingerprinting is so high, even with very few browser modifications that further modifications can’t really hurt you much more? What’s the logical way to think about this?
3) You: “Some people recommend spoofing different user agents through a browser extension, while others suggest this is a bad idea because it might make you more “unique”. Of course, there are many factors to consider…” —
This is a very conflicting piece of advice! Hard to make sense of for the average user like me (likewise for some of your other recommended software/settings throughout the site). Can you go into more detail? What’s the logical way to think about these questions and choose a default protocol in the absence of oneself’s expert knowledge?
CyDec Platform AntiFingerprint I am using this and it gives me a unique different fingerprint every time.
Dear sir, could you test and tell about UR browser and VIA browser ?
Hello, I’ll check those out with the next update.
Any idea about UR Browser?
Haven’t looked at it.
Setting privacy.firstparty.isolate to true in Firefox breaks paying for anything with Paypal. Thanks for the warning.
Mike, just use another browser for payments, and then a hardened browser for general web browsing.
Sven…TY for everything!!! Finally found an add-on I think works. CyDec Platform Anti-Fingerprinting
I’m not sure if I’m right but have a look see. When I check this on amiunique it comes up with a different unique fingerprint every time. This is what we want right? My OS is Windows 10, Firefox (Version 71.0 64 bit). Running uBlock Origin with Privacy Badger, HTTPS Everywhere and CyDec.
Amiunique comes up with all sorts of different fingerprints every time when checked. Websites seem to be functioning as normal.
Good article! A few points:
* ditching smartphone is a huge demand in today’s world… think of the loss in convenience/productivity/efficiency — you’d need a backpack of stuff to replace it (a laptop [for maps, internet, etc.], USB cellular modem, a camera, a basic feature-phone [hopefully with flashlight, FM/radio receiver — otherwise that’s separate], USB storage stick — did I miss something?) This kind of major downshift would hardly be acceptable to most people (unless you’re retired/nearing end of life or something) — we should really try to come up with other solutions, e.g.:
+ create a rating of hardware manufacturers based on friendliness to freedom, open source, security-/privacy-conscious people (lobby orgs like EFF, FSF, EPIC, Access Now, Privacy International to do it & publish widely (with regular updates obviously)) — that would encourage market forces to work in the right direction;
+ spread knowledge about these issues as widely as possible and really try to make all (or at least one) browsers’ fingerprint _uniform_ and minimal, and then get as many people using that as possible;
+ engage politically — lobby/petition for the right regulation of tech and break-up of tech monopolies to encourage competition; support Pirate party, maybe create a Privacy party or something;
+ generally support “free culture movement”.
* it’d be good to look into what state actors, intelligence operators/spys, and even criminals are doing about all of this & learn from their tricks [Please include this kind of info (whatever you can find) in your articles, Sven.], because the stakes are really high for them and they can’t “quit the game” — they have to and will find a way to operate regardless! That’s why we should really listen to Snowden on this — nobody who’s talking has the kind of knowledge, training, & experience, not even close. He knows what the ultimate “threat” is capable of and what the best practical advice is. His words on this should pretty much be gospel as far as I’m concerned.
It’s easier to just learn from them, than to develop your own solutions/methods — after all they spend huge $$ coming up with the simple, practical methods for operators, assets to use and they do that with access to classified intel about the capabilities of their adversaries… think about the budgets involved and don’t reinvent the wheel, I’d say… our wheel won’t be as good probably. [That’s why if US agencies are using Tor for their ops, they wouldn’t leave vulnerabilities in it for their adversaries to exploit. But US aren’t the only ones who need this kind of functionality… i wonder what the others were doing before Tor… — chain-linked VPNs? There wasn’t such a big market for VPNs to blend in probably… Do you know, Sven? You wonder why US didn’t just go with chain-linked VPNs, rather than develop Tor, eh?]
* I agree with the good comment by “#” on JANUARY 25, 2019 here about not judging VPNs based on whether they are paid or free — the phrase about you being the product if you’re not paying is the kind of marketing/PR/sales BS we should call out — one could be _paying_ AND getting ripped off or just being taken for a sucker, i.e. just because you’re paying doesn’t mean you’re getting quality product/service. Same goes for Facebook, Google, etc., and their shills or zombies claiming “privacy is dead” [or movie studios, etc. inventing & then using the concept of “spoilers”] — we should try not to fall for their profiteering butts peddling us this BS and call them out on it! [In the case of spoilers — don’t ever delay knowing something you could know NOW — you may not live long enough to find out, and/or the knowledge could just save your life!]
Not all people are just out to make short-term profits — some see some kind of bigger picture and so you may find some free, albeit throttled (or limited in some other way), VPN provided by folks, who are fighting the good fight as well as trying to make some $ from those who _can_ pay.
* For now maybe this “chameleon” approach you mention is most promising; it even gets mentioned in general interest media.
* Sven, maybe an idea would be for you to create an article like this about the setups you use in different situations and how you make it work, in general terms, and then just link to _that_, rather than scatter explanations throughout the comments…
* Sven, maybe most people wouldn’t mind it too much if you ran ads on this site as long as they’re not targeted per user, are clearly marked, and don’t influence your writing… If it helps the cause, why not?
* In connection with security, privacy, anonymity, confidentiality, this point is worth considering: the authorities sometimes need to appeal to the public for tips and they provide some kind of anonymity/confidentiality assurance; if people know there’s no way they can stay anonymous, despite assurances, maybe those tips to law enforcement will just dry up…
Cheers, M Hayden.
ps. Sven, i read your reply to my Tor comment. My point was that US gov wouldn’t use tools with _known_ vulnerabilities for high-stakes ops, if more secure tools existed. We can assume, with all the PhDs and Snowden types working for them, they would use whatever is most secure. Losing HUMINT assets sucks big time — see NYT article above. It’s just about risk management — go with whatever carries the smallest risk. It’s possible they’re financing Tor for the suckers out there, but are using something else themselves… Is that what you think is happening?
Interesting points, thanks for the feedback. I still hate ads, and I think most readers here do as well, so I don’t see that as a route to go down.
Regarding Tor, I’m not really sure, and I don’t want to speculate. What I found most interesting is the history and some of the Tor developers’ own admissions regarding close ties and cooperation with government agencies.
M Hayden, excellent ideas, thank you! However waaay too much to read through…takes a patient reader like me to not just TL;DR it. Maybe split it up into a few smaller comments next time….
Sven,
I’ve found the Comment threads on your site to be almost as helpful as the main content. Unfortunately, due to the scattered distribution and some very long comments (like the one I’m replying to now!) and SO MANY, it is hard to focus on the most helpful info and organize it mentally.
There are a few potential website design solutions you might use for this, such as M Hayden’s recommendation to “create an article like this about the setups you use…and then just link to _that_”
Another idea would be to add a “social feedback” prioritization feature to the Comment Section, as many websites do, so that readers can “Like”/”Dislike” comments, which could be ranked automatically and would display on the page in order of how Helpful readers found them. What do you think about this?
Another idea for Comments, Sven:
Can you add an option on your site’s search to search the comments (including user Names) (globally, not page by page as with Ctrl+F) ?
Oh yeah, also I totally agree with M Hayden about running very limited ads, as long as you follow a protocol to prevent any conflicts of interest with the advertisers. Seems like a good, pragmatic idea!
A basic question: does mitigating browser fingerprinting have any sens for users who don’t use Tor, or a VPN, or a proxy? What I mean is that if a user’s device IP is not spoofed that IP will always be his device’s signature, right? In which case mitigating fingerprinting is meaningless, or am I missing something?
I think the answer to that question would depend on many factors, and the adversary you are protecting your data from, but in general, yes, the IP address is probably the first and biggest consideration.
It must be these many factors I’m not aware of, Sven.
When you write that you prefer to use the word “mitigate” rather than “solve” (” because browser fingerprinting is a very complex and evolving issue.”) I understand that hiding cannot be a 100% guaranteed.
In other words fighting fingerprinting requires an armada of precautions on top of TOR/VPN to higher probability of success and is an analyst’s big laugh when a user’s IP address is not spoofed.
As I see it the best is still to avoid TOR/VPNs, let fingerprinting do its work, and clean regularly a browser’s traces. Not to mention acting on what is feasible and mainly cross-site information exchange.
Entropy spots a user. And a badly crafted anti-fingerprinting on top of a VPN is high entropy. I don’t know. There’s just something which bothers me when a project requires perfection and is otherwise worse than no project.
Hi Sven
Please test Aloha Browser,Aloha Browser lite and Aloha VPN as soon as possible i really need a full complete review for Aloh
Please respond as soon as you read this.
Could you please give us your personal step by step guide towards the privacy setup that you enjoy and satisfied with,if it’s not to much of a trouble.
thank you for your great work and help it is truly effectual.
Hello, I would definitely not recommend this. It’s an unknown browser, unknown developer, closed source, and offers a “free unlimited VPN”. All of these issues are red flags. The VPN part is a lie (it’s just a proxy), which could be used for data collection, such as with Opera’s “free VPN”.