In this new and updated guide, we’ll cover all aspects of browser fingerprinting and device fingerprinting. In addition to explaining what exactly this is, we’ll also show you how to protect yourself against these threats.
Many people use VPN services to hide their IP address and location – but there is another way you can be identified and tracked: through browser fingerprinting.
Whenever you go online, your computer or device provides the sites you visit with highly specific information about your operating system, settings, and even hardware. The use of this information to identify and track you online is known as device or browser fingerprinting.
As browsers become increasingly entwined with the operating system, many unique details and preferences can be exposed through your browser. The sum total of these outputs can be used to render a unique “fingerprint” for tracking and identification purposes.
Your browser fingerprint can reflect:
- the User agent header
- the Accept header
- the Connection header
- the Encoding header
- the Language header
- the list of plugins
- the platform
- the cookies preferences (allowed or not)
- the Do Not Track preferences (yes, no or not communicated)
- the timezone
- the screen resolution and its color depth
- the use of local storage
- the use of session storage
- a picture rendered with the HTML Canvas element
- a picture rendered with WebGL
- the presence of AdBlock
- the list of fonts
How accurate is browser fingerprinting?
Some researchers have found this method of identification to be extremely effective.
Why is this being done?
Browser fingerprinting is just another tool to identify and track people as they browse the web. There are many different entities – both corporate and government – that are monitoring internet activity, and they all have different reasons for doing so. Advertisers and marketers find this technique useful to acquire more data on users, which in turn leads to more advertising revenue.
Some websites use browser fingerprinting to detect potential fraud, such as banks or dating websites, so it’s not always nefarious.
Surveillance agencies could also use this to identify people who are employing other privacy measures to cloak their IP address and location, such as with VPN services or the Tor (onion) network.
Browser fingerprinting test websites
One good test website to see all of the information that is being revealed by your browser is www.deviceinfo.me.
There are also a few websites that reveal browser data and also assess a “uniqueness” score based on your variables in comparison to their database of browsers.
- Panopticlick is run by the Electronic Frontier Foundation.
- amiunique.org is another good resource, but unlike Panopticlick, it is open source and provides more information and updated fingerprinting techniques, including webGL and canvas.
Are browser fingerprinting test websites very accurate?
Yes and no.
Yes, these websites do provide accurate information about your browser’s fingerprint and the different values being gathered.
No, the “uniqueness” conclusion about your browser from these websites can be wildly inaccurate and very misleading. Here’s why:
- Data sample: Panopticlick and amiunique.org are comparing your browser’s fingerprint to a giant database of old, outdated browsers – many of which are no longer in use. When you test your browser’s fingerprint with an updated browser, it may show it as being extremely rare and unique, even though the majority of people are using the same updated version. Conversely, running the test with an old, outdated browser may show a very good result (not unique) when in reality very few people are using the older browser today.
- Screen resolution: At least on desktop machines, most people regularly adjust their browser screen size. Every minor screen size value will be measured as a factor for uniqueness, which can be misleading.
- Randomized fingerprints: Another problem with these test sites is that they don’t account for randomized fingerprints that can be regularly changed through browser extensions. This method may be an effective way to prevent real-world fingerprinting, but it can’t be tested/quantified through these sites.
In general, the browser fingerprinting test websites are good for revealing the unique information and values that can be rendered from your browser. Aside from that, however, trying to beat the test by getting the lowest “uniqueness” score may be a waste of time and counterproductive.
How to mitigate your browser fingerprint
Before we jump into potential solutions, it’s important to note that implementing browser fingerprinting protection methods may break some websites. Be sure to research these different options carefully before adjusting your browser settings.
Another consideration is your threat model. How much privacy do you need or want? The answer to that question will be different for every user.
Lastly, I use the word “mitigate” rather than “solve” because browser fingerprinting is a very complex and evolving issue. For example, a new study revealed that there’s nothing you can do to mitigate some fingerprinting attacks on smartphones (discussed more below).
Here are some good ways to mitigate your browser fingerprint:
1. Browser modifications and tweaks
Depending on the browser you are using, you might have some different options for tweaks and modifications to mitigate browser fingerprinting. Below we’ll discuss various Firefox and Brave browsers, which are both secure and private browsers.
Firefox browser fingerprinting
Firefox is a good browser for privacy and security, and it can also be modified and hardened for your unique needs. (For an overview of Firefox privacy tweaks, see the Firefox privacy guide.) The first thing you need to do is type about:config into the URL bar of Firefox, hit enter, then agree to “accept the risk” and make the following changes:
- privacy.resistFingerprinting (change to true) – Changing this value to true will offer some basic protection, but it’s far from a complete solution. The privacy.resistFingerprinting preference was added to Firefox as part of the Tor Uplift project and it continues to be improved.
- webgl.disabled (change to true) – WebGL is another tricky issue for privacy and security. Disabling this preference is generally a good idea – see some of the issues with WebGL here.
- media.peerconnection.enabled (change to false) – Disabling WebRTC is a good idea since this can reveal your true IP address, even when you are using a good VPN service. See the WebRTC leak guide for more details and how to disable WebRTC in other browsers.
- geo.enabled (change to false) – This disables geolocation tracking.
- privacy.firstparty.isolate (change to true) – This is another great update from the Tor Uplift project that isolates cookies to the first party domain.
Note: This is just a brief overview of changes that improve your privacy and help to mitigate your browser fingerprint. Nonetheless, there are many different factors that go into fingerprinting and you may still have a unique fingerprint even with these changes.
Firefox with the ghacks user.js file
Another great option is to run Firefox with a unique user.js file, such as the ghacks user.js. This is a custom Firefox configuration file that has been modified for more privacy and security. I like this option because it can save lots of time with setup and is regularly updated and improved. See the Wiki page for an overview and setup instructions.
When I tested a fresh install of Firefox with the ghacks user.js file, amiunique.org showed my browser fingerprint as as not unique.
Brave browser fingerprinting
Although it is based on Chromium, the Brave Browser may be a good option for those wanting a simple, privacy-focused browser that blocks tracking by default and still supports Chrome extensions. Brave allows you to enable fingerprinting protection, which is under the Brave Shields settings:
When I tested out a fresh install of Brave with the “Block all fingerprinting” enabled, I still had a unique fingerprint according to Panopticlick and amiunique.org.
See also this article on Github discussing different aspects of fingerprinting protection in Brave.
2. Browser extensions and add-ons to minimize or spoof your fingerprint
There are a number of different browser extensions and add-ons that you may find useful. With that being said here are a few things to remember:
- Be careful with third-party extensions, which could potentially undermine your privacy and security.
- Be mindful that using extensions may make your browser fingerprint more unique (many factors).
Now that we’ve gotten those disclaimers out of the way, let’s examine some browser add-ons that may be useful:
Firefox browser:
- Canvasblocker by kkapsner – Protects against canvas fingerprinting methods (source on GitHub)
- Trace by AbsoluteDouble – Protects against various fingerprinting methods (source on GitHub)
- Chameleon by sereneblue – Allows you to spoof user agent values (source on GitHub)
- User-Agent Switcher by Alexander Schlarb – Allows you to spoof user agent (source on GitLab)
There are many other Firefox add-ons you may want to consider as well, which are discussed in the Firefox privacy guide. Some of these add-ons are also available for Chromium-based browsers, such as Brave.
Some people recommend spoofing different user agents through a browser extension, while others suggest this is a bad idea because it might make you more “unique”. Of course, there are many factors to consider, but adding noise to your fingerprint may not be a bad strategy.
For example, with Chameleon, you can cycle through different user agents at various time intervals:
Now let’s look at another option for modifying your browser fingerprint: the use of virtual machines.
3. Virtual machines
You can also consider running different virtual machines, which can utilize different operating systems on your host computer. VirtualBox is FOSS and offers an easy way to run different Linux VMs for more privacy and security. There are many different video tutorials online, depending on your operating system and the VM OS you are looking to use.
Virtual machines offer numerous advantages in terms of privacy and security, while also protecting your host machine. For privacy, VMs allow you to easily spoof different operating systems and also chain VPN services, as explained in the multi-hop VPN guide. This also helps keep your host machine secure by isolating a virtual environment. If the VM were to be compromised, simply delete it and create a new one. You can also use different VMs for different purposes.
4. Tor Browser
Another option is to use the Tor browser, which is simply a hardened and protected version of Firefox. It includes numerous privacy and security modifications that are built into the default version:
- HTTPS Everywhere
- NoScript
- Anti-tracking features
- Canvas image extraction blocked
- WebGL blocked
- Operating system cloaking (shows as Windows 7 for all users)
- Timezone and language preferences blocked
The key here is to use the default version (the developers do not recommend adding any plugins or extensions because this could compromise the browser’s effectiveness).
You can get the latest version of the Tor browser here.
Here were the fingerprint test results with the Tor browser from Panopticlick:
The default version of the Tor browser is configured to run with the Tor (anonymous/onion) network. While the Tor network does have added benefits in terms of privacy, it also has a number of disadvantages:
- Your internet speed will be reduced to around 2 Mbps, making streaming videos or music nearly impossible
- Tor only encrypts traffic through the browser, rather than encrypting all traffic on your operating system like a VPN
- Tor is vulnerable to IP leaks, especially with Windows
- Tor is not safe to use when torrenting (see the Best VPNs for Torrenting guide)
- Tor was created by the US government and is still funded largely by US government grants
- Some consider Tor to be compromised
Ultimately, like all privacy tools, Tor has both pros and cons.
While the Tor network has issues, you can still use the Tor browser with a virtual private network (VPN) and the Tor network disabled.
Tor browser with a VPN (Tor network disabled)
Some people like to use the Tor browser with a VPN (Tor network disabled). This gives you the browser fingerprinting protections of the Tor browser, with the speed and anonymity offered through a VPN.
Disclaimer – While this may be good for some users, it comes with the risks of misconfiguring the Tor browser bundle, which could de-anonymize the user (if you are relying only on the Tor network for anonymity).
Here’s how to download the Tor browser and disable the Tor network:
- Download the Tor browser for your operating system. After downloading, you should be prompted to connect to the Tor network, which you can do to get access to the settings.
- In the Tor browser go to the Menu button (three lines in the top right corner) and then select Options (Windows) or Preferences (Mac OS).
- Select Advanced > Network > Settings
- Select No proxy > OK
- Type about:config into the URL bar and hit the enter/return key. You will get some kind of warning message (“This might void your warranty!”) – just click continue or “I accept the risk!”.
- In the search box enter network.proxy.socks_remote_dns and then double click to disable; value = false
- To completely disable the Tor network, go to the search box again and enter extensions.torlauncher.start_tor and then double click to disable; value = false
- To ensure these changes don’t revert to the default settings when you close out the browser you need to disable TorLauncher. To do this go to Options > Add-ons > TorLauncher [Disable] and then restart the browser for the changes to be implemented.
You will need to restart the Tor browser for the changes to take effect.
Now, when you open the Tor browser, it will not connect through the Tor network. This will prompt a warning screen (“Something Went Wrong”), which you can just ignore.
Be sure to remember that your Tor browser is not configured to work with the Tor network, so it is now just like any other browser.
5. Don’t use smartphones
As we’ve covered before on Restore Privacy, every “smart” device is a data collection tool for corporate entities (and their surveillance partners).
Smartphones are especially vulnerable to browser fingerprinting. A team of researchers at Cambridge published a paper highlighting how smartphones can be fingerprinted using internal sensors – and there’s nothing the user can do about it.
The paper delves into the technical details, but here’s a brief overview of their findings:
- The attack can be launched by any website you visit or any app you use on a vulnerable device without requiring any explicit confirmation or consent from you.
- The attack takes less than one second to generate a fingerprint.
- The attack can generate a globally unique fingerprint for iOS devices.
- The calibration fingerprint never changes, even after a factory reset.
- The attack provides an effective means to track you as you browse across the web and move between apps on your phone.
Unfortunately, there’s nothing you can do about this attack – short of getting rid of your smartphone – and you are entirely dependent on the company to fix the problem with software updates. While Apple has apparently patched this attack vector with iOS 12.2, Google (Android) is still “investigating” the issue and has not fixed anything.
If you were thinking about ditching the “smart” phone, this research provides yet another reason to do it.
Use a VPN
Although a VPN won’t protect you against browser fingerprinting, it is a very important privacy tool to conceal your IP address, hide your location, and keep your data safe.
If you’re not using a good VPN, your internet provider can easily monitor all your online activity by recording your DNS requests. In many countries, such as the UK and Australia, this is mandatory. Internet providers in the US can also monitor and record their users, and since March 2017, they can also sell this information to third parties (advertisers).
Going through all the hassle to protect yourself against browser fingerprinting may be a waste of time if you aren’t using a good VPN that will encrypt your internet connection and hide your IP address and location. The best VPN services report discusses the top recommendations based on the latest results.
For those who are seeking a higher level of online anonymity, you can also use a multi-hop VPN, which will encrypt your traffic across more than one server (multiple hops) before exiting onto the regular internet. Both Perfect Privacy and ZorroVPN offer self-configurable multi-hop VPN configurations.
As mentioned above, combining VPNs also adds additional privacy and security while distributing trust across different VPN providers.
Conclusion on browser fingerprinting
While browser fingerprinting may seem like a daunting issue to some, mitigating your browser fingerprint is relatively easy. For those seeking the highest levels of privacy and security, I’d recommend utilizing virtual machines and perhaps chaining different VPN services.
As a general rule of thumb, Firefox remains a great all-around browser after some modifications and configuration. The secure browsers guide also discusses various options, while the Firefox privacy modifications guide takes a deep-dive into tweaks, extensions, and custom configuration.
Another issue to consider, which was not mentioned in this guide, is using a good ad blocker. Ads today basically function as tracking – they record your browsing habits so you can be hit with targeted advertisements. A good add-on is uBlock Origin, but there are other recommendations in the ad blocker article and privacy tools guide.
Stay safe, secure, and private online!
Updated and revised on May 27, 2019
using the TOR browser doesn’t mean we are fully protected, by avoiding it
using in full-screen mode and other small precautions might provide minor
exposure to tracking compared to Firefox.
@PrivacyEnthusiast October 28, 2019
“The settings in version 9.0 of the Tor Browser have changed. There’s no longer a “No Proxy” option, and Tor Browser Launcher is no longer listed under addons, so it can’t be disable.”
Create an empty file named autoconfig.js in your Tor Browser’s \defaults\pref folder with these two lines:
pref(“general.config.filename”, “firefox.cfg”);
pref(“general.config.obscure_value”, 0);
Create an empty file named firefox.cfg in the folder where firefox.exe is at with these three lines:
//
lockPref(“network.proxy.socks_remote_dns”, false);
lockPref(“network.proxy.type”, 0);
https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig
very interesting site, with very interesting comments … after Snowden, the issue of privacy and security makes me a bit paranoid, and thus (like many users) I am forced to self-censor …. I have read thousands of tips, tutorials, explanations and I feel like I’m spinning in circles because I’m just totally confused right now: I find completely contradictory information about various things, for example, not to use VPN with Tor, or necessarily use VPN with Tor, or Vpn with proxy, etc … hundreds various well-intentioned but also contradictory tips at the same time …
so, I try to apply what seems logical to me, and what I can do myself without unnecessary complications …. I always use VPN + proxy in Opera or Firefox, often change settings that can change, time zone, computer name, change passwords often , I use different browsers, several (in my opinion good) applications, which help increase privacy: Privacy Badger, Blur, KeyScrambler,etc… change DNS servers, change fonts, change resolution with monitor, and a bunch of similar things .. all the important datas are encrypted … I use a mandatory VPN, but since most VPN services use the same OpenVPN protocol with AES-256 encryption, I think it produces results … and it’s enough to download the openvpn protocol itself: [www.vpnbook.com], which is open code, so anyone who knows and wants it can check its configuration and evaluate how good or bad it is…
probably I didn’t write anything too revolutionary or new, I just briefly described how I try to function online … in a way, I think I reduce monitoring and tracking, even though I’m pessimistic, it’s impossible to do it completely! we just have to accept some things, which doesn’t mean it’s not worth fighting for privacy and security. and lastly, I feel completely safe only when using the TAILS usb system …. As it boot from the usb, it leaves no trace on the hdd, and there are Tor and some safe applications, mostly with end to end encryption ….
The settings in version 9.0 of the Tor Browser have changed. There’s no longer a “No Proxy” option, and Tor Browser Launcher is no longer listed under addons, so it can’t be disable.
Does anyone know how to use version 9.0 without connecting to the Tor network? I like using the Tor Browser for connecting to services that engage in fingerprinting like Facebook and Google.
Try this, worked for me.
In about:config:
Set extensions.torbutton.use_nontor_proxy to True
Set extensions.torlauncher.start_tor to False
Set extensions.torlauncher.control_host to a blank string
Set network.proxy.type to 0 for no proxy (direct connection), or 1 for a manual custom proxy configuration
If you want a custom proxy configuration (for example a SOCKS or HTTP proxy) change the corresponding settings network.proxy.socks or network.proxy.http in about:config.
Thanks for replying.
I made those changes, but now I get this error when I try to connect to any site:
Unable to find the proxy server
Firefox is configured to use a proxy server that can’t be found.
I tried reinstalling TBB, doing the settings changes again, but still the same thing.
OK, sorry, I didn’t test if using no proxy worked and it does not as you say. When setting network.proxy.type to 0 it reverts to 1 automatically.
Perhaps the team behind Tor Browser has made proxy use foolproof in and completely disabled using TB9 without a proxy. The only way to use TB9 without the Tor network would then be to use another proxy.
It’s really frustrating trying to mitigate browser fingerprint – I’m a bit lost to be honest. Should I add more addons to diminish it or does adding more addons make me more unique? I’m really struggling to find the sweet spot. Firefox should launch an out of the box private version, because currently everyone modifies firefox in their own way which allows for fingerprinting – there should be a standard the same way you use tor browser out of the box.
Sven or anyone else, I’m wondering the same as Anaxagoras. Specifically:
1) Is it possible to fingerprint you not only by what add-ons you have but also by any modified settings ON those add-ons? (Note, I have 3rd Party scripts blocked on uBlock origin.)
2) What is a greater concern for fingerprinting: modified browser privacy preferences or using privacy add-ons (NOT INCLUDING, perhaps, any anti-fingerprinting preferences in either one)? Is it the case that the accuracy of fingerprinting is so high, even with very few browser modifications that further modifications can’t really hurt you much more? What’s the logical way to think about this?
3) You: “Some people recommend spoofing different user agents through a browser extension, while others suggest this is a bad idea because it might make you more “unique”. Of course, there are many factors to consider…” —
This is a very conflicting piece of advice! Hard to make sense of for the average user like me (likewise for some of your other recommended software/settings throughout the site). Can you go into more detail? What’s the logical way to think about these questions and choose a default protocol in the absence of oneself’s expert knowledge?
Dear sir, could you test and tell about UR browser and VIA browser ?
Hello, I’ll check those out with the next update.
Any idea about UR Browser?
Haven’t looked at it.
Setting privacy.firstparty.isolate to true in Firefox breaks paying for anything with Paypal. Thanks for the warning.
Mike, just use another browser for payments, and then a hardened browser for general web browsing.
Good article! A few points:
* ditching smartphone is a huge demand in today’s world… think of the loss in convenience/productivity/efficiency — you’d need a backpack of stuff to replace it (a laptop [for maps, internet, etc.], USB cellular modem, a camera, a basic feature-phone [hopefully with flashlight, FM/radio receiver — otherwise that’s separate], USB storage stick — did I miss something?) This kind of major downshift would hardly be acceptable to most people (unless you’re retired/nearing end of life or something) — we should really try to come up with other solutions, e.g.:
+ create a rating of hardware manufacturers based on friendliness to freedom, open source, security-/privacy-conscious people (lobby orgs like EFF, FSF, EPIC, Access Now, Privacy International to do it & publish widely (with regular updates obviously)) — that would encourage market forces to work in the right direction;
+ spread knowledge about these issues as widely as possible and really try to make all (or at least one) browsers’ fingerprint _uniform_ and minimal, and then get as many people using that as possible;
+ engage politically — lobby/petition for the right regulation of tech and break-up of tech monopolies to encourage competition; support Pirate party, maybe create a Privacy party or something;
+ generally support “free culture movement”.
* it’d be good to look into what state actors, intelligence operators/spys, and even criminals are doing about all of this & learn from their tricks [Please include this kind of info (whatever you can find) in your articles, Sven.], because the stakes are really high for them and they can’t “quit the game” — they have to and will find a way to operate regardless! That’s why we should really listen to Snowden on this — nobody who’s talking has the kind of knowledge, training, & experience, not even close. He knows what the ultimate “threat” is capable of and what the best practical advice is. His words on this should pretty much be gospel as far as I’m concerned.
It’s easier to just learn from them, than to develop your own solutions/methods — after all they spend huge $$ coming up with the simple, practical methods for operators, assets to use and they do that with access to classified intel about the capabilities of their adversaries… think about the budgets involved and don’t reinvent the wheel, I’d say… our wheel won’t be as good probably. [That’s why if US agencies are using Tor for their ops, they wouldn’t leave vulnerabilities in it for their adversaries to exploit. But US aren’t the only ones who need this kind of functionality… i wonder what the others were doing before Tor… — chain-linked VPNs? There wasn’t such a big market for VPNs to blend in probably… Do you know, Sven? You wonder why US didn’t just go with chain-linked VPNs, rather than develop Tor, eh?]
* I agree with the good comment by “#” on JANUARY 25, 2019 here about not judging VPNs based on whether they are paid or free — the phrase about you being the product if you’re not paying is the kind of marketing/PR/sales BS we should call out — one could be _paying_ AND getting ripped off or just being taken for a sucker, i.e. just because you’re paying doesn’t mean you’re getting quality product/service. Same goes for Facebook, Google, etc., and their shills or zombies claiming “privacy is dead” [or movie studios, etc. inventing & then using the concept of “spoilers”] — we should try not to fall for their profiteering butts peddling us this BS and call them out on it! [In the case of spoilers — don’t ever delay knowing something you could know NOW — you may not live long enough to find out, and/or the knowledge could just save your life!]
Not all people are just out to make short-term profits — some see some kind of bigger picture and so you may find some free, albeit throttled (or limited in some other way), VPN provided by folks, who are fighting the good fight as well as trying to make some $ from those who _can_ pay.
* For now maybe this “chameleon” approach you mention is most promising; it even gets mentioned in general interest media.
* Sven, maybe an idea would be for you to create an article like this about the setups you use in different situations and how you make it work, in general terms, and then just link to _that_, rather than scatter explanations throughout the comments…
* Sven, maybe most people wouldn’t mind it too much if you ran ads on this site as long as they’re not targeted per user, are clearly marked, and don’t influence your writing… If it helps the cause, why not?
* In connection with security, privacy, anonymity, confidentiality, this point is worth considering: the authorities sometimes need to appeal to the public for tips and they provide some kind of anonymity/confidentiality assurance; if people know there’s no way they can stay anonymous, despite assurances, maybe those tips to law enforcement will just dry up…
Cheers, M Hayden.
ps. Sven, i read your reply to my Tor comment. My point was that US gov wouldn’t use tools with _known_ vulnerabilities for high-stakes ops, if more secure tools existed. We can assume, with all the PhDs and Snowden types working for them, they would use whatever is most secure. Losing HUMINT assets sucks big time — see NYT article above. It’s just about risk management — go with whatever carries the smallest risk. It’s possible they’re financing Tor for the suckers out there, but are using something else themselves… Is that what you think is happening?
Interesting points, thanks for the feedback. I still hate ads, and I think most readers here do as well, so I don’t see that as a route to go down.
Regarding Tor, I’m not really sure, and I don’t want to speculate. What I found most interesting is the history and some of the Tor developers’ own admissions regarding close ties and cooperation with government agencies.
M Hayden, excellent ideas, thank you! However waaay too much to read through…takes a patient reader like me to not just TL;DR it. Maybe split it up into a few smaller comments next time….
Sven,
I’ve found the Comment threads on your site to be almost as helpful as the main content. Unfortunately, due to the scattered distribution and some very long comments (like the one I’m replying to now!) and SO MANY, it is hard to focus on the most helpful info and organize it mentally.
There are a few potential website design solutions you might use for this, such as M Hayden’s recommendation to “create an article like this about the setups you use…and then just link to _that_”
Another idea would be to add a “social feedback” prioritization feature to the Comment Section, as many websites do, so that readers can “Like”/”Dislike” comments, which could be ranked automatically and would display on the page in order of how Helpful readers found them. What do you think about this?
Another idea for Comments, Sven:
Can you add an option on your site’s search to search the comments (including user Names) (globally, not page by page as with Ctrl+F) ?
Oh yeah, also I totally agree with M Hayden about running very limited ads, as long as you follow a protocol to prevent any conflicts of interest with the advertisers. Seems like a good, pragmatic idea!
A basic question: does mitigating browser fingerprinting have any sens for users who don’t use Tor, or a VPN, or a proxy? What I mean is that if a user’s device IP is not spoofed that IP will always be his device’s signature, right? In which case mitigating fingerprinting is meaningless, or am I missing something?
I think the answer to that question would depend on many factors, and the adversary you are protecting your data from, but in general, yes, the IP address is probably the first and biggest consideration.
It must be these many factors I’m not aware of, Sven.
When you write that you prefer to use the word “mitigate” rather than “solve” (” because browser fingerprinting is a very complex and evolving issue.”) I understand that hiding cannot be a 100% guaranteed.
In other words fighting fingerprinting requires an armada of precautions on top of TOR/VPN to higher probability of success and is an analyst’s big laugh when a user’s IP address is not spoofed.
As I see it the best is still to avoid TOR/VPNs, let fingerprinting do its work, and clean regularly a browser’s traces. Not to mention acting on what is feasible and mainly cross-site information exchange.
Entropy spots a user. And a badly crafted anti-fingerprinting on top of a VPN is high entropy. I don’t know. There’s just something which bothers me when a project requires perfection and is otherwise worse than no project.
Hi Sven
Please test Aloha Browser,Aloha Browser lite and Aloha VPN as soon as possible i really need a full complete review for Aloh
Please respond as soon as you read this.
Could you please give us your personal step by step guide towards the privacy setup that you enjoy and satisfied with,if it’s not to much of a trouble.
thank you for your great work and help it is truly effectual.
Hello, I would definitely not recommend this. It’s an unknown browser, unknown developer, closed source, and offers a “free unlimited VPN”. All of these issues are red flags. The VPN part is a lie (it’s just a proxy), which could be used for data collection, such as with Opera’s “free VPN”.
With the new update 8.5 disabling Tor network cripples all internet connections. I’ve noticed in about:config the update made some changes to the settings such as the Remote DNS setting.
If you figure out how to make Tor work again can you give an update?
Thanks
Thanks Zucker, I’ll check this out and will update the guide soon. I no longer use the Tor browser.
Sven,
I got it to work now. The 8.5 update set to default most of the TOR NETWORK settings. Theres a few differences but its still pretty straighforward.
What do you use instead of TOR and did you make a switch because of convenience or do you no longer reccommend?
Well I’m currently using a handful of different browsers, mainly Firefox, Brave, Waterfox, and Iridium.
A good website to check for proof of concept is Device Info [https://www.deviceinfo.me/]. A lot of the information mentioned is on there, and there’s also sections that test for fingerprinting resistance detection, canvas fingerprinting detection (allowed or blocked or spoofed), etc.
One suggestion to add to a list such as this would be the default window size. For example, many suggest to not change the Tor browser window size. But what is that size exactly? As far as I know, it is sort of 1000 x 1000. but there are often some variations in that. You also have some browsers that save the window size last used and reopen to that size. This would be a great thing to prevent is set to do as such.
If you’re really interested in security and anonymity do not hesitate to use JonDonym browser.
Also, using a bootable device is must.
Good Luck.
The Spy
Hi Sven
I am having problems registering some sites in EU, i get kicked out 20mins after registration. I have tried VPN, SOCK5 ,RDP, EPIC browser, configuring firefox(ipconfig),multi-login. When i check whoer.net i get 100%, My question are;
1. there any settings you recommend?
2. browsers and add-ons
3. any suggestions for solving this problem?
Thanks
Great article, though I would mention that
“privacy.resistFingerprinting = true ” might disable google maps 3D for firefox users
hello sven, i have install epic browser and i think it is better than brave browser at least , is not?
brave: fingerprint protection do not work well , google search is defualt , ad and tracking block is not work well ( brave use tor network in private mode that better than epic proxy)
epic : fingerprint protection work great , do not use google , tracking protection use adblock and work fine also ( epic use your own proxy)
Hi Kevin, regardless of the browser fingerprinting results, I still would not use Epic. It’s based on Chromium, the developers are in India, and it’s closed source. They offer “encrypted proxies” that route your traffic through their servers in India and US. No thanks. This sounds like the “Opera free VPN” data collection scheme.
hi, i use tor with vpn (tor network disable)
can i install more addons (example translator or privacy badger) or it is decrease my privacy?
Hi Jim, modifications generally aren’t recommended with the Tor browser due to the risks of breaking or misconfiguring something, but you should be OK with a few reputable add-ons.
Don’t expect a VPN service that you pay a few dollars a month to save you , Capitalism has it’s short comings ” you will be sold out” It’s a Myth all paid VPN services are good , all free services are bad ! there are plenty of good activist services i would trust over most/all corporate VPN’s
Hi Sven,
Why would it be problematic to actually use the TOR Browser remaining connected to the TOR network AND using a VPN? Should the VPN not actually make up for any of the potential leakage that the TOR network might cause? THX
Hi, yes, you can do this, but it will be slow. There are two different ways to use Tor with VPN, discussed in the main ‘What is a VPN‘ guide.
Hi Sven, Please have a look at the this Chrome/Firefox Add-on that lets you leave almost no traces In your online Browsing.
It blocks tracking pixels, page ads, media requests, code requests (3rd party scripts and ping requests) and some more advanced blocking features.
https://absolutedouble.co.uk/trace/
Trace – Changelog & Roadmap – https://absolutedouble.co.uk/trace/information.html
There’s a basic version (Free) and a (Paid) premium version – the premium version supports further development of the extension and gives you access to a premium blocklist for a few dollars.
Because only PayPal is excepted, your name and PayPal email address is known when you buy Trace Premium due to how PayPal works.
Where ‘Trace’ protections runs (I’m on Slimjet and this is from the Trace extensions UI):
Canvas Fingerprinting Protection
Audio Fingerprinting Protection
Google Header Removal
E-Tag Tracking Protection
Ping Protection
Network Information API
getClientRects Protection
Hardware Fingerprinting Protection
Screen Resolution Tracking
JS Plugin Hide
WebRTC Protection
Cookie Eater
Referer Controller
User-Agent Randomiser
Battery API Protection
Proxy IP Header Spoofing
And in 4 settings sections Trace, Advance, Browser, Options.
–
Here’s some other test sites when I was reading through the Trace browser add-on/extension UI.
Test browser-fingerprinting using the AudioContext and Canvas API.
https://audiofingerprint.openwpm.com/
Demo – see if browser Protects against WebRTC Local IP Address Leaks.
https://diafygi.github.io/webrtc-ips/
– –
https://lucb1e.com/rp/cookielesscookies/
‘Mostly quoted’ – One thing I would strongly recommend you to do anytime you visit a page where you want a little more security,
is opening a private navigation window and using https exclusively.
In Firefox (and I think MSIE too) it’s Ctrl+Shift+P, in Chrome it’s Ctrl+Shift+N.
Doing this single-handedly eliminates attacks like BREACH (the latest https hack), disables any and all tracking cookies that you might have, and also eliminates cache tracking issues or ETag tracking as the Cookieless cookies.
– Cache tracking is virtually undetectable – if very paranoid, it’s best to just disable caching altogether.
This will will then stop any such tracking from happening, but I personally don’t believe it’s worth the downsides.
– – –
So how’s this for restoring ones privacy on top of just fingerprinting methods?
Thanks, I’ll check this out – it looks interesting.
Thanks Sven your the man that I trust for an opinion.
Trace has a good looking interface besides helpful info to each of setting it has, helping you know what’s to happen setting one.
I don’t normally use browser extensions, and ‘Trace’ appears to me like an installed program on the PC.
PS: forgot my / between “the this” in 1st sentence.
–
I’ve set all these setting options in their sections and it hasn’t negatively affected my browsing.
‘Trace Features’ – all 8 options Enabled.
‘Advance Features’ – 7 of the 8 Enabled, except for (JS Plugin Hide).
‘Browser Settings’ – all 5 protected settings are Enabled.
‘Trace Options’ – is more for the TRACE extension itself and the 1st three are Enabled.
Thank you Good Sir looking forward to your insights and thoughts.
This is an interesting News article from mid-year 2018.
[https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-fingerprinting-how-it-changes-game-sneakiest-web-trackers]
–
If you’d think about it computers, smart-devices and even some applications have a global settings menu that’s universal across the device at large. These all use the Internet most part …
The Internet being the one tool or network that allows computer networks around the world run by companies, governments, universities, and other organisations.
The Internet allows a good amount of commerce around the Worlds people and besides being used to talk to one another.
– The Internet should have a set standard in a universal understanding on privacy worldwide pertaining to the whole World’s sum in the use of it.
Where as in one nation or country with the best internet’s privacy legislations is applied across the whole sum of the Internet reach, so lesser restraints of/in privacy is influenced across the full Internet.
– – I’d guess like in an United Nations approach – so a United Nations Internet policy where it would be a global world wide rule as to covering all Internets users privacy.
All have the Internet’s use but, not all have a good defined users privacy in it’s use.
I have tried all the list of tools / methods above,
but my need as an online marketer that manages many accounts can only be achieved by using ndalang and a good proxy.
Sven…
A confused newbie question from this new user.
Re: Browser fingerprinting solution (Tor + VPN)
I d/l’ed Tor, following your instructions, I disabled the Tor network and get the ‘Something Went Wrong’ message whenever I load Tor. After loading Tor, I then load my NordVPN.
Problem… I cannot connect to the ‘dark side’ discussion groups or any Internet https sites??
Tor indicates “Firefox is configured to use a proxy server that is refusing connections”, yet my Firefox is setup to _not_ use a proxy.
How can this be corrected and what should I do?
Lastly…how can I send a donation…I don’t have any Bitcoins (yet),
but can use Paypal or my Thailand debit card?
Your site is the most informative one I’ve found, but maybe I just don’t have
enough computer knowledge to use some of it 😉
Thanks for any help you may provide to this frustrated user!
Hello, sorry for the delayed reply. I’m currently revising this guide. In your case I would recommend leaving the Tor browser bundle as is, and then using a modified version of Firefox (see this guide) for everything that you don’t need the Tor browser for.
Regarding donations, I’m currently looking into PayPal and other options, I should have that up soon.
Hi Sven, i’ve tried disabling the tor network – but then all i get is your connection is not secure. The solution to this seems to not tick the “no proxy” box? where am i going wrong?
Not sure to be honest. I am now using a modified version of Firefox, rather than the Tor browser.
What is the point please in using any addons to include RUA when their privacy policies state that they may access and store, glean anything on your pc they want to and share as well?
I am no longer using Random User Agent (RUA) and updated the comment above. Regarding your question, it all depends on the add-on you are using and if it collects any information. But as you point out, it’s important to do your research before installing anything because many free browser add-ons and extensions are indeed data collection tools.
Hey Sven,
How about you provide us with an in-depth Android guide? Mobile phones being insecure, there is a lot to consider – I’d like to hear your opinion. The lack of a Tor browser for Android make life soo difficult. I suppose one could use Orbot, except there is no way to use Orbot together with a VPN. That being said, I’d very much like to see your recommendation for a secure Mozilla’s setup for daily browsing.
I have opted to keep the fingerprint resist disabled (as it is by default) and installed Canvas fingerprint defender instead. Manually changed my language zone, installed an extension to change my time zone – in addition to the “industry standard” combo of decentraleyes, random ua, cookie auto delete, and audio context fingerprint defender. I just wish Firefox let me use containers on Android.
That being said, it is ridiculous how much effort one needs to put into their browser setup – a browser touted for taking privacy and security seriously. Ridiculous. Somebody, or something, needs to replace this ridiculous peace of garbage people have chosen to trust and rely on. The trust is unjustified; Mozilla is straying away from its initial promises.
Hey John, great suggestion. Yes, the whole browser fingerprinting issue is frustrating, completely agree.
You might want to check out Firefox Focus for Android – see here.
Hello Sven.
Greate article, and I like that you included the VPN.ac link on Firefox Tweaks at least in the comments =)
Came here from your article about Firefox privacy.
I think this is a little outdated, and regarding the browser fingerprinting itself, I found that tweaked Firefox provides better solution for that than Tor Browser. That being said, scientifically, there is nothing much that can be done against browser fingerprinting itself. Speaking of the browser add-ons, most browser fingerprinting test sites cannot track those. For example I’ve made a Firefox add-on configuration to include uBlock Origin with advanced user turned on, globally blocking 3rd party scripts and frames, HTTPS Everywhere and Privacy Badger, and those haven’t been detected.
Cheers.
PS: Thanks for actively supporting the blog up to date, though uBlock usually blocks around 32 requests on it =P
Hi Josh, great feedback, thanks. I’ll be doing some comparison tests between modified Firefox, the Tor browser, and also Brave in the coming weeks and will update this guide with the results and new information I’ve come across regarding fingerprinting.
Are my bookmarks and favorites a part of fingerprint ?
In general I think the answer is no, but it may depend on the browser you are using and fingerprinting technique. Also see this regarding the Tor browser and bookmarks.
I stay at Airbnb properties sometimes when I travel with wifi provided. This is the homeowner’s wifi. Is it possible to secure my laptop and files on wifi where the owner has the admin rights and the trust level is unknown? VPN secures my connection to the internet, but I’m looking at the first link – the connection to the private wifi. Any help is greatly appreciated.
Yes, this is the key problem with any WiFi that you do not control – whether it’s at an AirBNB, cafe, hotel, or airport. The best solution here is a VPN, which will establish an encrypted tunnel between your computer and the VPN server. This makes all your data and online activities completely unreadable. Without a VPN, the person controlling the network, or someone on the same network, could snoop on your activities, hack your accounts (man in the middle attack), or just easily record every website you visit by storing the DNS requests which are handled in clear text without encryption (when you aren’t using a VPN). So long story short, use a good VPN whenever you need to connect to an untrusted network.
Hello Sven,
Having problem with Tor now. I followed your instructions as of above and everything seemed ok.However something happened and now get message “Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item.” I think I somehow deleted it so I tried to reinstall and then do instructions above. Since you mentioned that Tor is just another version of foxfire, I thinking since I am using Foxfire, that could be part of my problem getting it to work with Express VPN??? I have it installed already (That is the Foxfire browser before I tried to use TOR.) Anyway I am now have trouble getting Tor to show up or work! Any suggestions.
Hi Steve, no I don’t think Firefox and the Tor browser are conflicting with each other, but it sounds like an issue with the Tor browser installation. My only suggestion would be a complete uninstall and then try installing it again. But as a backup, there are some tweaks and modifications you can do to standard Firefox that will really help with privacy. VPN.ac put this guide together which is pretty good.
Thank you Sven for the advice. I will definitely look at that guide. This is great information to have in this age of “big brother watching over us.”When I was in Air Force, the command I worked for was part of the military that worked with NSA. LOL It was quite different back then I believe. How times have changed.
Hello, first a big thank you for your articles. It helped me alot.
I was wondering if you would recommend using Tor for Android devices. The Orbot Proxy app has been developed by the same team.
Hi Martigar, I have not tested that out – not sure how well Tor would do on mobile devices.
What about Waterfox browser as an alternative to Tor?
Hi Joey, I’m not sure about Waterfox to be honest. I stick with the Tor browser as my go-to browser of choice when I want more privacy.
Thanks Sven. Tor browser is designed and built to use the Tor network. I know you adjust the settings with yours to prevent accessing the Tor network, but isn’t that a waste of time when all you need is a browser? What makes it better in your view than using, for example, regular old Firefox?
I want two levels of security, one for general day to day stuff (i like not to be tracked whatever i am doing, purely to obtain privacy) but another higher level if I am accessing sites or saying things I fear might get me watched etc, none of it illegal, but much of it “of interest” to the powers that be. For that higher level I am tempted to try the Tor browser route, just wondering how it is more private/secure than FF or Opera etc?
Hi Joey, to see exactly how the Tor browser benefits you, I’d recommend running two browser fingerprinting tests (and here’s another one):
First, run the test with a VPN using regular, plain Vanilla Firefox, and notice all the information about your system that can be identified and used to track you.
Then, run the same test using a VPN and the Tor browser.
You’ll notice a big difference.
Once you setup the Tor browser settings, you’ll be good to go. Just open it up and use it like any other browser. When you close it, it will automatically delete all cookies, history, etc. It is great if you want a higher level of privacy, like you mentioned, but it may be overkill for everyday use with all sites.
Thanks Sven, yes I had already been scaring my pants off by looking at those fingerprint checkers you mentioned! I am CRAZY unique, using very old OS, old version of browser, and some weird and rare (0.01%) extensions, so I am basically identifiable down to one person on the planet. I get the point about not wanting a browser footprint etc, just wasn’t sure if you could achieve the same thing without Tor browser. If I am honest, I trust nobody, and I get the feeling downloads of Tor browser alone could be enough to get you tracked or noticed, whereas downloading FF and adjusting settings yourself could be a more discrete way of doing the same thing? I am asking, not telling, I really don’t know, but I wondered what your thoughts were on this in principle.
P.S. I was tempted to install Tails OS, but again, just downloading that surely has to flag somewhere, so will stick with hiding “in plain sight” in some ways, but doing as you say otherwise with the most common tools available.
Hi Joey, we’re probably all on some list somewhere 🙂 I’m not going to sweat it. There are many people using the Tor browser (with and without the Tor network), so I think this is a good option. If you want to go the Firefox route with adjustments/tweaks, VPN.ac created a guide for that, although it may be a bit outdated since it was published back in 2015.
I tried TOR browser with Perfect Privacy as you suggested, and the browser would not work even on the public library site. Even on the Perfect Privacy site results were not rendered for the CHECKS because JavaScript is needed.
The Tor browser can be a bit tricky, but if you set it up following the steps above, everything should work correctly. I just checked the Perfect Privacy IP leak test – worked fine (screen shot). Then I checked some random public library in the UK – working fine (screen shot).
The problem after disabling Tor Network is that Tor browser’s screen size will no longer remain its standard size 1000×600. The screen size after disabling Tor Network will be dependent on your PC/Laptop screen size. Mine is 1000×500 after disabling Tor network.
So the question is: how to automatically resize your changed screen size to Tor standard screen size of 1000×600 ?
Is there any way to do that without having to install additional Add-on which will only make your Tor Browser unique ?
Hi Hans, when I open the Tor browser, it opens to the default (standard) size. In other words, if you don’t maximize or modify the screen size, you shouldn’t have any issues. I just tested this on Mac OS (Sierra) and Windows (Windows 10).
When I open the browser it opens every time on the same resolution, but it’s not what it should be. A friend has the same issue.
Hi Taylor,
I see you replied to ‘Kevin’ above that a good solution for keeping away from government or google listen is to use a VPN on a router.
What do you mean by that ?
Saying router, did you mean a Wifi router? and does the router have to be a special-designed one to use in conjunction with a VPN?
Does using a VPN on a router need any extra configuration ?
Is there any previous article written about how to use a VPN on a router?
I have a Wifi router which is provided when my Internet Service Provider’s staffs came to install my Wifi for me and I have used it for 2 months now. Are purchasing a VPN service and connecting to its network all what I have to do next ?
Hi Hans, check out the VPN Routers guide for more info. 🙂
Hi, Sven
I’m happy to meet someone cares privacy and didn’t know scary from google, yahoo or microsoft selling my data. I wish knew about this when I was younger. 28 M California
What should the first step for keep away from government or google listen or sell my data. Can you send me link so I can protect my family.
Hi Kevin, one good solution is to use a VPN on a router. This will protect your entire network and all family members that connect to it. See this guide.
I appreciate it so 2nd, 3rd step or etc what else do I need to do like new email or internet browsers I want to be a ninja lol jk everything to be away from government/3rd party.
Hi Kevin, check out the Privacy Tools article or the Online Privacy guide, which includes a checklist.
I own a router already netgear 1900 nighthawk
Hi Kevin, that is a good router to use with a VPN.
So I check review for flashrouters have some pros and cons review on their website. This person location where he shipping from looks like his parents home. Should I be suspicious or what should trust them.
Hi Kevin, there are indeed mixed reviews regarding Flashrouters’ support. However, it is a well-established business that has been around a while – not a random dude in a basement 🙂 They also have a 30 day money-back guarantee if you aren’t happy with the product/service.
My netgear R7000 be good for gaming when I install vpn?
Hi Kevin, the Netgear R7000 has a 1 Ghz CPU, which is on the higher end for performance. Nonetheless, you will usually experience a performance drop when using a VPN on a router when compared to using a VPN on your computer. Therefore, a VPN on a router will generally be more suited for privacy/security than performance and gaming. But give it a shot and see what works best.
Again sorry to ask you alot of questions I’m just want to have privacy. I don’t used vpn or using google browsers. Is my info is expose already or if still have time to protect myself and my family.
I wouldn’t stress too much Kevin. Because you are here researching VPNs, you are already ahead of most people. Better late than never with online privacy 🙂
Unfortunately Tor Browser is very-very uncomfortable for daily work. He has a small window that they forbade to enlarge. There is no normal work with bookmarks, cookies are not saved.
What do you think about Firefox Portable?
Yes, you are correct – Tor Browser may not be the best option for daily work. However it’s a great alternative whenever you want more privacy. Additionally, you can enlarge the window (although they recommend not to) and you can definitely use bookmarks. Firefox Portable looks interesting.
Standard Firefox with some basic privacy add-ons and tweaks may be your best bet for daily work.
Hi Sven, congratulation for this amazing site! I’ve been trying to do what is written here but I found this problem: “no proxy” ok, about:config steps (5-7) ok, but when i put an address, like ex. https://www.iplocation.net/ , i get this message: “Your connection is not secure – The owner of http://www.iplocation.net has configured their website improperly. To protect your information from being stolen, Tor Browser has not connected to this website. ” I should add an excepiton for ANY website?? Thanks a lot
Hi Mauri, I just checked and your links load fine in my Tor browser.
See this Firefox thread, for potential causes and solutions.
Hi Sven. Thank you for your blog.
I tried your settings with last version of the Tor Browser, its work but they are not saved when the browser is closed. I found in the internet a recommendation to disable TorLauncher and TorButton extensions. Is it right?
In this case we can disable Tor in a simpler way (without about:config settings):
1. Go to Menu > Options > Advanced > Network > Settings
2. Uncheck “Proxy DNS when using SOCKS v5”
3. Select “No proxy”
4. Press OK
5. Go to Menu > Add-ons
6. Disable TorLauncher
7. Disable TorButton (I think this is not necessary actually)
8. Click “Restart now”
Is it right?
Hi Avi, thanks for bringing this up, I’ve been too busy to investigate it. You are correct – just disabling the TorLauncher add-on solves the problem. Now all settings are saved when you close out and re-open Tor.
Hi.
I don’t understand the need to disable the Tor network. Don’t you mind to elaborate?
Thanks
J.
Hi Jack, you don’t need to disable the Tor network, but with the disadvantages of Tor – namely slow speeds, leaks, and malicious Tor nodes – you may want to do that.
Hello sven this site is great! , congratulations! , I have a question, I disable the tor network but now when I open tor says: “The proxy server is refusing connections, Firefox is configured to use a proxy server that is refusing connections.
Check the proxy settings to make sure they are correct.
Contact your network administrator to make sure the proxy server is working.
What should I do? Thank you.
Hi Jack, thanks. You may need to just agree or click through some popups during the initial setup, because it is trying to use the Tor network. But you shouldn’t get this alert after you select “No proxy” under Preferences > Advanced > Network > Settings > “No proxy” > OK. Then to use the Tor browser without the Tor network, follow the About:Config steps in the article (5-7).