[ef2k]

A few years ago, intentionally fingerprinting or tracking your users without disclosure was spyware and unethical. Alas, here we are.

Anyway, what they're calling "spectroscopy", is a combination of extension probing and doing residue detection (looking for what extensions might leave behind in the DOM).

An ad blocker is not necessarily equipped to help since the script is embedded with the application code. Since they're targetting Chrome, switching browsers will help with the probing but not the detection part and you'll still be fingerprinted.

The only way forward is for browser vendors to offer a real privacy or incognito mode where sites are sandboxed by default. When the default profile is identical across millions of users there won't be anything unique to fingerprint.

[tombert]

It's the typical Microsoft playbook, where they release a product and convince everyone that it has to be used everywhere, and by the time people realize how unbelievably terrible the product is it's too late and it has entrenched itself everywhere.

They've run this experiment before; Windows is terrible and has been for a very long time, Microsoft Office is terrible and has been for a very long time, Sharepoint is terrible and has been for a very long time, LinkedIn is terrible and has been for a very long time, etc.

It's what they do, there is not a single thing that Microsoft does not half-ass, because all they focus on is getting embedded into places, and that does not require that any of their products be good.

[varenc]

> A few years ago, intentionally fingerprinting or tracking your users without disclosure was spyware and unethical. Alas, here we are.

For over 15 years reCAPTCHA has relied on browser fingerprinting to help distinguish humans from bots. And fingerprintjs.com has been around for well more than a couple years.

That said, sniffing the browser extensions someone is using is NOT a common fingerprinting method used by my examples, but just saying fingerprinting itself without explicit disclosure has been around for quite a long time. It happens on literally every CAPTCHA service. I hate it of course, but the ship sailed a long time ago.

--

I like this demo for testing my browser's resilence against fingerprinting: https://fingerprint.com/demo/

[purplehat_]

Have you (or anyone reading this) been able to "beat" fingerprint.com without Tor or turning JavaScript off outright?

I've tried it various times over the last couple years, using different browsers with various privacy settings enabled and a VPN.

I can get good partial results and am able to reset my fingerprint by changing my OS and browser at the same time, so it's not entirely there with regards to sniffing the hardware. But I can never revisit the site and have it not recognize me. Is there no one but me using (for example) Debian testing Librewolf with resistFingerprinting on Proton VPN? If there are others, then resistFingerprinting is doing a bad job hiding my hardware.

That's depressing! Despite our genuine best efforts, enough identifiers leak that it seems to me there's no practical solution. I am genuinely at a loss for what we can do.

(If you're reading this and think it doesn't matter, it's possible you're not realizing that this means that any site collecting and storing these identifiers now will be able to talk to any site in the future and link your identity. Your past actions on every website on a given piece of hardware are liable to be linked to create a detailed profile in the future, so even if Reddit and Pornhub and Discord and the government aren't talking to each other now, you can put some decent probability in the fact that if they decided to share identifiers, they could link all your historical (signed out) activity to your real-world identity without much effort. I use those sites as examples because they're sites where people tend to generate information that they may want private, but they visit using the same hardware identifiers.)

[varenc]

It is depressing how robust it is!

I can beat it, but only be changing my IP. Since I'm not using a shared IP like a university/company might, my IP is giving them a lot of bits about me since I'm the only entity using it... No matter the browser switch, if I hit it from the same IP, it correctly assumes that my IP is still me. But the moment I switch to a different browser and change IPs I get a new fingerprint. Haven't dug deep on it though, like would an incognito window in Chrome on a new IP, have the same fingerprint as a non-incognito Chrome window on another IP? Not sure

I would love to play around with that fingerprint demo while on a large shared IP, where they the IP itself provides less signal and is less unique.

[jwally]

Fingerprint (and its ilk) use a tiered identification system to identify you, with a decrease in confidence with each step down.

They start with a supercookie approach (first-party cookies, third party cookies, indexdb, localstorage, session storage, favicon timing, etc) which is a direct look up, and unique. This is tier-1.

Next they slam as many signals as they can get your browser and network to cough up into an ML db and find your nearest neighbor. If its greater than threshold ${x} - they return its ID with a confidenc of say 85%

If that misses, they slide down to tier 3 which is your IP address plus some browser signals on a TTL so they don't just call everyone with your IP address "you". This is maybe say 50% confident.

Below that, they create a new record.

If you want to beat it - tbh - Safari, especially on IOS is a monster. Most people with an iPhone default to it, and they remove their biggest entropy signals (offlineAudio, canvas profiling), so they're left with almost nothing to work with that is really unique.

Fingerprint _really_ pushes merchants to reverse proxy their services so that they can serve cookies as first party and Apple doesn't nuke them after 1 week. Its complicated and most merchants don't want to diddle with it - but it circumvents adblockers (ps - use an adblocker and call out fingerprint specifically if you want to hit them. LLM to see who else you need to include).

After that, if you're on Apple, use their Apple-VPN service (forget what its called) - which exists _literally_ for this.

[wraptile]

It's definitely possible to bypass fingerprinting (just take a look at countless web scraping services that manage to do that) but consumer browser actively reject this.

If I were to wear a tin-foil hat I'd say that fingerprinting is a spyware feature not a bug but it can also be explained by the fact that current web market relies on fingerprinting too much thus blocking adoption of anti-fingerprinting features. Firefox half-ass tried to but now all the anti-fingerprint features are hidden deep in the about:config somewhere because people rather see less captchas than have privacy.

Unfortunately, there's no way to patch fingerprint ressistance into a compiled browser and even then nobody actually wants this because then cloudflare won't let you visit any web page.

The only way to get anti-fingeprinting would be to force it on everyone so that the tools that rely on it would be forced to respect the user. Considering that 2 major browsers are owned by mega corporations and 3rd one by a leech that just exists to leech billions from the first two we'll never actually defeat web fingerprinting until something absolutely catastrophic happens forcing everyone to start paying attention.

[pamcake]

Yes!

At least for now. Tried many browsers and Mullvad Browser and Konform Browser are the only two that I managed to beat them with. They both enforce bundled set of fonts like Tor Browser. Firefox and other forks are fingerprintable via variations in font rendering due to system fontconf or fonts differing.

[pixelmelt]

I've been getting into making and breaking these antibots recently and it's funny to me how the person who wrote this post gave so much attention to what LinkedIn was doing and left the other antibots on the page as a footnote. They grab way more, they just don't let you see it. I haven't reversed PX or Recap yet but the antibot on twitch and Nike similarly checks if you have any of these 53 apps installed (when loaded on a WebKit browser) https://pastebin.com/raw/KACvjpTK

[mosquitobiten]

this should lead to the browser be the one doing human or robot user check, is that possible?

[Neikius]

By GDPR this is illegal. But I assume no action will be forthcoming