by varenc 74 days ago
It is depressing how robust it is!

I can beat it, but only by changing my IP. Since I'm not using a shared IP like a university/company might, my IP is giving them a lot of bits about me since I'm the only entity using it... No matter the browser switch, if I hit it from the same IP, it correctly assumes that my IP is still me. But the moment I switch to a different browser and change IPs I get a new fingerprint. Haven't dug deep on it though, like would an incognito window in Chrome on a new IP have the same fingerprint as a non-incognito Chrome window on another IP? Not sure.

I would love to play around with that fingerprint demo while on a large shared IP, where the IP itself provides less signal and is less unique.

1 comments

Fingerprint (and its ilk) use a tiered identification system to identify you, with a decrease in confidence with each step down.

They start with a supercookie approach (first-party cookies, third-party cookies, IndexedDB, localStorage, sessionStorage, favicon timing, etc.) which is a direct lookup, and unique. This is tier-1.

Next they slam as many signals as they can get your browser and network to cough up into an ML db and find your nearest neighbor. If it's greater than threshold ${x} - they return its ID with a confidence of say 85%.

If that misses, they slide down to tier 3 which is your IP address plus some browser signals on a TTL so they don't just call everyone with your IP address "you". This is maybe say 50% confident.

Below that, they create a new record.

If you want to beat it - tbh - Safari, especially on iOS, is a monster. Most people with an iPhone default to it, and they remove their biggest entropy signals (offlineAudio, canvas profiling), so they're left with almost nothing to work with that is really unique.

Fingerprint _really_ pushes merchants to reverse proxy their services so that they can serve cookies as first party and Apple doesn't nuke them after 1 week. It's complicated and most merchants don't want to diddle with it - but it circumvents adblockers (ps - use an adblocker and call out Fingerprint specifically if you want to hit them. LLM to see who else you need to include).

After that, if you're on Apple, use their Apple-VPN service (forget what it's called) - which exists _literally_ for this.
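
A minimal model of the tiered matching described in the comment above, added here as an illustration; it is not part of the thread and not Fingerprint's code. The threshold, TTL, tier-1 confidence, similarity measure and the choice of `platform` as the tier-3 browser signal are assumptions, and the observations are constructed. It shows why a browser switch on the same IP still resolves to the same visitor while a browser switch plus an IP change creates a new record.

```python
import itertools

# Constructed values: the comment only says "say 85%" and "maybe say 50%";
# the threshold, TTL and similarity measure below are assumptions.
SIM_THRESHOLD = 0.8
IP_TTL = 7 * 24 * 3600  # seconds

class TieredIdentifier:
    def __init__(self):
        self.records = {}  # visitor_id -> {"signals", "ip", "seen"}
        self._next = itertools.count(1)

    @staticmethod
    def similarity(a, b):
        """Fraction of signal keys on which two observations agree."""
        keys = set(a) | set(b)
        return sum(a.get(k) == b.get(k) for k in keys) / len(keys) if keys else 0.0

    def _touch(self, vid, ip, now):
        self.records[vid].update(ip=ip, seen=now)
        return vid

    def identify(self, stored_id, signals, ip, now):
        """Return (visitor_id, confidence, tier); tier 0 means a new record."""
        # Tier 1: an identifier persisted client-side is a direct lookup.
        if stored_id in self.records:
            return self._touch(stored_id, ip, now), 1.0, 1
        # Tier 2: nearest neighbour over every collected signal.
        scored = [(self.similarity(signals, r["signals"]), v)
                  for v, r in self.records.items()]
        if scored and max(scored)[0] >= SIM_THRESHOLD:
            return self._touch(max(scored)[1], ip, now), 0.85, 2
        # Tier 3: same IP inside the TTL plus one coarse signal (platform).
        for vid, r in self.records.items():
            if (r["ip"] == ip and now - r["seen"] <= IP_TTL
                    and r["signals"].get("platform") == signals.get("platform")):
                return self._touch(vid, ip, now), 0.5, 3
        vid = f"v{next(self._next)}"
        self.records[vid] = {"signals": dict(signals), "ip": ip, "seen": now}
        return vid, None, 0

# Constructed observations: two browsers on one machine.
CHROME = {"ua": "Chrome", "canvas": "c1", "audio": "a1", "fonts": "f1", "platform": "macOS"}
FIREFOX = {"ua": "Firefox", "canvas": "c2", "audio": "a2", "fonts": "f2", "platform": "macOS"}

if __name__ == "__main__":
    t = TieredIdentifier()
    print(t.identify(None, CHROME, "198.51.100.7", 0))    # first visit
    print(t.identify(None, FIREFOX, "198.51.100.7", 60))  # other browser, same IP
    print(t.identify(None, FIREFOX, "203.0.113.9", 120))  # other browser, other IP
```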