Plug Leaks Block Fingerprinting

Browser Plugs is the solution for Browser Leaks

Test your browser settings and find out what uniquely identifying information you may be exposing. Plus learn what the real device fingerprinting companies are doing that not one single free public fingerprinting test will ever show you!

https://browserleaks.com/javascript

What’s good about BrowserLeaks.com/javascript? It shows the basic, common properties. The most powerful are ‘div.clientWidth’ and ‘div.clientHeight’, because they are obtained by creating a new random div element at 100% width and height and measuring it, without ever reading browser properties. That is harder to fake, and a solution is in the works for an upcoming version of the Browser Plugs extensions. More important is making sure we are protecting you against real modern fingerprinting that you CAN’T yet test for on these public fingerprinting test websites!

What’s bad about BrowserLeaks.com/javascript? Real device fingerprinting scripts use almost none of the functions on that page, and neither do any others as far as I could tell. So, even though having well-protected JavaScript properties showing on this page is a good start, it sadly won’t give you even the slightest idea of how protected you really are against actual threats.

Browser Resolution and Window Size differences: Browser Leaks uses width, height, availWidth, availHeight, pixelDepth and colorDepth, none of which the major companies are using in modern active fingerprinting scripts. These companies use alternative, sneakier methods that many spoofing and privacy extensions would forget to fake. Common properties that device trackers use but that aren’t shown on fingerprint testing websites include: screen.deviceXDPI, screen.deviceYDPI, screen.logicalYDPI, screen.fontSmoothingEnabled, screen.bufferDepth, document.documentElement.clientWidth, document.body.clientWidth, window.outerHeight, SomeRandomCreatedElement.offsetWidth, document.body.scrollLeft.

Some of the other important differences:

Browser Language Differences
Browser Leaks only checks navigator.language and navigator.languages, so that is all most extensions would think they need to spoof. Real fingerprinting scripts try a number of alternative ways to get the real settings from your browser, which definitely include:

  • navigator.systemLanguage
  • navigator.browserLanguage
  • navigator.userLanguage
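
A self-audit for the screen and language properties listed above, as an added example that is not code from this page or from the Browser Plugs extensions: it reports where commonly spoofed values are contradicted by the alternative properties. The function name `auditSpoofCoverage` and the sample object are hypothetical, and the size comparison is a heuristic.

```javascript
// Added example. `win` is the real `window` in a browser; a constructed stand-in here.
const LANGUAGE_ALTERNATIVES = ['systemLanguage', 'browserLanguage', 'userLanguage'];
const LEGACY_SCREEN_PROPS = ['deviceXDPI', 'deviceYDPI', 'logicalYDPI',
  'fontSmoothingEnabled', 'bufferDepth'];

function auditSpoofCoverage(win) {
  const findings = [];
  const nav = win.navigator, scr = win.screen, doc = win.document;
  const same = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

  // Language: every alternative that is present must agree with navigator.language.
  for (const prop of LANGUAGE_ALTERNATIVES) {
    if (nav[prop] !== undefined && !same(nav[prop], nav.language)) {
      findings.push(`navigator.${prop}=${nav[prop]} contradicts navigator.language=${nav.language}`);
    }
  }
  if (Array.isArray(nav.languages) && nav.languages.length > 0 &&
      !same(nav.languages[0], nav.language)) {
    findings.push(`navigator.languages[0]=${nav.languages[0]} contradicts navigator.language`);
  }

  // Legacy screen properties that are still readable are extra surface to cover.
  for (const prop of LEGACY_SCREEN_PROPS) {
    if (scr[prop] !== undefined) findings.push(`screen.${prop} is exposed (${scr[prop]})`);
  }

  // Heuristic: layout-derived sizes should fit inside the reported screen.
  const measured = [
    ['document.documentElement.clientWidth', doc.documentElement.clientWidth, scr.width],
    ['document.body.clientWidth', doc.body.clientWidth, scr.width],
    ['window.outerHeight', win.outerHeight, scr.height],
  ];
  for (const [name, value, limit] of measured) {
    if (typeof value === 'number' && value > limit) {
      findings.push(`${name}=${value} exceeds the reported screen size ${limit}`);
    }
  }
  return findings;
}

// Constructed sample: screen.* and navigator.language are spoofed, the rest is not.
const partlySpoofed = {
  navigator: { language: 'en-US', languages: ['en-US'], userLanguage: 'de-DE' },
  screen: { width: 1366, height: 768, deviceXDPI: 120 },
  document: { documentElement: { clientWidth: 1903 }, body: { clientWidth: 1903 } },
  outerHeight: 1040,
};
console.log(auditSpoofCoverage(partlySpoofed).join('\n'));
```

In a browser console, `auditSpoofCoverage(window)` runs the same checks against the live profile.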

Time and date differences + plugin differences
Browser Leaks checks new Date(), Intl.DateTimeFormat(), new Date().toLocaleString() and new Date().toLocaleFormat(), but plenty of other methods are being used to check for the real date and time even if those properties are spoofed. Those that have been observed include:

  • getTimezoneOffset, jan.getTimezoneOffset(this.getFullYear(), 0, 1);
  • Date.prototype.toNDJSON,
  • this.getUTCFullYear, this.getUTCMonth, this.getUTCDate, this.getUTCHours, this.getUTCMinutes, this.getUTCSeconds, this.getFullYear
  • ((new Date).getTime,
  • Date.now,
  • Math.random().toString(36).substr(2,16)+a.getTime().toString(36)}
  • b-A.time,
  • pos:G,time:h, gmtHours--;timestamp instanceof Date
  • f("time-local",a.toLocaleString(), time-tz-dst-active, time-tz-fixed-locale-string, time-tz-has-dst
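
A check for the mismatch this list implies, as an added example that is not code from this page or from any script it quotes: the zone reported through Intl is compared with what getTimezoneOffset returns for a January and a July date. The function names, the probe year and the sample offsets are assumptions made for the illustration.

```javascript
// Added example. Offset in minutes that the IANA zone `zone` has at `date`,
// using the sign convention of Date.prototype.getTimezoneOffset().
function expectedOffset(zone, date) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone: zone, hourCycle: 'h23',
    year: 'numeric', month: 'numeric', day: 'numeric',
    hour: 'numeric', minute: 'numeric', second: 'numeric',
  }).formatToParts(date);
  const p = {};
  for (const { type, value } of parts) p[type] = Number(value);
  const wallClockAsUtc = Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second);
  return Math.round((date.getTime() - wallClockAsUtc) / 60000);
}

// Compares the zone the Intl API claims with what `offsetOf(date)` returns for a
// winter and a summer probe date (the January/DST pattern in the list above).
function auditTimezone(claimedZone, offsetOf, year = 2024) {
  const probes = {
    january: new Date(Date.UTC(year, 0, 1, 12)),
    july: new Date(Date.UTC(year, 6, 1, 12)),
  };
  const findings = [];
  for (const [label, date] of Object.entries(probes)) {
    const expected = expectedOffset(claimedZone, date);
    const observed = offsetOf(date);
    if (observed !== expected) {
      findings.push(`${label}: getTimezoneOffset=${observed}, but ${claimedZone} implies ${expected}`);
    }
  }
  return findings;
}

// In a browser, audit the live runtime with:
//   auditTimezone(Intl.DateTimeFormat().resolvedOptions().timeZone, d => d.getTimezoneOffset())
// Constructed sample: Intl is spoofed to New York, Date methods still report Berlin.
const berlinOffsets = (d) => (d.getUTCMonth() === 0 ? -60 : -120);
console.log(auditTimezone('America/New_York', berlinOffsets).join('\n'));
```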

https://browserleaks.com/webrtc

What’s good about BrowserLeaks.com/webrtc? This shows multiple privacy risks that can be exposed by WebRTC. There is Local IP Address, which might never change and could potentially be quite unique. It also shows unique device IDs for cameras, microphones, and media devices that could be giving trackers and fingerprinting javascript an instant and reliable way to track your device with 100% accuracy.

https://browserleaks.com/fonts

What’s good about BrowserLeaks.com/fonts? This combines 3 different font fingerprinting methods on one page. One is Glyph fingerprinting, which was harder to protect against until our recent Chrome extensions; these took a lot of research, time, and experimenting to develop in a way that protects against Glyph fingerprinting and supports font white lists of any size. Previously, this was limited to Firefox white list settings, and only a maximum of 10 fonts or so could be on that list. That doesn’t create realistic lists like our Windows 10 Default Installation standard font lists, which only allow normally included fonts to be detected, for a fingerprint that isn’t so unique. Plus, our extensions don’t even change the look of the page or mess with the actual page fonts used. You won’t even know it is running, but it will be protecting you the entire time. Fonts are something that all of these fingerprinting companies are using, and I would like to publish an actual real font list [Real Font List For Fingerprinting] of what a major commercial device fingerprinting service uses. The only bad thing about BrowserLeaks is that they are using a public generic font list and not a real advanced one that real companies use.

https://browserleaks.com/canvas

https://panopticlick.eff.org/

https://amiunique.org/

https://browserprint.info/

https://audiofingerprint.openwpm.com/

Note that these tests offer virtually no insight into what real websites are capable of with their commercial fingerprinting services.

I have spent months (or years) researching what real techniques are being used online, by collecting suspicious and obvious fingerprinting scripts from all industries including:

  • Ecommerce for online shopping and services
  • Ad-powered free services like search and e-mail
  • Advertisers and big personal data sellers
  • Operating systems including extreme levels of tracking built into Windows 10
  • News content from online newspapers and blogs
  • Entertainment, gossip, videos, and stories
  • Services such as restaurant delivery and groceries
  • Hospitality and travel including hotel websites, travel agencies, and airlines
  • Social networks, especially the most popular (Facebook, Instagram, Twitter)
  • Internet Services including web hosting, build your own websites, and shopping cart software
  • Mobile games, apps, and smart phone targeted content

Some interesting finds to share and research:

  • Unique way to detect if you are using a proxy by tricking your browser, used by MasterCard
    It appears to deliberately request a non-existent fake image URL on a random port over Ajax, and to determine whether the browser is behind a proxy or on a real IP by measuring the ping time for loading this fake image.
    var url = document.location.protocol+"//"+ ip + ":" + getRandomPort() + '/NonExistentImage' + getRandomPort() + '.gif';
    ProxyCollector.doAjaxViaImage(returnFunction, url);
    request = new window.XDomainRequest();
    _timer = new Timer();
    request.open("GET", url, true);
    request.send();
    ProxyCollector.doAjaxViaImage(returnFunction, url);
    ProxyCollector.doAjax(ProxyCollector.externalIP, ProxyCollector.setExternalPingTime);

Project that is being implemented into Browser Plugs Privacy Firewall Extension:

Ability to overwrite functions and variables to force fingerprinting scripts to treat you better, give you a new unique ID, or remove personally identifiable information before it is saved. That extension has implemented this technique on Browser Leaks and Panopticlick as a way to see what is possible and to have the engine and framework built-in to start implementing real-world uses.

Examples of possible functions to override:

  • encode_deviceprint
  • nds.common.bi.getHTML5CanvasSignature
  • self.dom_data.collection_status = DomDataCollection.Fail; or self.dom_data.collection_status = DomDataCollection.Partial; forced to overwrite as self.dom_data.collection_status = DomDataCollection.Success;
  • all_collection_failure || any_collection_failure || true; forced to overwrite as any_collection_failure = false;
  • var isFirst = true; to var isFirst = false; (or vice versa depending on benefits)