been using Tor browser for a long time and really like it, but for some things I don’t use it, because it is not fast enough and I don’t want to “steal” bandwidth from others, for example for watching videos. I am a bit into fingerprinting protection, and couldn’t find a good solution to resist fingerprinting while not using Tor. Since fingerprinting protection is an essential part of Tor browser, I assume that some people here are knowledgeable in that area and can give some advice. There are a few solutions I have in mind, all of which I would use in combination with a VPN, but I am not really convinced by any of them, especially lacking bigger real-world studies with advanced fingerprinting techniques.
1. Just use the most widely used OS and browser (Windows 10 and MS Edge) without modifications and hope that there are enough people with the same device, OS, browser, drivers, libraries (fonts etc.), language, timezone, settings and extensions. I wouldn’t change settings or install extensions in this case, just delete browser data after use.
2. Use Tor browser without Tor (is easily modified by placing two config files into the Tor browser folder, with just a few lines of code). But how many people do this? If only a few do this, I could be tracked, because of the lacking exit node IP, even though my browser fingerprint would be in the Tor users crowd.
3. Use Brave browser with fingerprinting and tracking protection in strict mode. Not sure how good their fingerprinting and tracking protection is tbh. They definitely lack some things, like fonts, language and timezone protection; for others I don’t know how well they are implemented. A pro of this solution is that I have to change only two browser settings and I guess that a lot of people set them to strict anyways.
4. Use Firefox Release with arkenfox user.js (has FPI and RFP enabled) and uBlockOrigin in medium mode. Has really good settings and blocking capabilities, but even though it is the most popular user.js, the absolute number of people using it is not that high (I assume), and a lot of people will modify it or install different extensions, so I will be in a small group.
5. Use Firefox with some other configuration (e.g. only change to ETP and RFP). Again the problem: how many people will use this configuration?
So the question comes down to:
1. How much of trackers/fingerprinting scripts come through, in case of using an ad/tracker blocker?
2. Which features can then be exploited and how much information can be gained from it?
3. Is the information shared with 3rd parties to establish cross-site linkability?
4. How many other browsers share the same information exploited under 2. and how persistent are these features over time?
Brave apparently gives a random fake fingerprint for every site. How come Tor doesn’t have this option? I know it wants everyone to look the same but if the way we are all viewed is spoofed anyway it would be irrelevant as they wouldn’t truly have our fingerprint ID.
I run Tor Browser 11.0 on Linux Mint with the Security Level on Safer. My fingerprint is 483f464b and I signed it like this so it is easier to recognize for myself: Tor Browser on Linux Mint. Unique phrase: thee-trouble-recognize
It would be interesting if you people could do this little experiment and reply with the fingerprint ID you get. Should the fingerprints all be different, we might be able to find out where they are different, to suggest improvements to Tor Browser’s fingerprinting resistance. But either way, I think it would be interesting.
I got 9799722b and I also run Tor Browser on Linux Mint.
Since the website is telling me that I already visited 7 times and the first time over a month ago, I doubt it is able to do much. Apart from guessing Linux and Firefox correctly, none of the other information I can see on this site about my computer is correct (timezone, screen, CPUs, GPU etc).
Wouldn’t it be better to just petition for a law that makes all this needlessly intrusive shit illegal? When was the last time a terrorist got caught because of browser fingerprint? I did see an app on F-Droid a while back which lets you configure your own user agent, you choose what OS the site will see so it doesn’t match your real OS.
Hi @raglegumm welcome to the Tor Project forum & thanks for sharing about JShelter.
I’ve just tried it out & I think it could be especially useful for people who are new to the Tor Browser & also provide a helpful insight for those who need to be especially mindful of how their connections are observed by any potential overseers, in situations where the risks are perhaps greater for whatever reason.
As @Nameless suggests perhaps one day JShelter might be integrated into TB?!
Tor doesn’t need anything like this, the tb browser fingerprint is already standardized across as many users as possible.
JShelter just provides minor defense against fingerprinting, but that may fall short too. For example, two colluding websites can send a user with unique referrer links (happens all the time, like Twitter’s t.co) and then they can see your browser is lying. The EFF’s fingerprinting test site really just gives you a false sense of security, because you only need one unspoofed fp vector to be completely unique. Epheremal posted the CreepJS link, which is a good example of how invasive JS is, and CreepJS is meant to unmask lying browser extensions, which is really easy. Another example of JS completely nullifying these sorts of extensions is TorZillaPrint, which has a whole host of fp vectors that JShelter does not cover, and it is even possible to fingerprint users via CSS, which I have yet to see any anti-fp extensions for.
I’m curious how well Tor is able to resist fingerprinting
I think you are underestimating how much work the tb devs actually put into tb. They have gone through almost every single api in the browser that could leak data in any way and applied patches to them. Actually give the tp design doc a read and it’s fascinating how they have mitigated fingerprinting.
After reading the actual JS that many anti-fp addons use, and checking how many fp vectors there are, I’m convinced that Tor is the only sensible fingerprinting defense besides using Windows 10 on Chrome, but then that has WebGL / canvas / etc. leaks making it unique among a billion others.
We don’t know because threads run on with nobody being made aware. It’s a difficult center to look out from: is our biggest threat going to come from fingerprinting, traffic analysis or some zero day? There are so many points of attack and failure that surely at least one must be unknowingly open; the ability to scrape passwords through exit nodes was unknown until after somebody had already done it.
Probably nobody. There are good reasons it shouldn’t be done and it is certainly unsupported.
Even if you used the most common OS and browser with the most common configuration (not possible; there is no 100% “common” configuration), there are a hundred ways to fingerprint you anyway.
Which adversary are you trying to protect against?
Not that I’m endorsing Brave but something like this is probably good enough for most people who just want to “hide from ad trackers” or something. Of course TB will give you the most protection in this scenario as well, but that’s not what you’re asking.
Using TorBrowser your IP is hidden. With Firefox it isn’t.
Please correct me if I am wrong about this; I’d say, at that point it does not matter anymore, how many people use your configuration.
Once your IP is revealed, you are already identified. The only thing you can still do, is limit the amount of information they collect.
LibreWolf is designed to increase protection against tracking and fingerprinting techniques, while also including a few security improvements. This is achieved through our privacy and security oriented settings and patches. LibreWolf also aims to remove all the telemetry, data collection and annoyances, as well as disabling anti-freedom features like DRM.
I have just recently begun looking into anonymous surfing, fingerprinting etc., and using Tor browser. I have a fresh installation of Tor browser 11.5.2, using default settings. I have now visited amiunique.org to see my browser fingerprint, and to my surprise, Canvas is unique, and an image with vertical stripes is displayed there. When I change security level of Tor browser to “Safer”, it is the same (but everything goes to NA when changed to “Safest”).
For comparison, I have done this check with my customized regular Firefox browser, and Canvas similarity ratio is 3.4% and two rows of text are displayed.
Is there some way to change the Canvas fingerprint and make it less unique in Tor browser? Or is this not an anonymity problem?
canvas is deliberately randomized per execution - i.e. every single time you check it, it is RANDOM and this cannot be used to linkify
see here: canvas spoof fingerprinting - click re-run and note that every single time the first and second reads change - i.e. per execution (every time the code asks for it)
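
The per-execution behaviour described in the last reply can be checked by hashing repeated canvas readbacks and testing whether two visits share a hash. This is an added example, not part of the thread or of any browser's code; the reader functions and pixel data are constructed stand-ins, and in a browser `read` would wrap a real readback such as the bytes of `getImageData(...).data`.

```javascript
// FNV-1a 32-bit: a non-cryptographic hash, enough to compare readbacks.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Read the canvas `runs` times in one execution and hash each readback.
function sampleCanvas(read, runs = 5) {
  return Array.from({ length: runs }, () => fnv1a(read()));
}

// One hash for every read means a stable (trackable) canvas value.
function classify(hashes) {
  const distinct = new Set(hashes).size;
  if (distinct === 1) return "stable";
  return distinct === hashes.length ? "randomized-per-read" : "mixed";
}

// Two visits are linkable through canvas only if they share a hash.
function linkable(visitA, visitB) {
  const seen = new Set(visitA);
  return visitB.some((h) => seen.has(h));
}

// Constructed stand-ins for canvas readback (assumptions, not real browsers).
const PIXELS = Uint8Array.from({ length: 64 }, (_, i) => (i * 37) & 0xff);
function stableReader() {
  return () => PIXELS;
}
function randomizingReader(seed) {
  let state = seed >>> 0;
  return () => PIXELS.map((p) => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0; // LCG noise
    return p ^ (state >>> 24);
  });
}

const plainA = sampleCanvas(stableReader());
const plainB = sampleCanvas(stableReader());
const randA = sampleCanvas(randomizingReader(1));
const randB = sampleCanvas(randomizingReader(2));
console.log("unprotected:", classify(plainA), "linkable:", linkable(plainA, plainB));
console.log("randomized: ", classify(randA), "linkable:", linkable(randA, randB));
```

A "stable" verdict within one page load does not by itself show an unprotected browser: a value that is fixed per site or per session looks stable here and only differs when the two visits are compared.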