Tor Browser and browser fingerprint

If you visit this site My Fingerprint - Am I Unique? through your Tor browser, you will be surprised to learn that Yes! You are unique among the 46… fingerprints in our entire dataset. It doesn’t matter to me, but many people want to be truly anonymous using the Tor browser.
Thank you for your attention.

Read About Browser Fingerprinting - it’s a presentation and I have linked to slide 50 which is about Test Sites and how much nonsense they are (slides 51 to 58) - it’s a quick read


Welcome to the forum @User25.

I just tried this site myself with Tor Browser 15.0 on Linux with security level set to Standard (the default). Here are the results from 2 separate visits (I closed Tor Browser & opened it again before the second, so there were no traces left from the first):

Yes! You are unique among the 4613068 fingerprints in our entire dataset

Yes! You are unique among the 4613091 fingerprints in our entire dataset

From this I can conclude that being unique according to amiunique.org is no indication that my anonymity has been compromised.

It would appear that their methodology for determining uniqueness may be flawed. In particular, the “Similarity ratio” column reads 0.00% for both HTML5 and WebGL Data metrics. When you see this with Tor Browser it means a random value has been generated.

This point is a frequently misunderstood aspect of browser fingerprinting: A deterministically random value is actually equivalent to a deterministic fixed value - both make the user ‘blend in’ with all others. To put it a different way, a randomized value for a given metric negates any attempt to fingerprint a Tor Browser user using that metric in the same way that a fixed value does (e.g. the User Agent) - i.e. it ensures that any one user is indistinguishable from all others.

I suspect that rather than discounting the randomized values in these 2 metrics from their overall fingerprint value, amiunique.org are in fact including the random values and thus generating a random overall fingerprint on each visit. This would certainly explain how my 2 visits using the same browser on the same computer were recorded as ‘unique’. If you are interested I suggest you reach out to them and ask about their methodology.

Other browser fingerprinters correctly discount randomized values and only include deterministic, fixed values in their fingerprint. IMHO a good example is fingerprintjs. FingerprintJS is a commercial browser fingerprinting tool and probably the best available. You can try the demo version yourself here. Note that the “Entropy components” for canvas geometry and canvas text are recorded as “unstable” (i.e. random). If you try the fingerprintjs demo with Tor Browser on 2 separate occasions, you should find you get the same “Visitor identifier” each time. So far so good. If you then get your friends to try it* they should see exactly the same value too - i.e. you are indistinguishable from one another. Tor Browser’s goal as regards fingerprinting is exactly this; to make all users indistinguishable from one another.

*using the same version of Tor Browser on the same OS (i.e. Windows/macOS/Linux etc.)

Finally, the Tor Browser team does extensive testing with its own in-house fingerprinting tool called Tor Zilla Print (TZP). Rest assured that each release goes through very extensive fingerprinting tests to ensure there are no ‘leaks’.

I hope this helps.
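
The effect described in the post above, as an added example that is not part of the original thread: a simulated test site that hashes every metric reports each visit as unique, while one that drops metrics that change between two reads gives every visit the same identifier. The browser model, metric names and values are constructed assumptions, and the read-twice check is one simple way to spot a randomized metric, not any site's documented method.

```javascript
// Constructed example. FNV-1a 32-bit stands in for whatever hash a test site uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Seeded PRNG so the simulation is reproducible.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return (t ^ (t >>> 14)) >>> 0;
  };
}

// One simulated visit. Assumption: the fixed metrics are the same for every
// user; canvas and webgl return a fresh random value on each read.
function makeVisit(rand) {
  const fixed = { userAgent: "ExampleBrowser/1.0", timezone: "UTC", screen: "1400x900" };
  return {
    names: [...Object.keys(fixed), "canvas", "webgl"],
    read: (n) => (n in fixed ? fixed[n] : "rnd-" + rand()),
  };
}

// Hashes every metric, randomized ones included.
const naiveId = (v) => fnv1a(v.names.map((n) => n + "=" + v.read(n)).join("|"));

// Reads each metric twice and hashes only those that did not change.
function stableId(v) {
  const unstable = v.names.filter((n) => v.read(n) !== v.read(n));
  const kept = v.names.filter((n) => !unstable.includes(n));
  return { id: fnv1a(kept.map((n) => n + "=" + v.read(n)).join("|")), unstable };
}

// Counts the distinct identifiers each method assigns across `visits` visits.
function compare(visits, seed = 1) {
  const rand = prng(seed), naive = new Set(), stable = new Set();
  let unstable = [];
  for (let i = 0; i < visits; i++) {
    const v = makeVisit(rand);
    naive.add(naiveId(v));
    const s = stableId(v);
    stable.add(s.id);
    unstable = s.unstable;
  }
  return { naive: naive.size, stable: stable.size, unstable };
}
```

Calling `compare(50)` returns the number of distinct identifiers each method produced for 50 simulated visits, plus the metrics the second method discarded.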

tl;dr: it’s not Tor Project’s tool (they haven’t contributed a single thing, not even feedback), it’s not in-house, and using it for QA testing is dubious at best (I have seen it checked off and devs ignore real failures)

please don’t quote TZP as something it isn’t


Just to be clear - this is not Tor Project’s tool - it is mine. Except for @PieroV helping with a few code snippets, they haven’t contributed a single thing. No-one communicates to me about any of it (again PieroV is the exception). I do not get any communication about their plans to use it (beyond a vague idea to take it and automate it themselves - almost 3 years ago) and I have never been given input into its design or contents or functionality. It’s my play tool and has a very long way to go to being comprehensive (more tests) and robust (all methods to determine things and all sources such as iframes, workers, service workers, third parties). It’s not just for checking patches do not regress, it’s also designed to be a tool to determine and show up differences.

In the last six months or so (I am not involved), AFAIK builds are supposed to be checked against TZP by Tor Project (it’s part of their QA/release issue template) - i.e. each dev checks TZP on a few platforms, but even then it’s not comprehensive e.g. different languages/locales, spoof english, manual tests that require transient user activation

It’s also inconsistent regards health failures - outside of PieroV a few times, not a single query has been sent my way when this happens - I have had to step in numerous times in the past (by letting PieroV know). Keep in mind I built and designed the tests and that only PieroV would understand what’s going on with most of it - I don’t expect them to all understand all of it - but that’s what I’m here for (and PieroV). It’s early days I guess, but it is progress

Anyway, the long term plan (based on a nod of the head and some mumbling in Costa Rica years ago) is for Tor Project to take all my work and ideas and refactor to suit and provide their own instance with automated testing - and it would be comprehensive because they can automate clicks etc as well and test every language with and without spoof english etc - but that’s a very long way off

[I don’t expect to be involved given the lack of communication or urgency, which makes me very very sad]

please don’t quote TZP as something it isn’t

@thorin my apologies, I was not aware of this sad situation and will not misrepresent your work again.

FWIW I use TZP myself to test my Selenium WebDriver library for Tor Browser (Ruby). Clearly a lot of thought and work has gone into this excellent tool. My best wishes.
