Tor Browser vulnerable to fingerprinting methods

i put together a demo site: https://tb-fingerprinting.tiiny.site/

even when safer mode is on (which blocks wasm and jit), the site still leaks too much info. it can still figure out things like:

  • your mouse polling rate (kloak stops this one)
  • whether you have gpu acceleration (via canvas)
  • your cpu type by running tests (cache, subnormal)
  • clock skew (sdwdate stops this one)
  • if you’re running tails or whonix

i’m happy ublock origin is coming, but it won’t stop all fingerprinting tricks. i think what we really need is a browser extension that checks for common fingerprinting code in javascript.

https://www.researchgate.net/publication/367585237_Browser-Based_CPU_Fingerprinting

i based most of the website on this. the paper uses wasm but it's not required and neither is jit

examples of fingerprinting

cache and subnormal fingerprinting are not common in my findings, but all else can be found

hCAPTCHA

hcaptcha accesses getCoalescedEvents() which can be used for determining mouse polling rate

Cloudflare Turnstile

cpu performance fingerprinting, proof-of-space for memory allocation, mouse movement

reCAPTCHA

cpu performance fingerprinting, mouse movement

I wouldn’t trust any third-party extension that claims to solve a particular fingerprinting/anonymity problem. Russian and NK linked state actors/hacking groups are known to use a tactic wherein they present some problem publicly and provide some solution, installation of which quietly installs malware.

tor project could develop it

Interesting post @victor, welcome to the forum.

It will be good to hear from the Tor Project’s fingerprinting experts like @thorin and @PieroV if any of the metrics you have illustrated here are new/unknown and if so, how much entropy is added in reality in each case. If the answer is non-zero I am sure the Tor Project will be interested in developing relevant defenses, if feasible.

i think what we really need is a browser extension that checks for common fingerprinting code in javascript

This is an interesting idea, it could perhaps be incorporated into NoScript. The obvious question is “what should Tor Browser do in this event?”. Should Tor Browser simply log the event, warn the user via the UI or even prevent navigation to other sites until the user requests a new identity? I would be in favor of all 3 on Safest security level.

The CloudFlare turnstile & CAPTCHA fingerprinting techniques are interesting too, especially given the ubiquity of CloudFlare’s DDoS service online (which uses Turnstile &/or reCAPTCHA). I have previously highlighted the fact that CloudFlare is potentially in a position to track a user across all sites using their DDoS service. Various forms of CAPTCHA are of course widely used on sites that don’t use CloudFlare. The fact that some such technologies use biometric fingerprinting techniques like mouse movement may be an argument to use a new identity after each encounter with them. Personally, I already try to practice this discipline in my own browsing habits.

I’ll be very interested to hear what others have to say on the issues raised by your post.
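The idea raised in the original post and in the reply above, an extension (or a NoScript hook) that checks page scripts for common fingerprinting code, can be sketched as a static heuristic scanner over script source text. The block below is an added example, not code from the Tor Project, NoScript or the original poster; the signal names, weights and thresholds are my own assumptions, and the three sample scripts are constructed for the demonstration (they mimic the API patterns the thread mentions, such as getCoalescedEvents(), canvas/WebGL readback and high-resolution timing, not any real site's code). A real extension would hook script loading and then decide whether to log, warn or block, as the reply discusses.

```javascript
// Heuristic scanner: flags script source that uses APIs commonly combined for
// browser fingerprinting. Signal names, weights and thresholds are assumptions
// for this example, not a published detection rule set.
const FINGERPRINT_SIGNALS = [
  // Coalesced pointer events expose raw input sampling (mouse polling rate).
  { name: 'coalesced-pointer-events', pattern: /\.getCoalescedEvents\s*\(/g, weight: 3 },
  // Reading rendered pixels back from a canvas is the classic canvas/GPU probe.
  { name: 'canvas-readback', pattern: /\.(toDataURL|getImageData|readPixels)\s*\(/g, weight: 2 },
  { name: 'webgl-context', pattern: /getContext\s*\(\s*['"](webgl2?|experimental-webgl)['"]/g, weight: 2 },
  // High-resolution timers on their own are common; they only add a little weight.
  { name: 'high-res-timing', pattern: /performance\.now\s*\(/g, weight: 1 },
  { name: 'wasm-instantiate', pattern: /WebAssembly\.(instantiate|compile)\b/g, weight: 1 },
  { name: 'hardware-concurrency', pattern: /navigator\.hardwareConcurrency\b/g, weight: 2 },
];

// Returns a score, the matched signals with their counts, and a coarse verdict.
function scanScript(source) {
  const findings = [];
  let score = 0;
  for (const sig of FINGERPRINT_SIGNALS) {
    const matches = source.match(sig.pattern);
    if (matches) {
      findings.push({ signal: sig.name, count: matches.length });
      score += sig.weight;
    }
  }
  let verdict = 'clean';
  if (score >= 4) verdict = 'likely-fingerprinting';
  else if (score > 0) verdict = 'suspicious';
  return { score, findings, verdict };
}

// Constructed sample scripts (not taken from any real site).
const SAMPLES = {
  benign: `document.getElementById('go').addEventListener('click', () => {
    console.log('clicked');
  });`,
  pointerSampler: `window.addEventListener('pointermove', (e) => {
    const samples = e.getCoalescedEvents();
    const t = performance.now();
    report(samples.length, t);
  });`,
  canvasProbe: `const cv = document.createElement('canvas');
  const gl = cv.getContext('webgl');
  draw(gl);
  send(cv.toDataURL());`,
  plainBenchmark: `const t0 = performance.now();
  work();
  console.log(performance.now() - t0);`,
};

// Scans every sample and maps its name to the verdict, for a quick report.
function scanSamples() {
  const out = {};
  for (const [name, src] of Object.entries(SAMPLES)) {
    out[name] = scanScript(src).verdict;
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanSamples());
}
```

Static matching like this is cheap and explainable, but it is only a heuristic: minified or obfuscated scripts can hide the API names (e.g. by building them from strings), so a production extension would pair source scanning with runtime hooks on the same APIs.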

Hi, thanks for sharing this.
Several of the metrics are known and already dealt with, other ones have never been investigated yet (especially the wasm-based ones).
We’ll need some time to address them.
Also, this is a lot to unpack for a single forum thread. Specific GitLab issues could be helpful to go through one vector at a time.