Discussion:
Browser tracking
Jorge Arellano Cid
2014-09-08 19:15:53 UTC
Hi,

This site is interesting. It gives kind of a score of web browser
trackability. [1]

@corvid, I thought you'd like to give it a look (AFAIR, you have submitted
some standardizing to our HTTP querying in the past). It looks like
our HTTP_ACCEPT and "User Agent" are the most vulnerable to tracking.

It looks simple to provide some less unique alternatives in dillorc.

DISCLAIMER: this is just one little aspect of the privacy chain.
Most probably this is moot unless you're behind a TOR ring. YMMV.


[1] https://panopticlick.eff.org/
--
Cheers
Jorge.-
Sebastian Geerken
2014-09-08 19:42:06 UTC
Post by Jorge Arellano Cid
Hi,
This site is interesting. It gives kind of a score of web browser
trackability. [1]
@corvid, I thought you'd like to give it a look (AFAIR, you have submitted
some standardizing to our HTTP querying in the past). It looks like
our HTTP_ACCEPT and "User Agent" are the most vulnerable to tracking.
It looks simple to provide some less unique alternatives in dillorc.
[1] https://panopticlick.eff.org/
I once started to read the paper (stopped where the math gets too
complicated ;-) ); I remember that it is relatively simple to track a
browser even if the browser fingerprint, which consists of numerous
attributes, changes slightly when only a few attributes (e.g. browser
version) change. This gave me a vague idea to randomize these
attributes exactly in a way to break re-detection. Dillo could perhaps
be a good testbed for this.
Post by Jorge Arellano Cid
DISCLAIMER: this is just one little aspect of the privacy chain.
Most probably this is moot unless you're behind a TOR ring. YMMV.
From what I've understood, TOR wouldn't help.

Sebastian
Jorge Arellano Cid
2014-09-09 17:27:37 UTC
Post by Sebastian Geerken
[...]
Post by Jorge Arellano Cid
DISCLAIMER: this is just one little aspect of the privacy chain.
Most probably this is moot unless you're behind a TOR ring. YMMV.
From what I've understood, TOR wouldn't help.
I mean: usually an IP and a time window is all you need.

Unless the site is being accessed in parallel from the same IP,
there's almost no way to avoid session tracking. That's where TOR
helps (AFAIU).
--
Cheers
Jorge.-
Andreas Kemnade
2014-09-08 20:25:01 UTC
Hi,

On Mon, 8 Sep 2014 16:15:53 -0300
Post by Jorge Arellano Cid
Hi,
This site is interesting. It gives kind of a score of web browser
trackability. [1]
@corvid, I thought you'd like to give it a look (AFAIR, you have submitted
some standardizing to our HTTP querying in the past). It looks like
our HTTP_ACCEPT and "User Agent" are the most vulnerable to tracking.
It looks simple to provide some less unique alternatives in dillorc.
The User Agent string of dillo does not have that many version numbers
like the ones of other browsers.
I compared the table with iceweasel and chromium. dillo was the least
unique browser of them.

But there is of course much more to improve.

Greetings
Andreas Kemnade
eocene
2014-09-09 18:44:46 UTC
Post by Jorge Arellano Cid
This site is interesting. It gives kind of a score of web browser
trackability. [1]
@corvid, I thought you'd like to give it a look (AFAIR, you have submitted
some standardizing to our HTTP querying in the past). It looks like
our HTTP_ACCEPT and "User Agent" are the most vulnerable to tracking.
It looks simple to provide some less unique alternatives in dillorc.
Yes, this site was part of the impetus to work on the headers in March to
make dillo resemble firefox more closely, and add deflate decompression
and add keepalive.

User-agent is a little misleading in that I have a current firefox
user-agent string, and panopticlick says that's one in 2701.57 browsers,
but no doubt it's rather more common among the visitors in
September 2014 specifically.

Somewhat related, I've been working on SSL in the browser, and
https://www.ssllabs.com/ssltest/viewMyClient.html
shows some more ways for browsers to reveal what they are.
Post by Jorge Arellano Cid
DISCLAIMER: this is just one little aspect of the privacy chain.
Most probably this is moot unless you're behind a TOR ring. YMMV.
Indeed.
Post by Jorge Arellano Cid
[1] https://panopticlick.eff.org/
James C
2014-09-16 12:15:56 UTC
The browser on my not-incredibly-old ipod touch returned as unique, so
people who run that configuration apparently have not found this site.

Dillo currently returns one-in-~85000, with the user-agent being the
lion's share of that.

If we implement configurable user-agents, will we start getting code
optimised for other people, which we can't run?
eocene
2014-09-16 17:57:49 UTC
Post by James C
If we implement configurable user-agents, will we start getting code
optimised for other people, which we can't run?
There is the http_user_agent preference in dillorc.

As for getting pages shaped for others, yes.
If you're curious, I suppose you could check the Vary header in the
HTTP response and see how often User-Agent is included there.
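
The Vary check suggested in the last message, as an added example that is not part of the original thread or of Dillo's code: it parses response header blocks and counts how many declare that the response depends on User-Agent. The host names and header blocks are constructed sample data, and the function names are illustrative.

```python
from collections import Counter

# Constructed sample response headers (not captured from real sites).
SAMPLE_RESPONSES = {
    "a.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Vary: Accept-Encoding, User-Agent\r\n\r\n",
    "b.example": "HTTP/1.1 200 OK\r\nVary: Accept-Encoding\r\n\r\n",
    # Header names are case-insensitive and Vary may appear more than once.
    "c.example": "HTTP/1.1 200 OK\r\nvary: Accept-Encoding\r\n"
                 "VARY: user-agent\r\n\r\n",
    "d.example": "HTTP/1.1 200 OK\r\nVary: *\r\n\r\n",
    "e.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}


def vary_fields(raw_headers):
    """Return the lower-cased field names listed across all Vary headers."""
    fields = set()
    for line in raw_headers.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "vary":
            fields.update(f.strip().lower() for f in value.split(",") if f.strip())
    return fields


def varies_on_user_agent(raw_headers):
    """True if the response declares a dependency on User-Agent."""
    fields = vary_fields(raw_headers)
    # "Vary: *" means the response may depend on anything, User-Agent included.
    return "user-agent" in fields or "*" in fields


def tally(responses):
    """Count responses that declare User-Agent in Vary versus those that do not."""
    counts = Counter()
    for raw in responses.values():
        counts["user-agent" if varies_on_user_agent(raw) else "other"] += 1
    return counts


if __name__ == "__main__":
    for host, raw in SAMPLE_RESPONSES.items():
        print(host, sorted(vary_fields(raw)), varies_on_user_agent(raw))
    print(dict(tally(SAMPLE_RESPONSES)))
```

A server can shape pages by User-Agent without listing it in Vary, so the count is a lower bound on how often it happens.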
