I'm sure we're all aware that the browser we use (the User Agent in internet-speak) reports back information to each web server we visit. But could a web server gain any information about who we are just from the browser? Could we be identified when we visit later on? You might think: easy, just turn off cookies and we'd be pretty much unidentifiable, but is that the case?
I tried out a web site called Panopticlick put up by the Electronic Frontier Foundation (EFF) to see how identifiable I was (or, if you like, how unique my browser fingerprint is). I got back:
Your browser fingerprint appears to be unique among the 139,433 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 17.09 bits of identifying information.
Yikes!
The information that is gathered and analyzed for uniqueness is the User Agent string, the HTTP_ACCEPT headers, the browser plug-ins, time zone, screen size and color depth, the system fonts, whether cookies are enabled, and the "Limited supercookie test", whatever that is. The things that are most unique for me are my list of plug-ins and my fonts. In essence, those are unique amongst the data they currently have collected in their database. The EFF have gathered some recommendations to mitigate against browser fingerprinting here.
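The "bits of identifying information" figure is the surprisal of a fingerprint: log2(total visitors / visitors sharing it). The following is an added example, not Panopticlick's code and not from the original post; the visitor records are constructed and the attribute names are assumptions. It reproduces the quoted figures and shows how a rare setting, such as blocked cookies, adds bits.

```python
import math
from collections import Counter

ATTRS = ("user_agent", "plugins", "fonts", "cookies")  # assumed attribute names

# Constructed visitor records for illustration (not real Panopticlick data).
VISITORS = [
    ("Firefox/3.5", "flash,java", "arial,verdana", "yes"),
    ("Firefox/3.5", "flash,java", "arial,verdana", "yes"),
    ("Firefox/3.5", "flash",      "arial,verdana", "yes"),
    ("Firefox/3.5", "flash",      "arial,verdana", "yes"),
    ("MSIE 8.0",    "flash",      "arial,tahoma",  "yes"),
    ("MSIE 8.0",    "flash",      "arial,tahoma",  "yes"),
    ("MSIE 8.0",    "flash,java", "arial,tahoma",  "yes"),
    ("Firefox/3.5", "flash,java", "arial,verdana", "no"),
]

def bits(count, total):
    """Surprisal in bits of a value seen `count` times among `total` visitors."""
    if not 0 < count <= total:
        raise ValueError("count must be between 1 and total")
    return math.log2(total / count)

def report(visitor, population=VISITORS):
    """Return (bits per attribute, bits for the whole fingerprint)."""
    total = len(population)
    joint_count = Counter(population)[visitor]
    if joint_count == 0:
        raise ValueError("visitor must be part of the population being measured")
    per_attr = {}
    for i, name in enumerate(ATTRS):
        seen = Counter(v[i] for v in population)
        per_attr[name] = bits(seen[visitor[i]], total)
    return per_attr, bits(joint_count, total)

if __name__ == "__main__":
    # Figures quoted on this page: unique among 139,433, and one in 7,661.
    print(f"unique among 139,433: {bits(1, 139433):.2f} bits")
    print(f"one in 7,661:         {bits(1, 7661):.1f} bits")
    for label, v in (("cookies on", VISITORS[0]), ("cookies off", VISITORS[7])):
        per_attr, joint = report(v)
        print(label, {k: round(b, 2) for k, b in per_attr.items()},
              f"sum={sum(per_attr.values()):.2f} joint={joint:.2f}")
```

Summing the per-attribute figures overstates the total whenever attributes are correlated (here user agent and fonts always move together), so only the count of the whole fingerprint gives its bits.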
Go on, try yours, I dare you...
Posted via email from Julian's posterous
2 Responses
#1 Thorsten said...
29-Jan-10 12:20 AM
"Within our dataset of several hundred thousand visitors, only one in 7,661 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys 12.9 bits of identifying information."
But that's mainly because everything except User Agent and HTTP_ACCEPT Headers just says "no javascript" (who in their right mind is browsing the web without having NoScript installed?).
If I DO allow javascript, then yes I also get an "appears to be unique" rating. Interestingly, blocking cookies from eff.org makes my browser more unique: "only one in 58,789 browsers have the same fingerprint as yours".
What the test doesn't properly show is that while I am allowing cookies from all sites that are not explicitly on a blacklist, they are all only allowed as session cookies except if the site is on a special whitelist, which prevents cookies from being used to track me across session limits.
#2 Anders Isaksson said...
29-Jan-10 2:42 AM
When I switched on "Start private browsing" in Firefox 3.5.7 the fingerprint dropped from 17.67 to 16.43 - one full bit of entropy! Not much more privacy in that...