Feeling alone

The EFF is running an experiment to see how you can be identified by your web browser, without the use of cookies or your IP address.

I'm apparently currently the only Iceweasel 3.5.6-1 amd64 (with an English locale) user who participated.

I feel alone. One in 268977 so far. That's more than 18 bits of entropy.

2010-01-30 10:21:43+0900

firefox


8 Responses to “Feeling alone”

  1. Evgeni Says:

    Your browser fingerprint appears to be unique among the 318,830 tested so far. ;)

    Also 3.5.6-1, also amd64, but English and German locales and no further ****script.

  2. Obey Arthur Liu Says:

    Note that it also differentiates users based on sniffing plugin versions, system fonts, etc…

  3. jmw Says:

    I’m apparently also the only user with Iceweasel 3.5.6-1 amd64 and an English locale. Something seems broken.

  4. Dmitrijs Ledkovs Says:

    I’m unique Chromium daily users =( gotta try again…. dammit still unique “Your browser fingerprint appears to be unique among the 399,792 tested so far.”

    On the other hand I become unique every 24 hours?

  5. Peng’s links for Sunday, 31 January « I’m Just an Avatar Says:

    […] Hommey: Feeling alone. The Electronic Frontier Foundation has an experiment to see how much info your browser lets web […]

  6. Anonymous Says:

    I apparently also qualify as unique. My refusal to use proprietary plugins provides as much information as my choice of browser (when you count both the lack of plugins and lack of font detection). (And it seems worth pointing out that panopticlick has some serious self-selection bias, so I’d guess real sites could get even more unique identification.) Toss in time zone and screen resolution, and I end up pretty unique.

    I can also think of a few identification methods that Panopticlick doesn’t use. It detects fonts via Flash and Java, but what about simply rendering a text string in “sans” with a specified point size, and checking the dimensions of the resulting element? The result should stay at least as fixed as browser version. (They mention the idea in their FAQ, along with detecting the presence of fonts by changing the font with javascript and looking for a size change.)

    I see a couple of ways the browser could mitigate this. Do sites *really* need to know that a user runs 3.5.6, rather than just 3.5? For that matter, given that upstream encourages people to check for Gecko rather than Firefox, does it *really* help to say “Firefox/3.5” rather than just Firefox? To mitigate broken version detection scripts, what if all new versions of Firefox just said “Firefox/4”, much like “Mozilla/5.0”? The same goes for the Gecko date, which doesn’t actually represent a version of Gecko, just a build date. It doesn’t say anything about browser capabilities.

    The “rv” value seems like the only useful one for browser version detection, and it could become a bit fuzzier without any real loss.

    And Debian’s precise package version doesn’t seem helpful for anyone other than the Debian maintainer. Do you really get any value from having this in the User-Agent?

    Nothing good comes from putting “en-US” in the User-Agent either; that doesn’t have the same effect as Accept-Language (another mistake).

    And with the exception of a small handful of sites that helpfully want to offer the right download for the user’s OS, nobody needs to know “Linux” or “x86_64” either. Or “X11” for that matter. (“U” doesn’t matter given that other versions don’t exist anymore, though I’d hope nobody checks for it.) Unfortunately, some sites *do* sniff specifically for Firefox on Windows, but including something like “Windows Linux Macintosh” for backward compatibility could have detrimental effects.

    So, a much better User-Agent for Iceweasel:

    Mozilla/5.0 (rv:1.9.1.6) Gecko/99991231 Iceweasel/4 (like Firefox/4)

    And one for upstream:

    Mozilla/5.0 (rv:1.9.1.6) Gecko/99991231 Firefox/4

    I don’t think we can do any better until sites stop doing version detection.
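
The effect of the reduced User-Agent proposed in comment 6, measured on a small population, as an added example that is not part of the original post or its comments. The eight sample User-Agent strings (including their Gecko build dates) are constructed for illustration, and the function names are hypothetical.

```python
import math
import re
from collections import Counter

def _ua(os_part, locale, rv, tail):
    # Gecko 1.9.x layout: Mozilla/5.0 (platform; U; OS; locale; rv:X) Gecko/DATE product
    return f"Mozilla/5.0 ({os_part}; {locale}; rv:{rv}) {tail}"

ICEWEASEL = "Gecko/20091216 Iceweasel/{v} (like Firefox/{v}; Debian-{v}-1)"
FIREFOX = "Gecko/20091201 Firefox/{v}"

# Constructed sample population (8 visitors); not data from Panopticlick.
POPULATION = [
    _ua("X11; U; Linux x86_64", "en-US", "1.9.1.6", ICEWEASEL.format(v="3.5.6")),
    _ua("X11; U; Linux i686", "en-US", "1.9.1.6", ICEWEASEL.format(v="3.5.6")),
    _ua("X11; U; Linux x86_64", "de", "1.9.1.6", ICEWEASEL.format(v="3.5.6")),
    _ua("X11; U; Linux x86_64", "en-US", "1.9.1.5", ICEWEASEL.format(v="3.5.5")),
    _ua("Windows; U; Windows NT 5.1", "en-US", "1.9.1.6", FIREFOX.format(v="3.5.6")),
    _ua("Windows; U; Windows NT 6.1", "fr", "1.9.1.6", FIREFOX.format(v="3.5.6")),
    _ua("Macintosh; U; Intel Mac OS X 10.6", "en-US", "1.9.1.6", FIREFOX.format(v="3.5.6")),
    _ua("Windows; U; Windows NT 5.1", "en-US", "1.9.0.17", "Gecko/2009122116 Firefox/3.0.17"),
]

def bits_for_one_in(n):
    """Surprisal of a fingerprint shared by 1 in n visitors."""
    return math.log2(n)

def surprisal_bits(value, population):
    """Bits of identifying information carried by `value` within `population`."""
    share = Counter(population)[value] / len(population)
    return -math.log2(share)

def coarsen(ua):
    """Rewrite a Gecko UA to the reduced form proposed above; unparseable UAs pass through."""
    rv = re.search(r"rv:([\d.]+)", ua)
    product = re.search(r"Gecko/\d+ (\w+)/", ua)
    if not (rv and product):
        return ua
    name = product.group(1)
    like = " (like Firefox/4)" if name != "Firefox" else ""
    return f"Mozilla/5.0 (rv:{rv.group(1)}) Gecko/99991231 {name}/4{like}"

def compare(ua, population):
    """Return (bits before, bits after) when every visitor sends the reduced UA."""
    reduced = [coarsen(u) for u in population]
    return surprisal_bits(ua, population), surprisal_bits(coarsen(ua), reduced)

if __name__ == "__main__":
    before, after = compare(POPULATION[0], POPULATION)
    print(f"full UA: {before:.2f} bits, reduced UA: {after:.2f} bits")
    print(f"one in 268977: {bits_for_one_in(268977):.2f} bits")
```

The reduction only shrinks the User-Agent's contribution; fonts, plugins, time zone and screen size are measured separately and are unaffected by it.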

  7. Adam Says:

    unique among 499,676
    18.93 bits of entropy

    Debian chromium 4.0.304.0

    Scores:
    Fonts 13.89
    User Agent 13.23
    Plugin 11.19
    Time Zone 9.68
    Screen 4.04
    HTTP Headers 3.58

    with Iceweasel 3.5.6-1 amd64 en_US and script disabled I get one in 4,584 (12.16 bits), which jumps to 18.93 bits (unique among 500,212):

    User Agent 9.12
    HTTP Headers 1.96

    So fonts and plugins are the main culprit.. and using a cutting edge browser..

  8. Sven Joachim Says:

    Even though you have removed the Debian revision from the useragent string in the meantime, mine is still unique among now 655,346 participants.

    The only comfort is that any new xulrunner or iceweasel upstream version will change the UA string, so that websites will hopefully not identify me anymore after a few weeks.
