Fingerprint test, show how private you are

[CaffeineAddict]

"Run your browser in VM"
Does it need an OS? If not that would be cool.

Ofc. it needs an OS, how else would you run a VM?

If you're worried about hardware resources, you can install very minimalistic OS, with only a window manager because for browsing you only care to bring up the browser.

 

[Rocketing-warp9]

Or something like Qubes OS, where it fires up a VM for every app. Unsure how it roll's however.

 

[Rocketing-warp9]

Alrighty! Here are my results-

Done on my MX install.

 

[Trml]

I'll tell you guys the secret for browser privacy

Good call, haha. And yes, true, my result actually was from a VM. I'm testing around different ISO in VMs on a second hand notebook until I commit how I set it up. That it is a VM actually surprised me most about the overall result. I don't bother with extensions, so I can't compare influence to other's results. But I know I got lower identifying bit scores on a regular install (same setup, Intel CPU), which is strange.

 

[CaffeineAddict]

That it is a VM actually surprised me most about the overall result.

Hm, I use ublock origin + noscript, didn't disable them during testing, it could be that.
However GPU profiling should never happen like on bare metal system.

 

[Trml]

However GPU profiling should never happen like on bare metal system.

I did a couple more tests and it's related to a config.

When I started playing with the VMs, I noticed they are too slow to stream HD videos in the browser. What I did was add a kernel option to share virtual slices of the GPU (i915.enable_gvt=1). This results in the webGL headers of the VM being the same as the host - and trying the test on the host indeed does yield the same score/headers.

Interestingly, the different ISO VMs I setup to play (Arch niri, Debian Trixie KDE, Fedora 43) all roughly achieve the same score, give and take some variances of the other setup variables covered in the eff page (e.g. debian ff-esr version, one VM using default en-US, others en-GB, one using UTC, others GMT, some installing more default fonts than others, etc). It's quite interesting that they conclude the same overall score.

Then, without the GPU kernel option, a VM would use software rendering (llvmpipe), which is much more common (halving the webGL identifier score to 7). I'm think this was what you had in mind. But obviously this affects the browsing performance negatively. I know because my old notebook uses llvmpipe on metal as well..

All in all, I don't think one can tell from the eff test results, that it is run in a VM, which is good.

I'd wager a bet that the newer the hardware is, the higher the default overall score. Simply because there are less machines in the testing pool, the newer hardware (like the GPU) sticks out. To diffuse it, one might need to heavily restrict capabilities (which takes the fun out of computing to an extent, see streaming example).

Of course the other mentioned advantages of browsing in a VM do hold. For example, on encountering the unfortunate defacement this week, I simply rebooted the VM (and could have deleted it without loss).

 

[Terminal Velocity]

Blocking tracking ads?	Yes
Blocking invisible trackers?	Yes
Protecting you from fingerprinting?	Your browser has a unique fingerprint

FF with UBO... that's all, and of course I'm unique

 

[CaffeineAddict]

When I started playing with the VMs, I noticed they are too slow to stream HD videos in the browser. What I did was add a kernel option to share virtual slices of the GPU (i915.enable_gvt=1). This results in the webGL headers of the VM being the same as the host - and trying the test on the host indeed does yield the same score/headers.

Then, without the GPU kernel option, a VM would use software rendering (llvmpipe)

I don't use llvmpipe, I use virtio-gpu, searched for difference:

Virtio-GPU is a paravirtualized GPU designed for virtual machines, allowing for better performance and support for OpenGL, while llvmpipe is a software rasterizer that provides basic graphics rendering without hardware acceleration. This means that virtio-gpu can leverage the host's GPU for better graphics performance, whereas llvmpipe relies solely on CPU processing, resulting in lower performance.

See also:

VirtIO GPU — QEMU documentation

www.qemu.org

I'm watching videos and running music in the browser just fine, and overall rendering performance isn't bad, no need to pass trough GPU or set any kernel parameters.

virtio-gpu is what you get in QEMU/KVM, I'm using this setup.

In any case fingerprinting is much more capable when you expose your GPU, I guess by using webGL.

 

[Mike-BTU]

Cover Your Tracks

See how trackers view your browser

coveryourtracks.eff.org

That's a better one than https://whatmyuseragent.com.
Thanks.

 

[CaffeineAddict]

That's a better one than https://whatmyuseragent.com.
Thanks.

While eff.org is well known and old, their fingerprinting subdomain is relatively new site.
Their other good subdomain is:

Surveillance Self-Defense

We’re the Electronic Frontier Foundation, a member-supported non-profit working to protect online privacy for over thirty-five years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying. Read the BASICS to find out how online surveillance...

ssd.eff.org

It is a good read for everyone.

 

[MikeWalsh]

Curiouser & curiouser....

Fonts:-

Tellingly, it ONLY reveals standard Windows fonts. They appear to be coming from my portable-WINE install! (Any WINE install includes a "standard" list of fonts commonly used on an average Windows system). So; I "unlinked" WINE from the system, and re-ran the test.

It now told me I had "no fonts installed in your system". Heh. That's good.....so how's the browser managing to show me the results of the test, hmm?

Comical.

....and:-

Device Memory:-

This one is odd, too. It tells me I have 8 GB of system memory. (in fact, I have 32 GB). So where's the other 24 GB "gone"?

~~~~~~~~~~~~~~~~~~​

I'm with @osprey on this one. I may well be "unique".....but it creates zero inconvenience for me on a day-to-day basis. And I fail to see the point in getting upset by OR "obsessive" over it.

(shrug...)

There must be a TON of websites out there whose sole function is to wind people up.....especially those who seem to literally believe everything they read.


Mike.

 

[Condobloke]

^^^^^.....what mike said

+

smoke and mirrors

words that have their meaning alter/twisted

outright lies and deceit

^^^^...all the above = the internet and the companies/corporations etc etc etc that inhabit it.

 

[Condobloke]

I still believe the most important/simplest way to beat 'the system' is to post false info about yourself in other words spike the info with bs ....incorrect birthdate, country of residence, your work, family etc etc etc....the list is as long as your arm. But: keep a record of what bs you spread. The internet has a long memory.

 

[CaffeineAddict]

@MikeWalsh
Don't think I'm trying to defend the site but fingerpriting can give incorrect results, quote below is from github link whose library is used on eff site:

Since FingerprintJS processes and generates the fingerprints from within the browser itself, the accuracy is significantly lower than in the commercial version

GitHub - fingerprintjs/fingerprintjs: The most advanced free and open-source browser fingerprinting library

The most advanced free and open-source browser fingerprinting library - fingerprintjs/fingerprintjs

github.com

Here is another fingerprinting test somebody shared on forums a while ago, I noticed various incorrect stats as well:

CreepJS

abrahamjuliot.github.io

Quick web search also says fingerprinting can give incorrect stats, which isn't hard to believe.
Even tools such as nmap (port scanner) doesn't give exact results about remote host, such things give estimations, it's not exact science.

There must be a TON of websites out there whose sole function is to wind people up.....especially those who seem to literally believe everything they read.

outright lies and deceit

I don't believe everything I read, but I did search for you for reasons why something is false.

You should understand that even if the result is not accurate it will repeatedly be inaccurate and always give the same result (provided you don't change any settings or environment) and this can be used to generate a unique fingerprint, consistency matters just like accuracy.

 

[Trml]

virtio-gpu is what you get in QEMU/KVM, I'm using this setup.

Great article you wrote, I remember it; can't see the GPU option you chose in it though. In any case I believe this here is effectively using virtio as well.

Streaming HD video from a background VM was my only benchmark when I set it up. I noticed a lot of dropped frames and de-sync of audio. I had tried the default available options and somehow it did not work well and fan noise started. That's when I recalled someone on the internet(TM) (it was Wendell from Leve1Linux) raving about slicing the GPU for their benchmark tests, and set it up like that. It works really nice.

In any case fingerprinting is much more capable when you expose your GPU, I guess by using webGL.

That applies to all features your browser has access to. (for example, mine often has access to a yubikey - I'd be very surprised if the eff test accounts for such). Please correct when wrong, but fingerprinting the GPU should not yield more than what we see in the test result plus a performance estimation. Not a serial number, or something equivalent to a MAC address, right?

Frankly, I was used to user.js disabling WebGL for FF, it certainly has the options. Not sure if they changed defaults sometime. While I left OpenGL enabled for the VM, I'll see if disabling changes test results on next reboot and also have a peek at the current user.js.

For comparison, what does your GPU section of the eff test show for a VM with the default GPU you use?

 

[CaffeineAddict]

what does your GPU section of the eff test show for a VM with the default GPU you use?

There is no GPU section, the only thing related is this:

This is for tor browser, for Firefox with extensions enabled it is:

fingerprinting the GPU should not yield more than what we see in the test result plus a performance estimation. Not a serial number, or something equivalent to a MAC address, right?

I don't think online test like this is good enough to show us what GPU fingerprinting can do, there are some articles online about GPU fingerprinting capabilities, only few of them actually and I found not a single detailed worth sharing.

It can reveal exact GPU model, capabilities etc. but not things like its serial number from what I've searched.
I probably overestimated GPU fingerprinting.

Here is an old article also worth reading:

Technical analysis of client identification mechanisms

 

[Trml]

There is no GPU section, the only thing related is this:

Yes, I was referring to the WebGL related results. I could not get the OpenGL disabled without fiddling with the host pass-through kernel options. What I did now is disable "3D acceleration" for virtio. This already resulted in a decrease of the eff overall score from 18.24 to 16.65 bits, and for the WebGL renderer from 13.48 to 3.26 (!). Also, the GPU type is not recognised anymore in the VM (type exception), which is an improvement for this purpose.

I'd say I stand no chance to get a clean result as the tor browser you show above, because user.js defaults obscure too many other settings. Frankly, I use it as a quick and stable solution - it's much faster to deploy and keep updated than going through regular settings on a new profile. There is at least 20 webGL related config settings in firefox still active, I'm not interested enough atm to figure out which further tweaks would be necessary. I'd rather have a look how the tor browser does it and copy that in whole, if needed.

Thanks for the chromium link, I definitely have a look at that sometime.

 

[CaffeineAddict]

I'd say I stand no chance to get a clean result as the tor browser you show above, because user.js defaults obscure too many other settings.

user.js should only strengthen the configuration not weaken it.

IDK what settings tor uses, I don't use user.js but for FF my no-script rules whitelist a set of websites, for each extra domain per site is handcraft whitelisted.
On top of that is ublock with plenty of filters.

copying tor settings is probably not bad idea.

and for the WebGL renderer from 13.48 to 3.26

this is similar to what I have in tor, but GPU is completely absent, even with creepJS (the other link):

 

[Trml]

user.js should only strengthen the configuration not weaken it.

The Debian Trixie VM here does not have user.js yet and it was the same webGL score nonetheless (when I checked earlier). The user.js defaults enable partial fingerprinting resistance only (they call it FPP), because full resistance (RFP; see https://github.com/arkenfox/user.js/blob/master/user.js#L733) breaks too many regular websites. I now see they disable some webGL renderer in RFP, but recall trying that a long time ago and it was just overboard for regular browsing.

Anyway, I'll have a look at tor browser config sometime. It's been a while. I do recall they only base on ff-esr, which is a hurdle outside Debian ecosystem.

 

[CaffeineAddict]

because full resistance (RFP; see https://github.com/arkenfox/user.js/blob/master/user.js#L733)

resistFingerprinting option in FF does break a lot of things, I recall setting this option some time ago but was forced to reset it.

When I was considering user.js I gave up because there are so many options, I'd want to understand all of them before using, but that's too much to study and experiment, I'm lazy heh