undefined | Better HN

0 pointsvarenc1mo ago0 comments

> A few years ago, intentionally fingerprinting or tracking your users without disclosure was spyware and unethical. Alas, here we are.

For over 15 years reCAPTCHA has relied on browser fingerprinting to help distinguish humans from bots. And fingerprintjs.com has been around for well more than a couple years.

That said, sniffing the browser extensions someone is using is NOT a common fingerprinting method used by my examples, but just saying fingerprinting itself without explicit disclosure has been around for quite a long time. It happens on literally every CAPTCHA service. I hate it of course, but the ship sailed a long time ago.

I like this demo for testing my browser's resilence against fingerprinting: https://fingerprint.com/demo/

0 comments

purplehat_1mo ago

Have you (or anyone reading this) been able to "beat" fingerprint.com without Tor or turning JavaScript off outright?

I've tried it various times over the last couple years, using different browsers with various privacy settings enabled and a VPN.

I can get good partial results and am able to reset my fingerprint by changing my OS and browser at the same time, so it's not entirely there with regards to sniffing the hardware. But I can never revisit the site and have it not recognize me. Is there no one but me using (for example) Debian testing Librewolf with resistFingerprinting on Proton VPN? If there are others, then resistFingerprinting is doing a bad job hiding my hardware.

That's depressing! Despite our genuine best efforts, enough identifiers leak that it seems to me there's no practical solution. I am genuinely at a loss for what we can do.

(If you're reading this and think it doesn't matter, it's possible you're not realizing that this means that any site collecting and storing these identifiers now will be able to talk to any site in the future and link your identity. Your past actions on every website on a given piece of hardware are liable to be linked to create a detailed profile in the future, so even if Reddit and Pornhub and Discord and the government aren't talking to each other now, you can put some decent probability in the fact that if they decided to share identifiers, they could link all your historical (signed out) activity to your real-world identity without much effort. I use those sites as examples because they're sites where people tend to generate information that they may want private, but they visit using the same hardware identifiers.)

3 more replies

pixelmelt1mo ago

I've been getting into making and breaking these antibots recently and it's funny to me how the person who wrote this post gave so much attention to what LinkedIn was doing and left the other antibots on the page as a footnote. They grab way more, they just don't let you see it. I haven't reversed PX or Recap yet but the antibot on twitch and Nike similarly checks if you have any of these 53 apps installed (when loaded on a WebKit browser) https://pastebin.com/raw/KACvjpTK

j / k navigate · click thread line to collapse