Re: Browser fingerprinting? [message #182839 is a reply to message #182838] |
Wed, 18 September 2013 16:24 |
J.O. Aho
Messages: 194 Registered: September 2010
Karma:
|
Senior Member |
|
|
On 18/09/13 15:09, Scott Johnson wrote:
> On 9/17/2013 10:06 PM, Denis McMahon wrote:
>> On Tue, 17 Sep 2013 22:53:30 +0200, Marc van Lieshout wrote:
>>> It has some 150 browser identification strings aboard (Including Amaya,
>>> Dillo, Bluefish), spoofs x-forwarded-for and via, spoof ETags and send
>>> random Accept: headers.
>>
>> That's spoofing, not fingerprinting.
>>
>> Spoofing is easy. Fingerprinting is not. Fingerprinting is attempting to
>> uniquely identify visitors to a site at the site server. Spoofing is
>> trying to tell the server you're someone different in some way to who you
>> really are. They're not the same thing, and while spoofing is easy,
>> fingerprinting accurately and reliably is incredibly difficult.
>>
>> If I visit your website today using firefox on my unix pc over my adsl
>> connection, and tomorrow using chrome on my android tablet over it's 3g
>> connection, how are you going to fingerprint me? I don't need to use
>> anything as "technical" as spoofing the browser id. You lost the game as
>> soon as I started playing!
>>
>
> I think the point he was trying to make, which is what I took out of it,
> was how easy it is to minimize the practical use of fingerprinting.
> Spoofing and fingerprinting are related in those terms.
Fingerprinting will most likely disregard the UA-string and just look
what they can get out of the plug-ins and fonts installed, those are
fare more static for a user over a long time. There are companies who
offer this kind of fingerprint detection to those willing to pay for it.
> In a prior post, I think the OP, was asking for proof on how easy it is
> to make fingerprinting unreliable, and one particular way was shown.
That really depends on the method for fingerprinting" and most of the
techniques are out of scope in the usergroup.
--
//Aho
|
|
|