Fingerprinting, CDI & How to Deal With It

Page 2

This site is no longer being maintained so anything below could still be accurate, or very outdated.

Device identification isn’t just experimental or academic—it’s already in use. Banks, airlines and credit card companies, gaming, ecommerce and social networking, insurance providers, among many other areas. CDI is also used with packet inspection for intrusion detection on large private networks. There are tools like nmap, TAMD, Nessus and Argus which profile devices based on both hardware and software. Windows itself implements various forms of CDI to combat piracy.

The darker side of the coin is tracking for advertising and of course, the surveillance industry, with exponentially more available resources than your local bank. There are many companies who produce commercial software for device identification and fingerprint analysis, some of which develop exclusively for their own use.

Your Move

Fortunately there are a few solutions available. But first, a mental exercise. Divide up your browsing habits. Let’s say, your deep web searching for Tesla's schematics and then everything else; these are the two personas you’d like to keep separated. The goal is to make the platforms (the devices) for each persona as unique as possible.

The first scenario would be a regular Windows install (or OS X, Linux, whatever) for all your normal browsing, gaming, word processing, etc. But then you also have a virtual machine for the things you want to isolate from the area of normal, habitual behavior. In your VM you can have some nLite or RT Se7en Lite Windows creation, Ubuntu, one of the BSDs, anything you choose. You can have as many virtual machines as your computer's hardware will allow for.

With the virtual machine, you accomplish several things. The most important is that everything happening in the VM is totally separate from your host system so persistent cookies or malware infections won’t harm your host system. Your VM is also portable so you can store it on external media. You can use virtual machine snapshots to wipe all previous activity, store different points of progress for things you do in the VM, and revert back to clean states if you suspect your guest OS has been contaminated.

If you’re new to hypervisors, Virtualbox is probably the easiest VM software to learn. VMware ESXi is another popular choice for Windows hosts and probably the better of the two, since itruns with less overhead between hardware and software than Virtualbox does. Virtualbox and VMWare’s ESXi version are free. If you want maximum host/guest separation, don’t use anything like clipboard sharing or Guest Additions. If you want maximum persona separation, no exceptions, then instead of a VM, use an entirely separate computer.

* * * * *

In second place is a Linux live session. This is great for traveling or if virtual machines won’t run well on your hardware, but they loose points for convenience because you can’t start a live session from an already booted operating system as you can with a VM. If you’re traveling without a laptop, you’ll likely only have access to public computers so you can’t rely on having USB booting, 64-bit hardware and performance capable of running desktop effects. A USB stick with 32-bit an Lubuntu LTS release makes a great traveling Linux system but unless you need persistence across live sessions, Tails is your best bet.

Tails is based on Debian Stable, is 32-bit with Gnome 2 and it was made and is maintained by the Tor Project. Tails is restricted from writing data to its host computer’s hard drives, it wipes its RAM contents on shutdown, it connects to the internet by default through Tor, comes with security packages like MacChanger, OpenPGP, OTR for Pidgin, a virtual keyboard and EncFS. It even has a disguise mode to look like Windows XP to avoid drawing attention when used in public.

If you’re using your own computer for this, boot into the live session, spoof the MAC address, then connect to the internet to update your cats & ceiling fans blog. About USB live sessions, the Ubuntu/Debian repository package usb-creator-common is a USB image writer which lets you create a second partition on a flash drive. Now you have persistent storage on the same portable device as your live session, regardless of which distro you choose. You can do this with GParted too and then use LUKS or eCryptfs to encrypt the storage space. Persistence across your live session’s operating system for updates and customizations is also possible with a USB drive. Just be sure to use a known safe machine to prepare the portable OS.

* * * * *

You can accomplish many of the same goals of a live session by dual-booting your own computer, so this will be what falls into third place for dividing up your usage habits. The top Linux distros (Ubuntu, Mint, OpenSUSE, etc.) install flawlessly next to Windows and you obviously keep persistence between boots. You can encrypt /home or the entire Linux partition, but if one OS is compromised, you’ll need to reimage or reinstall it.

One more thing with live sessions on your own computer, is that the hardware you’re running the live session on is the same as what’s used for your real operating system. This also applies to dual-boot setups. If you foresee the potential for identification based on hardware specifications as a problem, then stick to a VM where you’re able to limit CPU cores, RAM, GPU access and you have control over the VM’s window size.

If virtual machines and live sessions are excessive for you, then at least consider using two different browsers or browser profiles. One is well hardened as much as you can tolerate and the other would be less tightly locked down, so when things don’t work properly in your first browser, you can quickly switch over to the second. This will block the trackers from 99% of the marketing & ad companies and it will minimize your exposure to exploitive plugins, fonts, scripts, iframes and other such things. As always, you have many options and any of this can be adapted to a wide range of specific goals.

The Panopticlick Paradox and Non-Standard Values

Let’s return to browser headers. With the topic of fingerprinting, Panopticlick and the JonDonym test are always recommended for estimating how unique your browser is. From here, the next step most people think they must take is to anonymize their browser according to JonDonym’s recommendations or how Tor’s browser is set up. Firefox is the only browser which allows so much freedom of reconfiguration, but I don’t recommend doing this for your everyday web browsing. In fact, it’s actually counter-productive to minimizing identification.

Imagine this. You’re walking through Times Square in New York City. The place is packed and you’re just one of hundreds of random faces in the sea of people. Are you anonymous? Well, yes and no. Your face isn't obscured and while it may be difficult for onlookers to find and identify you in a sea of people, you are still exposed to facial recognition by CCTV cameras or whoever does know or find you. But to passive observation, do you blend in with that crowd? Yes, you do. There is no probable cause and nothing unique about you to pique interest.

Put yourself back in the crowd but now you’re wearing a Guy Fawkes mask. Are you anonymous? Well, your face and identity are hidden so yes, you are. Do you blend into the crowd? Hell no. You invoke interest, you’re flagged as a potential threat and NYPD will taze the stupid out of you. That’s what you accomplish when you change your browser headers away from default—you put on the mask in the crowd and become an anomaly among regular site visitors. While modifying your user agent string can be worthwhile in some cases (like when sites refuse to work without Internet Explorer), I don’t suggest you change anything else in your browser’s accepted HTTP headers beyond disabling referrers, because that has a significant gain compared to changing encoding formats or other trivial things.

The issue with Panopticlick comes when changing your everyday browser’s characteristics to get an extremely low result. If you get Opera down to 10 bits of identifying information, the makeup of that rating becomes your new fingerprint. You’ve merely switched Identity A for Identity B, only Identiy B is more uncommon compared to normal internet users. To avoid the fingerpring of Identity B being tracked, you would need to change it again to Identity C, then D and so on. Even casual users blocking all JavaScript or using no plugins are uncommon.

Any deviation from 100% default settings, even if they’re intended to lower a specific point of identification about you, starts your departure away from being merely part of the blur.

The JonDonym test is yet another example. It will only show you all green if you change everything to its recommendations, which is basically what the JonDoFox Firefox profile is supposed to do. (And due to a bug, at the time of this writing, JonDoFox doesn’t even score all green.) But again, which do you think is more common overall, the totally default HTTP headers of Mozilla Firefox, or a FF install changed to mimic JonDoFox?

The point of the JonDoFox profile, as is also a goal of the Tor Browser Bundle, is to provide a Firefox-based browser that is 100% the same for ALL users, thus giving all TBB or JDF users the same fingerprint. This starts to fall apart when not using JDF over their VPN though, and the same can be said when using TBB without the Tor network.

On the clearnet, the best thing to do is blend in and reduce yourself to another nameless, average-looking face in the crowd. This requires using browser attributes which are as generic as possible, forcing you into the majority of users. I’m against changing default values of the browser (the headers, specifically) which would make it more unique. However, I also recommend configuring your browser tightly for security which means yes, blocking plugins, cookies, referrers and Javascript unless needed, but even that creates a tool which becomes appropriate for some uses, an inappropriate for others.

That’s the tradeoff you have to decide for yourself, how far from default do you want to go? Easily identifiable non-standard values are exactly what you end up with when you set your browser to JonDonym’s recommended settings, or when you aim for the lowest possible Panopticlick result or try to mimic the Tor browser. In doing so, you deviate too far from default and there’s no need for any of that to begin with. Use the Tor browser bundle for the purpose it was created and use a normal browser (or several) for everything else. Don’t try make one browser be everything. It just won't happen.

Don’t Let it Get to You

Well, there you are, CDI 101. Be sure to check out the links below for fingerprint tests and more info on all of this. (This site has no affiliation to any of those sources or authors.) By now you see that this is not something internet users can fully avoid. Just as we’ve become accustomed to IP addresses and user agent strings, the potential for device fingerprinting is something we just have to live with at this point. As bad as this sounds, it’s almost a situation where the way to win is to simply not care about loosing. The only real answers are to pare down JavaScript to as little as possible and/or compartmentalization of your activities.

I’ve said before and will say again, your internet service provider and government intelligence agencies know the most about your internet traffic, more than any ad agency. Therefore, when it comes to smudging your online fingerprint, it’s best to pick and choose your battles rather than trying to Napoleon your way through everything in sight.

Share this article.


Fingerprint tests

Whoer. The most complete and thorough fingerprinting test I’ve found so far.

International Pet Portal Cross Browser Fingerprint Test will tell you all about your browser and OS Another good one for Flash, Java, OpenGL and extension info

Centralops Browser Mirror

Studies on fingerprinting and browser identification

User Tracking on the Web via Cross-Browser Fingerprinting. Károly Boda, Ádám Máté Földes, Gábor György Gulyás, Sándor Imre. Budapest University of Technology and Economics. 2011.

How Unique is Your Web Browser? Peter Eckersley, Electronic Frontier Foundation. 2010.

Browser Fingerprinting from Coarse Traffic Summaries: Techniques and Implications. Ting-Fang Yen, Xin Huang, Fabian Monrose, Michael K. Reiter. Carnegie Mellon University, University of North Carolina. 2009.

SkewMask: Frustrating Clock Skew Fingerprinting Attempts. Ben Ransford, Elisha Rosensweig. University of Massachussettes. 2007.

Remote Physical Device Fingerprinting. Tadayoshi Kohn, Andre Broido, KC Claffy. University of California, San Diego. 2005.