EFF's Panopticlick Project

FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida


Post by FlyingPenguin »

Very interesting stuff here that Steve Gibson discussed in his Security Now #264: http://www.grc.com/sn/sn-264.htm

Since many people are blocking or deleting cookies nowadays, and the BIG money to be made in online marketing is uniquely identifying site visitors and their browsing habits, ad marketers are using a new technique to track you that doesn't require cookies and can even work if Java and Flash are blocked (although Java and Flash do give them a much more unique "signature" of your PC).

There are marketers that make claims that their algorithms can uniquely identify 95% of the visitors to a website this way.

The EFF has been running a project called Panopticlick to test your "uniqueness" using this so-called side-channel data:
https://panopticlick.eff.org

If you go there, your computer will be compared to everyone else's who has used the test; it will tell you how unique you are compared to everyone else who has used the test, and then show you in detail what information the test garnered from your computer.

Very scary, especially considering that the EFF freely admits that marketers are using much more sophisticated tests than they are.

Here are my results with and without Java & Flash enabled:

WITH JAVA AND FLASH ENABLED:
Your browser fingerprint appears to be unique among the 1,155,865 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 20.14 bits of identifying information.

WITH FLASHBLOCK AND NOSCRIPT BLOCKING FLASH & JAVA:
Within our dataset of several million visitors, only one in 231,175 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 17.82 bits of identifying information.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

EvilHorace
Life Member
Posts: 6611
Joined: Wed Nov 22, 2000 7:14 am
Location: Greenfield, WI

Post by EvilHorace »

What happens if you use a non-MS OS? Same?
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Same. Listen to the podcast if you want more details. He starts discussing this topic about halfway through (the first half of the show is always news).

Every browser voluntarily gives up a great deal of information about the computer it's running on. With Java and Flash you can write a script to reveal even more info.

The takeaway from this is that you really are not anonymous on the Internet so act accordingly. Don't bother erasing your cookies anymore either - it doesn't help.

Some banks apparently are using this tech to uniquely identify you when you login as a second factor (along with your password). The problem is that we have no idea what the banks do with this information or how securely it's stored.

Err
Life Member
Posts: 5842
Joined: Thu Nov 22, 2007 11:54 am

Post by Err »

The implications of this tech are not good. I see this being used to entrap and blackmail people.
Shadow250
Golden Member
Posts: 1172
Joined: Fri Jan 04, 2002 9:08 pm
Location: Walton New York 13856

Post by Shadow250 »

There must be a way to block or fool it into giving wrong info.

FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Gibson discussed that. Obviously disabling JavaScript and Flash helps a lot (it made my PC a lot less unique). I use Firefox with Flashblock and NoScript add-ons. Admittedly NoScript is awkward to use, but over the years I've gotten used to it. The main reason I use it is to block scripting in general, which I don't want running except on sites I whitelist or if I have no choice, since it can be used for both exploits and tracking. Websites also generally load a lot faster if you don't have to wait for 15 advertising scripts to load.

FlashBlock is a no-brainer to use and I've used it far longer than NoScript. It sure cuts down on annoying Flash ads. It's actually painful for me when I have to use a web browser on a client's PC and get bombarded with all that Flash crap.

Spoofing the user agent and header information is actually self-defeating since you'd usually end up making your system appear MORE unique, unless you specifically spoofed it to make it look like a statistically large number of other systems.

Turning off scripting and flash is probably the most effective tactic. That Panopticlick test harvested much less info from my system with them disabled.

One of the more interesting unique identifiers they can use via JavaScript is your fonts. Apparently everyone has a very unique list of fonts, since fonts are always listed in the order they are installed. Many apps add fonts to your system, and the order in which they were installed will be very unique to you.

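As an added illustration (not from this thread, the podcast, or the EFF project), here is a small Python script showing how Panopticlick's "one in N browsers share your fingerprint" turns into "bits of identifying information", and why spoofing a user agent to a rare value makes a browser more unique while blocking scripts usually makes it less so. The fingerprint tuples and population counts are constructed for the example.

```python
"""Fingerprint uniqueness in bits: -log2(share of browsers with the same fingerprint)."""
import math

def surprisal_bits(matching, total):
    """Bits of identifying information when `matching` of `total` observed
    browsers share a fingerprint. 'Unique among N' means matching == 1."""
    if matching < 1 or matching > total:
        raise ValueError("matching must be between 1 and total")
    return -math.log2(matching / total)

# Constructed population of 1000 observed browsers (hypothetical values):
# (user agent, fonts in the order the browser reports them, plugins) -> count.
# Note the two Firefox entries differ only in font order (the install-order point).
POPULATION = {
    ("Firefox/3.6 Windows", "Arial,Calibri,Verdana", "Flash,Java"): 500,
    ("Firefox/3.6 Windows", "Arial,Verdana,Calibri", "Flash,Java"): 12,
    ("Firefox/3.6 Windows", "unknown", "unknown"): 300,  # scripting + Flash blocked
    ("IE8 Windows", "Arial,Calibri,Verdana", "Flash"): 187,
    ("Chrome/6 Linux", "DejaVu Sans", "Flash"): 1,
}

def fingerprint_bits(fp, population=POPULATION):
    """Surprisal of one fingerprint against the population. A fingerprint never
    seen before is counted as its own bucket of size one (it joins the dataset)."""
    seen = fp in population
    total = sum(population.values()) + (0 if seen else 1)
    return surprisal_bits(population.get(fp, 1), total)

def block_scripts(fp):
    """With JavaScript/Flash blocked the site cannot enumerate fonts or plugins,
    so the browser falls into the larger 'unknown' bucket."""
    return (fp[0], "unknown", "unknown")

def spoof_user_agent(fp, ua):
    """Change only the User-Agent string; fonts and plugins still leak."""
    return (ua, fp[1], fp[2])

BASELINE = ("Firefox/3.6 Windows", "Arial,Verdana,Calibri", "Flash,Java")

if __name__ == "__main__":
    print("Panopticlick 'unique among 1,155,865':", round(surprisal_bits(1, 1155865), 2))
    print("Panopticlick 'one in 231,175':        ", round(surprisal_bits(1, 231175), 2))
    print("baseline browser:        ", round(fingerprint_bits(BASELINE), 2), "bits")
    print("scripts/Flash blocked:   ", round(fingerprint_bits(block_scripts(BASELINE)), 2), "bits")
    print("spoofed to rare UA:      ", round(fingerprint_bits(spoof_user_agent(BASELINE, "Lynx/2.8")), 2), "bits")
    print("spoofed into big bucket: ", round(fingerprint_bits(("Firefox/3.6 Windows", "Arial,Calibri,Verdana", "Flash,Java")), 2), "bits")
```

The first two lines reproduce the 20.14 and 17.82 bits quoted earlier in the thread from the stated population sizes; the rest show that a rare spoofed User-Agent raises the bit count, while blocking scripts or matching a large existing bucket lowers it.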
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

In the same episode they discussed how you can uniquely identify a digital camera from statistical analysis of sensor pattern noise in photos posted from that camera on the internet:

Now, when I was doing some background research, I ran across some interesting other instances of side-channel attacks, or side-channel information leakage, that I thought you'd get a kick out of, Leo, as would our listeners. For example, it's possible, it turns out, to identify individual digital cameras from non-uniformity in their optical sensors. That is, there's something called "sensor pattern noise" that individual digital camera elements have, that renders individual ones unique, such that, if you look at a number of pictures from different cameras, it's possible, absent any other information, to determine which cameras took which pictures. Even though they're completely, they're pictures of completely different things, there's just tiny - there's so much resolution now in cameras, so much bit depth, that variations in slight imperfections in the actual optical sensors are enough to identify cameras.

Err
Life Member
Posts: 5842
Joined: Thu Nov 22, 2007 11:54 am

Post by Err »

FlyingPenguin wrote: In the same episode they discussed how you can uniquely identify a digital camera from statistical analysis of sensor pattern noise in photos posted from that camera on the internet:

I've seen people's houses identified because people forget to strip the geotag information from their photos before they post them.