18 replies to this topic

[Sundance]

Reducing Browser Fingerprinting

 

Prerequisites 

- Firefox / Iceweasel / Nightly

- Any OS that supports FireFox / Iceweasel / Nightly

 

What is Browser Fingerprinting?

When a browser visits a website it leaves data behind that can be used to track you or provide details about who you are, an example would be if I were to visit Google they could give me a cookie that gives me a unique ID and they can then track me across their websites (YouTube, etc) and by doing so they can tell what I am viewing and personalise adverts on my Google searches to be more accurate or suggest YouTube videos that I might enjoy. 

 

Now if you have cookies disabled they can still track you via your browser fingerprint, what a site can do is grab your useragent, your headers, your plugin info, screen size and system fonts and identify you, to check how unique you are go to Panopticlick and click "Test Me"

 

How can it affect me?

Browser fingerprinting can make you traceable and if you are someone like myself who prefers to remain anonymous online just due to the respect for privacy, being easily printed is not so good!

 

How do I defend against it?

To defend against browser finger printing we need to throw some curve balls against any type of script that is trying to gather our data.

 

Step 1

- Install FireFox / Iceweasel / Nightly

 

Step 2

- Open up the preferences / options tab

- Navigate to "privacy"

- Select "Tell sites I do not want to be tracked"

- Navigate to "Applications" 

- It should display a list of services such as Flash, mailto, Podcast

- Select "Always Ask" OR "Preview in X" X being your respective browser.

 

Step 3

- Install Ghostery

- Install Adblock Plus

- Install NoScript

 

Step 4

- Open up about:config 

- To do this, open up a new tab and type "about:config" into the address bar

- It will give you a confirmation message to make sure it's what you want to do

- There will be a search bar, in that search bar enter "general.useragent.override"

- It should come up blank and that's fine, right click on the blank space

- Select New > String

- A new pop up will appear, enter in "general.useragent.override"

- When it asks you for a variable enter in "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

- Do the same with the following entries

 

 

                            STRING NAME | STRING VARIABLE

                                                     |

​general.appname.override           |  Netscape

general.appversion.override        ||  5.0 (Windows)

general.oscpu.override                ||  Windows NT 6.1

general.platform.override             |  Win32

general.productSub.override       ||  20100101

general.buildID.override              ||  0

general.useragent.vendor           ||  (Leave Blank!)

general.useragent.vendorSub     ||  (Leave Blank!)

intl.accept_languages                  || en-us,en;q=0.5

network.http.accept.default          || text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

network.http.accept-encoding      || gzip, deflate

 

 

Step 5

- Restart FireFox / Iceweasel / Nightly

- Test your fingerprint again on Panopticlick

- It should be much lower than your original score!

- Anything less than 18 bits is good!

 

Any problems feel free to contact me!

[Vaielab]

If you trully want to be anonymous online you should simply use tor browser.

You will get a complete safe browsing experience, everything is encrypted, and will be able to change your whole identity with a single click (or two click depending on the version of tor browser)

[Sundance]

Tor is really not secure Vaielab, it's got some real big flaws, I'll post evidence when I'm on my PC

 

--- Evidence ---

 

 

- When using TOR you use about five times your normal bandwidth - which makes you stick out for your ISP - even with obfuscate bridges in use.

- TOR-nodes (!) and TOR-exit-nodes can be and are being used to deploy malicious code and to track and spy on users.

- There are various methods of de-anonymizing TOR-users: from DNS-leaks over browser-info-analysis to traffic-fingerprinting.

 

Youtube Videos

Attacking TOR at the Application-Layer
De-TOR-iorate Anonymity
Taking Control over the Tor Network
Dynamic Cryptographic Backdoors to take over the TOR Network
Security and Anonymity vulnerabilities in Tor
Anonymous Internet Communication done Right 
Owning Bad Guys and Mafia with Java-Script Botnets

Tor: Exploiting the weakest link

Edited by Kadence, 24 April 2014 - 05:46 PM.

[Vaielab]

For the bandwidth issue, it will only depend on how you configure tor, you can use tor without being a node, so you will only use your bandwidth and not someone else.

Even more if you do this, no one will be able to use your network to do something illegal (so I suggest switching it), it always depend on the version you are using, but it's kinda easy to find that option.

 

For the fact that it's weak, that the first time I heard about tor being weak (it's kinda late right now, but for sure I will watch thoses videos, thx for the links)

In a conference in last october snowden confirmed that even the nsa didn't break tor network, but they did break the browser (firefox in this case)

http://www.pcworld.c...g-you-down.html

 

 

As far as we know, yes. Even the NSA has struggled to spy on the network. "We will never be able to de-anonymize all Tor users all the time," a slide from a 2007 NSA presentation stated. "With manual analysis we can de-anonymize a very small fraction of Tor users." But at least as of 2007, the NSA didn't have any techniques that would allow them to target particular users on demand.

http://www.washingto...tor-in-one-faq/

They can try to find a way to decrypt the tor network, but it's all random, they never know who they will find and what he's doing.

 

 

I mean, if the nsa can't follow you without some extreme mesure, and trying to target you directly, for me, I think it's safe to say that tor network can be considered safe, mostly if what you wish to do is only be anonymous online and not leave traces on websites.

But like I said, I will take a look at your video, internet privacy was always one of the thing I like to learn more!

Edited by Vaielab, 24 April 2014 - 06:54 PM.

[BlackRabbit]

I think we are talking different kind of anonymity.

Browser fingerprint is about sites to recognize you as unique user or so.

Tor is about encrypting communication and hiding IP adress from sites.

Also, exploit of fingerprint is something done automatically with no effort, while attacking Tor, is an ant-work, with no guarantee of success.

 

Again, Tor is a network, not a browser, I don't see why are we comparing them as if they were the same.

 

About fingerprint, I didn't know ghostery, I will try it

[Sundance]

As far as we know, yes. Even the NSA has struggled to spy on the network. "We will never be able to de-anonymize all Tor users all the time," a slide from a 2007 NSA presentation stated. "With manual analysis we can de-anonymize a very small fraction of Tor users." But at least as of 2007, the NSA didn't have any techniques that would allow them to target particular users on demand.

 

2007 was over 7 years ago now, a lot has changed in 7 years, technology has advanced, decrypting has come across leaps and bounds to the point of where you can calculate MD5 hashes using your GFX Card and achieve extremely high check rate, I guess just from my own personal experience with Tor it's good as a "layer" but like all things it's not good to rely on just one layer of security, it's good for anonymity on a base level but extra security protocols such as preventing fingerprinting.

[Vaielab]

Again, Tor is a network, not a browser, I don't see why are we comparing them as if they were the same.

 

 

Tor bundle come with tor config nessessary to use the network and a browser pre configured for anonymous.

There are many script pre-install (noscript like kadence suggest is already installed) to help us, they disable flash & java, and many more configuration made for anonimity

[0xFACEB004]

Actually, a properly configured TOR based browser is very secure and the most anonymous browser that I can think of. But the key is in the proper configuration. Most of those TOR network attacks mentioned were MITM attacks (one set up his own proxy server, and another set up a TOR relay node), and were against the basic "non-geek" user of the browser (the researcher who set up as a TOR relay node even mentioned this as a disclaimer).

 

I use the TOR browser with NoScript (scripts globally disabled) and HTTPS Everywhere when I am researching pentesting and security -- and I use search engines like DuckDuckGo.

 

My non-TOR browser with NoScript, Ghostery, ABP, and HTTPS Everywhere (cookies accepted):

 

Currently, we estimate that your browser has a fingerprint that conveys 14.81 bits of identifying information.

 

My non-TOR browser with NoScript, Ghostery, ABP, and HTTPS Everywhere (cookies not accepted):

 

Currently, we estimate that your browser has a fingerprint that conveys 13.53 bits of identifying information.

 

My secure TOR browser with Vidalia:

 

Currently, we estimate that your browser has a fingerprint that conveys 8.49 bits of identifying information.

 

Reducing the browser fingerprint is always good, but all browsers are susceptible to MITM attacks...and based solely on anonymity while browsing and not being tracked by websites (this is not counting the NSA or MITM attackers), a properly configured TOR based browser is better than a standard browser.

And as a point of irony, the EFF (the researchers behind Panoptickick and HTTPS Everywhere) actually endorsed TOR for anonymity, and provided financial support for them until TOR Project became a non-profit organization.

 

But all of this is just my 2 cents, and is in no way endorsed by the NSA or anyone else who wants to track you.

Here is a cool interactive page about TOR and HTTPS Everywhere -- and the further irony is that you have to enable Javascript to use the interactive feature. But it kind of cool to see the effects of what happens to data on the network.

Edited by KJGino, 25 April 2014 - 07:23 PM.

[Vaielab]

Great post KJGino!

I may sound a little bit noob asking this, but what is MITM attackers?

[Sundance]

Perhaps KJGino should make a tutorial on what MITM attacks are and how to avoid them? 

[BlackRabbit]

Kadence, Gino didn't explain because he didn't want to let you out of it, because he is a gentleman (said PSY? )

 

The thing is MITM stands for man in the middle, so, you know, it's a men thing  LOL (kidding of course)

 

This is the wiki for it

 

Also, you are failing to explain the good use the fingerprint has, it's not all bad.

[0xFACEB004]

Yep, as BR said, it stands for man-in-the-middle. This is where the attacker appears to be the authentic server to the client -- and appears to be the client to the authentic server. Anything can be done from this position, from spying to adding malicious code.