Fingerprinting

Posted on Sep 9, 2022

It’s been well known for a while that fingerprinting is an extremely useful mechanism for personally identifying users through JavaScript techniques. The most recent variations of “cookies” from Google have been “Privacy Sandbox” and “Federated Learning of Cohorts”. But little has been discussed about the use of server-side fingerprinting.

I browse the web without JavaScript. I use uBlock Origin’s advanced feature to turn off not just ads, but also images or media larger than 50kb, and fonts. Font usage has been known to easily identify unique users, and it also leaks network information such as your IP by linking to an external site.

AmIUnique.org is a simple tool that allows one to understand how easily one can be identified based on both headers and JavaScript techniques. I periodically check it, as it also provides a good barometer of whether your browser is extremely different from others’ (which is often the case for me, as I use Linux).

While browsing today, I read that my fingerprint was unique, and one of the things that made me unique was a header I had never heard of: “Sec-CH”.

Chasing behind “secure client hints”

A quick Kagi search gave me some interesting thoughts:

  1. It looks like Chrome returns a “Not a Brand” value that was seriously identifying me: although that Stack Overflow post says that “\"” is the start of the string, in my case the first character was a space. I felt the need to track this down to find the point at which the NixOS build generates that misinterpretation of this string value.
  2. The practice of GREASE, whereby a user agent might misconfigure and change values over time to prevent ossification of software.
  3. How these changes over time can be used to convey enough entropy to (a) establish a hidden communication channel and (b) uniquely identify each user at a given time against an eavesdropper.

Privacy in HTTP Requests can be improved

I downloaded SimpleModifyHeaders to prevent sending these headers, but then I realized that doing so is fingerprinting myself, if sending them is a common practice by all major browsers. Also, due to it being a WebExtension V2, it’s about to get deprecated by Google. It looks like too much power for the users to change the headers they send to servers; clearly it’s too powerful a technology and should be banned, like third-party cookies, a strategy that consolidated Google’s Advertising business model.
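
To put numbers on the two observations above (an unusual GREASE brand string, and stripping the header entirely), here is an added example, not code from this post or from AmIUnique: it parses Sec-CH-UA values and computes how many bits each one reveals within an observed population. The header values, the population and the KNOWN_BRANDS set are constructed assumptions.

```javascript
// Added example. All header values below are constructed samples, not captured traffic.
const KNOWN_BRANDS = new Set(["Chromium", "Google Chrome"]); // assumption for this sketch

// Parse a Sec-CH-UA value: a comma-separated list of quoted strings, each with a
// v="..." parameter. Simplified reader for this one header shape, not a full
// structured-fields parser.
function parseSecChUa(header) {
  const unescape = (s) => s.replace(/\\(.)/g, "$1");
  const item = /"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"/g;
  return [...header.matchAll(item)].map((m) => ({
    brand: unescape(m[1]),
    version: unescape(m[2]),
  }));
}

// The GREASE entry is whichever brand is not a real product name.
function greaseBrands(header) {
  return parseSecChUa(header)
    .filter((b) => !KNOWN_BRANDS.has(b.brand))
    .map((b) => b.brand);
}

// Surprisal in bits of one header value within an observed population:
// -log2(share of requests that sent exactly this value).
function surprisalBits(population, header) {
  const same = population.filter((h) => h === header).length;
  return same === 0 ? Infinity : -Math.log2(same / population.length);
}

const common = '"Chromium";v="104", "Not A;Brand";v="99", "Google Chrome";v="104"';
// Same browser, but the GREASE brand starts with a space.
const leadingSpace = '"Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"';
const stripped = ""; // header removed by an extension
const population = [common, common, common, common, common, common, leadingSpace, stripped];

// One row per sample: the GREASE brand found and the bits that value gives away.
function report() {
  return [common, leadingSpace, stripped].map((h) => ({
    grease: greaseBrands(h),
    bits: surprisalBits(population, h),
  }));
}
console.log(report());
```

In this constructed population the one-character difference in the GREASE brand and the missing header are equally rare, so each sets its sender apart as much as the other.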

Cheers,
Claude