Are you identifiable by extensions, logins and your browser?
Are you identifiable is a new web service that answers whether Internet sites may identify you based on your extensions, logins, and web browser.
Online privacy is a hot topic, and making sure that you are not tracked or traced online may soon require a master's degree in privacy.
New technologies, the rise of HTML5 and all that came with it for instance, added new capabilities. As is the case with these things usually, they can be used for good and bad.
It is no longer enough to use a VPN, or a content blocker to keep some of your privacy while you are on the Internet. You also need to know and deal with new technologies such as WebRTC or intermediate CA caching, to avoid leaks or browser fingerprinting scripts.
Are you identifiable
Are you identifiable looks like any other browser fingerprinting site at first glance. Load the site, click on the I agree button to start the scan, and the results are displayed to you after a couple of seconds.
What is different about it is that it does not just check information the browser reveals to the site, e.g. the window resolution, browser version, or language, but tries to gather information on extensions and website logins as well.
The extension detection works by trying to detect resources, such as icons, that extensions use. All the site does is therefore check whether resources exist. If they do, it knows that there is a high probability that the extension is installed.
The developers of the browser extension and login-leak experiment have collected resources of about 12,000 Google Chrome extensions.
While that is a pretty large number, it means that this part of the test is limited to Google Chrome right now. It may work on other Chromium-based browsers as well, as they may use the same resources if the extensions are installed in those browsers.
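The resource check described above only works for files an extension makes loadable by web pages. The following added example (not code from the test site or from this article) audits an extension's manifest.json for that exposure. It assumes Chrome's `web_accessible_resources` manifest key is what governs page access; the function names and sample manifests are constructed for illustration.

```javascript
// Match patterns that let effectively any website request the resource.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Normalise Manifest V2 (array of strings) and V3 (array of objects) entries.
function exposedResources(manifest) {
  const out = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // V2: every listed path is loadable by any web page.
      out.push({ pattern: entry, origins: ["<all_urls>"], stableUrl: true });
    } else if (entry && Array.isArray(entry.resources)) {
      // V3: access is scoped by "matches"; use_dynamic_url swaps the fixed
      // extension ID in the URL for a per-session one.
      for (const pattern of entry.resources) {
        out.push({ pattern, origins: entry.matches || [],
                   stableUrl: entry.use_dynamic_url !== true });
      }
    }
  }
  return out;
}

// Classify how visible the extension is to the resource check.
function auditManifest(manifest) {
  const resources = exposedResources(manifest);
  const probeable = resources
    .filter(r => r.stableUrl && r.origins.some(o => BROAD.has(o)))
    .map(r => r.pattern);
  let risk = "none";
  if (resources.length > 0) risk = "limited";
  if (probeable.length > 0) risk = "detectable-by-any-site";
  return { name: manifest.name, risk, probeable };
}

// Constructed sample manifests (hypothetical extensions).
const SAMPLES = [
  { name: "Legacy Helper", manifest_version: 2,
    web_accessible_resources: ["images/icon.png", "inject.css"] },
  { name: "Scoped Tool", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["panel.html"], matches: ["https://app.example.com/*"] }] },
  { name: "Rotating IDs", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["logo.svg"], matches: ["<all_urls>"], use_dynamic_url: true }] },
  { name: "No Exposure", manifest_version: 3 },
];

for (const m of SAMPLES) console.log(auditManifest(m));
```

Extensions reported as `detectable-by-any-site` are the ones a resource-existence check can find; `limited` means resources are exposed only to specific origins or under a per-session URL.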
The login detection runs a test to see if you are signed in to various popular online properties such as Facebook or Twitter. It uses image embeds for that, and tests these images to see whether the image is loaded or not. This allows the service to determine whether you are signed in to the service in question, or not.
Another method abuses Content Security Policy, using the feature to determine whether content gets loaded or not.
A technical explanation of all three methods is provided on the how page on the service's site.
The browser fingerprinting part on the other hand retrieves information from the browser just like other tests of its kind do.
One of the downsides of the test is that it just started. It has a very low sample size right now, so a result of "unique" may reflect the small sample more than what the site's scripts detect while the test is running.
Still, the interesting part is that it merges these different methods into a single test. It determines uniqueness or the ability to track users for each test individually, but also for all three tests combined.
Now You: Are you identifiable according to the site?
I disabled Noscript, Adblocker and allowed all cookies but no identifiable info showed up.
It requires 3rd party cookies to run. I did the same as you (cleared it thru NS, uBo, uMatrix .. AND .. I allowed session cookies via Cookie Controller, and then it worked (well kinda – all it could pull from me was some basic standard items such as UA string))
I had 3rd party cookies enabled when testing. But as I said, the site showed nothing.
I’m using online tests from time to time but this time the test you’re talking about won’t work:
«Unsupported browser detected!
We’ve detected that your browser is currently unsupported for our experiment. Our experiment supports the desktop versions of Chrome, Firefox, Opera and Safari browsers.»
hum… I’m using chromium 56.0.2924.76 on Linux Mint “serena” …
but this one works: https://amiunique.org/
or this one: https://www.doileak.com/
A very good list. Thanks.
I don’t get the point of all those services which berate you if you’re unique. Of course everybody is unique. There’s no way to be “like everybody else”, since everybody is busy customising his install (and even non-customised installs differ greatly). Even using specific methods such as browser add-ons to increase your privacy are liable to decrease it somewhat by making you less “unique”.
This has led a guy who has a “security blog” in America to advise readers to only use his own (minimal) list of extensions, so that everybody can be as common as possible. Of course, this is absurd : why would everybody follow Mr. X’s extension rules, rather than Mr. Y’s or Z’s ? And at what point does the race not to be “unique”, in the hypothetical aim not to be identified in order not to suffer some quite hypothetical privacy invasion, generate more inconvenience than the lack of functionality and customisation it supposes ? Pretty fast, I reckon.
All those “uniqueness detecting” sites might be useful if they told us how to evade browser fingerprinting. But they never do. They just berate “unique” people. They never do because, I suspect, there’s no real way to be less unique. The real way to help privacy is to build methods to fight the way websites try and identify people through their fingerprints. That’s not up to users.
Also, nobody ever says what exactly are the threats the user faces through browser fingerprinting : targeted advertising ? trouble with the law if you say things on the Internet the government doesn’t like ? trouble with the law if you sell drugs and plant ransomware ? trouble with intelligence agencies if you’re an undercover operative for the Russian secret services, and trying to wreak havoc on foreign countries’ power plants ? All very different situations, implying very different consequences.
Browser extension details : This part of the test is only available in Chrome browsers
Website login details (login-leak) :Your browser’s website login presence fingerprint is not unique! We found 212 collision(s) among the 686 browsers tested so far!
Standard fingerprint details : Your browser’s standard fingerprint is not unique! We found 105 collision(s) among the 686 browsers tested so far!
All right, my browser’s fingerprint is unique among the 685 browsers already tested (only 685 ? that’s not a very busy site…). Not just uncommon, mind you ; there’s no one else like me among the 685 users who’ve already volunteered. Now what ? Now nothing. There’s no next step. The INRIA, which devised this test, does not help you one bit to become less “unique” and protect your privacy.
Now let’s engage into a bit of paranoia. What is INRIA ? A research outfit which is part of the French government. I’m sure you’re all warm and fuzzy at the idea that the French government is working hard to protect your privacy on the Internet. (Remember : those are people whom the American intelligence agencies recognize as “damn good” when it comes to intelligence, and specifically SIGINT.) And you have just signalled to them that you don’t want to be identified on the Internet. And they’ve just told you that yeah, you’re quite identifiable on the Internet…
Paranoia is the right word :) Why not consider while we’re at it that the Prime Minister works for the West, the President for the East and the Secretary of State to Health is a Monaco agent?
Frankly, Clairvaux, I’d say it looks like paranoia hadn’t you mentioned the word (still could be though if you believe in what you wrote!). Intelligence is always a separate world and when you see what governments do there’s little place to doubt about it!
About the test. It does concern a computer’s profile rather than a computer’s user(s)’ identity(ies). Here on Saturday nights when my wife and my ex-girlfriends get on for a late chat, all with their parents and kids and all messing around on the computer now and then I guess it would drive nuts any profiler! (lol).
What calls my attention in these tests is above their capacity to remind us that the true revelation is when a user pretends with a VPN/Tor one thing and that contradiction is brought by a tracking tool. Lying is an art requiring far more talent than simply moving a few switches. The ultimate would be to dive one’s personality into that of another, once and beyond all other technical considerations fulfilled. But why? I did it once, at the time of our Minitel here in France, on a meeting “site” (address rather), had a long Minitel conversation with a guy in search of a lovely young lady. I initiated Natasha and played my role so well the poor buddy was falling (in love). Was funny but as a game, to try. After I guess it’d be boring, especially as a duty. Be natural, forget the tests, and try to keep your privacy in the limits of a rational approach. There aren’t spies all over the place. Tracking is a fact but it has to do with business unless you get into the undergrounds where you could have plain police, or even agencies as your chat pal. Otherwise no reason to get upset because your device is shared by another 100, 100, 10,000 … and so what. Many profiles are fit with a percentage of same data, especially nowadays in this world of sheep. That doesn’t include you, dear reader, of course it doesn’t!
I wasn’t seriously implying that you should be overly afraid that INRIA would use that test against you. Just that you should be, if you accepted their own logic.
Also, intelligence is very much in the picture. On privacy forums, one of the main concerns is about NSA. Knowing your threat model is the first step of privacy-building. What is it you’re trying to protect from ? Most privacy discussions never take this into account. Therefore stupid arguments get a lot of airtime, such as “I have nothing to hide, I am just not that interesting”. This might well be the case, but it depends. It depends on who you are and what your risk is.
It also depends on things completely beyond your control. Data that has leaked from you might be innocuous today. But provided it stays stored somewhere (which is highly likely), it might turn dangerous one or ten years from now, for technical or legal reasons. Or because your own circumstances may have changed.
Nice excerpts from the test site :
“– How can I avoid such kind of tracking?”
“– There is not much you can do against browser extensions detection.”
“We do not log IP addresses, but we do compute HMAC-SHA-256 of each IP address.”
“Although we make good faith efforts to store information collected by Inria in a secure operating environment, we cannot guarantee complete security. Information collected by Inria will be maintained until our project ends (at most until December of 2019). At the end of the project, all the data will be deleted.”
Sure ! So that’s two years of their keeping the data, without any way for users to get back at them in 2019 and check that promises have been kept. And who would remember to check in 2019, anyway ?
“No, you are not identifiable, as there are 2 user(s) who look like you among the 714 users we tested so far:”
Those two tests were also done by me. It initially told me that I’m a unique snowflake (extensions = N/A | logins = no | fingerprint = yes). Second time I got that there’s one more user like me, and now that I’ve done it the third time, well.. the above mentioned result.
I do know that these websites (like panopticlick) always tell me that my browser has a unique fingerprint. But this one is the first that allows me to become more common with every visit. I think they need to make a few adjustments. Or maybe because their database is currently very small? (714 users)
Panopticlick will always tell you that you are unique because it includes the canvas value. Even if you spoof it, it is a unique value every time, therefore you are unique! If you don’t spoof it, it is still a unique value.
This new site has limited data since it has only just been up and running, but seriously, I find the test to be lacking an awful lot. For one, if you block cookies it fails to even run (I know not everyone blocks cookies, they should IMO). If you use SDC then the cookie part won’t find anything. Cookies are easily controlled, and so last decade in terms of tracking (but you should keep control of them). Then the first part is chrome only. The second part fails if you control cookies properly. The third part holds nothing new. Standard FP items which we can block (WebGL) or spoof (language, screen res etc in FF thru preferences – timezone and “proper” UA spoofing are coming). Additionally the results are not combined for an overall assessment, but rather for each of the 3 sections.
And lastly, these FP sites are heavily skewed by the very nature of those who visit them. And as Yuliya just said … each subsequent visit added one in his example. The same happens at Panopticlick – I know for a fact on Panopticlick version 1, every visit I made with no changes reduced my entropy – lulz! They also seem to be heavily biased towards Firefox as browser, and DNT is massively over-represented than in the real world. Read between the lines – if anything, sites like AmIUnique and Panopticlick give you stats per item, which is more relevant in terms of reducing the FP surface
Does this mean that using a browser with a smaller user base, like Pale Moon, would be inherently safer?
A more unique fingerprint means you’re easier to be tracked. The most common fingerprint right now probably is latest stable Chrome on Windows 7 with default settings and maybe ABP installed running maximised on 1366×768 or 1920×1080.
PaleMoon is relatively uncommon.
“Unsupported browser detected!” – Yandex Browser 17.3.1 (Chrome/56.0.2924.87)
Can anyone tell me what an extension called site deployment checker is that’s located in ff 52. 02. Just appeared out of nowhere. Is hidden from view in ff also. I used cc cleaner and disabled it. Nothing on google or duck about this. Correction. Just one result which leads nowhere. Ff help has nothing also. Thanks
James, click on the link below ref “site deployment checker”
ipfilterx blocked me from the site. It must be a bad site if one of the rules is blocking it.
“Your browser’s website login presence fingerprint is unique among the 1004 browsers tested so far!”. Using Brave.
Everyone is “identifiable” if you have 3rd party cookies and scripts enabled. I suppose that’s why we disable them. Otherwise, you might as well put your full name and address in the HTML headers…
I am like a ghost, it is like I was not even there
The method used for detecting websites I’m logged into is one I have never heard of before; it is pretty damn clever, I’ll give them that.
Chrome is a piece of shit when it comes to privacy. Makes me want to bash-in some heads at Mozilla with my mechanic keyboard for abandoning xpi for web extensions.
Thank you much TJ! Is a full time job anymore keeping up with all the changes.