29 January 2010

panopticlick

I've seen several posts about the panopticlick project in the last few days. If you go to the panopticlick Web page and click the "test me" button, it'll tell you how identifiable your Web browser is. The idea is that it might be possible for someone to track your Web browsing based solely on certain characteristics of your Web browser (without using cookies or even IP addresses).

So I hit the "test me" page with several different kinds of browsers to see what kind of results I would get. The results are given below (all Firefox browsers below have the NoScript extension, which blocks the JavaScript panopticlick uses to read plugins, fonts and screen details, so for those browsers, as for the command-line clients, it had little more than the HTTP request headers to work with). Read the scores like golf scores: you want low numbers in the second column (BII = "bits of identifying information") and in the third column (NIF = "number of identical fingerprints", reported as "one in N": the smaller N, the more other browsers share your fingerprint). Being unique is the worst outcome, since it makes you easy to identify.

browser/platform           BII    NIF
MSIE7 on XP                17.64  unique in 204,788
Firefox 3.6 on XP           8.62  one in 392
Firefox 3.6 on Ubuntu      12.64  one in 6,364
MSIE6 via wine on Ubuntu   17.66  unique in 207,713
lynx on Ubuntu             14.67  one in 26,001
elinks on Ubuntu           17.67  unique in 208,111
wget on Ubuntu              9.57  one in 761
curl on CEntOS             17.67  unique in 208,688



Firefox 3.6 on XP did pretty well, so I captured the HTTP request headers from that browser:

GET / HTTP/1.1
Host: vmware:8000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive


Then I installed the Modify Headers extension in Firefox on Ubuntu and set the User-Agent header to the value from the request headers above. After doing that, Firefox 3.6 on Ubuntu got panopticlick scores like Firefox 3.6 on XP.
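As an added example (not code from the original post), the Python below first reproduces the BII column of the table from its "one in N" column, which shows that panopticlick's score is simply log2(N), the surprisal of a fingerprint shared by one in N browsers. It then applies the same measure to a constructed population of request-header fingerprints to show why rewriting User-Agent to the common XP value drops the Ubuntu browser's score to that of the XP one. The XP header set is the capture above; the Ubuntu, IE7 and wget header sets, the population sizes and the SHA-256 fingerprinting are assumptions made for the illustration, not panopticlick's own method.

```python
import hashlib
import math
from collections import Counter

# The eight rows of the table above: (label, N from the "one in N" column, BII column).
# "unique in N" is the one-in-N case where N is the whole sample.
TABLE = [
    ("MSIE7 on XP", 204788, 17.64),
    ("Firefox 3.6 on XP", 392, 8.62),
    ("Firefox 3.6 on Ubuntu", 6364, 12.64),
    ("MSIE6 via wine on Ubuntu", 207713, 17.66),
    ("lynx on Ubuntu", 26001, 14.67),
    ("elinks on Ubuntu", 208111, 17.67),
    ("wget on Ubuntu", 761, 9.57),
    ("curl on CEntOS", 208688, 17.67),
]


def bii_from_one_in_n(n):
    """Bits of identifying information of a fingerprint shared by one in n browsers.

    A fingerprint seen with probability p carries -log2(p) bits of surprisal; with
    p = 1/n that is log2(n), so "unique in 204,788" scores log2(204788)."""
    return math.log2(n)


def table_is_consistent(tolerance=0.01):
    """Check that every BII in the table equals log2(N) to within rounding."""
    return all(abs(bii_from_one_in_n(n) - bii) <= tolerance for _, n, bii in TABLE)


# Request headers a server reads passively, with no JavaScript.  These are the
# identifying ones from the Firefox 3.6 on XP capture; Host, Keep-Alive and
# Connection say nothing about the client and are left out.
FINGERPRINT_HEADERS = ("User-Agent", "Accept", "Accept-Language",
                       "Accept-Encoding", "Accept-Charset")


def fingerprint(headers):
    """Reduce the identifying headers to a short, stable fingerprint (assumed scheme).

    Names match case-insensitively; an absent header contributes the empty string,
    so a client that omits Accept-Charset still gets its own distinct value."""
    lower = {k.lower(): v for k, v in headers.items()}
    material = "\n".join(lower.get(name.lower(), "") for name in FINGERPRINT_HEADERS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def surprisal_bits(fp, population):
    """BII of fingerprint fp against a list of observed fingerprints: log2(size/count).

    A fingerprint never seen before is unique in the population plus itself."""
    count = Counter(population)[fp]
    if count == 0:
        return math.log2(len(population) + 1)
    return math.log2(len(population) / count)


# Constructed header sets (not real measurements).  XP_FIREFOX is the capture from the
# post; UBUNTU_FIREFOX keeps the same Accept* headers so that only User-Agent differs,
# which is what the Modify Headers experiment relies on.
XP_FIREFOX = {
    "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) "
                  "Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-us,en;q=0.5",
    "Accept-Encoding": "gzip,deflate",
    "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
}
UBUNTU_FIREFOX = {**XP_FIREFOX,
                  "User-Agent": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) "
                                "Gecko/20100115 Ubuntu/9.10 (karmic) Firefox/3.6"}
IE7_XP = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 3.5.30729)",
    "Accept": "*/*",
    "Accept-Language": "en-us",
    "Accept-Encoding": "gzip, deflate",
}
WGET = {"User-Agent": "Wget/1.12 (linux-gnu)", "Accept": "*/*"}


def demo_population():
    """Constructed population of 1024 requests as fingerprints: 512 XP Firefox,
    255 IE7 on XP, 256 Ubuntu Firefox and a single wget."""
    sets = [XP_FIREFOX] * 512 + [IE7_XP] * 255 + [UBUNTU_FIREFOX] * 256 + [WGET]
    return [fingerprint(h) for h in sets]


def spoofed_ubuntu_firefox():
    """Ubuntu Firefox with User-Agent rewritten to the XP value, as Modify Headers does."""
    return {**UBUNTU_FIREFOX, "User-Agent": XP_FIREFOX["User-Agent"]}


if __name__ == "__main__":
    print("table consistent with log2(N):", table_is_consistent())
    pop = demo_population()
    for label, hdrs in [("Ubuntu Firefox", UBUNTU_FIREFOX),
                        ("Ubuntu Firefox, spoofed UA", spoofed_ubuntu_firefox()),
                        ("wget", WGET)]:
        print(f"{label}: {surprisal_bits(fingerprint(hdrs), pop):.2f} bits")
```

Against the constructed population the unmodified Ubuntu browser is one in four (2 bits), the spoofed one merges into the largest bucket and becomes one in two (1 bit), and the lone wget is unique (10 bits). The caveat the real table also shows: spoofing only helps if the value you copy is common and every other fingerprinted header already matches, otherwise you just move into a bucket of your own.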

An interesting side effect of this is that the Firefox Add-Ons site uses the User-Agent header. So if you do this and want to add extensions later, you will probably need to disable the header rewrite first. And I've just done this today, so I don't yet know what effect it will have on updating extensions.