oooooooo dis no good, dis no goood;

http://io9.com/5458479/just-by-visiting-this-website-you-reveal-who-y…

Need another reason to be paranoid about companies and governments watching what you’re doing online? A technology researcher has created a web tool that shows just how easy it is to identify you based on nothing more than a click.

Called Panopticlick, the tool comes from Electronic Frontier Foundation staff technologist Peter Eckersley. He wanted to show how easy it would be for a bad person – let’s call her Eve – to identify you based entirely on information she gets when you visit her website. No, Eve isn’t tricking you into filling out forms with personal information. And she’s not shooting evil code into your computer from afar. All she’s doing is looking over the data that almost any web host gathers from its visitors, which is to say: What kind of computer you have, what operating system it runs, what kind of browser you are using to surf the web, and what kinds of plugins you have on that browser.

Maybe you didn’t know that most sites gather that data. Or maybe you did, but you always thought, “Who cares? That’s not personal information.” Unfortunately, it is.

Eckersley writes:

When you visit a website, you are allowing that site to access a lot of information about your computer’s configuration. Combined, this information can create a kind of fingerprint – a signature that could be used to identify you and your computer.

In another essay, Eckersley explains how many pieces of unique data are required to identify someone – not very many, it turns out. As long as you have many unique properties to your computer configuration, our evil Eve could conceivably track you down without you ever knowing she was even trying to do it.

Want to find out how unique your browser fingerprint is? Eckersley says:

Our new website Panopticlick will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to our database of five million other configurations. Then, it will give you a uniqueness score – letting you see how easily identifiable you might be as you surf the web.

My score didn’t make me very happy. Apparently, my configuration is “unique among the 46,293 tested so far.” My browser fingerprint “conveys at least 15.5 bits of identifying information.” Great.

RE’s NOTE – Check out this plan to build your own free security suite, basically this is what we use with a few small tweaks and additions.

How To Build Your Internet Security Program on Howcast

Luckily, there are solutions that will help protect your privacy, and EFF recommends several.

Is it possible to defend against browser fingerprinting?

Browser fingerprinting is quite a powerful method of tracking users around the Internet. There are some defensive measures that can be taken with existing browsers, but none of them are ideal.

Try to use a “non-rare” browser

The most obvious way to try to prevent browser fingerprinting is to pick a “standard”, “common” browser. It turns out that this is surprisingly hard to do. It appears that the most likely candidate would be the latest version of Firefox running on a modern Windows version. But even so, many of those Firefox on Windows browsers can be distinguished from one another by the enourmous range of plugin versions and fonts that can be installed with them.

Pending the results of the Panopticlick experiment, the only browsers which we believe really meet the conflicting criteria of being common but not accompanied by high-entropy plugin and font configurations are the browsers in smartphones. This is not intuitive, since these browsers tend to be less common than desktop browsers. But, importantly, there are few other variables beyond the user agent. Current versions of the iPhone, Android, and Blackberries do not vary much with respect to plugins, installed fonts, or screen size. This situation may well change in the future, but until it does, most of these devices are far less fingerprintable than any sort of desktop PC.

Disable JavaScript

Disabling JavaScript is a powerful defense against browser fingerprinting, because it cuts off the methods that websites can use to detect plugins and fonts, as well as preventing the use of most kinds of supercookie. Unfortunately, JavaScript is necessary to make a lot of sites work well.

At least two ways to block some sites from using JavaScript while allowing others to use it are available. One, NoScript, tends to be overprotective: it will block JavaScript everywhere and allow you to manually reenable it for some sites. This is a lot of work, and requires good intuitions about when a site isn’t working because JavaScript is disabled. The other, AdBlock Plus, tends to be underprotective. AdBlock Plus tends to be quite good at blocking ads, because users can instantly see when they’re present. Tracking or fingerprinting scripts are generally invisible, so even the AdBlock Plus subscriptions that focus on privacy will tend to miss a lot of tracking sites.

Use TorButton

Modern versions of TorButton “standardize” various browser charcteristics like the User Agent string, in order to prevent them from being used to track Tor users. TorButton is also quite agressive at blocking JavaScript in the browser. Taken together, these measures make TorButton a strong defense against fingerprinting. Unfortunately, browsing through Tor is currently a lot slower than browsing without it.

A Better Solution: Browsers’ “Private Browsing” Modes

There is a lot that browser and plugin developers could do to protect their users against fingerprint tracking. In general, it might not be a good engineering decision to remove all of the version-number entropy from browsers, since knowing the precise version of flash, quicktime, or whatever, is occasionally useful for debugging.

One solution would be to add a “debugging” mode to browsers, and to round version numbers off when the browser is not in debugging mode. Another solution would be to improve the “private browsing” modes that are already present in most modern browsers, so that when the mode is active, User Agent, navigator.plugins and font lists take on standardized values (or, perhaps, normalized values).

Please participate in the research by testing your browser on the Panopticlick site!

http://io9.com/5458479/just-by-visiting-this-website-you-reveal-who-you-are

- what’s out there and why you want to know about it first -

Related articles by Zemanta

• Poisoned PDF pill used to attack US military contractors (go.theregister.com)
• More Acrobat security issues – try Foxit (consumingexperience.com)
• Tracking Browsers Without Cookies Or IP Addresses? (yro.slashdot.org)
• EFF kicks off browser tracking project (v3.co.uk)
• Panopticlick Shows How Easy Your Browser Is to Track [Browsers] (lifehacker.com)
• Even without cookies, a browser leaves a trail of crumbs (arstechnica.com)
• Social media giants survey their growing kingdom (cnn.com)
• E-book buyer’s privacy guide – reading isn’t solo anymore (pheedcontent.com)
• EFF Reveals How Your Digital Fingerprint Makes You Easy to Track (webmonkey.com)
• Yes, Rogue Marketers Can Steal Your Public Facebook Data (allfacebook.com)
• Panopticlick: EFF’s tool for telling you how unique your browser profile is (boingboing.net)