How much information can websites get about your browser/PC?

Solution 1

There is more: the Electronic Frontier Foundation (EFF) brought out a tool called Panopticlick which shows mostly the same information but additionally scans your installed fonts.

Installed fonts are probably the most identifying piece of information as soon as you start adding one or two. Just because of the number of fonts out there, it is unlikely to have the same set of fonts on two different computers (as long as they are used by different persons).

Edit (from comments): A countermeasure to this is either disabling JavaScript (through an addon like NoScript for example) or to disable both Java and Flash plugins in the browser, as at least one of them is needed to extract the information.

Solution 2

How do they get it?

Passive identifiable information is mostly collected from headers of the communication packets.

When a browser requests a URL, this request goes through several layers of the OSI model and several network protocols. The upper-level protocols such as HTTP and TCP/IP probably provide most of the information displayed on that web site. This information is usually stored in a packet header and was originally embedded there to help servers understand what the best representation of the information is for your environment.

A user-friendly list of current HTTP headers is available from Wikipedia. A more technical reference is RFC 2616 Header Field Definitions or RFC 2616 itself, see section 14.

How to protect your privacy?

Another very popular technique to track a user is via a specific cookie - this is how ad providers know which ad to show you (which makes me very wary). See the answers to my question: How to remove tracking cookies. The answers actually cover a lot more possible defences against other tracking techniques.

Perhaps a more secure way to stay anonymous online is to use some dedicated security projects, one of which is TOR.
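What a server sees from the request headers alone, as an added example that is not part of the original answer: it parses constructed raw HTTP requests, hashes the header values a browser sends passively, and measures how identifying each combination is within the sample. The chosen header list, the host name, the User-Agent strings and the IP addresses are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Header fields a browser sends on every request, with no script or plugin involved.
PASSIVE_HEADERS = ("user-agent", "accept", "accept-language", "accept-encoding")

def parse_request(raw):
    """Return the header fields of a raw HTTP/1.1 request, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def passive_fingerprint(headers):
    """Short hash over the passive header values; the source IP is not an input."""
    material = "\n".join(f"{h}={headers.get(h, '')}" for h in PASSIVE_HEADERS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def surprisal_bits(value, population):
    """-log2 of the share of visits with this value: 'one in N' equals log2(N) bits."""
    return -math.log2(Counter(population)[value] / len(population))

def build(ua, lang):
    """Constructed request for the sample below (host and values are made up)."""
    return (f"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: {ua}\r\n"
            f"Accept: text/html\r\nAccept-Language: {lang}\r\n"
            "Accept-Encoding: gzip, deflate\r\n\r\n")

COMMON_UA = "Mozilla/5.0 (Windows NT 6.1) ExampleBrowser/1.0"
RARE_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/0.9-nightly"
# Constructed sample: six visitors with a common setup, then one rarer browser
# seen twice from two different addresses (for instance directly and via a proxy).
VISITS = [(f"198.51.100.{i}", build(COMMON_UA, "en-US")) for i in range(1, 7)]
VISITS += [("203.0.113.5", build(RARE_UA, "et-EE,en;q=0.5")),
           ("192.0.2.77", build(RARE_UA, "et-EE,en;q=0.5"))]

def analyse(visits):
    """Return (ip, fingerprint, bits) per visit, measured against the whole sample."""
    fps = [passive_fingerprint(parse_request(raw)) for _, raw in visits]
    return [(ip, fp, surprisal_bits(fp, fps)) for (ip, _), fp in zip(visits, fps)]

if __name__ == "__main__":
    for ip, fp, bits in analyse(VISITS):
        print(f"{ip:15} {fp} {bits:.2f} bits")
```

The last two visits arrive from different addresses but share one fingerprint, so the header set stays the same when only the IP address changes. The fewer bits a browser's header combination carries, the less it distinguishes that browser from others in the sample.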

Solution 3

In terms of information you can obtain passively without using Java/Flash - that's pretty exhaustive.

You could perhaps do things like estimate PC performance using a JavaScript benchmark, but you're really pushing at that point.

Solution 4

That page doesn’t really show much if you simply deny the browser prompts to run plugins, allow location detection, etc.

The hostname, IP address, etc. can be easily hidden via a proxy, and browser/OS information can easily be spoofed via extensions and such.

In the end, unless you install and allow third-party plugins, web-sites cannot gather much information because browsers are specifically designed to limit how much access they have to a system. The most common tool that sites use to collect data is cookies, but there are limits to how much they can report as well.

The only real way for a site to get unfettered access to your system is to try to exploit a vulnerability in the browser or one of its plugins, but you can mitigate even that by installing as little as possible and keeping them updated.

Solution 5

There is something extra that the previous answers don't list:

A website can track which other websites you have visited (before the last time you erased your browsing history).

How is it done?

Your browser colors links differently, based on whether you visited them before or not. A website can make a big list of a lot of well-known websites (of which the site wants to know if you visited them), and display that list in a way the user cannot see it (hidden behind an image, with a font size of 1 pixel, with the same color as the background, etc.). Now a script scans how the list is "displayed" by the browser, and can know which of them were visited.

Author: Pickledegg

Updated on September 18, 2022

Comments

  • Pickledegg
    Pickledegg almost 2 years

    I am trying to determine if the information shown on www.whatsmyip.org is the absolute maximum amount of information that a webserver can obtain from a web visitor. Are there other sites that will be able to get more information from the user passively like this?

    I'm not talking about port-sniffing or any kind of interaction from the user, just the information that a server can get from a 'dumb' visit.


    This question was a Super User Question of the Week.

  • Pickledegg
    Pickledegg almost 12 years
    wow, interesting stuff!
  • PhonicUK
    PhonicUK almost 12 years
    This requires Java in order to extract some of its information (and it gets very little if you decline the prompt to allow Java on the site) - the test OP linked gathers far more using passive means.
  • PhonicUK
    PhonicUK almost 12 years
    Yes it does use java, it has a java applet that does the font check. Chrome even prompts you when you visit the page for whether or not you wish to allow the applet to run. Do an inspect element on the page and you see <applet codebase="java" code="fonts.class" id="javafontshelper" name="javafontshelper" mayscript="true" width="1" height="1"></applet>
  • Pickledegg
    Pickledegg almost 12 years
    @PhonicUK that being said, it uses Java, but doesn't require Java to get the list of fonts. That info was displayed regardless of my response to the dialog box.
  • Indrek
    Indrek almost 12 years
    It does seem to require Java. I don't have it (nor Flash) installed, and the result was "No Flash or Java fonts detected".
  • Baarn
    Baarn almost 12 years
    I don't even have a java plugin installed in firefox, still the site extracts the fonts correctly as soon as I set an exception for NoScript. Whatever, I think what @Pickledegg meant by passively extracting information is that there is no user interaction, not that there are no active scripts on the page.
  • PhonicUK
    PhonicUK almost 12 years
    If it can't do it via Java it uses Flash instead. If you disable both flash and java it just gives "No Flash or Java fonts detected". You can't get the list of fonts just using Javascript. Granted it's passive in so far that it doesn't require any interaction from the user but extras are still required to do it.
  • Baarn
    Baarn almost 12 years
    I updated the answer to reflect this, I didn't know this.
  • Synetech
    Synetech almost 12 years
    Panopticlick can find out what fonts you have installed!!!
  • Baarn
    Baarn almost 12 years
    @Synetech As mentioned in my answer the list of fonts is nearly unique to a user (if you installed one or two other than the system fonts), by this it makes the person identifiable throughout the net, even if you use anonymizers and other stuff.
  • Synetech
    Synetech almost 12 years
    @Informaficker, I was being facetious. Yes, it can be used like that, but many users never install fonts, or do so via installing Office and such, so it’s actually not as unique as you would think. For example, this Windows 7 laptop which has installed a few special fonts (for language rendering in Wikipedia) is unique to 1 in 2,399,787. Considering the sheer number of Internet-connected devices and the limited number of tests performed, that’s not as unique as one would expect. I’m sure there are extensions that can hide that data though, or at least browsers can make a setting to block it.
  • Baarn
    Baarn almost 12 years
    @Synetech You do realize that the number equals the browser fingerprints analysed so far? If it were not the EFF that did this scan and you were to visit the site again a month later, maybe even using TOR, they still could predict that you are (in the range of a certain, high percentage) the same user as before.
  • badboy24
    badboy24 almost 12 years
    Panopticlick never displays data for me. Firebug just keeps repeating a "fonts is null" error.
  • Synetech
    Synetech almost 12 years
    @Informaficker, yes I do, that’s why I said "and the limited number of tests performed", and it’s because of a combination of a few really uncommon fonts I have. If I had not installed them (like most people), then the system would be fairly common and not unique. And like I said, there are/can be ways to hide the font (and other browser/system) information (simply running the test in Chrome’s incognito mode cuts it down to 1:800,090).
  • glenneroo
    glenneroo almost 12 years
    Peter Eckersley over at EFF gave a very eye-opening talk entitled "How Unique Is Your Browser?" about their use of this tool. You can watch/hear it here: defcon.org/html/links/dc-archives/dc-18-archive.html
  • Baarn
    Baarn almost 12 years
    I heard about this before, but I think it is no longer possible.
  • user56reinstatemonica8
    user56reinstatemonica8 over 11 years
    These days (2012), when a modern browser allows this, it's treated as a serious security vulnerability. For example, a beta (?) release of Firefox 16 was pulled recently when the developers realised they were vulnerable to this exploit. This was considered a serious enough near-miss to be a news story: bbc.co.uk/news/technology-19909106