Why browsers reveal fingerprinting information? - browser

According to https://coveryourtracks.eff.org/ my Chrome and Firefox browsers disclose seemingly unnecessary information. Why those (and possibly other) browsers readily reveal any of that information?
Fingerprinting information that has nothing to do with serving:
Hardware concurrency
Device memory
Platform
Fingerprinting information that is needed only rarely (if at all) for serving:
User agent: browser and version
HTTP_ACCEPT headers: system language
List of browsers plugins
Timezone
Screen size and color depth; canvas hash
Audiocontext
WebGL vendor and renderer; WebGL hash

I think your'e mischaracterising this. Browsers don't deliberately reveal fingerprintable information; they provide information that is useful in lots of different contexts that also happens to contribute to fingerprinting.
Whether these are relevant for serving can't be determined from the client end. Historically, user agent and screen size/depth were critical in the days before the heavy dependence we now see on Javascript to achieve similar things, when differences between browsers and client platforms was much greater, and many sites are still built that way. For example my bank's web site still has obvious, visible workarounds for IE6. Prior to CSS media queries (around 2009), many things could only be achieved by telling the server about these things, and many of those browsers are still with us.
Knowing whether a browser supports a particular plug-in can also be critical - for example if I want to render a PDF in an iframe, your browser had better be able to render it, and it's useful for a server to know if it can before trying to use it.
You missed off fonts and battery level from your list. These are also very often part of a fingerprint, but at the same time useful for sites to know what to serve to a client.
Some clients deliberately add noise to these values. For example whether a battery is at 10.4% or 12.6% doesn't really make much difference – it's quite low, so adding 5% noise to this information retains its utility while reducing identifiability.
Precisely how much noise you need to add to preserve anonymity, or at least provide reasonable (and measurable) ambiguity of identity, is covered by the concept of differential privacy, which I'll leave you to read up on.

Related

Detecting Private Browsing mode: 2019 edition

It used to be the case, as described in this answer from five years ago, that web sites could not reliably tell whether a client's browser was in Incognito Mode. However, in the past few months, I've started encountering sites which are able to throw up a banner that says, "hey, you're in Private Browsing mode, so we won't show you any content."
I have two questions, which are opposite sides of the same coin:
As a web developer in 2019, how would I construct a reliable check for a user's Private Browsing status?
As a privacy-conscious web user in 2019, who might like to keep the meta-information of his privacy-consciousness private as well, how could I reliably generate a first-time-visitor experience from a site that is desperate to track me?
In pre-Incognito days I would have accomplished #2 by using a "clean profile" to visit a site that I didn't want to follow me around. User profiles are apparently still in Firefox, though I suspect they probably don't protect against browser fingerprinting. But I'm not sure whether that is a good summary of my threat model --- my interest is mostly in opting out of the advertisement-driven data-mining ecosystem, without being treated differently for doing so.
I'll leave the main question to others who know how each browser's Private mode may differ from default. I do use Private modes extensively, but when I encounter a page that won't work, I simply use a clean non-private window, then clear all cookies and other stored state again afterwards.
You also mention fingerprinting, which is more insidious. Often it's based on collection by a client-side script, which is detectable but only somewhat defendable in practice. But server-detectable characteristics can also provide a good enough correlation for cross-site, even cross-device correlation.
Fingerprinting is very difficult to thwart. but I recommend using Tor for as much casual browsing as practical, using multiple browsers with your activity partitioned across them in a disciplined way, using a common browser with the best fingerprinting protections or at least using the most common browser config for your platform(s), keep your browsers updated and never install Java or Flash, change your IP address(es) often, change your window size often, and clear all cookies and other stored state often. Use a common platform (machine + display size + os) if possible. Making your browser more unique by loading it up with privacy extensions is quite likely to make you look more unique. There are also a few resources out there that list fingerprinting servers / domains, and you can block those in your machine, DNS, router, or wherever practical.
Keep in mind that Panopticlick and sites like it suffer from selection bias, and also combine all platforms, obscuring how unique your browser is compared to other browsers on the same platform (it's hard to change your platform, but at least you can try to make your browser look more like others used on your platform).

Why do browsers still spoof user agents?

I know that browsers originally spoofed user agents in order to allow for feature detection. But I am wondering why they still do so. I don't think user agent spoofing has a place in the modern era of standards compliance; what is basically a browser nirvana for web developers compared to the situation during the infancy of the web.
Someone will probably say that it's for backwards compatibility for all the old code out there. Is that the only reason? After all this time I think browser vendors would be looking beyond those sites with old code. Is this being worked on, or are these user agents just forgotten relics from tougher times for browsers?
Additionally, most feature detection these days seems to be done with JavaScript, which makes part of the feature detection use case for a user agent irrelevant.
Because nowadays we have multiples possibles user agents like Iphone5s, Galaxy SIII, IPad 2 and so on. Because that it is sometimes necessary to handler the site features in different ways to specific rules for example.
Think in the scenario with user requirements look like that:
The site should be able to chat with customer only for tablet.
In mobile should not be able because it is smaller.
Thus, because we have multiples devices, we sometimes have to handler in different ways to give for user a great experience.
I'm not aware that they do. Some smaller browsers user agents might not be recognized by a server so they announce themselves as one of the major ones so they don't get ignored or treated as malicious but, otherwise, you are right; there is no need to do so and the major ones don't.

Shall I ignore IE6 while developing a website? also any other browser to avoid? [duplicate]

This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
Should we support IE6 anymore?
ripie6.com
I would like to know which browsers we can avoid. Many sites have stopped support to IE6. So, as developers we can also start avoiding some sites? If yes, what are all? (which versions of what broswers)
Even though I have asked the question already here: which browser to start with? IE, Firefox, Chrome, Safari? , I dint get the answer since its combined with another question.
Assuming it's a business site:
What's your target market?
How long do you expect until you release a working version of your website?
If current trends continue, what will be IE6's market share by then?
How much profit/value will those users bring?
How much will it cost to support those additional users?
Unless the costs are far below the profit, then don't bother. Otherwise, it might be a good idea.
If it's not a for-profit site(hobby, for instance), then you probably shouldn't bother, unless there's a really significant IE6 market share in your target market.
By the way, remember to use graceful degradation when possible and use feature detection instead of browser detection.
Finally, avoid blocking IE6 users and instead just display a warning saying the website is untested in their browser and suggesting an update(this last piece of advice only applies if you don't plan to support IE6)
Support the browsers that your users use.
stackoverflow.com can probably be less strict than other sites in the browsers it supports, since the vast majority of users are technically adept, and likely to be using a reasonably modern browser. amazon.com probably needs to support more browsers, since it will attract a broader spectrum of internet users.
Who uses your site? Who uses similar sites? What browsers are they using? That's how you decide what browsers to support - not based on what the population of internet users use, since the population of internet users probably isn't your audience (unless you're Google, that is).
You need to evaluate a few things:
Your audience. If you are targeting home users, informal or young audience, or technically advanced audience, you may wish to consider not supporting IE6. On the contrary, if you are targeting conservative business audience or large corporations, you should take IE6 in consideration
Are you developing for yourself, or on commission? If you are developing for someone, you need to discuss this with them
Is this a restructuring of an old site? You may use instruments like google analytics, to find out who your visitors are, and what do they use
Not supporting IE6 will save you a lot of headache, and many sites are starting to avoid it, to be free to implement new features using modern tools. But there are situations where you just can't afford this.

How Big a Security Risk are Browser Extensions?

One of the more powerful features of modern day browsers is the ability for software developers to write browser extensions to enhance, modify and tweak the pages visited by the user. As more of our lives migrate onto the browser, aren't we potentially exposing ourselves to a massive privacy and security holes created by the installation of a browser extension that is malicious in nature?
I realize the source code of these extensions is extractable and readable if the author has not made attempts to obfuscate the behavior. But the effectiveness of this type of review is compromised by the browser encouraging users to keep their extensions up to date. While version 1.0 of an extension may be innocuous, a users browser may suggest an upgrade to version 1.1 which could contain malicious code which could be used to scrape information from the screen of the compromised browser.
As both a user and developer of browser extensions, is the developer's reputation the only thing in place to provide assurances to their users that their browsing activity will be secure? Are there any mechanisms in place to help protect users from a compromised browser extension?
Are there any best-practices to develop extensions in a manner that provides users with the assurance that the code they install and update is benign in nature?
Browser extensions can do almost anything user can do. They can send your bank passwords, read files on local disk, execute commands etc. Security of a browser depends not only on browser itself, but also on all installed extensions.
I've written a few extensions for Chrome recently, and I had no idea how much harm extensions could really do before that.
Extensions ask for permissions, but these are very broad. Any non-trivial extension would most likely end up asking for "Full Permission", and most users would just bang the "YES" button. Even a tech savvy user may shrug this off as legitimate, I know I have.
Most extensions are free. It costs time and money to code them up, so how are developers getting their investment back? Some do it for fun, but chrome web store specifically asks if you are planning to inject adds - I can only deduce that this is a common practice for extension developers. Extensions could also act as tracking cookies, and sell usage stats to whomever.
It's near trivial to write an extension that would glob up your passwords and send them on to a third party. Even if these passwords are 'saved'. One of my extensions had a legitimate use case to modify all input fields on all pages, and I found out that chrome would just happily paste-in stored passwords in plain text. Same goes for CC information.
Many extensions include analytics packages, to help developers identify who their users are, which parts of the app is used and so forth. I think that this is a legitimate use case, but you may not necessarily agree.
If you are a developer, be advised that Chrome extensions could significantly impact page load times. My own extension, which I tirelessly optimized to be as lightweight as possible, caused all pages to have an additional 50-200ms load time.
So after I've seen what's possible, I've disabled all extensions in Chrome except for my own. I really only miss AdBlock.
Internet Explorer Browser Helper Objects are extremely unsafe. They basically allow the browser to run native code, which could be anything. I'm not sure if they're still as pervasive now as they were in years past, but they're one of the reasons why Internet Explorer is so much less secure than Firefox and other browsers.
Mozilla style plug-ins using XUL and Microsoft's Silverlight plug-ins are sandboxed to try and prevent malicious behavior. Ultimately it rests on the developer's reputation for any kind of software to be deemed trustworthy by its users, however. Even in cases where the developer is not trying to write malware, bugs in the program may expose security exploits.
Which is why you have multiple machines, and if you can't afford a new one, use a virtual machine to run most of the stuff and monitor it's behavior. Its what i do atleast before I do anything.
RnVja3Mgd2l0aCBtZSBmYW0hIGhpdCBtZSB1cCBhdCB0aGVib3NzODkwN0B5YWhv
by5jb20gaWYgeW91IGhhdmUgYW55IHF1ZXN0aW9ucw==

When is a browser considered "dead"? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
Keep in mind that I'm not looking for a list of current browsers to support, I'm looking for logical ways to make that list, backed by some kind of hard statistics.
Since it's been a while since my last web job, I decided to do this latest site up from scratch. Now I have to decide again what to support in terms of browsers. Certainly I have a list of what I'd like to support, but the decisions that went into that list seem to be a little arbitrary to me. Where can I go to get a reliable picture of browser usage and what seems to be a good point at which to cut off an old version of a browser from support?
Browsers don't die out completely for about a decade. The first thing you must realise is that you will have some visitors that are using a browser you don't support. The question is not which browsers are not dead, but which browsers are worth supporting (the benefit) relative to the work it takes to do so (the cost).
I've never seen browser statistics I'm comfortable recommending, they all seem to be snake oil. A rule of thumb I feel is appropriate is that a browser isn't worth supporting if somebody using that browser is going to regularly run into problems on other websites as well. In other words "stick with what everybody else is supporting". To that end, Yahoo's graded browser support is useful.
Ultimately, the best choice depends on your individual circumstances and will change over time. For instance, 37signals have recently dropped support for Internet Explorer 6 and Facebook are slowly heading in the same direction. This isn't a decision that most organisations can make yet, but give it a year or two and you'll see a lot more organisations follow suit. Right now, it's a bold step that you probably can't justify, but give it time.
Don't fall into the trap of thinking that supporting as many browsers as possible is automatically the best choice - it may be that you are doing your visitors a disservice by wasting time working on compatibility with a browser used by five people when you could be improving the experience for the other million users you have.
Also, it's worth considering that you can "officially" not support a browser. For example, one thing I've done in the past is use JavaScript served only to Internet Explorer 5.5 and below (via a conditional comment), to automatically remove stylesheets, JavaScript and replace images with their alt text. Without those measures, the site would be unreadable due to Internet Explorer's many layout bugs, but with it, the site at least works, even if it's too much work to "support" it.
The easiest way to do it is sign up for Google Analytics and add their tracking code to your site (there are a number of similar services, but Google's one is the best I've found). It gives you detailed statistics as to what browsers people who visit your site use.
Once you have a couple of months data, you can start making decisions as to which browsers you will support. I work for a mainstream web company who want to make our site work for as many users as possible, so we consider any browser with above 0.5% market share to be within our testing matrix. However, other sites may choose to only support and test on major browsers such as IE and Firefox.
As a rough guide, the major browsers you'll see are IE 6 and 7, and Firefox 2 and 3. This should cover well over 90% of your audience so is a good starting point for the first couple of months. Then use your analytics data and make a business decision as to whether the potential revenue (or whatever you're trying to achieve) is worth the additional effort it will take to support other browsers.
Added 2008-09-18:
Admittedly one issue with this method is that if your support for some browser types is so bad that your site is unusable with them then it will potentially skew the statistics as those people will stop coming back, and thus those browsers will appear to have a lower percentage of users.
To determine whether this is happening, you can use Google Analytics' detailed breakdown of behaviour for each browser type and version. This gives you the bounce rate, average time on site, pages per visit, and percent of new visits. If the figures for a given browser type and version are significantly worse than others (i.e. the bounce rate is higher, time on site is lower, pages per visit is lower, or percent of new visits is higher) then it's possible that your site isn't supporting that browser sufficiently well and that you might get more users with it if you had better support.
At this point the figures will still give you a reasonable feeling for how important the browser is (i.e. if it you don't support Google Chrome and it is being shown as 2% of your traffic, then it wouldn't jump to 20% just because you added support) so you can use that browser to see how bad your site is, and make a judgment call as to whether you add support; sometimes this may involve fixing only the worst issues and leaving the site imperfect but usable until the browser gets to a higher percentage of users, or out of beta status.
You could take a look at the way Yahoo! supports browsers at Graded browser support.
The browser is dead when (a) a very small percentage of people use it and (b) you don't care about (selling to? educating? whatever your business is) such a small percentage of people.
Unfortunately, you won't find a good answer to this; even if you found some hard statistics on browser versions for visitors to your website, that almost certainly doesn't tell you what you need to know.
What you need to know isn't "what percent of my visitors use Browser X", it's "what percent of my revenue comes from visitors who use Browser X". That one guy visiting your site using an ancient copy of IE might be the managing director of a big company wanting to buy a site license; the 10k visitors you had last month using Firefox 3 might be college students wanting to plagiarize your documentation for an essay.
Really, you need to know your market - not just the raw browser statistics. If you pay the bills by selling stuff to graphic designers, then rock solid Safari support matters a lot more than if you're in the job of selling Visual Studio plugins. Not helpful, I know!
There are 2 main groups to target. (There are plenty of others though)
Group #1 is browsers that use Webkit (Safari for example), Presto (Opera for example), KHTML (Konqueror for example) or Gecko (Firefox for example). These browsers should all get the same markup, CSS and Javascript code (as they're all in the same group of standard-compliant browsers). Only work around bugs in one of these if you absolutely have to and have the resources to do so. Instead, test in the latest stable versions of each (as you're developing so they can keep each other in check as to what the expected behavior is) and (after checking in the nightlies for the bugs) file bug reports. Again, avoid workarounds for a specific browser if you can. Instead, plan a cross-browser compatible solution from the beginning.
With Group #1, you don't have to worry about older versions much, if it all.
Group #2 is browsers that use Trident (IE for example). Target IE versions you care about and still only workaround the most severe bugs.
Also, don't deny browsers you don't officially support. Let them fend for themselves instead of blocking them (either intentionally or through crappy browser detection).
Also, remember that when looking at market share percentages, try to figure out the numbers they represent so you can see how many millions of potential visitors with that browser there are. 1% or 5% might not seem like a lot, but that could still mean millions.
Most of all, listen to the visitors. If you're getting multiple complaints about a certain browser, look into it if you can. Even if it's for a browser with low market share, if it's a trivial fix, you should just do it.
Ones that are definitely not dead are: IE6 (starting to push it), IE7, IE8, latest Opera 9.x, latest FF 3.x, latest Safari 3.x and others that have about the same capabilities. FF 2.x isn't dead either and is needed for Win9X users (if they don't want to use Opera)
See also this topic
You should use a good UI framework that solves most of the compatibility issues among browsers, like YUI!, jQuery, and so on...
Personaly, I recommend YUI!
Try to answer this locally, consider your audience. For example when I was developing my own Blog Engine, my appeal was mostly to .NET developers. I hope it stands to reason what browser I primarily develop for. From that point I consider the market share and try to ensure a "reasonable" support level for all other browsers. For example even .NET developers occasionally use Firefox, maybe even Opera. Safari and Chrome are possibilities too now. So my current level of support ranks in this order:
It MUST run perfectly in Internet Explorer 7. All features I intended to build are there
It MUST run reasonably in Internet Explorer 6, Firefox 3.0, Opera 9+ and Safari for Windows, not everything has to be flawless, but it can't look downright ugly either
Everything else I don't care about. I just don't have the time and willing effort to support everything.
How do I determine whether or not I want to even consider supporting another browser or continuing supporting one of the above browsers any more? Simply I look at the market share and the statistics of who is hitting my page. If someone is dying, or I just haven't seen them in awhile, then I consider support dropped.
So in short, I would simply make a statement to yourself about the browsers that must run your code perfectly then reasonably and update periodically as the browser world changes. For the first run of your website, just think about your audience, for subsequent updates, your statistics should tell you enough.
My (very poor) solution was to get stats from w3schools and base my decisions on that. While those numbers aren't really terrible, they are skewed because viewers of that site are more likely to be upgrade-conscious. Also, it doesn't give a breakdown of any browser versions except FF.
If you purely build to standards, some browser won't render correctly since no browser supports all standards. You have to pick a few browsers and test your site in those.
Don't try to be too bleeding edge. If you must use some cutting edge CSS, then you have to expect it not to work 100% of the time.
What are you really going to do with the list? Are you planning to block browsers you don't support? What if the user hacks the User-Agent response?
Like others, I would strongly suggest going with something like Yahoo's "Graded Browsers" and, if possible, leveraging YUI or other libraries so you don't have to do it yourself.
<1% market share isn't a criteria - esp if the browser is new.
For me, < IE6 is dead, and the HTML monkeys I work with WISH it was dead. < FF2 is dead. Opera is a nice to have. < Safari 2 is dead, tho most are designing for Saf 3 now.
So it's:
IE6,7,8
FF 2,3
Saf 3,4
Chrome (which is basicly Saf4)
But depending on your app, and how many people you think you are going to get wih hold machines, you COULD drop IE6, which would make your life so much easier.
I would say IE6 and below are dead... but many are still stuck using it.
This site has a nice live listing of each browser and its actual age.
http://webbugtrack.blogspot.com/2008/08/browser-life-statuses.html
I'd go with the http://browser-update.org/ defaults, which currently say the following are dead:
IE <= 6
FF <= 2.0
Op <= 10.01
Sf <= 2.0
My opinion (has always been) build it to the standards and leave it to the browsers to render it correctly.
Start with the browser with the highest market share and work your way down from there.
If you have existing metrics on browsers that visit your site, use those instead of the general market share.
Whichever has < 1% market share.
I agree with Unkwntech.
You should try to make the website compatible to both IE and Firefox
It's simple - most users keep using the browser that came with the PC when they bought it (think of your mom). The browser is dead when the machines that it pre-installed with are not longer used for Internet access... which is probably around 5 years. As prices of new PC's drops and they become more of a consumer electronics item then this period will drop as people will easily buy a new PC

Resources