No-JavaScript Fingerprinting

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

Our great sponsors
  • SurveyJS - Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • WorkOS - The modern identity platform for B2B SaaS
  • blog-nojs-fingerprint-demo

    A demo for the no-JavaScript fingerprinting article

    I thought it was going to use ETAG based fingerprinting, which I always thought was pretty clever. The etag header is supposed to be used to control caching, so it's typically a hash of the requested resource's content. But, there's no requirement for it to be, so you can generate a unique one, and the client will send it back to you next time you ask for that uri.

    The fingerprint sources are here: https://github.com/fingerprintjs/blog-nojs-fingerprint-demo/... Basically some css that uniquely identifies some browsers, then headers like user-agent, language, etc.

  • stealth

    :rocket: Stealth - Secure, Peer-to-Peer, Private and Automateable Web Browser/Scraper/Proxy

    Note that among a sea of tracked browsers, the untrackable browser shines like a bright star.

    Statistical analysis of these values over time (matched with client hints, ETags, If-Modified-Since, and IPs) will make most browsers uniquely identifiable.

    If the malicious vendor is good, they even correlate the size and order of requests. Because that's unique as well and can identify TOR browsers pretty easily.

    It's like saying "I can't be tracked, because I use Linux". Guess what, as long as nobody in your town uses Linux, you are the most trackable person.

    I decided to go with the "behave as the statistical norm expects you to behave" and created my browser/scraper [1] and forked WebKit into a webview [2] that doesn't support anything that can be used for tracking; with the idea that those tracking features can be shimmed and faked.

    I personally think this is the only way to be untrackable these days. Because let's be honest, nobody uses Firefox with ETP in my town anymore :(

    WebKit was a good start of this because at least some of the features were implemented behind compiler flags...whereas all other browsers and engines can't be built without say, WebRTC support, or say, without Audio Worklets which are for themselves enough to be uniquely identified.

    [1] https://github.com/tholian-network/stealth

    [2] https://github.com/tholian-network/retrokit

    (both WIP)

  • SurveyJS

    Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App. With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.

  • retrokit

    :joystick: Bring back the old Web(Kit) and make it secure

    Note that among a sea of tracked browsers, the untrackable browser shines like a bright star.

    Statistical analysis of these values over time (matched with client hints, ETags, If-Modified-Since, and IPs) will make most browsers uniquely identifiable.

    If the malicious vendor is good, they even correlate the size and order of requests. Because that's unique as well and can identify TOR browsers pretty easily.

    It's like saying "I can't be tracked, because I use Linux". Guess what, as long as nobody in your town uses Linux, you are the most trackable person.

    I decided to go with the "behave as the statistical norm expects you to behave" and created my browser/scraper [1] and forked WebKit into a webview [2] that doesn't support anything that can be used for tracking; with the idea that those tracking features can be shimmed and faked.

    I personally think this is the only way to be untrackable these days. Because let's be honest, nobody uses Firefox with ETP in my town anymore :(

    WebKit was a good start of this because at least some of the features were implemented behind compiler flags...whereas all other browsers and engines can't be built without say, WebRTC support, or say, without Audio Worklets which are for themselves enough to be uniquely identified.

    [1] https://github.com/tholian-network/stealth

    [2] https://github.com/tholian-network/retrokit

    (both WIP)

  • brave-browser

    Brave browser for Android, iOS, Linux, macOS, Windows.

    So what? There are plenty of stars in the sky, and if you are farbling [1] your star shimmers differently every time the surveillance-monster glances skyward:

    The comment above is a misconception I see over and over on HN, assuming that the only defense against fingerprinting is to look exactly identical to everybody else. That is incredibly shortsighted.

    [1] https://github.com/brave/brave-browser/issues/12069

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts