Hacker News

A web page that shows you everything the browser told it without asking

497 points by mwheelz today at 12:37 PM, 244 comments

Comments

cortesoft today at 6:12 PM

Maybe it's just because I am old, or have worked on internet software for almost 30 years, but none of this seems surprising or even concerning?

Someone sets up a server that accepts connections to it and then someone sends a connection request to it.

There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.

I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in any way it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.

In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make follow-up requests that the site tells me to make, and I can choose to display the response in whatever way I want to). I asked for data, they sent me data.

If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.

Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDoS attacks and the like make a completely 'anything goes' setup impractical.

However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.

mmh0000 today at 6:54 PM

Wow! Somebody with ChatGPT discovered the concept of browser headers, then for some odd reason made the verbiage really ... weird "We chose not to tell you"... okay...

Anyway, if you really want to know what your browser is sending:

https://browserleaks.com/

https://coveryourtracks.eff.org/

card_zero today at 3:20 PM

* I'm not in that city.

* It's running a kind of Chrome on a kind of Linux, at a stretch.

* Nobody can infer when I work and when I sleep. That includes me.

* The recent, high-end display is the screen of a low-end tablet I bought in a supermarket five years ago.

* But yes, browser fingerprinting is annoying.

* Since you can detect light mode, would it kill you to honor it?

noelsusman today at 5:50 PM

I am once again asking privacy advocates to try sounding normal for once. Trying to make a browser accessing your timezone sound nefarious isn't going to convince anyone of anything.

kykat today at 7:00 PM

Visiting without JS: "With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops."

I find this hyper dramatic LLM language extremely off putting, but appreciate the signal that allows me to completely disregard it.

karmakaze today at 4:30 PM

Whether or not the information is accurate isn't really the point. It's that it serves as a way to identify you even without cookies. I looked for better websites, the EFF one[0] is informative.

My browser fingerprint was unique among the visitors in the past 45 days.

[0] https://coveryourtracks.eff.org/

lucideer today at 3:41 PM

The website is pretty & the overdramatic copy is fun, but there's much better fingerprinting demos out there.

The number of data points shown here is low - there's plenty more it could be checking - & a good number of them seem to be wrong (it's only detecting one as explicitly "withheld" but I believe a few of them actually are, leading to garbled output).

Needs some QA.

pona-a today at 3:28 PM

A vibe-coded EFF Cover Your Tracks. The fact this made it to the front page is spookier than its contents.

ebolyen today at 3:02 PM

There's really a lot more you can look at here. Lots of prior art on super-cookies and fingerprinting:

https://coveryourtracks.eff.org/

https://amiunique.org/

Swizec today at 6:47 PM

I love that the very first thing it showed was wrong.

> San Pablo, California, United States

> You appear to be in San Pablo, United States. Your internet provider is AT&T Enterprises, LLC. We know this because your IP address — 108.xxx.xxx.233 — was the first thing your device sent us

I am in San Francisco. IPs are not a reliable location identifier and never have been. Especially on mobile. Thank you for coming to my TED talk.

RHSeeger today at 4:18 PM

> We did not ask for your location. Your address arrived before you did.

Bunk. You asked a geolocation api/service to map my ip address back to a location. You _did_ ask for my location, using my IP as a key. And my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).

yard2010 today at 9:34 PM

Tell me what kind of smell my last fart had. Now this will be scary.

troyvit today at 3:27 PM

> Your graphics processor identified itself as or similar.

That checks out. I think what I have is similar to a graphics card but isn't quite.

nick49488171 today at 9:05 PM

The gyroscope and battery should not be getting exposed without permission. That seems unexpectedly invasive, and I'm in tech.

Also we should disable referrer field.

kbigdelysh today at 9:14 PM

So if they can figure out whether I have an expensive laptop/computer based on my graphics card, then they can adjust the prices I see on the page (e.g. higher prices for game devs/players and lower prices for plumbers). Not fair.

chrisweekly today at 2:52 PM

I appreciate the intent here, so this is constructive feedback:

- Some of the numbers are off, e.g. "Your browser allocated 39322 MB of storage to this page alone"

- Low contrast in dark mode makes text hard to read
looneysquash today at 7:48 PM

Would be nice if more people were focused on fixing these issues instead of just a bunch of "we already know", and making fun of the tone of the site.

Thanks OP for reminding us of the privacy issues with our browsers. The EFF and others already told us, but the issues remain. Let's hope you're here to stay and fight for our privacy alongside us.

nottorp today at 4:47 PM

An instant loading page without animations and more contrast would have been more fun.

The fact that it begins with my IP address reminds me of those dubious VPN ads.

City is wrong, I may speak English but it's not my native language.

As other people said, there are much better pages showing you your browser fingerprint.

skerit today at 4:51 PM

> We know this because your IP address was the first thing your device sent us.

First paragraph, and I don't like this wording already. It's as if "my device" has any choice in the matter.

And actually, it's the reverse! Often enough your own device does not know your _actual_ public IP address without asking some kind of public service to snitch on your internet connection.

carimura today at 3:35 PM

Aren't LLMs smart enough to choose better color contrast by now?

simonbw today at 5:32 PM

It seems like they know I have an iPhone with dark mode enabled, that I speak English, and that I'm in the USA (but wrong city, wrong state). I am kinda unimpressed; I'm pretty sure they can get a lot more info than that.

mrpopo today at 2:44 PM

Happy to say that my browser didn't tell anything that I didn't expect it to. It even identified my IP from a location 1000km away from me.

Firefox on Android with uBlock.

IdiotSavage today at 3:39 PM

> Where you were before

> news.ycombinator.com

This has always bothered me the most. I disabled the 'Referer' header once, but it breaks many websites.

ShabbyDoo today at 7:53 PM

Access to the available font list might be useful for identifying devices likely issued by a particular organization. Unusual fonts that are part of an org's branding usually are installed as part of a standard device image. This allows employees to produce brand-compliant presentations, etc. I was an intern at GE in the mid-90's and we had a custom font with just one character defined - the "meatball" corporate logo.

freedomben today at 2:48 PM

I guess I shouldn't be surprised that it gives my exact GPU, but that was surprising to me. Just so everyone knows, it's an AMD Radeon RX 6900 XT and I paid way too much for it during the covid/crypto price explosion when they were sold out everywhere. Still a bit raw about that, but it is an excellent card on Linux (Fedora).

wincy today at 2:47 PM

My battery is at NaN%, the site is cool but it should probably change the text if I’m not actually exposing that information.

It got the city wrong but close to where I live. This stuff would be wildly wrong if I fired up my VPN. Although it's annoying when I connected to a VPN to Steam it'll often show my prices in Canadian dollars instead of USD.

aziaziazi today at 3:22 PM

> Your screen is 320 by 568 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display.

It's been a long time since my 2016 iPhone has been called recent or high-end, but I'll take the compliment, thank you.

Gualdrapo today at 3:01 PM

Text is so dim it's really hard to read.

binyu today at 7:25 PM

They forgot to add the timing attack on image load time, which can be used to tell if you visited X website.

https://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010...

jameshart today at 5:16 PM

> Your device carries these typefaces, of the seventeen commonly probed by fingerprinting checks. The specific combination of fonts on your device is nearly unique

The set of fonts available in stock iOS is hardly going to be unique now is it?

That it is even possible to install fonts onto iOS would be news to most users.

YeGoblynQueenne today at 8:44 PM

Huh? The user mwheelz seems to have been [dead]'d in the time this post has been on the front page. If I look at their comments page, those posted more than 46 minutes ago (at the time of writing) are normally visible and the rest are [dead].

https://news.ycombinator.com/threads?id=mwheelz

Mods, is there something we should know? Is there maybe a reason to stay away from the linked website?

moritzwarhier today at 6:04 PM

https://coveryourtracks.eff.org/

does the same or better, without AI regurgitation and a WordPress theme.

mcintyre1994 today at 7:02 PM

> Your device carries these typefaces, of the seventeen commonly probed by fingerprinting checks. The specific combination of fonts on your device is nearly unique

Is this actually true? Because I don’t even know if I have any control over this on iOS, and if I do then I’d guess almost nobody diverges from the default?

simonw today at 8:10 PM

Cute detail: if you switch to another tab and then back again it shows a banner at the top:

> You left for 6.3 seconds. We noticed.

Multicomp today at 2:47 PM

Mine told me my graphics card was "or similar" so my stock Firefox is doing at least okay.

While I still follow the general privacy first tenets, I have ended up backing off on some tools (noscript and librewolf) at the extremes of privacy because if every site is going to track everything by my IP or by my ASN or browser fingerprint, I do have a happy medium of being private enough while not being utterly broken in my browsing.

Roughly that looks like email aliases on demand via sieve rules, uBlock Origin with liberal use of filter lists, different handles and a password manager, frozen credit ratings, and Tailscale exit nodes or Mozilla (Mullvad) VPN for uncontrolled WiFi access points for my unrootable Android device, and mostly Signal for comms.

I'm getting too old to be a privacy extreme enthusiast when all of my family side-channels everything straight to Facebook, so this is the impure level of privacy I can sustain.

barbs today at 9:26 PM

"Your screen is 320 by 568 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display."

Not quite, I'm on a 2016 iPhone SE.

every today at 7:25 PM

It seems to have a little trouble with lynx... https://en.wikipedia.org/wiki/Lynx_(web_browser)

____tom____ today at 6:27 PM

I doubt the fonts on my iPhone identify me. As far as I know, they would be the fonts it came with. Or can apps install fonts?

seydor today at 7:32 PM

I thought the referer was not available under https anymore.

aidanbeck today at 2:51 PM

Aside from the fingerprinting methods, the graphics processor string seems to be the most immediately personal data given up (other than location, which was incorrect for me). I could see sites tailoring ads around an assumed class, income, and level of digital literacy based on this data point alone.

Aardwolf today at 5:36 PM

> You came here from news.ycombinator.com. Your browser told us the address of the page you were reading before this one. Every link you follow tells the destination where you were. The page you just left knows you left. This page knows where you came from. Neither was asked.

I thought this didn't work anymore and browsers left out the referer in the case of https, is that not so then?
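Several commenters ask whether the Referer is still sent under https. The answer depends on the referrer policy in effect, so here is an added example (not from the thread or the linked site) that computes the Referer a browser emits for a navigation under each named policy, following the Referrer Policy spec's rules; when a site sets no policy, current browsers apply strict-origin-when-cross-origin. The "potentially trustworthy" test is simplified to "scheme is https".

```javascript
// Added example: which Referer value a browser sends when following a link
// from `fromUrl` to `toUrl` under a given referrer policy. Returns null when
// no Referer header is sent at all. Not code from the thread or the site.
function isPotentiallyTrustworthy(u) {
  // Simplified: only https counts as secure (the spec also allows
  // localhost, file:, etc.).
  return u.protocol === "https:";
}

function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Full referrer: origin + path + query. Credentials and fragment are
  // always stripped before sending.
  const full = from.origin + from.pathname + from.search;
  // Origin-only referrer is serialised with a trailing slash.
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  // A "downgrade" is a navigation from a secure page to an insecure one.
  const downgrade = isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full;
    case "origin":
      return originOnly;
    case "same-origin":
      return sameOrigin ? full : null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "": // no policy set: browsers fall back to the default below
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Example from the thread: an https HN item page linking to an https site.
// Under the default policy only the origin "https://news.ycombinator.com/"
// is sent, which is exactly what the linked page displays.
const hnToSite = computeReferer("", "https://news.ycombinator.com/item?id=1", "https://example.com/page");
```

A site that wants to stop leaking where its visitors go next can set `Referrer-Policy: no-referrer` (or `same-origin`) as a response header or `<meta name="referrer">`; the function shows that the https-only behaviour commenters remember is the downgrade case, not a blanket suppression.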

corobo today at 4:09 PM

Dunno what it is with the wording but my brain started reading it in a bit of a "Hello Clarice" Hannibal Lecter style, lol.

> The specific combination of fonts on your device is nearly unique — like a fingerprint made of letters

Is this one true? I've not made any changes to fonts on my phone that I know of, wouldn't it just be bog standard iPhone fonts?

Curiosity, not challenge.

Would be cool if you actually did track just to prove the point like "you've opened this page 6 times now, 2 of those were via VPN and one time was using the Firefox Focus browser. Have you found any flaws in the data yet?"

mikeocool today at 4:22 PM

As far as this website reports, I'm indistinguishable from most other Mac users in Brooklyn, New York. Seems like it's not actually highlighting the frightening aspects of fingerprinting.

1vuio0pswjnm7 today at 4:22 PM

Perhaps this illustrates the ridiculous level to which website operators make assumptions about website visitors.

This phenomenon is much older than "browser fingerprinting".

everdrive today at 6:35 PM

"With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops."

This is surely only partially true.

flint today at 8:07 PM

Something attacked my computer. I shut the page, and some old one popped up. I shut it, and they popped up again. I shut my browser, and Notepad++ was filling with <cr><lf>. I closed Notepad++, closed every open app, and restarted.

nathanmills today at 3:32 PM

You can't guarantee any of this is fingerprintable without checking twice (i.e. give the user a unique URL, then ask them to restart the browser and visit it). In privacy browsers like LibreWolf or Mullvad Browser this is almost all spoofed, save for things like the IP, which needs to be hidden/changed independently of the browser.

culi today at 3:59 PM

Most of this is pretty standard stuff, but one thing I did learn is some of the fingerprinting techniques I wouldn't've thought of. Like Mozilla/Apple not sharing GPU or battery information being used to confirm which browser I use even if I fake the User-Agent string.

pugworthy today at 5:36 PM

Trying this in Lynx, I'm surprised it didn't at least get some information from me in the request headers. You don't need JavaScript to pull things out of them.
