
Dear HN, a few years ago there was big news about TLS session (resumption) tracking.

I can find no current information on whether this issue has been fixed or whether current browsers mitigate it in private mode; as it seems to basically be a feature, I assume any sort of fix can only be in the context of private mode (per tab in Safari or per container in Firefox) or history clearing?

Nor can I find a "test page".

Do we have any?

Thank you


Is someone here working at Apple?

https://niespodd.github.io/webrtc-local-ip-leak/ still (?) leaks the local IP in mobile Safari. On browserleaks the local IP check fails, giving a false feeling of safety.


Oh, finally I found a distinguishing element for the iPhone:

The zoom settings in the display/brightness section of the iPhone seem quite relevant for the fingerprint.com algorithm.

Toggling between standard/bigger text toggles the fingerprint value.

This could be because the visible area in the screen size changes, as well as some value of the CSS-fingerprint.


Then, could we not get a trace of the properties it uploads to the server by analyzing what is executed in the JavaScript? Surely it has some sort of submit endpoint where it throws the individual values to.


POST https://fpa.fingerprint.com/?ci=js/3.8.10&ii=fingerprintjs-p...

It looks like it is using heavy obfuscation.


Scrolling a bit through the mess, it seems it is, for example, trying to detect the ad blockers in use.

.... adGuardGerman:[u("LmJhbm5lcml0ZW13ZXJidW5nX2hlYWRfMQ==") ....

I see things that look like font fingerprinting, CSS, Apple Pay detection, ... , msPointerEnabled, ..., webkitResolveLocalFileSystemURL, ... cookie settings... ... the mathematical library used (sine, cosine, ...), service workers, ... RTCPeerConnection, hardwareConcurrency,

Maybe we could dissect it and analyze the full list?

Elsewhere, they documented that e.g. you can get the light/dark theme information out of the CSS. It doesn't even need JS to do it.
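
The `u("…")` strings in the fragment quoted above are base64, so the probe selectors can be listed without running the bundle. This is an added example, not code from the thread or from fingerprint.com: only the `adGuardGerman` string comes from the comment; the wrapper object, `exampleList` and its selectors are constructed, and treating `u` as a plain base64 decoder is an assumption.

```javascript
// Added example: statically list the ad-blocker probe selectors that a minified
// bundle wraps in u("<base64>") calls, without executing the bundle.

const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

// Constructed sample input. Only the adGuardGerman string is the fragment quoted
// in the comment above (the real list is longer and is cut off there); the
// wrapper object, "exampleList" and its two selectors are made up.
const SAMPLE_BUNDLE =
  'var f={adGuardGerman:[u("LmJhbm5lcml0ZW13ZXJidW5nX2hlYWRfMQ==")],' +
  `exampleList:[u("${b64('#ad-banner')}"),u("${b64('.sponsored-box')}")]};`;

// Assumption: the wrapper (named u in the fragment) is a plain base64 decoder.
function decodeProbeLists(bundleText, decoderName = 'u') {
  // Escape the decoder name so identifiers containing "$" stay literal.
  const name = decoderName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const call = `${name}\\("([A-Za-z0-9+/]+={0,2})"\\)`;
  // Matches  listName:[u("..."),u("...")]  and captures the name and the calls.
  const listRe = new RegExp(`([A-Za-z_$][\\w$]*):\\[((?:${call},?)+)\\]`, 'g');
  const lists = {};
  for (const m of bundleText.matchAll(listRe)) {
    const selectors = [];
    for (const c of m[2].matchAll(new RegExp(call, 'g'))) {
      if (c[1].length % 4 !== 0) continue; // not valid padded base64
      const text = Buffer.from(c[1], 'base64').toString('utf8');
      // Keep only printable ASCII so unrelated binary blobs are not listed.
      if (/^[\x20-\x7e]+$/.test(text)) selectors.push(text);
    }
    lists[m[1]] = selectors;
  }
  return lists;
}

for (const [list, selectors] of Object.entries(decodeProbeLists(SAMPLE_BUNDLE))) {
  console.log(`${list}: ${selectors.join(', ')}`);
}
```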


Did you check amiunique.org as well with these?


Websites can access machine-id?


I've heard from people I know to be scary skilled in that area that it's possible through the D-Bus interface. Mind you, this was years ago.


I guess they can't unless somebody had a great idea in the specification of some web API...


That there are OS-level identifiers is, I think, a different discussion. I wonder why these were cited in the context of the fingerprint.com discussion.


I observed this too, but I cannot really believe it. For me it finds just German on the iPhone. I get 0.88% for it. But if all Apples do it the same, I can hardly believe this already provides such selectivity. The problem with such test sites seems to me that only nerds visit them, and therefore the database is small and biased.


Do these profiles clear their cookies after the request? I assume if the service finds a matching cookie, it will prefer it, or at least use it as an extra identifier.


Technically one can create this and launch a new profile every time. It can still detect the device (there are some failures - if I change the screen resolution/dpi). Maybe after 3 or 4 times, the server may also detect that a certain IP address is trying the same thing.

TEMP_DIR=$(mktemp -d /tmp/chromium.XXXXXXX); /usr/bin/chromium-browser --user-data-dir="$TEMP_DIR"

In the end, as others say, they use hardware information + IP + other stuff. It is a lost battle.


But how could it distinguish different profile directories if they use the same settings? I would assume profile id, directories, or others should not be exposed through the browser. I am not used to chromium-browser (is this Chrome? forgive my incompetence), but I wonder what kind of profile-specific static identifiers besides cookies could leak out of the browser?

Maybe these? https://browserleaks.com/webrtc But at least FF in private mode should randomize these IDs on restart.


I’ve read some related things, which said it's the HDMI cable that radiates, but I understand any component might be.

Two questions:
- How many meters do we need to expect our LCD/IPS monitors to radiate?
- Do we know about any monitors/cables that prevent the worst radiation and what to buy?

P.S. There are also papers that describe how to pick up keyboard strokes using the same method.


Test grade shielded HDMI connectors would probably mitigate this. They’re generally about $50 for 2 meters.

I’d also expect this attack to only work within a few feet of the target system. The author admits that the quality of transmission is pretty heavily affected by antenna and cable orientation. The bigger concern IMO is proximity - if you’re close enough to pull this off, you’re already at “physical access” levels of threat to a secure system.


https://www.lightbluetouchpaper.org/2006/03/09/video-eavesdr...

Rather old one, where 25m was claimed. (Markus Kuhn).

Something like 200m was claimed by anons in random threads (https://www.mikrocontroller.net/topic/319197, in German), but that might have been related to CRT, not sure. They said they pointed antennas towards an office building.

All in all, the topic seems valid but unfortunately the discussions tend to be trolled.

One takeaway from the original link for me was to prefer a DisplayPort cable over HDMI/DVI. Yet, if the shielded connectors you have been referring to are easy to find, that sounds good as well.

Absolute security is not possible, they say. Yet I wonder, can we have some sort of it at least outside a horizon of, let's say, 5 meters? Broadcasting the signals a few meters/across the street/100m seems to be quite a difference.


What about the neighbor above/below your apartment? A ceiling of ferroconcrete is a good blocker (or a good multiplier?)

From my apartment, I can see a telecommunication tower, about 1.2 kilometers away. Wondering what it could pick up with enterprise-grade antennas if it wanted to. Maybe the other monitors around would disturb the signals?

https://www.usenix.org/legacy/events/sec09/tech/full_papers/...


A telecom tower has orders of magnitude more transmit power than an HDMI cable, by design. It’s also an intentional, rather than unintentional radiator. However, neither of these facts can overcome the fact that radio energy decays with the inverse square of distance, and that the noise local to the receiver on the telecom tower would swamp any fragment of energy radiated by the HDMI cable by the time it got there.


Dear HN, maybe you know.

This is about precision of browser fingerprinting.

fingerprint.com generates a hash from browser/OS attributes to recognize users without cookies. I tried their demo using an iPhone and expected (because I use private mode and returned several times with a hopefully different cookie) to see some entries from other iPhones like mine pop up in my history (from the fuzzy matching; https://www.apple.com/safari/docs/Safari_White_Paper_Nov_201... has some sentence about fingerprint prevention) but there were no others. I was alone and it traced me well. It was immune to private relay on/off (geodata).

They claim 99.5% accuracy for Fingerprint Pro. From the docs (https://dev.fingerprint.com/docs/understanding-our-995-accur...) it seems to me that 99.5% is the overall accuracy for the hosted service and that number might be inflated by all the reference calls generated by devices that never clean their cookies (these count as 100%). The fraction of these is undisclosed, but it's most likely very high(?).

I had so far believed that it is more difficult to fingerprint a mobile Safari than a desktop or Android, because there is not so much hardware variety. Canvas/audio fingerprint should mainly depend on the phone’s model, and so are the fonts? (Can apps bring new fonts to the fingerprint?)

Yet the demo of fingerprint.com performs pretty well for me. I do not know if it's a problem of my Safari leaking something or whether I am the only current user of the demo and therefore have no other peers to compare against. It seems a general problem also on sites like amiunique.org that almost nobody uses them. amiunique reports the current iPhone user agent as having a 0.4% fraction in the last 15 days; but there are millions of these phones out there?

First I thought it's my cookies, but Safari is indeed in private mode and e.g. the samy.pl/evercookie test shows different digits each visit.

Does anybody have a link/test tool especially crafted for iPhone/iPad fingerprinting, or have some know-how of the “secret sauce” of fingerprint.com et al., and would like to share? I would like to know how my iPhone SE is different from other iPhone SEs. How to find out? Do you see conflicting peers on the fingerprint.com demo when using it with an iPhone?

Thanks a lot.


I tried it on an iPhone and noted that it said I visited several times before even though this was my only time. Previous instances varied in IP, incognito mode, and location.

This was through the demo on their main page fingerprint.com > view live demo using Safari w/ private mode and some ad blocking extension.


Same. There were 4 entries that were not me listed - one was even an incognito visit. They were all from the same date about a month ago. Maybe this service works better on iPhones than Androids?

Edit: Reread your comment and you were on an iPhone.


Same for me - said I’d visited 17 times from 11 IPs, but this was the first time I’d even heard of the service!


Same for me, it showed previous visits. Never went to that site before.


I don't have an iPhone so I can't test it, but one thing I would be interested in is: if you use another browser like Chrome/Firefox etc., do you also get the same ID?

On my Android, different browsers yield different IDs, but private mode or clearing browser data doesn't change anything.


There are ways to accomplish device level fingerprinting (cross-browser), though I don't know if it's offered by Fingerprint.com.


Curious. What are some of these methods and any background reading?


Yes, I tried with Firefox on normal, private and via VPN, same fingerprint.


There is nothing in their open-source version that would allow them to distinguish between iPhones running the same OS on the same hardware. For example, apps can't add fonts globally. But they could be abusing a way of associating data with browsers that is not a cookie or something that is filtered by incognito mode in order to track users.

