HackerTrans
TopNewTrendsCommentsPastAskShowJobs

throwaway202302

no profile record

Submissions

Current state of TLS session resumption tracking

ssl.com
2 points·by throwaway202302·3 lata temu·1 comments

Ask HN: Is fingerprint.com reading your forename?

7 points·by throwaway202302·3 lata temu·2 comments

Why is fingerprint.com browser fingerprint working so well with iPhones?

fingerprint.com
30 points·by throwaway202302·3 lata temu·14 comments

[untitled]

1 points·by throwaway202302·3 lata temu·0 comments

comments

throwaway202302
·3 lata temu·discuss
Dear HN, few years ago big news were around about TLS session (resumption) tracking.

I find no current information whether this issue has been fixed or if current browsers mitigate it in private mode; as it seems to basically be a feature I assume any sort of fix can only be in context of private mode (per tab in safari or per-container in firefox) or history-clearing?

Neither I can find a "test page".

Do we have any?

Thankyou
throwaway202302
·3 lata temu·discuss
Is someone here working at apple?

https://niespodd.github.io/webrtc-local-ip-leak/ still? leaks local IP in mobile safari. On browserleaks local ip check fails, giving false feeling of safety.
throwaway202302
·3 lata temu·discuss
Oh, finally I found an element of distinguation for the Iphone:

The zoom settings in the display/brightness section of the iphone seem quite relevant for fingerprint.com algorithm.

Toggling between standard/bigger text toggles the fingerprint value.

This could be because the visible area in the screen size changes, as well as some value of the CSS-fingerprint.
throwaway202302
·3 lata temu·discuss
Scrolling a bit through the mess it seems, it is for exampling, trying to detect the used ad-blockers.

.... adGuardGerman:[u("LmJhbm5lcml0ZW13ZXJidW5nX2hlYWRfMQ==") ....

I see things hat look like font fingerprinting, CSS, Apple pay detection, ... , msPointerEnabled, ..., webkitResolveLocalFileSystemURL, ... cookie settings... ... used mathematical library (sinus, cosinus, ...) serviceworkers, ...RTCPeerConnection, hardwareConcurrency,

Maybe we could dissect it and analyze the full list?

At some other place, they documented e.g. you can get the light/dark theme information out of the CSS. Doesn't even need JS to do it.
throwaway202302
·3 lata temu·discuss
POST https://fpa.fingerprint.com/?ci=js/3.8.10&ii=fingerprintjs-p...

It looks like it is using heavy obfuscation.
throwaway202302
·3 lata temu·discuss
Then, could not we a get a trace of the properties it uploads to the server by analyzing what is executed in the javascript? Sure it has some sort of submit endpoint where it throws the individual values to.
throwaway202302
·3 lata temu·discuss
That there are os-level identifiers is I think a different discussion. I wonder why these were cited in context of fingerprint.com discussion.
throwaway202302
·3 lata temu·discuss
But how could it distinguish different profile directories, if they use the same settings. I would assume profile id, directories, or others should not be exposed through the browser. I am not used to chromium-browser (is this chrome? forgive my incompetence), but I wonder what kind of profile-specific static identifiers despite cookies could leak out the browser?

Maybe these? https://browserleaks.com/webrtc But at least FF in private mode should randomize these IDs on restart.
throwaway202302
·3 lata temu·discuss
Did you check amiunique.org as well with these?
throwaway202302
·3 lata temu·discuss
Websites can access machine-id?
throwaway202302
·3 lata temu·discuss
I observed this too, but I cannot really believe it. For me it finds just german on the iphone. I get 0.88% for it. But if all Apples do it the same, I can hardly believe this provides already such selectivity. The problem with such test sites seems to me that only nerds visit them, and therefore the database is small and biased.
throwaway202302
·3 lata temu·discuss
Do these profiles clear their cookies after request? I assume if the service finds a matching cookie, it will prefer it, or at least use as an extra identifier.
throwaway202302
·3 lata temu·discuss
https://www.lightbluetouchpaper.org/2006/03/09/video-eavesdr...

Rather old one, where 25m was claimed. (Markus Kuhn).

Some like 200m were claimed by anons in random threads (https://www.mikrocontroller.net/topic/319197, in german), but that might have been related to CRT, not sure. They said they pointed antennas towards an office building.

All in all, the topic seems valid but unfortunately the discussions tend to be trolled.

One takeaway from the original link for me was to prefer displayport cable over hdmi/dvi. Yet, if the shielded connectors you have been referring to are easy to find, sounds good as well.

Absolute security is not possible, they say. Yet I wonder, can we have some sort of it at least outside a horizon of lets say 5 meters? Broadcasting the signals few meters/across the street/100m seem to be quite of a difference.
throwaway202302
·3 lata temu·discuss
What about the neighbor above/below your apartment? A ceiling of ferroconcrete is a good blocker (or a good multiplier?)

From my apartment, I can see a telecommunication tower, about 1.2 kilometers away. Wondering what it could pick up with enterprise grade antennas if it wanted to. maybe the other monitors around would disturb the signals?

https://www.usenix.org/legacy/events/sec09/tech/full_papers/...
throwaway202302
·3 lata temu·discuss
I’ve read some related things, which said its the hdmi cable that radiates, but I understand any component might be.

Two questions: - How many meters do we need to expect our lcd/ips monitors to radiate? - Do we know about any monitor/cables that prevent the worst radiation and what to buy?

p.s. There are also papers that describe how to pickup keyboard strokes using the same method.
throwaway202302
·3 lata temu·discuss
Dear HN, maybe you know.

This is about precision of browser fingerprinting.

fingerprint.com generates a hash from browser/os attributes to recognize users without cookies. I tried their demo using iphone and expected (because i use private mode and returned several times with hopefully different cookie) to see some entries from other iphones like my one pop up in my history (from the fuzzy matching; https://www.apple.com/safari/docs/Safari_White_Paper_Nov_201... has some sentence about fingerprint prevention) but there were no other. I was alone and it traced me well. It was immune to private relay on/off (geodata).

They claim 99.5% accuracy for fingerprint pro. From the docs (https://dev.fingerprint.com/docs/understanding-our-995-accur...) it seems to me that 99.5% is overall accuracy for the hosted service and that number might be inflated by all the reference calls generated by devices that never clean their cookies (these count as 100%) The fraction of these is undisclosed, but its most likely very high(?).

I had, so far believed that it is more difficult to fingerprint a mobile safari than a desktop or android, because there is not so much hardware variety. Canvas/audio fingerprint should mainly depend on the phone’s model, and so are the fonts? (can apps bring new fonts to the fingerprint?)

Yet the demo of fingerprint.com performs pretty well for me. I do not know if its a problem of my safari leaking something or whether I am the only current user of the demo and therefore have no other peers to compare against. It seems a general problem also on sites like amiunique.org that almost nobody uses them. amiunique reports current iphone user agent as having a 0.4% fraction in last 15 days; but there are millions of these phones out there?

First I thought its my cookies but safari is indeed in private mode and e.g. samy.pl/evercookie test shows different digits each visit.

Anybody has some link/test tool especially crafted for iphone/ipad fingerprint or has some know-how of the “secret sauce” of fingerprint.com et al and would like to share? i would like to know how my iphone SE is different from other iphone SE. how to find out? Do you see conflicting peers on fingerprint.com demo when using it with iphone?

Thanks a lot.