The Top Browser Fingerprinting Techniques Explained
To generate a highly accurate browser fingerprint, many techniques are used to gather information about the user that can differentiate them from millions of others online. In this article, we review some of the most common methods used in a browser fingerprinting script.
Browser fingerprinting can be used to stop fraudsters from attempting to hack, spam, or spoof website owners by accurately identifying site users. Browser fingerprinting is more difficult to circumvent than cookies, as a user’s fingerprint does not change between incognito browsing sessions, or clearing browser data. To generate a browser fingerprint with enough accuracy (or entropy) to uniquely identify a web visitor, the script must use a variety of browser fingerprinting techniques to gather data (called signals) that would vary between visitors. While many visitors to a website may have the same model of iPhone, the software and drivers installed, geolocation, browser and OS version, and even minute variances in the hardware could be different. Each browser fingerprinting technique is able to gather one or more of these signals that aim to identify these small variances between users.
What Information is Gathered?
With browser fingerprinting, a lot of information can be gathered from the browser: the user’s device model, its operating system, its browser version, browser extensions, user timezone, preferred language settings, ad blocker used, screen size and resolution, and all the granular tech specs of his CPU, graphics card, and so on.
Browser fingerprinting technology can capture more than enough specifics about a user’s device and settings to pinpoint them in a sea of internet users. Read our beginner’s guide to learn more about how browser fingerprinting works and how each signal adds to a fingerprint’s overall accuracy and stability.
FingerprintJS’s browser fingerprinting technology employs several cutting-edge browser identification methods to gather over 100 individual signals. These signals are combined with server-side analysis and deduplication to generate a visitorID, providing a persistent and useful abstraction of a browser fingerprint, which can be volatile if a user changes settings or updates software on their device.
What Are Some of the Different Fingerprinting Techniques?
This browser fingerprinting technique takes advantage of the HTML5 canvas element to identify variances in a user’s GPU, graphics drivers, or graphics card. First, the browser fingerprinting script draws an image, often overlaid with text. Then, the script captures how the user’s browser has rendered the image and text. Every device with different hardware and drivers will render the image slightly differently, distorting its color and shape. A hash is then computed using the rendered image’s data, which serves as the ‘canvas fingerprint.’
Like any other browser fingerprinting technique, the scripts used for canvas fingerprinting operate in the background to keep the user from realizing that the fingerprinting is occurring. This fingerprinting technique is both accurate and not too processing intensive, making it one of the most employed techniques in browser fingerprinting scripts.
Canvas and WebGL rendered images, from AmIUnique. Due to how this visitor’s specific browser and device rendered these images, they can be narrowed down to a pool of fewer than 0.01% of total visitors.
WebGL fingerprinting is very similar to Canvas fingerprinting as they both use the browser to render text and images off-screen. These images are then used to differentiate users based on their graphics drivers and device hardware.
Media Device Fingerprinting
This technique uncovers a list of all the connected media devices and their respective IDs on a user’s laptop or PC. This includes all internal media components like video cards, audio cards, and all connected or linked devices like headphones.
Media device fingerprinting is not widely used in fingerprinting functions as it requires the user to grant access to their microphone and camera to get a full list of connected devices. As such, this technique is useful for services that innately require webcam or microphone access, such as video chat services.
While other fingerprinting techniques force browsers to render a text or image, this technique checks how their devices play sound. Minute differences in sound waves generated by a digital oscillator are impacted by the browser vendor and version used, as well as differences in CPU architecture.
To learn more about audio fingerprinting, read our in-depth tutorial on how audio fingerprinting works using the Web Audio API.
Putting it all together
Multiple fingerprinting techniques need to be used in conjunction with each other to generate a sufficiently accurate fingerprint for user identification. Each technique generates one or more signals, which are then collectively combined into a visitor hash that serves as an individual identifier.
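The following is an added example, not code from the original article or from FingerprintJS. It shows signals being combined into one visitor hash, and why a bare hash is volatile: a single changed signal yields a new hash, so a server has to compare signals to link the two observations. The signal names, the sample values, the FNV-1a stand-in hash and the 0.8 similarity threshold are all assumptions.

```javascript
// Added example. Signal names and values are constructed for illustration.

// FNV-1a (32-bit): a dependency-free stand-in for a real digest such as SHA-256.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Canonical form: keys sorted, so collection order never changes the hash.
function canonicalize(signals) {
  return Object.keys(signals).sort()
    .map((k) => `${k}=${JSON.stringify(signals[k])}`)
    .join('\n');
}

function visitorHash(signals) {
  return fnv1a(canonicalize(signals));
}

// Share of signals whose values agree between two observations (0..1).
function similarity(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  let same = 0;
  for (const k of keys) {
    if (k in a && k in b && JSON.stringify(a[k]) === JSON.stringify(b[k])) same++;
  }
  return keys.size ? same / keys.size : 0;
}

// Server side: link an observation to the closest stored visitor, if close enough.
function matchVisitor(observation, stored, threshold = 0.8) {
  let best = null;
  for (const v of stored) {
    const score = similarity(observation, v.signals);
    if (score >= threshold && (best === null || score > best.score)) {
      best = { id: v.id, score };
    }
  }
  return best;
}

// Constructed sample: one stored visitor, then the same browser after an update.
const stored = [{ id: 'visitor-1', signals: {
  userAgent: 'ExampleBrowser/100', timezone: 'Europe/Berlin', language: 'de-DE',
  screen: [1920, 1080], canvasHash: 'c0ffee01', audioHash: 'a0d10f01',
} }];
const afterUpdate = { ...stored[0].signals, userAgent: 'ExampleBrowser/101' };
const stranger = { ...stored[0].signals, userAgent: 'OtherBrowser/7',
  timezone: 'Asia/Tokyo', language: 'ja-JP', canvasHash: 'deadbe01' };

console.log(visitorHash(stored[0].signals), visitorHash(afterUpdate)); // two different hashes
console.log(matchVisitor(afterUpdate, stored)); // linked to visitor-1 (5 of 6 signals agree)
console.log(matchVisitor(stranger, stored));    // null (2 of 6 signals agree)
```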
Fingerprinting and Online Fraud Detection
When you’re dealing with fraud, take note that only a small number of your site visitors are responsible for fraudulent activities. Hence, your developer team has to find a way to isolate these site users, identify them, verify them through authentication, and add them to your site blacklist. However, you need to keep these security layers away from your trusted traffic since extra authentication steps can cause an unpleasant user experience. More strict site security can also slow down account accessibility, purchase making, and overall site engagement.
Browser fingerprinting techniques are incredibly useful to identify visitors with a pattern of fraudulent behavior, and then target only these visitors for additional security. Fraudsters often use identity concealing techniques like disabling cookies, surfing through a VPN, or using browsers in incognito mode. These are all areas where fingerprinting proves to be at its best since it identifies users quickly without the reliance on IP addresses and site cookies.
One of the most common fraud use cases is account takeover, where malicious users will try to hack a legitimate user’s account and make purchases or steal their identity. With browser fingerprinting and related user identification technologies, additional security can be added to the login process for suspicious traffic only. This makes it more difficult for untrusted traffic to log in and take over trusted users’ accounts.
If your website is experiencing brute force or bot attacks, a best practice is to ask users to solve a CAPTCHA after each unsuccessful login attempt. After three to five unsuccessful login attempts, set your system to lock out the user for a period of time.
If your users are often the target of phishing scams, you can require email or two-factor authentication when a new fingerprint attempts to log in. And if such fingerprints repeatedly visit your site, you can also blacklist them.
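The two recommendations above can be expressed as one login policy keyed by visitor fingerprint. This is an added example, not code from the original article or any vendor SDK; the class name, the in-memory store, the 15-minute lockout and the limit of five failures are assumptions.

```javascript
// Added example. Thresholds, names and the in-memory store are assumptions.
const MAX_FAILURES = 5;            // the text suggests three to five
const LOCKOUT_MS = 15 * 60 * 1000; // "a period of time": 15 minutes assumed

class LoginGuard {
  constructor() {
    this.failures = new Map();    // fingerprint -> { count, lockedUntil }
    this.knownPrints = new Map(); // account -> Set of fingerprints with a past successful login
    this.blocked = new Set();     // fingerprints banned outright
  }

  // What to demand from this visitor before the password is even checked.
  challengeFor(account, fingerprint, now) {
    if (this.blocked.has(fingerprint)) return 'deny';
    const f = this.failures.get(fingerprint);
    if (f && f.lockedUntil > now) return 'locked';
    if (f && f.count > 0) return 'captcha';
    const known = this.knownPrints.get(account);
    if (known && !known.has(fingerprint)) return 'second_factor';
    return 'password_only';
  }

  // Call after the credential check (and any required challenge) has completed.
  record(account, fingerprint, success, now) {
    if (success) {
      this.failures.delete(fingerprint);
      if (!this.knownPrints.has(account)) this.knownPrints.set(account, new Set());
      this.knownPrints.get(account).add(fingerprint);
      return;
    }
    const f = this.failures.get(fingerprint) || { count: 0, lockedUntil: 0 };
    f.count += 1;
    if (f.count >= MAX_FAILURES) f.lockedUntil = now + LOCKOUT_MS;
    this.failures.set(fingerprint, f);
  }
}

// Constructed scenario: a known browser, a new one, and a guessing client.
function runScenario() {
  const guard = new LoginGuard();
  const out = [];
  guard.record('alice', 'fp-home', true, 0);
  out.push(guard.challengeFor('alice', 'fp-home', 1000));   // password_only
  out.push(guard.challengeFor('alice', 'fp-new', 1000));    // second_factor
  guard.record('alice', 'fp-bot', false, 2000);
  out.push(guard.challengeFor('alice', 'fp-bot', 3000));    // captcha
  for (let i = 0; i < 4; i++) guard.record('alice', 'fp-bot', false, 4000);
  out.push(guard.challengeFor('alice', 'fp-bot', 5000));    // locked
  out.push(guard.challengeFor('alice', 'fp-bot', 4000 + LOCKOUT_MS)); // captcha again
  guard.blocked.add('fp-bot');
  out.push(guard.challengeFor('alice', 'fp-bot', 4000 + LOCKOUT_MS)); // deny
  return out;
}
console.log(runScenario());
```

Because the fingerprint is computed on the client, a production policy would also count failures per account, so that a client presenting a fresh fingerprint on every attempt still reaches the lockout.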
For virtually all types of fraud, the first step in stopping the malicious activity on your website is accurate user identification technology. That way, you can accurately single out the bad apples while keeping your trusted users satisfied with your website performance.
Whether you have a newly-built website or you’ve been in the online industry for years, you can safeguard your leads, clients, and business if you can stop fraud at the source. Start a 30-day trial to see what accurate user identification technology can do for you.
Is it possible to defend against browser fingerprinting?
Browser fingerprinting is quite a powerful method of tracking users around the
Internet. There are some defensive measures that can be taken with existing
browsers, but none of them are ideal.
Try to use a “non-rare” browser
The most obvious way to try to prevent browser fingerprinting is to pick a
“standard”, “common” browser. It turns out that this is surprisingly hard
to do. It appears that the most
likely candidate would be the latest version of Firefox
running on a modern Windows version. But even so, many of those Firefox on
Windows browsers can be distinguished from one another by the enormous
range of plugin versions and fonts that can be installed with them.
Pending the results of the Panopticlick experiment, the only browsers
which we believe really meet the conflicting criteria of being common but
not accompanied by high-entropy
plugin and font configurations are the browsers in smartphones. This is not
intuitive, since these browsers tend to be less common than desktop
browsers. But, importantly, there are few other variables beyond the user
agent. Current versions of the iPhone, Android, and Blackberries do not
vary much with respect to plugins, installed fonts, or screen size. This
situation may well change in the future, but until it does, most of these
devices are far less fingerprintable than any sort of desktop PC.
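The argument above, that a less common browser can still be harder to fingerprint when little besides the user agent varies, can be checked numerically. This is an added example, not part of the original text or the Panopticlick code; the 16-browser population and the signal values are constructed so that the arithmetic is easy to follow.

```javascript
// Added example. The population below is constructed, not measured data.
function buildPopulation() {
  const pop = [];
  // 8 desktops share the most common user agent but differ in fonts and plugins.
  for (let i = 0; i < 8; i++) {
    pop.push({ ua: 'Firefox/Windows', fonts: `font-set-${i}`, plugins: `plugin-set-${i % 4}` });
  }
  // 4 phones share a rarer user agent and have nothing else to tell them apart.
  for (let i = 0; i < 4; i++) {
    pop.push({ ua: 'Safari/iPhone', fonts: 'stock', plugins: 'none' });
  }
  // 4 assorted other browsers.
  for (let i = 0; i < 4; i++) {
    pop.push({ ua: `Other/${i}`, fonts: 'stock-desktop', plugins: 'none' });
  }
  return pop;
}

// Anonymity set and surprisal (-log2 of the matching share) for the chosen signals.
function identifiability(pop, target, keys) {
  const anonymitySet = pop.filter((r) => keys.every((k) => r[k] === target[k])).length;
  return { anonymitySet, bits: -Math.log2(anonymitySet / pop.length) };
}

function compare() {
  const pop = buildPopulation();
  const desktop = pop[0];
  const phone = pop[8];
  const all = ['ua', 'fonts', 'plugins'];
  return {
    desktopUaOnly: identifiability(pop, desktop, ['ua']),
    phoneUaOnly: identifiability(pop, phone, ['ua']),
    desktopFull: identifiability(pop, desktop, all),
    phoneFull: identifiability(pop, phone, all),
  };
}
console.log(compare());
```

Judged by user agent alone the phone is the rarer browser, but once fonts and plugins are included the desktop is unique in this population while the phone still hides among four identical devices.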
because it cuts off the methods that websites can use to detect plugins and
fonts, as well as preventing the use of most kinds of supercookie.
allowing others to use it are available. One, NoScript, tends to be overprotective: it will
sites. This is a lot of work, and requires good intuitions about when a
underprotective. AdBlock Plus tends to be quite good at blocking ads,
because users can instantly see when they’re present. Tracking or
fingerprinting scripts are generally invisible, so even the AdBlock Plus
subscriptions that focus on
privacy will tend to miss a lot of tracking sites.
Modern versions of TorButton “standardize”
various browser characteristics like the User Agent string, in order to
prevent them from being used to track Tor users. TorButton is also quite
measures make TorButton a strong defense against fingerprinting.
Unfortunately, browsing through Tor is currently a lot slower than browsing
A Better Solution: Browsers’ “Private Browsing” Modes
There is a lot that browser and plugin developers could do to protect
their users against fingerprint tracking. In general, it might not be a
good engineering decision to remove all of the version-number entropy from
browsers, since knowing the precise version of flash, quicktime, or
whatever, is occasionally useful for debugging.
One solution would be to add a “debugging” mode to browsers, and to round
version numbers off when the browser is not in debugging mode. Another
solution would be to improve the “private browsing”
modes that are already present in most modern browsers, so that when the
mode is active, User Agent, plugins and font lists take
on standardized values (or, perhaps, normalized values).
All You Need to Know About Browser Fingerprints – DZone Security
Unlike the static websites of the past, today’s websites are honed to be able to identify your device through a set of parameters and using a range of sophisticated techniques. This allows the website owners to limit your activities on the website, collect information about your system, or feed you the information deemed appealing in your particular case.
A fingerprint or sometimes a footprint is a digital representation of a user’s device consisting of information about your operating system, settings, active browsers, installed plug-ins, etc. Such a fingerprint is generated as a unique code or image.
If you use proxies to increase your browsing anonymity, you need to match your proxy-related parameters with the current fingerprint attributes.
In this article, we will cover some of the most useful practices shedding some light on the type of fingerprints that your browser leaves on the web and ways to successfully increase your anonymity.
Types of Fingerprints
The way fingerprinting works is through collecting information on your system that increases its ‘entropy’ (i.e. uniqueness), so it becomes easily identifiable by the website. The fingerprints your browser and computer leave on a website reveal a surprising amount of information about the user. It includes a whole number of parameters ranging from the browser user agent, operating system version, and browsing history to screen resolution, WebGL renderer, device IDs, network IPs, WebRTC, and even battery info.
Browser headers (User-Agent, HTTP, ACCEPT, Do Not Track).
Information about cookies and “super” cookies enabled or disabled in the browser.
Installed browser plug-ins, their versions, and updates.
In addition to browser-based fingerprints, you should also be aware of the cross-browser fingerprinting. Modern fingerprint trackers will collect and analyze information from different browsers using the same hardware and easily identify the end-user.
Cross-Browser Fingerprinting allows tracking the following:
Number of cores in the processor.
List of fonts and installed languages.
Analysis of responses to operations performed by the browser involving the operating system and hardware components (2D and 3D rendering of shapes and pictures, creating shadows, etc.).
Such data is browser-independent.
In the section below, we describe all features of your system that leave fingerprints tracing back to your software and hardware settings.
User agents are obvious fingerprints of your system. The browser user-agent is intended to facilitate end-user interaction with web content, and it is part of the request header that contains more information, such as the accepted language and accepted text/html.
The user-agent format in HTTP consists of a list of product names and versions.
For example: Mozilla 5.0 and layout engine and version, e.g. Gecko 1.0
Cookies are only relevant within the same domain. All cookies, including evercookies, can be easily cleared or blocked through a set of easy actions. From the perspective of fingerprinting, standard cookies can be easily deleted from the system once you set your browser into the ‘incognito’ mode.
There are two types of web storage: local storage and session storage. An item of local storage is visible across all tabs of all windows and persists even after the browser is closed. It behaves somewhat like a cookie with an expiration date very far in the future. An item of session storage, on the other hand, is only visible within the tab where it was created, and it disappears when the tab is closed.
When you visit a website a special fingerprinting script draws a sample text with font and size of choice and adds a background. This text may contain 2D objects and emojis. Then, the script reads the rendered image data back to compare pixel precision.
The same shape or text will be rendered in different ways on different computers, depending on the operating system, font libraries, graphic card, graphics card driver, and the browser.
WebGL works in a way similar to Canvas but renders interactive 3D objects in the browser without the use of plugins.
The website may gain info on your graphics card vendor and model. This indirectly leaks the operating system as Windows or Mac OS.
The WebRTC (or web real-time communication) nodes are used for collecting info on IP addresses for providing the best routes between two peers in the network. If leaked, this info can be easily used for fingerprinting.
If you use to test your system, you will be able to see your network IP and, below it, WebRTC detecting the ethernet address in your office, along with device IDs. Make sure to turn off WebRTC to avoid IP leaks when using a proxy through a browser.
Below, we have listed common ways to overcome the problem of digital fingerprinting to ensure anonymous browsing.
VPNs and Proxy Servers
VPN or proxy is the easiest method to bypass regional restrictions. It changes your IP to the one available on the service.
However, proxies on their own, do not protect against multiple trackers and don’t affect the cookies already in your system. That’s why it’s important to complement your proxy usage with additional manipulations with your fingerprints.
To make your fingerprint less unique, you might want to tweak the following settings manually.
Change the time zone of your device.
Set a different language for the device operating system.
Set a different language for your browser.
Change the resolution of the device screen.
Change the viewing scale (zoom in/out) on a web page.
Install or remove browser plug-ins.
Some may find these methods radical and somewhat inconvenient for surfing but, nevertheless, it helps significantly improve your browsing anonymity.
Tips and Recommendations
If you are using Firefox or Chrome, the following recommendations will be right for you to ensure anonymous surfing.
Consider installing the following plug-ins to increase your browser’s anonymity:
User Agent Switcher – swaps the user agent of the browser.
Ghostery – blocks analytics trackers, ads, and other beacons.
Besides the plugins, you should always disable WebRTC on your computer. It is important to prevent the IP leak of your local IP subnet. In most cases, disabling WebRTC will not affect the website behavior and will not block you.
To do that in Firefox, type about:config, search for erconnection.enabled, and set it to false, or search for some plugins to do the job.
In Chrome, you can install the extension WebRTC Leak to prevent extension. Or type:
about:config and disable the above attributes. Otherwise, this can be done by adding a noscript plugin to block scripts that run on the browser.
In Chrome, this can be performed by typing chrome://flags and going over the list and disabling: Accelerated 2D canvas, Composited render layer borders, Tint GL-composited content, Enable draw occlusion, all options mentioning WebRTC.
There are also some specially assembled browsers for anonymous web surfing such as Pale Moon, an open-source browser based on Firefox, Selenium, or Puppeteer.
When working with automated browsers, you can choose to block some of the fingerprint utilities as some target sites will allow access without any fingerprint data. To do this, you disable Java, remove Flash, disable WebRTC, WebGL, and canvas.
You can also use Multiloginapp, a platform designed to swap different browser fingerprints. The program is designed to work with a large number of browser profiles. Each profile is placed in its own “container” eliminating the risk of leaking browsing history, cookies, and fingerprints between the profiles.
However, some target sites might block you when you remove some fingerprint features, and can return null data.
You should also note that when you use browser automation tools to emulate desktop or mobile users, it is important to replace the headless browser user-agent. For example, with Puppeteer, which utilizes Chromium, the user-agent includes the string “HeadlessChrome”, which is easy to detect.
Replacing the user-agent can be done by adding “setUserAgent” to your Puppeteer code as follows:
For replacing your user-agent data, check out this website:
Testing Your System for Fingerprints
After all the manipulations, you should check all the current fingerprints that your browser leaves. We recommend using the following list of websites for this procedure.
When using Multiloginapp, please check each of your profiles individually:
The modern Internet is collecting tons of info on each individual user. To avoid successful fingerprinting of your system, we recommend setting and verifying unique system configuration or using special tools described above. Once you do that, you will have much better chances for safe anonymous browsing with your new proxies.
Frequently Asked Questions about browser fingerprints
Is browser fingerprinting bad?
Fingerprinting is bad for the web. The practice of fingerprinting allows you to be tracked for months, even when you clear your browser storage or use private browsing mode — disregarding clear indications from you that you don’t want to be tracked.
How do I check my browser fingerprint?
If you wish to check your browser fingerprint, go to the homepage and click “View my browser fingerprint.” Please note, the website will collect your browser fingerprint and put a cookie on your browser for four months to help with their purpose. (Apr 26, 2021)
Who uses browser fingerprinting?
Today, browser fingerprinting is commonly used by online advertisers as a next-gen user tracking mechanism. Advertisers run different types of fingerprinting operations, create one or more “fingerprints” for each user, and then use them to track the user as he/she accesses other sites on the internet. (Aug 26, 2020)