upvote

points

by ranger_danger19 hours ago |
comments
upvoteby Springtime18 hours ago|
next
[-]
> Disabling JavaScript actually greatly increases your fingerprint as not many users turn it off, so that instantly puts you in a much smaller bucket that you need to be unique in.

I've heard a handful of people say this but are there examples of what I would imagine would have to be server-side fingerprinting and the granularity? Since most fingerprinting I'm aware of is client-side, running via JS. While I expect server-side checks to be limited to things like which resources haven't be loaded by a particular user and anything else normally available via server logs either way, which could limit the pool but I wonder how effective in terms of tracking uniqueness across sites.

reply
upvoteby ranger_danger14 hours ago|
parent|
[-]
In addition to server-side bits like IP address, request headers and TLS/TCP fingerprints, there are some client-side things you can do such as with media queries, either via CSS styles or elements that support them directly like <picture>. You can get things like the installed fonts, screen size/type or platform/browser-specific identifiers.

https://fingerprint.com/blog/disabling-javascript-wont-stop-...

There is also a method of fingerprinting using the favicon: https://github.com/jonasstrehle/supercookie

reply
upvoteby throwawayqqq1118 hours ago|
prev|
next
[-]
I have my problems with that argument. Yes, less identifying bits means a smaller bucket but for the trackers, it also means more uncertainty, doesnt it? So when just a few others without JS join your bucket eg. via a VPN, profiling should become harder.
reply
upvoteby hypeatei17 hours ago|
prev|
[-]
> increases your fingerprint as not many users turn it off

We're talking about users of the Tor browser, and I'd be very surprised if this was the case (that a majority keep JS turned on)

Basically every Tor guide (heh) tells you to turn it off because it's a huge vector for all types of attacks. Most onion sites have captcha systems that work without JS too which would indicate that they expect a majority to have it disabled.

reply