BrowserSpy.dk: Reveals more than enough information

For various reasons, Web browsers freely pass information to Web hosts. Lots of information, just ask BrowserSpy.dk.

---------------------------------------------------------------------------------

In my last article, I referred to Panopticlick, a Web application that determines how identifiable/traceable a Web browser is, just from the information it passes to Web sites. Using Panopticlick, the Electronic Frontier Foundation (EFF) looks at the following characteristics, ultimately calculating the entropy level of your Web browser:

  • User Agent
  • HTTP Headers
  • Browser Plug-in Details
  • Time Zone
  • Screen Size and Color Depth
  • System Fonts
  • Are Cookies Enabled?
  • Limited super cookie test
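
To make the entropy figure concrete, here is an added example (not code from this article, BrowserSpy.dk or the EFF) that computes the bits of identifying information for a combined fingerprint and the Shannon entropy of each attribute. It also shows how counting repeat visits from one browser changes the result. The attribute names, the `visitor` cookie ID and all sample values are constructed assumptions.

```javascript
// Added example with constructed data; not Panopticlick's code or dataset.
// `visitor` stands in for a persistent cookie ID (an assumption) used to count a browser once.
const visits = [
  { visitor: "a", userAgent: "Firefox/3.6", timeZone: -360, screen: "1280x1024x24", cookies: true },
  { visitor: "a", userAgent: "Firefox/3.6", timeZone: -360, screen: "1280x1024x24", cookies: true },
  { visitor: "b", userAgent: "Firefox/3.6", timeZone: -360, screen: "1024x768x24", cookies: true },
  { visitor: "c", userAgent: "MSIE 8.0", timeZone: 60, screen: "1280x1024x24", cookies: true },
  { visitor: "d", userAgent: "MSIE 8.0", timeZone: 60, screen: "1280x1024x24", cookies: true },
  { visitor: "e", userAgent: "Chrome/4.0", timeZone: 60, screen: "1440x900x32", cookies: false },
];
const ATTRS = ["userAgent", "timeZone", "screen", "cookies"];

// Keep only the first visit recorded for each visitor ID.
function dedupe(records) {
  const seen = new Set();
  return records.filter(r => !seen.has(r.visitor) && seen.add(r.visitor));
}

// Count how often each distinct key occurs.
function tally(records, keyFn) {
  const counts = new Map();
  for (const r of records) counts.set(keyFn(r), (counts.get(keyFn(r)) || 0) + 1);
  return counts;
}

// A "one in N browsers" result conveys log2(N) bits of identifying information.
const bitsFromOneIn = n => Math.log2(n);

// Bits conveyed by one browser's combined fingerprint within a population.
function fingerprintBits(records, browser) {
  const key = r => ATTRS.map(a => String(r[a])).join("|");
  const count = tally(records, key).get(key(browser)) || 0;
  return count === 0 ? Infinity : bitsFromOneIn(records.length / count);
}

// Shannon entropy (bits) of a single attribute across the population.
function attributeEntropy(records, attr) {
  let h = 0;
  for (const c of tally(records, r => String(r[attr])).values()) {
    const p = c / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const population = dedupe(visits);
console.log("visitor a, deduplicated:", fingerprintBits(population, visits[0]).toFixed(2), "bits");
console.log("visitor a, raw visits:  ", fingerprintBits(visits, visits[0]).toFixed(2), "bits");
for (const a of ATTRS) console.log(a, attributeEntropy(population, a).toFixed(2), "bits");
```

In this sample, visitor "a" conveys about 2.32 bits once repeat visits are removed but only about 1.58 bits in the raw log, because the repeat visit makes that fingerprint look more common than it is.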

In my recent wanderings around the Internet, I found a Web site called BrowserSpy.dk. The Web site is Panopticlick on steroids, performing the same checks that Panopticlick does, plus an additional 64 tests. I had no idea that much information could be obtained from Web browsers.

BrowserSpy.dk

BrowserSpy.dk is the brainchild of Henrik Gemal. The Web site started out as a few JavaScript utilities back in 1999. Henrik describes the Web site as:

"A collection of online tests that show you how much personal information can be collected from your browser just by visiting a Web page.

BrowserSpy.dk can tell you all kinds of detailed information about you and your browser. Information ranging from simple stuff like the name and version of your browser to more detailed stuff like what kind of fonts you have installed and what hardware you're running on."

Some questions

I managed to get in touch with Henrik. During our e-mail conversation, I asked several questions about BrowserSpy.dk and why he was so interested in this particular facet of IT. Here are those questions and his responses:

TechRepublic: What inspired you to devote so much time and effort to BrowserSpy.dk?

Henrik Gemal: I mainly use it at work or for support when people have no idea what version of browser or operating system they are running. At a point, the purpose of BrowserSpy.dk changed a bit. Now, it is a challenge for me to find out just how much information I can get out of a Web browser.

TechRepublic: If you had to pick just five tests, which ones would you consider the most important?

Henrik Gemal: The tests I consider important are:

Browser: This was the very first page I've created in the BrowserSpy.dk suite.

CSS Exploit: A bit scary, since we are able to check which sites you have been visiting.

Fonts via Flash: Yes, we can see your fonts too.

IP Address: Use this page if you have to get the IP address.

Java: I like to stay updated in terms of software and sometimes I check what version of Java I'm running.

TechRepublic: In your experience, do different Web browsers (in default condition) reveal varying amounts of information?

Henrik Gemal: Internet Explorer has and still does reveal much more information than the other systems. After IE, they pretty much reveal the same information.

TechRepublic: Do you agree with the EFF (Panopticlick), that information provided by a Web browser is sufficient to identify and track the computer/user combination?

Henrik Gemal: Yes, I do think that. Not really sure what it can be used for, but we could see someone taking advantage of it. I've heard of a security company that did profiling of PCs using information that Panopticlick and BrowserSpy.dk reveal.

Footprints

As I checked out each of the tests, I began to understand how much information specific to my Web browser and computer can be captured by Web sites. Henrik mentioned that he wasn't sure what it could be used for, but the EFF believes it can be used to form an identifiable footprint. That in and of itself is enough.

Final thoughts

Knowing what I do now, I will not surf the Internet without my trusty NoScript set to forbid everything. I realize it is a pain to manually allow each JavaScript to run. Yet, that seems less painful than having to rebuild a computer.

I would like to thank Henrik Gemal for his useful and informative Web site, as well as taking time to answer my questions.

53 comments
wilson

Can you tell me if the browserspy site has gone offline, as I cannot access it? Thanks, Wilson

Ocie3

BrowserSpy certainly shows just how much data that it is possible to obtain about the computer system which is executing the browser that fetches pages from its web site. It is credited on the Panopticlick results page with "Thanks to browserspy.dk for the font detection code,...". With Firefox NoScript preventing JavaScript from being executed (if that is the right word), apparently both of these data-gathering programs cannot ascertain much that is not disclosed by the HTTP packet headers. That has not been surprising to me, personally. What has been a bit eye-opening is how much the headers do disclose. Then again, it does not, for the most part, seem that the headers disclose data that is not necessary, or at least useful, for the web site to send information that the browser is capable of displaying. In that respect, the Firefox User Agent Switcher extension seems to have more potential for harm than good. It also does not have the interface and options that are shown on the What's My Agent? web site. Panopticlick seems to return a different result almost every day that I pay a visit with Firefox and use the "Test Me" button (which does not require JavaScript to function). Currently my Firefox configuration is 1 in 28,943 and the entropy is 14.82 bits. Whether that will be the same tomorrow is anybody's guess. I've been wondering whether the Panopticlick results are skewed if someone makes multiple visits to the web site, especially if they have made a change that results in a different fingerprint, but one which has been found before. The program appears to be creating a database of "fingerprints" and the calculated bits of entropy for each one. It also appears to tally the number of unique fingerprints on record. So, I have sent an e-mail message to ask the Panopticlick personnel whether someone who makes repeated tests with the same configuration will skew the contents of the Panopticlick database.
Which is another way of asking whether the program tallies the number of tests that have been made which produce the same fingerprint. I don't see how they could calculate how common my Firefox fingerprint is without making such a tally.

jkameleon

... nothing special showed up, except Windows Media Player GUID. Damn! :-@ I think I'm going to uninstall the bloody thing, and start using something else.

santeewelding

Like I'm standing in front of a terahertz detector.

seanferd

I see OpenDNS detection has also been added.

Michael Kassner

BrowserSpy.dk is a one-stop Web site where you can find out what your Web browser is telling the rest of the Internet about you and your computer. Edit: Spelling

Michael Kassner

It appears to be down. I emailed Henrik and will post with the answer.

Michael Kassner

I guess I don't see your point about skewing the results in the grand scheme of things. The data base has almost half a million tests. Think about the number of tests required to become .01 percent of the total results.

Michael Kassner

Which part of the electro-magnetic spectrum terahertz referred to. Oddly enough, I just read an article about those detectors on our favorite PhysOrg web site. Edit: Spelling

Michael Kassner

I would be extremely paranoid if it wasn't for NoScript.

AnsuGisalas

Browserspy that is... I just get this :"Fatal error: require_once() [function.require]: Failed opening required 'HTML/Menu.php' (include_path='/home/gemal/php:.:/usr/lib/php:/usr/local/lib/php') in /home/gemal/public_html/inc/gmenu.php on line 9" I wonder if it's an on their end or mine... The panopticlick says unique among 829,326 tested, and 19.66 bytes.

Slayer_

Is as you would expect normally, but I turned on orcas built in script blocking (works same as Avant). It grabbed almost no information at all. It figured out my user agent and header, that's it.

Tony Hopkinson

I enabled scripting on the site and allowed it to set a cookie.... ... :D And not that much after that :D :D Local IP, though I'm not seeing a lot of use for it, was a bit of a surprise though.

Ocie3

repeatedly alters characteristics of the browser(s) that they use and have Panopticlick conduct the test after each change, then that would not matter at all. The problem is that it is not likely to be just one person who does that, whether a few times or many. Few members of the general public are likely to hear much about Internet privacy issues, let alone visit the Panopticlick web site to test whether their browsers have unique "fingerprints" with which their browsing can be tracked. But they are exactly the sort of Internet users that the EFF needs to do that. Instead, most of the visitors are likely to be "tech savvy", and some will experiment with changing their browser(s) to see what the test reports afterward. Peter Eckersley replied to my e-mail message to point out that my conjecture has been addressed in the FAQ, and in the Panopticlick Privacy Policy, by setting a persistent cookie that expires after 90 days. He also acknowledged that there is "quite a lot of double-counting in the live data" because some people do not let the browser accept cookies, and others will delete cookies (e.g., just before the browser exits) and return to Panopticlick. He concluded with "We're running some statistical analyses where we try to adjust for those effects, and we'll publish those when they're ready." FAQ: https://panopticlick.eff.org/faq.php Privacy policy: https://panopticlick.eff.org/privacy.php The FAQ is, in fact, a quite interesting discussion of the Panopticlick test and why it was designed and implemented to function as it does.

Neon Samurai

One user visiting daily with a different signature might not make a difference but statistically, there must be others out there doing the same. There could be potential for gaming the system much like the old Google bombs.

jkameleon

the previous test was from work. Well, what do you know. Browserspy was unable to get Windows Media Player GUID this time, neither from Firefox, nor from IE. I got to speak with our security gal about that. Results for Panopticlick from my home computer: Your browser fingerprint appears to be unique among the 605,983 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 19.21 bits of identifying information. Results are nearly identical for IE, mozilla, and even my daughter's ubuntu box.

seanferd

I am so very glad that NoScript exists. I think of the "old-days" and shudder.

Michael Kassner

I emailed Henrik and will pass on any information I get.

Michael Kassner

Is to go to panopticlick now and see what your entropy is. That will tell you how anonymous you really are.

Michael Kassner

I was surprised by the internal IP addr showing up as well. My main concern is that you disable JavaScript and I do as well. Most members in fact do, but what about the millions that don't?

Michael Kassner

I should have pointed them out in the article. I think you are correct about the people that are running tests as well. It will be interesting to see what they turn up.

Michael Kassner

I struggled trying to remember what "Google bombing" was.

Neon Samurai

With google bombing there was at least the result of redirecting search results.

Michael Kassner

For not much gain, other than to mess up test results.

Michael Kassner

I thought you stumbled onto something that you did not tell me about.

Neon Samurai

That would be my brainfart today. I meant "the EFF website" but FSF is what ended up getting typed. Been a long few days at work.

Neon Samurai

I'm actually an article behind in this discussion as my scoring was from the FSF's tool rather than the topic of this article. But yes, the bit strength (anonymity) would be far better a measure than the number of tests one ran.

Michael Kassner

I am asking them about that. I just suggest using the number of bits as a reference, not the number of tests.

Neon Samurai

My head is stuck in hardware world today so I might be missing it. So potentially, the lack of script support causes invalid results because the audit tools can not run rather than the audit tools running but returning a far more identifiable browser because of the lack of script support? hm.. I should hit it with Lynx to see what that returns.

Michael Kassner

Disabling JavaScripts may be messing up the results. You get two different sentences. Here is the one with JS enabled: Your browser fingerprint appears to be unique among the 609,761 tested so far. Now with JS disabled: Within our dataset of several hundred thousand visitors, only one in 520 browsers have the same fingerprint as yours. I think you have to ignore this and just use the number of bits as an indicator of entropy reduction, less bits being better.

Neon Samurai

One can either be protected from the inside or anonymous from the outside it seems. Sadly, this would indicate that many people are not protecting themselves from scripts.

Neon Samurai

The three big browsers were all around 1 in 604,000. Before enabling scripts, Firefox was ranking about 1 in 95,000 though.

Neon Samurai

I've been using it apprehensively for testing but checking regularly in hopes that NoScript turns up. In terms of plugins, if you install Flash there are two separate files. One is the ActiveX for IE's use. The other is a generic plugin which works for both Firefox and Chrome. Both chromium and mozilla browser engines inside Google Chrome and Firefox are able to use the same Flash plugin. I believe the Flash download site actually says "plugin for Mozilla or Chrome". This leads me to believe that the plugin system for either browser is not different enough to make porting NoScript from Firefox/mozilla over to GoogleChrome/chromium. I was thinking in terms of engines rather than brand names and also remembering the way it was worded on Adobe's site the last time I went to get updates.

Neon Samurai

I'm still looking for a good script blocker though and am really waiting to see if NoScript gets ported over. The plugin system seems to be fairly compatible with the same Flash blob working under mozilla and chrome.

Michael Kassner

I don't try Chrome. I am anxious to try it, but no way.

Michael Kassner

I think disabling JS makes us more unique in this respect, but safer in every other.

Slayer_

Oh well. There are far more effective methods of personal data mining than this.

Michael Kassner

Is the amount entropy is reduced. The site mentions that approximately 33 bits are required to identify a person. In the case of a Web browser the more bits the more unique it is, thus lower entropy. Unless I am mistaken the bit count is what you should pay attention to. The amount of tests is just the total number ran.

Slayer_

Said I was unique out of 600k people or so. I don't see where on that site it says the entropy. Your browser fingerprint appears to be unique among the 609,680 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 19.22 bits of identifying information. And with scripts turned off I get. Your browser fingerprint appears to be unique among the 609,685 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 19.22 bits of identifying information. Same score, but all the detections below it failed. How can I be unique if I keep retesting myself? Something seems flawed here.

Michael Kassner

Flash/LSO cookies too. I found that BetterPrivacy seems to miss a few once and awhile.

Neon Samurai

I don't allow anything by default. The temporarily allow feature resets the site's script permission when the browser is closed. For TR, if you temporarily allow com.com, you'll get the news articles and forums displayed without needing "temporarily allow all on techrepublic.com.com"

Michael Kassner

Allows you to pick and choose what is allowed. I look at that as the best scenario/option.

Slayer_

99% of sites, including TR, don't work with scripting disabled...
