NO-JS fingerprinting

Episode One

links2gang presents: fingers and sandpaper. But you don't have to be a links2 user to know of this feature.

nojspfingerprinting in links2 is a headache

Recently I came across a fun tracking feature. There is a method in the wild that is able to fingerprint your browser without the use of JavaScript, seemingly dependent on CSS alone. Maybe you already know of the traditional tactics of fingerprinting your browser through the use of JavaScript. For the links2 user this is irrelevant, but this no-js method is capable of fingerprinting text browsers and non-js browsers alike.

https://noscriptfingerprint.com/

Visit the URL, get your fingerprint and see the Details of what your fingerprint is supposedly constructed from. (If you're visiting from links, click the IFrame link.)

Preliminary discoveries

Somewhat expectedly, running links in text mode and graphical mode returns a different fingerprint. Size of either window seems to play no role. But those two fingerprints remain the same.

Now what?

You're probably already using a fake user-agent with links2, whether through the check box at the top or by entering your own in the text field. Note that checking the box will overwrite whatever you wrote in yourself, as well as the extra headers.

However, changing the actual user-agent does not affect the fingerprint. What actually does so in links2 is the extra headers section.

links2 user-agent

If you check the box "Fake firefox", the extra headers are these:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 \ Accept-Language: en-US,en;q=0.5

The overkill experimentation

Let's say you have your links2 configured to your liking (and have saved that configuration). This is important, because the next step is going to be a bit of a hassle unless you speak all sorts of languages - you see, the simplest way to change the fingerprint is to change the language of links itself (which changes the header).

For the purposes of this experiment let's make a new file in ~/languages and put in the following:

english
danish
slovak
polish
german
greek
romanian
czech
russian

Next we'll run the following command, which picks a random language from the file and opens the fingerprinting site:

 links -g -language "$(cat ~/languages | sort -R | sed 1q)" https://noscriptfingerprint.com/

Be sure to hard refresh the page with Ctrl-r (otherwise the previous result might be cached) and then click IFrame, then show

Now depending on what language was randomly picked, the fingerprint will be different every time. The problem is that this gives us only 9 potential fingerprints (the number of languages we provided in the ~/languages file). links2 does speak around 30 languages, so at best this can give you 30 unique fingerprints.

HEADER caveats

There are probably saner HTTP headers to change, but as an experiment this is a proof of concept of how to manipulate the fingerprint.

from links(1) man page:

 -http.extra-header <string>
              Extra string added to HTTP header.

A good place to check what your headers currently are (and to subsequently see if the fingerprint has changed) is wtfismyip.com/headers

One could also use a completely arbitrary header, something like links -g -http.extra-header "Accept: $RANDOM/$RANDOM" https://noscriptfingerprint.com/, which will affect the fingerprint. It seems to make more sense, though, to rotate through real (useless?) headers, which is what the language trick does, so as not to make the browser stand out.

Should you care?

I don't know, you tell me. See how you can combat this nifty invention in the browser of your own choice.

NO-JS Fingerprinting (slight return)

ema stares at a fingerprint

Some surprises can be pleasant.

In the previous article I explored how JavaScript-less fingerprinting works in simple browsers. The preliminary discovery was that all that particular method can do without any CSS is fingerprint your browser based on HTTP headers. I presented a rather rudimentary way of manipulating the fingerprint. What did not occur to me at the time was that links2 is in fact already equipped with countermeasures against this nifty feature of the modern web.

Fake Firefox

links2 setup

In links' Setup - Network options - HTTP options - Header options resides the option to spoof the user-agent of the browser, as well as the option to add extra headers. At the time, and up until very recently, I thought all that option did was spoof the user-agent of a Firefox browser. What has been revealed to me, however, is an important discovery: checking the Fake Firefox checkbox makes links2 do one thing specifically, which is to simulate the headers and the user-agent of a Tor Browser.

links2 headers

The following are the headers and user-agent of links2 with the default configuration and only the Fake Firefox option checked. Note that the referer settings make no difference in the fingerprint in this case.

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Connection: keep-alive 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0 

What does affect the fingerprint, though, are links2's other HTTP options. So for the sake of this experiment, I leave them in their default state.

links2 http setup

682fd9a0ec1eb5e26869a72310258745

The last notable thing that seems to affect the fingerprint is the actual version of links2 itself, regardless of the setup. To have the test site return this specific fingerprint, all one has to do is use the default links2 configuration with the Fake Firefox option checked. You can test this yourself if you're running links 2.30. Delete, move or back up your current config (the ~/.links directory), start a fresh graphical links with links -g (in some cases xlinks, or links2 -g, depending on your OS), hit Escape, go to Setup - Network options - HTTP options - Header options and check the box next to Fake Firefox. Visit the noscriptfingerprint.com site, click IFrame and Show fingerprint. Your fingerprint should be the same as the heading of this section.

The same steps apply to TUI links, where the fingerprint is different from its graphical counterpart, but should still be the same for users of the same links2 version on other platforms. In this case d12df83b60a9278a7207cef9174c2049.

What this means is that as long as you use the most up-to-date version of links2 (currently 2.30), with the default HTTP configuration and the Fake Firefox (improves privacy) box checked, your links2 becomes indistinguishable from other links2 browsers of the same version in the wild.

Keep in mind that customizing the appearance of how links2 renders html (Escape - View - {Html options,color}), colors, font size, etc, does not affect the fingerprint.
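The header-only mechanism described in both episodes can be modelled in a few lines. The following is an added example, not the test site's code or part of the original article: it assumes the fingerprint is a hash over the ordered request headers with User-Agent left out (matching the observation that changing it had no effect), uses truncated SHA-256 as a stand-in hash, and runs over a constructed population of five clients to show who blends in and who stands out.

```python
import hashlib
from collections import Counter

# Assumption: the fingerprint covers the ordered header lines and skips
# User-Agent (the article observed that changing it has no effect).
IGNORED = {"user-agent"}

def header_fingerprint(headers):
    """headers: list of (name, value) pairs in the order the client sent them."""
    lines = [f"{n.strip().lower()}:{v.strip()}" for n, v in headers
             if n.strip().lower() not in IGNORED]
    # Stand-in hash; the real site's algorithm is not known from the article.
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()[:32]

def anonymity_sets(clients):
    """Map each client name to the number of clients sharing its fingerprint."""
    prints = {name: header_fingerprint(h) for name, h in clients.items()}
    sizes = Counter(prints.values())
    return {name: sizes[fp] for name, fp in prints.items()}

def with_header(headers, name, value):
    """Return a copy of headers with one header's value replaced."""
    return [(n, value if n.lower() == name.lower() else v) for n, v in headers]

# Header set quoted in the article for links2 with "Fake Firefox" checked.
FAKE_FIREFOX = [
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"),
    ("Accept-Language", "en-US,en;q=0.5"),
    ("Accept-Encoding", "gzip, deflate"),
    ("Connection", "keep-alive"),
    ("User-Agent", "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"),
]

# Constructed population; the replaced header values are made up for the example.
CLIENTS = {
    "alice": FAKE_FIREFOX,                                          # default
    "bob": FAKE_FIREFOX,                                            # default
    "carol": with_header(FAKE_FIREFOX, "User-Agent", "Links (2.30; Linux)"),
    "dave": with_header(FAKE_FIREFOX, "Accept-Language", "da,en;q=0.5"),
    "erin": with_header(FAKE_FIREFOX, "Accept", "12345/6789"),      # random Accept
}

if __name__ == "__main__":
    for name, size in anonymity_sets(CLIENTS).items():
        print(f"{name}: {header_fingerprint(CLIENTS[name])} shared by {size} client(s)")
```

Clients on the unmodified header set share one fingerprint, while the language change and the random Accept value each end up in an anonymity set of one.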

Special thanks to Reid, who helped me test this on a different OS and discovered what the Fake Firefox checkbox does. In both cases, as long as our version of links2 was the same, the fingerprint was also the same for both of us as long as our configurations matched, independent of our platform.