by card_zero
8 subcomments
- * I'm not in that city.
* It's running a kind of Chrome on a kind of Linux, at a stretch.
* Nobody can infer when I work and when I sleep. That includes me.
* The recent, high-end display is the screen of a low-end tablet I bought in a supermarket five years ago.
* But yes, browser fingerprinting is annoying.
* Since you can detect light mode, would it kill you to honor it?
by noelsusman
5 subcomments
- I am once again asking privacy advocates to try sounding normal for once. Trying to make a browser accessing your timezone sound nefarious isn't going to convince anyone of anything.
by karmakaze
5 subcomments
- Whether or not the information is accurate isn't really the point. It's that it serves as a way to identify you even without cookies. I looked for better websites, the EFF one[0] is informative.
My browser fingerprint was unique among the visitors in the past 45 days.
[0] https://coveryourtracks.eff.org/
- Visiting without JS: "With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops."
I find this hyper dramatic LLM language extremely off putting, but appreciate the signal that allows me to completely disregard it.
by cortesoft
13 subcomments
- Maybe it's just because I am old, or have worked on internet software for almost 30 years, but none of this seems surprising or even concerning?
Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.
I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in anyway it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.
In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make followup requests that the site tells me to make, and i can choose to display the response in whatever way i want to) I asked for data, they sent me data.
If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.
Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDOS attacks and the like make a completely 'anything goes' setup impractical.
However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.
- A vibe-coded EFF Cover Your Tracks. The fact this made it to front-page is spookier than its contents
- The website is pretty & the overdramatic copy is fun, but there's much better fingerprinting demos out there.
The number of data points shown here is low - there's plenty more it could be checking - & a good number of them seem to be wrong (it's only detecting one as explicitly "withheld" but I believe a few of them actually are, leading to garbled output).
Needs some QA.
- There's really a lot more you can look at here. Lot's a prior art on super-cookies and fingerprinting:
https://coveryourtracks.eff.org/
https://amiunique.org/
- Wow! Somebody with ChatGPT discovered the concept of browser headers, then for some odd reason made the verbiage really ... weird "We chose not to tell you"... okay...
Anyway, if you really want to know what your browser is sending:
https://browserleaks.com/
https://coveryourtracks.eff.org/
- > We did not ask for your location. Your address arrived before you did.
Bunk. You asked a geolocation api/service to map my ip address back to a location. You _did_ ask for my location, using my IP as a key. And my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).
- I love that the very first thing it showed was wrong
> San Pablo, California, United States
> You appear to be in San Pablo, United States. Your internet provider is AT&T Enterprises, LLC. We know this because your IP address — 108.xxx.xxx.233 — was the first thing your device sent us
I am in San Francisco. IPs are not a reliable location identifier and never have been. Especially on mobile. Thank you for coming to my ted talk
- > Your graphics processor identified itself as or similar.
That checks out. I think what I have is similar to a graphics card but isn't quite.
by chrisweekly
1 subcomments
- I appreciate the intent here, so this is constructive feedback:
- Some of the numbers are off, eg
"Your browser allocated 39322 MB of storage to this page alone" - low contrast in dark mode makes text hard to read
- An instant loading page without animations and more contrast would have been more fun.
The fact that it begins with my IP address reminds me of those dubious VPN ads.
City is wrong, I may speak English but it's not my native language.
As other people said, there are much better pages showing you your browser fingerprint.
by IdiotSavage
4 subcomments
- > Where you were before
> news.ycombinator.com
This has always bothered me the most. I disabled the 'Referer' header once, but it breaks many websites.
- > We know this because your IP address was the first thing your device sent us.
First paragraph, and I don't like this wording already. It's as if "my device" has any choice in the matter.
And actually, it's the reverse! Often enough your own device does not know your _actual_ public IP address without asking some kind of public service to snitch on your internet connection.
- Aren't LLMs smart enough to choose better color contrast by now?
- Happy to say that my browser didn't tell anything that I didn't expect it to. It even identified my IP from a location 1000km away from me.
Firefox on Android with ublock
by freedomben
6 subcomments
- I guess I shouldn't be surprised that it gives my exact GPU, but that was surprising to me. Just so everyone knows, its an AMD Radeon RX 6900 XT and I paid way too much for it during the covid/crypto price explosion when they were sold out everywhere. Still a bit raw about that, but it is an excellent card on Linux (fedora)
- My battery is at NaN%, the site is cool but it should probably change the text if I’m not actually exposing that information.
It got the city wrong but close to where I live. This stuff would be wildly wrong if I fired up my VPN. Although its annoying when I connected to a VPN to Steam it’ll often show my prices in Canadian dollars instead of USD.
- It seems like they know I have an iPhone with dark mode enabled, that I speak English, and that I'm in the USA (but wrong city wrong state). I am kinda unimpressed, I'm pretty sure they can get a lot more info than that.
by aziaziazi
1 subcomments
- > Your screen is 320 by 568 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display.
It’s been a long time my 2016’ iPhone as been called recent or high-end but I’ll take the compliment, thank-you.
by Gualdrapo
1 subcomments
- Text is so dim is really hard to read.
by looneysquash
1 subcomments
- Would be nice if more people were focus on fixing these issues instead of just a bunch of "we already know", and making fun up the tone of the site.
Thanks op for reminding us of the privacy issues with our browsers. The EFF and others already told us, but the issues remain. Lets hope you're hear to stay and fight for our privacy alongside us.
by Multicomp
1 subcomments
- Mine told me my graphics card was "or similar" so my stock Firefox is doing at least okay.
While I still follow the general privacy first tenets, I have ended up backing off on some tools (noscript and librewolf) at the extremes of privacy because if every site is going to track everything by my IP or by my ASN or browser fingerprint, I do have a happy medium of being private enough while not being utterly broken in my browsing.
Roughly that looks like email aliases on demand via sieve rules, ublock origin with liberal use of filter lists, different handles and a password manager, frozen credit ratings, and Tailscale exit nodes or Mozilla(Mullvad) VPN for uncontrolled WiFi access points for my jnrootabke android device and mostly signal for comms.
I'm getting to old to be a privacy extreme enthusiast when all of my family side channels everything straight to Facebook, so this is the impure level of privacy I can sustain.
- > Your device carries these typefaces, of the seventeen commonly probed by fingerprinting checks. The specific combination of fonts on your device is nearly unique
The set of fonts available in stock iOS is hardly going to be unique now is it?
That it is even possible to install fonts onto iOS would be news to most users.
- Aside from the fingerprinting methods, the graphics processor string seems to be the most immediately personal data given up (other than location, which was incorrect for me). I could see sites tailoring ads around an assumed class, income, and level of digital literacy based on this data point alone.
by nick49488171
0 subcomment
- The gyroscope and battery should not be getting exposed without permission. That seems unexpectedly invasive, and I'm in tech.
Also we should disable referrer field.
- Access to the available font list might be useful for identifying devices likely issued by a particular organization. Unusual fonts that are part of an org's branding usually are installed as part of a standard device image. This allows employees to produce brand-compliant presentations, etc. I was an intern at GE in the mid-90's and we had a custom font with just one character defined - the "meatball" corporate logo.
by moritzwarhier
0 subcomment
- https://coveryourtracks.eff.org/
does the same or better, without AI regurgitation and a WordPress theme.
- Dunno what it is with the wording but my brain started reading it in a bit of a "Hello Clarice" Hannibal Lecter style lol
>The specific combination of fonts on your device is nearly unique — like a fingerprint made of letters
Is this one true? I've not made any changes to fonts on my phone that I know of, wouldn't it just be bog standard iPhone fonts?
Curiosity not challenge
Would be cool if you actually did track just to prove the point like "you've opened this page 6 times now, 2 of those were via VPN and one time was using the Firefox Focus browser. Have you found any flaws in the data yet?"
by mikeocool
1 subcomments
- As far as this website reports, I'm undistinguishable from most other Mac users in Brooklyn, New York. Seems like it's not actually highlighting the frightening aspects of fingerprint.
by D2OQZG8l5BI1S06
0 subcomment
- AI really has a problem picking proper fonts, this is barely readable...
by 1vuio0pswjnm7
1 subcomments
- Perhaps this illustrates the ridiculous level to which website operators make assumptions about website visitors
This phenonemon is much older than "browser fingerprinting"
- They forgot to add timing attack on images load time which can be used to tell if you visited X website.
https://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010...
- > You came here from news.ycombinator.com. Your browser told us the address of the page you were reading before this one. Every link you follow tells the destination where you were. The page you just left knows you left. This page knows where you came from. Neither was asked.
I thought this didn't work anymore and browsers left out the referer in the case of https, is that not so then?
by ____tom____
0 subcomment
- I doubt the fonts on my iPhone identify me. As far as I know, they would be the fonts it came with. Or can apps install fonts?
by kbigdelysh
0 subcomment
- So if they can figure out whether I have an expensive laptop/computer based on my graphic card, then they can adjust the prices I see on the page (e.g.higher prices for game devs/players and lower prices for plumbers). Not fair.
by mcintyre1994
1 subcomments
- > Your device carries these typefaces, of the seventeen commonly probed by fingerprinting checks. The specific combination of fonts on your device is nearly unique
Is this actually true? Because I don’t even know if I have any control over this on iOS, and if I do then I’d guess almost nobody diverges from the default?
by YeGoblynQueenne
0 subcomment
- Huh? The user mwheelz seems to have been [dead]'d in the time this post has been on the front page. If I look at their comments page, those posted more than 46 minutes ago (at the time of writing) are normally visible and the rest are [dead].
https://news.ycombinator.com/threads?id=mwheelz
Mods, is there something we should know? Is there maybe a reason to stay away from the linked website?
by nathanmills
1 subcomments
- You can't gaurentee any of this is fingerprintable without checking twice (i.e. give the user a unique url, then ask them to restart the browser and visit it). In privacy browsers like LibreWolf or Mullvad Browser this is almost all spoofed, save for things like the IP which needs to be hidden/changed independently of the browser.
by shepherdjerred
0 subcomment
- How did you prompt Claude to be so paranoid but also bad at fingerprinting?
Of course the browser knows my IP and language. Nothing on this page is really surprising
- It seems to have a little trouble with lynx...
https://en.wikipedia.org/wiki/Lynx_(web_browser)
- Most of this is pretty standard stuff but one thing I did learn is some of the fingerprinting techniques I wouldn't've thought of. Like Mozilla/Apple not sharing GPU or battery information being used to confirm which browser I use even if I fake the User Agent String.
- "With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops."
This is surely only partially true.
- I thought the referer was not available under https anymore
- Its mixing confidential info. For example, you know I'm connected from a location, but you do not know my precise location. I connected from a tower that is from Odido, but I am not paying Odido for a subscription.
- Cute detail: if you switch to another tab and then back again it shows a banner at the top:
> You left for 6.3 seconds. We noticed.
by yakkomajuri
0 subcomment
- DuckDuckGo browser helped mask some stuff, but definitely a fair amount still goes through.
Annoyingly the web is becoming a bit more annoying to browse as a DuckDuckGo (mobile) and Brave (desktop) user. With a VPN on top it gets even worse.
- Trying this in Lynx I'm surprised it didn't at least get some information from me in the request headers. You don't need JavaScript to pull things out of them.
by GMoromisato
0 subcomment
- Someone should do a demo where they take all the info from the browser and feed it to an LLM to describe the person as accurately as possible. I bet it would be 10x better than any horoscope.
by deferredgrant
0 subcomment
- Browsers are stuck between compatibility and privacy. Every bit of environment detail has some site that claims to need it, and every extra bit makes users easier to distinguish.
by Cider9986
1 subcomments
- I prefer https://fingerprint.com/demo
Terrible company-at least you know you are testing what is being used.
- pretty interesting but why's this website so dramatic, like it thinks it's making me uneasy and paranoid or something
by internet2000
1 subcomments
- Yes, I'm on a MacBook Air in Eastern Time and I speak English. I'd have told the website that myself if they had asked it.
- The text legibility of the gray on black is a serious problem. My eyes aren't that bad but I can barely read this.
by amarcheschi
0 subcomment
- You could have used show hn since you made it
- Tell me what kind of smell my last fart had. Now this will be scary.
- With javascript off it just stalls at "reading" forever. There are certainly some viewport properties and other things it does know even without JS execution, but the mitigation is significant. And the page itself (the JS application) cannot act on that data or communicate it. Instead it has to be processed by some other application on the backend or wherever. Not in my browser by my computer.
- If the color scheme weren’t so atrocious, it would almost be possible to read what it says.
- How do we get our browser to stop sending all this information? It's really maddening.
- Something attacked my computer.
I shut the page, and some old one popped up.
I shut it, and they popped up again
I shut my browser, and Notepad++ was filling with <cr><lf>
I closed Notepad++, closed every open app, and restarted.
- I'm not worried about my privacy. No one can read the dark text on that page anyhow.
- Update: I pushed two rounds of fixes for things people caught.
1. GPU "or similar" stranded prose. Firefox returns "Mozilla, or similar" as the masked renderer string and my parser was grabbing the second half. Masked-GPU case now gets its own observation.
2. Desktop battery showing NaN/100%. Chromium reports a phantom 100%-charging battery on machines without one; my filter was too narrow. Stricter check, falls through to "kept back."
3. Storage quota of 39+ GB reading as implausible. Now expressed in GB, and the prose was reworded ("would let this page write up to" rather than "allocated to").
4. Screen size matching window size (Firefox letterboxing / Brave farbling). Page now names it: "your browser appears to be returning the viewport in place of the real screen — anti-fingerprinting at work."
5. "Recent, high-end display" being claimed on old retina devices (iPhone 5-class). Tightened the heuristic.
6. No-JS hangs at "reading." <noscript> block added.
Worth saying directly since it came up. The prose is hand-written. Each observation has a small set of templated registers and the code selects among them based on what the data returns. There is no LLM in the runtime path. AI helped me iterate on the spec like it does for most projects now. The sentences on the page are mine. If that's not the kind of work you're in the mood for, fair, but the slop charge is wrong.
by joshstrange
3 subcomments
- It's somewhat interesting but over half of what it talked about is just silly.
- Reverse IP/geocode (while be cute about "we won't show your IP", oh no, not my IP!)
- Timezone - Ok, yeah, lots of websites need/make use of that for completely legit tasks
- Browser/OS/Screen size - boring, again mostly needed or historical
- GPU - Again, not super interesting IMHO
- Battery - Ok, this is the first one I think should be behind a permission dialog
- Language - Come off it, that's just table stakes
- Fonts - Again, not sure how else this should work in a "perfect" world
- Cookies/dark mode/DnT/etc - Ehh, again aside from fingerprinting (which ruins everything) these are all QoL improvements IMHO
- Referrer - Again, this is just how the web works
I think the websites that take all of that and show you a fingerprint or show the data in a more data-oriented way are way more compelling.
This, almost certainly vibe-coded, website doesn't do anything novel and hits on a huge pet peeve of mine: using low-quality arguments for a legit issue (fingerprinting). By mixing in stuff like your IP/Language on the same level as Battery/GPU/other-fingerprinty-things it makes the whole argument less compelling.
by praveen4463
0 subcomment
- good stuff but useful for non tech ppl. We already knew those things are exposed by the browser. probably worth putting in x/reddit
- > This volume requires JavaScript. That is part of the point — your browser is what is being read.
> With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops.
What? When I enable JS it shows me a lot of stuff that is only queriable with JS.
by crazygringo
1 subcomments
- This is just... silly. Everything it told me, while browsing on my iPhone, seems entirely reasonable.
> Every page you have ever visited knows at least this much. Most of them know more. None of them told you.
So? Why would I want the news site I'm visiting to "tell me" it knows my preferred language, that I'm using light mode, or the estimated location of my IP address...?
It's not surprising that a browser which renders text can be used to identify which fonts are available. It's not surprising that a browser which allows calculation with your GPU will identify your type of GPU.
The "without asking" framing is just silly. I expect to be asked for consent to use my webcam or microphone or exact precise location. But the last thing I want is to be asked for permission around detecting my local time zone or preferred language or my screen resolution or 20 other totally reasonable things for a website to be able to know.
- > Your screen is 1512 by 982 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display. Your device volunteered all of this in the first milliseconds of the connection.
No it didn't. It was queried by the JS running on the page. It's a fun demo but it could really do without the slop prose.
- the breathless fearmongering but also condescending tone of this really makes it hard to take seriously. yeah, you can "digitally fingerprint" me when i browse the web. do you know when else you can get my fingerprints? literally any time i touch something in the real world, i leave my fingerprints behind. and nobody is making websites telling us all what a risk to privacy that is.
if you want to make me afraid of browser fingerprinting, try explaining how that information can be used to harm me. i'm aware that it's possible, i just don't care because it doesn't seem like it's that big of a deal.
by sitzkrieg
1 subcomments
- dark gray on black text was a terrible choice, virtually unreadable contrast
by thatguy0900
1 subcomments
- Man what a awful looking site. I shouldn't have to crank my brightness to max to kind of read the words
by byhemechi
1 subcomments
- Unreadable and useless vibe coded shit. Submissions like this are why I've all but stopped using HN
- Vibecoded slop with LLM-written copy. When will it stop
by relevant_stats
0 subcomment
- The stats are wrong - on Android my finger has not moved triple digit times, and I haven't tapped double digit times. In 4 seconds.
My general location is also wrong.
This site's theme is barely visible.
And the entire idea for the site is at least couple decades old.
Unoriginal slop.
- None of the information identified for me was surprising using an up-to-date Firefox on Mac w/ a mostly default configuration. I had to unblock Javascript in NoScript for the page to work.
I get the point, but I think the EFF Panopticon page is a better representation of browser fingerprinting and how it works, because most of the things shared are really basic elements of data that aren't personally identifiable. You can absolutely fingerprint Firefox with a default config, so obviously this was vibe-coded and just doesn't do much. Cool, you did a GeoIP lookup, read the user-agent, the referrer header, and the accessibility data, exactly zero of that should be surprising to anyone that knows how you access a website.
- Its pretty scary when you see it like this
by pixel_popping
1 subcomments
- It's really bad, it's not using proper fingerprinting techniques, no network stack fingerprinting, no browser history via DNS poisoning, no narrowing down exact country with timing and so on. I mean this is even inferior from basic tools like amiunique, what's the point?
- "Your screen is 320 by 568 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display."
Not quite, I'm on a 2016 iPhone SE
- I wish it knows that I absolutely hate dark modes with such low contrast.
- > You have been on this page for 92 seconds. You scrolled 0% of the way down. You never left this tab.
Uhm... how did I get to the bottom if I scrolled 0%?
- I can’t even read this on my phone, the text is too small and the contrast is terrible
- Another vibe-sloped false-integrity derivative. Cmon, OP..
- Wow! A significant amount of that information is wrong. I guess my corporate security is doing their job pretty well.
by quietsegfault
0 subcomment
- Jokes on them, they got the wrong IP address, dummies!!! My IP address is 127.0.0.1!
by josefritzishere
0 subcomment
- This is a great exercise, it's generally accurate on location but it's hard to express how granular they can be Identifying users through browser information. fonts? display size? processor? how unique is that really in laymans terms?
- Your browser discloses a lot more fingerprinting data than this
- hrm. We need a modified browser that just randomly switches the finger prints for linkndin.
by camillomiller
0 subcomment
- Another unreadable piece of slop with Claude fonts and style that this user has already spammed three times here with an account created 21 days ago.
This is out of control, and y'all just comment these threads as if they're made by humans.
- Ok…
Are we supposed to care?
- At least it doesn't know my age
Oh wait
- We've seen tens of pages like this, all done better. Now the vibe coders got into it and completely fuck up the idea.
by hackersnooze1
0 subcomment
- it got both my city and browser wrong i am not too concerned lol
- Lol, the description text is so dramatic.
- [dead]
- [flagged]
- >OH MY GOD WE KNOW STUFF ABOUT YOU
peoples obsession with 100% privacy while operating in a public space is immature. if you're that risk averse dont connect to the internet.
Hacker News