links2  web 

2024-12-21

NO-JS Fingerprinting (slight return)

...this is a continuation of the previous NO-JS fingerprinting article.

ema stares at a fingerprint

Some surprises can be pleasant.

In the previous article I've explored how Javascriptless fingerpriting works in simple browsers. The preliminary discovery was that all that particular method can do without any CSS is fingerprint your browser based on HTTP headers. I presented a rather rudimentary way of manipulating the fingerprint - what did not occur to me at the time was that links2 is infact already equipped with counter-measures against this nifty feature of the modern web.

Fake Firefox

links2 setup

In links' Setup - Network options - HTTP options - Header options resides the option to spoof the user-agent of the browser, as well as the option to add extra headers. At the time, and up until very recently, I thought all that option did was spoof the user-agent of a firefox browser. What has been revealed to me however, is an important discovery that checking the Fake Firefox checkbox, makes links2 do one thing specifically - it simulates headers and the user-agent of a tor browser.

links2 headers

The following are the headers and user-agent of links2 with the default configuration and only the Fake Firefox option checked. Note that the referer settings make no difference in the fingerprint in this case.

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Connection: keep-alive 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0

What does affect the fingerprint though, are the other links2's HTTP options. So for the sake of this experiment, I leave them in their default state.

links2 http setup

682fd9a0ec1eb5e26869a72310258745

The last notable thing that seems to affect the fingerprint is the actual version of links2 itself, despite the setup. To have the test site return this specific fingerprint, all one has to do is use the default links2 configuration with the Fake Firefox option checked. You can test this yourself, if you're running links 2.30. Delete/move/backup your current config, the ~/.links directory, run fresh graphical links links -g (in some cases xlinks, or links2 -g, depending on your OS), hit Escape, go to Setup - Network options - HTTP options - Header options and check the box next to Fake Firefox. Visit the noscriptfingerprint.com site, click IFrame and Show fingerprint. Your fingerprint should be the same as the header of this paragraph.

The same steps apply to TUI links, where the fingerprint is different from its graphical counterpart, but should still be the same for users of the same links2 version on other platforms. In this case d12df83b60a9278a7207cef9174c2049.

What this means is, that as long as you use the most up-to-date version of links2 (currently 2.30), with the default HTTP configuration and the Fake Firefox (improves privacy) box checked, your links2 becomes indistinguishable from other links2 browsers of the same version as yours in the wild.

Keep in mind that customizing the appearance of how links2 renders html (Escape - View - {Html options,color}), colors, font size, etc, does not affect the fingerprint.

Special thanks to Reid, who helped me test this on a different OS and discovered what the Fake Firefox checkbox does. In both cases, as long as our version of links2 was the same, the fingerprint was also the same for both of us as long as our configurations matched, independent of our platform.