links2  web 

2024-11-30

No-JS fingerprinting

links2gang presents: fingers and sandpaper. But you don't have to be a links2 user to know of this feature.

nojspfingerprinting in links2 is a headache

Recently I came a cross a fun tracking feature. There is a method in the wild that is able to fingerprint your browser without the use of javascript, seemingly dependant on CSS alone. Maybe you already know of the traditional tactics of fingerprinting your browser through the use of javascript. For the links2 user this is irrelevant, but this no-js method is capable of fingerprinting text-browsers and non-js browsers alike.

https://noscriptfingerprint.com/

Visit the url, get your fingerprint and see the Details of what is supposedly your fingerprint constructed from. (If you're visiting from links, click the IFrame link.

Preliminary discoveries

Somewhat expectedly, running links in text mode and graphical mode returns a different fingerprint. Size of either window seems to play no role. But those two fingerprints remain the same.

Now what?

You're probably already using a fake user-agent with links2, whether it be the check box at the top, or putting in your own into the text field. Note that checking the box will overwrite whatever you wrote in yourself, as well as the extra headers.

However, changing the actual user-agent does not affect the fingerprint. What actually does so in links2 is the extra headers section.

links2 user-agent

If you check the box "Fake firefox", the extra headers are these:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 \ Accept-Language: en-US,en;q=0.5

The overkill experimentation

Let's say you have your links2 configured to your liking (and have saved that configuration). This is important, because the next step is going to be a bit of a hassle unless you speak all sorts of languages - you see, the simplest way to change the fingerprint is to change the language of links itself (which changes the header).

For the purposes of this experiement let's make a new file in ~/languages and put in the following:

english
danish
slovak
polish
german
greek
romanian
czech
russian

Next we'll run links -g -language "$(cat ~/languages | sort -R | sed 1q)" https://noscriptfingerprint.com/ . The previous code will pick a random language from the file and open the fingerprinting site. Be sure to hard refresh the page with Ctrl-r (otherwise the previous result might be cached) and then click IFrame, then show

Now depending on what language was randomly picked, the fingerprint will be different every time. The problem is that this gives us only 9 potential fingerprints (the number of languages we provided in the ~/languages file). links2 does speak around 30 languages, so at best this can give you 30 unique fingerprints.

HEADER caveats

Obviously there are probably more sane http headers to change, but as an experiment, this is a proof of concept of how to manipulate the fingerprint.

from links(1) man page:

 -http.extra-header <string>
              Extra string added to HTTP header.

A good place to check what your headers currently are (and to subsequently see if the fingerprint has changed) is wtfismyip.com/headers

One could also use a completely arbitrary header - something like links -g -http.extra-header "Accept: $RANDOM/$RANDOM" https://noscriptfingerprint.com/, which will affect the fingerprint, but it seems to make more sense to rotate through real (useless?) headers, which is what the language trick does, as to not to make the browser stand out.

Should you care?

I don't know, you tell me. See how you can combat this nifty invention in the browser of your own choice.