2024-11-30
No-JS fingerprinting
links2gang presents: fingers and sandpaper. But you don't have to be a links2 user to know of this feature.
Recently I came a cross a fun tracking feature. There is a method in the wild that is able to fingerprint your browser without the use of javascript, seemingly dependant on CSS alone. Maybe you already know of the traditional tactics of fingerprinting your browser through the use of javascript. For the links2 user this is irrelevant, but this no-js method is capable of fingerprinting text-browsers and non-js browsers alike.
https://noscriptfingerprint.com/
Visit the url, get your fingerprint and see the Details of what is supposedly your fingerprint constructed from. (If you're visiting from links, click the IFrame link.
Preliminary discoveries
Somewhat expectedly, running links in text mode and graphical mode returns a different fingerprint. Size of either window seems to play no role. But those two fingerprints remain the same.
Now what?
You're probably already using a fake user-agent with links2, whether it be the check box at the top, or putting in your own into the text field. Note that checking the box will overwrite whatever you wrote in yourself, as well as the extra headers.
However, changing the actual user-agent does not affect the fingerprint. What actually does so in links2 is the extra headers section.
If you check the box "Fake firefox", the extra headers are these:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 \ Accept-Language: en-US,en;q=0.5
The overkill experimentation
Let's say you have your links2 configured to your liking (and have saved that configuration). This is important, because the next step is going to be a bit of a hassle unless you speak all sorts of languages - you see, the simplest way to change the fingerprint is to change the language of links itself (which changes the header).
For the purposes of this experiement let's make a new file in ~/languages
and put in the following:
english danish slovak polish german greek romanian czech russian
Next we'll run links -g -language "$(cat ~/languages | sort -R | sed 1q)" https://noscriptfingerprint.com/
. The previous code will pick a random
language from the file and open the fingerprinting site. Be sure to hard refresh the page with Ctrl-r (otherwise the previous result might be cached) and then click IFrame, then show
Now depending on what language was randomly picked, the fingerprint will be different every time. The problem is that this gives us only 9 potential fingerprints (the number of languages we provided in the ~/languages file). links2 does speak around 30 languages, so at best this can give you 30 unique fingerprints.
HEADER caveats
Obviously there are probably more sane http headers to change, but as an experiment, this is a proof of concept of how to manipulate the fingerprint.
from links(1) man page: -http.extra-header <string> Extra string added to HTTP header.
A good place to check what your headers currently are (and to subsequently see if the fingerprint has changed) is wtfismyip.com/headers
One could also use a completely arbitrary header - something like links -g -http.extra-header "Accept: $RANDOM/$RANDOM" https://noscriptfingerprint.com/
, which will affect
the fingerprint, but it seems to make more sense to rotate through real (useless?) headers, which is what the language trick does, as to not to make the browser stand out.
Should you care?
I don't know, you tell me. See how you can combat this nifty invention in the browser of your own choice.