The Fallacy of Evading Fingerprinting by Disabling JavaScript - Decisimo

Published on: 2024-08-10 18:29:56

Online privacy is a constant battle, and many users disable JavaScript under the impression that doing so will shield them from tracking. However, a recent demonstration by researcher Sergey Mostsevenko has debunked this myth.

Even with JavaScript disabled, your digital fingerprint can still be traced thanks to a variety of signals your device emits.

What is Fingerprinting?

Fingerprinting is a technique that tracks and identifies web users without the use of cookies. It employs various device properties such as language settings and installed fonts to create unique identifiers. These identifiers remain effective even when the browser is in incognito mode.

JavaScript: Not the Only Culprit

Disabling JavaScript is often thought to be a safeguard against fingerprinting. However, this is a misconception. Fingerprinting can still occur even if JavaScript is disabled, as demonstrated in a No-JS Fingerprinting Demo.

How Does No-JS Fingerprinting Work?

The No-JS Fingerprinting process involves your browser automatically sending HTTP requests to the server. The server extracts and stores meaningful data from these requests. This data remains consistent across different websites and can be used to reliably identify and track your device over time.

Signal Sources

  • IP Address: Though not used in the demo, IP addresses are typically unique but can change under certain circumstances, such as switching from Wi-Fi to cellular data.
  • HTTP Headers: Containing meta information, HTTP headers facilitate better communication between browsers and servers. Some headers contain information about browser settings, which can be used as signals.
      • Accept: Informs servers of the file types supported by the browser.
      • Accept-Language: Communicates the preferred languages of the client.
      • Accept-Encoding: Indicates which content encodings (e.g., compression algorithms) the browser understands.
  • User-Agent: Contains information about the browser version and operating system, but is considered unstable and is not used in the demo.
  • CSS: The demo employs the browser’s CSS engine to collect signals, using CSS code to determine whether to send an HTTP request based on various parameters.
  • Fonts: The presence or absence of specific fonts on a user’s device can be used as signals.
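The following sketch is an added example, not code from the demo or from Decisimo. It shows how a server can combine the header signals listed above with CSS-triggered requests into one identifier that stays the same with JavaScript disabled. The probe names, the `/signal` path, the media queries and the sample header values are assumptions constructed for illustration.

```python
import hashlib

# Header signals named on the page. User-Agent and client IP are deliberately
# excluded, as the page says the demo does not use them.
HEADER_SIGNALS = ("accept", "accept-language", "accept-encoding")

# Hypothetical CSS probes: probe name -> media query (constructed for this example).
PROBES = {
    "dark-mode": "(prefers-color-scheme: dark)",
    "wide-screen": "(min-width: 1600px)",
}

def css_probe_rules(probes, base="/signal"):
    """Build CSS whose rules make the browser request base/<name> only when
    the media query matches; the server learns the answer from the request."""
    return "\n".join(
        f"@media {query} {{ .probe-{name} {{ background: url({base}/{name}); }} }}"
        for name, query in probes.items()
    )

def fingerprint(headers, css_hits):
    """Hash the header signals plus the set of probe URLs that were requested."""
    # Header names are case-insensitive; collapse whitespace so the same
    # browser always produces the same string.
    norm = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    parts = [f"{h}={norm.get(h, '')}" for h in HEADER_SIGNALS]
    parts += [f"css:{name}" for name in sorted(set(css_hits))]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]

# Constructed sample visits (not captured traffic).
VISIT_1 = {"Accept": "text/html,application/xhtml+xml",
           "Accept-Language": "en-US,en;q=0.9",
           "Accept-Encoding": "gzip, deflate, br",
           "User-Agent": "ExampleBrowser/1.0"}
VISIT_2 = dict(VISIT_1, **{"User-Agent": "ExampleBrowser/1.1"})   # same device, updated browser
VISIT_3 = dict(VISIT_1, **{"Accept-Language": "cs-CZ,cs;q=0.9"})  # different language setting

if __name__ == "__main__":
    print(css_probe_rules(PROBES))
    for visit in (VISIT_1, VISIT_2, VISIT_3):
        print(fingerprint(visit, ["dark-mode", "wide-screen"]))
```

Running it prints the same identifier for the first two visits and a different one for the third, which is a quick way to see which browser settings contribute to the fingerprint.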

Conclusion

Turning off JavaScript does not shield you from fingerprinting, as browsers can still leak ample data. Relying on this method can also lead to a compromised web experience. Special browsers like Tor, which ensure anonymity and a consistent fingerprint for all users, may be the only viable option for those extremely concerned about privacy.


Published: 2023-06-26