fingerprintjs / fingerprintjs

Browser fingerprinting library. Accuracy of this version is 40-60%, accuracy of the commercial Fingerprint Identification is 99.5%. V4 of this library is BSL licensed.

Home Page: https://fingerprint.com/github/

License: Other

HTML 1.45% TypeScript 98.55%
javascript detection identification fingerprint fraud-detection fraud audio-fingerprinting browser fingerprinting browser-fingerprint

fingerprintjs's Introduction


FingerprintJS is a source-available, client-side, browser fingerprinting library that queries browser attributes and computes a hashed visitor identifier from them. Unlike cookies and local storage, a fingerprint stays the same in incognito/private mode and even when browser data is purged.

License

Starting with version 4.0.0, FingerprintJS is licensed under Business Source License 1.1. The BSL allows use only for non-production purposes. You can learn more details in our announcement.

| Use Case | Is a commercial license required? |
| --- | --- |
| Exploring FingerprintJS for your own research, hobbies, and testing purposes | No |
| Using FingerprintJS to build a proof-of-concept application | No |
| Using FingerprintJS to build revenue-generating applications | Yes |
| Using FingerprintJS to build software that is provided as a service (SaaS) | Yes |
| Forking FingerprintJS for any production purposes | Yes |

To purchase a license for uses not authorized by BSL, please contact us at [email protected].

Demo

Visit https://fingerprintjs.github.io/fingerprintjs to know your visitor identifier.

Now, try visiting the same page in private / incognito mode and notice how the visitor identifier remains the same!

Getting Started

<script>
  // Initialize the agent at application startup.
  // If you're using an ad blocker or Brave/Firefox, this import will not work.
  // Please use the NPM package instead: https://t.ly/ORyXk
  const fpPromise = import('https://openfpcdn.io/fingerprintjs/v4')
    .then(FingerprintJS => FingerprintJS.load())

  // Get the visitor identifier when you need it.
  fpPromise
    .then(fp => fp.get())
    .then(result => {
      // This is the visitor identifier:
      const visitorId = result.visitorId
      console.log(visitorId)
    })
</script>


Resources

📕 API Reference

⚛️ Sample usage with React on the StackBlitz platform

Limitations

Accuracy

Since FingerprintJS processes and generates the fingerprints from within the browser itself, the accuracy is limited (40% - 60%). For example, when 2 different users send requests using identical browsers (i.e. same version, same vendor, same platform), FingerprintJS will not be able to tell these two browsers apart, primarily because the attributes from these browsers will be identical.

Security

Because of how the fingerprints are processed and generated from within the browser itself, they are vulnerable to spoofing and reverse engineering.

Get 99.5% accuracy

Fingerprint Identification is a closed-source, commercial device identification product designed for fraud detection, device identification, marketing attribution, and analytics. This product is an enhanced version of FingerprintJS and has been fully re-designed to solve the most challenging identification use cases. Its source is not available in this or any other public repository.

Fingerprint Identification is able to achieve 99.5% accuracy, because it processes the browser attributes on the server and also analyzes vast amounts of auxiliary data (e.g. IP addresses, time of visit patterns, URL changes, etc.). Because of these advanced matching techniques, Fingerprint Identification is able to reliably deduplicate different users that have identical devices. For a comprehensive list of advantages over FingerprintJS, please visit Fingerprint Identification vs. FingerprintJS.

Fingerprint Identification is available for Web, Android, iOS, and other platforms. Our plans start at $99 per month and include 20K API calls. You can easily get started by signing up for a free, no-obligation 14-day trial.

Resources

🍿 Fingerprint Identification live demo

▶️ Video: Use Fingerprint Identification to prevent multiple signups by same user

🗂️ Sample responses for the different Fingerprint Identification plans

⏱️ How to upgrade from FingerprintJS to Fingerprint Identification in 30 seconds

📕 Fingerprint Identification documentation

Migrating to v4

| Migrating from | Migration Guide | Documentation |
| --- | --- | --- |
| v3 | Migrating from v3 to v4 | v3 documentation |
| v2 | Migrating from v2 to v4 | v2 documentation |
| v1 | Migrating from v1 to v4 | v1 documentation |

Version policy

See the compatibility policy for the API and visitor identifiers in the version policy guide.

Supported browsers

The library supports all popular browsers. See more details and learn how to run the library in old browsers in the browser support guide.

Where to get support

Using Issues and Discussions publicly will help the open-source community and other users with similar issues. However, if you require private support, please email us at [email protected].

Contributing

See the contribution guidelines to learn how to start a playground, test, and build.


fingerprintjs's Issues

Use html&css for font detection.

Like this: https://github.com/gabriel/font-detect-js

Your readme suggests:
14. Full list of installed fonts (maintaining their order, which increases the entropy), implemented with Flash.

But this sucks, because some browsers (Firefox at least) use "click-to-play" behavior for older versions of Flash, and because of this you can't get the font list from Flash reliably.
Tested this stuff on at least a 1m DAU site; it produces 1-3% error rates (font list not being collected for the "same" (with same cookie) user, thus different fingerprints).

jsFontsKey has some problem when browser zoom in or zoom out

my test result:
time1:zoom to 100%
Serif"[100 … 141]
136: "Vijaya"137: "Vrinda"138: "Webdings"139: "Wingdings"140: "Wingdings 2"141: "Wingdings 3"

time2:zoom to 110%
Serif"[100 … 140]
136: "Vrinda"137: "Webdings"138: "Wingdings"139: "Wingdings 2"140: "Wingdings 3"

Improving

Considering you already have some good features here! And more can be added according to this Stack Overflow discussion. I could have listed them, but I'm not doing it as it is a huge read. It also gives some good solutions!

Probe plugins by name to avoid cloaking & randomization

Currently various browser vendors are trying to mitigate browser fingerprinting.
Firefox does so called "plugin cloaking" - https://wiki.mozilla.org/Fingerprinting#Plugins, i.e. only allows to enumerate the most popular plugins (like Flash and QuickTime), while others are hidden from enumeration. It's still possible to get the availability of the plugin by trying to get it by name:

navigator.plugins["Unity Player"].name // get cloaked plugin by name
"Unity Player"

Some other browsers, like Pale Moon, do plugin randomization to always return plugins in a different order:
https://forum.palemoon.org/viewtopic.php?f=26&t=4406

One way to find randomization is to sort the list of plugins. But this will not solve the issue of cloaking.

So I suggest we need to expand the plugin detection code to:

  1. Get a list of available plugins calling navigator.plugins and then sort this list.
  2. Probe additional plugins having a predefined list of plugins. This list should be compiled in this issue.
  3. Combine two lists.

For now, I'm including the starting list of plugins to work with:

          "AcroPDF.PDF", // Adobe PDF reader 7+
          "Adodb.Stream",
          "AgControl.AgControl", // Silverlight
          "DevalVRXCtrl.DevalVRXCtrl.1",
          "MacromediaFlashPaper.MacromediaFlashPaper",
          "Msxml2.DOMDocument",
          "Msxml2.XMLHTTP",
          "PDF.PdfCtrl", // Adobe PDF reader 6 and earlier, brrr
          "QuickTime.QuickTime", // QuickTime
          "QuickTimeCheckObject.QuickTimeCheck.1",
          "RealPlayer",
          "RealPlayer.RealPlayer(tm) ActiveX Control (32-bit)",
          "RealVideo.RealVideo(tm) ActiveX Control (32-bit)",
          "Scripting.Dictionary",
          "SWCtl.SWCtl", // ShockWave player
          "Shell.UIHelper",
          "ShockwaveFlash.ShockwaveFlash", //flash plugin
          "Skype.Detection",
          "TDCCtl.TDCCtl",
          "WMPlayer.OCX", // Windows media player
          "rmocx.RealPlayer G2 Control",
          "rmocx.RealPlayer G2 Control.1"

Return Promise

If native ES6 promise available.
Open questions:

  1. What should happen if any polyfill is available.
  2. If the fingerprint returning method will be ok to implement as promise-returning, callback-accepting to handle both presence and absence of the promise impl.

Problem when try to get two fingerprint in chrome

I try to get two fingerprints with different options, but only "fp2" has a value in Chrome (IE 9 is the same).
And it runs well in Firefox.
I debugged the code; the following code at line 688 is not run on the first call.

      window[hiddenCallback] = function(fonts) {
        done(fonts);
      };

Html

<script src="js/fingerprint2.js" ></script>
<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject_src.js"></script>
... ...
<td id='fp1'></td><td>excludeUserAgent, excludeDoNotTrack</td>
... ...
<td id='fp2'></td><td>excludeUserAgent, excludeDoNotTrack, excludeWebGL</td>
... ...
<script type="text/javascript">
  var options = { excludeUserAgent: true, excludeDoNotTrack: true };
  var fp = new Fingerprint2(options);
  fp.get(function(result) {
    console.log("result:" + result); //zzz
    document.getElementById('fp1').innerHTML = result;
  });

  options = { excludeUserAgent: true, excludeDoNotTrack: true, excludeWebGL: true };
  fp = new Fingerprint2(options);
  fp.get(function(result) {
    console.log("result:" + result); //zzz
    document.getElementById('fp2').innerHTML = result;
  });
</script>

Use something like ua-parser.js

Cause using navigator.userAgent is a bad idea - every browser restart can cause it to change (modern browsers(firefox/chrome/mobile) use auto-update). Thanks for your work =)

how is fingerprintjs2 working now

From http://valve.github.io/blog/2013/07/14/anonymous-browser-fingerprinting/, it notes:
browser fingerprinting is not good with mobile browsers, unless you want to distinguish Android users from iPhone ones.

From https://gitter.im/Valve/fingerprintjs2/archives/2015/03/09, it notes:
This library will try to make every effort to work well on mobile.

What is the accuracy on mobile, including Android and iOS, now?
I'm not sure whether to use fingerprintjs2 on mobile or not, thanks.

Design a better demo page

It needs to be responsive (use some micro responsive CSS framework).
It should also start the FP process when button is clicked, not on page load.

Adopt Semver Versioning

Adopt semver versioning.

Currently almost every release breaks backwards compatibility by changing the resulting fingerprint.
The version change should reflect that. Instead of going from 0.1.3 to 0.1.4, we should go to 0.2.0, if output FP changes.

flashFontsKey can't get anything when Chrome in incognito mode

the chrome version is : 41.0.2272.101 m
http://browserleaks.com/fonts has the same problem.

but maybe it is a way to detect whether user in incognito mode or not.

maybe we can do it like that:
NoFlashFontskey = "f8e9592befd6dcb2337f6ac5d0beca77"
FlashFontskey = "2a4d643f" or "00000000"
Key = NoFlashFontskey+FlashFontskey

if we had key1 and key2:

// Each key is <32-char NoFlashFontskey><8-char FlashFontskey>.
function compareKeys(key1, key2) {
  if (key1 === key2) {
    return "user1 is user2 (strongly)";
  }
  // "00000000" means the Flash font list could not be collected.
  if (key1.substr(32, 8) === "00000000" || key2.substr(32, 8) === "00000000") {
    if (key1.substr(0, 32) === key2.substr(0, 32)) {
      return "user1 is user2 (not strongly) and user maybe in incognito mode";
    }
    return "user1 is not user2 (strongly)";
  }
  // Both Flash font keys are present and the full keys differ.
  return "user1 is not user2 (strongly)";
}

HSTS supercookie for IOS

a new technique named "HSTS supercookie" seems to be able to fingerprint iOS devices pretty well

Too many collisions

I am in the middle of rolling out fingerprinting via this lib to about a million odd users. During testing we have been seeing a lot of collisions (upwards of 15%). Interestingly these collisions are across geographies - which means that the underlying values are different (at least the language and timezone will be different). Any ideas?

Safari 3 fingerprints

I'm running Safari (Version 8.0.7 (10600.7.12)) without Flash it seems to alternate between 3 different fingerprints for the same browser in the same session.

I'm using the example code from the README.md:

(function () {
  new Fingerprint2().get(function(result){
      console.log(result);
  });
})();

Webgl for fingerprint instead of canvas (or with canvas).

Didn't have time to test if stuff like this
https://github.com/kmowery/canvas-fingerprinting.git
(https://github.com/kmowery/canvas-fingerprinting/tree/master/static/experiments/webgl-teapot)
correlates with canvas fingerprint.

Both fingerprints (canvas/webgl) produce hash for [graphic_card, current_driver_version, browser_wrapper_code] vector. So there should be some sort of correlation, so maybe a separate option for "webgl" fingerprint should exist.

Text in canvas affected by CSS(font "no-real-font-123", character"\ud83d\ude03")

When the font is set as "no-real-font-123", the canvas will paint the text in the default font, is that right?
But I found the default font could be changed by CSS, and also "\ud83d\ude03" will become □□ sometimes.

Then I got different fingerprints on two pages with the same browser; because the CSS of the two pages is different, they got different fonts in canvas.

I'm not good at CSS, so I haven't found out the reason.

Is there a reminder list like "Don't do it in your CSS"?

And here is one thing that I found you can't do.
If you set the style of span like:

span {
  /* something */
}

That will make jsFontsKey get nothing, because it uses span to detect fonts.
The following way is OK.

<style>
.style-of-span {
  /* something */
}
</style>
<span class='style-of-span'> Bili</span>

jsFontsKey performance improvement

The jsFontsKey should store its result in a cookie and check and return the value stored in that cookie if it exists, before doing the font detection again. The jsFontsKey is performing a lot of layout and rendering operations that take about 5 sec to perform in iOS UIWebView; this makes the page load very sluggish and affects battery life.

Can you explain detectScreenOrientation? Add detectScreenOrientation

Hi!
Can you explain, why you do this and how to detect screen orientation, if you sort available resolutions?

        if(this.options.detectScreenOrientation) {
          available = (screen.availHeight > screen.availWidth) ? [screen.availHeight, screen.availWidth] : [screen.availWidth, screen.availHeight];
        } else {
          available = [screen.availHeight, screen.availWidth];
        }

And maybe you can add separate method to detect device orientation availability? (but i dunno how to detect it, maybe you know :-))

excludePlugins options key missing

Sometimes different fingerprints appear when plugins are taken into account. Currently almost every option can be disabled, except plugins. I could solve it by adding an "excludePlugins" option and changing pluginsKey() to the following, could you maybe merge it?
//-----
pluginsKey: function(keys) {
  if (!this.options.excludePlugins) { // only when not excluded
    if (this.isIE()) {
      keys.push(this.getIEPluginsString());
    } else {
      keys.push(this.getRegularPluginsString());
    }
  }
  return keys;
},
//---
Thanks,
wfR ChrisA

implement robust canvas blending detection

Current code was broken, (see #62), so I removed it. Need to develop more robust detection code + a way to enumerate supported blending modes (including non-standard). Watch out for false positives and inconsistencies in Chrome 27 and Safari 8.

Learn to avoid being blocked by FP blocking tools

There are tools out there, that replace Canvas#toDataURL and thus make FPing useless.
Example of these tools: https://chrome.google.com/webstore/detail/canvasfingerprintblock/ipmjngkmngdcdpmgmiebdmfbkcecdndc/related

We need to learn how to avoid being blocked by them. For example, creating a canvas in an iframe might help.

<iframe id="iframe" sandbox="allow-same-origin" style="display:none"></iframe>
<script>
var canvas = document.getElementById("iframe").contentDocument.createElement('canvas');
...
</script>

console.log(keys) returns error

When trying to log the results of the fingerprint (Fingerprintjs2 0.7.4), I see an error in both Chrome 44.0.2 and Firefox 40.0.3:

"Uncaught ReferenceError: keys is not defined(anonymous function) @ index.html:83(anonymous function) @ fingerprint2.js:108(anonymous function) @ fingerprint2.js:389"

Changing the hash-function

Hi and thx for this beautiful piece of software :-)
I've been playing around with fingerprinting libs for quite some time now and really like your approach.
Apart from adding more fingerprinting methods, the only thing that I would like to improve is the consistency of fingerprints during a device lifecycle.

For example there are some params that won't change over time, some that will but in a given direction (plugin versions) and some that are highly fluctuating.
With the current hash method we always end up with a new fingerprint and need to "fuzzy match" them server-side.

Maybe we could introduce a more intelligent way of building our fingerprint by things like: https://github.com/ethanlim/ccmf#locality-sensitive-hashing-lsh
and therefore reduce the server-side effort?
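
One way to realize the locality-sensitive idea raised in this issue, as an added example that is not part of the original issue or of the library's code: a weighted SimHash, where stable attributes dominate the result and a server compares hashes by Hamming distance instead of equality. The component names, values, weights and the 6-bit threshold are constructed assumptions.

```javascript
// Added example: weighted SimHash, one locality-sensitive hashing scheme.
// All component names, values, weights and the threshold are constructed.

// 32-bit FNV-1a variant that mixes in UTF-16 code units (not bytes).
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// Every component votes on each of the 32 output bits with its weight.
// Similar component sets therefore tend to differ in only a few bits.
function simhash(components) {
  const votes = new Array(32).fill(0);
  for (const { name, value, weight = 1 } of components) {
    const h = fnv1a32(name + '=' + value);
    for (let bit = 0; bit < 32; bit++) {
      votes[bit] += ((h >>> bit) & 1) ? weight : -weight;
    }
  }
  let out = 0;
  for (let bit = 0; bit < 32; bit++) {
    if (votes[bit] > 0) out |= 1 << bit;
  }
  return out >>> 0;
}

// Number of bit positions in which two 32-bit hashes differ.
function hammingDistance(a, b) {
  let x = (a ^ b) >>> 0;
  let n = 0;
  while (x !== 0) {
    n += x & 1;
    x >>>= 1;
  }
  return n;
}

// Server-side match: tolerate a few flipped bits instead of requiring equality.
function sameDevice(hashA, hashB, maxBits = 6) {
  return hammingDistance(hashA, hashB) <= maxBits;
}

// Constructed sample: stable attributes weigh most, a drifting one less,
// and a highly fluctuating one gets weight 0 so it never changes the hash.
const SAMPLE = [
  { name: 'platform', value: 'Win32', weight: 2 },
  { name: 'timezone', value: '-120', weight: 2 },
  { name: 'screen', value: '1920x1080', weight: 2 },
  { name: 'canvas', value: 'c0ffee01', weight: 2 },
  { name: 'plugins', value: 'PDF Viewer', weight: 1 },
  { name: 'userAgentVersion', value: '120.0.1', weight: 0 },
];

// Copy of the component list with one value replaced.
function withValue(components, name, value) {
  return components.map(c => (c.name === name ? { ...c, value } : c));
}

const before = simhash(SAMPLE);
const afterUpdate = simhash(withValue(SAMPLE, 'userAgentVersion', '121.0.0'));
const afterPlugin = simhash(withValue(SAMPLE, 'plugins', 'PDF Viewer 2'));
console.log(before === afterUpdate, hammingDistance(before, afterPlugin));
```

With these weights the plugin component can only flip bits on which the four stable components tie, so a plugin change moves the hash by a bounded number of bits rather than replacing it.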

Default Fingerprint2() result different in two tabs in the same browser

Hi, I am trying to determine why a fingerprint generated by two different tabs in the same browser would be different.

I have a javascript heavy web app and a basic HTML page both generating a fingerprint in the same browser but different tabs. I cannot for the life of me have the tabs create the same fingerprint.

What in the current tab would dictate a different fingerprint being generated? I did not see anything that was dependent on what was currently rendered.

Any insights are appreciated. I have played with disabling various options in both to no avail.

Canvas bug in Safari

I got two different fingerprints in my Safari 8. When I loaded fingerprintjs2 the first time the fingerprint was 4a6fd73681de95e22d6021eddb0ea2a3, if I clicked btn again i got 66a9c3707479d6f532dc5959f8da0f72.

This is diff of these two cases https://www.diffchecker.com/rw0vf5cy.

  result.push("canvas fp:" + canvas.toDataURL());

If I comment canvas.toDataURL() fingerprints are identical.

Best way to uniquely identify!

Well, I just scrolled in your project & yes it's a cool project dude.

Need some more identification options for unique identification.

  1. IMEI detection,
  2. WLAN MAC address detection,
  3. Serial number detection,
  4. SIM detection

The best way to unique identification!

Hardware based Key and Server Side JS

Well, there is another great option that could be added. As you read in the title, "Hardware based Key". Like detecting security keys, which is also available in Google Security Solution.

Though there are security risks. As the JS file runs on the client side, anyone can bypass it with simple browser-based developer extensions.

There is a good reading here.

where to discuss?

Is there somewhere we can discuss the status of v2 and ideas related to it?

"§" sometimes become "§".

For now, I haven't found out why.
That happens in different pages with one browser.
I compared all values; all of them are the same, except "§" -> "§".


Could I ask why not use some normal character?
Is there a special reason? Thank you very much.
