What Secrets Does Your Browser Know (and Reveal) About You?

Your browser is generally a tattletale, willing to divulge many secrets it knows about you or can find out, just for the asking. It’s not really the browser’s fault; that’s just how most browsers are made. We’ll show you how to find out what your browser is willing to tell about you, and how to keep it quiet.

JavaScript and HTTP Headers
Most of the information a browser divulges is sent either as data embedded in the HTTP headers that are transmitted between your browser and the web server hosting the site you’re visiting, or by the use of JavaScript embedded in the webpage you’re viewing.

The amount of information that can be gleaned through the use of JavaScript and headers is pretty amazing, so as we take a look at some of the common information websites ask for, we’ll also present possible ways to mitigate the security issues of a blabbermouth browser.

(Panopticlick can test your browser for how well it protects you against tracking.)

Location Information
With a little help from some JavaScript embedded in a webpage, your browser can make a pretty good guess at your current location, and send this information off to a site’s web server.

There are various ways to ask for location information, but one of the common methods is to use a set of APIs used by Google for geolocation. The APIs were developed to allow ads to be tailored for your location; ads for a local pizza shop or a nearby auto dealer are just a couple of examples.

When I tried this out with the Google geolocation API, the result for my location was off by 17 miles. That’s a lot better than a simple IP lookup (more about that later), which can put you pretty far away from your actual location.

Keeping it quiet: The simplest solution is to disable JavaScript in your web browser’s preferences. Safari users will find the option in the Security section of Safari’s preferences.

The problem with disabling JavaScript is that it’s an all-or-nothing solution; disabling it prevents every website you visit from using JavaScript. You’re likely to find most websites will simply stop working correctly. A better choice may be to use one of the many browser extensions available, such as JS Blocker (Safari), NoScript (Firefox), or ScriptSafe (Chrome). JavaScript-blocking extensions can prevent much of the data-sniffing code from working on websites you visit.

But it’s not just Google using location information. Your Mac has built-in location services as well. Thankfully, you get to control which apps are allowed to make use of the Location Services. You can find location options in the Security & Privacy preference pane, under the Privacy tab.

(Security & Privacy provides some protection from apps using the built-in location services.)

Internet Connection Information
Whenever you use your browser to access a website, one or more connections to the web server are made. Part of making that connection is to use your public IP as the address to send data to.

Your IP address is also used every time you connect to a service on the Internet. Along with the IP address is a wealth of additional information that can be associated with the IP. This includes the ISP you’re using since IP address blocks are assigned to ISPs, making it a simple matter to look up who has control of an IP address, as well as the location where the IP is being used. Luckily, determining location based only on an IP address usually isn’t very accurate. Based solely on IP-based location, I’m currently in an entirely different county, quite a distance from where I really am.

Keeping it quiet: JavaScript can also be used to discover the IP address, but since it’s a requirement to divulge the IP to make a connection to the web server, turning off JavaScript isn’t the answer. A better method to hide your IP is to make use of an anonymous web proxy service. This type of proxy service is designed to hide your public IP address by routing all traffic through a different public IP, usually located some distance away from you.

Another method is to use a VPN (Virtual Private Network). A VPN, like an anonymous web proxy, will also hide your public IP. The difference is an anonymous web proxy only handles web-based traffic, while a VPN handles all Internet traffic.

Another method is to use the Tor Browser. This browser is designed to use the Tor network to ensure anonymous browsing.

Operating System, Browser, Plugins
The browser you’re using is happy to disclose the operating system you’re using, the browser you’re using (also known as the User Agent), and the browser plug-ins that are currently active.

Most of this type of information is generated via embedded JavaScripts in a webpage you’re visiting, which is then sent on to the web server for its internal use. In many cases, the information is used to customize the webpage to better suit your needs. But the information is just as likely to be used to help create a fingerprint to identify your computer as you move around the web. We’ll talk more about fingerprints in a bit.

Keeping it quiet: Just like our previous Location Information example, disabling or blocking JavaScript execution will help put a stop to the gathering of information about your software.

(Extensions or add-ons, such as JS Blocker, can help prevent embedded tracking scripts from running.)

Hardware
JavaScript can be used to reveal a great deal about you, including the hardware you’re using to visit a website. Most of the time, the type of hardware information requested, and returned by your browser, includes CPU type, the number of processor cores, display resolution, and color depth.

Keeping it quiet: JavaScript is the primary method used to acquire this information, so disabling JavaScript, either in your browser’s preferences or with a browser add-on, is an option.

Additional Details Your Browser Can Reveal
This is a partial list of information your browser can cough up if asked to do so. Most of these make use of JavaScript as the method for gaining the information.

Forwarder: This is the page you were on before you loaded the current page.

Installed software: In some cases, a site will check on specific software that is installed on the computer. One example for this type of use is when a website has embedded content that requires a plug-in or app to be installed.

Browser information and capabilities: The browser’s User Agent contains some information about the browser, but with JavaScript, a website can request more complete information about the browser, including what web features are supported, whether cookies are enabled, as well as the type of cookies that can be used, what HTML headers are supported, and quite a bit more.

Fonts installed: Some browsers will limit this to just fonts available to the browser, while others will list every font installed on your system.

Social media status: If you have set up your browser to work with social media sites, such as Facebook or Twitter, and you’re currently logged in to those sites, it’s possible that some browsers will divulge this information via JavaScript.

Keeping it quiet: Disabling JavaScript or using a plugin to control JavaScript on a site-by-site basis can suppress most of the above information. Another option is to use your browser’s private browsing settings, which can keep some of the data from being revealed.

(Your browser likely has an option for completely disabling JavaScript from running, such as shown here with Safari’s preferences.)

Fingerprinting
We’ve all heard about how cookies can be used to track our movements around the Internet. It’s one of the reasons many web users disable cookies or use some type of cookie management system, to help keep the ad networks at bay and prevent them from tracking us.

But cookies are yesterday’s technology; web tracking now makes use of many techniques, including fingerprinting. The idea behind fingerprinting is simple, though it is complex to carry out effectively, and many large ad-based systems are putting it to use. When you visit a website that employs fingerprinting, usually through code embedded in an ad frame on the site, a fingerprint is extracted. This is done by using JavaScript to gather as much information about the computer as it can. This includes obvious items such as IP address, operating system, and processor configuration, and less obvious items, such as fonts installed, plugins installed, time zone the computer is set to, language, screen size, HTML features supported, and much more.

With enough data gathered, the fingerprint becomes unique and can be compared against each time you access a website, allowing your computer to be tracked wherever you go without ever having to set any type of cookie or web tracker locally on your computer.

Keeping it quiet: It’s hard to prevent fingerprinting, but there are some techniques you can use, starting with making your computer seem as common as possible; the less unique you are, the better. There are some plugins designed to reduce the effectiveness of fingerprinting, including Privacy Badger, which works with Chrome, Firefox, and Opera, or Disconnect, which works with Chrome, Firefox, Safari, and Opera.

The Tor Browser is another option, as it has been designed to make fingerprinting as difficult as possible.
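
Why "the less unique you are, the better" can be shown with a small calculation. The JavaScript below is an added example, not code from the original article: it groups eight constructed visitor records by their combined attributes and counts how many visitors end up alone in their group. The attribute values and the standardise() model of a browser that reports common values are assumptions made for illustration.

```javascript
// Constructed sample data: eight visitors described by attributes of the
// kind the article lists (OS, time zone, screen size, installed fonts).
const KEYS = ["os", "tz", "screen", "fonts"];
const visitors = [
  ["macOS",   "America/New_York",    "1440x900",  "setA"],
  ["macOS",   "America/New_York",    "1440x900",  "setB"],
  ["macOS",   "America/Los_Angeles", "2560x1440", "setA"],
  ["Windows", "America/New_York",    "1920x1080", "setA"],
  ["Windows", "America/Los_Angeles", "1920x1080", "setA"],
  ["Windows", "America/Los_Angeles", "1920x1080", "setB"],
  ["macOS",   "America/Los_Angeles", "1440x900",  "setB"],
  ["Windows", "America/New_York",    "2560x1440", "setB"],
].map(row => Object.fromEntries(row.map((value, i) => [KEYS[i], value])));

// Join the chosen attributes in a fixed order. A tracker would normally hash
// this string; the string itself is enough to group visitors here.
function fingerprint(rec, keys = KEYS) {
  return keys.map(k => `${k}=${rec[k]}`).join("|");
}

// Count visitors per fingerprint: each group is an anonymity set.
function anonymitySets(records, keys = KEYS) {
  const sets = new Map();
  for (const r of records) {
    const fp = fingerprint(r, keys);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

// Visitors whose fingerprint nobody else shares can be followed individually.
function uniqueVisitors(records, keys = KEYS) {
  return [...anonymitySets(records, keys).values()].filter(n => n === 1).length;
}

// Identifying information in bits: -log2(share of visitors with this print).
function surprisalBits(rec, records, keys = KEYS) {
  const n = anonymitySets(records, keys).get(fingerprint(rec, keys));
  return -Math.log2(n / records.length);
}

// Assumed mitigation model: the browser reports one common screen size and
// font set for everyone, so those attributes stop distinguishing users.
const standardise = rec => ({ ...rec, screen: "1000x1000", fonts: "default" });

for (const k of KEYS) console.log(k, "alone:", uniqueVisitors(visitors, [k]), "unique");
console.log("combined:", uniqueVisitors(visitors), "unique of", visitors.length);
console.log("standardised:", uniqueVisitors(visitors.map(standardise)), "unique");
```

In this constructed set no single attribute singles anyone out, yet the four together identify every visitor; standardising two of them puts each visitor back in a group of two.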

(The content settings that will let you manage JavaScript in Chrome are stored in the Advanced area of Chrome’s preferences.)

Disable It All
This guide isn’t meant to recommend turning JavaScript off, or even installing the various plug-ins mentioned. These are just suggestions for ways to get around specific issues you may have with browser privacy. In many cases, the loss of properly working websites makes the cure a bit worse than the problem.

Browsers are getting better, adding features to combat some of the top security issues, including disclosing information without asking for permission to do so. One of the easiest weapons you can deploy is a modern browser that you keep up to date.

Websites to Check Out How Your Browser Behaves
There are a few websites you can visit to see just what information your browser is willing to reveal. If you would like to test your browser, check out:

  • Panopticlick: Tests your browser for how it responds to online trackers.
  • clickclickclick: Displays how your activity at a website can be monitored. This is an interactive site that includes a voice-over that may occasionally use phrases that are not safe for work.
  • webkay: A demonstration website that displays properties your browser is willing to send to its web server.

Comments


  • Fingerprinting is also beneficial: your bank, stock broker, and credit card sites use fingerprinting as an authentication which may free you from some second level screening on login. Ever see “we don’t recognize this computer” from a web site?
    Information sent by the browser seems trivial - just what are you afraid of? What’s the difference if someone knows your CPU? Spend your time and energy on productive activities rather than paranoia.




  • Also recommended is ‘Little Snitch’ (who’s tracking what) and its companion ‘Micro Snitch’ (what’s connected to your Mac).

    I have both.




  • bad link to click ^3 :”bad gateway”

    Fingerprint test never seems to end on Panopt. Running directly on its page does nothing.