[tor-talk] Spoofing a browser profile to prevent fingerprinting

Mirimir mirimir at riseup.net
Thu Jul 31 18:01:36 UTC 2014

On 07/31/2014 11:44 AM, Joe Btfsplk wrote:
> Wow, I'm surprised no one has questioned this before or has a reasonable
> explanation.
> Why Panopticlick's total estimated entropy, *reported in the sentence
> _above_ their results table,* is much less than the sum of individual
> parameters' entropies - shown in the table:
> "_Currently, we estimate that your browser has a fingerprint that
> conveys *nn.nn bits* of identifying information_."
> To arrive at a total *"bits of identifying information"*, do they ignore
> characteristics with entropies < certain values?
> Because, in a typical test - w/ JS ENabled, the sentence may show total
> entropy of *13.xx bits.*
> In the same test,  the sum of entropies from their included table may be
> *34.xx* bits identifying information.
> Why is there such a huge difference?  To arrive at their "total," what
> do they ignore - and WHY?
> Or, do they take the results in the table & apply additional
> algorithms?  If so, do they detail that?
> Thanks.

I gather that entropy isn't always additive. I'd need to learn a lot
before saying much more about that. There's probably something useful in

Having Javascript blocked is itself information, but I don't think that
Panopticlick is including that in the result.

> On 7/30/2014 9:12 AM, Joe Btfsplk wrote:
>> On 7/29/2014 4:35 PM, Ben Bailess wrote:
>>> But here are some numbers that I just collected that
>>> perhaps could be of use to you. This test was done with the latest TBB
>>> (3.6.3) and Firefox versions on Linux (Fedora), with both JS on and off:
>>> FF (private browsing) / JS disabled = 16 bits (not "unique" - one in
>>> 65,487)
>>> FF (private browsing) / JS enabled = 22 bits ("unique" out of >4M
>>> samples)
>>> FF (normal browsing) / JS disabled = 15.98 bits (not "unique" - one in
>>> 64,524)
>>> FF (normal browsing) / JS enabled = 21.07 bits (not "unique" but one in
>>> 2,193,824 [roughly 2 matching entries in the sample]... so the other
>>> data
>>> point may well have been me...)
>>> TBB / JS enabled = 12.06 bits (not "unique" - one in 4,260)
>>> TBB / JS disabled = 9.05 bits (not "unique" - one in 529 are same)
>> Thanks to all for your input.
>> OK, I slept & revisited Panopticlick fingerprinting results
>> https://panopticlick.eff.org.  Silly me - I was looking at the values
>> listed for each parameter, then assessing the total entropy for all
>> parameters shown.
>> Yes, if I look at the value they report *in a sentence* above the
>> results table, that total is far < than the sum of "bits of identifying
>> information" for all browser characteristics measured, as shown in their
>> results table.
>> For those that haven't looked at the site (or anything similar), the
>> total entropy that Panopticlick arrives at is far < than the sum of
>> individual values.
>> ("The total is less than the sum of its parts" ??)
>> Like when it says,
>> "_Currently, we estimate that your browser has a fingerprint that
>> conveys *13.72 bits* of identifying information_," but the sum of all
>> parameters in that same test is *far* > than 13.72 bits.
>> Maybe someone more familiar w/ their algorithm to arrive at the grand
>> total "*bits of identifying information*," (that they state in a
>> sentence, above the results table) can explain why their stated total
>> entropy for the browser tested is *so much lower* than the total of all
>> parameters shown in the table of test results.
>> I read their paper, https://panopticlick.eff.org/browser-uniqueness.pdf,
>> but missed any explanation of why that is so.
>> I have an idea why that may be true, but no (generic) mathematical
>> explanation.
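
An added worked example, not part of the original messages and not Panopticlick's code: it shows on constructed samples why per-attribute bits need not add up to the whole-fingerprint figure. It assumes each figure is a surprisal, log2(sample size / matching browsers), which is consistent with the "one in 4,260" = 12.06 bits numbers quoted above; the attribute values and sample rows are hypothetical.

```python
import math
from itertools import product

def _bits(total, matches):
    """Surprisal in bits of a value seen `matches` times in `total` rows."""
    if matches == 0:
        raise ValueError("value must occur in the sample")
    return math.log2(total / matches)

def per_attribute_bits(sample, fp):
    """Bits for each attribute of fp, each measured on its own."""
    return [_bits(len(sample), sum(1 for row in sample if row[i] == value))
            for i, value in enumerate(fp)]

def joint_bits(sample, fp):
    """Bits for the whole fingerprint, measured as one combined value."""
    return _bits(len(sample), sample.count(fp))

# Constructed sample (not Panopticlick data): 16 browsers whose user agent,
# plugin list and font list mostly move together.
CORRELATED = (
    [("UA-A", "plugins-1", "fonts-1")] * 8
    + [("UA-B", "plugins-2", "fonts-2")] * 4
    + [("UA-C", "plugins-3", "fonts-3")] * 2
    + [("UA-C", "plugins-3", "fonts-4")] * 1
    + [("UA-D", "plugins-4", "fonts-5")] * 1
)

# Constructed sample where the two attributes are independent and uniform.
INDEPENDENT = list(product(["UA-A", "UA-B"], ["p1", "p2", "p3", "p4"]))

def report(name, sample, fp):
    parts = per_attribute_bits(sample, fp)
    print(f"{name}: per-attribute {[round(b, 2) for b in parts]}, "
          f"sum {sum(parts):.2f} bits, whole fingerprint "
          f"{joint_bits(sample, fp):.2f} bits")

if __name__ == "__main__":
    # Correlated attributes repeat the same information, so the sum overcounts.
    report("correlated", CORRELATED, ("UA-C", "plugins-3", "fonts-4"))
    # Independent attributes: the sum and the whole-fingerprint value agree.
    report("independent", INDEPENDENT, ("UA-A", "p1"))
```

In the correlated sample the user agent already predicts the plugin list, so counting both attributes separately counts the same information twice; the whole-fingerprint value counts it once.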
