
The problem is that the API layer of the browser is now so complex that even without cookies, just your config yields a completely unique signature whether or not you're in incognito.

This site gives you the details: https://amiunique.org/fp

Basically unless you use a completely different computer for incognito browsing, any site you visit can link your logged-in identity to your browser fingerprint and then track you regardless of mode/cookies.



The fact that a web site can query all those things in that site is utterly ridiculous. Web technology is out of control.


I was "unique" on two different session tabs, and also in a Private window; reloads, however, were stable. That means that the browser is not recognizable, just the session.


And this isn’t theoretical, your fingerprint is stable between normal and private browsing mode on the same browser.


My fingerprint varied from session to session to this website. So it's not easily demonstrable.


Did you look at the actual fields that diffed compared to what doesn't?

It's likely only things like referrer and device groupIDs which are easily excluded if the goal is to track a user across browser modes.


I didn't, but if it's trivial to ignore those fields, then why isn't the proof of concept doing that? I think because you don't know, in advance, which fields to ignore. Demonstrating tracking like that is the point of the page, and it failed to do so, so my conclusion is that it's not that straightforward after all.
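
The field-by-field comparison discussed in the comments above, as an added example that is not part of the thread or of amiunique.org: it diffs two snapshots of your own browser (normal and private window) to show which attributes carry over between modes and which change. The attribute names and values are constructed for illustration.

```javascript
// Added example: attribute names and values are constructed, not amiunique.org output.
// Two snapshots of the same browser: a normal window and a private window.
const normalWindow = {
  userAgent: "ExampleBrowser/1.0 (constructed)",
  timezone: "UTC+1",
  screen: "1920x1080x24",
  fonts: ["Arial", "Courier", "Example Sans"],
  referrer: "https://news.example/item",
  deviceGroupId: "a1b2c3",
};
const privateWindow = {
  userAgent: "ExampleBrowser/1.0 (constructed)",
  timezone: "UTC+1",
  screen: "1920x1080x24",
  fonts: ["Arial", "Courier", "Example Sans"],
  referrer: "",
  deviceGroupId: "f9e8d7",
};

// Split attributes into those identical in every snapshot and those that changed.
// An attribute missing from any snapshot counts as changed.
function auditStability(snapshots) {
  const names = new Set(snapshots.flatMap((s) => Object.keys(s)));
  const stable = [];
  const changed = [];
  for (const name of [...names].sort()) {
    const values = snapshots.map((s) =>
      name in s ? JSON.stringify(s[name]) : undefined
    );
    const same = values.every((v) => v !== undefined && v === values[0]);
    (same ? stable : changed).push(name);
  }
  return { stable, changed };
}

// Share of attributes that survive a mode switch: 0 means nothing carries over.
function residualExposure(snapshots) {
  const { stable, changed } = auditStability(snapshots);
  const total = stable.length + changed.length;
  return total === 0 ? 0 : stable.length / total;
}

const report = auditStability([normalWindow, privateWindow]);
console.log("stable across modes:", report.stable.join(", "));
console.log("changed across modes:", report.changed.join(", "));
console.log("residual exposure:",
  residualExposure([normalWindow, privateWindow]).toFixed(2));
```

The stable list is what a privacy setting or anti-fingerprinting extension would have to normalize or randomize; note that the split is only known after at least two snapshots have been compared.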



