Browser Entropy Sources for Fingerprinting
 Share
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

Comment only
 
ABCDEFGHIJKLMNOPQRSTUVWXYZAA
1
Entropy SourceAccessDescriptionRelevant Pref(s)Firefox BugTor BugIn FingerprintJS2?In AmIUnique?In Panopticlick?
2
3
Deterministic Device Information
4
Browser Pluginsnavigator.pluginsLists installed plugins and version numbers (now just Flash)YYY
5
navigator.mimeTypesReveals installed plugins.[DOM] navigator.mimetypes.length = 0
6
7
System FontsJS/CSSHTMLElement.offsetWidth
HTMLElement.offsetHeight
https://bugzilla.mozilla.org/show_bug.cgi?id=1336208
https://bugzilla.mozilla.org/show_bug.cgi?id=1121643
https://trac.torproject.org/projects/tor/ticket/18097
https://trac.torproject.org/projects/tor/ticket/13313
YYY
8
Canvas APIcanvasRenderingContext2D.measureText
canvasRenderingContext2D.font
https://bugzilla.mozilla.org/show_bug.cgi?id=1336208
https://bugzilla.mozilla.org/show_bug.cgi?id=1121643
https://trac.torproject.org/projects/tor/ticket/18097
https://trac.torproject.org/projects/tor/ticket/13313
9
10
OS Vendor/Versionnavigator.platformOS vendor
https://bugzilla.mozilla.org/show_bug.cgi?id=1333651
https://bugzilla.mozilla.org/show_bug.cgi?id=1383495
YYY
11
navigator.oscpuOS vendor and version number
https://bugzilla.mozilla.org/show_bug.cgi?id=1333651
12
navigator.appVersionOS vendor
https://bugzilla.mozilla.org/show_bug.cgi?id=1333651
13
System Color SchemeSystem colors are discoverable via CSS and canvas (https://developer.mozilla.org/en-US/docs/Web/CSS/color_value#System_Colors)
http://browserspy.dk/colors.php
ui.use_standins_for_native_colors = true
https://trac.torproject.org/projects/tor/ticket/6786
14
Toolbar, Titlebar, Widget SizeOSs have different size UI widgets/chrome. This is discoverable through "inner" size queries
https://bugzilla.mozilla.org/show_bug.cgi?id=1397996
15
navigator.userAgentUser agent contains vendor and version
https://bugzilla.mozilla.org/show_bug.cgi?id=1333651
16
resource://https://browserleaks.com/firefox#more
https://bugzilla.mozilla.org/show_bug.cgi?id=863246
https://bugzilla.mozilla.org/show_bug.cgi?id=503221
https://trac.torproject.org/projects/tor/ticket/8725
17
Math routinesHigh-precision mathematical functions have small differences between OSs
https://bugzilla.mozilla.org/show_bug.cgi?id=531915
https://trac.torproject.org/projects/tor/ticket/13018
18
JS Date ObjectCalls like new Date().toLocaleFormat() produce different Date formatting, depending on the platform
https://bugzilla.mozilla.org/show_bug.cgi?id=1409973
https://trac.torproject.org/projects/tor/ticket/15473
19
Canvas Emoji Detectionhttps://www.bamsoftware.com/papers/fontfp.pdf
20
Network connection APIhttps://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkabilitydom.network.enabled
21
Sensor APIhttps://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkabilitydevice.sensors.enabled
22
CSS line-heightLine height is different on different platforms
https://bugzilla.mozilla.org/show_bug.cgi?id=1397994
https://trac.torproject.org/projects/tor/ticket/23104
23
Media SupportDifferent OSes may have differing support for HTML5 media.
https://trac.torproject.org/projects/tor/ticket/13543
24
25
Browser Vendor/Versionnavigator.userAgentUA string contains version information
https://bugzilla.mozilla.org/show_bug.cgi?id=1333651
YYY
26
navigator.buildIdBuild identifier for the browser
https://bugzilla.mozilla.org/show_bug.cgi?id=1333651
https://bugzilla.mozilla.org/show_bug.cgi?id=583181
27
resource://https://browserleaks.com/firefox#more
https://bugzilla.mozilla.org/show_bug.cgi?id=863246
https://bugzilla.mozilla.org/show_bug.cgi?id=503221
https://trac.torproject.org/projects/tor/ticket/8725
28
supported APIsThe set of APIs exposed to JS will vary by Browser version (https://browserleaks.com/features)
29
30
Screen Propertieswindow.screenwidth, height, colorDepthYYY
31
CSS Media QueriesCSS query can be used to query the window size and screen size.
https://bugzilla.mozilla.org/show_bug.cgi?id=418986
https://trac.torproject.org/projects/tor/ticket/2875
32
Touch APIScreen size: Touch.screenX/Y, Touch.clientX/Y
Device touch support: if screen supports touch, if screen can sense pressure
https://bugzilla.mozilla.org/show_bug.cgi?id=1382499
https://trac.torproject.org/projects/tor/ticket/10286
33
window.devicePixelRatioReveals screen pixel ratio
https://trac.torproject.org/projects/tor/ticket/13875
34
35
Input DevicesGamepad APIQuery videogame controllers and extract their USB device IDs and other vendor info strings, without user interactiondom.gamepad.enabled = false
https://bugzilla.mozilla.org/show_bug.cgi?id=1337161
https://trac.torproject.org/projects/tor/ticket/13023
NNN
36
Touch API
37
navigator.maxTouchPointsReturns the maximum number of touch points supported by the device
38
Pointer EventsReveals if user is using a mouse, pen, or touch input -- plus additional detail on geometry of device (e.g. pointer size)
https://bugzilla.mozilla.org/show_bug.cgi?id=1363508
NNN
39
40
Media DevicesMedia Devices API
(enumerateDevices() -- no permission)
Gives the number of camera & mic devices. Devices have per-top-level-origin unique IDs which reset after cookie clears or when the browser is rebooted.
media.peerconnection.enabled = false
media.navigator.enabled = false
https://bugzilla.mozilla.org/show_bug.cgi?id=1372073
https://trac.torproject.org/projects/tor/ticket/16328
NNN
41
Media Devices API
(getUserMedia() -- requires permission)
Once permission is granted, all device information is available (e.g., device resolution). See: https://bugzilla.mozilla.org/show_bug.cgi?id=1372073#c65
https://bugzilla.mozilla.org/show_bug.cgi?id=1372073
NNN
42
43
Graphics StackCanvas APICanvasRenderingContext2D
Canvas renderings appear to be tied to underlying drivers and graphics cards. See: http://w2spconf.com/2012/papers/w2sp12-final4.pdf
https://bugzilla.mozilla.org/show_bug.cgi?id=967895
https://trac.torproject.org/projects/tor/ticket/12684
YYY
44
WebGL APIgetParameter(), getSupportedExtensions(), getExtension()
WebGL capabilities and supported extensions reveal the device's graphics processor, properties of the processor, and properties of the webgl context.
webgl.disable-extenstions = true
webgl.min_capability_mode = true
webgl.disable-fail-if-major-performance-caveat = true
https://bugzilla.mozilla.org/show_bug.cgi?id=1217290
https://trac.torproject.org/projects/tor/ticket/6370
https://trac.torproject.org/projects/tor/ticket/16005
YYY
45
WebGL APICanvasRenderingContext3D
http://w2spconf.com/2012/papers/w2sp12-final4.pdf
https://bugzilla.mozilla.org/show_bug.cgi?id=1217290
https://trac.torproject.org/projects/tor/ticket/6370
https://trac.torproject.org/projects/tor/ticket/16005
YYY
46
47
Keyboard LayoutKeyboardEvent.code
KeyboardEvent.keyCode
KeyboardEvents provide a way for a website to find out information about the keyboard layout of its visitors. There are several dimensions to this fingerprinting vector. https://developers.google.com/web/updates/2016/04/keyboardevent-keys-codes
https://bugzilla.mozilla.org/show_bug.cgi?id=1222285
https://trac.torproject.org/projects/tor/ticket/15646
https://trac.torproject.org/projects/tor/ticket/17009
NNN
48
49
Audio APIAudioContext
OfflineAudioContext
Audio context seems to roughly correspond to OS, but more research is needed.dom.webaudio.enabled = false
https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
https://trac.torproject.org/projects/tor/ticket/13017
NNN
50
51
Localeresource://https://browserleaks.com/firefox#moreYYY
52
navigator.language
navigator.languages
intl.accept_languages = "en-us, en"
intl.accept_charsets = "iso-8859-1,*,utf-8"
intl.charsetmenu.browser.cache = "UTF-8"
javascript.default_locale = "en-US"
53
Date ObjectDate().toLocaleString()
Date().toLocaleFormat()
Intl.DateTimeFormat().format(new Date()))
https://bugzilla.mozilla.org/show_bug.cgi?id=1330890
https://bugzilla.mozilla.org/show_bug.cgi?id=1409973
54
Accept-LanguageHTTP Header
https://bugzilla.mozilla.org/show_bug.cgi?id=1039069
55
<isindex> HTML ElementInserts form with label that contains locale
https://bugzilla.mozilla.org/show_bug.cgi?id=1330892
https://trac.torproject.org/projects/tor/ticket/18914
56
57
Connection Statusnavigator.onLineBoolean value if machine is online/offlinenetwork.manage-offline-status = falseNNN
58
navigator.connectionExposes network type (cellular, wifi, etc) and estimated speed (4g, 3g, 2g, etc). See Network Information API.dom.netinfo.enabled = false
https://bugzilla.mozilla.org/show_bug.cgi?id=1372072
59
60
Device Sensors(Generic)Sensors readouts may have fingerprintable differences. Sensor data can be used to fingerprint a user's motion and surroundings.device.sensors.enabled = false
https://bugzilla.mozilla.org/show_bug.cgi?id=1369319
https://trac.torproject.org/projects/tor/ticket/21609
NNN
61
Ambient Light Sensor
62
Accelerometer
63
Device Orientation
64
65
Speech Synthesis VoicesspeechSynthesis.getVoices()May a fingerprinting vector through computer-specific speech packages which are exposed in an enumeratable fashion through speechSynthesis.getVoices().media.webspeech.synth.enabled = false
https://bugzilla.mozilla.org/show_bug.cgi?id=1333641
https://bugzilla.mozilla.org/show_bug.cgi?id=1233846
https://trac.torproject.org/projects/tor/ticket/10283
NNN
66
67
Geolocationnavigator.geolocation objectAllows a site to request fine grained geolocation (latitude and logitude). Has a permission prompt.geo.enabled = false
https://bugzilla.mozilla.org/show_bug.cgi?id=1372069
NNN
68
69
CPUnavigator.hardwareConcurrencyReveals the number of cores/threads of a CPUdom.maxHardwareConcurrency
https://bugzilla.mozilla.org/show_bug.cgi?id=1360039
https://trac.torproject.org/projects/tor/ticket/21675
YNN
70
71
Network Attacks
72
Open PortsWebSockets or XHRBy using either WeSockets or XHR, remote content could enumerate the list of TCP ports open on 127.0.0.1, which can provide a very unique fingerprint of a machine.network.proxy.no_proxies_on = ""
73
74
NTLM/SPNEGO Leak
hostname/username
Both NTLM and SPNEGO can leak the hostname, and current username.
https://bugzilla.mozilla.org/show_bug.cgi?id=1046421
http://torpat.ch/12974
75
76
HTTP2
77
78
p0f Features
79
80
Local IP AddressWebRTC dataChannelThe local IP address can be revealed by WebRTC data channels without user permission. For some users this will be globally unique.
81
mDNS/Presentation APIThe DoListAddresses() methods return local IP addressesdom.presentation.enabled = false
https://bugzilla.mozilla.org/show_bug.cgi?id=1382533
https://trac.torproject.org/projects/tor/ticket/22165
82
83
OS Vendor/VersionTCP/IPReveals vendor and possibly version, despite spoofing in the application layer. (See: https://browserleaks.com/ip)N/A
https://bugzilla.mozilla.org/show_bug.cgi?id=1409269
https://bugzilla.mozilla.org/show_bug.cgi?id=1404608
84
85
86
Timing Attacks
87
88
JavaScript Timing PrecisionPrecising timing can enable device feature discovery through timing sidechannels
https://bugzilla.mozilla.org/show_bug.cgi?id=1369303
89
90
JavaScript PerformancePerformance APITor spoofs performance timing API, and disables resource timing API and user timing API for preventing timing analysis fingerprinting.
dom.enable_performance = false,
dom.enable_resource_timing = false
91
Video Statistics APImedia.video_status.enabled = false
https://bugzilla.mozilla.org/show_bug.cgi?id=1369309
https://trac.torproject.org/projects/tor/ticket/15757
92
Animation APIHigh-res timestamp exposed
https://bugzilla.mozilla.org/show_bug.cgi?id=1382545
https://trac.torproject.org/projects/tor/ticket/16337
93
94
CPU Benchmarkhttp://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html
95
96
Network SpeedMeasure the amount of time it takes to load a large, remote resource.
97
98
User behavior / settings attacks
99
100
Per-site Zoom LevelCSS and JavaScript have access to information about the zooming level.browser.zoom.siteSpecific = false
https://bugzilla.mozilla.org/show_bug.cgi?id=1369357
Loading...