https://abrahamjuliot.github.io/creepjs
The purpose of this project is to shed light on weaknesses and privacy leaks among modern anti-fingerprinting extensions and browsers.
- Detect and ignore API tampering (API lies)
- Fingerprint lie types
- Fingerprint extension code
- Fingerprint browser privacy settings
- Employ large-scale validation, but allow possible inconsistencies
- Feature detect and fingerprint new APIs that reveal high entropy
- Rely only on APIs that are the most difficult to spoof when generating a pure fingerprint
Tested:
- Tor Browser (SL 1 & 2)
- Firefox (RFP)
- ungoogled-chromium (fingerprint deception)
- Brave Browser (Standard/Strict)
- uBlock Origin (aopr)
- Privacy Badger
- Privacy Possom
- Random User-Agent
- User Agent Switcher and Manager
- CanvasBlocker
- Trace
- CyDec
- Chameleon
- ScriptSafe
- Windscribe
- data collected: user agent string, encrypted fingerprints and booleans
- data retention: auto deletes 30 days after last visit
- visit tracking: limited to data retention and new feature scaling
- you may optionally sign your fingerprint with 4-64 characters
- signatures can be memorable descriptors
- in low entropy browsers, a signature can signal to others that the fingerprint is shared
- scaling should occur no more than once per week
- new weekly features may render fingerprints anew
- view deploy history
A failing trust score is unique and can be used to connect fingerprints.
- start at
100%
- less than 2 loose fingerprints: subtract
0
- less than 11 loose fingerprints: subtract
total*0.1
- *11+ loose fingerprints: subtract
total*0.2
- trash: subtract
total*15.5
- lies: subtract
total*31
- errors: subtract
total*5.2
Bots leak unusual behavior and can be denied service.
- 10 loose fingerprints within 48 hours
- a guess attempt is made to decrypt the browser vendor, version and platform
- this guess does not affect the fingerprint
- fingerprints with lies are ignored
- system is guessed only when
WorkerNavigator.userAgent
system is an exact match to the current samples - decoded samples are auto gathered and manually reviewed
- js Math implementation (SpiderMonkey, JavaScriptCore, V8)
- js engine via console errors
- HTMLElement version
- system styles
- CSS style version
- contentWindow version
- unusual results
- forgivable lies
- prototype tampering
- failed math calculations
- invalid results
- blocked features
- collects as much entropy as possible
- adapts to browsers and distrusts known noise vectors
- aims to ignore entropy unique to a browser version release
- gathers compressed and static entropy