https://abrahamjuliot.github.io/creepjs
The purpose of this project is to shed light on weaknesses and privacy leaks among modern anti-fingerprinting extensions and browsers.
- Detect and ignore API tampering (API lies)
- Fingerprint lie types
- Fingerprint extension code
- Fingerprint browser privacy settings
- Employ large-scale validation, but allow possible inconsistencies
- Feature detect and fingerprint new APIs that reveal high entropy
- Rely only on APIs that are the most difficult to spoof when generating a pure fingerprint
Tests are focused on:
- Tor Browser (SL 1 & 2)
- Firefox (RFP)
- ungoogled-chromium (fingerprint deception)
- Brave Browser (Standard/Strict)
- puppeteer-extra
- uBlock Origin (aopr)
- NoScript
- DuckDuckGo Privacy Essentials
- Privacy Badger
- Privacy Possom
- Random User-Agent
- User Agent Switcher and Manager
- CanvasBlocker
- Trace
- CyDec
- Chameleon
- ScriptSafe
- Windscribe
- data collected: user agent string, encrypted fingerprints and booleans
- data retention: auto deletes 30 days after last visit
- visit tracking: limited to data retention and new feature scaling
- you may optionally sign your fingerprint with 4-64 characters
- signatures can be memorable descriptors
- in low entropy browsers, a signature can signal to others that the fingerprint is shared
- scaling should occur no more than once per week
- new weekly features may render fingerprints anew
- view deploy history
A failing trust score is unique and can be used to connect fingerprints.
- start at
100% - less than 2 loose fingerprints: subtract
0 - less than 11 loose fingerprints: subtract
total*0.1 - *11+ loose fingerprints: subtract
total*0.2 - trash: subtract
total*15.5 - lies: subtract
total*31 - errors: subtract
total*5.2
Bots leak unusual behavior and can be denied service.
- 10 loose fingerprints within 48 hours
- Headless rating > 0
- Stealth rating > 0
- a guess attempt is made to decrypt the browser vendor, version, renderer, engine, and platform
- this guess does not affect the fingerprint
- system is collected from
WorkerNavigator.userAgentand auto matched to fingerprint ids - decoded samples are auto computed and manually reviewed if new
- if the worker scope is blocked and the fingerprint ids exist in the database, the version can still be detected
- js Math implementation
- js engine via console errors
- HTMLElement version
- system styles
- CSS style version
- contentWindow version
- layout rendering engines: Gecko, Goanna, Blink, WebKit
- JS runtime engines: SpiderMonkey, JavaScriptCore, V8
- unusual results
- forgivable lies
- failed calculations that may reasonably occur at random (loose fingerprint metrics)
- prototype tampering
- mismatch in worker scope or iframe
- failed math calculations
- ungracefully blocked features that break the web
- failed executions
- collects as much entropy as possible
- adapts to browsers and distrusts known noise vectors
- aims to ignore entropy unique to a browser version release
- gathers compressed and static entropy