Show HN: Explore what the browser exposes about you (opens in new tab)

I'm really frustrated with these types of websites because they tell me nothing.

What I'd love for these sites to do is help me understand where I am distributionally. How unique am I? On what? Help me understand what needs to be fixed and what my threat vector is.

The problem with these is that I'm always unique. Doesn't matter what browser I'm on or what. If I am unique on a clean Apple laptop in either Safari or Chrome then it is essentially meaningless. I got controlled hardware and vanilla software, how else do you blend into the crowd?

But in the wild sites aren't always implementing all these features. So I want to see if I'm unique to standard site or even one that is a bit more heavy. Importantly HOW unique am I? What things am I not unique, how unique am I, and what are the most unique things about me?

Having that information gives me the ability to do something about it. Without that information then this is just like any other website where essentially the message is "be scared! People can track you on the internet and there's nothing you can do about it!"

Hi, thank you for going through the trouble of putting this together. This sort of service is invaluable as it allows us clueless people to be mindful about something that negatively impacts our life.

Here's a suggestion: it's important to show us that our browser footprint allows us to be positively identified and tracked, but it only alerts us to a problem. It would be very useful if the site also provided some tips to improve anonymity, particularly if it's low-effort changes such as tweaking a couple of config changes.

There's a mis-understanding of at least the Graphics part. For example WebGPU features. It looks like lots of info

https://webgpureport.org/

But, they are bucketed

https://www.w3.org/TR/webgpu/#privacy-considerations

It's not zero pieces of info but it's also not close to as bad as it looks. Effectively, everyone who has, say an NVidia GPU, will likely have the same list of features and limits.

As a more general example: The number is just a flat out wrong

> Unique to 1 in 2,147,483,648+ devices.

No, I have an iPhone Pro and am in the PST time zone, set to English. It has the exact same finger print as millions of other devices among the 40 million people in the PST time zone. In general, The only things different between 2 iPhones of the same model are time-zone, laguange setting, and font size.

Please STOP EXAGGERATING!

> This is kind of like a lighter, more thorough version of CreepJS

you walked right by the chance to call it WeirdoJS

It's highly unlikely they obtained 17 billion samples, so they're likely guesstimating it by assuming each attribute is independent, and summing the entropy of all attributes. That's obviously incorrect, both because attributes are inevitably going to be correlated (eg. ip geolocation correlated with time zone), and that two identical devices (eg. 2 iPhones) will have identical fingerprints.

It's unique but changes on each reload. While the details are interesting, the fingerprint itself is not useful.

And I get a different id every time I reload.

I have the exact same, Unique to 1 in 17,179,869,184+ devices. actually slightly different. hmmm... ,'s vs .'s

I believe Cloudflare has this product already https://www.cloudflare.com/zero-trust/products/browser-isola...

Great idea! How to make sure that the users data stays private without the cloud knowing where the user is surfing. And I wonder how to monetise it? Subscription?

Didn't Stallman himself write and use something in the same vein to browse the internet?

So basically VNC?

The same applies to macOS. Safari produces a unique fingerprint ID every time, and Firefox also has a different fingerprint ID with every visit.

If the fingerprint ID is unique every time, there is zero possibility of using it for identification.

I think it might be because the performance fingerprints need to be bucketed. If they're too specific you'll never get the same fingerprint twice.

Fwiw, I use Tailscale/wireguard and take care to ensure the source IP gets fed to apps properly. This makes it easy to guarantee I have a reliable way to identify myself on my webapps and auto-auth.

Isn't that what webauthn was made for?

Or did I misunderstand you?

How about mTLS?

There is a couple of hardware/software independent data points: time zone, currency, locale.

And if every option cuts the user base in half, becoming unque is a matter of 33 such options.

The fingerprint is comprised of more than device and OS:

Browser type and version

Screen resolution

Installed fonts

Browser plugins and extensions

Canvas fingerprinting data

WebGL (graphics hardware info)

Time zone

Language settings

IP address

HTTP headers

Touch support

Device type

AudioContext

I'm unaware of how other platforms work, but for Google you can just see what buckets have been associated with your account:

https://myadcenter.google.com/controls

I'm not sure how that would work from an ad-buying perspective, from what I understand you essentially choose which buckets you'd like to show ads to? Like I don't think ad-buyers get the whole dossier for the person they're showing ads to, the platform just decides "from what you've told us, this person seems likely to like your ads"

You mean something like https://consumer.risk.lexisnexis.com/request?

Or more like "on ad network X you match for keywords A, B, F, G"?

Seems right, I'm on "Mozilla/5.0 (X11; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0" and reloading the page I get a new fingerprint each time. "Unique Fingerprint ID" seems to be the only attribute that changes each reload, but it isn't clear how that's derived.

Edit: Ah, turns out "Unique Fingerprint ID" is just the same fingerprint ID printed at the top, it isn't one of the attribute used for calculating the ID, it is the ID. Guess I got confused by the placement of it.

Yeah, I made the mistake of including all features, even ones that change on every refresh like canvas or audio.

The fingerprint should really only use stable features that don’t fluctuate between reloads. That way it’s consistent for the same device.

I would love to be able to toggle an attribute off/on to see what affect each has on the uniqueness of my fingerprint. My guess is that there are a handful of _very_ unique things, that if obscured, would make one less recognisable.

It looks AI-assisted, based on these two commits: * https://github.com/neberej/exposedbydefault/commit/503bd6519... * https://github.com/neberej/exposedbydefault/commit/16693ba17...

But to what extent should we care for such a small website? The AI witch hunt won't get us too far, and this new way of producing is only getting started. The loss of control to a non-deterministic black box is worrysome, but at some point non-vibe coded (hard coded? brain coded?) software might become less error-prone that vibe-coded

The main "Fingerprint ID" on this site seems to be a direct combination of all values, so if even a single one changes it'll act like the only conclusion is this is an entirely different fingerprint. Actual fingerprinting is a bit smarter, but it's not really possible to demonstrate that in a single clientside scripted static web page.

The more important bit to see from this tool is probably "this is an example of how much information which can aid in identification your browser exposes".

Do you know what user agent the browsers send?

I tried with Windows 7 (Firefox 115) and it reports Windows 7.

It seems though that it cannot distinguish between Windows 10 and Windows 11, so, without looking further, I suppose the detection is based on the User-Agent string? (The OS version browsers report on Windows is frozen, so Windows 10 and Windows 11 have the same version there.)

Every load, and more.

I believe this comes from the (browser self-reported) navigator.platform, which is reported as MacIntel on all Chrome for Mac versions including Apple Silicon.

Thanks! The Unique Fingerprint ID is basically a hash of all the collected fingerprint fields. [1]

The Canvas Deep Fingerprint Hash is higher entropy and includes baseline shapes, emoji rendering, winding rules etc. [2]. It’s meant to capture subtle rendering differences between systems.

1. https://github.com/neberej/exposedbydefault/blob/main/src/mo...

2. https://github.com/neberej/exposedbydefault/blob/main/src/mo...

Maybe it's my WARP connection but it's showing almost no useful info. "Unknown" for almost everything.

Wdym, the thing that lists how many speech synthesis voices are available?

Thanks for pointing this out. At first, I was concerned – “Unique to 1 in 2,147,483,648+ devices” – but, my fingerprint ID changes with each page refresh, so there's no tracking possible. I'm using Brave on iOS.

No, visiting a URL does not automatically expose your exact latitude and longitude.

I just get approximate location from your public IP address via an external IP geolocation API (ipapi.co), which usually gives city-level accuracy.

This sounds good bit miss one thing and you are extremely unique again