How Browser Fingerprinting Works and How to Defend Against It
This article explains the many data points browsers expose—such as IP, cookies, language, hardware, and HTML5 APIs—that enable device fingerprinting, describes how fingerprinting scripts operate, and outlines practical countermeasures like disabling JavaScript, using privacy extensions, and configuring browser settings.
If you think IP addresses, cookies, and HTTP headers are the only ways to uniquely identify and track users on the web, you are mistaken.
Modern fingerprinting techniques rely on a wide range of signals, including:
IP address
Cookies
Language
Time zone
HTTP headers (user‑agent, referer, etc.)
HTML5 APIs (WebRTC, Battery API, etc.)
HTML5 and CSS3 feature detection
CSS media queries
WebGL
Browser plugins (Flash, Silverlight, Java, etc.)
Browser extensions
Browser options that block tracking
Browser storage
System fonts
TLS/SSL session IDs
Hardware detection (camera, microphone, touch screen, etc.)
Screen characteristics (resolution, color depth, pixel density)
Audio/video codecs
Assembly features
Recent W3C HTML standards allow developers to communicate with user devices, creating many APIs that can be abused for more precise identification.
What Is a Fingerprint?
Imagine a high‑resolution camera at a store entrance scanning your body shape, height, skin tone, clothing, shoes, gait, and voice, then hashing this data into a unique profile. When you return, the system can match you even if your appearance changes.
Web browsers perform a similar process automatically, linking users to a fingerprint without any explicit action, though the technique is not yet 100 % accurate.
The Electronic Frontier Foundation’s paper “How Unique Is Your Web Browser?” and resources on WebKit Wiki and Wikipedia detail these tracking methods.
Client‑Side JavaScript
For deeper insight, developers can explore the JavaScript library Fingerprintjs2. To block fingerprinting scripts, you can disable global JavaScript execution or use extensions such as NoScript or uMatrix, though many other factors still expose identifying information.
HTML5 APIs
New HTML5 standards grant permission‑less access to certain device information, which can be misused. The most common mitigation is to disable JavaScript or use specialized extensions.
Canvas
Canvas fingerprinting draws a hidden graphic, converts it to a token, and uses differences in browsers, operating systems, and graphics hardware to create a unique identifier.
Mitigations include:
Allowing global JavaScript (to monitor scripts)
Using NoScript, uMatrix, or CanvasFingerprintBlock (Chrome only)
Using the Tor Browser
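As an added example (not code from the article or from any extension it names), the guard below shows the approach a canvas-blocking extension takes: it wraps the pixel-export methods of a canvas prototype so each read-out is counted and, under the "block" policy, replaced by a content-free data URL. `FakeCanvas` is a constructed stand-in so the logic runs under Node; in a browser content script you would pass `HTMLCanvasElement.prototype`.

```javascript
// Added example, not code from the article or from any extension it names.
// Methods through which a script can export the pixels it drew.
const READ_METHODS = ["toDataURL", "toBlob"];

function installCanvasGuard(proto, policy = "block") {
  const stats = { reads: 0, blocked: 0, policy };
  for (const name of READ_METHODS) {
    const original = proto[name];
    if (typeof original !== "function") continue;
    proto[name] = function guarded(...args) {
      stats.reads += 1;
      if (policy === "block") {
        stats.blocked += 1;
        // A constant, pixel-free export: every browser returns the same
        // value, so there is nothing device-specific left to hash.
        return name === "toBlob" ? undefined : "data:,";
      }
      // "audit" policy: let the read through but keep the count, so a page
      // that exports pixels it never shows the user can be flagged.
      return original.apply(this, args);
    };
  }
  return stats;
}

// Constructed stand-in for HTMLCanvasElement (hypothetical, for the demo).
class FakeCanvas {
  constructor(pixels) { this.pixels = pixels; }
  toDataURL() {
    return "data:image/png;base64," + Buffer.from(this.pixels).toString("base64");
  }
}

// Runs a fingerprint-style read against a guarded canvas and reports what
// the script would have received together with the guard's counters.
function demo(policy) {
  const proto = Object.create(FakeCanvas.prototype); // fresh copy per run
  const stats = installCanvasGuard(proto, policy);
  const canvas = Object.setPrototypeOf(new FakeCanvas([1, 2, 3, 250]), proto);
  return { exported: canvas.toDataURL(), stats };
}

console.log(demo("block"));
console.log(demo("audit"));
```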
Battery
The Battery Status API reveals charging and discharge times, which can be combined into a device‑specific fingerprint.
Research on Linux Firefox users showed privacy leaks; a Chrome extension called Battery Info Blocker can block this API.
WebRTC
WebRTC can expose local and VPN IP addresses. To protect privacy, disable WebRTC in Firefox via about:config by setting media.peerconnection.enabled to false, or install a WebRTC‑blocking extension in Chrome.
Resource Timing
APIs that expose resource timing data can be used to infer visited third‑party sites. In Firefox, set dom.enable_resource_timing, dom.enable_user_timing, and dom.performance.enable_user_timing_logging to false via about:config. In Chrome, the only effective method is to block JavaScript.
Geolocation
When enabled, geolocation reveals physical location. Disable it in Firefox via about:config by setting geo.enabled to false, or in Chrome through the Privacy > Content Settings > Location menu.
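The WebRTC, Resource Timing and Geolocation sections above all come down to about:config preferences. As an added example (not from the article), the script below audits a Firefox user.js or prefs.js against those settings: it parses `user_pref("name", value);` lines and reports preferences that are missing or not set to the expected value, then renders the lines needed to fix them. The sample file text is constructed for the demo.

```javascript
// Added example, not from the article. Audit a Firefox user.js against the
// hardening preferences the article names.
const EXPECTED = {
  "media.peerconnection.enabled": false,              // WebRTC IP exposure
  "dom.enable_resource_timing": false,                // resource timing
  "dom.enable_user_timing": false,                    // user timing
  "dom.performance.enable_user_timing_logging": false,
  "geo.enabled": false,                               // geolocation
};

// Matches one user_pref(...) line; value is a bool, integer or JSON string.
const PREF_RE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;

function parseUserJs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);
    if (!m) continue;                  // comments, blank lines, other syntax
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (raw.startsWith('"')) value = JSON.parse(raw);
    else value = Number(raw);
    prefs.set(m[1], value);            // later lines override earlier ones
  }
  return prefs;
}

// Returns one finding per expected pref that is absent or has another value.
function auditUserJs(text, expected = EXPECTED) {
  const prefs = parseUserJs(text);
  const findings = [];
  for (const [pref, want] of Object.entries(expected)) {
    if (!prefs.has(pref)) findings.push({ pref, status: "missing", want });
    else if (prefs.get(pref) !== want)
      findings.push({ pref, status: "wrong", want, have: prefs.get(pref) });
  }
  return findings;
}

// Renders the user_pref lines that would bring the file into line.
function renderFix(findings) {
  return findings.map(f => `user_pref("${f.pref}", ${JSON.stringify(f.want)});`).join("\n");
}

const SAMPLE = [                       // constructed sample user.js
  "// hardening prefs",
  'user_pref("media.peerconnection.enabled", false);',
  'user_pref("geo.enabled", true);',
  'user_pref("dom.enable_resource_timing", false);',
].join("\n");

console.log(auditUserJs(SAMPLE));
console.log(renderFix(auditUserJs(SAMPLE)));
```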
Hardware Fingerprinting
Research titled “Hardware Fingerprinting Using HTML5” shows that hardware components such as GPU, camera, speaker, microphone, motion sensors, GPS, and battery can be accessed without explicit permission, providing additional fingerprinting vectors.
References
Device fingerprinting – https://en.wikipedia.org/wiki/Device_fingerprint
EFF – How Unique Is Your Web Browser? (PDF) – https://panopticlick.eff.org/browser-uniqueness.pdf
Persistent tracking mechanisms – https://securehomes.esat.kuleuven.be/~gacar/persistent/
Battery API privacy analysis – https://eprint.iacr.org/2015/616.pdf
Resource Timing API draft – http://www.w3.org/TR/resource-timing
Hardware fingerprinting with HTML5 – http://arxiv.org/abs/1503.01408
BrowserLeaks – http://browserleaks.com
FingerprintJS2 library – https://github.com/Valve/fingerprintjs2
Source: Open Source China