FingerprintJS Browser Test

https://www.whonix.org/wiki/Browser_Tests#FingerprintJS

Documented just now:

https://fingerprintjs.com

Non-Issues:

Issues:

  • Tor Browser per-tab isolation has same fingerprint.

See Unsafe Tor Browser Habits for mitigations.

Related, see also schemeflood.com.


I saw a user post the following on the Qubes forum; it is a more advanced form of fingerprinting that does not need JS at all. It was nasty. The user said the following:

I recently saw a post about fingerprintjs, which attempted to fingerprint using JavaScript. As the user who made the post pointed out, it wasn't very effective and could be dealt with by using some basic measures he and others described.

However, the same developers of fingerprintjs later released a demo of another tool -noscriptfingerprint- which does not use cookies, JS or IPs and it is extremely effective. I did some basic tests and was hoping others could do them as well so we could compare and discuss our results and ways to deal with this. Here is what I found:

Test 1: I used 2 Samsung Galaxys, same exact model, same browser and same browser settings. JS and cookies disabled, different IPs, browser hardened to the extent the GUI options enabled it. Both phones received different fingerprints which remained constant throughout different visits to the aforementioned website. I eventually found out that the difference was the dark/light mode of the phones, which was different; when I changed it to be the same, the fingerprint also became the same.

Test 2: This one is more concerning. I tested Tor Browser (the only change I made was setting it to safest) on both an Intel-based Mac and on Fedora, and the fingerprints were different and constant to each device (as in they remained the same upon browser restart). They are able to differentiate Firefox on Mac vs Firefox on other platforms, so that was how they fingerprinted me. This is extremely concerning. I wonder if other Macs with different hardware would provide the same fingerprint or not. Based on the parameters they use, probably not.

Test 3: I then used a Qubes machine, Tor Browser on an anon-whonix dispvm, and compared the fingerprint I got with the one from my Fedora machine, and they were different, despite using Tor Browser on both of them and only having changed the security level to safest. The Qubes machine and the Fedora machine are quite different in terms of hardware, so maybe that was it. Regardless, this was not at all the expected behavior and is very worrisome; the fingerprint should be the same in all instances of Tor Browser.

It would be great if others could test different machines running Tor so we can better understand this. Perhaps we should post the fingerprints we get.
