I’ve posted some notes about browser fingerprinting back in March, and noted how easy it is to identify a given user across requests just by the few passive scans that are possible without even having to have Flash enabled. Indeed, EFF’s Panopticlick considers my browser unique even with Flash disabled.
But even if Panopticlick is only counting it among the people who actually ran it, which means it’s just a percentage of all the possible users out there, it is also not exercising the full force of fingerprinting. In particular it does not try to detect the installed Chrome extensions, which is actually trivial to do in JavaScript for some of these extensions. In particular in my case I can easily identify the presence of the Readabily extension because it injects an “indicator” as an iframe with a fixed ID. Similarly it’s relatively easy to identify adblock users, as you probably have noticed in a bunch of different sites already that beg you to disable the adblocker so that they can make some money with the ads.
Given how paranoid some of my readers are, I’m looking forward for somebody to add Chrome and Firefox extensions identification to Panopticlick, it’ll be definitely interesting going forward.
As an employee of Opera Software and the author of Fluxfonts and several browser extensions; I am embarrassed to admit that I have never considered browser extensions to be a source of fingerprint entropy. O.O I guess there is a reason why they are disabled by default when in private browsing mode.
Heh, I’m sorry for the embarrassment, but at least now I feel less n00b — LISA 13 was a good thing for my impostor syndrome, but not for me.I think there are a couple more reasons to disable the extensions during private browsing, but that one is definitely one of them.