14 comments

  • Aurornis 36 minutes ago
    > One tanh call on the right input is a per-OS signature. Claim macOS, return Linux math bits, and you have contradicted your own User-Agent.

    They (or rather the LLM that wrote this) missed that this is possibly fingerprintable to browser version range, which is slightly more interesting. Most users aren't spoofing their user agent headers to be a different operating system. Most fingerprinting solutions aren't trying to infer your operating system, they only care about semi-unique things that show up.

    It's an interesting finding. I wish they had taken some time to have a real person write it up. This is too heavily LLM written to ignore.

    • jeroenhd 31 minutes ago
      > Most users aren't spoofing their user agent headers to be a different operating system.

      The people behind the LLM behind this blog post are. They're trying to pretend their robots are people to sell other websites' data to their customer. It's easier to pass bot detection gates if you pretend to be a physical machine running Windows or macOS than if you honestly admit you're using Linux on a VM.

  • jeroenhd 34 minutes ago
    Kind of a smart move by this company: write up an AI analysis of all fingerprinting techniques in hopes they get fixed after outrage so their scraping company can make more money. If it weren't for companies like this, fingerprinting wouldn't be so ubiquitous and the internet would be a better place in general.

    I prefer articles like this coming from the other side of the battle (fingerprint.js and friends) because at least their motives are clear.

    • codedokode 6 minutes ago
      I disagree, fingerprinting is necessary to track humans and it will be used regardless of scrapers being there or not.
  • sjrd 44 minutes ago
    I guess that's one more good reason to push for correctly rounded transcendental functions. I recently learned that they're basically solved now. [1]

    [1] https://arith2026.org/program.html (2nd keynote)

    • Retr0id 39 minutes ago
      Tangential, but wow do they really register a new domain for each year and renew it in perpetuity?
      • yzydserd 30 minutes ago
        arith2027.org taken, arith2028.org available.
        • Retr0id 29 minutes ago
          Well, there's an arbitrage opportunity if I ever saw one
          • voxl 15 minutes ago
            They would just choose a different domain name, it's not that important and the previous years tend to forward link anyway.
  • torginus 4 minutes ago
    What I don't get is that Chrome is hundreds of megabytes of just executable code, I assumed they statically linked half the userland. Also, I though tanh isn't a function, but an intrinsic emitted by the JS JIt that uses CPU instructions - which might be fingerprintable as well, but it's weird that for a math operation, you need to branch to a 'dlsym()' function.
  • qurren 12 minutes ago
    just inject this with your favorite JS injection plugin

        let oldTanh = Math.tanh;
        Math.tanh = x => oldTanh(x) + Math.random()/10000000;
    • sanxiyn 0 minutes ago
      The article addresses this: search for "No noise".
  • Retr0id 41 minutes ago
    Thanks for the writeup, claude
    • _alternator_ 35 minutes ago
      Yeah, interesting finding in the headline, the rest is just Claude.
  • joahnn_s 54 minutes ago
    We noticed Chromium Math.tanh since v148 returned a different result, so we dig it - it's now a fingerprintable surface to retrieve the OS Chromium run on
  • drnick1 37 minutes ago
    This is interesting, but even without relying on JS, most users are already fingerprintable by the combination of IP + user agent.
  • a-dub 31 minutes ago
    how hardened are modern browsers with respect to detecting underlying os? seems like there would be loads of gaps?
  • amelius 30 minutes ago
    Can't we make fingerprinting illegal, as in, jailtime illegal?

    Would not solve everything but still help a lot.

    • chaboud 21 minutes ago
      I'd rather penalize the application than the technique. Windows was rumored to long have "quirks" that would do better things for apps that had bugs that the OS ended up fixing instead of the app.

      Javascript systems have long had polyfills for varied browser feature comparability gaps.

      Whether you agree with these, making probing detection via fingerprinting illegal would take away this lever. Making surreptitious tracking via fingerprinting illegal? Even for state actors?

      Yeah, that's probably reasonable. If someone is going to wear a tracking collar in exchange for "free" services, a little disclosure makes sense.

      • Terr_ 4 minutes ago
        [delayed]
    • codedokode 4 minutes ago
      Why don't you ask browser developers to stop adding features helping fingerprinting? Browsers even have some API for tracking ad clicks (attribution API or something) and user interests tracking API which nobody of the users needs.
    • akersten 14 minutes ago
      Why should it be illegal for me to recognize the way you walk into my store, even though you're wearing a mask and a trenchcoat? Some vague sense of indignation?

      Yeah, tracking bad, I get it, but are whatever damages that kind of legislation would prevent (probably nothing measurable) really more important than fixing the easy, in our face social problems that politicians could instead be focusing on?

      • thepasch 3 minutes ago
        > Why should it be illegal for me to recognize the way you walk into my store

        If you did it in just your store, that wouldn't be a problem. The correct analogy, however, is "why should it be illegal for me to attach a perfectly traceable and invisible air-tag to you when you enter my store, without your explicit consent, and subsequently follow and document your every movement no matter where you go, as long as that location has a business relationship with my store, and also my store is the most popular chain on the planet that has business relationships with basically any relevant business that exists." And I don't think the answer to this one shouldn't be particularly difficult to arrive at.

      • altcognito 8 minutes ago
        Because you don't have a right to know everything about me, follow me to my home, my purchasing preferences, and so on and so forth.
      • lorecore 6 minutes ago
        > Why should it be illegal for me to recognize the way you walk into my store, even though you're wearing a mask and a trenchcoat?

        If you have that right, the public should have the right to know you're doing this before they enter your store, so they can avoid it.

        Same with the websites, they should, legally, have to say they're about to fingerprint you so that you can close your browser tab and never come back.

    • bloody-crow 12 minutes ago
      I don't think it'd be possible to define fingerprinting narrowly enough to not also outlaw perfectly normal and legitimate usecases.
  • mrsssnake 13 minutes ago
    JavaScript was a mistake.
  • dmitrygr 47 minutes ago
    Interesting reporting, marred by obvious llm-slop-sounding writing. "You are not building..., you are ..."
    • netsharc 8 minutes ago
      Why "slop-sounding"? It's definitely LLM slop.

      Man, why the fuck don't they just make a powerpoint with bullet points if all the sentences are like that.

  • rafeuddaraj 31 minutes ago
    [flagged]