Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
View your browser's TLS fingerprint (tlsfingerprint.io)
93 points by jonatron on Aug 20, 2021 | hide | past | favorite | 22 comments


I click through and it isn't immediately obvious how to View my browser's TLS fingerprint, it doesn't show it.

Update: Works - Brave users - you need to disable Shields for it to show your fingerprint.


I had to disable uBlock for the site to see it.


Accidental advertisement for both?


The TLS fingerprint uri it's blocking doesn't collect any information from the browser, sites can still use it as a fingerprint on noscript-disabled browsers.


Similar: https://ja3er.com/ which is formed by taking a bunch of (stable) attributes from your TLS handshake, appending them into a string, and hashing it.

They've also done the correlation with User Agent and it's surprisingly accurate.

Original post by Salesforce security team: https://engineering.salesforce.com/tls-fingerprinting-with-j...


Nice tool. Reminds me a bit of amiunique.org, which provides similar browser diversity and fingerprinting details.


New to me, thanks.

https://amiunique.org


Interestingly, fingerprint changes after you reload that page. It went from #2 most common upon opening to #5 after subsequent reload.


They say they're doing the clienthello message. That would change depending on if its your first visit to that domain or second because your second would use session resumption.


I get this with a new tab / window

Your browser generates the fingerprint 133e933dd1dfea90 (from Cluster #8), which is seen in 17.13% of connections, making it ranked #2 by popularity.

And this after a reload:

Your browser generates the fingerprint 833fb25fb38a093b (from Cluster #8), which is seen in 4.11% of connections, making it ranked #5 by popularity.

macOS safari


It did that for me then changed back.


This seems... kind of pointless? You'd expect the fingerprint to be fully determined by the OS/browser combination, since TLS is implemented entirely in software. But you can already get both pieces of information through the user-agent, so what's the point?


For those exposing a lot of fingerprintable data it doesn't help much but that's not really a problem since there is already plenty of fingerprintable data.

For those trying to hide/fake fingerprintable data the mismatch between spoofed user agent and detected browser/OS combo creates a strong fingerprint in itself.

This is the general premise of fingerprinting: if you throw enough data points at it trying to escape fingerprinting itself creates a unique fingerprint.


It can be used to detect scrapers/bots that don't use a browser.


The point is that there are many many ways to fingerprint even if people spoof their user agent.


> determined by the OS/browser combination

And by browser settings; at least Firefox has quite a few TLS related knobs in about:config (and settings like spdy disable affect TLS hello too).


You can observe it without being the server.


Can this be used to track me? By ad networks and others?


Its probably not unique enough to give the type of tracking that an ad network would want unless combined with something else.

So, not by itself, but its might be part of a tracking solution.


Oh, the irony of not being able to see one of your browser's fingerprints without opening up to all kinds of other js based data collection techniques


https://tlsfingerprint.io/static/fingerprint.js is only a few lines and readable if you don't want to enable javascript.


That JS just fetches the below, which seems to perform the interesting stuff serverside, and displays the data.

https://client.tlsfingerprint.io:8443/




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: