20 comments

  • Aurornis 1 hour ago
    > One tanh call on the right input is a per-OS signature. Claim macOS, return Linux math bits, and you have contradicted your own User-Agent.

    They (or rather the LLM that wrote this) missed that this is possibly fingerprintable to browser version range, which is slightly more interesting. Most users aren't spoofing their user agent headers to be a different operating system. Most fingerprinting solutions aren't trying to infer your operating system, they only care about semi-unique things that show up.

    It's an interesting finding. I wish they had taken some time to have a real person write it up. This is too heavily LLM written to ignore.

    • jeroenhd 1 hour ago
      > Most users aren't spoofing their user agent headers to be a different operating system.

      The people behind the LLM behind this blog post are. They're trying to pretend their robots are people to sell other websites' data to their customer. It's easier to pass bot detection gates if you pretend to be a physical machine running Windows or macOS than if you honestly admit you're using Linux on a VM.

      • acters 58 minutes ago
        It's sometimes easier to lie than to tell the truth, and being on Linux telling the truth gets me more scrutiny than those pretending to be legit.
      • reactordev 1 hour ago
        The Internet is a cesspool of scams now
        • d1ss0nanz 1 hour ago
          Always was.
        • pocksuppet 52 minutes ago
          scraping, however, is not intrinsically a scam.
          • mplewis 49 minutes ago
            It is when you're doing it like the LLM companies are: at scale, to the degree that you're taking down my site, without my consent by masking your user-agent, for the purpose of stealing data I didn't authorize you to have.
            • VorpalWay 25 minutes ago
              Something like Anubis in front of the server to protect it might be an option. It sucks that we have to resort to that yes, but it seems the least bad option currently (better than the entire internet going through Cloudflare at least).
            • lsaferite 32 minutes ago
              Unfortunately the response to that right now is to nuke everything that isn't within a strict set of constraints. That helps with the bad bulk-scrapers, but hits everyone else as well as collateral damage.
            • userbinator 19 minutes ago
              The idiotic "stealing" argument again? At least use "piracy" if you want to be correct...

              The moment you openly publish information on the Internet, you have already given consent. There are other solutions to bandwidth usage.

              User-agent discrimination should be illegal. All it does is further the control that Big Tech has, and help authoritarian governments with their control too.

              • pdpi 12 minutes ago
                As with anything IP-related, the data is licensed under whatever terms you choose to impose. That’s the extent of the consent you’ve provided.
    • joahnn_s 50 minutes ago
      You can only assert >148 at the moment, but there are better vectors to strictly assert the version by simply checking the addition of v8/blink on each chromium version (and since ~120 it's the case), so by checking if xxx is present and yyy is not present in js userland or css feature, the inference is 100% for the major version

      And for the LLM writing, yes, it's written in the article and blog, it's not hidden or pretending, otherwise I would never publish an article due to lack of time, and I stand by it

      • georgemcbay 17 minutes ago
        > otherwise I would never publish an article due to lack of time, and I assume

        Didn't even have time to finish their HN reply.

    • comex 44 minutes ago
      This can be used to fingerprint version range, but so can a million other things. Browsers are constantly adding new features and fixing bugs, most of which can be detected from JavaScript.
    • userbinator 25 minutes ago
      The LLM has a good point. I personally don't care what or who wrote it if it's true.
  • jeroenhd 1 hour ago
    Kind of a smart move by this company: write up an AI analysis of all fingerprinting techniques in hopes they get fixed after outrage so their scraping company can make more money. If it weren't for companies like this, fingerprinting wouldn't be so ubiquitous and the internet would be a better place in general.

    I prefer articles like this coming from the other side of the battle (fingerprint.js and friends) because at least their motives are clear.

    • codedokode 1 hour ago
      I disagree, fingerprinting is necessary to track humans and it will be used regardless of scrapers being there or not.
      • coldbrewed 28 minutes ago
        I work at a CDN that provides bot detection services. I agree that there's baseline necessity in terms of fraud detection, and if not necessity then definitely financial motivation to fingerprint. But these days, abusive scraping is far and way the the main driver for fingerprinting.

        We don't fingerprint for ad purposes, and we destroy PII for humans as fast as we can because PII should be treated as radioactive. But we see customers that are constantly burned by abusive scrapers and the scrapers aren't slowing down.

        The current approach to scraping is strip mining the Internet and is having the corresponding pollution effects that you'd expect. I'm fine with individuals doing whatever weird automation they want, more power to you, but it's this industrial scale crawling and extraction that's degrading the Internet from all angles.

  • sjrd 1 hour ago
    I guess that's one more good reason to push for correctly rounded transcendental functions. I recently learned that they're basically solved now. [1]

    [1] https://arith2026.org/program.html (2nd keynote)

    • Retr0id 1 hour ago
      Tangential, but wow do they really register a new domain for each year and renew it in perpetuity?
      • yzydserd 1 hour ago
        arith2027.org taken, arith2028.org available.
        • Retr0id 1 hour ago
          Well, there's an arbitrage opportunity if I ever saw one
          • voxl 1 hour ago
            They would just choose a different domain name, it's not that important and the previous years tend to forward link anyway.
    • torginus 1 hour ago
      I never understood why fixed precision, and integer math isn't more popular. In engineering, we used fixed point all the time, it ran on much simpler hardware and the error is mathematically easy to model. IEEE 754 floats are not only suspect when it comes to theory, but are often outperformed with integers smaller than the mantissa (so less than 24 bits of int can beat a 32 bit float), when it comes to things like loss of precision.
      • AlotOfReading 40 minutes ago
        I recommend pretty much everyone avoid fixed point and other float alternatives, barring exceptional cases after you've done your own numerical analysis, or you lack floating point hardware (rare these days).

        Yes, fixed point can use simpler hardware. That's also a completely irrelevant consideration for software. The vast majority of processors are optimized for floats now and some operations (e.g. division) are actually faster.

        The precision argument also falls apart. Any float with mantissa >= X+Y can get exactly the same results as a QX.Y fixed point. The float will actually perform better across the same range because you have to round it to perform like the fixed point. That means more precision, lower error, automatic normalization, better overflow behavior, a larger working range, etc. And it'll probably be just as fast, unless you're bottlenecked on memory bandwidth of inputs (unlikely). When you inevitably want an exp() or another special function, it's a heck of a lot easier to call libm than implement your own and it will perform better.

        Floats are also much easier to get right for your coworkers that aren't numerical analysts.

        • hilariously 22 minutes ago
          fixed-point provides uniform precision, exact integer-scaled arithmetic, is deterministic whereas floating point is more convenient but its not a panacea
          • AlotOfReading 6 minutes ago
            As I said, floats can provide results that are no worse than a specified fixed point type. So if you want uniform absolute precision, just round down to the required precision.

            Floating point is generally deterministic in practice with a fairly minor amount of effort, the major remaining issue being library rounding. I actually wrote a library that guarantees this for arbitrary code, with some small, obvious caveats like standard library precision. And the conference talks linked above note, the standard library issues are an increasingly solved problem for modern toolchains. The remaining cases are mostly things you won't do in fixed point. Let me know if you're aware of anyone computing erfc in fixed point for determinism though.

            I'm not saying there aren't any situations where other systems are justified, but you probably won't know if you fall into any of them without the kind of numerical analysis that most codebases will never receive.

        • applfanboysbgon 9 minutes ago
          Floats, however, are not deterministic. Every CPU can bungle floating point operations however it wants and get different results, meaning your software does something different on your users' computers than it does on yours. This is a premium source of bugs that developers cannot reproduce themselves.

          Multiplayer video games particularly benefit especially from being able to communicate player inputs + trivial metadata over the network and letting each client deterministically simulate the correct state themselves vs. sending much larger state packets to keep players in sync.

  • Retr0id 1 hour ago
    Thanks for the writeup, claude
    • isiahl 33 minutes ago
      What I think is crazy are the links at the top to summarize the article with your preferred AI provider. The prompt asks it to summarize the article along with an advertisement for their product. This is the prompt I got when clicking the Claude link:

      > summarize+this+article+and+explain+how+scrapfly+helps+me+scrape+any+website+at+scale+and+bypass+anti-bot+systems+for+my+use+case:+https://scrapfly.dev/posts/browser-math-os-fingerprint/

    • _alternator_ 1 hour ago
      Yeah, interesting finding in the headline, the rest is just Claude.
      • userbinator 32 minutes ago
        Using AI to fight back against Big Browser is delightful.
    • ddtaylor 38 minutes ago
      I haven't been active on HN as much in the last few months. The community seems really fixated on calling content slop and detecting LLM usage in a paranoid way.
      • Retr0id 36 minutes ago
        And the other half of the community seems fixated on upvoting AI slop.
        • ddtaylor 20 minutes ago
          Sounds needlessly divisive.

          Why not criticize the content instead of the source or medium?

          • queenkjuul 2 minutes ago
            "The content is AI slop and not worth reading"
  • coppsilgold 57 minutes ago
    Even Tor Browser (/mullvad-browser) gave up trying to obscure the operating system though arguably they shouldn't have. There appear to be too many fingerprinting vectors.
  • IvanK_net 17 minutes ago
    I think the screen resolution is also fingerprintable. That is why a browser should resize your window to a random size each time you visit a website.
  • qurren 1 hour ago
    just inject this with your favorite JS injection plugin

        let oldTanh = Math.tanh;
        Math.tanh = x => oldTanh(x) + Math.random()/10000000;
    • chjj 1 hour ago
      it's elegant, but i prefer:

          Math.tanh = Math.random;
    • Klonoar 16 minutes ago
      Multiple anti-bot vendors will detect that replacement and use it as part of their fingerprinting process.
    • sanxiyn 1 hour ago
      The article addresses this: search for "No noise".
    • gruez 48 minutes ago
      Great, now you'll be outed as "hides fingerprint", which is probably more identifying than if you returned a normal value.
  • jmward01 13 minutes ago
    Is this even a fight that is possible to win here? Run enough functions and between timing comparisons (x takes 2.5 y) and rounding (things like this) and I suspect you can nail os/exact machine and possibly even other tasks running on that machine. I'm not sure there is a viable way to stop this. At best just make it a little harder? Society and legislation need to catch up here. It is like a lock on my door. Locks don't stop people. They just deter a few people and delay a couple more but a determined person can (likely very easily) break into my house. That is why we need society to call it out that it isn't right (people avoiding buying things they think are stolen, shunning those that do it, etc etc) and laws that step in (it is a crime to break into my house. real resource dedicated to tracking down and stopping people that do it, etc). A similar approach needs to happen here. It should be illegal to track a person like this and people that get hired at a place using the gains of it should shun those companies and society should shun those companies.
  • fweimer 38 minutes ago
    Recent glibc uses the correctly rounded tanh from CORE-MATH, so it returns different values than what's quoted in the article. It's unclear today if it's possible to achieve reasonable performance for other transcendental functions with correct rounding, so other functions have their own unique fingerprints.
  • torginus 1 hour ago
    What I don't get is that Chrome is hundreds of megabytes of just executable code, I assumed they statically linked half the userland. Also, I though tanh isn't a function, but an intrinsic emitted by the JS JIt that uses CPU instructions - which might be fingerprintable as well, but it's weird that for a math operation, you need to branch to a 'dlsym()' function.
    • pocksuppet 40 minutes ago
      The x87 FPU implemented transcendental functions in microcode. Most instruction sets don't implement them. Mmicrocode is actually slower than software, since it doesn't get the benefit of things like branch prediction.
  • joahnn_s 1 hour ago
    We noticed Chromium Math.tanh since v148 returned a different result, so we dig it - it's now a fingerprintable surface to retrieve the OS Chromium run on
  • andai 44 minutes ago
    I am not the NSA, but on an unrelated note, this delights me!
  • drnick1 1 hour ago
    This is interesting, but even without relying on JS, most users are already fingerprintable by the combination of IP + user agent.
  • a-dub 1 hour ago
    how hardened are modern browsers with respect to detecting underlying os? seems like there would be loads of gaps?
  • mrsssnake 1 hour ago
    JavaScript was a mistake.
  • amelius 1 hour ago
    Can't we make fingerprinting illegal, as in, jailtime illegal?

    Would not solve everything but still help a lot.

    • chaboud 1 hour ago
      I'd rather penalize the application than the technique. Windows was rumored to long have "quirks" that would do better things for apps that had bugs that the OS ended up fixing instead of the app.

      Javascript systems have long had polyfills for varied browser feature comparability gaps.

      Whether you agree with these, making probing detection via fingerprinting illegal would take away this lever. Making surreptitious tracking via fingerprinting illegal? Even for state actors?

      Yeah, that's probably reasonable. If someone is going to wear a tracking collar in exchange for "free" services, a little disclosure makes sense.

      • Terr_ 1 hour ago
        Yeah, the problem is how the data is kept and abused afterwards.
    • bloody-crow 1 hour ago
      I don't think it'd be possible to define fingerprinting narrowly enough to not also outlaw perfectly normal and legitimate usecases.
    • akersten 1 hour ago
      Why should it be illegal for me to recognize the way you walk into my store, even though you're wearing a mask and a trenchcoat? Some vague sense of indignation?

      Yeah, tracking bad, I get it, but are whatever damages that kind of legislation would prevent (probably nothing measurable) really more important than fixing the easy, in our face social problems that politicians could instead be focusing on?

      • thepasch 1 hour ago
        > Why should it be illegal for me to recognize the way you walk into my store

        If you did it in just your store, that wouldn't be a problem. The correct analogy, however, is "why should it be illegal for me to attach a perfectly traceable and invisible air-tag to you when you enter my store, without your explicit consent, and subsequently follow and document your every movement no matter where you go, as long as that location has a business relationship with my store, and also my store is the most popular chain on the planet that has business relationships with basically any relevant business that exists." And I don't think the answer to this one shouldn't be particularly difficult to arrive at.

        • akersten 58 minutes ago
          Well it's not really an airtag, I don't "attach" anything to your browser when I check what its GPU can do.

          That's just a description of you that I share with my other stores. Casinos, Target, Burger King, etc all do this when you get 86'd, for example.

      • kaladin-jasnah 49 minutes ago
        Isn't fingerprinting used across many different websites? Then the analogy would be a number of stores colluding to recognize the same person across all stores?

        (I have no idea, I don't know too much about this)

        • charcircuit 42 minutes ago
          Which is famously done by casinos. But in practice many businesses big and small do share intelligence with each other about problematic customers who shoplift etc.
      • altcognito 1 hour ago
        Because you don't have a right to know everything about me, follow me to my home, my purchasing preferences, and so on and so forth.
      • lorecore 1 hour ago
        > Why should it be illegal for me to recognize the way you walk into my store, even though you're wearing a mask and a trenchcoat?

        If you have that right, the public should have the right to know you're doing this before they enter your store, so they can avoid it.

        Same with the websites, they should, legally, have to say they're about to fingerprint you so that you can close your browser tab and never come back.

    • codedokode 1 hour ago
      Why don't you ask browser developers to stop adding features helping fingerprinting? Browsers even have some API for tracking ad clicks (attribution API or something) and user interests tracking API which nobody of the users needs.
  • dmitrygr 1 hour ago
    Interesting reporting, marred by obvious llm-slop-sounding writing. "You are not building..., you are ..."
    • netsharc 1 hour ago
      Why "slop-sounding"? It's definitely LLM slop.

      Man, why the fuck don't they just make a powerpoint with bullet points if all the sentences are like that.

  • WarOnPrivacy 29 minutes ago
    [dead]
  • rafeuddaraj 1 hour ago
    [flagged]