-
Notifications
You must be signed in to change notification settings - Fork 530
Appendix A Test Sites
Here is a list of various websites in which to test your browser. You should enable Javascript (JS) on these sites for the tests to present a worst-case scenario. In reality, you can control JS and XSS (cross site scripting) on sites with extensions such as uBlock Origin to reduce the possibility of fingerprinting attacks
🟪 Browser Comparison [Defaults]
- PrivacyTests.org - https://privacytests.org/ github
🟪 Fingerprinting
These are good sources to grab information on your results in one hit, but do not read too much into their entropy figures as the data is tainted, and don't assume you are a fingerprint expert, see Testing your fingerprint
- Am I Unique? - https://amiunique.org/
- Cover Your Tracks - https://coveryourtracks.eff.org/ [formerly Panopticlick] github
-
CreepJS - https://abrahamjuliot.github.io/creepjs/index.html github
- Additional tests listed in the footer
- Device Info - https://www.deviceinfo.me/
-
DuckDuckGo - https://privacy-test-pages.glitch.me/privacy-protections/fingerprinting/ github
- there are also additional various privacy tests on the landing page
- FingerprintJS Basic Version - https://fingerprintjs.github.io/fingerprintjs/
- Vytal - https://vytal.io/
🟪 Multiple Tests [multi-page]
- BrowserLeaks - https://www.browserleaks.com/
- CanvasBlocker Test Pages - https://canvasblocker.kkapsner.de/test/
-
Privacycheck - https://privacycheck.sec.lrz.de/index.html
- ETag - https://privacycheck.sec.lrz.de/passive/fp_etag/fp_etag.php
🟪 Multiple Tests [single page]
- Do I Leak? - https://www.doileak.com/
- HTML5 Test - https://html5test.com/
- IP/DNS Leak - https://ipleak.net/
- IP Duh - https://ipduh.com/anonymity-check/
-
Permissions - https://permission.site/
- GitHub - https://github.com/chromium/permission.site
- Whoer - https://whoer.net/
🟪 Encryption / Ciphers / SSL/TLS / Certificates
- JA3 - https://ja3er.com/
- BadSSL - https://badssl.com/
- Qualys SSL Labs - https://www.ssllabs.com/ssltest/viewMyClient.html
- Fortify - https://www.fortify.net/sslcheck.html
- How's My SSL - https://www.howsmyssl.com/
🟪 Mozilla's Safe Browsing, Tracking Protection github
- Attack - https://itisatrap.org/firefox/its-an-attack.html
- Blocked - https://itisatrap.org/firefox/blocked.html
- Malware - https://itisatrap.org/firefox/unwanted.html
- Phishing - https://itisatrap.org/firefox/its-a-trap.html
- Tracking - https://itisatrap.org/firefox/its-a-tracker.html
🟪 Other
- AudioContext - https://audiofingerprint.openwpm.com/
-
Cache Fingerprinting - https://cookieless-user-tracking.herokuapp.com/
- It does this by assigning a unique variable in a cached script (see #436)
- Article: https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
- CSS Exfil Vulnerability - https://www.mike-gualtieri.com/css-exfil-vulnerability-tester
- CSS History Leak 1 - https://earthlng.github.io/testpages/visited_links.html
- CSS Media: disable JS, resize the browser with the tests open
- @media window size leak - https://demos.traudt.xyz/css/media/index.html
- screen & inner window measurements - https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html
- DNS Leak - https://www.dnsleaktest.com/
- DNS Spoofability - https://www.grc.com/dns/dns.htm
- Firefox Storage Test - https://firefox-storage-test.glitch.me/
- HTML5 - https://www.youtube.com/html5
- IPv6 Leak - https://ipv6leak.com/
-
Keyboard Events - https://w3c.github.io/uievents/tools/key-event-viewer.html
- Hotkeys Testing - https://rawgit.com/jeresig/jquery.hotkeys/master/test-static-01.html
- Ping Spotter - https://armin.dev/apps/ping-spotter/
- Popup Killer - https://www.kephyr.com/popupkillertest/index.html
-
Punycode - https://www.xn--80ak6aa92e.com/ (www . apple . com)
- Article by author of PoC
- Redirects - https://jigsaw.w3.org/HTTP/300/Overview.html
- Referer Headers - https://www.darklaunch.com/tools/test-referer
- rel=noopener - https://mathiasbynens.github.io/rel-noopener/
- WebRTC - https://browserleaks.com/webrtc
- XSinator - https://xsinator.com/testing.html
1 This test is a PoC (proof of concept). You will need layout.css.visited_links_enabled set as true. You will also need a normal window (not a Private Browsing one). The PoC only covers a handful of sites. For best results:
- Open a normal window in a vanilla Firefox. Clear everything (Ctrl-Shift-Del).
- Go to some of the sites in the source: e.g. https://www.cnn.com/ and https://www.foxnews.com/
- Go to the test page and play a game (takes 30 seconds or so)