Appendix A Test Sites

Here is a list of various websites in which to test your browser. You should enable Javascript (JS) on these sites for the tests to present a worst-case scenario. In reality, you should control JS and XSS (cross site scripting) on sites with extensions such as NoScript, uMatrix, uBlock Origin, among others, to reduce the possibility of fingerprinting attacks.

🔸 Fingerprinting

These are good sources to grab information on your results in one hit, but do not read too much into their entropy figures as the data is tainted

• Am I Unique? - https://amiunique.org/
• Device Info - https://www.deviceinfo.me/
• Cover Your Tracks - https://coveryourtracks.eff.org/ [formerly Panopticlick]

🔸 Multiple Tests [single page]

• Do I Leak? - https://www.doileak.com/
• HTML5 Test - https://html5test.com/
• IP/DNS Leak - https://ipleak.net/
• IP Duh - https://ipduh.com/anonymity-check/
• Permissions - https://permission.site/
  • GitHub - https://github.com/chromium/permission.site
• Whoer - https://whoer.net/

🔸 Multiple Tests [multi-page]

• BrowserSpy.dk - https://browserspy.dk/
• BrowserLeaks - https://www.browserleaks.com/
• CanvasBlocker Test Pages - https://canvasblocker.kkapsner.de/test/
• Privacycheck - https://privacycheck.sec.lrz.de/index.html
  • ETag - https://privacycheck.sec.lrz.de/passive/fp_etag/fp_etag.php

🔸 Encryption / Ciphers / SSL/TLS / Certificates

• JA3 - https://ja3er.com/
• BadSSL - https://badssl.com/
• DCSec - https://cc.dcsec.uni-hannover.de/
• Qualys SSL Labs - https://www.ssllabs.com/ssltest/viewMyClient.html
• Fortify - https://www.fortify.net/sslcheck.html
• How's My SSL - https://www.howsmyssl.com/
• GRC Fingerprint - https://www.grc.com/fingerprints.htm
  • EV [Extended Validation] / SSL Interception check [Do you see a bright green padlock?]

🔸 Mozilla's Safe Browsing, Tracking Protection ^GitHub

• Attack - https://itisatrap.org/firefox/its-an-attack.html
• Blocked - https://itisatrap.org/firefox/blocked.html
• Malware - https://itisatrap.org/firefox/unwanted.html
• Phishing - https://itisatrap.org/firefox/its-a-trap.html
• Tracking - https://itisatrap.org/firefox/its-a-tracker.html

🔸 Other

• AudioContext - https://audiofingerprint.openwpm.com/
• Cache Fingerprinting - https://cookieless-user-tracking.herokuapp.com/
  • It does this by assigning a unique variable in a cached script (see #436)
  • Article: https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
• CSS Exfil Vulnerability - https://www.mike-gualtieri.com/css-exfil-vulnerability-tester
  • CSS Keylogger with no CSP - https://no-csp-css-keylogger.badsite.io/
• CSS History Leak ¹ - https://earthlng.github.io/testpages/visited_links.html
• CSS Media: disable JS, resize the browser with the tests open
  • @media window size leak - https://demos.traudt.xyz/css/media/index.html
  • screen & inner window measurements - https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html
• DNS Leak - https://www.dnsleaktest.com/
• DNS Spoofability - https://www.grc.com/dns/dns.htm
• Firefox Storage Test - https://firefox-storage-test.glitch.me/
• HSTS [sniffly] - https://zyan.scripts.mit.edu/sniffly/
• HTML5 - https://www.youtube.com/html5
• Intermediate CA Cache Fingerprinting - https://fiprinca.0x90.eu/poc/
• IPv6 Leak - https://ipv6leak.com/
• Keyboard Events - https://w3c.github.io/uievents/tools/key-event-viewer.html
  • Hotkeys Testing - https://rawgit.com/jeresig/jquery.hotkeys/master/test-static-01.html
• Ping Spotter - https://armin.dev/apps/ping-spotter/
• Popup Killer - https://www.kephyr.com/popupkillertest/index.html
• Punycode - https://www.xn--80ak6aa92e.com/ (www . apple . com)
  • Article by author of PoC
• Redirects - https://jigsaw.w3.org/HTTP/300/Overview.html
• Referer Headers - https://www.darklaunch.com/tools/test-referer
• rel=noopener - https://mathiasbynens.github.io/rel-noopener/
• WebRTC - https://browserleaks.com/webrtc

¹ This test is a PoC (proof of concept). You will need layout.css.visited_links_enabled set as true. You will also need a normal window (not a Private Browsing one). The PoC only covers a handful of sites. For best results:

• Open a normal window in a vanilla Firefox. Clear everything (Ctrl-Shift-Del).
• Go to some of the sites in the source: e.g. https://www.cnn.com/ and https://www.foxnews.com/
• Go to the test page and play a game (takes 30 seconds or so)