Appendix A Test Sites
Thorin-Oakenpants edited this page Aug 13, 2021 · 22 revisions
Here is a list of websites on which to test your browser. You should enable JavaScript (JS) on these sites for the tests to present a worst-case scenario. In reality, you should control JS and XSS (cross-site scripting) on sites with extensions such as NoScript, uMatrix, uBlock Origin, among others, to reduce the possibility of fingerprinting attacks.
These are good sources to grab information on your results in one hit, but do not read too much into their entropy figures as the data is tainted.
- Am I Unique? - https://amiunique.org/
- Cover Your Tracks - https://coveryourtracks.eff.org/ [formerly Panopticlick]
- Device Info - https://www.deviceinfo.me/
- DuckDuckGo - https://privacy-test-pages.glitch.me/privacy-protections/fingerprinting/ [GitHub repo]
  - there are also additional various privacy tests on the landing page
- Do I Leak? - https://www.doileak.com/
- HTML5 Test - https://html5test.com/
- IP/DNS Leak - https://ipleak.net/
- IP Duh - https://ipduh.com/anonymity-check/
- Permissions - https://permission.site/
  - GitHub - https://github.com/chromium/permission.site
- Whoer - https://whoer.net/
- BrowserLeaks - https://www.browserleaks.com/
- CanvasBlocker Test Pages - https://canvasblocker.kkapsner.de/test/
- Privacycheck - https://privacycheck.sec.lrz.de/index.html
  - ETag - https://privacycheck.sec.lrz.de/passive/fp_etag/fp_etag.php
- JA3 - https://ja3er.com/
- BadSSL - https://badssl.com/
- DCSec - https://cc.dcsec.uni-hannover.de/
- Qualys SSL Labs - https://www.ssllabs.com/ssltest/viewMyClient.html
- Fortify - https://www.fortify.net/sslcheck.html
- How's My SSL - https://www.howsmyssl.com/
- GRC Fingerprint - https://www.grc.com/fingerprints.htm
  - EV [Extended Validation] / SSL Interception check [Do you see a bright green padlock?]
🔸 Mozilla's Safe Browsing, Tracking Protection GitHub
- Attack - https://itisatrap.org/firefox/its-an-attack.html
- Blocked - https://itisatrap.org/firefox/blocked.html
- Malware - https://itisatrap.org/firefox/unwanted.html
- Phishing - https://itisatrap.org/firefox/its-a-trap.html
- Tracking - https://itisatrap.org/firefox/its-a-tracker.html
- AudioContext - https://audiofingerprint.openwpm.com/
- Cache Fingerprinting - https://cookieless-user-tracking.herokuapp.com/
  - It does this by assigning a unique variable in a cached script (see #436)
  - Article: https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
- CSS Exfil Vulnerability - https://www.mike-gualtieri.com/css-exfil-vulnerability-tester
- CSS Keylogger with no CSP - https://no-csp-css-keylogger.badsite.io/
- CSS History Leak <sup>1</sup> - https://earthlng.github.io/testpages/visited_links.html
- CSS Media: disable JS, resize the browser with the tests open
  - @media window size leak - https://demos.traudt.xyz/css/media/index.html
  - screen & inner window measurements - https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html
- DNS Leak - https://www.dnsleaktest.com/
- DNS Spoofability - https://www.grc.com/dns/dns.htm
- Firefox Storage Test - https://firefox-storage-test.glitch.me/
- HSTS [sniffly] - https://zyan.scripts.mit.edu/sniffly/
- HTML5 - https://www.youtube.com/html5
- IPv6 Leak - https://ipv6leak.com/
- Keyboard Events - https://w3c.github.io/uievents/tools/key-event-viewer.html
  - Hotkeys Testing - https://rawgit.com/jeresig/jquery.hotkeys/master/test-static-01.html
- Ping Spotter - https://armin.dev/apps/ping-spotter/
- Popup Killer - https://www.kephyr.com/popupkillertest/index.html
- Punycode - https://www.xn--80ak6aa92e.com/ (www . apple . com)
  - Article by author of PoC
- Redirects - https://jigsaw.w3.org/HTTP/300/Overview.html
- Referer Headers - https://www.darklaunch.com/tools/test-referer
- rel=noopener - https://mathiasbynens.github.io/rel-noopener/
- WebRTC - https://browserleaks.com/webrtc
<sup>1</sup> This test is a PoC (proof of concept). You will need `layout.css.visited_links_enabled` set as `true`. You will also need a normal window (not a Private Browsing one). The PoC only covers a handful of sites. For best results:
- Open a normal window in a vanilla Firefox. Clear everything (Ctrl-Shift-Del).
- Go to some of the sites in the source: e.g. https://www.cnn.com/ and https://www.foxnews.com/
- Go to the test page and play a game (takes 30 seconds or so)