Having a battle with Reddit's fingerprinting schemes

Hello,
Lately it has come to my knowledge that Reddit is using some very strong fingerprinting tool to mark its users. They have upped their game since August 2022 tremendously.

So far I’ve been using a built-in VPN in Chrome, autodelete cookies, fingerprint defender and user agent extensions and according to privacy checking websites, I’m still easily recognisable.

Can anyone suggest a new approach to this with a list of extensions in any other browser that won’t get me shadowbanned the moment I log in? (looking at you, Tor browser)

You cannot really defend against fingerprinting, esp. not when some big company puts a lot of money and effort into the tools to fingerprint you. Your best bet would be Tor browser and unsurprisingly they will block that, too.

Consider stopping your use of a service that treats their users like that … or go read-only via teddit.net

1 Like

Teddit is a read-only solution. I need the comment function.

What about mobile apps, alternatives to the official one? Apollo and such, they claim to not give away Device Info, what else is there for a mobile phone?

Apollo is a good option. However, it will not prevent Reddit from accessing usage data.

Privacy checking websites are often misleading as they can only check against people who are also checking on that website.

I am curious tho how you came to the conclusion that “Reddit is using very strong fingerprinting tool to mark its users”.

Also, hiding in plain sight is more effective. Using VPNs and extensions might make you unique among the average people accessing a site.

This is what I’m talking about:
https://www.reddit.com/r/modnews/comments/wrnnvb/piloting_a_new_ban_evasion_tool/

It basically flags certain users to mods with the label “suspicious of ban evading”.
The goal here is to confuse it, or have a new “profile” on every alt account.

I’ve been having a duel with it since September with 10ish accounts every month. First couple of months it got 20% at best, these last two months it’s flagging more than 50%.

Consider taking a look at Stealth, a third-party (open-source) client for Reddit.

For some reason, which is unknown to me, my first post mentioning this app with a link was hidden by community flags? I’m new here, so if someone could clarify what I did wrong, I’m more than happy to learn from my mistakes.

Anyway, you can look it up yourself, but treat it with caution. I don’t know if it’s secure, but if I am able to share this app in a manner that is within the rules of this website, there could be discussion about its security.

Yes, it should work well with Tor, considering it has a .onion address as a connection option, but I didn’t test it for having an account/logging in.

https://www.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqnwfj4ooad.onion/

I think your first step should be getting rid of some of those extensions. More extensions can make you more fingerprintable, even if they say they’re “privacy” extensions. Also, Chrome isn’t the best for anti-fingerprinting. Brave and Firefox have built-in functionality to fight fingerprinting, but Tor Browser is the king of anti-fingerprinting (of course you might have trouble with that, as you mentioned). You should check out our browser recommendations and see if they pique your interest.

2 Likes

Yeah don’t do this, you cannot change your fingerprint with those tools without making it very obscure and invalid. If a site requires JavaScript you should assume that it can tell your real platform, and other properties.

I’m actually working on an article about fingerprinting, based on some discussions here (“Fingerprinting FAQ”, Issue #1834 in privacyguides/privacyguides.org on GitHub) and elsewhere. People get it so wrong, and install so much rubbish hoping to improve things, and it has the opposite effect.

4 Likes

Would you consider having a look at this extension, and perhaps include it in your article?

A UA-switcher does nothing against sophisticated fingerprinting tools. There are literally thousands of other ways to identify/fingerprint your browser.

1 Like

Further it will cause your fingerprint to then be unique, as there will be a mismatch between the user agent, and results of various JS APIs. This is why we do not recommend any such extensions.

1 Like
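The mismatch described in the two posts above, shown from the site's side as an added example that is not part of the original thread: a JavaScript check that compares the OS and engine claimed in the User-Agent string with what `navigator.platform`, `navigator.oscpu` (Firefox-only) and `navigator.productSub` report. The function names are hypothetical, the `observed` objects are constructed samples standing in for values a page would read from `navigator`, and only three of the many available signals are covered.

```javascript
// Added example. Desktop OS families only; inputs are constructed samples.

// OS family named by a User-Agent, navigator.platform or navigator.oscpu value.
function osFamily(value) {
  if (!value) return "unknown";
  if (/Win/.test(value)) return "windows";
  if (/Mac/.test(value)) return "mac";
  if (/Linux|X11/.test(value)) return "linux";
  return "unknown";
}

// Engine family claimed by the User-Agent string.
function engineFromUserAgent(ua) {
  if (/Firefox\/\d/.test(ua)) return "gecko";
  if (/AppleWebKit\//.test(ua)) return "webkit-family"; // Chrome, Edge, Safari
  return "unknown";
}

// navigator.productSub is "20100101" in Firefox and "20030107" in Chrome/Safari.
function engineFromProductSub(productSub) {
  if (productSub === "20100101") return "gecko";
  if (productSub === "20030107") return "webkit-family";
  return "unknown";
}

// Return the contradictions between the User-Agent claim and the other values.
function findMismatches(observed) {
  const issues = [];
  const uaOs = osFamily(observed.userAgent);
  for (const key of ["platform", "oscpu"]) {
    const os = osFamily(observed[key]);
    if (os !== "unknown" && uaOs !== "unknown" && os !== uaOs) {
      issues.push(`${key} reports ${os}, User-Agent claims ${uaOs}`);
    }
  }
  const uaEngine = engineFromUserAgent(observed.userAgent);
  const jsEngine = engineFromProductSub(observed.productSub);
  if (jsEngine !== "unknown" && uaEngine !== "unknown" && jsEngine !== uaEngine) {
    issues.push(`productSub indicates ${jsEngine}, User-Agent claims ${uaEngine}`);
  }
  return issues;
}

// Constructed sample: Firefox on Linux, unmodified.
const plainFirefox = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
  platform: "Linux x86_64", oscpu: "Linux x86_64", productSub: "20100101",
};
// Constructed sample: same browser, User-Agent switched to Chrome on Windows.
const spoofed = { ...plainFirefox, userAgent:
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" };
console.log(findMismatches(plainFirefox), findMismatches(spoofed));
```

The unmodified profile yields no contradictions, while the switched User-Agent yields three, each of which is itself a distinguishing signal.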

Firefox already changes the user agent to make all users of RFP look the same. Safari in lockdown mode also does this. You don’t want a Chrome user agent when you’re on Firefox, that will make you stand out like a sore thumb.

Okay, to sum it all up,

Firefox
Multi-account containers extension (for multiple account usage)
VPN

Sounds like I’m either missing something or it was all too easy to begin with.

Anything specific I should disable, like JavaScript?

Also, any recommendations on in-browser VPN? Sadly I use the PC for other stuff too and just can’t have a VPN for the whole PC.

Turning off JS would help against fingerprinting. I think https://old.reddit.com works without JS. As for an in-browser VPN, I know Mozilla sells one and it’s supposed to integrate well with Firefox, but I haven’t tried it.

Interesting. Thank you for sharing this information (Daniel Gray & Valynor). But the main reason I use this extension is to change what the website thinks is my OS. I make them think it’s Windows; one of the reasons is to perhaps confuse malware on websites, because there are few pieces of malware that work on all operating systems. So let’s say I go to a website as a “Windows” user (in disguise), so it will try to attack me as a Windows user, but it won’t work, because I use Linux. Is that a good way of thinking about this?

Only partially, obviously stuff like videos require it. I think posting does as well.

Doesn’t work, because you can find it out easily enough through JS APIs. It is impossible to spoof the OS and engine.

Yeah, don’t bother. Assuming there was some vulnerability that was platform-specific, why wouldn’t they just try them all? The worst it would do is nothing and not work.

All you’re doing is making your browser agent more unique.

RFP only changes the user agent in a few parts per platform. RFP does not aim to make everyone look the same, and neither does Tor Browser.

Even Mullvad (and by extension Tor Browser, I guess?) does a terrible job at this. It shows Win10 as the OS, but only once on a Linux or a Mac have I ever been offered the .exe version of a piece of software to download. Sites always figure out the real OS.

This isn’t really a test of anything; they’re simply looking at the platform in the user agent to try to offer you the correct download without doing anything clever.