Posted by mwheelz 1 day ago

A web page that shows you everything the browser told it without asking (sinceyouarrived.world)
573 points | 284 comments | page 2
RHSeeger 20 hours ago|
> We did not ask for your location. Your address arrived before you did.

Bunk. You asked a geolocation api/service to map my ip address back to a location. You _did_ ask for my location, using my IP as a key. And my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).

ygjb 20 hours ago||
Nah. The browser has a mechanism to request geolocation. This is the ask that was not performed. The user was not asked, which is the important piece.

If I have a dictionary, I don't have to ask the meaning of a word I hear from someone I am speaking to, I can look it up in the dictionary. I may infer an incorrect meaning because the word has multiple meanings or is a colloquialism.

If I need to clarify that inaccuracy, I need other data points (for example, the context of the conversation), or I can ask my conversational partner for clarification.

nozzlegear 16 hours ago||
> Nah. The browser has a mechanism to request geolocation. This is the ask that was not performed. The user was not asked, which is the important piece.

The geolocation API requires prompting the user for permission before it can be used: https://developer.mozilla.org/en-US/docs/Web/API/Geolocation...

ygjb 15 hours ago||
Yes, that would have tripped the prompt asking the user, which would have had explicit user acceptance or refusal. The point is you don't need consent to do a fuzzy match using other data in most jurisdictions.
nozzlegear 13 hours ago||
Ah I see what you're saying. I think the website's wording is just confusing, which made me think you, in turn, were saying something you weren't.
cortesoft 19 hours ago|||
I think you are misreading this. It isn't saying they didn't ask ANYONE, they are saying they never asked YOU as a user for it.

Also, though, of COURSE your address arrived first... how else are they going to send back the data you are requesting?

mmooss 20 hours ago||
> my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).

Tor and similar multi-hop proxies, depending on construction, supposedly can't match source to destination IPs.

amarant 19 hours ago||
It has.. Shall we say tradeoffs.. In terms of latency mostly, but I suspect bandwidth is likely affected too
Swizec 18 hours ago||
I love that the very first thing it showed was wrong

> San Pablo, California, United States
>
> You appear to be in San Pablo, United States. Your internet provider is AT&T Enterprises, LLC. We know this because your IP address — 108.xxx.xxx.233 — was the first thing your device sent us

I am in San Francisco. IPs are not a reliable location identifier and never have been. Especially on mobile. Thank you for coming to my ted talk

troyvit 21 hours ago||
> Your graphics processor identified itself as or similar.

That checks out. I think what I have is similar to a graphics card but isn't quite.

wlesieutre 20 hours ago|
My GPU identification is off by about a decade but it did get the brand right
Sohcahtoa82 20 hours ago||
Seriously. My laptop was manufactured last year, and the site identified it as a Radeon R9 200 series. That was a top-of-the-line GPU...back in 2014.
wlesieutre 19 hours ago||
Same ID for mine. Are you running Firefox? Maybe that's a lie it tells to fingerprinters.
mrguyorama 19 hours ago||
I am running Firefox. Firefox does not report your GPU according to the site, instead returning a generic "Mozilla" GPU.

More of you should be running current Firefox. It actually has serious engineering work going into protecting you from web tracking.

I work for a team entirely dependent on web tracking for Fraud prevention. The things Firefox does work to protect you and make our job harder. They genuinely make it harder for websites to track you.

Other things that genuinely help: Apple private relay. Some VPNs. Generated unique credit cards.

doondoob 2 hours ago||
The biggest annoying thing was the clearly AI written doom-voice. Why did this make the front page?
chrisweekly 22 hours ago||
I appreciate the intent here, so this is constructive feedback:

  - Some of the numbers are off, e.g. "Your browser allocated 39322 MB of storage to this page alone"

  - low contrast in dark mode makes text hard to read
mwheelz 21 hours ago|
The 39 GB number is a bug. I was reading quota (browser allow-up-to ceiling) and calling it "allocated." Fixed; pushing now. Contrast is intentional but I hear you. Not changing it, but noted, and a cleaner reading mode is on the to-do later.
topham 21 hours ago||
Contrast is a violation of accessibility guidelines.
warkdarrior 18 hours ago||
This site is already violating your privacy. Do you think they care about your accessibility needs?
topham 16 hours ago||
The site isn't violating your privacy.
nottorp 20 hours ago||
An instant loading page without animations and more contrast would have been more fun.

The fact that it begins with my IP address reminds me of those dubious VPN ads.

City is wrong, I may speak English but it's not my native language.

As other people said, there are much better pages showing you your browser fingerprint.

mrguyorama 19 hours ago|
And like most people discussing these things, you entirely miss the point.

It doesn't matter whether you actually speak English natively or not, nobody cares about the actual values. Web sites don't actually care whether you have a robust font package in some way to discern whether you are a font hipster or something, they are just collecting signals.

What matters is that your physical machine and web browser combo report these values about the same way every single time they are probed, and that is used to reliably track YOU, uniquely, with great accuracy, with EVERYTHING you do on the internet, every site you visit, every mouse movement, every purchase linked back to you.

Everything.

The actual values don't have to match "reality" in any way. It's just about generating bits of signal about your setup.

nottorp 16 hours ago||
> It doesn't matter whether you actually speak English natively or not

So don't you think presenting the info as if it's a great uncovered secret and then getting it wrong will lead the layman to disbelieving everything?

Of course, the other extreme is the EFF site that says "Currently, we estimate that your browser has a fingerprint that conveys at least 18.33 bits of identifying information.".

There must be some middle ground to present this info.
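
Added example, not part of any comment in this thread: a sketch of what "bits of identifying information" measures, and why a reported value singles a browser out whether or not it is accurate. The population, attribute names and value strings are constructed for illustration.

```javascript
// Constructed sample population: the values eight browsers report.
// Whether a value matches the real hardware or user is irrelevant here;
// only how many other browsers report the same thing matters.
const SAMPLE_POPULATION = [
  { gpu: 'vendor-a model-1', lang: 'en-US', tz: 'America/Los_Angeles' },
  { gpu: 'vendor-a model-2', lang: 'en-US', tz: 'America/Los_Angeles' },
  { gpu: 'vendor-b model-7', lang: 'en-US', tz: 'Europe/Bucharest' },
  { gpu: 'vendor-b model-7', lang: 'de-DE', tz: 'Europe/Berlin' },
  { gpu: 'generic',          lang: 'en-US', tz: 'America/Los_Angeles' },
  { gpu: 'generic',          lang: 'en-US', tz: 'America/Los_Angeles' },
  { gpu: 'generic',          lang: 'en-US', tz: 'Europe/Bucharest' },
  { gpu: 'generic',          lang: 'de-DE', tz: 'Europe/Berlin' },
];

// Surprisal of the attributes in `keys`: log2(population / browsers reporting
// the same values). 0 bits = indistinguishable from everyone in the sample.
function identifyingBits(population, browser, keys) {
  const matches = population.filter(p => keys.every(k => p[k] === browser[k])).length;
  if (matches === 0) throw new Error('browser is not part of the population');
  return Math.log2(population.length / matches);
}

// A fingerprint of `bits` bits is shared by roughly one browser in this many.
function oneIn(bits) {
  return Math.round(2 ** bits);
}

const ALL = ['gpu', 'lang', 'tz'];
const specific = SAMPLE_POPULATION[0]; // reports a specific GPU string
const generic = SAMPLE_POPULATION[4];  // reports the generic GPU string

console.log('specific GPU, all signals:', identifyingBits(SAMPLE_POPULATION, specific, ALL), 'bits');
console.log('generic GPU, all signals: ', identifyingBits(SAMPLE_POPULATION, generic, ALL), 'bits');
console.log('generic GPU string alone: ', identifyingBits(SAMPLE_POPULATION, generic, ['gpu']), 'bits');
console.log('18.33 bits is about one browser in', oneIn(18.33));
```

In this sample the browser with the specific GPU string is unique (3 bits out of a possible 3), while the ones reporting the generic string stay in a crowd, which is the effect of a browser returning a generic value.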

IdiotSavage 21 hours ago||
> Where you were before

> news.ycombinator.com

This has always bothered me the most. I disabled the 'Referer' header once, but it breaks many websites.

mwheelz 21 hours ago||
The Referer header is the one that's hardest to opt out of cleanly, strip it at the network level and too many things break. Referrer-Policy lets the origin set the rule, but the visitor doesn't get to choose. There's a quiet move toward Referrer-Policy: strict-origin-when-cross-origin as a sane default in modern browsers but it's still origin-dictated, not visitor-dictated.
pessimizer 19 hours ago||
I strip/forge it with an old, probably outdated Firefox extension (Referer Control.) But you still got news.ycombinator.com. How? I thought the extension was broken, but it's not.

That was actually my only surprise, everything else I was expecting.

edit: ignore this, looks like I just needed to save my preferences again. Thanks for showing me that I have been leaking my referer for some mysterious amount of time.

IdiotSavage 5 hours ago|||
I just found a new(?) setting in Firefox, to spoof the Referer header, instead of omitting it. Will try that for a while and see how it works.

  about:config -> network.http.referer.spoofSource
al_borland 18 hours ago|||
It's interesting that this breaks things. When trying to link to an internal password vault at work it would always break. People would have to click the link on my site, then reload it to get the page to load. This was an issue for years, across multiple versions and despite many people offering up ideas to help solve it. One day I thought maybe it was a referrer issue, so I had it open with noopener,noreferrer, and that fixed it.

It seems odd that any site would require a user come from somewhere.

exe34 19 hours ago||
Hah I remember the picture of the scrotum.
carimura 21 hours ago||
Aren't LLMs smart enough to choose better color contrast by now?
nosioptar 15 hours ago|
Not when they've been trained on low contrast garbage.
mrpopo 22 hours ago||
Happy to say that my browser didn't tell anything that I didn't expect it to. It even identified my IP from a location 1000km away from me.

Firefox on Android with ublock

skerit 20 hours ago|
> We know this because your IP address was the first thing your device sent us.

First paragraph, and I don't like this wording already. It's as if "my device" has any choice in the matter.

And actually, it's the reverse! Often enough your own device does not know your _actual_ public IP address without asking some kind of public service to snitch on your internet connection.
