
- POTARC -

The Privacy Online Test And Resource Compendium© (short: POTARC) project was originally created under the MIT license, 2016 - 2018, by CHEF-KOCH and community.


Privacy Online Test And Resource Compendium

The list is designed to show all available and useful online/offline tests in order to build strategies to harden your OS/Internet/Browser configuration against fingerprinting methods. Some of these services might only collect data in order to hand or sell it to third-party developers or to people who pay to use it for 'bad' things. Such services are marked (if known) and are preferably not added, so keep this in mind before you request a site.

POTARC itself is more of a community-driven project: everyone can contribute to it, and no pull request or discussion will be rejected except for good reasons such as spamming. This project does not accept any donations because we are all doing this in our free time and it's up to everyone whether to provide information or not; from my perspective the information should be available for free.

Keep in mind that reducing the fingerprint doesn't mean you're secured against all attacks (including new upcoming ones) because security is a process and not something you gain by installing the correct extensions, plugins or programs.

Contribution

See CONTRIBUTING.md. Before you create a new issue ticket, ensure you have read the issue template and check that what you would like to request is not already on the todo list, in order to avoid duplicates or already known things.

How to handle the information and test results?

Collection of device fingerprints from web clients such as browser software mostly relies on the availability of JavaScript or a similar client-side scripting language for the harvesting of a suitably large number of parameters. Overall this means that if only one or a small number of things are detectable, it does not automatically reveal your real identity, but all of them together can be pretty dangerous and can expose you or your security setup. Keep in mind that it's not a good idea to share the results or to leak information about exactly which setup you use.

The document section is for research and evidence purposes; topics without any proof are not reliable, and the project doesn't accept any submissions without documents or research on the matter.

Keep in mind

Some of the integrated services & pages collect the results and store them offline, and some even sell the results to 3rd parties! I'm not responsible for this behavior; the list will soon add an indicator for services which do this.

Known Fingerprinting Techniques

Already fixed within the Browser (ensure you are always using the latest product)

  • SSL / TLS (ciphers) [if you only browse pages like GitHub, you can 'harden' it even more]. TLS 1.3 is the new common default and most platforms abandoned TLS 1.0/1.1/1.2
  • OpenSSL fixed (Heartbleed, ...)
  • Tor (several fingerprint methods are still possible; it's on the todo and will be fixed soon (?))
  • Java/Adobe Flash, both are dead and replaced by HTML5 (which has its own weaknesses)
  • HTML5 which includes stuff like Canvas, Fonts & more (will never be fixed, you have to use in order to spoof such data)
  • Cookies in general are not fixable since the page you visit may need them, Amazon for shopping as an example (addons/filter-lists may help to whitelist). But you can disable the cookie collection and work with a whitelist instead; every Browser supports this. Some pages like Facebook have already started to track users via first-party cookies.
  • CPU & Mouse wheel fingerprinting which needs to be fixed also within the OS (this is a wontfix!)
  • Network layer based leaks like MAC address leakage. Disabling/blocking IPv6, if it is not needed, is enough. See RFC 3041.
  • WebRTC since Chrome 48+ and Firefox 42+; both are getting a new menu to allow it per-page (whitelist). For both there also exist several addons and workarounds (to compile it without WebRTC support). Unofficial Chromium builds also come without WebRTC or sync.
  • PopUps aren't possible anymore (if not Canvas/JS related). You see a permission dialog or can control this behavior directly via Browser settings. Some Browsers also come with their own Ads-blocking feature.
  • Browser based download attacks by exposing sensitive information.
  • Third-party cookie "isolation" (blocking)

Obsolete Add-ons & Plugin Tests

Page or Addon Description Collects or sells user data?
Firefox Addon Detector ://URI detection No
Flash Player System Test Checks if and what version of Adobe Flash Player is installed No
Adobe official Flash Player Test Official Adobe Flash Player Test Yes collects statistics and sells them.
Java Test Official Java Browser verification page. Yes collects statistics and sells them.
Unofficial Microsoft Silverlight Test Browserleaks Silverlight Test Page No

Add-ons e10s check

Page or Addon Description Collects or sells user data?
Firefox Compatible check Checks if your Firefox Browser is e10s compatible N/A

eMail

Page or Addon Description Collects or sells user data?
Email IP Leak Test Checks if your email provider shows your real IP address to its recipients. N/A
Email Privacy Tester Checks email addresses Yes see here
Email Trace Checks email addresses Yes
Have I Been Pwned? Database which checks if you are affected by several holes No
Pwnedlist Database which checks if you are affected by several holes Yes - Currently down
Check Your GPG Fingerprints Check if your GPG key is leaked or not No
Have I Been Sold? Quickly check if your email has been sold. No, database lookup needs JS

Phishing

Page Description Collects or sells user data?
KnowBe4 Login to get your phishing test template Yes
Are you leaking Windows/VPN Login-Data? Understanding the Windows Credential Leak Flaw and How to Prevent It No

Browser Prerender & feature Tests

Page Description Collects or sells user data?
Prerender test Prerender resource test No
Web platform's features check Test which Web Feature your Browser supports Yes, StatCounter & caniuse.com

Window Measurements

Page or Addon Description Collects or sells user data?
Inner Window Measurements Detects the Browser Window Size No

Certificate

Page or Addon Description Collects or sells user data?
Revocation Awareness Test Certificate based revocation test No
Check Provider-TLS Check provider TLS certificates N/A
Intermediate CA Cache Fingerprinting Intermediate CA Cache Fingerprinting No

Crypto-mining detection and Malware

Page or Addon Description Collects or sells user data?
MALWARE DETECTED WITH THREAT EMULATION Check if your security setup is ready against crypto mining and other threats Yes

DNS Rebinding

Page or Addon Description Collects or sells user data? Requires activated JavaScript
DNS Rebinding Demo Checks if you're vulnerable to DNS rebinding attacks Partial, the source code is given but the demo page collects open statistics, they don't sell the data Yes

DNS-over-HTTPS (DoH)

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Cloudflare's Browsing Experience Security Check page The web page will now perform a variety of tests to see if you are using Secure DNS, DNSSEC, TLS 1.3, or Encrypted SNI. Yes Yes

HTML5 based features test

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Basic HTML5 Video and Audio tester HTML5 Video and Audio tester No No
Battery Status API Checks if your browser supports Battery Status API No No
Battery Status API Another Battery Status API Test No Yes
Canvas Fingerprinting Checks your Canvas Fingerprint N/A Yes
Canvas.toBlob test Checks your Canvas Blob Fingerprint N/A Yes
Canvas Blocking Detection Detects if you block Canvas No No
get.Image Canvas test Checks your get.Image Fingerprint N/A Yes
HTML5 Features Detection Detects which HTML5 features your Browser is capable of N/A Yes
Hard Drive Fill Test Hard Drive Fill Test (local Storage) Yes Yes
HTML5 Geolocation Test HTML5 based Geolocation Test No Yes
HTML5 Test Official HTML5 test landing page No Yes
HTML5 Security Cheatsheet HTML5 Security checklist N/A Yes
WebRTC Leak Test Perfect Privacy WebRTC Leakage Test Yes Yes
WebRTC Leak Test WebRTC Leak Test No Yes
WebRTC Test WebRTC Official test N/A Yes
WebRTC What's My IP Check WebRTC IP Check Yes Yes
WebRTC check by PrivacyTools.io WebRTC IP Check No, source code is here. No
Web RTC Chrome vulnerability check See (Bug 709952) No No
Anonymster WebRTC check Another WebRTC check No Yes

CSS Fingerprint Test

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Crooked Style Sheets Crooked Style Sheets fingerprinting test page No Yes (Source Code)

IP, DNS & Magnet Leak Tests

Page or Addon Description Collects or sells user data? Requires activated JavaScript
GeoTek Datentechnik - Web Privacy Check Basic Web Privacy Check No Yes
DoiLeak Checks if your real IP is leaking behind Proxy/VPN N/A Yes
IP Leak Most well-known IP leak check Yes Yes
Tenta-Test Browser Privacy Test by Tenta VPN Browser Yes Yes
DNS Leak Test Most well-known DNS leak check Yes Yes
Content Filters and Proxy Test Check your filter list and Proxy configuration N/A Yes
DNS Spoofability Test Is your DNS spoofed? Yes Yes
IPv4/IPv6 Discovery / Detection Test Checks your current IPv4/IPv6 configuration N/A Yes
Whois Test Basic Whois Test for Windows Users No Yes
Mirai Vulnerability Scanner Basic Network Vulnerability Scanner N/A Yes
Galhi US Test Simple IP check No No
Check your current IP Yet another IP checker alternative N/A No
ipx.ac Offers IPv6, Geo, DNS, WebRTC FlashIP, Battery, user-Agent and more tests No No

Account Management

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Google Account History View, manage or delete your Google Account History N/A No
Facebook Activity Log View, manage or delete your Facebook Account History N/A No
YouTube Video History / Search History Check your YouTube Account Feed History N/A Yes
Microsoft Account Credentials Leak vulnerability check Microsoft Account Credentials Leak vulnerability check Yes Collects and stores the results Yes
Webbkoll Checks website reputation and additional security related infos No No
Browser Extension and Login-Leak Experiment Browser Web Beacon test Yes see here No
Hide my Footprint Checks your Browser footprint Yes Yes
Browsers leak installed extensions PoC Detect installed Extensions No No
Information Disclosure on IE Check if Internet Explorer leaks sensitive Information Yes No
ETag ETAG (Cookieless Cookies) Test Yes stores results in an offline database Yes
Overview of all supported Two-Factor Auth (2FA) pages Lists all 2FA supported pages N/A No
ASN Blocklist Lists and shows ASN Providers N/A No
Nextcloud Security Scan Nextcloud Security Scan Yes Yes
Test your IPv6 connectivity Open Source IPv6 test No No
IP Duh eTag, Ip and other checks Yes N/A
Zscaler Security Check Yes Yes
GRC GRC Fingerprints check N/A No
CSS Keylogger with no CSP This site has no Content Security Policy to protect against CSS injections, and demonstrates a keylogger using only injected CSS with React as the controlled JavaScript framework. N/A No
HTTP Request & Response Service Check eTAg N/A No
Browser Audit Several browser tests N/A Yes
FP Central Statistics to Fingerprints (global), Tor, JavaScript tests etc No, it's open source. Yes
PoC for cookieless tracking via cache It can't be defeated except by periodically clearing your Browser cache. Original Article No No, source code.
Third-Party redirection test Check for enable-framebusting-needs-sameorigin-or-usergesture Chrome flag (third-party redirection) No No

Resource:// URIs leak checks

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Arthured Elstein resource:// URIs leak information page resource:// URIs leak information test page N/A No
Resource://URI Resource://URI check for Firefox N/A No

Web API Test

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Permission Site A site to test the interaction of web APIs and browser permissions. No Partial, source code

SSL/TLS, RSA & SSH Test

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Bad SSL Check against Bad SSL attack N/A No
FREAK Attack - Client Check Client-side FREAK attack check N/A No
Heartbleed Test Heartbleed attack Test N/A No
RC4 Fallback Test Is your browser still using obsolete and weak RC4? N/A No
How's My SSL Check your SSL or another page's SSL configuration Yes Yes
SSL Cipher Suite Details SSL Cipher Suite Check which also shows lots of Details N/A No
Weak Diffie-Hellman and the Logjam Attack Diffie-Hellman attack Test N/A No
The ROBOT Attack ROBOT Attack Test and Tool No No ROBOT Attack checking tool (Open Source)
SSH Audit Check your SSH configuration and audit it No No (Open Source)
Fortify SSL / TLS check Yes, 1 week. Yes
Symantec Symantec SSL Check Yes, 1 month. Yes

Do Not Track (DNT), Evercookie, Headers, Javascript,...

Page or Addon Description Collects or sells user data? Requires activated JavaScript
BrowserRecon (Header/HTTP) Test Browser Header Check N/A No
What Is My Referer? Check your Browser Referer Yes Yes
Browser Referer Headers Another Browser Referer Check N/A No
Do Not Track Test Does my Browser send DNT? No Yes
Evercookie Test Evercookies Test N/A No
JavaScript Browser Information Basic JavaScript Browser check Yes collects an offline database Yes
Popup Blocking Tests Test your Browser against popups N/A Yes
Redirect Page Test Redirect Page Test Yes collects an offline database Yes
System Fonts Detection Test Detect which Fonts your Browser sends away No Yes
FluxFonts Browser Font Test Page N/A No
JavaScript/CSS Font Detector CSS and JavaScript based Font Detector N/A Yes
Universal Plug n'Play (UPnP) Internet Exposure Test Detect UPnP based leaks No No
JavaScript: PasteJacking PasteJacking Test No No
Punycode converter Punycode Converter Tool No No
Unique Machine Is your Machine unique? No No Source Code
Mozilla Observatory Yes Mozilla collects all tests in a database 'to improve their products' they also use their findings in Ghostery (Clicks) and other products No
PrivacyScore Which Score has your privacy setup? Yes Yes
CryptCheck Simple Domain, TLS, SSH checks No No
Qualys SSL Labs SSL Test, eMail and Domain tools N/A No
securityheaders.io URL/Domain Scan sponsored by Sophos N/A No
Hardenize Header, Browser check Yes collects data and shares them No
Google Chrome drive-by exploit tester Drive-by test for Chrome weakness No No
The Privacy.net Analyzer Basic Header check which also provides several other tools Yes collects an offline database No
Spectre Vulnerability Check Spectre Vulnerability Check No, but holds an offline database; it's unclear if it's sold or shared No
Are You Trackable? How trackable is your Browser? No No Source Code
Ubercookie Test Ubercookie test Yes collects an offline database No
CSS Exfil Vulnerability Tester The page tests to see if your browser is vulnerable to Cascading Style Sheets (CSS) data leakage. If you are vulnerable, one way to protect yourself is to install the CSS Exfil Protection plugin for your browser. No No
CSS History Leak CSS History Leak check N/A No

DNSSEC Test

Page or Addon Description Collects or sells user data? Requires activated JavaScript
DNSSEC Resolver Test Test the Resolver if it supports DNSSEC N/A No
DS Algorithm Test Check if DNSSEC is weak against DS N/A No

Government Internet Speed Test

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Breitbandmessung Official German Internet Speed Test Yes, collects an online database, shares and sells it to ISPs and others; you need to agree to everything before you can use it Yes

Mouse Rate/Fingerprint Check

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Enotus mouse test Original Tracking speed and polling rate test No No Page down but mirrored here under /Offline
Outerspace's Max IPS logger Tracking speeds and will show if there's negative/positive acceleration when you hit a certain speed N/A No
Mouse Rate Checker Simple polling rate detection N/A Yes
Mouse reaction time tester Online mouse reaction test Yes collects an online statistic database No

Keyboard

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Javascript Key Event Test Script Basically a JS keylogger check N/A Yes
JavaScript Event KeyCode Test Page Another keystroke test N/A Yes
Keyboard Event Viewer N/A No

Advanced Fingerprint Tests

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Am I Unique? Is your Machine / Browser unique? N/A Yes
Browser Spy Multiple Browser Tests N/A Yes
Cross Browser Fingerprinting Test Multiple Browser Test N/A Yes User must disable their ad-blocker!
Jondonym Full Anonymity Test The first and original anonymity test No Yes
Panopticlick The most well-known Browser Fingerprint check by EFF Yes collects stats and stores them in a database Yes
Browserprint.Info Another JavaScript based Fingerprinting Test Yes collects stats and stores them in a database Yes
Browserprint check Another advanced fingerprinting check No Yes - Currently (?) Offline
PC Flank Random Browser Check N/A Yes
Onion Leak Test Check your .onion N/A Yes
Whoer Advanced Browser check Yes Sells the results Yes for advanced information/tests
Popup Test Check how good your Browser performs against Popups N/A Yes
Privacy Check Another overall Browser header/leak test Yes Yes
Audio Fingerprint Test The original audio fingerprint test No Yes (Source Code)
Browser 'auto-download' Security Vulnerability Check Chrome, IDM and other Downloader against a security attack N/A No
Check2IP One of the oldest advanced Browser/IP tests No Yes only for advanced tests but also works without
HTML5 Canvas Fingerprinting Canvas HTML5 API Browser Test N/A Yes
5who Multiple tests N/A Yes
Punycode See the Article N/A No
FingerPrintJS2 Check your Browser fingerprint N/A Yes
BrowserPlugs Check your Browser fingerprint with 3 different test scenarios N/A Yes, for the first test

HTTP Strict Transport Security (HSTS)

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Chromium's HSTS preload list submission website Chromium's HSTS preload list submission website N/A N/A
HSTS sniffly A practical timing attack to sniff browser history using HSTS in Chrome and Firefox. Please disable HTTPS Everywhere for best results. N/A N/A

Tor Network & Fingerprint Test

Page or Addon Description Collects or sells user data? Requires activated JavaScript
TorCheck at Xenobite.eu Advanced Tor Network Check No Yes
Tor Fingerprint Test Basic Tor Network Check N/A No

Cryptography Test

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Shattered SHA1 attack SHA1 collision attack example No No

ISP Throttling check

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Internet Health Test Test if your ISP is throttling you N/A No
BitTorrent Traffic Shaping Check if your ISP is throttling BitTorrent Traffic N/A No
The Internet Health Test Test if your ISP is throttling you Yes collects a database and possibly sells it (needs confirmation) No
Switzerland Tool from EFF to check if your ISP blocks or interferes with VoIP traffic No No

Web Search Engine which can show & Inspect the Source Code

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Source Code Search Engine Inspect the Page Source Code Yes logs and collects databases Yes

Firewall Test

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Test your Metal Check your firewall online against known ports Yes logs and collects databases Yes
Port Checker Check your Firewall against known or custom ports Yes logs and collects databases Yes
ShieldsUp! Check your Firewall against known or custom Ports No No
PenTest yourself. Don't get hacked Check your Firewall against a pre-made list N/A No
HackerWatch Check your Firewall against a pre-made list Yes collects a statistic offline database Yes
Hacker Target Check your Firewall against a pre-made list Yes collects a statistic offline database Yes
CanYouSeeMe.org Basic Firewall test N/A No

Torrent Leak Test

Page or Addon Description Collects or sells user data? Requires activated JavaScript
ipMagnet Magnet IP expose check N/A No
Check My Torrent IP Check which IP your Torrent Network sees Yes collects a statistic database No
I know what you downloaded Check what your peer sees about you N/A No
IP Magnet Test Allows you to see which IP address your BitTorrent Client is handing out to its peers and trackers! No No

Ransomware Decrypter

Page or Addon Description Collects or sells user data? Requires activated JavaScript
NoMoreRansom Official anti-ransomware page for help, decrypters and information N/A No
Free Ransomware Decryptors - Kaspersky Lab Kaspersky's Ransomware Help Page N/A N/A
Avast Free Ransomware Decryption Tools Free Ransomware Decryption Tools by Avast N/A N/A
Emsisoft Decrypter Tools Emsisoft Decrypter N/A N/A
Trend Micro Ransomware File Decryptor Tool Several decrypter powered by TrendMicro N/A N/A
Heimdal Decrypter Tools Bunch of decrypter utilities N/A N/A
Free Ransomware Decryption Tools Decrypter tools by Avast N/A N/A
Download All Known Ransomware Decryption Tools MDS collection of all known Ransomware decrypters N/A N/A

Identity theft check

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Have I Been Pwned Check if your identity (email etc) was used/stolen by someone else Yes collects a database (need confirmation if sold to 3rd-parties) Partial
Shodan.io Search for devices, vuln. etc Yes collects a database (need confirmation if sold to 3rd-parties) Yes
New York Attorney General Eric Schneiderman tool Tool which checks fake comments based on a database of known fakers Yes collects a database (need confirmation if sold to 3rd-parties) N/A

Browser Benchmarks

Keep in mind that a Browser Benchmark doesn't reflect the real-world performance of a website, as explained over here.

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Speedometer JavaScript based Browser Benchmark Yes collects a database (need confirmation if sold to 3rd-parties) Yes
ARES 6 JavaScript based Browser Benchmark Yes collects a database (need confirmation if sold to 3rd-parties) Yes
Motion Mark JavaScript based Browser Benchmark Yes collects a database (need confirmation if sold to 3rd-parties) Yes
JetStream JavaScript based Browser Benchmark Yes collects a database (need confirmation if sold to 3rd-parties) Yes
Lite Brite JavaScript based Browser Benchmark Yes collects a database (need confirmation if sold to 3rd-parties) Yes
Octane JavaScript based Browser Benchmark Yes collects a database (need confirmation if sold to 3rd-parties) Yes
Dromaeo JavaScript based Browser Benchmark Yes collects a database (need confirmation if sold to 3rd-parties) Yes
Acid 3 JavaScript based Browser Benchmark Yes collects a database (need confirmation if sold to 3rd-parties) Yes

Sandboxes Virus/Malware/HTTP analyzer

Page or Addon Description Collects or sells user data? Requires activated JavaScript
BitBlaze The BitBlaze Binary Analysis Platform No, it's open source No
Hybrid Analysis + Mirror Free Malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology N/A Yes for the WebInterface.
Jevereg Jevereg analyses the behavior of potential malicious executables N/A No
Sunbelt Sandbox Dig Deep with Malware Analysis Yes Tracks IP, collects data and sells them. Yes
ThreatExpert ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. N/A N/A
ViCheck Advanced Detection Tools to Stop Malware N/A No
detux Multiplatform Linux Sandbox N/A No
Nviso Nviso APK scan N/A Yes
Java Script Beatify Beautify, unpack or deobfuscate JavaScript and HTML, make JSON/JSONP readable, etc. N/A Yes
PDF Examiner Scan PDF files N/A No
Rex Swain's HTTP Viewer See exactly what an HTTP request returns to your browser N/A N/A
JSUNPACK jsunpack was designed for security researchers and computer professionals N/A N/A
Google VirusTotal Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community. Yes, see privacy policy. N/A
Jotti Jotti's malware scan is a free service that lets you scan suspicious files with several anti-virus programs. Yes, see Privacy Policy. N/A

Online Link Checkers

Page or Addon Description Collects or sells user data? Requires activated JavaScript
Dr.Web Online Scanner URL link checker Yes Yes
Google Safe Browsing Change putyourlinkhere.com to url you want to check! Yes, see here. Yes
Norton Safe Web Look up a site. Get our rating. Yes, see privacy policy Yes
URL Void Website Reputation Checker Tool Yes, see terms and privacy Yes
vURL Online Quickly and safely dissect malicious or suspect websites Yes, IP address of the requesting computer is recorded along with the URL accessed. Stored for 1 week. No
Online Link Scan Prevent infection and data theft with Online Link Scan. N/A N/A

Online IP Scanner

Page or Addon Description Collects or sells user data? Requires activated JavaScript
GreyNoise Visualizer Tracks every IP mass scanning/attacking the Internet and visualizes them No No
TCPIPUtils now DNSLytics One of the biggest and oldest IP/Domain tracking service Yes Yes