Privacy Online Test And Resource Compendium© (short: POTARC) project original created under the MIT license (2016 - present) by CHEF-KOCH and community.
Privacy Online Test And Resource Compendium
The list is designed to show all available and useful online/offline tests in order to build strategies to harden your OS/Internet/Browser configuration against fingerprinting methods. Some of those services might collect only data to hand/sell it to 3th-party developer or people which pay for it to use it for 'bad' things, such services are (if known) marked and aren't preferable added - so keep this in mind before you request a site.
POTARC itself is more a community driven project because everyone can contribute to it and no pull request or discussion will be rejected, only with good reasons like spamming, etc. This project does not accept any donations because we all doing this in our free time and it's up to everyone to provide some information or not, from my perspective the information should be available for free.
Keep in mind that reducing the fingerprint doesn't mean you're secured against all attacks (including new upcoming ones) because security is a process and not something you gain by installing the correct extensions, plugins or programs.
See CONTRIBUTING.md .
Before you create a new issue ticket, ensure you read the issue template and check if the things you like to request aren't already on the to-do list.
How to handle these information and test results?
Collection of device fingerprints from web clients such as browser software mostly relies on the availability of JavaScript or similar client-side scripting language for the harvesting of a suitably large number of parameters. Overall this means if only one or a small of things are detectable it not automatically reveals your real identify, but all together can be pretty dangerous in order to expose you or your security setup. Keep in mind that it's not a good idea to share the results or to leak information which setup you exactly use.
The document section is for research and evidence purposes, topics without any proof are not reliable and the project doesn't accept any submissions without any documents or research based on the matter.
Some of the integrated services & pages collect the results and store it offline and some other pages even sell the results to 3rd-parties! I'm not responsible for this behavior, the list added an indicator in order to inform you.
I'm not the original author of any uploaded .pdf file in this repository, nor do I claim I wrote them. The documents are not under any license and the credit goes to the people which orignally written them. The documents are only mirrored here because several search engines (sadly) delete or hiding content behind proxies/VPN's, or the original link simply vanishes. All research documents are untouched. Please contact me via eMail if you don't like it and I'm going to remove them from this repository.
Known Fingerprinting Techniques
CDN Web Cache Deception Attack based attacks . CDN's are in general a security problem, once infected or compromised you have no chance to identify the threat or not before it's already too late. Decentraleyes reduce the attack surface.
Fake identity, identify theft (not fixable) [NETSEC] & fake comments (OPSEC)
Hardware implemented fingerprint methods such as hardware based DRM (wont-fix but can be configured via flags)
Power consumption 'attacks' and wave signal based tests (not fixable without breaking the signals or updating the RFCs).
Several HTTP authorization detection which is not fixable because it's protocol and meta-data depending and would require new metadata less protocols.
Stuff which is documented and mentioned over here or here .
1st-party tracker blocking
AJAX
ASN Squatting Attacks
Acoustic fingerprinting
Audio fingerprint tests (example )
Automatic content recognition
Battery API (fixed, see below)
CORS (ajax)
CPU Fingerprint
CPU Starvation Attacks
CSS based attacks
Caching attacks
Cache-Poisoned Denial-of-Service (CPDoS)
Canvas fingerprinting , see (here )
Captive Portal based attacks
Clickjacking (De-anonymization via Clickjacking in 2019 )
Common Spoofing attacks
Crooked Style Sheets Discussion
Content Security Policy (CSP) is set up incorrectly
Cross-Origin Identifier
DNS Spoofing
DNS cookie attacks
DNS exfiltration over DNS over HTTPS (DoH) with godoh
DNS leakage or bypasses
DOMrect
Database fingerprints
Deep learning fingerprinting attacks on Tor ("Deep fingerprinting")
Digital video fingerprinting
Do not track (DNT) detection & Companies that have implemented Do Not Track
Extension system based attacks
Fetch API
Finger taps eavesdropping
Font detection & vulnerabilities
getClientRects fingerprinting via DOM
High Resolution Timer attacks
IDN homograph attack
ISP throttling checks
Keyboard API fingerprinting
Measuring time (Timezone/NTP )
Multiple browser fingerprinting detection
Memory Starvation Attacks
Mouse & CPU fingerprinting
Network Bandwidth Attacks
NoCoin , prevents background mining via opt-in.
OSI model fingerprints (based on HTTP , Header, User Agent, Firewall, ...)
Password sniffing
Paste-jacking & Backspace variant
Plugin/Extension tracking (Silverlight, Adobe Flash, ...)
Progressive Web Applications (PWA) tracking
Public key fingerprint
PushAPI
RAMBleed
Resource Starvation Attacks
SameSite cookies
SHA-1 based attacks
Screen resolution
Secure Messenger
SensorID
ServiceWorker
Spectre - Allows an attacker to read secret data.
TLS downgrade attacks
TLS fingerprinting attacks
TLS interception attacks (such as HTTPS Interception TLS-SNI )
Tracking Pixel
Tor Node Detection for more information check Tor Browser Security Design
Tracking Users across the Web via TLS Session Resumption
uBeacons
UberCookie /Cookies /EverCookie /Supercookies
Ultrasonic Tracking Frequencies
Urchin Tracking Module (UTM)
User agent detection
User fingerprinting problem (Canvas, IP, ...)
WWW Subdomain on Cookie Security
Web Browser Address Bar Spoofing
WebGL
WebSocket based attacks
Zero With Detection , see here for more information.
Already fixed within the Browser or OS (ensure you use the latest product [always!])
Browser based download attacks by exposing sensible information, there are several anti-fingerprinting techniques to expose you via drive-by.
CPU & Mouse wheel fingerprinting which needs to be fixed also within the OS.
First-party cookies in general, daily pages like e.g. Amazon/Facebook (as an example) need cookies to function probably (addons/filter-lists may help to whitelist/bypass certain restrictions). Some pages like Facebook already started to track user via first-party cookies .
HTML5 based attacks which inclduing stuff like Canvas, fonts & more (will never be fixed, you have to use in order to spoof such data, however "configuration hardening" might help to reduce the surface attack level).
HTTP Public Key Pinning (HPKP) sniffing attacks (removed/fixed in Chrome 72+ & Firefox 56+)
Network layer based leaks (OSI leaks) e.g. MAC address leakage (EUI64). Disabling/blocking IPv6, if not necessary/needed is usually enough. See RFC 3041 & (leak test )
Classic PopUps aren't possible anymore (if not Canvas/JS related). Normally you'll see a permission dialog or can control this behavior directly via Browser settings. Some Browsers also come with their own Ads-blocking feature .
Third-party cookie "isolation" or blocking
Tor network attacks - several fingerprint methods are still possible.
WebRTC since Chrome 48+ and Firefox 42+, both getting an new menu to allow it per-page (whitelist). There exist also for both several addons, workarounds to compile it without WebRTC support). Unofficial Chromium builds also come without WebRTC or sync.
* Detection of incognito mode
Adobe Flash (EOL), replaced by HTML5 (which has it's own weaknesses [see below])
File Transfer Protocol (FTP) - Will be removed soon or later from every Browser.
OpenSSL fixed (HeartBleed,CloudBleed...)
SSL / TLS (ciphers) [if you only browse on pages like GitHub ~ you can even more harden it ] TLS 1.3 (3.0+) is the new common default and most platforms abandoned TLS 1.0/1.1/1.2.
SensorID fingerprinting attacks fixed in iOS 12.2+ and it will be fixed in Android Q.
Coin Mining
BatteryAPI based fingerprinting attacks
Spectre & Meltdown Via OS & BIOS patches. Almost all modern Browser also protecting their memory against exfiltration attacks.
Several timing based attacks are too ineffective for an advertiser/attack to abuse (in the real world).
Obsolete Add-ons & Plugin Tests
Browser Prerender & Feature Test
Page
Description
Collects or sells user data?
Prerender test
Cosmetic filtering: Test your blocker
No
Crypto-mining detection and Malware
Mozilla (Firefox) specific test
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
DNS Rebinding Demo
Checks if you're vulnerable to rebinding attacks
Partial
, the source code is given but the demo page collects open statistics, they don't sell the data
Yes
HTML5 based features test
IP, DNS & Magnet Leak Tests
Resource:// URIs leak Test
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Permission Site
A site to test the interaction of web APIs and browser permissions.
No
Partial
, source code
Browser Storage Abuser
Experiment for your browser storage limitation on LocalStorage, SessionStorage, WebSQL Database, IndexedDB API and FileSystem API.
No
+ source code
Yes
PWA.rocks
Test if your Browser supports Progressive Web Apps (PWA)
No
Partial
Permission Site
Test if your Browser supports specific permissions such as Camera, Location, Fullscreen and other privacy critical APIs
No
Yes
Realtime detection of XSS with Casper
Csper will help guide you through the process of installing a simple report-only CSP policy (HTTP Header). (addon/test maybe planned )
No
No
Do Not Track (DNT), Evercookie, Headers & Javascript bases tests
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Demo
Copy-paste the example line and run it into a terminal window to check if you're vulnerable
No
No
Another demo
See here for more details.
No
No
Government Network measurement software
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Austria
Official Austria Internet Speed Test Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Croatia
Official Croatia Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Cyprus
Official Cyprus Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Czech Republic
Official Czech Republic Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Breitbandmessung
Official German Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Denmark
Official Denmark Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
France
Official France Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Greece
Official Greece Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Hungary
Official Hungarian Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Italy
Official Italian Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Lativa
Official Lativa Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Lithuania
Official Lithuania Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Norway
Official Norway Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Poland
Official Poland Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Portgual
Official Portugal Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Romania
Official Romania Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Slovak Repualic
Official Slovak Repualic Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Slovenia
Official Slovenia Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Sweden
Official Sweden Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Netherlands
Official Netherlands Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
United Kingdom
Official UK Internet Speed Test
Yes
collects an online database shares and sells them to ISP's and others you need to agree in everything before you can use it
Yes
Mouse Rate/Fingerprint Check
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Enotus mouse test
Original Tracking speed and polling rate test
No
No
Page down but mirrored here under /Offline
Outerspace's Max IPS logger
Tracking speeds and will show if theres negative/positive acceleration when you hit a certain speed
N/A
No
Mouse Rate Checker
Simple polling rate detection
N/A
Yes
Mouse reaction time tester
Online mouse reaction test
Yes
collects an online statistic database
No
Advanced Fingerprint Tests
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
5who
Multiple tests
N/A
Yes
Am I Unique?
Is your Machine / Browser unique?
N/A
Yes
Are you anonymous?
Similar like Am I Unique? but open source
N/A
Yes
(Source Code )
Audio Fingerprint Test
The original audio fingerprint test
No
Yes
(Source Code )
Browser 'auto-download' Security Vulnerability
Check Chrome, IDM and other Downloader against a security attack
N/A
No
Browser Spy
Multiple Browser Tests
N/A
Yes
BrowserPlugs
Check your Browser fingerprint with 3 different test scenarios
N/A
Yes
, for the first test
Browserprint check
Another advance fingerprinting check
No
Yes
- Currently (?) Offline
Browserprint.Info
Another JavaScript based Fingerprinting Test
Yes
collects stats and stores them in a database
Yes
Check2IP
One of the oldest advance Browser/IP tests
No
Yes
only for advance tests but also works without
Cross Browser Fingerprinting Test
Multiple Browser Test
N/A
Yes
User must to disable its ad-blocker!
Device Info
Canvas, Battery Status, ActiveX, City, CPU, Country, Connection type, Device detection & more.
N/A
Yes
FingerPrintJS2
Check your Browser fingerprint
N/A
Yes
HTML5 Canvas Fingerprinting
Canvas HTML5 API Browser Test
N/A
Yes
Jondonym Full Anonymity Test
The first and original anonymity test
No
Yes
Onion Leak Test
Check your .onion
N/A
Yes
Panopticlick
The most well-known Browser Fingerprint check by EFF
Yes
collects stats and stores them in a database
Yes
PC Flank
Random Browser Check
N/A
Yes
Popup Test
Check how good your Browser performs against Popups
N/A
Yes
Privacy Analyzer
IP, browser fingerprinting test
N/A
Yes
Privacy Check
Another overall Browser header/leak test
Yes
Yes
Punycode
See the Article
N/A
No
Tenta-Test
Browser Privacy Test by Tenta VPN Browser
Yes
Yes
Whoer
Advance Browser check
Yes
Sells the results
Yes
for advance information and tests
What's my fingerprint
Similar like amiunique.org but FOSS.
Data collection but they are used for a school project only
Yes
(Source code )
Luminous: JavaScript events blocker test
Demo website to test Luminous addon/extension but also works to test other addons/extension
No
Yes
HTTP Strict Transport Security (HSTS)
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Chromium's HSTS preload list submission website
Chromium's HSTS preload list submission website
N/A
N/A
HSTS sniffly
A practical timing attack to sniff browser history using HSTS in Chrome and Firefox. Please disable HTTPS Everywhere for best results.
N/A
N/A
Tor Network & Fingerprint Test
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Shattered SHA1 attack
SHA1 collusion attack example
No
No
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Internet Health Test
Test if your ISP is throttling you
N/A
No
BitTorrent Traffic Shaping
Check if your ISP is throttling BitTorrent Traffic
N/A
No
The Internet Health Test
Test if your ISP is throttling you
Yes
collects an database and possible sells it (needs confirmation)
No
Switzerland
Tool from EFF to check if your ISP blocks or interfering into VOIP traffic
No
No
Web Search Engine which can show & Inspect the Source Code
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Source Code Search Engine
Inspect the Page Source Code
Yes
logs and collect databases
Yes
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Test your Metal
Check your firewall online against known ports
Yes
logs and collect databases
Yes
Port Checker
Check your Firewall against known or custom ports
Yes
logs and collect databases
Yes
ShieldsUp!
Check your Firewall against known or custom Ports
No
No
PenTest yourself. Don't get hacked
Check your Firewall against a pre-made list
N/A
No
HackerWatch
Check your Firewall against a pre-made list
Yes
collects an statistic offline database
Yes
Hacker Target
Check your Firewall against a pre-made list
Yes
collects an statistic offline database
Yes
CanYouSeeMe.org
Basic Firewall test
N/A
No
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
ipMagnet
Magnet IP expose check
N/A
No
Check My Torrent IP
Check which IP your Torrent Network sees
Yes
collects a statistic database
No
I know what you downloaded
Check what your peer sees about you
N/A
No
IP Magnet Test
Allows you to see which IP address your BitTorrent Client is handing out to its peers and trackers!
No
No
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Have I Been Pwned
Check if your identiy (email etc.) was used/stolen by someone else
Yes
collects an database (need confirmation if sold to 3rd-parties)
Partial
Shodan.io
Search for devices, vuln. etc
Yes
collects an database (need confirmation if sold to 3rd-parties)
Yes
New York Attorney General Eric Schneiderman tool
Tool which check fake comments based on a database of known fakers
Yes
collects an database (need confirmation if sold to 3rd-parties)
N/A
Censys.io
Get the information you need to prevent threats and improve overall security.
N/A
Partial
ZoomEye
Cyberspace Search Engine
No
Partial
Keep in mind that a Browser Benchmark doesn't reflect the real-world performance of a website, as explained over here .
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Speedometer
JavaScript based Browser Benchmark
Yes
collects an database (need confirmation if sold to 3rd-parties)
Yes
ARES 6
JavaScript based Browser Benchmark
Yes
collects an database (need confirmation if sold to 3rd-parties)
Yes
Motion Mark
JavaScript based Browser Benchmark
Yes
collects an database (need confirmation if sold to 3rd-parties)
Yes
JetStream
JavaScript based Browser Benchmark
Yes
collects an database (need confirmation if sold to 3rd-parties)
Yes
Lite Brite
JavaScript based Browser Benchmark
Yes
collects an database (need confirmation if sold to 3rd-parties)
Yes
Octane
JavaScript based Browser Benchmark
Yes
collects an database (need confirmation if sold to 3rd-parties)
Yes
Dromaeo
JavaScript based Browser Benchmark
Yes
collects an database (need confirmation if sold to 3rd-parties)
Yes
Acid 3
JavaScript based Browser Benchmark
Yes
collects an database (need confirmation if sold to 3rd-parties)
Yes
Sandboxes Virus/Malware/HTTP Analyzer
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
BitBlaze
The BitBlaze Binary Analysis Platform
No
, it's open source
No
Hybrid Analysis + Mirror
Free Malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology
N/A
Yes
for the WebInterface.
Jevereg
Jevereg analyses the behavior of potential malicious executables
N/A
No
Sunbelt Sandbox
Dig Deep with Malware Analysis
Yes
Tracks IP, collects data and sells them.
Yes
ThreatExpert
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.
N/A
N/A
ViCheck
Advanced Detection Tools to Stop Malware
N/A
No
detux
Multiplatform Linux Sandbox
N/A
No
Nviso
Nviso APK scan
N/A
Yes
Java Script Beatify
Beautify, unpack or deobfuscate JavaScript and HTML, make JSON/JSONP readable, etc.
N/A
Yes
PDF Examiner
Scan PDF files
N/A
No
Rex Swain's HTTP Viewer
See exactly what an HTTP request returns to your browser
N/A
N/A
JSUNPACK
jsunpack was designed for security researchers and computer professionals
N/A
N/A
Google VirusTotal
Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.
Yes
, see privacy policy .
N/A
Jotti
Jotti's malware scan is a free service that lets you scan suspicious files with several anti-virus programs.
Yes
, see Privacy Policy .
N/A
Online IP Scanner Visualizer
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
GreyNoise Visualizer
Tracks every IP + mass scanning/attacking the Internet and Visalize them
No
No
TCPIPUtils now DNSLytics
One of the biggest and oldest IP/Domain tracking service
Yes
Yes
Opt-Out of targeting based Ads
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Stop Targeting Ads at Me
Helps you turn off targeted ads on 41 websites, apps, and devices
No
Yes
Your Online Choice
Take control over your ad choices
Yes
Yes
YourAdChoices
WebChoices checks whether your browser can set opt out requests
Yes
Yes
Simple Opt-Out
A (HTTP only) website which allows you to out of data sharing by 50+ companies
No
No
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
RIDL and Fallout: MDS attacks
Information & utility for Windows/Linux to check against MDS attacks
No
No, it's a info website + tool (Source Code )
Progressive Web Applications (PWA) Tracking Test
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Persistent Web Apprehension
Cookie respawn which makes it impossible to clear website identifiers
No
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Browser Audit Test
Test your Browser for known holes
N/A
Yes
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
HTTP/3 test servers
Documentation for early HTTP/3 testing (with curl and more)
No
No, the URL however do require JavaScript unless you use curl
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
SmartScreen Test
Test if SmartScreen and Safe-browsing are working (the website is not malware )
No
No
Check if a website is disguising third-party trackers as first-party trackers
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
TrackingTheTrackers
A free analysis tool to check if a website is disguising third-party trackers as first-party trackers.
No
No
Page or Addon
Description
Collects or sells user data?
Requires activated JavaScript
Terms of Service; Didn't Read
Rate and label website terms & privacy policies, from very good Class A to very bad Class E, also provides Browser extensions.
No
No
PrivacySpy
Aims to track privacy, which rates, annotate and archive privacy policies
No
Yes
I2P based Fingerprint Test