Comment by aragonite

Comment by aragonite 7 hours ago

25 replies

View on Hacker News

Some time ago I noticed that in Chrome, every time you click "Never translate $language", $language quietly gets added to the Accept-Language header that Chrome sends to every website!

My header ended up looking like a permuted version of this:

  en-US,en;q=0.9,zh-CN;q=0.8,de;q=0.7,ja;q=0.6
I never manually configured any of those extra languages in the browser settings. All I had done was tell Chrome not to translate a few pages on some foreign news sites. Chrome then turned those one-off choices into persistent signals attached to every request.

I'd be surprised if anyone in my vicinity share my exact combination of languages in that exact order, so this seems like a pretty strong fingerprinting vector.

There was even a proposal to reduce this surface area, but it wasn't adopted:

https://github.com/explainers-by-googlers/reduce-accept-lang...

hoofedear 7 hours ago

Is Chrome trying to assume that, since you don’t want it to translate those pages/languages, that you can read them/want them in your header? Interesting

Reply View 0 replies
[removed] 32 minutes ago
[deleted]
Reply View 0 replies
scrollop 6 hours ago

PSA Don't use chrome.

Reply View 14 replies
  • nikcub an hour ago

    don't use the same browser regardless - the key is to compartmentalise.

    Reply View 0 replies
  • SV_BubbleTime 6 hours ago

    Definitely a good STEP1, but it’s not like Firefox and Safari are finger printing secure.

    Reply View 5 replies
    • capitainenemo 6 hours ago

      Firefox does pretty damn well though, especially with privacy.resistFingerprinting set to true

      Reply View 0 replies
    • 8fingerlouie 4 hours ago

      Modern Safari is pretty damned good at randomizing fingerprints with Intelligent Tracking Prevention. With IOS 26 and MacOS 26, it's enabled in both private and non private browser windows (used to be only in private mode).

      All "fingerprint" tests I've run have returned good results.

      Reply View 1 reply
      • SV_BubbleTime 14 minutes ago

        I haven’t tried 26, but I remember it didn’t used to be so great.

        Reply View 0 replies
    • Alive-in-2025 5 hours ago

      what about duck duck go? We need a simple chart: 1. What browsers are good at resisting finger printing 2. tell for each browser, does it work on android ad ios and apple and windows and linux 3. what setting are needed to achieve this

      for bonus points, is there no way to strip all headers on chrome on control it better?

      Reply View 0 replies
  • FridayoLeary 4 hours ago

    That will just make you stand out more.

    Reply View 5 replies
    • 1718627440 3 hours ago

      You can change the reported UA header independently of the UA you use.

      Reply View 4 replies
      • michaelt 2 hours ago

        If I was a fingerprinting company, I'd be cross-referencing signals between browsers for sure.

        If the browser header says windows but the fonts available says linux, that's a very distinctive signal.

        And if the UA says Chrome but some other signal says not-chrome, that's very distinctive as well.

        Reply View 1 reply
      • nativeit 2 hours ago

        The article also mentions this, and suggests the UA is not a silver bullet. That said, they didn’t go into specifics. I’m assuming there are other details that correlate to particular browsers that will betray a false UA. Plus, having a UA that says Chrome while including an extension that’s exclusive to Safari (tor example) will not only contradict the UA, but it will also be a highly distinctive datapoint for fingerprinting, in and of itself.

        Reply View 0 replies
      • [removed] 2 hours ago
        [deleted]
        Reply View 0 replies
fsflover 6 hours ago

Using Chrome and caring about privacy? I thought, after Google killed uBlock Origin, it had become beyond clear these two things were incompatible, https://news.ycombinator.com/item?id=41905368

Reply View 3 replies
  • esseph 6 hours ago

    uBlock origin just got replaced with uBlock lite for most people

    Reply View 2 replies
    • anthk 5 hours ago

      There's a way to enforce loading UBo in Chromium but you need to download the extension by hand (git clone it from GitHub) and load it in "developer mode" in the extension settings. Also, you need to enable some legacy options related to extensions in about:flags.

      Reply View 0 replies
thaumasiotes 5 hours ago

> There was even a proposal to reduce this surface area, but it wasn't adopted:

>> Instead of sending a full list of the users' preferred languages from browsers and letting sites figure out which language to use, we propose a language negotiation process in the browser, which means in addition to the Content-Language header, the site also needs to respond with a header indicating all languages it supports

Who thought that made sense? Show me the website that (1) is available in multiple languages, and also (2) can't display a list of languages to the user for manual selection.

Reply View 2 replies
  • jm4 2 hours ago

    What language do you put that list in? Would you still want to show it to every visitor when you know most of them speak a particular language?

    I use to do some work in this area. The first question is difficult and the second is no. We had the best results when we used various methods to detect the preferred language and then put up a language selector with a welcome message in that language. After they made a selection, it would stick on return visits.

    Reply View 1 reply
    • thaumasiotes an hour ago

      > What language do you put that list in? Would you still want to show it to every visitor when you know most of them speak a particular language?

      Judging by... a large number of websites, you make the list available in a topbar, and each language is named in itself. You don't apply one language to the entire list.

      Here's the first page that popped into my head as one that would probably offer multiple languages (and it does!):

      https://www.dyson.com/en

      They've got the list in a page footer instead of a header, but otherwise it's an absolutely standard language selector. It does technically identify countries rather than languages. The options range from Azərbaycan to Україна. They are -- of course -- displayed to every visitor.

      Why would you want to force someone to consume your website in the wrong language?

      And why would the list be in a single language, again?

      Reply View 0 replies
datavirtue 5 hours ago

Hmmm...YouTube has been getting confused about the language and displaying random languages for the closed captions on videos. This was happening to me across smart TVs but I access YouTube randomly from various devices and browsers...but mostly Chrome when using a browser.

Reply View 0 replies