Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

<link> tags to include CSS and JavaScript on a page can have an integrity property, which is a SHA hash of the resource they link to.

It's intended to ensure that a CDN doesn't change the content they're serving to your users.

But it turns out you can approximate the speed a visiting browser computes those hashes to fingerprint browsers just by including some CSS on a page.



But that hash is a regular, fast hash that takes like 1µs to compute right? Doesn't that get lost in network jitter? Wouldn't averaging the time it takes to run for(i=0;i<Math.pow(2,18);i++); over 10 runs be much more accurate? Or is this meant to spite the 0.01% of visitors that really try not to be tracked and have turned off javascript?


> But that hash is a regular, fast hash that takes like 1µs to compute right?

They use SHA512 which is fast, but noticeable for large enough files.

> Or is this meant to spite the 0.01% of visitors that really try not to be tracked and have turned off javascript?

Yes, the point is that it works with blockers.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: