ANSWERED Matching VPN server language and time?

[yoyall 5]

I noticed that the website https://whoer.net/ checks whether your system language and time match those of the VPN server. If they don't match, it remarks that " You are possibly trying to hide your current location by anonymity means."

And this got me thinking, how important is this? Do websites check this? 😕

And if it is important for security and anonymity, is it recommended to change your time and browser language based on the server you regularly connect to? Do people actually do this? Should we do this?

Or is it more of an academic kind of thing??? 🤔

[OpenSourcerer 1359]

1 hour ago, yoyall said:

And this got me thinking, how important is this? Do websites check this? 😕

Regarding this specific data point, it doesn't say anything. I can be on vacation in Poland and use the de-DE language setting, or I as a German live in Poland but don't want to use pl-PL. A block based on this data point doesn't make sense, you'd hurt the normal users much more than VPN users.

Keep in mind though that websites have access to all sorts of info on the browser and system simply by using JavaScript. A tiny fraction of that is extracted and shown to you by IPLeak. If you combine some of these exposed data points, you might get restricted access. But usually the only websites doing that are those that have something to lose if people pretend to be somewhere else, such as VoD.

[yoyall 5]

@OpenSourcerer As always, really informative and I very much appreciate your explanation. Thanks again! 👍

[OpenSourcerer 1359]

8 hours ago, OpenSourcerer said:

Keep in mind though that websites have access to all sorts of info on the browser and system simply by using JavaScript. A tiny fraction of that is extracted and shown to you by IPLeak. If you combine some of these exposed data points, you might get restricted access. But usually the only websites doing that are those that have something to lose if people pretend to be somewhere else, such as VoD.

Just to add to this: In contrast, a really strong point would be a time (zone) mismatch: Your OS reporting CEST as your system time zone while your IP seems to be US is kind of a strong indicator that something's not right. It could mean that you simply forgot to change it, but most OSes do that automatically based on your location (if they get to read your location, the setting of which the overwhelming majority of people doesn't care about). So, the point still stands: A combination of all this info is needed for a more precise detection.

[yoyall 5]

Thanks for this and this is interesting. 🧐 So, would you think that as a rule it would be a good idea - as best practice - to change my time zone if I am in Switzerland but am regularly logged into either a UK or a US based server.

Or would you say that is one step too far down the path to paranoia? 😱

[OpenSourcerer 1359]

2 hours ago, yoyall said:

So, would you think that as a rule it would be a good idea - as best practice - to change my time zone if I am in Switzerland but am regularly logged into either a UK or a US based server.

As a rule it would be a good idea to disable JavaScript where it's possible.

[yoyall 5]

35 minutes ago, OpenSourcerer said:

As a rule it would be a good idea to disable JavaScript where it's possible.

Fair point, but in reality and practicality, how do you do that and still manage to surf the web?

For example, I can install NoScript in Firefox but then every website will stop working.

How then do you identify which scripts to allow and which might have a more nefarious purpose? 🤔

[yoyall 5]

@OpenSourcerer Okay - got it - learning how NoScript works and have answered my own question. But just to clarify, you'd recommend the NoScript route, no? I know I'm going off-topic but are there any other essential addons you'd recommend?

[OpenSourcerer 1359]

2 hours ago, yoyall said:

How then do you identify which scripts to allow and which might have a more nefarious purpose? 🤔

That's exactly the reason I simply don't install NoScript any more. It got old trying to find out which script sources provide functionality and which ones provide analytics. Sometimes one doesn't work without the other, that's where uMatrix usually came in handy, but that's an even bigger source of work. And I don't want to work, I want to surf the web.

So my current approach is to simply let them eat cake. Use Librewolf with a slightly different policy config, periodically purge website data and cookies, things like that.

2 hours ago, yoyall said:

But just to clarify, you'd recommend the NoScript route, no? I know I'm going off-topic but are there any other essential addons you'd recommend?

Don't know about "essential" but if you're all about sending as little data as possible:

• uBlock Origin as your AdBlock Plus-compatible, open source request blocker. Obviously.
• uMatrix if you want absolute and unyielding control of all requests. Keep in mind, this is work everytime you visit a website.
• CanvasBlocker, so you can enjoy Canvas without having a unique signature. Sends a random one everytime it's used.
• Some may suggest Decentraleyes or similar so you don't use Google APIs everytime a website needs jQuery or such. Caused more problems than it solved for me.
• SmartReferer which lets you define global and per-site rules which referer is sent to websites (aka where you came from). Some websites need you to come from the same site, like driver downloads from AMD, they prevent direct linking to the files with that.
• Privacy Redirect, to use Invidious for YouTube, Nitter for Twitter, Bibliogram for Instagram and other substitutes. Only ever worked with YouTube and Twitter for me, almost all Bibliogram instances are permablocked by Instagram.
• SkipRedirect, maybe. Some websites direct you to an intermediate page before directing you to your actual destination (I'm also looking at you, AirVPN). This addon skips this. It's possible because most intermediate pages are like "https://my.page/intermediate.php?url=https://the.actual.page/destination.php". Addon extracts the url= parameter and connects you there instead.
• NeatURL, which removes common (and your custom) URL parameters like campaign trackers (utm_* and others) before the request is sent.
• Hundreds more, probably.

[yoyall 5]

Thank you very much for this. I look forward to doing a deep dive into these!  Again much appreciated!