Meet the Online Tracking Device That is Virtually Impossible to Block

Is there a Proxomitron for osx to use these rules?

By the way , chromium with hhtps everywhere says me that: www.wilderssecurity.com presented a certificated issue by an entity that is no trusted by your computer´s operating system .... Your connection is not private ... what a nonsense .

This morning I dont have this advice

 

I'm not familiar with OSX. On linux, Proxomitron can be run via Wine. If something similar exists for OSX, it's entirely possible.

 

Wilders is using self signed certificate. You need to add it in certificate store manually. More here: https://www.wilderssecurity.com/thr...new-self-signed-certificate-installed.362478/

 

If Proxomitron is used to filter HTTPS, users will have similar certificate issues.
ProxHTTPSProxy, a Proxomitron SSL Helper Program is being developed to address certificate issues with Proxomitron but is not yet ready.

 

It seems highly unlikely that a MAC address change would affect the way something is graphically rendered and read back via canvas.

Were one to see something like that I think some investigation would be in order. MAC Addresses are unique identifiers that can leave a device during everyday use and which are probably recorded in purchase records. So they are a somewhat attractive piece of information to try to grab and use for correlating data. I don't know how practical it would be, but theoretically speaking, one's MAC Address could be embedded within visually imperceptible digital watermarks when a device renders things. The objective being to make images produced via a user's device back-trackable to that device and related records. That would have the potential to affect canvas based fingerprinting results.

One thing I haven't come across is a test where canvas based fingerprinting is performed on a number of identical systems. Done by, for example, an IT person who has just received a combined order of N machines of the same exact type and configuration. It would be interesting to know how similar the results are when there are no (known) hardware, software, firmware, microcode, etc differences.

 

Canvas Fingerprinting Takes Web Tracking Up a Notch

http://www.pcmag.com/article2/0,2817,2461357,00.asp

 

Browser Fingerprinting and the Online-Tracking Arms Race.

-- Tom

 

This is the biggest problem. Almost you need a different VM for every thing you do online.

 

And the websites just recode to make it impossible to use such thing as Noscript.
If you want to use their site, you have to accept their spying.

 

Indeed

But you can use a VM, and associated connectivity path, for multiple things that can safely be linked.

 

Yes. I have different identities and personalities on the internet. Not a lot, but a few. You could use a different VM for each personality.

 

this would appear to defeat the use of a VPN. If you used the browser in the clear then went on your VPN to the same sites, you are revealed

 

Has anybody checked if using separate virtual systems on the same hardware actually changes what a fingerprinting method like canvas detects? The virtual systems are still using the same physical hardware and often the same virtualized hardware. Does the use of different operating systems and/or browsers change it enough to hide the fact that it's the same hardware?

When the design of a website makes it clear that tracking, spying, and identifying you is their priority, why would you choose to use that site?

 

I thought we already came to the conclusion that this is blockable. No idea why people are taking it to extremes like VMs, or why this thread is still going really.

 

Well, here's a tinker I threw together to privately test a couple of things. Which performs the same fingerprinting operation on two canvases (one visible, one not visible) and compares the results. You can save it as a local html file and play around with it (without having to test against someone else's server).

Code:

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Canvas Fingerprinting Test</title>
<style type="text/css">
canvas {
  border: 2px solid red !important;
}
textarea {height:100px; width:300px;}
</style>
<script type="text/javascript">
function modifyAndReadCanvas(canvas) {
  // Ref: http://www.browserleaks.com/canvas
  var rs = "Not Supported";
  if(canvas.getContext) {
    var ctx = canvas.getContext('2d');
    if(ctx) {
      var txt = '@/d#p$Z% aQ0+rh;fK9B T&7*o_{ xU3E.h]Ov';
      ctx.textBaseline = "top";
      ctx.font = "14px 'Arial'";
      ctx.textBaseline = "alphabetic";
      ctx.fillStyle = "#f60";
      ctx.fillRect(125,1,62,20);
      ctx.fillStyle = "#069";
      ctx.fillText(txt, 2, 15);
      ctx.fillStyle = "rgba(102, 204, 0, 0.7)";
      ctx.fillText(txt, 4, 17);
      rs = canvas.toDataURL().replace("data:image/png;base64,","");
    }
  }
  return(rs);
}

function getHash1(str) {
  // djb2 from:
  // http://erlycoder.com/49/javascript-hash-functions-to-convert-string-into-integer-hash-
  var hash = 5381;
  for (var i = 0; i < str.length; i++) {
    char = str.charCodeAt(i);
    hash = ((hash << 5) + hash) + char; /* hash * 33 + c */
  }
  return hash;
}

function getHash2(str) {
  // FNV-1a from:
  // https://gist.github.com/vaiorabbit/5657561
  var FNV1_32A_INIT = 0x811c9dc5;
  var hval = FNV1_32A_INIT;
  for ( var i = 0; i < str.length; ++i )
  {
    hval ^= str.charCodeAt(i);
    hval += (hval << 1) + (hval << 4) + (hval << 7) + (hval << 8) + (hval << 24);
  }
  return hval >>> 0;
}

function getHash(str) {
  return (getHash1(str).toString() + "__" + getHash2(str).toString());
}
</script>
</head>
<body>
<div id="c1Holder"><canvas id="c1"></canvas></div>
<div>Canvas1 Data:</div>
<div><textarea id="ta1"></textarea></div>
<div>Canvas2 Data:</div>
<div><textarea id="ta2"></textarea></div>
<script type="text/javascript">
var c1Data = modifyAndReadCanvas(document.getElementById("c1"));
var c2Data = modifyAndReadCanvas(document.createElement('canvas'));
if((c1Data != "Not Supported") && (c2Data != "Not Supported")) {
  if((c1Data == c2Data))
    document.write("Canvas1 Data is identical to Canvas2 Data<br /><br />");
  else document.write("Canvas1 Data is NOT identical to Canvas2 Data<br /><br />");
  document.getElementById("ta1").value = c1Data;
  document.getElementById("ta2").value = c2Data;
  document.write("Canvas1 Hash: " + getHash(c1Data) + "<br />");
  document.write("Canvas2 Hash: " + getHash(c2Data) + "<br />");
}
else {
  document.write("Canvas method(s) not supported<br />");
}
</script>
<noscript>
This test page requires javascript
</noscript>
</body>
</html>

Edit: modified to dump canvas data

 

That's why using multiple VMs is prudent. Even as a backup, in case ...

 

So does this code implement a "real world" sort of test? Like AddThis is doing, I mean.

 

I've checked http://www.browserleaks.com/canvas from a few VMs on this VirtualBox host. Two Ubuntu VMs with Firefox (one 12.4 and the other 14.4) had the same canvas fingerprint. But two CrunchBang 11 VMs with IceWeasel had different ones (and different from the Ubuntu one). And then there's Tor browser, which is special, because it blocks.

Well, if it has something that I want, I'll use it. And good luck identifying me, whatever "me" happens to be at the time

 

I haven't attempted to learn how AddThis was/is fingerprinting. I saw it reported that https://github.com/Valve/fingerprintjs is being used by some sites, saw it was leveraging canvas code published by BrowserLeaks, and decided a derivative of that would be good enough for my purposes as well.

Were I serious about developing such a thing, I would dig a bit deeper into the subject and try to better understand the variables that cause the canvas data to be different. Perhaps it is possible to tune the canvas manipulations in a way that creates a more reliable fingerprint(?).

Whatever the approach, the canvas fingerprint (or lack thereof) is just one of N possible pieces of information that can be used to arrive at a final unique identifier. I suspect the secret sauce would be how one goes about weighing those N pieces of information, and even less than ideally reliable pieces of information may combine in ways that are helpful trackers.

Check out the link above and, if you want, take that code for a spin.

So what is different?

 

I don't know. The site just spits out a string.

What seems important to me from that test site is that multiple visitors have the same canvas fingerprint code, and different VMs on the same host can have different codes.

But of course, I don't know how that site's test compares to the AddThis approach.

 

I meant: what is different between those two CrunchBang 11 VMs with IceWeasel. Anything you can think of?

 

One VM doesn't have guest additions installed, and its IceWeasel is totally stock. The other VM does have guest additions, its IceWeasel has Adblock Plus and NoScript, and its display and IceWeasel window are much larger. Both Ubuntu VMs that I tested have guest additions installed.

It seems likely that guest additions exposes more information about the host's hardware. Also, all of the VMs have PAE/NX, VT-x/AMD-V and nested paging enabled. Maybe I'll run some more tests, looking at the effects of each. I could even use VBoxManage, which exposes many more parameters to tweaking.

 

From https://www.virtualbox.org/manual/ch04.html:

Vanilla video drivers could produce slightly different rendering than custom video drivers supporting hardware acceleration.

 

Right, but that's just two options. Maybe guest additions with and without 2D and 3D acceleration would be useful too. The main point, though, is that different guest OS yield different fingerprints, even if both have guest additions installed.

 

... when using a fingerprinting method that doesn't leverage all of the techniques discussed in the "Pixel Perfect: Fingerprinting Canvas in HTML5" and "The Web never forgets: Persistent tracking mechanisms in the wild" papers, anyway. Proceed with caution.