Meet the Online Tracking Device That is Virtually Impossible to Block

Yes, just like every other "attack" that is also boasted as "impossible to block". Complete nonsense.

When you install ABP it gives you the option to enable the "anti-social" list which blocks social sites like AddThis, Facebook, Twitter, etc when you are not directly navigating them.

 

There are so many exceptions in EasyList, EasyPrivacy and Fanboy's that it's just impossible to be sure it will be blocked. For instance it's not blocked when using EasyPrivacy and Peter Lowe's list, even if a plain block filter for `addthis.com`is in there. Some exceptions somewhere.

The only way to block with a 100% certainty is HTTP Switchboard (soon uMatrix if I can find the time).

 

There isn't a single exception for AddThis in EasyList or EasyPrivacy. Please stop outright lieing in order to promote your addon.

Also, exceptions are added to fix broken functionality, not to allow tracking. Whilst a specific script may be allowed to run on a specific website to restore functionality, it's not going to be able to make requests to download tracking pixels.

 

I could not understand yesterday why addthis.com canvas-fingerprinting script wasn't blocked after running benchmarks using EasyList, EasyPrivacy, Peter Lowe's. I had wrongly assumed addthis.com was in EasyPrivacy or Peter Lowe's list, and assumed at time of posting there were exceptions somewhere in there. You're right, there are no exception specifically for addthis.com. Hence why I created a new list yesterday.

Still, there are definitely unexpected holes in the lists, and yes, exceptions where I rather see none: if I expect google-analytics.com to be blocked, I don't want to ping google-analytics.com at all. For instance, a user could reasonably expect to not ping Twitter when using Fanboy's Social, but he will end up downloading a script from Twitter which is quite ubiquitous: platform.twitter.com/widgets.js. I tried all the lists, none blocks it. It's reasonable for a user to expect that this would be blocked by selecting Fanboy Social.

My point is not to denigrate the lists (I consider them the real gems), it's to warn that you can't rely blindly on these, you risk being surprised not in a good way. HTTP Switchboard will show you upfront was is going on, and give a user an easy way to act on the information. There is no guess work or hope that what you think is blocked is really blocked, the matrix show you exactly what went on, without having to dig into lists or dev consoles.

Yes, I tried to promote the add-on because I completely believe it's in the users best interests (informed consent). Claiming EasyPrivacy thwart canvas fingerprinting while it doesn't is not in the users' best interests.

 

Scroll down to the whitelist part and you'll find that it does the exact opposite - even Perez Hilton has been whitelisted.

https://easylist-downloads.adblockplus.org/easyprivacy.txt

 

Indirectly blocking specific threats (canvas based fingerprinting, reading a specific type of device sensor, accessing a specific type of client side storage, whatever) by blocking [whole] scripts is an approach that we frequently use. However, I think we would benefit from security features (built-in preferably, but where necessary through extensions) that provide more granular options. Conceptually, this would seem simple. Create a list of all the coarse grained and fine grained operations we'd want to be able to selectively block, and allow those operations to be individually enabled/disabled for specific contexts via appropriately rich selector rule features. Practically speaking, I suspect we might find such a list of operations to be longer than we expected it to be and due to existing browser limitations we can't control everything with the granularity we would like (unless browsers were improved). Nevertheless, my gut thinks that would be the way to approach it.

I do think ABP's exception rules are a problem, due to its overall design. I believe that exception rules in Subscription A can override a block rule in Subscription B and/or a block rule in your own custom rules. IOW, I believe subscription list maintainer A (who may be very hesitant to break a site even when breaking it is appropriate from a security/privacy oriented user's POV) effectively has veto power over other subscription lists and the end user's own rules as well. There may be optimization/performance related reasons for such an approach, and one can try to work around it by disabling [specific] exception rules. However, some means of prioritizing/compartmentalizing lists (subscription and/or custom) seems attractive to me. For example, a user should be able to create a ||site1.example^ block rule in their own subscription list or custom filters, and not have to worry about some other subscription they use overriding that block rule. Perhaps while also specifying that their own rule should block ALL requests, including top level requests.

Edit: Added /compartmentalizing, fixed typo

 

As I remember, few month ago I got my system fonts shown on Panopticlick site. Now when I scan my browser I get no fonts shown ("No Flash or Java fonts detected"). Did they change anything on that site or did Chrome start to block access to that info after one of updates?

IMO the best approach to this problem would be that developers would make browsers aware of this kind of profiling and let user choose what they want (block, allow, some granular control...). I doubt that Google will develop such browser - they might need that kind of profiling in the future

 

Maybe you should read what I said before going on a tangent. I said ABP can block it, ABP ≠ EasyList.

You could also try reading the very bottom of the blog you linked to:

I also explicitly stated that it's the anti-social list from Fanboy that outright blocks AddThis entirely. When you install ABP you're prompted with the option to install this list.

You can also outright block it yourself.

 

There is no whitelist for Perez Hilton, it seems you don't understand the ABP API. The only Perez Hilton entries in EasyPrivacy are block entries.

 

I don't see any such whitelisting. You may think of EasyList where there is:

@@||perezhilton.com/included_ads/
@@||perezhilton.com^*-without-ads-$object,object-subrequest,subdocument

But I am assuming it's to prevent breakage, or if not, they could just be obsolete filters.

Like I said, these lists are everything, I actually highlight that to users in the extension description. It's that after running benchmarks I am often surprised to see things that I thought would have been blocked. I use pretty much use all the lists for uBlock, and where I think some domains are all blocked, I will often find that because of an exception one particular requests was not. So my point is uMatrix is definitely a needed complement for people like me who don't like that kind of surprise.

Edit: For each of my benchmarks, I will publish the spreadsheet of the data. So it is available as a link at the top in the lastest benchmark. As an example of what I am trying to say, I expected google-analytics.com to be completely blocked with uBlock (because Peter Lowe's), and yet, there was one hit, which can be explained only because of an exception (with ABP, there were 3 hits).

 

Yes, as always. These lists are made to prevent breakage or to prevent anti-ABP nags.

https://hg.adblockplus.org/easylist/rev/c43007619a01
https://hg.adblockplus.org/easylist/rev/7627fb7529ed

From 2012 and 2011 respectively, so they may no longer be needed.

 

Canvas Fingerprinting URLs.

Related: Clear Your Cookies? You Can’t Escape Canvas Fingerprinting.

-- Tom

 

This thing is completely overblown as gorhill and Palant correctly point out.

 

Yes that was my point. This is just like browser fingerprinting. Nothing much new. And if you sandbox and delete your sandboxed browser after each use, there is nothing to collect. For instance, when I quit my posting here at Wilders, I will delete my sandbox before I go to another web page.

 

Alternately, you can create different browsers to go with different identities. Or you can go that extra step and create multiple VMs like Mirmir does, which of course is better. I don't think that browser fingerprinting works with the TBB though unless you do something to it, which is not advised.

 

Deleting sandbox won't help you. There is no cookies or anything saved on your computer that they use to identify you. Your browser will draw the same image using canvas no matter what you do with Sandboxie. Using different browsers, hardware or VMs might help but it would be really impractical. Script control might help you if you know all domains that need to be blacklisted.

 

• 'Canvas fingerprinting' tracking method is sneaky but easy to halt

http://www.infoworld.com/d/security/canvas-fingerprinting-tracking-method-sneaky-easy-halt-247011

TPL's and other methods can block web based widget sharing services.

 

My stadistics panopticlick´s test:

Tor : 482 computers
Safari : 218,854 computers
Firefox with Johndofox (no proy of JDF) : 125060 computer

Enought ?

 

Enough unique to identify you...

 

So ...all Tor users are indentified, as unique user ... The question if the machine is indentified as unique ... even if you change your location real or virtual, you are always the same guy. They know always what are saying the same guy.
I doubt about facebook ... they usual blocks with the changes of ip... Now , i cannt get blocked ....so...

 

This might be useful for testing HTML5 Canvas.
I suspect that "canvas" is just the tip of the iceberg with HTML5 features that can be used for unique identification purposes. More on HTML5 and CSS3 features here.
Proxomitron will defeat HTML5 canvas fingerprinting without disabling javascript. The filtersets linked in this thread already have the necessary filters.

 

LOL... I am slow sometimes. But now I understand. But I also came up with an idea. If the picture that is drawn is made unique by multiple aspects of the computer, does it seem possible that using something like MADMAC might defeat this, with little effort? Evidently it randomly assigns a different MAC address and computer name every time you restart. Would this be enough of a change to draw he picture a little differently?

http://www.irongeek.com/i.php?page=security/madmacs-mac-spoofer

 

After trying the test site with a different filterset, I've determined that it's the ProxBlox filter that is defeating the canvas fingerprinting. The ProxBlox filter can be merged with any other Proxomitron filterset. The ProxBlox filter allows the user to whitelist entire hosts, specific subdomains, or specific paths only on a per item basis. Proxomitron works with all browsers that can be configured to use a localhost proxy.

 

I don't know if changing those thing will effect canvas picture. You can check information your browser and other browser components 'leak' on this site: http://www.browserleaks.com/