In anticipation of future changes to the conclusions it is that CanvasBlocker is a step above the other extensions.
We thought about such option but it is essentially useless. To make website lose track of you, at the very least you have to change canvas fingerprint AND destroy all cookies. Even if you had some extension, which would destroy cookies every N minutes or hours, it wouldn't by synced with Canvas Defender. However, there are extensions that destroy cookies upon browser restart. Another problem with switching Canvas every N minutes/hours is that it might be changed within a single session, which is a clear signal to the website that you are spoofing fingerprints.
No offence but this conclusion is very shallow. CanvasBlocker and Canvas Defender have different mechanisms and are meant for achieving different goals. As soon as tracking websites implement a mechanism that will not only track Canvas fingerprint in the present moment but also its change over time within a single user session, constant renewal of Canvas fingerprint will actually start making you more easily trackable. You will become the only user with XYZ browser parameters and IP that changes Canvas on each request. CanvasBlocker will only work if it gains the same popularity as say AdBlock, which is quite unlikely because Canvas fingerprinting is no way as annoying as banners and popups. Canvas Defender, on the other hand, will work even if you are the only one using it. In approximately 1,5-2 months space we will launch own test similar to Panopticlick, which will showcase vulnerabilities we have found in CanvasBlocker, Random Agent Spoofer and a number of other privacy plugins.
Oh, I see. Then because I use Firefox / Cyberfox > Always use private browsing mode, so no cookies should be saved, I am better off with a new noise each time I start my browser, as per here?
Just testing CanvasDefender (thankyou for making it available) I have a question: If my canvas fingerprint, that has been changed by Canvasdefender, stays the same (unless I change it) - wouldn`t that mean I would be tracked with that altered fingerprint instead of my original and real one... due to the fact that the fingerprint stays the same, even though it has changed ? I realise I can change it but how often should this be done to be effective ?
Canvas Defender missing the ability to see which sites are trying to track me via my canvas profile. Place this right away and I change extension tomorrow. TH. _____________________________ Another blog that makes use of this technique: https://blog.mozilla.org/
Hello, There is something about being anonymous and the use of the Canvas Defender extension that confuses me and part of the confusion is when I test and interpret the results at this site: http://www.browserleaks.com/canvas With Canvas Defender disabled: Found in DB ✔True (842 of 84558 unique User-Agents has the same signature as yours) With Canvas Defender enabled: Found in DB ×False and ? Your Canvas Fingerprint appears to be unique for our database. Normally when I think of being anonymous and harder to track, I think of blending in "with the crowd"... When I use Canvas Defender my canvas fingerprint is unique where when I disable Canvas defender I have about 10 % user-agents that have the same signature as mine. So here is where my confusion comes in and the questions... From an anonymity, privacy, and tracking point of view, I thought it was better to be 1 in 10 rather than unique. How does being unique better my anonymity and privacy? Is it because being unique means I have no matching user-agents associated to my canvas fingerprint? Also, on a side note, is the best time to change my canvas noise hash with Canvas Defender when I do a thorough cleaning of my internet tracks/traces (including histories, caches, cookies and the like)? For example, let's say I usually do a thorough cleaning at the end of each day when I shut down my system. Should this be the best time to change my canvas noise hash? It is a bit confusing as to when (or even if you should) change it. I understand changing too often would be bad as blocking also would be. So when is the best time to change the canvas noise hash?
It depends. From tracking point of view it would be better to have different fingerprint on different sites or during separate browsing sessions. If you look at it that way it doesn't mater how unique you are if your fingerprint always changes.
I may be missing something but I have just done a test on panopticlick.eff.org which shows the hash of my canvas fingerprint as f5a794c5b8228efc84276abdfe388ae5. I have canvas Defender enabled and it is showing a noise hash of #90235203cb. I had assumed that the panopticlick test would show the CD noise hash but it obviously doesn't.
I doubt that you can control how hash will be calculated on servers' side. You would have to know what hash algorithm is used, all variables that are included in calculation and I doubt that this is purpose of Canvas Defender. It will only change canvas noise hash which will also change hash of canvas fingerprint. Value of this hash is not important.
Im no expert, but I think the way to think of it is that you can "break up" how you are tracked. As long as you are on a fingerprint, you can be tracked across services (if a singular set of eyes can access those services). If you change a fingerprint every request, you can be tracked as the guy whos canvas fingerprint constantly changes with all other factors remaining the same. If you change both the canvas and the profile data (user agent, reported fonts, etc), then you can be tracked as that "crazy privacy seeker whos crap always changes" especially since other techniques can determine whether you are reporting the actual browser used, etc. By keeping the user agent as the most popular version number of the browser you use on the OS you use, you are being as obscure as you can be. This means you are least trackable (by browser data) using Windows with Chrome. You are much more trackable using Firefox on Linux (like I am). At the same time, Linux software and the OS itself sends out little to no telemetry, as does Firefox communicate much less with Google than Chrome (especially since you can turn all communication with them off in about:config). Keeping all that in mind, you remember to change the canvas hash whenever you wish to "disconnect" past browsing "history" with where you intend to browse next. Once the new hash is generated, you appear as another user who also has {whatever OS/browser combo you use}. Frankly, while I use ublock origin, have firefox stripped of geolocation/webgl/webrtc, third party cookies blocked, and canvas defender, I assume all browsing I do is tracked. Ive heard it said that "in an arms race between commercial entities trying to gather tracking information for profit and the users trying to remain private, the users will inevitably lose." We are witnessing the infancy of web tracking- we are entering a Brave New World and some browser addons arent going to stop it.
It as about combination of various techniques, which makes you unique, like canvas + mouse movement + sound + info about computer and so on.
Thank you so much Anonframe1 - that is a brilliant explanation and has helped me a lot and I am clear now how to make use of Canvas Defender. Incidentally, I am using Firefox on Win 7 Pro and have taken similar measures to those you have listed to try and prevent tracking (uBo, FF tweaks etc) but was not entirely clear where Canvas Defender fitted into the arsenal of defenses. Your post has rectified that nicely. Brave New World indeed!
True. That is why compartmentalization is important. Using VMs, VPNs and Tor. You are maybe 5-10 personas, each with your own signature. Mouse movement is problematic. Perhaps switch between trackpad and mouse. Even dig up a trackball, maybe.
A really nasty threat would be someone who gains access to the public's fingerprints and impersonates them. Uniqueness wouldn't matter then, you'd be affecting some innocent. Since the fingerprint data will be held in (careless) corporate servers, it will be breached and may by used by the malicious.
Guys, I have read through all your comments and questions. First of all, I wanted to copy here one of my reddit posts, which kind of sets the big picture context to all questions you have: ==================================== I believe that in modern world general privacy is no longer possible. We are being fingerprinted and analyzed from so many avenues that trying to counteract all of those attempts would be as wise as trying to attack on all theaters of war. Fighting virtually unlimited threats would require virtually unlimited resources, which is not the case. Likewise, companies are limited in what they analyze. They have much more data now that they are capable of analyzing. So they are also forced to choose their focus. For these reasons I believe that privacy became fully instrumental now. Any answer regarding privacy maintenance should start with the question: "what goal are your trying to achieve?". Don't want to see targeted ads? Block them all with AdBlock. Don't want to buy something on your name? Pay in cash or use fake identity. Want to surf internet anonymously? Create an online identity separated from your main identity. Or use Tor or I2P. Want to avoid movement tracking? Leave smartphone at home, buy Nokia 5110 and fake mustache. Want to download pirated movies? Crypt your drive with TrueCrypt or other software of your choice. etc etc I want to stress this again: there is no such thing as "general privacy". It is an illusion. Even if you somehow manage to block all trackers, your behavior will still remain probabilistically predictable based on how other people similar to you behave. This is the case, where you have to "think globally but act locally". ==================================== And to support this claim, there are tons of methods to track you down besides User-agent and Canvas fingerprint. There is audio fingerprinting, which utilizes mechanics similar to Canvas), there is fonts fingerprinting, which is at least as effective as Canvas. There's IP address, evercookies, Flash API, JS API and lots more. Add here all services that you use and their interconnectedness. Even Google Analytics blocking with extensions like AdBlock or Ghostery can be EASILY bypassed by any mid-level developer. Thinking that you can win all these battles (with free browser add-ons ) is borderline insane. What I urge you to do is to first ask yourself: "What I am really trying to achieve?". Then, starting from that point pick your fights and achieve your goals. You cannot be "generally safe" but you can disguise your activity wherever it is actually needed and protect yourself from certain attacks that are most likely to happen. If you still cherish the idea of general crowd fighting government oppression with technological means, then avoiding social networks and encrypting your hard drive is a good start.
Came back to add something here. If you ever took interest in war strategy, you already know that no war can be won purely by defense. Any war is a right combination of defense and offense. Likewise, direct approach in strategy is inferior to indirect approach. The ultimate goal of any war is to win without engaging in battle at all. Like Sun Tzu wrote: "to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill." Speaking about companies employing unethical fingerprinting technologies, trying to block tracking with technological means is not only a defensive strategy but also an absolutely direct response. What could be an indirect response? Exposing misbehaving companies to public, shaming them and making them lose customers through it. Making them choose between gaining customers trough tracking and loosing customers' loyalty because of tracking. There's a group of developers and PR specialist already working on such solution. It will be transparent and open-source. It will allow the community to finally strike back at companies who feel they can get away with anything happening in the web. This solution will be soon announced to public.
Often the extensions do a great job. Advisable for Firefox users install the extension below: No Resource URI Leak Test: https://www.browserleaks.com/firefox
I think his post pivots around this point: "What I am really trying to achieve?". Then, starting from that point pick your fights and achieve your goals." Your resources are limited. So should Snowden invest time not letting Google know he likes pizza and Green Acres re-runs? Maybe. Should he consider buying a long-distance antenna or renting covert uplinks when trading internal NSA docs--perhaps. Choose your battles wisely and fight them appropriately. Think of it this way. Tracking by browser occurs for a few major reasons: ads, LEO surveilance, and antisec. So owners of infection pages don't want their pages and payloads analysed by researchers. They can use fingerprints (unique or otherwise) to target users or remove suspects. However, this gives the coomon user an advantage. If you appear like a honeypot you won't get infected like you otherwise would. Meanwhile, malware researchers can use user forensics to grab payloads and note infected pages. LEO would love to scrape your fingerprint. They would set up or control a wateringhole like heroinsale.onion. They would intercept traffic from global resources or targeted attacks. Erowid.org seems like a good targeted compliment between users of heroinsale.onion and where you could have the same fingerprint to visit both, but not always under a TOR route. You just blew your cover. Solution goes to Mirimir: segregate your usage into personas. Use a burner computer and matching anon-IPs when expecting deep anonymity. Don't use the same computer/fingerprint to order pizza. Ad tracking. The hardest because it is widespread but less critical. As mentioned, an ad-blocker is quite effective. Why? In order to correlate all that data or be usable ACROSS sites, you need to be pretty obvious. Go to a Gawker website then to NYTimes etc. See something in common? Ah, Google, Twitter, Facespace and similar CDNs, chat apps, and beacons. That's their weakness. In order to track you they need to also be omnipresent. The EFF has an extension which correlates these trackers in similar ways they correlate us. But we are also tracked by face, loyalty cards, CCs, email, zip codes, logins, IP etc. Why? And how does that affect you? Using cash or not using loyalty cards may end up with you losing value. Choose wisely.
