Browser fingerprinting - relevance and countermeasures

Discussion in 'privacy general' started by summerheat, Jul 15, 2018.

  1. summerheat

    summerheat Registered Member

    In various threads here browser fingerprinting has been discussed, e.g. in the thread about HTML5 Canvas Fingerprinting.

    I'm questioning the relevance of most of those discussions. Here's why:

    I think we have to differentiate 3 aspects:
    1. Third-party fingerprinting. This is done by third-party trackers, pegged into many websites, which try to follow and identify you all over the internet. This is certainly the predominant kind of fingerprinting and a real threat for your privacy. However, it can be easily avoided: For example, Noscript blocks javascript by default. A more rigorous approach is using uMatrix and/or uBlock Origin which block any network requests to all those trackers which are included in the big hosts files (in addition to lists like EasyPrivacy) used in those add-ons.
      Conclusion: Third-party fingerprinting is irrelevant for all knowledgeable users (and hence for all Wilders Security members :thumb: ). Block the trackers - and you block any 3rd-party fingerprinting. It's that simple.
    2. First-party fingerprinting - part 1: Once you surf various sites within the same domain, the webmaster can always track you.
      Conclusion: Irrelevant, too, because unavoidable.
    3. First-party fingerprinting - part 2: You don't want to be recognized if you surf the same websites every day. This does certainly not apply to your bank site and, e.g., Wilders Security or other trustworthy sites. It does probably apply to, say, Google sites, though. So the first advice would be: avoid them. But this may not always be possible. This begs the question: How widespread is 1st-party fingerprinting, and is, e.g., Google using it?
      I've often used Google Maps in Google Chrome (!) to find the way from my location to an address in another city. So they should know where I live. However, every time I open Google Maps anew they locate me at a place which is about 150 km away from my home (obviously by using the IP address assigned by my provider). It seems that even Google is not able or willing to fingerprint me in order to recognize me (needless to say that I delete cookies at the end of every session).

      Nevertheless, it's possible that 1st-party fingerprinting might gain momentum in the future. How to handle it?

      a) You can use add-ons like user-agent changers and canvas blockers. The problem with those add-ons is that they are not always reliable, and that they might create (random) noise which is not consistent with other data used for fingerprinting. You might answer that, e.g., a unique canvas fingerprint created by Canvas Blocker or Canvas Defender today is no harm as the one created tomorrow will be a different unique one. But it might be possible that exactly this characteristic inconsistency with other data will make you trackable more easily - depending on the quality of the fingerprinting algorithm.

      b) A more reliable strategy might be to enable privacy.resistFingerprinting in Firefox. This applies anti-tracking measures used in the Tor browser. This helps to "hide" in the crowd of Tor browser users. Needless to say, this is not available in Chromium-based browsers (and probably never will be).
    Bottom line: In my opinion, the discussion about fingerprinting is overblown. 3rd-party fingerprinting is the big privacy problem - but the solution is easy. I doubt that 1st-party fingerprinting is very relevant today - but this may change.

    So - what do you think?
     
    Last edited: Jul 15, 2018
  2. Fad

    Fad Registered Member

    I'm in agreement and already recently removed CanvasBlocker - judiciously managed cookies and blocking were already in place before and will continue to be after.

    I've almost got 'privacy fatigue' with so many articles & reports about one thing or another, I needed to step back and reassess.
     
  3. puff-m-d

    puff-m-d Registered Member

    Hello,

    I am in agreement also. If you use Firefox, here is a good page to read: Firefox Privacy – The Complete How To Guide. I do not use Firefox's tracking protection since I use uBlock Origin (along with HTTPS Everywhere and Decentraleyes). I also do not enable the "Do Not Track" request as it really does not do much good imho and it is not set as default in browsers anymore (setting it may make you stand out more). Other than those two items, I have been using that set-up for a while now with no side effects.
     
  4. mirimir

    mirimir Registered Member

    That seems like a good idea. I'd forgotten that they added it. You need to set "true".

    But it doesn't seem to work very well vs Panopticlick, however :( But I've left it active.

    Re canvas fingerprint, the best strategy seems to be Canvas Defender, set to change every minute. But eventually, more sites will implement the published workaround. I've set dom.storage.enabled to "false" to block DOM storage. I've dealt with fonts by setting browser.display.use_document_fonts to "0". That reduces installed font uniqueness hugely. And also makes sites look more similar, which has good and bad aspects. And for screen resolution, I run workspace VMs full-screen. My active add-ons: NoScript (blocking WebGL), Canvas Defender, Disable WebRTC, Privacy Badger, and RefControl (spoofing site root).

    So Panopticlick:
    Code:
    NoScript: all scripts blocked except root eff.org
    
    Browser Characteristic        bits of        one in x         value
                                  identifying    browsers have
                                  information    this value
    Limited supercookie test      3.41           10.6             DOM localStorage: No, DOM sessionStorage: No, IE userData: No
    Hash of canvas fingerprint    20.8           1825748.0        a57f4004ccab712913c3c6c15f2f5697
    Screen Size and Color Depth   2.47           5.55             1920x1080x24
    Browser Plugin Details        1.22           2.32             undefined
    Time Zone                     4.12           17.39            420
    DNT Header Enabled?           0.78           1.72             True
    HTTP_ACCEPT Headers           2.01           4.02             text/html, */*; q=0.01 gzip, deflate, br en-US,en;q=0.5
    Hash of WebGL fingerprint     2.54           5.83             00000000000000000000000000000000
    Language                      0.92           1.89             en-US
    System Fonts                  3.61           12.21            Wingdings 2, Wingdings 3 (via javascript)
    Platform                      3.26           9.59             Linux x86_64
    User Agent                    6.35           81.31            Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Touch Support                 0.6            1.52             Max touchpoints: 0; TouchEvent supported: false; onTouchStart supported: false
    Are Cookies Enabled?          0.22           1.17             Yes
    
    NoScript: all scripts allowed
    
    Browser Characteristic        bits of        one in x         value
                                  identifying    browsers have
                                  information    this value
    [all same]
    Hash of canvas fingerprint    20.8           1825759.0         688be22371c8028465ff31753b468dae
    [all same]
    
    NoScript: all scripts allowed; and dom.storage.enabled set to "true"
    
    Browser Characteristic        bits of        one in x         value
                                  identifying    browsers have
                                  information    this value
    Limited supercookie test      0.38           1.3              DOM localStorage: Yes, DOM sessionStorage: Yes, IE userData: No
    Hash of canvas fingerprint    20.8           1825811.0        6c721337e251ecfa4be5f1b7cde2430a
    [all same]
    
    So blocking DOM storage increases uniqueness. But it reduces trackability, I suspect.
     
    Last edited: Jul 16, 2018
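The arithmetic behind the three result tables in the post above, as an added example (not part of the original post and not Panopticlick's code). The rows are transcribed from the post; the function and run names are made up here, and adding bits together assumes the characteristics are independent, which overstates the total.

```javascript
// Rows transcribed from the post's first Panopticlick run:
// [characteristic, bits reported, "one in x" reported, value reported].
const BASE = [
  ["Limited supercookie test", 3.41, 10.6, "DOM localStorage: No, DOM sessionStorage: No, IE userData: No"],
  ["Hash of canvas fingerprint", 20.8, 1825748.0, "a57f4004ccab712913c3c6c15f2f5697"],
  ["Screen Size and Color Depth", 2.47, 5.55, "1920x1080x24"],
  ["Browser Plugin Details", 1.22, 2.32, "undefined"],
  ["Time Zone", 4.12, 17.39, "420"],
  ["DNT Header Enabled?", 0.78, 1.72, "True"],
  ["HTTP_ACCEPT Headers", 2.01, 4.02, "text/html, */*; q=0.01 gzip, deflate, br en-US,en;q=0.5"],
  ["Hash of WebGL fingerprint", 2.54, 5.83, "00000000000000000000000000000000"],
  ["Language", 0.92, 1.89, "en-US"],
  ["System Fonts", 3.61, 12.21, "Wingdings 2, Wingdings 3 (via javascript)"],
  ["Platform", 3.26, 9.59, "Linux x86_64"],
  ["User Agent", 6.35, 81.31, "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"],
  ["Touch Support", 0.6, 1.52, "Max touchpoints: 0; TouchEvent supported: false; onTouchStart supported: false"],
  ["Are Cookies Enabled?", 0.22, 1.17, "Yes"],
];

// The later two runs differ from the first only in the rows the post lists.
function withOverrides(base, overrides) {
  return base.map(([name, ...rest]) => [name, ...(overrides[name] || rest)]);
}
const RUNS = {
  rootOnly: BASE, // NoScript: all scripts blocked except root eff.org
  allScripts: withOverrides(BASE, {
    "Hash of canvas fingerprint": [20.8, 1825759.0, "688be22371c8028465ff31753b468dae"],
  }),
  allScriptsDomStorage: withOverrides(BASE, { // dom.storage.enabled set to "true"
    "Limited supercookie test": [0.38, 1.3, "DOM localStorage: Yes, DOM sessionStorage: Yes, IE userData: No"],
    "Hash of canvas fingerprint": [20.8, 1825811.0, "6c721337e251ecfa4be5f1b7cde2430a"],
  }),
};

// The "bits" column is the surprisal of the value: log2 of "one in x".
const surprisalBits = (oneInX) => Math.log2(oneInX);

// Rows whose two columns disagree by more than `tol` (rounding aside, none should).
function inconsistentRows(rows, tol = 0.02) {
  return rows.filter(([, bits, oneInX]) => Math.abs(surprisalBits(oneInX) - bits) > tol)
    .map(([name]) => name);
}

// Characteristics whose reported value is not identical in every given run.
function changedAcross(runs) {
  const [first, ...others] = runs;
  const differs = ([name, , , value]) =>
    others.some((run) => run.find((r) => r[0] === name)[3] !== value);
  return new Set(first.filter(differs).map(([name]) => name));
}

// Sum of reported bits, optionally skipping some characteristics.
// ASSUMPTION: characteristics are independent; correlation makes this an overestimate.
function totalBits(rows, skip = new Set()) {
  return rows.filter(([name]) => !skip.has(name))
    .reduce((sum, [, bits]) => sum + bits, 0);
}

const unstable = changedAcross([RUNS.rootOnly, RUNS.allScripts]);
console.log("changed between runs 1 and 2:", [...unstable]);
console.log("all bits, DOM storage blocked:", totalBits(RUNS.rootOnly).toFixed(2));
console.log("all bits, DOM storage enabled:", totalBits(RUNS.allScriptsDomStorage).toFixed(2));
console.log("bits in values that stayed the same:", totalBits(RUNS.rootOnly, unstable).toFixed(2));
```

The last figure counts only the characteristics whose values were identical in the first two runs, i.e. everything except the canvas hash that Canvas Defender changes.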
  5. Sampei Nihira

    Sampei Nihira Registered Member

  6. mirimir

    mirimir Registered Member

    By "site scripts", I meant all scripts, including trackersimulator.org etc.

    So I've edited the post, to just say "all scripts allowed".

    But wait, most of your results are "no javascript".

    With no scripts allowed, the test won't complete for me.

    I'm confused :(
     
    Last edited: Jul 16, 2018
  7. Sampei Nihira

    Sampei Nihira Registered Member

    It doesn't matter, thanks all the same. :thumb:
    My current priority:

    https://www.wilderssecurity.com/threads/tls-1-1-and-browser-upgrades.404679/page-2#post-2768819

    ;):)
     
  8. mirimir

    mirimir Registered Member

    Well OK, but I know nada about Chrome :)

    And I am very curious how you got that result with all those "no javascript" values :)

    Edit: OK, never mind. Just turn off Javascript, and disable NoScript.
     
  9. summerheat

    summerheat Registered Member

    Okay, but we agree that all this is relevant only for 1st-party fingerprinting as outlined in my post above, don't we?

    I also performed some Panopticlick tests with a new "naked" profile. (However, I'm using Steven Black's hosts file in unbound so some stuff is probably blocked without adblocker). Javascript was enabled. Some tests were done with webGL disabled.

    So if you compare the results you'll notice that RFP dramatically improves the canvas fingerprint and the user agent while the screen size and color depth value was worse. But overall there was always enough data to make the browser unique. Remember, though, that JS was enabled.
     

    Attached Files:

    Last edited: Jul 16, 2018
  10. deBoetie

    deBoetie Registered Member

    Thanks for the thread. A couple of thoughts:

    With repeat visits to a single website, it is going to be hard to reliably resist fingerprinting unless javascript is disabled, as you observe. Even things like keystroke/typing patterns could be used if javascript is running. This raises the importance of Opsec and being aware of behavioural and cultural tells.

    Rather obviously, javascript is also a potential vector for Meltdown/Spectre even if those have been mitigated as far as we know.

    This also implies there is a problem with back-end collusion between sites (which you cannot control) within your opsec boundary, and being sure that boundary is tight.
     
  11. summerheat

    summerheat Registered Member

    Absolutely. I have javascript disabled by default and allow it in uMatrix only if really necessary. Besides - as I've often mentioned in other threads: One of the big advantages of uMatrix over Noscript is that it uses big hosts files (and you can add more if you want), and the sites therein are explicitly blacklisted and distinctly displayed at the lower part of the matrix separated from other 3rd-party sites. This makes it much less likely (compared to Noscript) that you accidentally allow such a site.

    Two more tests on Panopticlick. The first one with RFP + disabled webGL + browser.display.use_document_fonts=0, and the second one with RFP + disabled webGL + browser.display.use_document_fonts=0 + 3rd-party cookies blocked + tracking protection enabled. The latter makes a big difference, definitely caused by blocking 3rd-party cookies (I don't think that tracking protection did it as it surely doesn't block more than my hosts file in unbound).

    Performing the test with javascript disabled failed.
     

    Attached Files:

  12. imdb

    imdb Registered Member

    Right on. And another great aspect of uM is that it allows you to see how many & what sorts of elements by 3rd party domains are on a certain page.
     
  13. mirimir

    mirimir Registered Member

    No, also for third-party fingerprinting. If the canvas fingerprint changes every minute, it's not so likely that any two sites will see the same fingerprint. And if it really matters to you, you can just generate a new canvas fingerprint before browsing the new site.
    Interesting. Thanks :)

    [​IMG]
    That has a canvas fingerprint, so you must not have blocking enabled in Canvas Blocker.

    [​IMG]
    Sure, but canvas fingerprint can change every minute, so it's useless for tracking.

    [​IMG]
    RFP does dramatically reduce canvas fingerprint uniqueness. Maybe it's pushing a relatively common one? However, I can't reproduce that, even with Canvas Blocker and Canvas Defender disabled. Maybe they've made irreversible changes?
     
  14. summerheat

    summerheat Registered Member

    Yes, also for 3rd-party fingerprinting in principle. What I meant: As written in my first post, if you block those 3rd-party trackers, you also block 3rd-party fingerprinting thus making it irrelevant. So the question remains if all those countermeasures are worth it only for fighting 1st-party fingerprinting.

    Right, I chose spoofing the canvas API.

    That's the question. If the canvas fingerprint is inconsistent with other data used for fingerprinting or if it changes while you are on the same site, this might make you even more unique. As said, this depends on the quality of the fingerprinting algorithm.

    From your previous post it seems that you're using FF 52 ESR. Since then RFP has improved, I guess.
     
  15. summerheat

    summerheat Registered Member

  16. Sampei Nihira

    Sampei Nihira Registered Member

    Hi to all. :)
    Does anyone have an explanation for the curious behavior at the test below?


    https://forum.palemoon.org/viewtopic.php?f=17&t=20582
     
  17. Alec

    Alec Registered Member

    I agree with the answer provided by doofy on that forum. Each test run is probably viewed as a unique visitor, so each time you run the test you are adding another entry with your specific set of fingerprints, reducing your overall uniqueness within the test. The test should probably simply ask you, or place a cookie on your system saying whether they've tested you before, so that they don't record the hashes a second, third, fourth, etc. time.
     
    Last edited: Oct 1, 2018
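A toy model of the effect Alec describes in the post above, added here as an example; it is not Panopticlick's code, and the class, the function and the visitor data are constructed for illustration. It compares a test site that records every run with one that skips visitors carrying a "tested before" token.

```javascript
// Toy statistics store for a fingerprint test site (hypothetical, for illustration).
class FingerprintStats {
  constructor({ dedupe }) {
    this.dedupe = dedupe;         // true: record each visitor token only once
    this.counts = new Map();      // fingerprint hash -> number of recorded entries
    this.seenTokens = new Set();  // stands in for the "tested before" cookie
    this.total = 0;
  }

  // Record one test run and return the "one in x" figure shown for that hash.
  record(hash, token) {
    const repeat = this.seenTokens.has(token);
    this.seenTokens.add(token);
    if (!(this.dedupe && repeat)) {
      this.counts.set(hash, (this.counts.get(hash) || 0) + 1);
      this.total += 1;
    }
    const n = this.counts.get(hash) || 0;
    return n ? this.total / n : Infinity; // Infinity: hash never recorded
  }
}

// Seed the store with `others` constructed visitors, each with a distinct
// fingerprint, then let one browser run the test `runs` times.
// clearsCookies: the browser deletes the token between runs.
function repeatedRuns({ dedupe, clearsCookies = false, others = 999, runs = 5 }) {
  const stats = new FingerprintStats({ dedupe });
  for (let i = 0; i < others; i++) stats.record(`other-${i}`, `visitor-${i}`);
  const shown = [];
  for (let i = 0; i < runs; i++) {
    const token = clearsCookies ? `me-${i}` : "me";
    shown.push(stats.record("my-fingerprint", token));
  }
  return shown.map((oneInX) => ({ oneInX, bits: Math.log2(oneInX) }));
}

for (const mode of [
  { dedupe: false },
  { dedupe: true },
  { dedupe: true, clearsCookies: true },
]) {
  const figures = repeatedRuns(mode).map((r) => r.oneInX.toFixed(1)).join(", ");
  console.log(JSON.stringify(mode), "->", figures);
}
```

In the third mode the token is cleared between runs, so the repeat runs are counted again even though the site deduplicates.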
  18. Alec

    Alec Registered Member

    You may be correct, the concern may be overblown... but somehow I doubt it. If anything I suspect the concern is not taken as seriously as it often should be. I am admittedly not an expert in browser fingerprinting and tracking capabilities, but it seems to me that the devil is very deep in the details... and I have a hunch that some technicians at Google, Facebook, and Acxiom are way ahead of the vast majority of us on this one. We shouldn't have to be experts on the esoteric nature of the uniqueness of our display configuration, the fonts we have installed, or the set of browsers we have installed.

    Yes, it's true that for any site that I willingly log into for security and authentication reasons... i.e., my bank account, my insurance company, my auto loan provider, my investment company, etc... I obviously can't expect anonymity. Having said that I also would not expect or want my bank to utilize some tracking mechanism that correlated my specific browser with Internet activity unrelated to their site. I do have uBlock Origin installed and I do, in general, try to not allow 3rd-party trackers or cookies or script... but I have nagging doubts about the "completeness" of the 3rd-party tracker lists. There just seem to be far too many avenues to leak unique data. There are too many usability vs security tradeoffs, and your average end-user is ill-equipped to make such decisions in most cases.

    My browser habits are pretty tame, so honestly it's not that I care about anonymity that much. In fact, I am sort of against Internet anonymity in many cases as it seems to breed poor manners and disrespect. But, the thought of direct marketing associations building up vast databases on every consumer and their habits really sort of pisses me off. I guess that horse is out of the barn though, and there is no going back. C'est la vie.
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Thanks for your opinion.:thumb:
     
  20. __Nikopol

    __Nikopol Registered Member

    I just switched from Google to Firefox. Does anyone know how to spoof what JS reads in resolution or screen size? I can resize my window, but I want it to be fullscreen.

    Also, here's the newest stuff about font fingerprinting: https://github.com/pyllyukko/user.js/issues/286, https://trac.torproject.org/projects/tor/ticket/18097, https://trac.torproject.org/projects/tor/ticket/20842. As always the Tor browser devs are on the front.
    "browser.display.use_document_fonts=0" looks like it could help against fingerprints. I hope "font.system.whitelist" will be finished and implemented in mainstream Firefox soon.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    It's hard to get a good privacy setting with Chrome.
    Some extensions do not keep their promises over time.
    In the images below some minimum settings that I like:


    199.jpg 200.jpg
    201.jpg 202.jpg

    203.jpg 206.jpg
    204.jpg 204a.jpg
     
  22. __Nikopol

    __Nikopol Registered Member

    You do not get privacy with Chrome. What do you expect? It's a browser from Google!
    Everything you do is already sent to Google in order to save you from malicious sites. I'm sure if you deactivate safe-browsing, other things come into play.
    They are in the information-business and you expect them to respect your privacy?

    You could use ungoogled-chrome, though.

    Anyway, how did you get it to report zero fonts? AFAIK there are no extensions that do anything against this.
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    I do not use Chrome.
    I share this information only for those who like to use this browser.



    Error, there are, but only one extension works well.

    https://www.wilderssecurity.com/threads/html5-canvas-fingerprinting.386179/page-14#post-2788399

    https://chrome.google.com/webstore/detail/bp-privacy-block-all-font/bfoidacjeobbnkpoemlfllfmmnbogcig?hl=en
     
  24. __Nikopol

    __Nikopol Registered Member

    ~ Off Topic Remarks Removed ~

    Anyway, asking all others, how did he get that result in font fingerprinting? this
     
    Last edited by a moderator: Oct 22, 2018
  25. 142395

    142395 Guest

    Though I don't oppose the overall argument, "Everything you do is already sent to Google in order to save you from malicious sites" is wrong. There are 2 types of Safe Browsing APIs, and what is used in Chrome is the Update API, which does not send any of the URLs you visited. It periodically downloads hashes of bad URLs and checks against them.

    There are some Chrome extensions claiming to prevent font fingerprinting, but I haven't used them and won't. Interestingly, I found Firefox Android gives 0 fonts too, but I'm not sure if it's due to tweaks or if everyone gets the same result. Brave Android w/ fingerprint protection enabled gives 4 fonts FWIW.
     