Browser fingerprinting - relevance and countermeasures

Discussion in 'privacy general' started by summerheat, Jul 15, 2018.

  1. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Oops, you're right. :)

    I have some questions regarding fingerprinting in Firefox when using "privacy.resistFingerprinting": The window always seems to be one pixel too low. I mean, I have a screen size of 1366x768, unfortunately, but in fullscreen the browser/window size is 1366x767! Also non-maximized windows - that I use to increase entropy, sometimes - are defaulting to 1000x599. Why always one pixel too low?
    EDIT: It's this: When privacy.resistFingerprinting = true, set new windows to rounded dimensions [tor 19459] Guess they'll figure that out.
    Can I just go there and post this issue or should I do that somewhere else? Is that even an issue with their code? I mean they don't change the fullscreen-size, obviously. So why is it one pixel less there? gaaaah

    Also, very important: Newest Firefox totally blocks CanvasBlocker's functionality when using "privacy.resistFingerprinting = true". Canvas readout will be blank and fingerprint never changes. I haven't read about that anywhere yet, so I think that is new.
    And I have no idea where to report that? In CanvasBlocker's GitHub? In the bugzilla for resistFingerprinting? Somewhere else?
    :confused:
     
    Last edited: Oct 23, 2018
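The two observations in the post above (a window one pixel short of a rounded size, and a blank canvas readout whose fingerprint never changes) can be checked from the browser console. This is an added example, not part of the thread; the 200x100 rounding step and all function names are assumptions.

```javascript
// Added example, not from the thread. ROUND_W/ROUND_H are assumed rounding steps.
const ROUND_W = 200, ROUND_H = 100;

// Signed distance from v to the nearest multiple of step (0 = exactly rounded).
function deviation(v, step) {
  return v - Math.round(v / step) * step;
}

// Compare a reported inner window size against the assumed rounding grid.
function checkWindowSize(width, height) {
  const dw = deviation(width, ROUND_W), dh = deviation(height, ROUND_H);
  const rounded = dw === 0 && dh === 0;
  const offByOne = !rounded && Math.abs(dw) <= 1 && Math.abs(dh) <= 1;
  return { dw, dh, rounded, offByOne };
}

// 'blank' when every RGBA pixel equals the first one, otherwise 'content'.
function classifyReadout(rgba) {
  if (rgba.length < 4) return 'empty';
  for (let i = 4; i < rgba.length; i++) {
    if (rgba[i] !== rgba[i % 4]) return 'content';
  }
  return 'blank';
}

// 32-bit FNV-1a over the pixel bytes, to compare readouts across reloads.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// Browser-only part: draw text, read it back, and report both checks.
function selfCheck() {
  const c = document.createElement('canvas');
  c.width = 200; c.height = 50;
  const ctx = c.getContext('2d');
  ctx.font = '16px serif';
  ctx.fillText('fingerprint self-check', 4, 24);
  const data = ctx.getImageData(0, 0, c.width, c.height).data;
  return {
    window: checkWindowSize(window.innerWidth, window.innerHeight),
    canvas: classifyReadout(data),
    hash: fnv1a(data),
  };
}

if (typeof document !== 'undefined') console.log(selfCheck());
```

Run it with privacy.resistFingerprinting on and off and compare the reported window deviation, canvas class and hash across reloads.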
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No, it's not. This has also been the case in previous FF versions. If you enable that setting,
    https://browserleaks.com/canvas
    reports:
    And this makes sense as you want to hide in that crowd.
     
  3. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I guess I only need it for the other fingerprinting methods it blocks, or does FF do that too?
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    The setting:

    "browser.display.use_document_fonts" set to 0

    recommended in the test:

    http://ip-check.info/?lang=en

    (ip-check.info script allowed)

    prevents the display of the trash can in the UBO custom lists.

    Same problem for those using the ghacks-user.js.

    [SECTION 1400]: FONTS
     
    Last edited: Dec 24, 2018
  5. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    My cans are visible. I checked that I have it set to 0. May be something else on your side.
     
    Last edited: Dec 25, 2018
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy

    http://sendvid.com/eplmq9o6

    Merry Christmas. :)
     
  7. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I can only tell you what I see. I have the newest version of both Firefox and uBlock. (And ghacks-user.js)
    Merry Christmas to you too :)
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    https://www.ghacks.net/2018/12/24/librefox-firefox-with-privacy-enhancements/#comments

    Read the comments:

    Better to disable this setting if the developer of Libre also recommends it.;):)
     
  9. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I HAVE set it to 0. I don't know why it works fine for me.
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Here's an interesting and lengthy contribution regarding fingerprinting by gHacks user.js maintainer Thorin-Oakenpants.
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    For me it does not unless I use the --disable-reading-from-canvas command-line switch.
     
  13. 142395

    142395 Guest

    Ping back because I think this matter is worth discussion.
    https://www.wilderssecurity.com/thr...d-by-disabled-extensions.424555/#post-2883081
    I personally don't recommend to use extensions whose only purpose is defusing browser fingerprint w/ certain technique and NOT blocking tracker URLs, because this in turn makes more fingerprint by itself. Theoretical? Yes, but we already know sometimes advertisers have preceded researchers and they are already using various techniques. Somehow only a few such as canvas attracted attention.
     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I had discussed this already in post #1 and tend to agree. The risk is that those add-ons create inconsistencies which make you more identifiable. For example, it's hardly possible to reliably fake the user-agent of a browser. Nevertheless, I think there is no definitive answer yet if the existing fingerprinting algorithms are intelligent enough to recognize you when you surf a specific site the next day again if those add-ons create enough noise which might be inconsistent but changes from day to day.
     
  15. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,559
    I'm trying to see how Brave does in these kinds of tests.

    And my result from https://hidester.com/browser-fingerprint/


    • Adblock enabled: Yes
    • Do Not Track enabled (via HTTP headers): No
    • Do Not Track enabled (via navigator): No
    • Your browser fingerprint: N/A
    • Browser fingerprint: N/A
    • Time to calculate: N/A
    • User agent: N/A
    • Language: N/A
    • Resolution: N/A
    • Timezone offset: N/A
    • CPU class: N/A
    • Platform: N/A
    • Plugins:
    • Adblock: N/A
    • Has lied languages: N/A
    • Has lied resolution: N/A
    • Has lied OS: N/A
    • Has lied browser: N/A
    • Fonts: N/A

    Can anyone get any different results from your browser?
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I'm getting identical results for Safari on my iPad and Firefox on my Linux system (with JS allowed). It seems that this site is not very useful.
     
  17. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,559
    Thanks
     
  18. 142395

    142395 Guest

    Well, a problem is advertisers have too many options. Let's assume a site uses fingerprinting by web accessible resources - now all other countermeasures, canvas, fonts, UA, CPU, WebGL, etc. are irrelevant because they are not used at all. According to the papers, it seems even a single extension fingerprinting technique can identify a user uniquely and relatively reliably, tho ofc not perfect.
     
  19. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    @mirimir
    what do you think of the following addons, are they not necessary with your setup?: 1. csfire for Cross-Site Request Forgery (CSRF) attacks, silverdog for Ultrasonic Cross-Device Tracking (I found this issue in MCDonald app "beaconing", there are several more), CSS Exfil Protection for Cascading Style Sheets (CSS) data exfiltration, I dunno how frequent such techniques can be and if not just confined to academic papers (but CSRF ofc)

    I don't care too much about profiling since you can't prevent that but with system wide vpns used in a stack and yet that might be not enough (unique behavior of users) so better to focus on security vs bad actors, ppl with the aim of hurting you, considering advertisers and companies as lesser evil that are dangerous in the long run
     
    Last edited: Dec 31, 2019
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Sorry, I haven't been paying much attention to this stuff.

    I tend to just block scripts and ads.

    Although I have come to like DOM Delete for nuking annoying popups.
     
  21. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    can't find an addon by name DOM Delete, you mean the click to remove elements addons and similar from page or iframe injection?
     
    Last edited: Dec 31, 2019
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, so does Firefox Web Developer. But with DOM Delete, you just hover on an element and click, and it's gone.
     
  25. sabazi

    sabazi Registered Member

    Joined:
    Dec 1, 2019
    Posts:
    7
    Location:
    United States
    That DOM Delete extension does look useful. But for those who are concerned about browser fingerprinting, it could make you think twice. Currently, Mozilla says only about 30 have installed it from the Add-Ons repository--so if someone were interested in including it in their browser fingerprinting algorithm, and had an effective way to do so, using it could make it a lot easier to identify that browser. (On the other hand, probably nobody is going to bother targeting an extension that only 30 people are using--unless they already have some reason to suspect that whomever they might be interested in would be likely to be one of those few users.)

    Incidentally, even run-of-the-mill Firefox offers a DOM inspector, like Firefox Developer does. Just right-click on the element and choose "Inspect Element" from the context menu.
     