Accurate cross-browser fingerprinting is possible, researchers show

Discussion in 'privacy problems' started by Minimalist, Jan 17, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Never, never allow canvas to be turned on and use the TBB. The article is pretty clear about that. My TOR browser "canvas fingerprinting" alarm goes off all the time. Its amazing how many sites try this method on YOU!
     
  3. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    What is you use noscript, canvas defender, and ublock origin?
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I use Canvas Defender. And NoScript.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Good questions and good answers. I sort of flock to TBB because it allows me to appear like any other TOR browser user. A general FF browser with a couple of addon's is somewhat identifiable because its is somewhat unique. However; to me a generic TBB with nothing changed just leaves me as one of the millions of generic TOR users. Also, don't overlook "static" hardware issues, which are easily manipulated and changed daily in a VM surfing environment. Static physical hardware ID components are not ever your friend! Use your actual hardware for a host but surf from VM's and rotate their MAC's, and other ID's often. Its easy stuff but often overlooked.
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    What kind of sites are trying this on?
     
  7. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    725
    Unique mahine cannot read mine as webgl is diabled? Is it that easy , if so why need add on?
     
    Last edited: Jan 19, 2017
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I will start keeping a mental note on specific sites where the canvas fingerprinting "allowance" flag pops up as a question. Several/many times a day. In general when I am surfing around on clearnet (via TOR bundle behind VPN's) and attempting to read articles of interest on things like BitCoins, or various news group types of places. The canvas flag is only a minor annoyance because my workspace is always on a VM that disappears at the end of the session. A new workspace enviroment is created every session. In many ways the TBB functions like a VM within a VM; because the desktop of the bundle is isolated from the actual VM, which is solidly isolated from the host a couple links up in the chain. I find it fairly dependable to operate multiple TBB's from the same VM desktop. Each bundle only goes to one site, such as here at Wilder's. Even with a leak in this fashion only Wilder's activity will ever exist inside this bundle, and its snapshot'd every day.
     
  9. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    beyond "specific sites", exact URLs so that others can confirm.
    Otherwise the claim may be dismissed as "just FUD", eh
    (not by me, just sayin')
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @Palancar - thanks very much - have you also considered using TBB within Firejail, does that work?

    With the Canvas aspect, I suppose I was wondering whether any of the more popular sites or ad networks had started to use it, because they should at least be named and shamed. And, also, any sites relating to privacy or where people would be wanting anonymity.
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    OK I just noticed your post. This happened just a few minutes ago on another machine. I am working on some U2F technology as relates to website access. I am researching a generic Yubi device for the purpose. Nothing super secret just a generic website for buying the device and/or reading about one. This is a clearnet site and not onion of course.

    I was on TOR in a VM and went to the url below. Once there I temporarily allowed Scripting by clicking that option in the upper left hand corner of the bundle control panel. Often times you need to enable scripting/java to gain full access to what various sites offer. Immediately upon disabling TOR's normal blocking of this, a pop up jumps up stating that the website is attempting canvas fingerprinting. TOR's pop flag states very clearly that if I were to allow that canvas image to be created I could compromise my identity. The site would have just made a canvas image without me ever knowing if I was using a regular browser. That means that sitting behind a one hop VPN I would still have offered up a very unique canvas image as a user of their site. How convenient for them? Don't know what they would do with it, but lets just say that I'ld rather they didn't have it so I don't have to worry about it, ever.

    https://www.yubico.com/support/knowledge-base/categories/faq/


    ps - this would be a tedious project but I could easily find scores of examples of this. The practice is now so common place. I believe this one clear example (since the site is so generic) makes my point with enough substance. If you look around, you'll have them popping up all day long. Peace.
     
    Last edited: Jan 22, 2017
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    This is Princetown's 1M top website analysis of just the home page from start of 2016 (about 14k were found):

    https://webtransparency.cs.princeton.edu/webcensus/canvas_scripts.html

    Top sites seem to be a lot of news sites (including bbc.com) and dropbox. The ad/verify networks seems to be:

    doubleverify.com, lejit.com (leads to sovrn.com) and others.

    Apparently, the number of websites continues to go up, but the main advertisers have drawn back from it following the initial exposure.

    It'd be nice to auto-complain to all these sites. At least this sort of thing should be highlighted in Tos or whatever.
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Is that European cookie disclosure/consent regulation still in effect? If so, that is one thing that could... theoretically... be expanded to force fingerprinting disclosures.
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yep, still in effect, and a royal pain when you're running fresh VMs with snapshots. But as you say, theoretically....
     
  15. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    DeBoetie,

    For those advanced/disciplined enough to contain "matters" in snapshot'd VM's, this isn't much of a danger. Just imagine Mr. Windows user on a generic browser running bare metal (> 95% of all users) within their workspace environment! Sends chills down my spine at the thought. LOL!
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Ah, I just meant having to click the cookie acceptance every time!
     
  17. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    I checked the yubico..faq page and the external scripts it loads, and found nothing offensive.
    Possibly, based on user-agent and or platform, we're being served different content.
    More likely, IMO, TorBrowser is throwing up kneejerk "false positive" warnings.
    Warning stated "page wants to create a canvas image"?
    Okay, but I see no timings being recorded, no canvas-related details stored to cookie, nor exfiltrated.
     
  18. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I haven't taken the time today to go back and tear this site apart. Frankly, I don't have the time or inclination to determine whether or not the "warning pop ups" that TOR flags are overly protective. I run my TBB at high settings with Scripting and Java off unless I determine to temporarily drop the guards. I do that with NO exceptions unless running in a snapshot'd VM and then I revert back to clean after running in that mode.

    I do appreciate other members holding my "feet to the fire". I mean this in a good way. I try to be accurate and on this thread and issue, I have presented why I don't like running with a configuration where canvas fingerprinting (by any name) is allowed. I take my anonymity very seriously.
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    https://arstechnica.co.uk/security/...u-online-even-when-you-use-multiple-browsers/

    Cao et al. (2017) (Cross-)Browser Fingerprinting via OS and Hardware Level Features
    http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf
     
  20. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    166
    Location:
    Earth
    I guess, disabling JavaScript should make it harder for these techniques to work.
    Running different browsers in different VMs with different VPN or at least different servers or Whonix should make it difficult to apply these methods. I guess Qubes is the best OS for helping to avoid tracking, don't you think?
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Even that can be vulnerable. Browsers in all Debian-based VMs have the same HTML5 canvas fingerprint on given hardware. The fingerprint is based on both the VM's graphics driver and the host's graphics hardware. To avoid that, you can use unrelated OS in your VMs. In my experience, Windows, OSX, Fedora, PC-BSD and Debian VMs have distinct HTML5 canvas fingerprints on given hardware.

    Tor browser seems resistant, and using it in Whonix is even better. However, Tor browser is based on Firefox, and Whonix uses Debian VMs. So if something can pwn Tor browser, it might enable cross-tracking with Firefox in a Debian VM on the same host. So even using Whonix, it's safer to use non-Debian VMs for compartmentalization.
    I don't know how well Qubes resists cross-VM tracking. If I remember correctly, there have been vulnerabilities from directly using host hardware. And so I think that Qubes has been moving (moved?) to total paravirtualization. Perhaps someone who uses Qubes heavily could comment on that. Or maybe even, run some tests ;)
     
  22. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    166
    Location:
    Earth
    Thanks for your answer!
    Does that mean this technique does not necessarily rely on JavaScript ? Would be too easy to just use NoScript, I guess.
    I use several OS but moved mainly to Debian because it offers the best overall experience. Damn. [Edit: I am talking about Qubes]

    Not yet. This applies for the next release candidate 4.0, which should be released in the near future.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    :)
    Yes, I believe that it does. Most of HTML5 depends on JS, I think.
    Yes, me too :(
    OK, cool. Thanks.
     
  24. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    166
    Location:
    Earth
    I am sorry I mixed up the virtualization technologies Qubes 4.x is planning to use.

    See here for the full description:
    https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/

    I had the feeling that something was wrong. It is the opposite of what I was saying.
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, thanks :) I was confused too :(

    So now I must say that I don't know how Qubes handles cross-VM HTML5/JS-based tracking. I'm guessing that VM diversity would prevent it, just as in VirtualBox. But o_O
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.