You get a better result with: (Firefox) CanvasBlocker + No Resource URI Leak + Specific settings in about:config
Start chrome/chromium with:

Code: --disable-reading-from-canvas ...

No canvas fingerprint at all and no addons/extensions are necessary.
Canvas this and canvas that only deal with canvas fingerprints. And the canvas fingerprint is only one type of fingerprint. There are other types like battery, font, audio etc. You'll still need extensions to block the others.
Does CanvasBlocker show any counters or pop-up messages that it is working? If not, how do you know it's working?
This thread is about canvas, nothing else. People here are talking off-topic, and almost all of the mentioned APIs (yes, they're nothing but APIs, and 99% harmless anyway) can be turned off in every modern browser without any addons/extensions. It's in about:config or in chrome://flags, and not just since yesterday. Why people recommend installing untrusted and outdated addons instead of opening a ticket on Google's or Mozilla's bug tracker is way beyond me. Threats should always be fixed at the lowest level, rather than running into another danger by installing untrusted addons which you think are not collecting anything... they all do, cause they're hosted by the mother Google and Mozilla.
It's true that addons do collect your private data. The same goes for using Chrome and FF, unless you are using Ungoogled Chromium, Epic etc.
Ungoogled Chromium should be avoided cause it's a hobby project from study people and they do not maintain changes fast enough to recommend using it daily.

Google or Mozilla, even if you sync your data, do not spy on any of your data, cause the stream is encrypted. Over and over, false information is spread without any proof (cause there is none); that they see your real data and abuse it is just a myth. The sync is no more or less safe than visiting wilderssecurity and logging into the page, which also exposes your IP and meta-data, cause every backend logs by default. So your only option is to avoid it, or to use KeePass and trust another provider. There are so, so, so many false statements from non-experts when it comes to 'spying' that I almost gave up on this.

The only point when it comes to sync is that Mozilla offers the ability to sync to your own or another server, but Google not only blocked that because they want to spy on you, more like when something happens like a data breach, which one is to blame, especially when it comes to insecure server configurations. You see, there are always two sides.

I do think the meta-data collection mentioned here is useless, cause Wilders members are normally smart enough to know already that such example pages depend heavily on permissions/JavaScript, which means you allow the pages to gain access - which then means it's driving against a wall to show that there was a wall.

The more dangerous thing is that you cannot protect against canvas fingerprints or other mentioned API collection when an application outside the browser wants to access the web, like when you use mouse/keyboard software and so on. I consider this much more problematic, cause then we're talking about what is wrong with the protocols - which is the real point here.
How do you know Google/Mozilla cannot see into the encrypted stream? Providing free encryption does not mean the provider cannot have a backdoor to your encrypted data, right? Sure, they can encrypt your data, but what if a copy of your data was backed up before the encryption takes place?
Because Google uses a passphrase. Google indicates that this data cannot be decrypted without knowledge of your password, and that in fact, when your credentials change, all synced data must be deleted from their systems, and can then be re-synced from your devices (and in the process is re-encrypted with your new credentials). Of course you can't prove/check whether the data has really been deleted, but that's what the FCF, ACLU, EFF organizations are fighting for.

So, if everything is working correctly, Google themselves can be trusted, and the Google infrastructure is sufficiently secure to keep interested third parties out (read NSA, criminal hackers, etc.), then your data is safe. That said, however, Google still has the capability to decrypt your data, though they don't make that known (?). This is simply the result of them being party to the creation of the cipher key (your credentials), leaving them in a position to save and potentially misuse the keys.

The point here is that other password managers offer the same principle, and 99% of all people are not able to understand the code (even if there is one) or are able to crack it.

Research:
https://www.google.com/settings/chrome/sync
https://support.google.com/chrome/answer/1181035
https://chromium.googlesource.com/chromium/chromium/+/master/sync/util/nigori.cc
https://chromium.googlesource.com/chromium/chromium/+/master/sync/util/nigori.h

Own test:
* Whether or not you use a passphrase, your synced data is protected by encryption in transit.
* Your Chrome sync passphrase is stored on your computer and will never be sent to Google.
* Lookup on port 443 -> AES-128 in CBC mode

If anyone has more questions, contact me via PM/email, cause we're hitting off-topic now.
https://browserleaks.com/
https://audiofingerprint.openwpm.com/
Just for Chrome: https://pazguille.github.io/demo-battery-api/
Notifications can be shown in this mode: "fake readout API" or "fake at input" If this mode is selected: "ask for readout API permission" = a prompt is shown and the user must answer it:
Code:
user_pref("canvas.capturestream.enabled", false);
user_pref("gfx.offscreencanvas.enabled", false);
user_pref("ui.use_standins_for_native_colors", true);
user_pref("dom.battery.enabled", false);
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.use_document_iceservers", false);
user_pref("media.peerconnection.video.enabled", false);
user_pref("media.peerconnection.identity.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);
user_pref("media.peerconnection.turn.disable", true);
user_pref("media.peerconnection.ice.tcp", false);
user_pref("media.peerconnection.ice.default_address_only", true);
user_pref("media.peerconnection.ice.no_host", true);
user_pref("dom.vr.enabled", false);
user_pref("dom.vr.oculus.enabled", false);
user_pref("dom.vr.osvr.enabled", false);
user_pref("dom.vr.openvr.enabled", false);
user_pref("device.sensors.enabled", false);
user_pref("dom.webaudio.enabled", false);
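An added example, not part of the original post: a Python check that prefs like the ones listed above are actually in effect, by comparing a user.js baseline with a profile's prefs.js. The baseline is a subset of the post's list and the prefs.js content is constructed; a pref absent from prefs.js is reported as unset because that file stores only values changed from the browser default.

```python
import re

# One user_pref("name", value); statement: boolean, integer or quoted string.
PREF_RE = re.compile(
    r'user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)

def parse_prefs(text):
    """Return {name: value} for every active user_pref() call in text."""
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):  # commented-out pref: not in effect
            continue
        for name, raw in PREF_RE.findall(line):
            if raw in ("true", "false"):
                prefs[name] = raw == "true"
            else:
                prefs[name] = raw[1:-1] if raw.startswith('"') else int(raw)
    return prefs

def audit(baseline_text, profile_text):
    """Return {name: (wanted, found)} for baseline prefs that are not in effect."""
    wanted, actual = parse_prefs(baseline_text), parse_prefs(profile_text)
    findings = {}
    for name, want in wanted.items():
        have = actual.get(name)  # None: no entry, the browser default applies
        # Compare type as well as value so that true and 1 are not confused.
        if type(have) is not type(want) or have != want:
            findings[name] = (want, have)
    return findings

# Five of the prefs from the post, as they would appear in user.js.
BASELINE = '''
user_pref("dom.battery.enabled", false); user_pref("device.sensors.enabled", false);
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);
user_pref("dom.webaudio.enabled", false);
'''
# Constructed prefs.js content for illustration; not taken from a real profile.
PROFILE = '''
user_pref("browser.startup.page", 3);
user_pref("dom.battery.enabled", false);
user_pref("media.peerconnection.enabled", true);
user_pref("media.peerconnection.identity.timeout", 1);
// user_pref("dom.webaudio.enabled", false);
'''
if __name__ == "__main__":
    for name, (want, have) in sorted(audit(BASELINE, PROFILE).items()):
        print(f"{name}: want {want!r}, found {'unset' if have is None else repr(have)}")
```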
The Privacy Settings extension is an easy way to take care of the about:config changes. https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/ Once configured you can disable the extension until next time you want to make another change.
Yes, I have this. However, I'm more interested in blocking the various types of fingerprints besides canvas fingerprints. In Chrome you have ScriptSafe, which can handle different types of fingerprints.
Privacy Settings: Edit: Also as mentioned earlier - No Resources URI Leak https://addons.mozilla.org/en-GB/firefox/addon/no-resource-uri-leak/
Another thread worth reading - https://www.wilderssecurity.com/threads/the-paranoiacs-guide-firefox.389903/
Thanks and many thanks. I would appreciate it if you could just point out the settings to block the different types of fingerprints; that will do, rather than including the rest of the privacy settings, which I can use the Privacy Settings addon to handle in FF.
Check the below: Just for Windows. "font.system.whitelist" The list below is that in the Tor Browser: The modification makes it similar to those of Tor Browser (JS/CSS font detection) in the AudioContext Fingerprint Test Page.