Panopticlick

Discussion in 'privacy problems' started by david banner, Sep 20, 2015.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
  2. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    255
    Location:
    Albany, CA
    I would think that Noscript or Script Defender (or something similar) may be the more important:
    https://restoreprivacy.com/vpn-websites-recording-scripts/
    https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html
    ...sounds to me like these scripts are going way out of control.
     
  3. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    725
    My latest test: at least 20.03 bits of identifying information. Is that good or bad?
     

  4. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Hi,

    I am quite concerned about privacy. That's why I use about six browser add-ons for Chrome that all do something in order to stop tracking, ads and scripts. Is it enough?
    Currently I use:

    1. uBlock Origin (To block ads and stuff),
    2. ScriptSafe (To block stuff and fingerprinting),
    3. Random User-Agent (To stop fingerprinting using the user-agent by changing it every 30 minutes),
    4. WebAPI Manager, (To block even more stuff),
    5. Nano Defender (To stop detecting my ad-blocker),
    6. and Windscribe's browser extension (To use the outrageously slow proxy together with the VPN and change the timezone to a different one).

    Here's the result from panopticlick:

    panopticlick.png

    Ignoring the User-Agent and the Canvas results, which are arbitrary because they change randomly, I still have 22.09 bits of identifying information.
    It seems that even something like language and the platform are all adding up to be enough to identify me. But they are such basic information!

    How can I improve that?
    Or am I already highly unlikely to be tracked because I have two good, important values that are changing randomly?
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    The result of your test is 21.13.
    You can improve by totally blocking javascript during the test.
    The used browser is also important.


    300.JPG


    301.JPG

    :thumb:;)

    With New Moon I can not protect myself from this problem:

    https://forum.palemoon.org/viewtopic.php?f=4&t=20669

    but you too, with Chrome + ScriptSafe, cannot, because I think the extension works badly.
    I reported to the developer but I still have not received an answer.

    Instead I received an answer from KKapsner to my request for the development of a recent legacy version of Canvas Blocker:


     
    Last edited: Oct 16, 2018
  6. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    Ok... here's what I don't get about Canvas fingerprinting, maybe a JavaScript / web-developer can explain it to me. If the Canvas element was one-way only, so that it was simply used for drawing... i.e., draw a rectangle 200px wide by 100px tall, draw a line from point x to point y, draw font, etc. Then it doesn't seem that it could be misused for the fingerprint aspect. The problem, as I understand it, comes in with the toDataURL method which returns an encoded version of the drawn image. Why not just remove that method from the standard? How useful / widely-used is that method in "legitimate" web use anyway? Why not just store the drawing commands, and re-draw if required... sure it would likely be slower but it seems that it wouldn't come with the privacy leakage downside. The toDataURL method just seems sort of pointless or overkill or something anyway. I suppose I just don't understand / appreciate the use-case for it.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Although I'm just getting the feet wet sewing things up browser-wise, Vivaldi is my choice, and in my sig below are the layered extensions which produced the result in quotes above.

    Appreciate everyone's concern and attention to this area of the PC which connects to websites and finds pros & cons on which matters make for best results in privacy etc. Which also for me improves Performance. And am always about that. Stuffed sites besides sticking their nose in where it don't belong bogging down reading material & end users machinery be it bandwidth or CPU or both is a constant nuisance.
     
  8. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    I'm not sure if that helps. You can always use whatever else you have to convert the image to a data-stream. (Javascript for example) Also there are sometimes HUGE visible differences in the pictures my PC creates. (Well, because it is randomly "enhanced")

    It says "at least" so I assumed it just stops counting them up if it reaches 21.13, for some reason. Anyway, THIS VALUE IS WRONG:
    How could it know how much REAL identifying information it has, if it includes me spoofing the canvas and user-agent results? (which are the two biggest scoring items in the list) The website doesn't know about this.

    I'm not blocking javascript because that blocks the test. (Or, the results page) Also I generally don't block the top-level domain - I found myself whitelisting almost every website anyway because something or everything does not work otherwise. It just does what I would do anyway. ScriptSafe calls it "Respect Same-Domain", so maybe I'm wrong when I call it "top-level domain".
    From your link: http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html
    Reaction: OH ******!

    At least I beat the test you link about getClientRects due to ScriptSafe's "Block client rectangles". (Yes, beaten it: https://browserleaks.com/rects) It results in always the same, but all values are 0 and the hash function is, of course, using these zeros as data to create a hash. So if everyone blocks their canvas stuff already, everyone will be "the same" to it and the fingerprint is useless.

    getClientRects.png

    If I deactivate "Block client rectangles" in ScriptSafe, the values appear and I can be tracked. Unfortunately blocking client rectangles results quite often in some errors with websites. But that is OK: Still about 90% of all websites work with it blocked.

    Again, if you think: "But blocking it doesn't protect you from fingerprinting. It will detect that you are blocking it or whatever" - If everyone blocks it I'm not unique. Then everyone has this exact hash.
     
    Last edited: Oct 17, 2018
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    @ _Nikopol:

    As you can see from my image below, it is not as you write:

    300.JPG


    The "Client rects test" is not very important for the "browser protected by fingerprinting".
    However, a correctly passed test is with the changing Hash values.

    Test 1 (Basilisk):

    301.JPG

    Test 2 (Basilisk):

    302.JPG

    ;):)


     
    Last edited: Oct 17, 2018
  10. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    It is totally irrelevant if the test shows spoofed values or none. There just have to be enough people who block it as well, in order to make you anonymous. If everyone uses a blocker, everyone has the same fingerprint. There is no issue with that.

    The image shows no information about what you block and do not block. This doesn't help me since I am using a different browser and a different addon. It would help me if you tell me which script I have to block and which I can let loose.
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    I perform the test with all the blocked scripts.
    Period.

    I do not answer anything else.

    Good luck.


     
    Last edited: Oct 17, 2018
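
Added example, not part of the original thread: the "bits of identifying information" figure quoted in the posts above is a surprisal, -log2 of the share of browsers presenting the same value, so 20.03 bits is roughly one browser in 2^20.03 (about 1.07 million). The sketch below applies that to the blocking-versus-randomising disagreement over the client-rects hash; the population of 1024 browsers, its split into three strategies and all names are constructed assumptions, not Panopticlick data.

```javascript
// Added example with constructed data; not measurements from Panopticlick.
// Surprisal in bits of a value presented by `count` of `total` browsers.
function surprisalBits(count, total) {
  return -Math.log2(count / total);
}

// "N bits of identifying information" means roughly one browser in 2^N.
function oneInN(bits) {
  return Math.pow(2, bits);
}

// Hypothetical strategies for the client-rects hash a site receives.
function presentedValue(strategy, id, visit) {
  if (strategy === "block") return "zeros";                   // same for every blocker
  if (strategy === "randomise") return `rand-${id}-${visit}`; // new on each visit
  return `real-${id % 8}`;                                    // 8 groups share real values
}

// Constructed population: 256 blockers, 256 randomisers, 512 unprotected.
function population(visit) {
  const pop = [];
  for (let id = 0; id < 1024; id++) {
    const strategy = id < 256 ? "block" : id < 512 ? "randomise" : "real";
    pop.push({ strategy, value: presentedValue(strategy, id, visit) });
  }
  return pop;
}

// What a one-off test sees for browser `id`, and whether the value persists.
function report(id) {
  const first = population(1);
  const second = population(2);
  const me = first[id];
  const anonymitySet = first.filter((b) => b.value === me.value).length;
  return {
    strategy: me.strategy,
    anonymitySet,
    bits: surprisalBits(anonymitySet, first.length),
    sameValueNextVisit: second[id].value === me.value,
  };
}

for (const id of [0, 300, 600]) console.log(report(id));
console.log("20.03 bits is about one in", Math.round(oneInN(20.03)));
```

In this model the randomiser scores the most bits in a single snapshot yet presents a different value on the next visit, while the blocker's low score depends entirely on how many other browsers present the same zeros.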