HTML5 Canvas Fingerprinting

Discussion in 'privacy general' started by Sampei Nihira, May 30, 2016.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    By now the Panopticlick test has lost its validity.
    The AmIUnique test remains fairly valid:


    https://www.amiunique.org/

    Here is my test
    Amiunique.org script allowed:


    100.JPG
    100a.JPG
    100b.JPG
    100c.JPG
    100d.JPG
    100e.JPG
    100f.JPG
    100g.JPG

    As you can see, I pass some tests with a poor result; the background of the percentage is red.
    And although there is no "unique" value, the website claims that I am tracked.
    I feel sorry for them, but:


    My browser is New Moon and I'm with Windows XP, I have 1 plugin, and I have Flash installed:

    200.JPG
     
  2. guest

    guest Guest

    CanvasBlocker v1.3 Released (June 7, 2020)
    https://addons.mozilla.org/firefox/addon/canvasblocker/
    changes:
    - added canvas cache to isPointInPath and isPointInStroke

    new features:
    - added link to FAQ
    - added offscreen canvas protection
    - new translations

    known issues:
    - if a data URL is blocked the page action button does not appear
     
  3. guest

    guest Guest

  4. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Sorry to bother you but I have a question. Are you still using Trace? The reason for asking:

    I used the free version for a while before upgrading to Trace Premium in April 2019. It still works including the premium blocklists and premium features with Vivaldi, Brave and Firefox browsers. (I use the same license for each browser). I've never been asked to renew my subscription so I wonder how long the license is valid for.
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Hi @Callender ,

    I have the free version only in Brave and Chromium Edge. Can't help you with licensing issues, sorry.
     
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Considering the features Brave has gotten over time, I have my doubts Trace would be useful in it now.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Yeah, you're probably right. I've just disabled Trace in Brave, may remove it completely.
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    @Krusty
    @Azure Phoenix

    I don't use Brave.
    Can you post some tests (BrowserLeaks) to verify?

    P.S.
    I have a lot of free time.
    My region (Tuscany) in Italy is red, so we are in lockdown and I don't work.
     
  9. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    https://browserleaks.com/canvas

    With Fingerprint allowed:
    Canvas Support in Your Browser
    Canvas (basic support) ✔True
    Text API for Canvas ✔True
    Canvas toDataURL ✔True
    Database Summary
    Unique User-Agents 528769
    Unique Fingerprints 13830
    Your Fingerprint
    Signature ✔CB19B422
    Uniqueness 99.92% (406 of 528769 user agents have the same signature)

    File Size 4645 bytes
    Number of Colors 198
    PNG Hash 214F8B4F8DF27B68B6AA94322569DDBF
    PNG Headers
    Chunk Length CRC Content
    IHDR 13 477A703E PNG image header: 220x30, 8 bits/sample, truecolor+alpha, noninterlaced
    IDAT 4588 CB19B422 PNG image data
    IEND 0 AE426082 end-of-image marker
    Browser Statistics
    Looking at your signature, it's very likely that your web browser is Chromium and your operating system is Windows.


    Fingerprint blocked:
    Canvas Support in Your Browser
    Canvas (basic support) ✔True
    Text API for Canvas ✔True
    Canvas toDataURL ✔True
    Database Summary
    Unique User-Agents 528769
    Unique Fingerprints 13830
    Your Fingerprint
    Signature ✔EF2A37AE (*This value changes every browser restart)
    Uniqueness 100% (0 of 528769 user agents have the same signature)

    File Size 5094 bytes*
    Number of Colors 220*
    PNG Hash 7E7A5B5A77A8CBA9BB59952B3BF91E88*
    PNG Headers
    Chunk Length CRC Content
    IHDR 13 477A703E PNG image header: 220x30, 8 bits/sample, truecolor+alpha, noninterlaced
    IDAT 5037* EF2A37AE* PNG image data
    IEND 0 AE426082 end-of-image marker

    No Browser statistics

    * Means the value has changed

    Brave Fingerprint Defenses:
    https://brave.com/privacy-updates-4/
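
In both BrowserLeaks outputs quoted in the post above, the "Signature" is the CRC of the PNG's IDAT chunk, while the IHDR and IEND rows stay the same. The following is an added example, not part of the original post or of any tool named in the thread: it rebuilds that chunk table for a constructed 220x30 RGBA image and shows that per-session pixel noise changes only the IDAT row. The pixel data and the low-bit noise model are assumptions for illustration, not Brave's or CanvasBlocker's actual algorithm.

```python
import random
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
W, H = 220, 30  # same dimensions as the IHDR row in the post
# Constructed sample pixels (RGBA gradient); a real canvas would hold rendered text.
PIXELS = bytes((x * 7 + y * 13 + c * 31) % 256
               for y in range(H) for x in range(W) for c in range(4))

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def encode_rgba(width: int, height: int, pixels: bytes) -> bytes:
    """Minimal encoder: 8 bits/sample, truecolor+alpha, filter type 0 per row."""
    stride = width * 4
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (PNG_MAGIC + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))

def chunk_table(png: bytes) -> list:
    """Return [(type, length, CRC hex)] per chunk, verifying every stored CRC."""
    if png[:8] != PNG_MAGIC:
        raise ValueError("not a PNG")
    rows, pos = [], 8
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk data")
        (stored,) = struct.unpack(">I", png[end:end + 4])
        if stored != zlib.crc32(ctype + png[pos + 8:end]) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in " + ctype.decode("ascii"))
        rows.append((ctype.decode("ascii"), length, f"{stored:08X}"))
        pos = end + 4
    return rows

def signature(png: bytes) -> str:
    """CRC of the IDAT chunk, the field the post's output labels 'Signature'."""
    return next(crc for ctype, _, crc in chunk_table(png) if ctype == "IDAT")

def add_noise(pixels: bytes, seed: int) -> bytes:
    """Assumed noise model: flip the low bit of 50 channel bytes chosen by seed."""
    out = bytearray(pixels)
    for i in random.Random(seed).sample(range(len(out)), 50):
        out[i] ^= 1
    return bytes(out)
```

Each distinct seed stands for one browser session (or one page load); comparing `chunk_table()` for two seeds gives the same kind of before/after listing as in the post.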
     

  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    @Azure Phoenix

    Thanks.
    It is identical to the one I implemented in my daughter's PC W.10 that uses Chrome.

    Except that the values you wrote change in Brave when the browser is restarted; in Chrome they are obtained when the web page is reloaded.

    100.jpg
    100a.jpg
     
  11. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Well here's mine (Panopticlick). Each visit some values change therefore not trackable. A unique fingerprint each visit but that fingerprint changes each time.

    Visits.jpg

    Then BrowserLeaks - two consecutive visits without clearing any browser data.

    BrowserLeaks 1.jpg

    BrowserLeaks 2.jpg

    What I find most interesting:

    If visiting certain file sharing websites - on some you can only download one file then if you try to download another you get a message stating that you just downloaded a file and must wait x number of hours/ minutes or days before you can download another.

    However with proxy ip header spoofing enabled you just close the tab, open a new tab and visit the site again to download - no problem.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for sharing the better testing linky
     
  13. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    My amiunique test. 2 visits. All values remain the same for both visits except these:

    AmIUnique.jpg
     
  14. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    https://fingerprintjs.com/ is a good test, but all these tests have relatively limited value.

    Brave is probably best used in its vanilla configuration using its built-in features and not a load of extensions. If a user wants anonymity then Tor is a must, along with other measures.
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Interesting test:

    https://webbrowsertools.com/canvas-fingerprint/

    Not like the stupid test (EFF) that recently appeared in gHacks.
    My result with New Moon 28 in Windows XP:


    100.JPG


    No dedicated extension.
    I remind the members of W. that the blocking of javascripts prevents the detection of many fingerprinting techniques, including the Canvas.
     
  17. guest

    guest Guest

    CanvasBlocker v1.5 Released (January 18, 2021)
    https://addons.mozilla.org/firefox/addon/canvasblocker/
    new features:
    - added {empty}, {false} and {undefined} to webGL preference parameters (i.e. VENDOR, RENDERER, UNMASKED_VENDOR_WEBGL and UNMASKED_RENDERER_WEBGL)
    - added {disabled} to UNMASKED_VENDOR_WEBGL and UNMASKED_RENDERER_WEBGL to disable the WEBGL_debug_renderer_info extension
    - improved performance for protected canvas part "input"

    fixes:
    - protection of DOM manipulations on unloaded windows may break websites

    known issues:
    - if a data URL is blocked the page action button does not appear
     
  18. monkeylove

    monkeylove Registered Member

    Joined:
    Dec 10, 2013
    Posts:
    226
    Probably another way is to use Firefox hardened or Icecat Weasel with the Multi-Account Containers and Cookie Autodelete addons (whitelist only for logins). Put social network accounts in separate containers, and use fake Google accounts in any of them if needed to access Youtube videos, etc. Run any personal or business Google account in another browser, like Iridium.
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    I agree with Sven Taylor about the unnecessary presence of Cookie Autodelete:

    https://restoreprivacy.com/firefox-privacy/
     
  20. guest

    guest Guest

    CanvasBlocker 1.6 Released (June 20, 2021)
    https://addons.mozilla.org/firefox/addon/canvasblocker/
    changes:
    - periodical persistent rnd clearing does not clear in active tabs
    - added paypal.com to the convenience preset
    - improved whitelist inspection
    - use proxy to hide changed functions
    - whitelisting now uses "allowEverything" instead of "allow"

    new features:
    - try to not break tabs when updating
    - setting to postpone updates until browser restart or extension is reloaded
    - added status button in browser action to see and set the whitelist status
    - if the current block mode is set to blocking you can choose between faking and allowing if you whitelist an URL

    fixes:
    - fix message canvasBlocker-unload
    - convenience preset did not work properly
    - random supply was not set properly on a fresh new tab

    known issues:
    - if a data URL is blocked the page action button does not appear
     
  21. guest

    guest Guest

  22. guest

    guest Guest

    CanvasBlocker 1.8 Released (February 17, 2022)
    Download - Firefox AMO
    new features:
    - added SVG protection
    - added notice when dom.webAudio.enabled is set to false
    - added {random vendor} and {random renderer} to UNMASKED_VENDOR_WEBGL and UNMASKED_RENDERER_WEBGL to use a random value from a given list
    - added <option1|option2|...> syntax to UNMASKED_VENDOR_WEBGL and UNMASKED_RENDERER_WEBGL

    fixes:
    - errors in URL regular expressions broke CB

    known issues:
    - if a data URL is blocked the page action button does not appear
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    I tried after a long time to do the BrowserLeaks Canvas Fingerprinting Test with my Edge without any particular dedicated extension.
    My score is 100%

    https://browserleaks.com/canvas


    2.jpg
     
  24. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    I don't know about fingerprinting specifically but Edge seems to have improved its Tracking Protection significantly, though I can't find any current documentation to support this.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy