Discussion in 'privacy problems' started by ronjor, Feb 17, 2015.
First off, thanks for this article. Decent read. I have read several like it but I am not sure it will prompt users into action. It sure should though!!
I have given this matter a great deal of attention recently. I don't believe almost any user will even remotely be able to remove the fingerprinting and canvas detection traces from their systems after use. If you forget even one or two things you will stand out to an advanced "attacker". It's just a fact - really. So what to do? As discussed in the article, and I will promote it as well: forget trying to anonymize by removing identifying "things in the browser activity", and quite literally blend in! Don't panic at what I just said. Here is my example. Use the TOR browser bundle, and if TOR is too slow for you, do it with TOR turned off. You will still get the amazing protection configuration package the TOR team has set up for you. So what does that do, you might ask? Simple: when you surf using the TBB you look EXACTLY the same as every other generic TOR user --> blend in. You can still sit behind multiple VPNs and/or actual TOR while using this package. Again, it can be run well with TOR turned off. I do it once in a while where blazing speed is needed. That bundle package alerts for canvas fingerprinting attempts and such. Unless you are way better than me, can you really even hope to provide a better "blend in" package than the TBB?
Obviously a simple addition such as working via virtual machines for isolation would remove the actual physical computer's hardware from being seen as well. It would take a break-out to do that, and it's VERY unlikely if you set up your VMs correctly.
This would be my suggestion for counteracting a very real and significant security weakness.
And also VMs allow snapshot reversion, which is a very beautiful thing. Any traces left from your session disappear (at least from your VM space).
And pedantically, different VMs running different distros have different browser signatures.
This fact makes the TBB's case even more. By placing the TBB inside of ANY distribution their "package" will still appear the same while on the internet. The identical fingerprint no matter where it's placed and on what computer (as long as you don't modify something yourself). Now that is blending in.
Has there been any focus or new developments on this since Feb 2015?
I have WinPrivacy installed and just 2 days ago it added two websites to their canvas fingerprinting list. Before that there was nothing on my list. Each site has some items shown as blocked, but I do not know what it is that they blocked. The help screens offer no info as to what 'blocked' means, e.g. does it mean they have blocked sites like Addthis or does it mean they have blocked the sending of collected data back to the website. I am hoping it means that they are blocking info collected so that my info can not be sold to a third party.
There is a list online of the sites that use canvas fingerprinting and I am shocked that government sites participate. I am also surprised that security sites do it too. Kaspersky is on the list!!! Maybe they should explain why.
Never heard of Winprivacy. Looks interesting.
I don't think it is a good idea using tor browser without tor enabled. It has intensive about:config changes. Without tor you would be pretty much unique.
On the topic, protocol version numbers can also be sent to sites. Let's say you modified iceweasel's user agent. They can still know you are on esr with the protocol version number. I think fingerprinting can't be eliminated unfortunately. The only way is to use tor browser without any manual modifications.
What are people's thoughts on Panopticlick? https://panopticlick.eff.org/
I have found that with Icecat and a few add-ons I have got my score down to 574.
This score would indicate a very high blend-in-ability factor, how reliable is this?
It is just an example. Web sites see much more than that. For example; if you don't change media.peerconnection.enabled to false, websites can see your internal ip.
P.S: 574 bits of identifying information means you are pretty much unique.
574 bits of identifying information would be pretty bad!! I have 9.15 bits of identifying information (using Icecat)
My Icecat also shows - Within our dataset of several million visitors, only one in 570 browsers have the same fingerprint as yours.
As I understand it a lower score on Panopticlick is better. 1 in 574 is far from unique.
Disabling webRTC should be standard operating procedure alongside canvas blocking, blocking scripting ie flash/java/etc and a whole host of other mitigations.
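The settings discussed in the last few posts live in the Firefox profile as `user_pref("name", value);` lines in user.js / prefs.js. Below is an added example (not code from the thread or from any of the tools named in it) that parses those lines and audits the profile for the hardening the posters describe. The only preference the thread itself names is `media.peerconnection.enabled`; `privacy.resistFingerprinting` and `plugin.state.flash` are standard Firefox preference names, and mapping them onto "canvas blocking" and "blocking flash" is this example's assumption. The two sample profiles are constructed for illustration.

```javascript
// Added example, not from the thread: parse Firefox user.js / prefs.js
// lines and check the anti-fingerprinting settings discussed above.
// The only pref the thread names is media.peerconnection.enabled; the
// other two are standard Firefox pref names used here as an assumption
// about what "canvas blocking" and "blocking flash" map to in about:config.

const CHECKS = [
  { name: 'media.peerconnection.enabled', want: false,
    why: 'WebRTC can reveal internal IP addresses' },
  { name: 'privacy.resistFingerprinting', want: true,
    why: 'prompts on canvas reads and normalises other fingerprintable values' },
  { name: 'plugin.state.flash', want: 0,
    why: '0 = Flash plugin disabled' },
];

// Parse `user_pref("name", value);` lines into a Map. Values are JSON-like
// (true/false, numbers, double-quoted strings), so JSON.parse handles them.
function parseUserJs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const line of text.split('\n')) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything else
    let value;
    try { value = JSON.parse(m[2]); } catch (e) { value = m[2]; } // keep raw text if unparsable
    prefs.set(m[1], value);
  }
  return prefs;
}

// One finding per check. A pref that is not set at all means the browser
// default applies, which for these three is the weak setting.
function auditPrefs(prefs) {
  return CHECKS.map(({ name, want, why }) => {
    const actual = prefs.has(name) ? prefs.get(name) : undefined;
    return { name, want, actual, ok: actual === want, why };
  });
}

// Names of the checks a profile fails; empty array means fully hardened.
function failedChecks(text) {
  return auditPrefs(parseUserJs(text)).filter(f => !f.ok).map(f => f.name);
}

// Constructed sample: a profile with the weak (default-like) settings ...
const WEAK_USER_JS = `
// constructed example profile, not a real user's file
user_pref("media.peerconnection.enabled", true);
user_pref("plugin.state.flash", 2);
user_pref("browser.startup.homepage", "about:blank");
`;

// ... and the same profile after applying the thread's advice.
const HARDENED_USER_JS = `
user_pref("media.peerconnection.enabled", false);
user_pref("privacy.resistFingerprinting", true);
user_pref("plugin.state.flash", 0);
user_pref("browser.startup.homepage", "about:blank");
`;

for (const f of auditPrefs(parseUserJs(WEAK_USER_JS))) {
  console.log(`${f.ok ? 'ok  ' : 'FAIL'} ${f.name} = ${f.actual} (want ${f.want}): ${f.why}`);
}
console.log('hardened profile failures:', failedChecks(HARDENED_USER_JS));
```

Run it with Node; to audit a real profile, read the profile's prefs.js into a string and pass it to `failedChecks`. Note the "missing means default" rule: a preference that is absent from the file is reported as a failure, because the browser default for all three is the setting the posters warn about.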
I guess I was just asking how good is Panopticlick, if it says you're good are you really good?
lol my bad. It is pretty much good then. But if you read the article it has a side effect. Fewer identifying bits also makes you unique. The best is the common one. Icecat is far from the common one. Sucked situation. There is no escape from getting profiled!
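The "574" versus "9.15 bits" confusion above comes down to how Panopticlick turns a frequency into bits: a value shared by one browser in N carries log2(N) bits, so "one in 570" is about 9.15 bits, while 574 bits would be astronomically unique. The following is an added example, not code from the thread or from the EFF, that works this through on a constructed dataset of browser attributes. It also shows the point made in the reply above: individually common attributes can still combine into a unique fingerprint, and a rare browser (the Icecat row) is unique from its user agent alone. The attribute names, the dataset and its values are all made up for illustration.

```javascript
// Added example, not from the thread: how Panopticlick-style
// "bits of identifying information" relate to "one in N browsers".
// The dataset below is constructed for illustration, not real measurements.

const DATASET = [
  { ua: 'Firefox/45 Windows', screen: '1920x1080', tz: 'UTC+1' }, // 0
  { ua: 'Firefox/45 Windows', screen: '1920x1080', tz: 'UTC-5' }, // 1
  { ua: 'Firefox/45 Windows', screen: '1366x768',  tz: 'UTC+1' }, // 2
  { ua: 'Firefox/45 Windows', screen: '1366x768',  tz: 'UTC-5' }, // 3
  { ua: 'Firefox/45 Windows', screen: '1920x1080', tz: 'UTC+1' }, // 4, same as 0
  { ua: 'Firefox/45 Windows', screen: '1920x1080', tz: 'UTC+1' }, // 5, same as 0
  { ua: 'IceCat/38 Linux',    screen: '1920x1080', tz: 'UTC+1' }, // 6, rare browser
  { ua: 'Firefox/45 Windows', screen: '1366x768',  tz: 'UTC-5' }, // 7, same as 3
];

// Surprisal: a value shared by `matching` of `total` browsers carries
// log2(total / matching) bits. "One in 570" is therefore about 9.15 bits.
function surprisalBits(matching, total) {
  return Math.log2(total / matching);
}

// Inverse direction: a fingerprint carrying `bits` bits is one in 2^bits.
function oneInN(bits) {
  return 2 ** bits;
}

// Number of dataset rows that agree with `fp` on every key in `keys`.
function countMatching(dataset, fp, keys) {
  return dataset.filter(row => keys.every(k => row[k] === fp[k])).length;
}

// Bits contributed by a single attribute, e.g. the user agent on its own.
function bitsForAttribute(dataset, fp, key) {
  return surprisalBits(countMatching(dataset, fp, [key]), dataset.length);
}

// Bits for the whole fingerprint, i.e. all attributes taken together.
function bitsForCombined(dataset, fp) {
  return surprisalBits(countMatching(dataset, fp, Object.keys(fp)), dataset.length);
}

// Human-readable breakdown for one browser against the dataset.
function report(dataset, fp) {
  const lines = Object.keys(fp).map(
    k => `${k}=${fp[k]}: ${bitsForAttribute(dataset, fp, k).toFixed(2)} bits`);
  const total = bitsForCombined(dataset, fp);
  lines.push(`combined: ${total.toFixed(2)} bits, one in ${oneInN(total).toFixed(1)} browsers`);
  return lines.join('\n');
}

console.log(report(DATASET, DATASET[1])); // every attribute common, yet unique when combined
console.log(report(DATASET, DATASET[0])); // the most common configuration: shared by 3 of 8
console.log(report(DATASET, DATASET[6])); // the rare browser is unique from its user agent alone
console.log(`1 in 570 browsers = ${surprisalBits(1, 570).toFixed(2)} bits`);
console.log(`574 bits would mean one in ${oneInN(574).toExponential(2)} browsers`);
```

Row 0 is the configuration to aim for in this toy dataset: it shares its full fingerprint with two other rows and so carries only about 1.4 bits, while row 1 differs from it only in timezone and is already unique among the eight. The dataset is tiny, so the absolute numbers mean nothing; the shape of the result is what the thread is arguing about.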
Thanks for the bump on this thread. It reminded me to check back on random agent spoofer. It now appears to be working for the latest firefox.
My browser fingerprint is still unique but at least it is changing every 5 minutes.
According to https://panopticlick.eff.org/, my browser fingerprinting is unique.
How do you avoid being unique in this regard? Is there any chromium extension that would help with that?
I'm currently using:
- ublock origin;
Don't take that site seriously. There are many more parameters to consider than that site shows. That site just gives you an example. For example, did you know that? http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/ I didn't. And I used it for a long time without knowing that, thinking "yeah I modified my iceweasel well". They create standards to track users. I thought of switching to another browser like dillo or netsurf to protest mozilla. But they were not enough unfortunately.
I've run that test many times and each time I'm unique. So I don't know what exactly this means...
I think there are two main approaches here:
a) use utilities that lie about your user agent; minimise your use of add-ons
b) use Live systems, sandboxes, or vanilla Virtual machines with stock browsers, that you revert to a snapshot.
The latter are good because there will be a large pool of similar systems out there, particularly if you use a popular distro and browser.
I agree with your reasoning. However, doing b) is not a very time-friendly behaviour, nor is it practical. I want a solution for everyday use. I'll play around with user-agent add-ons and see if I get anything good out of that. Do you have any suggestions for such an extension?
I don't use those user-agent switchers, and they're browser dependent, but random agent spoofer (FF) and user-agent switcher(Chrome) seem popular.
Compartmentalisation (using VMs and sandboxes) has benefits way beyond browser fingerprinting and cookie control - for example, there's no way I want a browser being able to "see" my personal data. Once set up, it does become a way of life and very little impediment to use - it's been several years since I browsed from a real machine. The controls I use include Sandboxie (Windows), FireJail (Linux), and various VMs. All of these allow for an unadorned stock browser to be used, and the session wiped every time.
I agree and subscribe to a great majority of your quoted post. Not having your workspace browser on the REAL machine is a pivotal piece of the puzzle. Where I differ is I prefer to use TBB at the end immediately preceding the exit node of a rather long tunnel (TBB functions as the workspace browser). My goal is to look like every other TOR user and of course all is cleared from TBB when the session closes. Further I use separate TBB instances for each site I visit regularly, such as here at Wilders, allowing no unanticipated dirt from another site even by mistake!