HTML5 Canvas Fingerprinting

Discussion in 'privacy general' started by Sampei Nihira, May 30, 2016.

  1. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,795
    Location:
    Slovakia
    Anyone knows Canvas blocking extension for Opera? I use Yandex, which keeps moving towards Opera, so Chrome extensions keep stopping working, like CanvasFingeprintblock now. :(
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    749
    Location:
    Italy
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,554
    Location:
    Among the gum trees
  4. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    63
    Hi, I got %100 on https://browserleaks.com/canvas - "0 user agents have the same signature"; is this a good outcome or not? Is it easier to identify etc.?
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,087
    I'd say, that depends. :shifty: Quite generally this result means that you're perfectly identifiable. However, if you're using an add-on like Canvas Defender which creates noise by creating a new fingerprint with every browsing session or even every x minutes this result is basically meaningless, IMHO.
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,795
    Location:
    Slovakia
    By any chance, is your signature 5820BEE4 ? Just thinking, that maybe blocking canvas displays some default signature/file.
     

    Attached Files:

  7. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,698
    The webExtension version of CanvasBlocker is available (Beta):
    Version 0.4.0:
    changes:
    - switched to webExtension
    - notifications are now done via page action
    - minimal and maximal fake size are now respected in all fakeable functions
    - fake readout now fakes one pixel at once and no longer one single channel
    - new icon (special thanks to Thorin-Oakenpants)

    new features:
    - information of all fake events in one tab are visible
    - settings page now only shows settings that are useful within the given settings set
    - new preferences:
    * minimal fake size
    * setting to enable the inspection of the content of the faked canvas
    * new random number generator "constant"
    * setting to not fake the most frequent colors in a canvas
    * setting to enable canvas cache
    * setting to hide expert settings
    * setting to control if the alpha channel should be faked as well

    fixes:
    - ask mode did not work for input types
    - allow page scripts to overwrite the faked funtions
    - getImageData also faked when using fakeInput mode
     
    Last edited: Sep 24, 2017
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,249
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,554
    Location:
    Among the gum trees
    I checked Chrome @ https://browserleaks.com/ and it shows that WebGL is enabled, which is correct I guess, but should we disable it? I've found Disable WeGL in the Chrome store which works, but I don't know what the implications of disabling WeGL are?

    Any advice appreciated.
     
  10. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    325
    Location:
    Far East
    I disabled it using the Disable WebGL extension

    What is WebGL and why it’s dangerous?

    WebGL (Web-based Graphics Library) is a collection of code for JavaScript that makes it possible for a website to access your video card in order to display interactive 3D-graphics using the HTML5 Canvas element—without using any third-party plug-ins.

    WebGL can be a threat to your device security and online anonymity.

    http://ipleak.com/articles/what-is-webgl-and-how-to-disable
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,554
    Location:
    Among the gum trees
    Cool, thanks!

    So does disabling WebGL only stop the fingerprinting or does it disable part of the browsers capability and function too.
     
  12. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    325
    Location:
    Far East
    I don't see my browser affected in any way since I'm not using any 3D software
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,554
    Location:
    Among the gum trees
    Ah, gotcha. :thumb:
     
  14. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,698
    After disabling it i don't see any negative effects too.
    :thumb:
     
  15. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,698
    The webExtension version v0.4.0.1 of CanvasBlocker has now been released:
    Download (AMO)
    https://github.com/kkapsner/CanvasBlocker/releases/tag/0.4.0.1-Release
    fixes:
    - some web pages are broken (e.g. twitch.tv)
    https://github.com/kkapsner/CanvasBlocker/releases/tag/0.4.0-Release
    Version 0.4.0:
    changes:
    - switched to webExtension
    - notifications are now done via page action
    - minimal and maximal fake size are now respected in all fakeable functions
    - fake readout now fakes one pixel at once and no longer one single channel
    - new icon (special thanks to Thorin-Oakenpants)

    new features:
    - information of all fake events in one tab are visible
    - settings page now only shows settings that are useful within the given settings set
    - new preferences:
    * minimal fake size
    * setting to enable the inspection of the content of the faked canvas
    * new random number generator "constant"
    * setting to not fake the most frequent colors in a canvas
    * setting to enable canvas cache
    * setting to hide expert settings
    * setting to control if the alpha channel should be faked as well

    fixes:
    - ask mode did not work for input types
    - allow page scripts to overwrite the faked funtions
    - getImageData also faked when using fakeInput mode
    Edit: New version v0.4.0.1
     
    Last edited: Oct 7, 2017
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,554
    Location:
    Among the gum trees
    Hi mood.

    I have 0.3.8 installed and it isn't updating, so I guess I need to remove the older version, then install 0.4.0?

    Thanks.

    Edit: Never mind, it just updated.

    Cheers!
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,287
    Location:
    The etherlands
    :thumb:
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,554
    Location:
    Among the gum trees
    CanvasBlocker v0.4.0.1 Released.

     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    749
    Location:
    Italy
    The latest version is no longer compatible with Firefox ESR:

    1.JPG
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,087
    Yes, as it is a webextensiosn since v. 0.4.0.
     
  21. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,249
    Webextension are usable since v48 - not compatible means that there is code working which is not applicable in firefox 52.

    current is 0.4.0.1
    https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/versions/
    (0.3.8 was latest for older versions <v57)

    #edit
    had to switch from canvas defender to canvas blocker because router interface is blocked
    (firefox showing yellow slowing down message)
     
    Last edited: Oct 10, 2017
  22. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,698
  23. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    325
    Location:
    Far East
    Hi

    I just installed FF 57b7 but the https://browserleaks.com/canvas test is no good as compared to my chrome browser which shows a pretty clean sheet

    It shows fingerprints despite having.

    CanvasBlocker
    Shape Shifter

    See test result below

    Canvas (basic support) ✔ True
    Text API for Canvas ✔ True
    Canvas toDataURL ✔ True
    Database Summary
    Unique User-Agents 177962
    Unique Fingerprints 6250
    Your Fingerprint
    Signature ✔ 16896AAD
    Uniqueness 100% (0 of 177962 user agents have the same signature)
    Image File Details
    [​IMG]
    File Size 4820 bytes
    Number of Colors 323
    PNG Hash 98E7312913AF3A35617B04A4F174421F
    PNG Headers
    Chunk
    Length
    CRC
    Content
    IHDR 13 477A703E PNG image header: 220x30, 8 bits/sample, truecolor+alpha, noninterlaced
    IDAT 4763 16896AAD PNG image data
    IEND 0 AE426082 end-of-image marker

    In Chrome browser I'm getting the below

    Canvas (basic support) ✔True
    Text API for Canvas ✔True
    Canvas toDataURL ×False
    Database Summary
    Unique User-Agents 177962
    Unique Fingerprints 6250
    Your Fingerprint
    Signature n/a
    Uniqueness n/a


    Anyway to minimize the fingerprints further? Thanks again
     
  24. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,698
    CanvasBlocker: The default is to fake the signature (fake readout API). If you want to block it, you have to go into the settings and change the mode (block readout API)
    Now (Firefox):
    CanvasBlocker_Block-API.png
     
  25. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,698
    I forgot... even if you choose to fake it, your real signature is not shown on browserleaks. It is showing the (fake) signature which was generated by CanvasBlocker.