HTML5 Canvas Fingerprinting

Discussion in 'privacy general' started by Sampei Nihira, May 30, 2016.

  1. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    461
    Location:
    Far East
    Hi

    Thank you. After setting to 'block readout API' I got the result you posted.

    So either way, block readout API or fake readout API, I'm still safe from canvas fingerprints

    BTW, any ways to protect from other types of fingerprints besides canvas like in ScriptSafe (for Chrome browser)?
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,607
    Location:
    Among the gum trees
    Blocking fingerprinting is actually a fingerprint itself. Better to fake it.
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,417
    Location:
    DC Metro Area
    FWIW:

    CanvasBlocker v 0.4.0.2 not working for me in FF 56
     
  4. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    569
    Location:
    usa
    1. This morning, I received an ad from Abelssoft about AntiBrowserSpy 2018 on sale.

    "...we developed the new AntiBrowserSpy 2018. The software disabled every function related to espionage and additionally offers a protection shield for every important place. Thus, no data is divulged anymore."

    Has anybody used it?
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    8,489
    Location:
    Slovenia, EU
    https://nakedsecurity.sophos.com/2017/10/30/firefox-takes-a-bite-out-of-the-canvas-super-cookie/
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    4,395
    CanvasBlocker v0.4.1 Released (November 12, 2017)
    Download (AMO)
    changes:
    - improved design of the page action display
    - Enabled Firefox ESR
    - persistent random generator data is always stored in the settings but cleared on restart if the store flag is not set
    - cleaned up the options page

    new features:
    - setting to set an interval to clear the persistent random generator data
    - setting for the ask deny mode
    - ask only once can now also combine the API-types

    fixes:
    - unnecessary check for context type in getImageData broke websites
    - getContext was not asked in ask mode.
     
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,178
    Location:
    Italy
    Immagine.JPG
     
    Last edited: Nov 13, 2017
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    4,395
    Yep, it doesn't work on https://blog.malwarebytes.com/
    I have tested it with Firefox and Firefox ESR and CanvasBlocker 0.4.1 (0.3.8 works)
    Edit: New Version - 0.4.2 and now it works
     
    Last edited: Nov 13, 2017
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,178
    Location:
    Italy
    Last edited: Nov 13, 2017
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,178
    Location:
    Italy
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    4,395
    CanvasBlocker v0.4.2 Released (November 14, 2017)
    Download (AMO)
     
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,178
    Location:
    Italy
    Last edited: Nov 14, 2017
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,178
    Location:
    Italy

    Does not work well:

    https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/reviews/

    the biggest problem is with the images.
    I can not make a direct example to the developer for the content of the images.
    Almost certainly someone will make a report in the future.
    I stay with Canvas Defender.
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    4,395
    CanvasBlocker - the issue with https://www.adidas.it/ has been fixed
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    4,395
    ScriptSafe v1.0.9.2 Released (December 4, 2017)
    Chrome Web Store / Github
    • Added new "Recent Log" page where you can view all recently blocked or allowed items (the "Log" link can be found in the top-right corner of the ScriptSafe panel)
    • Added the ability to block Browser Plugin Enumeration (under Fingerprint Protection, option is disabled by default so feel free to enable it)
    • Added the ability to block Bluetooth Enumeration (under Fingerprint Protection, option is disabled by default so feel free to enable it)
    • Added ability to control whether or not Remove Possible Hash Tracking applies to whitelisted sites or not (default: disabled)
    • Added ability to control the Keyboard Fingerprinting Protection keypress delay
    • Added the ability to revert to default settings (found under "Import / Restore Settings")
    • Added more browser and operating systems for User Agent Spoofing (thanks nyancat18)
    • Added Polish locale (thanks Galileusz)
    • Improved syncing reliability and added support for handling data compression (to be switched on in an upcoming update)
    • Improved Browser User Agent Spoofing and added ability to enter a custom user agent string
    • Improved WebGL Fingerprint Protection
    • Improved Clipboard Interference Protection
    • Improved domain matching logic
    • Fixed "Trust" option not being available for domains starting with a wildcard match
    • Updated unwanted content providers list
    • Minor updates to German, Japanese, Chinese (Traditional), and Spanish locales
    • Minor panel updates
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,178
    Location:
    Italy
    Two problems:

    a) Clipboard Interference Protection is malfunctioning.
    Better not to activate.

    b) "Block Referrer" is malfunctioning.
    Better to use parameter list Peter Beverloo.

    WebGL Fingerprint Protection is OK.
     
  17. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    461
    Location:
    Far East
    Just feedback to the developer and he'll settle the issues
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,178
    Location:
    Italy
    True.
    But not me.
    Would be the second in a few days .....


    ;)
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    4,395
    ScriptSafe v1.0.9.3 Released (December 12, 2017)
    Chrome Web Store / Github
    ScriptSafe for Firefox is discussed in this thread: ScriptSafe available for Firefox
     
  20. Emetic

    Emetic Registered Member

    Joined:
    Oct 4, 2011
    Posts:
    73
    I usually run Chrome sandboxed, but today when I ran just the unboxed Chrome I realised that I had WebGL enabled when I tested with doileak. So I did a quick search on how to disable it and found an extension called 'Disable WebGL' - I tested it again and WebGL was now disabled. All good.

    8 hours later and lots of testing done. Total confusion. But I'll keep it simple.

    https://amiunique.org/ can access the WebGL framework to read full canvas fingerprinting, but...
    http://uniquemachine.org/ can not access it at all.

    Obviously I have noscript temporarily turned off for this to work, but still.

    [EDIT: Was confused about using FF when testing. Thanks to Krusty for pointing it out]


    amiunique is giving me a full graphics render with fonts.That shouldn't be happening if WebGL really is disabled.

    I tested it in Tor and it explicitly asks you if you want to allow HTML5 Finger Printing. When you say no, there is no render.

    uniquemachine also gives nothing back when you deny it access. All good.

    So why is it breaking through and reading the API in Chrome here? I guess 'Disable WebGL' is not working so good. I usually do these things by hand rather than trusting a plugin, and in Linux sometimes too, but it's been a while so I thought I'd cheat a bit.

    All these different plugins, different switches for different browsers (try disabling WebGL in Brave! - not something a layman could do)* - and to make it worse all the browsers seem to be converging in to one monolithic mess of sameness. I'm pretty tech savvy, and I was prepared to spend a whole day working it out. I may spend another day or two finishing up. That puts me outside the demographic of 90 percent of other users.

    Canvas fingerprinting is an impenetrable mess. I've got more research done but I'll save it for later. I remember chatting with the chap who took the EU to court and won (or something like that, it was deemed illegal anyway all this CFP stuff) - that was on the Register a few years back in 2014 when this was all the rage, but it all seems to have been forgotten about by all but the most tech minded these days. Nothing really came of it anyway. No one changed their behavior.

    Please excuse the adhoc nature of my post. I've tested six different browsers in two different user accounts switching things on and off and trying to make sense of stuff. That and not being able to make any sense of WinPatrol Firewall, which perversely, has actually helped me understand the bigger picture here a lot more.

    TL:DR: 'Disable WebGL' extension is not working in Chrome. Test it with https://amiunique.org and see for yourself. It does however block the results from http://uniquemachine.org/ - which it didn't do before - so it's half working, I guess.


    EDIT:
    In case you missed the news - the next version of Firefox will have native CFP blocking -

    https://www.forbes.com/sites/leemathews/2017/10/30/firefox-blocks-canvas-tracking/#36a2aa497987

    https://thehackernews.com/2017/10/canvas-browser-fingerprint-blocker.html

    https://news.slashdot.org/story/17/...or-browser-again-blocks-canvas-fingerprinting

    * See: https://www.wilderssecurity.com/threads/html5-canvas-fingerprinting.386179/page-11#post-2724584
     
    Last edited: Dec 12, 2017
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,607
    Location:
    Among the gum trees
  22. Emetic

    Emetic Registered Member

    Joined:
    Oct 4, 2011
    Posts:
    73

    Good call! I did mention I'd been juggling half a dozen browsers across 2 user accounts. I guess I got my excuse in early!

    Thanks for pulling me up about it. My bad. I've got pages and pages of notes...

    You can maybe sense my frustration in this recent post of mine covering the subject a little more: https://www.wilderssecurity.com/threads/winpatrol-firewall.390596/page-2#post-2724580

    I should have taken more time to compile my research, but I just dived straight in. I figured it was one of those times if I didn't write it up, I wouldn't do it the next day. Thanks for keeping me straight.

    I don't really want to spend much more time on this. Maybe someone can find something useful in what I've shared.
     
  23. Emetic

    Emetic Registered Member

    Joined:
    Oct 4, 2011
    Posts:
    73
    Before I forget, if you are looking to switch WebGL off in Brave, it's not so easy. I found this though:

    One feature that folks typically don't know about: our executable can accept all of the Chromium / Chrome command line flags (in -- format). For example, if you wanted to disable WebGL, you can do so by appending:
    --disable-webgl


    There are a ton of other commands you can try (all of the ones shown in chrome://flags should work great)


    This is how I did it:

    Type: "--disable-webgl" at the end of the shortcut target for brave:

    C:\Users\__USER_NAME__\AppData\Local\brave\Brave.exe --disable-webgl

    Now when you start brave and run doileak, it will tell you that WebGL is indeed disabled.

    You can't do this in the executable itself, you need to do it for a shortcut on the desktop to the executable file. Right click>Properties>

    It's one of the few things that did work perfectly today. :)

    Easy when you know how...
     
  24. Emetic

    Emetic Registered Member

    Joined:
    Oct 4, 2011
    Posts:
    73
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,607
    Location:
    Among the gum trees
    Yep, it appears to block fingerprinting because the spinner never stops spinning in Chrome, unless another extension was blocking something.

    No, that extension doesn't stop fingerprinting without TunnelBear Blocker.
     
Loading...