HTML5 Canvas Fingerprinting

Discussion in 'privacy general' started by Sampei Nihira, May 30, 2016.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,277
    Location:
    Among the gum trees
    Has anyone tried this extension lately? It seems to have been updated regularly.

    https://addons.mozilla.org/en-US/firefox/addon/webapi-manager/versions/
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    Last edited: Apr 5, 2018
  3. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    Last edited: Apr 6, 2018
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    10,545
    CanvasBlocker v0.4.5b Released (May 2, 2018)
    CanvasBlocker v0.4.5a Released (May 2, 2018)
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    10,545
    Privacy-Addon which might be worth a try:
    Trace
    Website
    Chrome: https://chrome.google.com/webstore/detail/trace/njkmjblmcfiobddjgebnoeldkjcplfjb
    Firefox: https://addons.mozilla.org/en-US/firefox/addon/absolutedouble-trace
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,088
    Location:
    Slovakia
    I wonder, what are the limitation of the free version? Well, obviously it is 15000 domains vs 3000, but I wonder what are those for? 3 bucks are worth paying for, even if it is just for a support.

    EDIT: OK, it seems, that is also blocks google ads, that is no good for me.
     
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    https://www.ghacks.net/2018/05/12/trace-blocks-multiple-tracking-techniques-in-firefox-and-chrome/
     
  8. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,535
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    10,545
    CanvasBlocker v0.4.5c Released (May 26, 2018)
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,460
    https://antoinevastel.com/tracking/2018/07/01/eval-canvasdef.html

    They can 1) detect that it's being used; 2) extract the noise vector; and 3) get the original canvas value.

    OK, we know that simply blocking doesn't work: https://multiloginapp.com/how-canvas-fingerprint-blockers-make-you-easily-trackable/

    So how does one interfere with canvas fingerprinting?
     
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    704
    Location:
    Member state of European Union
    If many would use spoofed canvas fingerprint, it will mean almost nothing.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,460
    Sure, but see 3 :(
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    10,777
    Location:
    .
    Even if site can get to original canvas value, they probably won't bother with doing it until a lot of visitors start using it. You're a high-hanging fruit so why bother with you if there are 99%+ visitors that are easier to track. Costs of doing it would probably be larger than benefits.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,460
    One can hope :)

    But I would like a solution that works against all sites.

    OK, so what happens when you uninstall and reinstall the browser? Do you get the same canvas fingerprint?

    I could fire up a fresh VM, and test that. Maybe I will. And I'll let y'all know.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,559
    Well, it seems that Canvas Blocker is not affected.

    That said, I think that fingerprinting is overrated. Unless proven otherwise, I still think that fingerprinting is predominantly done by 3rd-party trackers/adservers. If you block them, e.g. with uMatrix, uBlock Origin or a hosts file, this problem is simply irrelevant. There are certainly sites which are doing 1st-party fingerprinting. But this can't be used to track you across the internet, and the known countermeasures - like setting privacy.resistFingerprinting=true or a combination of, say, User-Agent Switcher and Canvas Blocker - should be sufficient.
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    10,777
    Location:
    .
    I liked this from reply on GitHub: Against privacy defeatism: why browsers can still stop fingerprinting.

     
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,277
    Location:
    Among the gum trees
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,460
    Good to know. But the post was about Canvas Defender. So anyway, it seems that blocking canvas detection is secure. But that makes one rather unique, unless most browsers do that. However, Mozilla and Apple reportedly plan to block canvas detection, so it will become a lot more common.
     
  20. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    427
    Location:
    England
    I`m now wondering if the use of a canvas blocking addon is strictly necessary, after having used CanvasBlocker since it first appeared.

    If appropriate filter lists and cookie management is used, would it matter so much even if they got the 'real' canvas fingerprint rather than a spoofed one ?

    If it`s main purpose is to serve targeted ads and ad blocking is already in place - doesn`t that nullify the effect without even taking specific canvas blocking measures ?
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,460
    It depends what you're after. Fingerprints enable identification. So if you don't want that, you don't want to be fingerprinted. Just as with meatspace fingerprints :)
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    10,545
    CanvasBlocker v0.5.1.1b Released (July 21, 2018)
    Version 0.5.0:
    changes:
    - Changes in the random supply API
    - Added grouping to API white list
    - Show page action when API is blocked

    new features:
    - Can protect Audio API
    - Settings can be hidden

    fixes:
    - make function replacements not detectable
    - "protect" data URL pages by blocking all requests from them

    removed fixes:
    - display of about:blank broken in Waterfox
    reason: it should help protect data URL pages in the future

    known issues:
    - if a data URL request is blocked the page action button appears but shown no content
    Version 0.5.1:
    changes:
    - instead of blocking requests from data URLs they are blocked themselfes

    new features:
    - new setting: session white list that is cleared on addon load (= browser start)

    fixes:
    - Changes made in the page action were not saved in all Firefox versions
    - Blocking requests data URLs blocked too much

    known issues:
    - if a data URL is blocked the page action button does not appear
     
    Last edited: Jul 21, 2018
  23. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,109
    Location:
    USA
    So, does this mean that without JavaScript enabled, most fingerprinting techniques don't workare ineffective -- or just that JavaScript needs to be enabled in order to run this fingerprinting test?
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,277
    Location:
    Among the gum trees
    I think that means that unless you allow JavaScript they can't fingerprint you, but I stand to be corrected.
     
  25. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    10,545
    CanvasBlocker v0.5.3 Released (September 02, 2018)
    Version 0.5.3:
    changes:
    - removed active support for Firefox < 60
    - maximal 250 notifications per domain and type will be rendered

    new features:
    - display version in options page
    - added link to open options page in separate tab
    - added option "Don't show again on update." for options page
    - added option to highlight page action icon
    - added option to control browser action icon on notifications
    - added theme for browser and page action popup
    - added badge
    - added option to ignore APIs
    - added protection for history length
    - added protection for window name and opener

    fixes:
    - CSP did not work properly for worker-src
    - detection if the options page was displayed in a separate tab did not work reliably
    - popup text not readable in some dark themes
    - display conditions for notification settings
    - page action not useable with a lot of notifications
    - blocking of blob-worker broke some pages

    known issues:
    - if a data URL is blocked the page action button does not appear
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.