HTML5 Canvas Fingerprinting

Discussion in 'privacy general' started by Sampei Nihira, May 30, 2016.

  1. lolnothankyou

    lolnothankyou Registered Member

    Joined:
    Jul 29, 2018
    Posts:
    58
    Location:
    DisableLocation
    What does "active support" mean? Does 0.5.3 work properly on FF52?
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    10,545
    FF52 is supported, but I assume that if there are problems with older versions (Firefox < 60), they will be investigated with lower priority.

    Edit: Announcement: drop active support for Firefox < 60
     
    Last edited: Sep 2, 2018
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    It's right.
    The support of FF 52 ESR ends on September 5th:


    [Attached images: 101.JPG, 102.JPG, 103.JPG]
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    10,545
    CanvasBlocker v0.5.4 Released (September 23, 2018)
    https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
    Version 0.5.4:
    changes:
    - converted "API whitelist" to "protected API features" (automatic settings migration)
    - notification details are not stored by default
    - settings page reorganized
    - audio API notifies on every call
    - made audio cache url specific

    new features:
    - added save/load directly to/from file option
    - added protection for DOMRect (getClientRects)
    - added setting to control if notification details should be stored
    - state of the arrow for url specific values is saved
    - browser action icon gets grayed out if the page is whitelisted
    - added search to options page

    fixes:
    - window and audio API were always blocked when using any of the "block ..." modes
    - canvas content was not stored to be displayed when wanted
    - hovering over toolbar icon created error in the browser console
    - canvas content was not shown in ask mode any more

    known issues:
    - if a data URL is blocked the page action button does not appear
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    10,777
    Location:
    .
    After the last update I get DOMRect blocked on this forum:

    upload_2018-9-24_17-24-51.png

    Does anybody else get this?
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    10,545
    Yes.
    Not only on wilderssecurity.com but it is also blocked on other websites (The Register, Startpage, etc.)

    It is a new feature of CanvasBlocker v0.5.4:
    And it mitigates for example the following fingerprint technique:
    getClientRects() provides a persistent fingerprint #236
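
How a DOMRect protection can break the persistence of such a fingerprint, shown as an added example that is not part of the original post and not CanvasBlocker's code. The `makeProtector` helper, the session keys and the sample rect values are constructed assumptions; the block runs under Node.js.

```javascript
// Added illustration; not code from CanvasBlocker, Trace or ScriptSafe.
const crypto = require("crypto");

// Constructed sample: values a page could read back from getClientRects().
const SAMPLE_RECTS = [
  { x: 8, y: 21.4375, width: 312.65625, height: 18.5 },
  { x: 8, y: 61.4375, width: 287.328125, height: 18.5 },
];

// What a tracking script derives from the rects: a hash that stays the same
// across visits as long as the rendering stack does not change.
function rectFingerprint(rects) {
  const flat = rects.map(r => [r.x, r.y, r.width, r.height].join(",")).join(";");
  return crypto.createHash("sha256").update(flat).digest("hex");
}

// Hypothetical protector: shifts every value by at most MAX_SHIFT pixels.
// The shift is derived from a per-session key and the true value, so the same
// value always reads back the same within a session (repeated reads cannot be
// averaged out or flagged as inconsistent) but differs between sessions.
const MAX_SHIFT = 0.01;

function makeProtector(sessionKey) {
  const fake = value => {
    const mac = crypto.createHmac("sha256", sessionKey).update(String(value)).digest();
    const unit = mac.readUInt32BE(0) / 2 ** 32; // in [0, 1)
    return value + (unit - 0.5) * 2 * MAX_SHIFT;
  };
  return rects => rects.map(r => ({
    x: fake(r.x), y: fake(r.y), width: fake(r.width), height: fake(r.height),
  }));
}

const sessionA = makeProtector("constructed-session-key-A");
const sessionB = makeProtector("constructed-session-key-B");
console.log("unprotected:", rectFingerprint(SAMPLE_RECTS));
console.log("session A  :", rectFingerprint(sessionA(SAMPLE_RECTS)));
console.log("session B  :", rectFingerprint(sessionB(SAMPLE_RECTS)));
```

The layout shift stays far below one pixel, while the hash a tracker computes no longer matches from one session to the next.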
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    10,777
    Location:
    .
    Thanks mood for the explanation. I didn't notice it on other sites yet, or maybe just overlooked it.
     
  8. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    304
    The Sphere Browser has a pretty sophisticated anti-fingerprinting system built in;

    https://sphere.tenebris.cc/#home

    It has a steep learning curve however, well maybe not for most here.
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    10,545
    CanvasBlocker v0.5.5 Released (October 13, 2018)
    https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
    Version 0.5.5:
    changes:
    - DOMRect uses double cache (value and complete DOMRect)

    new features:
    - added settings sanitation page
    - added search field to browser action popup

    fixes:
    - Google images did not work for some users
    - page action was not showing on Firefox Android
    - wrong content script does no longer trigger the settings load forcing

    known issues:
    - if a data URL is blocked the page action button does not appear
     
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    I wrote to Andryou to check "ClientRects Protection" in ScriptSafe:

    Immagine.jpg
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    For Chrome:

    https://www.browserplugs.com/

    The possibility of randomizing the hashes of the "getClientRects fingerprinting" test is interesting.
    This functionality is not present in ScriptSafe.


    It remains to be verified whether it works correctly (it's a beta version).
     
    Last edited: Oct 21, 2018
  12. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    560
    Location:
    Far East
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    :thumb:
    Works well on Chrome.
    GetClientRects protection does not work on Firefox 52 ESR.

    TRACE



    P.S. "Screen Resolution Tracking" is inefficient with default values.
     
    Last edited: Oct 21, 2018
  14. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    560
    Location:
    Far East
    So what values do you recommend?

    Does GetClientRects protection work on FF Quantum v62.x?
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    1000

    I do not know.

    ______________________

    The extension can not be installed on Basilisk.
     
  16. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    560
    Location:
    Far East
    You mean +1000 to -1000? Or +500 to -500? Why this number? Thanks
     
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    1
    Because with the default values the changes are minimal.
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
  19. jacemace

    jacemace Registered Member

    Joined:
    Sep 10, 2009
    Posts:
    76
    Thank you very much for this thread - I got Trace and Browser Plugs to test from it - thank you posters.
     
  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    I recommend that users who use ScriptSafe perform some tests, because I think the extension is outdated and does not protect some privacy settings.
     
    Last edited: Nov 5, 2018
  21. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    560
    Location:
    Far East
    But ScriptSafe does block the below tests which TRACE failed

    http://ubercookie.robinlinus.com/faq.html
     
    Last edited: Nov 5, 2018
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    But it fails the WebRTC test to hide Local IP, spoof Time Zone................
     
  23. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    560
    Location:
    Far East
    That I agree with.

    With proper preference settings FF does not support WebRTC, so it's OK.

    Chrome failed, so I need to use the WebRTC Control extension. If you test it at browserleaks.com it'll show the same result as FF. So far, of the ones I have tested, no other extension can do this. But when using this extension and playing YouTube, other clips cannot be shown. Ungoogled Chromium doesn't have this issue.
     
  24. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,422
    Location:
    Italy
    Trace.
     
  25. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    560
    Location:
    Far East
    FF and Chrome (with WebRTC Control) give zero readout from browserleaks.com

    TRACE cannot do it
     