HTML5 Canvas Fingerprinting

Discussion in 'privacy general' started by Sampei Nihira, May 30, 2016.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,983
    Location:
    Italy
    In anticipation of future changes to the conclusions it is that CanvasBlocker is a step above the other extensions.
     
  2. DenMLA

    DenMLA Registered Member

    Joined:
    Jun 6, 2016
    Posts:
    9
    Location:
    Estonia
    We thought about such option but it is essentially useless. To make website lose track of you, at the very least you have to change canvas fingerprint AND destroy all cookies. Even if you had some extension, which would destroy cookies every N minutes or hours, it wouldn't by synced with Canvas Defender. However, there are extensions that destroy cookies upon browser restart.

    Another problem with switching Canvas every N minutes/hours is that it might be changed within a single session, which is a clear signal to the website that you are spoofing fingerprints.
     
  3. DenMLA

    DenMLA Registered Member

    Joined:
    Jun 6, 2016
    Posts:
    9
    Location:
    Estonia
    No offence but this conclusion is very shallow. CanvasBlocker and Canvas Defender have different mechanisms and are meant for achieving different goals. As soon as tracking websites implement a mechanism that will not only track Canvas fingerprint in the present moment but also its change over time within a single user session, constant renewal of Canvas fingerprint will actually start making you more easily trackable. You will become the only user with XYZ browser parameters and IP that changes Canvas on each request.

    CanvasBlocker will only work if it gains the same popularity as say AdBlock, which is quite unlikely because Canvas fingerprinting is no way as annoying as banners and popups. Canvas Defender, on the other hand, will work even if you are the only one using it.

    In approximately 1,5-2 months space we will launch own test similar to Panopticlick, which will showcase vulnerabilities we have found in CanvasBlocker, Random Agent Spoofer and a number of other privacy plugins.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    Oh, I see. Then because I use Firefox / Cyberfox > Always use private browsing mode, so no cookies should be saved, I am better off with a new noise each time I start my browser, as per here?
     
  5. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    441
    Location:
    England
    Just testing CanvasDefender (thankyou for making it available)

    I have a question: If my canvas fingerprint, that has been changed by Canvasdefender, stays the same (unless I change it) - wouldn`t that mean I would be tracked with that altered fingerprint instead of my original and real one...

    due to the fact that the fingerprint stays the same, even though it has changed ?

    I realise I can change it but how often should this be done to be effective ?
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,983
    Location:
    Italy
    Canvas Defender missing the ability to see which sites are trying to track me via my canvas profile.
    Place this right away and I change extension tomorrow.
    TH.

    _____________________________


    Another blog that makes use of this technique:

    https://blog.mozilla.org/
     
    Last edited: Jun 7, 2016
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,558
    Location:
    North Carolina, USA
    Hello,

    There is something about being anonymous and the use of the Canvas Defender extension that confuses me and part of the confusion is when I test and interpret the results at this site:
    http://www.browserleaks.com/canvas
    With Canvas Defender disabled: Found in DB ✔True (842 of 84558 unique User-Agents has the same signature as yours)
    With Canvas Defender enabled: Found in DB ×False and ? Your Canvas Fingerprint appears to be unique for our database.
    Normally when I think of being anonymous and harder to track, I think of blending in "with the crowd"... When I use Canvas Defender my canvas fingerprint is unique where when I disable Canvas defender I have about 10 % user-agents that have the same signature as mine.
    So here is where my confusion comes in and the questions... From an anonymity, privacy, and tracking point of view, I thought it was better to be 1 in 10 rather than unique. How does being unique better my anonymity and privacy? Is it because being unique means I have no matching user-agents associated to my canvas fingerprint?
    Also, on a side note, is the best time to change my canvas noise hash with Canvas Defender when I do a thorough cleaning of my internet tracks/traces (including histories, caches, cookies and the like)? For example, let's say I usually do a thorough cleaning at the end of each day when I shut down my system. Should this be the best time to change my canvas noise hash? It is a bit confusing as to when (or even if you should) change it. I understand changing too often would be bad as blocking also would be. So when is the best time to change the canvas noise hash?
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,024
    Location:
    Slovenia
    It depends. From tracking point of view it would be better to have different fingerprint on different sites or during separate browsing sessions. If you look at it that way it doesn't mater how unique you are if your fingerprint always changes.
     
  9. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    I may be missing something but I have just done a test on panopticlick.eff.org which shows the hash of my canvas fingerprint as f5a794c5b8228efc84276abdfe388ae5. I have canvas Defender enabled and it is showing a noise hash of #90235203cb.

    I had assumed that the panopticlick test would show the CD noise hash but it obviously doesn't.

    CD test.PNG
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,024
    Location:
    Slovenia
    I doubt that you can control how hash will be calculated on servers' side. You would have to know what hash algorithm is used, all variables that are included in calculation and I doubt that this is purpose of Canvas Defender. It will only change canvas noise hash which will also change hash of canvas fingerprint. Value of this hash is not important.
     
  11. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    Thank you Minimalist. I am a bit new to all this but I think I understand your reply. :cautious:
     
  12. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Im no expert, but I think the way to think of it is that you can "break up" how you are tracked. As long as you are on a fingerprint, you can be tracked across services (if a singular set of eyes can access those services). If you change a fingerprint every request, you can be tracked as the guy whos canvas fingerprint constantly changes with all other factors remaining the same. If you change both the canvas and the profile data (user agent, reported fonts, etc), then you can be tracked as that "crazy privacy seeker whos crap always changes" especially since other techniques can determine whether you are reporting the actual browser used, etc.

    By keeping the user agent as the most popular version number of the browser you use on the OS you use, you are being as obscure as you can be. This means you are least trackable (by browser data) using Windows with Chrome. You are much more trackable using Firefox on Linux (like I am). At the same time, Linux software and the OS itself sends out little to no telemetry, as does Firefox communicate much less with Google than Chrome (especially since you can turn all communication with them off in about:config).

    Keeping all that in mind, you remember to change the canvas hash whenever you wish to "disconnect" past browsing "history" with where you intend to browse next. Once the new hash is generated, you appear as another user who also has {whatever OS/browser combo you use}.

    Frankly, while I use ublock origin, have firefox stripped of geolocation/webgl/webrtc, third party cookies blocked, and canvas defender, I assume all browsing I do is tracked. Ive heard it said that "in an arms race between commercial entities trying to gather tracking information for profit and the users trying to remain private, the users will inevitably lose." We are witnessing the infancy of web tracking- we are entering a Brave New World and some browser addons arent going to stop it.
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
    It as about combination of various techniques, which makes you unique, like canvas + mouse movement + sound + info about computer and so on.
     
  14. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    Thank you so much Anonframe1 - that is a brilliant explanation and has helped me a lot and I am clear now how to make use of Canvas Defender.

    Incidentally, I am using Firefox on Win 7 Pro and have taken similar measures to those you have listed to try and prevent tracking (uBo, FF tweaks etc) but was not entirely clear where Canvas Defender fitted into the arsenal of defenses. Your post has rectified that nicely. Brave New World indeed!
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,809
    Location:
    .
    +1
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    True. That is why compartmentalization is important. Using VMs, VPNs and Tor. You are maybe 5-10 personas, each with your own signature. Mouse movement is problematic. Perhaps switch between trackpad and mouse. Even dig up a trackball, maybe.
     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    A really nasty threat would be someone who gains access to the public's fingerprints and impersonates them. Uniqueness wouldn't matter then, you'd be affecting some innocent.

    Since the fingerprint data will be held in (careless) corporate servers, it will be breached and may by used by the malicious.
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,983
    Location:
    Italy


    https://blog.malwarebytes.org/cyber...-malvertising-leverages-latest-flash-exploit/
     
  19. DenMLA

    DenMLA Registered Member

    Joined:
    Jun 6, 2016
    Posts:
    9
    Location:
    Estonia
    Guys, I have read through all your comments and questions. First of all, I wanted to copy here one of my reddit posts, which kind of sets the big picture context to all questions you have:

    ====================================
    I believe that in modern world general privacy is no longer possible. We are being fingerprinted and analyzed from so many avenues that trying to counteract all of those attempts would be as wise as trying to attack on all theaters of war. Fighting virtually unlimited threats would require virtually unlimited resources, which is not the case. Likewise, companies are limited in what they analyze. They have much more data now that they are capable of analyzing. So they are also forced to choose their focus.

    For these reasons I believe that privacy became fully instrumental now. Any answer regarding privacy maintenance should start with the question: "what goal are your trying to achieve?".

    Don't want to see targeted ads? Block them all with AdBlock.
    Don't want to buy something on your name? Pay in cash or use fake identity.
    Want to surf internet anonymously? Create an online identity separated from your main identity. Or use Tor or I2P.
    Want to avoid movement tracking? Leave smartphone at home, buy Nokia 5110 and fake mustache.
    Want to download pirated movies? Crypt your drive with TrueCrypt or other software of your choice.
    etc etc

    I want to stress this again: there is no such thing as "general privacy". It is an illusion. Even if you somehow manage to block all trackers, your behavior will still remain probabilistically predictable based on how other people similar to you behave. This is the case, where you have to "think globally but act locally".
    ====================================

    And to support this claim, there are tons of methods to track you down besides User-agent and Canvas fingerprint. There is audio fingerprinting, which utilizes mechanics similar to Canvas), there is fonts fingerprinting, which is at least as effective as Canvas. There's IP address, evercookies, Flash API, JS API and lots more. Add here all services that you use and their interconnectedness. Even Google Analytics blocking with extensions like AdBlock or Ghostery can be EASILY bypassed by any mid-level developer.

    Thinking that you can win all these battles (with free browser add-ons :)) is borderline insane. What I urge you to do is to first ask yourself: "What I am really trying to achieve?". Then, starting from that point pick your fights and achieve your goals. You cannot be "generally safe" but you can disguise your activity wherever it is actually needed and protect yourself from certain attacks that are most likely to happen.

    If you still cherish the idea of general crowd fighting government oppression with technological means, then avoiding social networks and encrypting your hard drive is a good start.
     
  20. DenMLA

    DenMLA Registered Member

    Joined:
    Jun 6, 2016
    Posts:
    9
    Location:
    Estonia
    Came back to add something here. If you ever took interest in war strategy, you already know that no war can be won purely by defense. Any war is a right combination of defense and offense. Likewise, direct approach in strategy is inferior to indirect approach. The ultimate goal of any war is to win without engaging in battle at all. Like Sun Tzu wrote: "to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill."

    Speaking about companies employing unethical fingerprinting technologies, trying to block tracking with technological means is not only a defensive strategy but also an absolutely direct response. What could be an indirect response? Exposing misbehaving companies to public, shaming them and making them lose customers through it. Making them choose between gaining customers trough tracking and loosing customers' loyalty because of tracking.

    There's a group of developers and PR specialist already working on such solution. It will be transparent and open-source. It will allow the community to finally strike back at companies who feel they can get away with anything happening in the web. This solution will be soon announced to public.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,983
    Location:
    Italy
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    So are you saying we should just give up trying and that your extension is useless?
     
  23. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    I think his post pivots around this point:
    "What I am really trying to achieve?". Then, starting from that point pick your fights and achieve your goals."

    Your resources are limited. So should Snowden invest time not letting Google know he likes pizza and Green Acres re-runs? Maybe. Should he consider buying a long-distance antenna or renting covert uplinks when trading internal NSA docs--perhaps. Choose your battles wisely and fight them appropriately.

    Think of it this way. Tracking by browser occurs for a few major reasons: ads, LEO surveilance, and antisec.

    So owners of infection pages don't want their pages and payloads analysed by researchers. They can use fingerprints (unique or otherwise) to target users or remove suspects. However, this gives the coomon user an advantage. If you appear like a honeypot you won't get infected like you otherwise would. Meanwhile, malware researchers can use user forensics to grab payloads and note infected pages.

    LEO would love to scrape your fingerprint. They would set up or control a wateringhole like heroinsale.onion. They would intercept traffic from global resources or targeted attacks. Erowid.org seems like a good targeted compliment between users of heroinsale.onion and where you could have the same fingerprint to visit both, but not always under a TOR route. You just blew your cover. Solution goes to Mirimir: segregate your usage into personas. Use a burner computer and matching anon-IPs when expecting deep anonymity. Don't use the same computer/fingerprint to order pizza.

    Ad tracking. The hardest because it is widespread but less critical. As mentioned, an ad-blocker is quite effective. Why? In order to correlate all that data or be usable ACROSS sites, you need to be pretty obvious. Go to a Gawker website then to NYTimes etc. See something in common? Ah, Google, Twitter, Facespace and similar CDNs, chat apps, and beacons. That's their weakness. In order to track you they need to also be omnipresent. The EFF has an extension which correlates these trackers in similar ways they correlate us.

    But we are also tracked by face, loyalty cards, CCs, email, zip codes, logins, IP etc. Why? And how does that affect you? Using cash or not using loyalty cards may end up with you losing value. Choose wisely.
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Just. Compartmentalize. At. All. Levels.
     
  25. DenMLA

    DenMLA Registered Member

    Joined:
    Jun 6, 2016
    Posts:
    9
    Location:
    Estonia
    Depends on your goal. It is useful in some particular cases.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.