HTML5 Canvas Fingerprinting

Discussion in 'privacy general' started by Sampei Nihira, May 30, 2016.

  1. DenMLA

    DenMLA Registered Member

    Joined:
    Jun 6, 2016
    Posts:
    9
    Location:
    Estonia
    Tor is well protected from fingerprinting, but this protection comes at the price of usability. I don't see how accessing a Tor honeypot via Tor and ordering pizza using a normal browser from the same machine could lead to identifying you.
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,983
    Location:
    Italy
    Last edited: Jun 13, 2016
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,306
    Location:
    Under a bushel ...
    Nice. Thanks.

    I get the following with both CB and CD. I do have Adguard, and uBlockO in medium mode mainly to control 3rd party scripts (Request Policy) and frames.
    Also have NoScript (but scripts globally allowed) to cover XSS and click-jacking.
     


  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    I tried both Canvas Blocker and Canvas Defender. I'm not yet sure which is the "better" one. However, one annoying thing with Canvas Defender is that loading PDF files with the built-in Firefox PDF reader becomes extremely slow whenever it's enabled. This doesn't happen with Canvas Blocker.
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,983
    Location:
    Italy
    All that is highlighted with an exclamation mark is not fine.
    At the level of privacy.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Even with scripts allowed = Nothing :D
    B-leaks.png
    FF v3.6.14
     
  7. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    I assume you mostly mean Tor Browser and hope you realise I speak of cross-browser hardware/bio fingerprints and even possibly malware-based tracking that are surely not solely tied to singular instances of Tor. While Tor/Browser does quite a good job versus tracking, they haven't even implemented mitigation against all known bugs as we sit. TorB solutions trail discovery. It hasn't, isn't, and can't ever be exhaustively freed of tracking problems nor has it claimed to be:

    "To date, the Tor Browser team has concerned itself only with developing defenses for APIs that have already been standardized and deployed. Once an API or feature has been standardized and widely deployed, defenses to the associated fingerprinting issues tend to have only a few options available to compensate for the lack of up-front privacy design. In our experience, so far these options have been limited to value spoofing, subsystem modification or reimplementation, virtualization, site permissions, and feature removal."

    Never use Tor/Browser as a sole tool for deep anonymity. Usage and external policy trumps all.

    But we are getting off topic, and I never intended on my loose examples to be scrutinized.
     
  8. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    https://github.com/andryou/scriptsafe/releases

    • Added a new Fingerprinting Protection section with 8 new options (disabled by default):
      • Canvas Fingerprint Protection - protect against fingerprinting attempts through <canvas> elements, with the following options:
        • Disabled
        • Blank Readout (serve an empty canvas with the original dimensions)
        • Random Readout (serve an empty canvas with random dimensions)
        • Completely Block Readout (refuse to serve any data)
      • Block Audio Fingerprinting - prevent fingerprinting via the AudioContext API
      • Block WebGL Fingerprinting - prevent fingerprinting via the WebGL API
      • Block Battery Fingerprinting - prevent fingerprinting via the Battery API
      • Block Device Enumeration - prevent having hardware devices detected via the WebRTC API
      • Block Gamepad Enumeration - prevent having hardware devices detected via the Gamepad API
      • Block Canvas Font Access - prevent system fonts from being enumerated through <canvas> elements
      • Reduce Keyboard Fingerprinting (for advanced users) - make keypress timings more random to increase anonymity (note: adds a random delay between keypresses)
      • I recommend enabling all of the above options (except the last) for increased privacy, and based on your needs disable the options that interfere with your usage.
    • Added new option: "Prevent Clipboard Interference" (under "Behavior Settings") - prevent pages from interfering with clipboard actions (disabled by default)
     
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,983
    Location:
    Italy
    Work

    1.jpg

    Not Work?

    2.jpg
     
    Last edited: Jun 21, 2016
  10. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,983
    Location:
    Italy
    :confused::confused:

    To improve....
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
  13. FangJoker

    FangJoker Registered Member

    Joined:
    May 12, 2016
    Posts:
    3
    1. Download the source code archive (zip).
    2. Unzip the archive.
    3. Go to Chrome settings.
    4. Click on extensions located on the left side of settings.
    5. Click on the box for developer mode on the upper right.
    6. Click load unpacked extension on the upper left.
    7. Select the directory of the unzipped archive and click open.
    OR you can install from the Chrome Web Store (https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf) to avoid the developer mode warning when you restart the browser.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    :thumb: Nice!
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    I had to disable this one to allow youtube videos to play. :(
     
  16. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Are all versions of Firefox susceptible to this type of fingerprinting?
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    Not just Firefox, but all browsers.
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ FangJoker

    Thanx for registering & the info :thumb:
     
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
    That depends, what you consider not good. They clearly state the difference:
    It is like with flashblock, webpages can detect it, but can not run flash or webrtc leak, it blocks leaked info, but not webrtc to avoid breaking webpages.
     
  20. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    @Krusty 13
    So what are you currently using for your blocker?
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    I am probably not the best person to ask, but I use Canvas Defender in Firefox and Chrome. I've just added ScriptSafe in Chrome but leave Canvas Fingerprinting Protection disabled and enable the other Fingerprinting Protection.

    Canvas Defender creates a fake Canvas Fingerprint that lasts until you change it, where ScriptSafe can block or create a fake Canvas Fingerprint but the fake one changes every time it is called, which in itself can be used to track you.

    ScriptSafe also works similar to NoScript in Firefox so it takes a bit more work to get sites to work properly.

    I'm sure others with more knowledge have other ideas how they do things.

    Cheers!
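
Added example (not from any poster or from the extensions discussed): a Node-runnable model of the difference described above between a fake readout that stays fixed and one that changes on every call, checked by reading twice and comparing. The pixel buffer, the mode names and `assess` are constructed for illustration; a real readout would come from `canvas.toDataURL()` or `getImageData()`, and ScriptSafe's "Random Readout" varies dimensions rather than pixels.

```javascript
// Constructed stand-in for the RGBA bytes a page reads back from a <canvas>;
// a real readout depends on GPU, fonts and drivers.
function renderPixels(deviceSeed) {
  const px = new Uint8Array(64);
  for (let i = 0; i < px.length; i++) px[i] = (deviceSeed * 31 + i * 17) & 0xff;
  return px;
}

// Small deterministic PRNG (mulberry32-style) so the example is reproducible.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// FNV-1a hash of the readout: the value a site would store as the fingerprint.
function fingerprint(px) {
  let h = 0x811c9dc5;
  for (const b of px) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// Hypothetical protection modes: 'none', 'blank', 'perSession', 'perCall'.
function makeReadout(mode, deviceSeed, sessionSeed) {
  const perCall = prng(sessionSeed ^ 0xabcdef); // stream advances on every readout
  return () => {
    const px = renderPixels(deviceSeed);
    if (mode === 'blank') return px.fill(0);
    // perSession restarts the same noise stream each call, so the fake value is fixed.
    const rnd = mode === 'perCall' ? perCall : mode === 'perSession' ? prng(sessionSeed) : null;
    if (rnd) for (let i = 0; i < px.length; i++) px[i] ^= rnd() < 0.25 ? 1 : 0;
    return px;
  };
}

// Self-check for a protection mode: read twice, compare with each other and with the real value.
function assess(mode, deviceSeed, sessionSeed) {
  const read = makeReadout(mode, deviceSeed, sessionSeed);
  const a = fingerprint(read()), b = fingerprint(read());
  const real = fingerprint(renderPixels(deviceSeed));
  return { stable: a === b, hidesReal: a !== real, value: a };
}
```

`assess('perCall', 7, 1).stable` is false while `'perSession'` and `'blank'` report true; `'blank'` returns the same value for every device, so it hides the real readout but marks the browser as one using that mode.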
     
  22. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I was going to ask about CanvasDefender. I also noticed another FF add-on -- CanvasBlocker. It looks like they each operate a little differently, so don't know which might be the better of the two. I wonder if with either (or both) of these, it's possible to turn them off if necessary.

    At one point, I remember trying a little add-on called SecretAgent. It worked great and did what it was supposed to do, but it definitely screwed-up my ability to access some sites -- particularly banking and financial sites. So it would be nice to have a 'disable' feature.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    CanvasBlocker can also create a fake fingerprint but it creates a new one each time it is called, and as I posted above, this in itself can be a way to track you, so for now I'll stick with Canvas Defender.
     
  24. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    v1.0.7.16 BETA - Help Test!

    What's changed from v1.0.7.15 to aid in beta testing:

    • Added Spoof Timezone - spoof or randomize your timezone; useful if you use VPN (disabled by default)
    • Added Remove Google Analytics (UTM) Tracking option (under Privacy Settings) - remove Google Analytics (UTM) tracking tokens before they're actually passed to the server (disabled by default)
    • Added option under User-Agent Spoof to apply spoofing to whitelisted domains as well (default behavior: bypass spoofing on whitelisted domains to avoid issues)
    • Anti-Fingerprinting code consolidation (this means all fingerprinting options should also be tested)
    https://github.com/andryou/scriptsafe/issues/54
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    Did you see my post above? Will this mean it is all or nothing, or will each fingerprint protection still be separate and still allow each to be enabled or disabled separately?

    Thanks.
     