HTML5 Canvas Fingerprinting

Discussion in 'privacy general' started by Sampei Nihira, May 30, 2016.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    869
    Location:
    Italy
    You get a better result with:

    (Firefox)

    CanvasBlocker + No Resource URI Leak + Specific settings in about: config
     
  2. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Start chrome/chromium with:
    Code:
    --disable-reading-from-canvas
    ... No canvas fingerprint at all and no addons/extensions are necessary.
     
  3. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Canvas this and canvas that only deal with canvas fingerprints. And canvas fingerprint is only one type of fingerprints. There are other types like battery, font, audio etc. You'll still need extensions to block the others
     
  4. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Does CanvasBlocker shows up any counters or pop up message that it is working? If not, how do you know it's working?
     
  5. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    This thread is about canvas nothing else, people here talking about off-topic and almost all mentioned API's (yes there nothing but apis and in 99% harmless anyway) can be turned off with every modern browser without any addons/extensions. It's in about:config or in chrome://flags and this not since yesterday, why people recommend to install untrusted and outdated addons instead of opening an ticket on googles or mozilla's bugtracker is way beyond me. Threats should always been fixed at lowest level and not run into another danger to install untrusted addons which you think they're not collecting anything .. they all do cause it's hosted by the mother google and mozilla.
     
    Last edited: Jul 27, 2017
  6. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    It's true addons do collect your privacy data. The use of Chrome and FF also likewise unless you are using Ungoogled Chromium, Epic etc
     
  7. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Ungoogled chromium should be avoided cause it's hobby project from study people and they not maintain changes fast enough to recommend using it daily.

    Google or Mozilla even if you sync your data not spy on any of your data cause the stream is encrypted, over and over spreading false information without any proof (cause there is none) that they see your real data + abusing it is just a myth. The sync is not more safe or less than visiting wilderssecurity and logging into the page which also exposes your IP and meta-data cause every backend logs by default.
    - So you only have option to avoid it or use KeePass and trust another provider. -

    There are so so so many false statements from non experts when it comes to 'spying' I almost gave up on this. The only point when it comes to sync is that Mozilla offers an ability to sync to your own or another server but google not only blocked that because they want to spy on you, more like when something happened like a data breach which one is to blame especially when it comes to insecure server configurations, you see there are always two sides.

    I do think the mentioned meta-data collection here is useless, cause wilders members are normally smart enough to know already that such example pages are highly depending on permissions/javascript which means you allow the pages to gain access - which then means it's driving against a wall to show that there was a wall.

    The more dangerous thing is that you not can protect canvas fingerprints or other mentioned api collection when an application outside the browser wants to access the web, like when you use mouse/keyboard software and and and, I consider this as much more problematically cause then we're talking about what is wrong with the protocols - which is the real point here.
     
  8. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    How do you know Goggle/Mozilla cannot see into the encrypted stream? Providing free encryption does not mean the provider cannot have backdoor to your encrypted data, right? Sure they can encrypt your data but what if a copy of your data was backed up before the encryption takes place?
     
  9. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Because google uses a passphrase. Google indicates that this data cannot be decrypted without knowledge of your password, and that in fact, when your credentials change, all synced data must be deleted from their systems, and can then be re-synced from your devices (and in the process is re-encrypted with the your new credentials). Of course you can't prove/check if the data are really been deleted but that's why FCF, ACLU, EFF organization fighting for.

    So, if everything is working correctly, Google themselves can be trusted, and the Google infrastructure is sufficiently secure to keep interested third parties out (read NSA, criminal hackers, etc) then your data is safe. That said, however, Google still has the capability to decrypt your data, though they don't make that known (?). This is simply the result of them being party to the creation of the cipher key (your credentials), leaving them in a position to save and potentially misuse the keys.

    The point here, is that other password manager offer the same principle and 99% of all people are not able to understand the code (even if there is one) or are able to crack it.

    Research:
    https://www.google.com/settings/chrome/sync
    https://support.google.com/chrome/answer/1181035
    https://chromium.googlesource.com/chromium/chromium/ /master/sync/util/nigori.cc
    https://chromium.googlesource.com/chromium/chromium/ /master/sync/util/nigori.h

    Own test:
    * Whether or not you use a passphrase, your synced data is protected by encryption in transit.
    * Your Chrome sync passphrase is stored on your computer and will never be sent to Google.
    * Lookup on port 443 -> AES-128 in CBC mode


    If anyone has more questions contact me via PM/email cause we hitting off-topic now.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,882
    Location:
    Among the gum trees
    All very interesting but not really about HTML5 Canvas Fingerprinting.
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    869
    Location:
    Italy
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,100
    Notifications can be shown in this mode: "fake readout API" or "fake at input"
    Canvas_malwaretips.png
    If this mode is selected: "ask for readout API permission" = a prompt is shown and the user must answer it:
    Canvas_question.png
     
  13. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Thanks
     
  14. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Hi

    What specific settings in about: config for FF can you set?

    Thanks
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,882
    Location:
    Among the gum trees
    Here's a start.

    dom.battery.enabled to false
    media.peerconnection.enabled to false
     
  16. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Code:
    user_pref("canvas.capturestream.enabled", false);
    user_pref("gfx.offscreencanvas.enabled", false);
    user_pref("ui.use_standins_for_native_colors", true);
    user_pref("dom.battery.enabled", false);
    user_pref("media.peerconnection.enabled", false);
    user_pref("media.peerconnection.use_document_iceservers", false);
    user_pref("media.peerconnection.video.enabled", false);
    user_pref("media.peerconnection.identity.enabled", false);
    user_pref("media.peerconnection.identity.timeout", 1);
    user_pref("media.peerconnection.turn.disable", true);
    user_pref("media.peerconnection.ice.tcp", false);
    user_pref("media.peerconnection.ice.default_address_only", true);
    user_pref("media.peerconnection.ice.no_host", true);
    user_pref("dom.vr.enabled", false);
    user_pref("dom.vr.oculus.enabled", false);
    user_pref("dom.vr.osvr.enabled", false);
    user_pref("dom.vr.openvr.enabled", false);
    user_pref("device.sensors.enabled", false);
    user_pref("dom.webaudio.enabled", false);
     
  17. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Thanks
     
  18. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Thanks
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,882
    Location:
    Among the gum trees
  20. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Yes, I have this. However, I'm more interested in blocking of the various types of fingerprints besides canvas fingerprints

    In Chrome you have ScriptSafe which can handle different types of fingerprints.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,882
    Location:
    Among the gum trees
    Privacy Settings:
    Edit: Also as mentioned earlier - No Resources URI Leak

    https://addons.mozilla.org/en-GB/firefox/addon/no-resource-uri-leak/
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,882
    Location:
    Among the gum trees
  23. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,882
    Location:
    Among the gum trees
    I tried my best. ;)
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    869
    Location:
    Italy
    Check the below:

    Just for Windows.


    "font.system.whitelist"

    The list below is that in the Tor Browser:

    The modification makes it similar to those of Tor Browser (JS/CSS font detection) in the AudioContext Fingerprint Test Page.