Meet the Online Tracking Device That is Virtually Impossible to Block

Discussion in 'privacy problems' started by ronjor, Jul 21, 2014.

Thread Status:
Not open for further replies.
  1. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Yes, just like every other "attack" that is also boasted as "impossible to block". Complete nonsense.

    When you install ABP it gives you the option to enable the "anti-social" list which blocks social sites like AddThis, Facebook, Twitter, etc when you are not directly navigating them.
     
  2. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    There are so many exceptions in EasyList, EasyPrivacy and Fanboy's that it's just impossible to be sure it will be blocked. For instance it's not blocked when using EasyPrivacy and Peter Lowe's list, even if a plain block filter for `addthis.com` is in there. Some exceptions somewhere.

    The only way to block with a 100% certainty is HTTP Switchboard (soon uMatrix if I can find the time).
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    There isn't a single exception for AddThis in EasyList or EasyPrivacy. Please stop outright lying in order to promote your addon.

    Also, exceptions are added to fix broken functionality, not to allow tracking. Whilst a specific script may be allowed to run on a specific website to restore functionality, it's not going to be able to make requests to download tracking pixels.
     
  4. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    I could not understand yesterday why the addthis.com canvas-fingerprinting script wasn't blocked after running benchmarks using EasyList, EasyPrivacy and Peter Lowe's. I had wrongly assumed addthis.com was in EasyPrivacy or Peter Lowe's list, and assumed at the time of posting that there were exceptions somewhere in there. You're right, there are no exceptions specifically for addthis.com. Hence why I created a new list yesterday.

    Still, there are definitely unexpected holes in the lists, and yes, exceptions where I'd rather see none: if I expect google-analytics.com to be blocked, I don't want to ping google-analytics.com at all. For instance, a user could reasonably expect to not ping Twitter when using Fanboy's Social, but he will end up downloading a script from Twitter which is quite ubiquitous: platform.twitter.com/widgets.js. I tried all the lists, none of them blocks it. It's reasonable for a user to expect that this would be blocked by selecting Fanboy Social.

    My point is not to denigrate the lists (I consider them the real gems), it's to warn that you can't rely blindly on these, you risk being surprised not in a good way. HTTP Switchboard will show you upfront what is going on, and gives the user an easy way to act on the information. There is no guesswork or hope that what you think is blocked is really blocked; the matrix shows you exactly what went on, without having to dig into lists or dev consoles.

    Yes, I tried to promote the add-on because I completely believe it's in the users' best interests (informed consent). Claiming EasyPrivacy thwarts canvas fingerprinting while it doesn't is not in the users' best interests.
     
  5. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    Scroll down to the whitelist part and you'll find that it does the exact opposite - even Perez Hilton has been whitelisted.

    https://easylist-downloads.adblockplus.org/easyprivacy.txt
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Indirectly blocking specific threats (canvas based fingerprinting, reading a specific type of device sensor, accessing a specific type of client side storage, whatever) by blocking [whole] scripts is an approach that we frequently use. However, I think we would benefit from security features (built-in preferably, but where necessary through extensions) that provide more granular options. Conceptually, this would seem simple. Create a list of all the coarse grained and fine grained operations we'd want to be able to selectively block, and allow those operations to be individually enabled/disabled for specific contexts via appropriately rich selector rule features. Practically speaking, I suspect we might find such a list of operations to be longer than we expected it to be and due to existing browser limitations we can't control everything with the granularity we would like (unless browsers were improved). Nevertheless, my gut thinks that would be the way to approach it.

    I do think ABP's exception rules are a problem, due to its overall design. I believe that exception rules in Subscription A can override a block rule in Subscription B and/or a block rule in your own custom rules. IOW, I believe subscription list maintainer A (who may be very hesitant to break a site even when breaking it is appropriate from a security/privacy oriented user's POV) effectively has veto power over other subscription lists and the end user's own rules as well. There may be optimization/performance related reasons for such an approach, and one can try to work around it by disabling [specific] exception rules. However, some means of prioritizing/compartmentalizing lists (subscription and/or custom) seems attractive to me. For example, a user should be able to create a ||site1.example^ block rule in their own subscription list or custom filters, and not have to worry about some other subscription they use overriding that block rule. Perhaps while also specifying that their own rule should block ALL requests, including top level requests.

    Edit: Added /compartmentalizing, fixed typo
     
    Last edited: Jul 24, 2014
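TheWindBringeth's post above asks for controls on individual browser operations rather than on whole scripts. The following is an added example, not code from any extension or from any poster in this thread, of what such a control looks like at the API level: it wraps the canvas read-back methods a fingerprinting script has to call (`toDataURL`, `toBlob`, `getImageData`), logs every read, and neutralises the ones a policy rejects. The `root` argument would be `window` in a browser; because this runs under Node, a constructed stub of `HTMLCanvasElement` and `CanvasRenderingContext2D` stands in for the DOM, and the "block reads from canvases that are not in the document" rule is a toy heuristic chosen for the demo, not a claim about how any shipping extension decides.

```javascript
// Added example: API-level gating of canvas read-backs. Not code from any
// extension or poster; the DOM classes below are a constructed stub for Node.

function installCanvasReadGuard(root, policy) {
  // policy.decide(apiName, receiver) -> 'allow' | 'block'; policy.log(entry) records each read.
  const log = policy.log || (() => {});
  const targets = [
    [root.HTMLCanvasElement, 'toDataURL'],
    [root.HTMLCanvasElement, 'toBlob'],
    [root.CanvasRenderingContext2D, 'getImageData'],
  ];
  const restorers = [];
  for (const [cls, name] of targets) {
    const proto = cls && cls.prototype;
    if (!proto || typeof proto[name] !== 'function') continue;
    const original = proto[name];
    const wrapped = function (...args) {
      const decision = policy.decide(name, this);
      log({ api: name, decision });
      if (decision === 'allow') return original.apply(this, args);
      return neutralised(name, original, this, args);
    };
    Object.defineProperty(proto, name, { value: wrapped, writable: true, configurable: true });
    restorers.push(() =>
      Object.defineProperty(proto, name, { value: original, writable: true, configurable: true }));
  }
  return () => restorers.forEach((fn) => fn()); // uninstall handle
}

// A blocked read still returns something valid for the API, but without any
// device-specific pixel data: an empty data URL, a null blob, or zeroed pixels.
function neutralised(name, original, self, args) {
  if (name === 'toDataURL') return 'data:,';
  if (name === 'toBlob') {
    const cb = args[0];
    if (typeof cb === 'function') cb(null);
    return undefined;
  }
  const img = original.apply(self, args); // getImageData: keep shape, drop content
  img.data.fill(0);
  return img;
}

// Constructed stand-in for the browser classes, so the example runs under Node.
function makeStubRoot() {
  class CanvasRenderingContext2D {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    getImageData(x, y, w, h) {
      return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(0x7f) };
    }
  }
  class HTMLCanvasElement {
    constructor(isConnected) { this.isConnected = isConnected; } // stub of Node.isConnected
    getContext() { return new CanvasRenderingContext2D(this); }
    toDataURL() { return 'data:image/png;base64,STUB-DEVICE-SPECIFIC-PIXELS'; }
    toBlob(cb) { cb({ size: 42 }); }
  }
  return { HTMLCanvasElement, CanvasRenderingContext2D };
}

// Toy heuristic policy (an assumption for the demo): reads from a canvas that is
// part of the document (a chart, an editor) are allowed; reads from a detached,
// never-displayed canvas are blocked. Every read is logged either way.
function offscreenReadPolicy(entries) {
  return {
    log: (e) => entries.push(e),
    decide: (api, self) => {
      const canvas = api === 'getImageData' ? self.canvas : self;
      return canvas && canvas.isConnected ? 'allow' : 'block';
    },
  };
}

function demo() {
  const root = makeStubRoot();
  const entries = [];
  const uninstall = installCanvasReadGuard(root, offscreenReadPolicy(entries));
  const hidden = new root.HTMLCanvasElement(false);
  const visible = new root.HTMLCanvasElement(true);
  hidden.getContext('2d').fillText('sample text', 2, 2);
  const results = {
    hiddenDataUrl: hidden.toDataURL(),
    hiddenPixelsZero: hidden.getContext('2d').getImageData(0, 0, 2, 2).data.every((b) => b === 0),
    visibleDataUrl: visible.toDataURL(),
    entries,
  };
  uninstall();
  results.afterUninstall = hidden.toDataURL(); // original behaviour restored
  return results;
}

console.log(demo());
```

Two practical caveats that the stub cannot show: a guard like this only protects the page if it is installed before any page script runs (an extension content script at document start), and a page script can notice that the prototype methods have been replaced, so the guard is a transparency tool for the user rather than something the page cannot observe.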
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,382
    Location:
    Slovenia
    As I remember, a few months ago I got my system fonts shown on the Panopticlick site. Now when I scan my browser I get no fonts shown ("No Flash or Java fonts detected"). Did they change anything on that site or did Chrome start to block access to that info after one of its updates?

    IMO the best approach to this problem would be that developers would make browsers aware of this kind of profiling and let user choose what they want (block, allow, some granular control...). I doubt that Google will develop such browser - they might need that kind of profiling in the future ;)
     
  8. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Maybe you should read what I said before going on a tangent. I said ABP can block it, ABP ≠ EasyList.

    You could also try reading the very bottom of the blog you linked to:

    I also explicitly stated that it's the anti-social list from Fanboy that outright blocks AddThis entirely. When you install ABP you're prompted with the option to install this list.

    You can also outright block it yourself.
     
    Last edited: Jul 24, 2014
  9. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    There is no whitelist for Perez Hilton, it seems you don't understand the ABP API. The only Perez Hilton entries in EasyPrivacy are block entries.
     
  10. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    I don't see any such whitelisting. You may think of EasyList where there is:

    @@||perezhilton.com/included_ads/
    @@||perezhilton.com^*-without-ads-$object,object-subrequest,subdocument

    But I am assuming it's to prevent breakage, or if not, they could just be obsolete filters.

    Like I said, these lists are everything; I actually highlight that to users in the extension description. It's that after running benchmarks I am often surprised to see things that I thought would have been blocked. I pretty much use all the lists for uBlock, and where I think some domains are all blocked, I will often find that because of an exception one particular request was not. So my point is uMatrix is definitely a needed complement for people like me who don't like that kind of surprise.

    Edit: For each of my benchmarks, I will publish the spreadsheet of the data. So it is available as a link at the top in the latest benchmark. As an example of what I am trying to say, I expected google-analytics.com to be completely blocked with uBlock (because Peter Lowe's), and yet, there was one hit, which can be explained only because of an exception (with ABP, there were 3 hits).
     
    Last edited: Jul 24, 2014
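The point made by gorhill here and by TheWindBringeth in post 6 is that an `@@` exception matching a request wins over a block rule for the same request no matter which subscribed list either rule lives in. As an added example, not code from Adblock Plus, uBlock or any list maintainer, the toy evaluator below implements just enough of the filter syntax (`||` host anchoring, the `^` separator, `*`, `@@`, `!` comments and the `$domain=` option; any other option makes the rule skipped) to show a user's own `||tracker.example^` block being overridden by a breakage-fix exception in another subscription. The hostnames `tracker.example` and `news.example` and the list contents are constructed for the demo.

```javascript
// Added example: a simplified model of Adblock Plus filter-list evaluation,
// written to show exception precedence across lists. Not ABP or uBlock code.

function compileFilter(line, listName) {
  line = line.trim();
  if (!line || line.startsWith('!') || line.startsWith('[')) return null; // comment / header
  let exception = false;
  if (line.startsWith('@@')) { exception = true; line = line.slice(2); }
  let pattern = line;
  let domains = null;
  const dollar = line.lastIndexOf('$');
  if (dollar !== -1) {
    pattern = line.slice(0, dollar);
    for (const opt of line.slice(dollar + 1).split(',')) {
      if (opt.startsWith('domain=') && !opt.includes('~')) domains = opt.slice(7).split('|');
      else return null; // option not modelled in this toy evaluator
    }
  }
  // Translate the ABP pattern into a regular expression.
  let re = '';
  let i = 0;
  if (pattern.startsWith('||')) { re = '^[a-z]+://([^/]+\\.)?'; i = 2; } // host anchor
  else if (pattern.startsWith('|')) { re = '^'; i = 1; }                  // start anchor
  for (; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '*') re += '.*';
    else if (c === '^') re += '(?:[^a-zA-Z0-9_.%-]|$)'; // separator or end of URL
    else if (c === '|' && i === pattern.length - 1) re += '$';
    else re += c.replace(/[.+?(){}\[\]\\\/|]/g, '\\$&');
  }
  return { raw: (exception ? '@@' : '') + line, list: listName, exception, regex: new RegExp(re), domains };
}

function compileList(name, text) {
  return { name, rules: text.split('\n').map((l) => compileFilter(l, name)).filter(Boolean) };
}

function hostMatches(pageHost, domains) {
  return domains.some((d) => pageHost === d || pageHost.endsWith('.' + d));
}

// ABP semantics modelled here: collect every matching rule from every list;
// if any matching rule is an exception the request is allowed, regardless of
// how many block rules matched or which list they came from.
function decide(url, pageHost, lists) {
  const blocks = [];
  const exceptions = [];
  for (const { rules } of lists) {
    for (const r of rules) {
      if (!r.regex.test(url)) continue;
      if (r.domains && !hostMatches(pageHost, r.domains)) continue;
      (r.exception ? exceptions : blocks).push(r);
    }
  }
  if (exceptions.length) return { action: 'allow', by: exceptions[0], overridden: blocks };
  if (blocks.length) return { action: 'block', by: blocks[0], overridden: [] };
  return { action: 'allow', by: null, overridden: [] };
}

// Constructed lists: the user's own block rule, and a subscription whose
// maintainer added a site-specific exception to keep a widget working.
function sampleLists() {
  return [
    compileList('my custom filters', '! block the tracker everywhere\n||tracker.example^'),
    compileList('subscription B',
      '! breakage fix added by a list maintainer\n@@||tracker.example/widget.js$domain=news.example'),
  ];
}

function report(url, pageHost, lists) {
  const d = decide(url, pageHost, lists);
  let line = `${pageHost} -> ${url}: ${d.action}` + (d.by ? ` by "${d.by.raw}" [${d.by.list}]` : '');
  for (const r of d.overridden) line += `\n    overrides "${r.raw}" [${r.list}]`;
  return line;
}

const lists = sampleLists();
for (const [url, host] of [
  ['https://cdn.tracker.example/widget.js', 'news.example'], // allowed: exception wins
  ['https://cdn.tracker.example/widget.js', 'blog.example'], // blocked: exception is site-specific
  ['https://cdn.tracker.example/pixel.gif', 'news.example'], // blocked: exception covers only widget.js
]) console.log(report(url, host, lists));
```

The `overridden` field is the part a benchmark like gorhill's would want to see: it names the user's own rule that matched and the exact exception that cancelled it, which is the information that a per-domain matrix shows directly and a flat block/allow verdict hides.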
  11. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
  12. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Canvas Fingerprinting URLs.

    Related: Clear Your Cookies? You Can’t Escape Canvas Fingerprinting.

    -- Tom
     
  13. tlu

    tlu Guest

    This thing is completely overblown as gorhill and Palant correctly point out.
     
  14. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
    Yes that was my point. This is just like browser fingerprinting. Nothing much new. And if you sandbox and delete your sandboxed browser after each use, there is nothing to collect. For instance, when I quit my posting here at Wilders, I will delete my sandbox before I go to another web page.
     
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
    Alternately, you can create different browsers to go with different identities. Or you can go that extra step and create multiple VMs like Mirmir does, which of course is better. I don't think that browser fingerprinting works with the TBB though unless you do something to it, which is not advised.
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,382
    Location:
    Slovenia
    Deleting the sandbox won't help you. There are no cookies or anything saved on your computer that they use to identify you. Your browser will draw the same image using canvas no matter what you do with Sandboxie. Using different browsers, hardware or VMs might help but it would be really impractical. Script control might help you if you know all domains that need to be blacklisted.
     
    Last edited: Jul 26, 2014
  17. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    • 'Canvas fingerprinting' tracking method is sneaky but easy to halt
    http://www.infoworld.com/d/security/canvas-fingerprinting-tracking-method-sneaky-easy-halt-247011

    TPLs and other methods can block web based widget sharing services.
     
  18. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    67,838
    Location:
    U.S.A.
    Removed Reported Post, Duplicated Link in Post #14 of this Thread.
     
  19. dewilder

    dewilder Registered Member

    Joined:
    Jun 20, 2013
    Posts:
    10
    My statistics from Panopticlick's test:

    Tor: 482 computers
    Safari: 218,854 computers
    Firefox with JonDoFox (no proxy of JDF): 125060 computers

    Enough?
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,382
    Location:
    Slovenia
    Enough unique to identify you...
     
  21. dewilder

    dewilder Registered Member

    Joined:
    Jun 20, 2013
    Posts:
    10
    So... all Tor users are identified as unique users... The question is whether the machine is identified as unique... even if you change your location, real or virtual, you are always the same guy. They always know what the same guy is saying.
    I have doubts about Facebook... they usually block with the changes of IP... Now, I can't get blocked... so...
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This might be useful for testing HTML5 Canvas.
    I suspect that "canvas" is just the tip of the iceberg with HTML5 features that can be used for unique identification purposes. More on HTML5 and CSS3 features here.
    Proxomitron will defeat HTML5 canvas fingerprinting without disabling javascript. The filtersets linked in this thread already have the necessary filters.
     
  23. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,362
    Location:
    Oz
    LOL... I am slow sometimes. But now I understand. But I also came up with an idea. If the picture that is drawn is made unique by multiple aspects of the computer, does it seem possible that using something like MADMAC might defeat this, with little effort? Evidently it randomly assigns a different MAC address and computer name every time you restart. Would this be enough of a change to draw the picture a little differently?

    http://www.irongeek.com/i.php?page=security/madmacs-mac-spoofer
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    After trying the test site with a different filterset, I've determined that it's the ProxBlox filter that is defeating the canvas fingerprinting. The ProxBlox filter can be merged with any other Proxomitron filterset. The ProxBlox filter allows the user to whitelist entire hosts, specific subdomains, or specific paths only on a per item basis. Proxomitron works with all browsers that can be configured to use a localhost proxy.
     
    Last edited: Jul 28, 2014
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,382
    Location:
    Slovenia
    I don't know if changing those things will affect the canvas picture. You can check what information your browser and other browser components 'leak' on this site: http://www.browserleaks.com/
     