canvas fingerprinting
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
canvas fingerprinting
Hi,
I don't know if blocking this can be implemented in Pale Moon (like the tor browser), but it's an interesting read anyway for those who are concerned about their privacy.
https://threatpost.com/thousands-of-sit ... ism/107356
Regards,
Jottum
Re: canvas fingerprinting
I currently see no reason to cripple browser features to try and mitigate a practice that will happen regardless. Fingerprinting cannot be avoided.
I assume the TOR browser uses an extension to achieve this, in which case you can use the same extension if you are worried this is a problem for your privacy.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: canvas fingerprinting
May I ask, how does avoiding canvas fingerprinting imply feature loss? I.e., how can the fingerprint be used in a way beneficial for the user? I don't know what its purpose was in the specification, so it's a true question.
Isn't it possible to detect specifically tracking canvas?
That said, yes, obviously there are so many ways to fingerprint atm that losing functionality for no/marginal improvement is not worth it; however, if it may be mitigated without functionality loss it's always good to take.
Re: canvas fingerprinting
Moonchild wrote: I currently see no reason to cripple browser features to try and mitigate a practice that will happen regardless. Fingerprinting cannot be avoided.
I don't see how preventing fingerprinting would cripple Pale Moon but you're the developer.
Moonchild wrote: I assume the TOR browser uses an extension to achieve this, in which case you can use the same extension if you are worried this is a problem for your privacy.
No, it does this by returning a blank image AFAIK not with an extension.
Quote from the link in my OP:
The researchers claim the only way to successfully protect against canvas fingerprinting would be to use the Tor Browser, which as of June, returns an empty image from the API when it’s asked to read the fingerprint. - See more at: https://threatpost.com/thousands-of-sit ... MdGPb.dpuf
/Quote
It is not just my privacy I'm worried about, I think as an online community we have to try to stop big companies making big bugs at the expense of our ever diminishing privacy. IMHO
Regards,
Jottum
Last edited by Jottum on 2014-10-24, 09:37, edited 1 time in total.
Re: canvas fingerprinting
Jottum wrote:
Moonchild wrote: I assume the TOR browser uses an extension to achieve this, in which case you can use the same extension if you are worried this is a problem for your privacy.
No, it does this by returning a blank image AFAIK not with an extension.
Confirming this.
They improved how the notifications work a few versions ago.
Their patches work on a slightly modified FF 24 ESR; so they shouldn't be hard to port to PM if something is done.
Re: canvas fingerprinting
I have recently been using this addon: CanvasBlocker https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
which happens to be working OK in PM25
Re: canvas fingerprinting
So, what does the TOR browser do then? Can you point me to those patches?
Can canvas surfaces still be used in TOR (since I assume you have to block any website's access to canvas if you want to automate that, hence my "crippling features" remark)?
The articles don't give any links to useful information or technical details, just a vague description. Of note though is that blocking "AddThis" would get rid of most of this (95%+) in one go, which should be easy enough through a normal blocker.
Re: canvas fingerprinting
Moonchild wrote: So, what does the TOR browser do then? Can you point me to those patches?
Can canvas surfaces still be used in TOR (since I assume you have to block any website's access to canvas if you want to automate that, hence my "crippling features" remark)?
I'll try to come up with a clear explanation of how it works (maybe one or two screenshots) and search the patches; may you give a webpage to test if canvas still works correctly?
Re: canvas fingerprinting
And behold, the fantastic result of canvas blanking in tor browser.
Re: canvas fingerprinting
Tested, and got the same result as you. Works fine after allowing and reloading.
However, from my browsing with Tor, I mainly encountered websites which wanted to use it but didn't lose any functionality when blanking canvas (so all these probably wanted to use that for tracking), e.g. YouTube.
So couldn't we imagine still using it?
The two main options being:
1) Take the same default (blank), and assume that sometimes it won't work out of the box. Should remain way more rare than issues with UA, and allowing per domain permits easily solving issues, with say an HTML5-games website. Maybe adding an auto-refresh to the webpage when allow is chosen; I had to close the webpage and open it again with Tor.
2) Take allow as a default. This will lead some people to ignore the box, but will allow it to "work by default". For others, give an easy way to block it. Also contributes to raising awareness. Having a first time fingerprint is not an issue if it can't be seen a second time. (However, obviously people wanting to clean their history may not want to keep that info; and if it was lost, well, the fingerprint would work.)
With maybe also a toggle to change the default.
Re: canvas fingerprinting
It all depends on how it's implemented, but canvas is used in many places legitimately.
In fact, Pale Moon uses canvas surfaces in parts of its chrome; would the patches also account for that?
As said above though, block the one company prominently using this kind of fingerprinting (AddThis) and you should already be good for over 95% of this type of fingerprinting.
Also, if I were TOR, I wouldn't send a blank canvas back, but instead add random data to it. Blank results can easily be filtered out, but random data can't be confirmed to be correct or false. Let them bloat their tracking databases with bogus data and see how they are going to manage that kind of data in the long run.
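The blank-versus-random argument in the post above, modelled as an added example (not code from the thread, Pale Moon or Tor Browser). The 64-byte "rendering", the `render`, `readback` and `trackerView` names and the hex string used as a fingerprint are all constructed for illustration.

```javascript
// Constructed model: a device's canvas rendering is a 64-byte buffer that
// depends only on the device (GPU, fonts, drivers), not on the visit.
function render(deviceSeed) {
  const px = new Uint8Array(64);
  let s = deviceSeed >>> 0;
  for (let i = 0; i < px.length; i++) {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0; // LCG step
    px[i] = s >>> 24;
  }
  return px;
}

// What a page script gets back from a canvas readback under each policy.
function readback(deviceSeed, policy, rand = Math.random) {
  const px = render(deviceSeed);
  if (policy === 'blank') return new Uint8Array(px.length); // all zero
  if (policy === 'noise') return px.map(b => b ^ (rand() < 0.5 ? 1 : 0));
  return px; // passthrough: the real pixels
}

// Hex of the bytes stands in for whatever hash a tracker would compute.
function fingerprint(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

const BLANK = fingerprint(new Uint8Array(64));

// Tracker's view: device 1 visits twice, device 2 visits once.
function trackerView(policy) {
  const fp = dev => fingerprint(readback(dev, policy));
  const a1 = fp(1), a2 = fp(1), b1 = fp(2);
  return {
    stableAcrossVisits: a1 === a2,      // can visits be linked?
    devicesDistinct: a1 !== b1,         // can devices be told apart?
    recognisableAsBlocked: a1 === BLANK // can the record be filtered out?
  };
}

for (const policy of ['passthrough', 'blank', 'noise']) {
  console.log(policy, trackerView(policy));
}
```

With `blank`, every record equals one known value and can be discarded; with `noise`, each record looks like an ordinary fingerprint but does not repeat across visits.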
Re: canvas fingerprinting
I took a look at the Tor patches.
All the relevant ones should be available via this ticket list; however, it includes a good bunch of irrelevant ones too.
The relevant ones seem to be this one, this one and that one.
Off-topic:
Searching in these tickets, I found a link about Google and what it did against Opera: https://dev.opera.com/blog/google-browser-sniffing-and-the-open-web/
This only confirms that Google definitely won't change its strategy vs Pale Moon & other small browsers.
Re: canvas fingerprinting
I know how to block canvas fingerprinting: use Privoxy and remove all createElement("canvas"); and all test sites show your browser doesn't support canvas.
Here is what I've reached so far.. http://i.imgur.com/Co5Q67X.png
Re: canvas fingerprinting
And what will you do if the site executes this?
Code:
eval("\x72\x63\x61\x65\x65\x74\x6c\x45\x6d\x65\x6e\x65\x28\x74\x61\x63\x76\x6");
You don't try to subvert malicious content with static analysis.
Re: canvas fingerprinting
That is just what I found. I think there is a way to use JavaScript to override the canvas tag. I've tried to override createElement with a prompt dialog to confirm if you want to run the createElement command or not, but never tried to override the canvas tag. Maybe Moonchild, do you know how to override an HTML tag using JavaScript?
Re: canvas fingerprinting
With JavaScript using DOM you can do anything with the document tree you want. That includes changing HTML tags, deleting nodes, inserting other nodes, etc.
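The difference between filtering script text and intercepting the call at run time, which the last few posts turn on, as an added example that is not part of any post in the thread. The `FILTER` regex (modelled on the proxy rule described above), the mock `document` object and the three sample scripts are constructed for illustration.

```javascript
// Constructed filter modelled on the proxy approach in the thread: rewrite the
// literal text createElement("canvas") before the script reaches the browser.
const FILTER = /createElement\(\s*["']canvas["']\s*\)/g;

// Encode every character as a \xNN escape, as in the eval() snippet above.
function toHexEscapes(s) {
  return Array.from(s, ch => '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// Constructed page scripts; each one asks the document for a canvas element.
const samples = {
  plain: 'document.createElement("canvas");',
  split: 'document["create" + "Element"]("can" + "vas");',
  evalHex: 'eval("' + toHexEscapes('document.createElement("canvas")') + '");',
};

// Run a script against a mock document; report whether a canvas was created.
function canvasCreated(src, { staticFilter = false, runtimeHook = false } = {}) {
  const created = [];
  const doc = {
    createElement(tag) { created.push(String(tag).toLowerCase()); return { tagName: tag }; },
  };
  if (runtimeHook) {
    // Wrap the call itself, so the check sees the final tag name at run time.
    const original = doc.createElement.bind(doc);
    doc.createElement = tag =>
      String(tag).toLowerCase() === 'canvas' ? null : original(tag);
  }
  if (staticFilter) src = src.replace(FILTER, 'createElement("span")');
  new Function('document', src)(doc); // non-strict body; eval sees `document`
  return created.includes('canvas');
}

// Compare no protection, the text filter, and the run-time hook per sample.
function compare() {
  const out = {};
  for (const [name, src] of Object.entries(samples)) {
    out[name] = {
      unprotected: canvasCreated(src),
      staticFilter: canvasCreated(src, { staticFilter: true }),
      runtimeHook: canvasCreated(src, { runtimeHook: true }),
    };
  }
  return out;
}

console.log(compare());
```

The text filter only stops the `plain` sample, while the hook stops all three because it acts on the value actually passed to the call. A hook installed from page script still lives where the page can reach it, which is one reason the Tor Browser behaviour described earlier in the thread is applied inside the browser rather than in script.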