canvas fingerprinting

Jottum

canvas fingerprinting

Unread post by Jottum » 2014-10-20, 20:10

Hi,

I don't know if blocking this can be implemented in Pale Moon (like the tor browser), but it's an interesting read anyway for those who are concerned about their privacy.

https://threatpost.com/thousands-of-sit ... ism/107356

Regards,
Jottum

Moonchild
Pale Moon guru
Posts: 35478
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: canvas fingerprinting

Unread post by Moonchild » 2014-10-21, 07:05

I currently see no reason to cripple browser features to try and mitigate a practice that will happen regardless. Fingerprinting cannot be avoided.

I assume the TOR browser uses an extension to achieve this, in which case you can use the same extension if you are worried this is a problem for your privacy.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Supernova

Re: canvas fingerprinting

Unread post by Supernova » 2014-10-21, 10:14

May I ask how avoiding canvas fingerprinting implies feature loss? I.e., how can the fingerprint be used in a way beneficial for the user? I don't know what its purpose was in the specification, so it's a true question.
Isn't it possible to specifically detect tracking canvases?
That said, yes, obviously there are so many ways to fingerprint atm that losing functionality for no/marginal improvement is not worth it; however, if it can be mitigated without functionality loss, it's always good to take.

Jottum

Re: canvas fingerprinting

Unread post by Jottum » 2014-10-21, 10:45

Moonchild wrote: I currently see no reason to cripple browser features to try and mitigate a practice that will happen regardless. Fingerprinting cannot be avoided.
I don't see how preventing fingerprinting would cripple Pale Moon, but you're the developer.
Moonchild wrote: I assume the TOR browser uses an extension to achieve this, in which case you can use the same extension if you are worried this is a problem for your privacy.
No, it does this by returning a blank image AFAIK, not with an extension.

Quote from the link in my OP:

The researchers claim the only way to successfully protect against canvas fingerprinting would be to use the Tor Browser, which as of June, returns an empty image from the API when it’s asked to read the fingerprint. - See more at: https://threatpost.com/thousands-of-sit ... MdGPb.dpuf

/Quote

It is not just my privacy I'm worried about; I think as an online community we have to try to stop big companies making big bucks at the expense of our ever-diminishing privacy. IMHO

Regards,
Jottum
Last edited by Jottum on 2014-10-24, 09:37, edited 1 time in total.

Supernova

Re: canvas fingerprinting

Unread post by Supernova » 2014-10-21, 12:17

Jottum wrote:
Moonchild wrote: I assume the TOR browser uses an extension to achieve this, in which case you can use the same extension if you are worried this is a problem for your privacy.
No, it does this by returning a blank image AFAIK, not with an extension.
Confirming this.
They improved how the notifications work a few versions ago.
Their patches work on a slightly modified FF 24 ESR, so they shouldn't be hard to port to PM if something is done.

Triton

Re: canvas fingerprinting

Unread post by Triton » 2014-10-21, 16:09

I have recently been using this addon: CanvasBlocker https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/

which happens to be working OK in PM25

Moonchild

Re: canvas fingerprinting

Unread post by Moonchild » 2014-10-21, 19:34

So, what does the TOR browser do then? Can you point me to those patches?
Can canvas surfaces still be used in TOR (since I assume you have to block any website's access to canvas if you want to automate that, hence my "crippling features" remark)?

The articles don't give any links to useful information or technical details, just a vague description. Of note though is that blocking "AddThis" would get rid of most of this (95%+) in one go, which should be easy enough through a normal blocker.

Supernova

Re: canvas fingerprinting

Unread post by Supernova » 2014-10-21, 20:06

Moonchild wrote: So, what does the TOR browser do then? Can you point me to those patches?
Can canvas surfaces still be used in TOR (since I assume you have to block any website's access to canvas if you want to automate that, hence my "crippling features" remark)?
I'll try to come up with a clear explanation of how it works (maybe one or two screenshots) and search for the patches; could you give a webpage to test whether canvas still works correctly?

Moonchild

Re: canvas fingerprinting

Unread post by Moonchild » 2014-10-21, 21:01

And behold, the fantastic result of canvas blanking in tor browser.
Attachments
tor-canvas1.png

Supernova

Re: canvas fingerprinting

Unread post by Supernova » 2014-10-21, 21:52

Tested, and got the same result as you. Works fine after allowing and reloading.
However, from my browsing with Tor, I mainly encountered websites which wanted to use it but didn't lose any functionality when blanking canvas (so all these probably wanted to use that for tracking), e.g. YouTube.

So couldn't we imagine still using it?
The two main options being:
1) Take the same default (blank), accepting that sometimes it won't work out of the box. This should remain far rarer than issues with the UA, and allowing per domain makes it easy to solve issues with, say, an HTML5 games website. Maybe add an auto-refresh of the webpage when allow is chosen; I had to close the webpage and open it again with Tor.
2) Take allow as the default. This will lead some people to ignore the box, but will allow it to "work by default". For others, give an easy way to block it. It also contributes to raising awareness. Having a first-time fingerprint is not an issue if it can't be seen a second time. (However, obviously people wanting to clean their history may not want to keep that info; and if it was lost, well, the fingerprint would work.)
With maybe also a toggle to change the default.

Moonchild

Re: canvas fingerprinting

Unread post by Moonchild » 2014-10-21, 23:20

It all depends on how it's implemented, but canvas is used in many places legitimately.
In fact, Pale Moon uses canvas surfaces in parts of its chrome; would the patches also account for that?

As said above though, block the one company prominently using this kind of fingerprinting (AddThis) and you should already be good for over 95% of this type of fingerprinting.
Also, if I were TOR, I wouldn't send a blank canvas back, but instead add random data to it. Blank results can easily be filtered out, but random data can't be confirmed to be correct or false. Let them bloat their tracking databases with bogus data and see how they are going to manage that kind of data in the long run.
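
The trade-off raised in the post above, as an added simulation that is not part of the original thread and is not Tor Browser or Pale Moon code. The pixel buffer, the tracker hash (FNV-1a) and the three readback policies are constructed for illustration; the summary shows what each policy leaves a tracker able to link.

```javascript
// Constructed 16x16 grayscale "rendering" whose pixels depend on a device seed,
// standing in for per-machine font and GPU differences.
function renderCanvas(deviceSeed) {
  const px = new Uint8Array(256);
  let s = deviceSeed >>> 0;
  for (let i = 0; i < px.length; i++) {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    px[i] = s >>> 24;
  }
  return px;
}

// What a tracking script would store: a hash of the pixels it reads back (FNV-1a).
function fingerprint(pixels) {
  let h = 0x811c9dc5;
  for (const b of pixels) h = Math.imul(h ^ b, 16777619) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Readback policies applied between the canvas and the script.
const policies = {
  passthrough: (px) => px,                         // no protection
  blank: (px) => new Uint8Array(px.length),        // empty image on readback
  noise: (px) => px.map((b) => b ^ (Math.random() < 0.5 ? 1 : 0)), // random low bits
};

// Two visits each from two devices under one policy; returns the four stored IDs.
function observe(policyName) {
  const read = policies[policyName];
  return [1, 1, 2, 2].map((seed) => fingerprint(read(renderCanvas(seed))));
}

// Summarise what the tracker can learn from those IDs.
function summarize(policyName) {
  const [a1, a2, b1, b2] = observe(policyName);
  return {
    sameDeviceLinkable: a1 === a2 && b1 === b2,   // repeat visits share an ID
    devicesDistinguishable: a1 !== b1,            // the ID separates devices
    allIdentical: new Set([a1, a2, b1, b2]).size === 1,
  };
}
```

With `blank`, every visitor stores the same ID; with `noise`, repeat visits from one device no longer share an ID.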

Supernova

Re: canvas fingerprinting

Unread post by Supernova » 2014-10-22, 00:16

I took a look at the Tor patches.
All the relevant ones should be available via this ticket list; however, it includes a good bunch of irrelevant ones too.
The relevant ones seem to be this one, this one and that one.
Off-topic:
Searching in these tickets, I found a link about Google and what it did against Opera: https://dev.opera.com/blog/google-browser-sniffing-and-the-open-web/
This only confirms that Google definitely won't change its strategy vs Pale Moon & other small browsers.

jangdonggun1234
Fanatic
Posts: 104
Joined: 2013-06-06, 01:29

Re: canvas fingerprinting

Unread post by jangdonggun1234 » 2014-11-15, 10:59

I know how to block canvas fingerprinting: use Privoxy and remove all createElement("canvas"); then all test sites show that your browser doesn't support canvas.

Here is what I've reached so far.. http://i.imgur.com/Co5Q67X.png

access2godzilla

Re: canvas fingerprinting

Unread post by access2godzilla » 2014-11-15, 13:37

And what will you do if the site executes this?

 eval("\x72\x63\x61\x65\x65\x74\x6c\x45\x6d\x65\x6e\x65\x28\x74\x61\x63\x76\x6");
You don't try to subvert malicious content with static analysis.
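
The point made in this post, as an added example that is not part of the original thread: a text filter of the kind described for Privoxy misses a call that is hex-escaped inside eval, while a wrapper installed on createElement sees the decoded argument. The stub document, the filter regex and the two sample scripts are constructed for illustration and run under Node.

```javascript
// Constructed stand-in for the page's DOM so the example runs without a browser.
function makeDocument() {
  return { createElement: (tag) => ({ tagName: String(tag).toUpperCase() }) };
}

// Static approach (hypothetical proxy rule): delete the literal call from script text.
function staticFilter(source) {
  return source.replace(/document\.createElement\(\s*["']canvas["']\s*\)/g, "null");
}

// Runtime approach: wrap createElement so the decision is made on the actual
// argument value, after any string decoding or eval has already happened.
function installCanvasGuard(doc, log) {
  const original = doc.createElement.bind(doc);
  doc.createElement = function (tag) {
    if (String(tag).toLowerCase() === "canvas") {
      log.push("blocked canvas");
      return null;
    }
    return original(tag);
  };
}

// Run a script's source text against a document, the way a page would.
function runScript(source, doc) {
  return new Function("document", "return " + source)(doc);
}

// Constructed samples: the same call written plainly and with \x escapes inside eval.
const PLAIN = 'document.createElement("canvas")';
const ENCODED = 'eval("document.createElement(\\"\\x63\\x61\\x6e\\x76\\x61\\x73\\")")';

function compare() {
  const results = {};
  // Static filter only: the plain call is removed, the encoded one is untouched.
  results.staticPlain = runScript(staticFilter(PLAIN), makeDocument());
  results.staticEncoded = runScript(staticFilter(ENCODED), makeDocument());
  // Runtime guard: both forms reach the hook as the string "canvas".
  const log = [];
  const doc = makeDocument();
  installCanvasGuard(doc, log);
  results.guardPlain = runScript(PLAIN, doc);
  results.guardEncoded = runScript(ENCODED, doc);
  results.blockedCount = log.length;
  return results;
}
```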

jangdonggun1234

Re: canvas fingerprinting

Unread post by jangdonggun1234 » 2014-11-15, 14:52

That is just what I found. I think there is a way to use JavaScript to override the canvas tag. I've tried to override createElement with a prompt dialog to confirm whether you want to run the createElement command or not, but never tried to override the canvas tag. Maybe Moonchild, do you know how to override an HTML tag using JavaScript?

Moonchild

Re: canvas fingerprinting

Unread post by Moonchild » 2014-11-15, 19:01

With JavaScript using DOM you can do anything with the document tree you want. That includes changing HTML tags, deleting nodes, inserting other nodes, etc.