Prevent <canvas> fingerprinting
A browser can be fingerprinted using toDataURL() or getImageData() methods for <canvas> elements, simply due to differences in the way graphics are rendered. This has been documented for quite some time.
Can Pale Moon be made to return fake data for the two functions? Ideally, this would just alter the pixel values by a very small margin (e.g. actual=(100, 100, 100, 0), returned = (101, 100, 99, 0)), but returning fake data (randomised or all of them set to, say, (0, 0, 0, 0)) would also be acceptable, although probably more detectable.
This could be behind a pref and disabled by default, but having this would be nice.
Re: Prevent <canvas> fingerprinting
I don't know if sending null data back is a good idea because, for example, my bank creates the TAN generator "picture" with a canvas script.
But if we then have an option to whitelist sites and give fake data or something else to other sites, then this would be great.
Re: Prevent <canvas> fingerprinting
Very small margins can just as easily be fuzzed, so it won't make a difference re: fingerprinting. An image has a lot of data, and as current search engines' "similar images" and face recognition will show, even visually different images are very easily matched to the same source.
Nulling out the functions, making them unavailable or otherwise mangling the data would both be against the specification and generally against the principle behind accurate representation of content. Nulling it out or mangling beyond invisible margins would also be detrimental to the use of canvas as an essential element.
Instead, you should simply block requests to the very very small number of companies that do this kind of fingerprinting, e.g. by using ABL.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Prevent <canvas> fingerprinting
Moonchild wrote: by using ABL.
Sorry but no. ABL is very slow like ABP or ABE because of too long & inefficient filterlists.
Re: Prevent <canvas> fingerprinting
Off-topic:
dark_moon wrote:
Moonchild wrote: by using ABL.
Sorry but no. ABL is very slow like ABP or ABE because of too long & inefficient filterlists.
Please don't hijack this thread by repeating what you have already made very clear in other threads. Any potential performance drawback of the Adblock family is not the issue here (and your choice of filter subscription should not even matter - you can use it just with custom rules, anyway). Note the "e.g." there? It's an example given.
Re: Prevent <canvas> fingerprinting
Moonchild wrote: you should simply block requests to the very very small number of companies that do this kind of fingerprinting, e.g. by using ABL.
Blocking network requests is not the way to do this. The adversary could combine this data along with other essential data, and effectively cripple your site access.
Also, a person cannot be reasonably expected to analyse the JS content of each site they visit, for sites not having any rules in the configuration.
Moonchild wrote: Nulling out the functions, making them unavailable or otherwise mangling the data would both be against the specification and generally against the principle behind accurate representation of content.
I think you may have misunderstood my post. This feature request asks that the data returned from toDataURL() and getImageData() be mangled, and not the canvas data itself. Also, this will be behind a pref and disabled by default, so I'm not really seeing the problem.
Of course, this can lead to a certain number of problems e.g. JS on a site tries to invert the colours of content on a canvas, and since returned content is r=0,g=0,b=0,a=0, all the user gets is a black screen. But that is a problem privacy conscious users are willing to put up with. Introduction of slight error margins circumvents this problem, but this might be difficult to do, so I would find returning fake data an acceptable measure.
Moonchild wrote: An image has a lot of data, and as current search engines' "similar images" and face recognition will show, even visually different images are very easily matched to the same source.
If you were to apply image processing techniques, then all images would come out to be similar, which would make fingerprinting useless. This isn't the motivation here -- each configuration is different, and one can take into account those small differences to identify that configuration uniquely.
Just FYI, you don't fingerprint users by sending the whole canvas data, you just send the checksum of the data for the fingerprinting purposes.
Re: Prevent <canvas> fingerprinting
I support this endeavor to increase users' privacy and I have to vent some frustration over the fact that many people seem to be so inert on taking the necessary steps to keep up with "the bad guys". It's not just this problem (or even privacy/security problems as a whole) and PM, mind you. Consider Fx who are still supporting old processors and OSes, keeping (arguably) unnecessary legacy and suffering in performance as a result. Consider OpenSSL as opposed to LibreSSL: LibreSSL is so much more superior, leaner and just plain better. It should be a no-brainer to ditch OpenSSL and never ever look back. OpenSSL even literally does not want to improve and still leaves SSL3 and even SSL2 enabled by default. All this inertia and this unwillingness to implement novel ideas or to even keep up with the times is just frustrating.
I am pretty sure that you could find novel algorithms and logic to implement measures that keep important functions running, but make them unable to be misused. This topic could just be one of these measures. Another one would be this idea from the user Thrawn of the Noscript Forum (Noscript is an addon developed by Giorgio Maone): https://forums.informaction.com/viewtop ... 19&t=20635 Idea: rate-limiting in browsers
Keep in mind that this is not specific to Pale Moon, but this is relevant to this topic, as I think that fingerprinting should be curtailed and there should and can be novel ways to do it and not inhibit UX in the process.
Re: Prevent <canvas> fingerprinting
It is impossible to curtail fingerprinting. It is not unwillingness to address the issue, it is the fact that apart from basic measures you can take without impacting actual functionality of the software you're using, there is no way to mitigate advanced profiling that draws from multiple channels and sources. I remind you that a browser is a client that should enable access to content on the web - not block it.
Please see my blog post about the internet being a public place. If you want perfect privacy, then you should not use the open internet, or limit yourself to dark or mesh nets.
Re: Prevent <canvas> fingerprinting
Fingerprinting is certainly difficult to prevent, but some basic measures can go a long way; this would be one of them.
I also don't see why it would be "blocking content" -- Pale Moon also has prefs for disabling JS and spoofing referers, those are not considered to be a hindrance to browsing.
If it is difficult to implement, I'm sure people can certainly wait for it.
Off-topic:
Going into a dark cave is not a reasonable solution either. But one can expect a reasonable degree of privacy measures implemented into software. (I believe that this request is reasonable.)
You also seem to be very optimistic about institutional changes, but I have to say that your confidence is a bit misplaced. That conversation though, is for another thread.
Re: Prevent <canvas> fingerprinting
Off-topic:
Moonchild, did you check the link squarefractal posted? Especially the code? Something like this would be very nice and give PM a big security feature which no other browser has!
Anyway, you write that you will not include this as a privacy feature, but in PM 24.6 you included the "Shuffle reported plugin installation order to confuse trackers" feature, which is a privacy feature too.
But okay, it looks like we need help from the canvas blocker addon dev.
Re: Prevent <canvas> fingerprinting
Off-topic:
@dark_moon: that is neither my code nor does it have any bearing on this thread. AFAICT it's a Noscript surrogate that blocks XHRs beyond a particular limit.
BTW, for those who want to see a demo of this unique fingerprinting, I made one myself: https://d.maxfile.ro/wesrmfxncm.html
Last edited by squarefractal on 2015-06-04, 16:28, edited 2 times in total.
Re: Prevent <canvas> fingerprinting
Yes, I know this isn't your script. Uhm, maybe I wrote it wrong.
Do you know how I can include this script in my NoScript?
Re: Prevent <canvas> fingerprinting
Your mistake is that it's Scrounger who posted the link to it, not squarefractal.
Re: Prevent <canvas> fingerprinting
Moonchild wrote: It is impossible to curtail fingerprinting. It is not unwillingness to address the issue, it is the fact that apart from basic measures you can take without impacting actual functionality of the software you're using, there is no way to mitigate advanced profiling that draws from multiple channels and sources. I remind you that a browser is a client that should enable access to content on the web - not block it.
Please see my blog post about the internet being a public place. If you want perfect privacy, then you should not use the open internet, or limit yourself to dark or mesh nets.
Off-topic:
I just want to head this off by saying I am so glad that PM exists and that you care about us and develop this browser while simultaneously being open and approachable for everyone no matter how insignificant we are. On Fx and definitely every other browser we could do jack and I want to stress that I am happy you will listen to us and acknowledge our worries. I think there is lots of inertia and unwillingness, but I am frustrated by major corporations and not you. I wanted to clarify this. It's sad that those who care about other people enough have to listen to the most "input" if you will, whereas companies just block everything and people still flock to their products.
This is a sad perversion that can be spun all the way to what we are talking about here. Yes, the internet is public and this is what it should be. Still, in public you will not get stalked by 100 different crooked people intent on snooping out everything about your life and analyzing/marking everything about you in order to identify and track you, no matter where you are. There is the public and then there is maliciousness. It is these malicious people that will pervert useful functions of the internet and turn them into privacy busting surveillance tools. You know this yourself: what about the HSTS pref you bestowed us. This is wonderful and that is also why I know you understand what I mean, deep within.
This thread and the idea of Thrawn I linked to are simple mitigations that are based on ingenious insight into how normal people use the internet or how it functions and how malicious people pervert it. Normal behavior is predictable and I am convinced that crooked behavior also has repeating patterns. It is these patterns that ingenious algorithms and mitigations can detect and block, while leaving normal browsing unaffected. Look at the Hitmanpro-Family of security-products from the developer surfright (no plug intended, but they are a perfect example of what I want to get at here). They do not use virus signatures but logic in what viruses and other malware usually do, in order to stop them.
To go back to the analogy above. You go into the public, but you're shielded from the stalkers who misuse the functionality the public provides.
Off-topic:
@ others: this code has no bearing on this thread, but rate-limiting in browsers as Thrawn envisioned it is not supposed to be a Noscript Surrogate Script (which is clearly stated in that thread), but a full-fledged security feature for browsers. It is not the code, but the idea behind the code that would be a simple mitigation that does not inhibit UX, but increases security and makes you pretty much impervious to many attacks on TLS. I quoted it, because that idea is simple and effective like yours, frustrating me, because no one (especially not major browser vendors) even considers putting it in or at least testing it.
Re: Prevent <canvas> fingerprinting
Rate limiting: Has nothing to do with Canvas or this thread, since it is a rate limiting on XHR that is meant to somehow mitigate SSL/TLS probing (like attackers would ever use a browser for that kind of thing?) and it will in fact cripple many web applications. As such it is related to this thread by being a perfect example of a measure that will negatively impact the browser's capabilities.
Shuffling plugin order for enumeration: Has no impact on the user experience and is perfectly harmless to do from a user experience point of view.
Canvas blocking: Will prevent e.g. many canvas games from working properly and limits the capabilities of the browser. As an example, as a game dev, I would want to grab sprites as a single resource and then pull individual frames/tiles out of the resource to use for animation to prevent connection flooding (of downloading 100 tiles of a few hundred bytes each instead of 1 sheet). If you block being able to grab graphics data from a canvas, then this is no longer possible. Just as a random example.
Stalking/monitoring in public: You apparently have no idea exactly on how many cameras you're caught, let alone everyone and their uncle having GPS-enabled, constantly pinging smartphones on them. On the other hand, if you think that every move you make on the internet is "being stalked by 100 different crooked people intent on snooping out everything about your life" then you're being rather paranoid.
Also, the trick on the internet is.. let them stalk all they want, just don't give them anything that's actually useful. Use common sense.
To get back to the main reason for this thread: If there is a good way to prevent canvas fingerprinting that does not impact browser capabilities or block parts of the feature set as-intended and as-used by legitimate applications, then I'm all ears.
Re: Prevent <canvas> fingerprinting
Note to mod: can we have the offtopic posts moved to a different thread?
BTW, Moonchild, are you not reading my posts? I believe that I have answered these questions, but nevermind.
Moonchild wrote: I would want to grab sprites as a single resource and then pull individual frames/tiles out of the resource to use for animation
* This will be behind a pref that's disabled by default.
* Most privacy-conscious users will be happy to make this tradeoff...
* ... just as long as it doesn't stop script execution (some Firefox extensions implement such features by throwing an exception)
Moonchild wrote: If there is a good way to prevent canvas fingerprinting that does not impact browser capabilities or block parts of the feature set as-intended and as-used by legitimate applications, then I'm all ears.
The functions return data with very small error margins, i.e.:
Iterate over all the pixels, and vary their r, g, b, a components by a very small value randomly, e.g. -2 <= x <= 2 for the r, g, b values etc.
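The per-pixel margin proposed in the post above, as an added example that is not part of the original thread and is not Pale Moon code: it perturbs a copy of RGBA data laid out the way getImageData() returns it, and reports how an exact checksum and the per-channel error behave across two reads. The function names, the FNV-1a checksum, the seeded PRNG and the choice to leave alpha untouched are assumptions made for the demo.

```javascript
// Added example: noise applied to a COPY of canvas pixel data on read-out.
// All names here are hypothetical; nothing below is browser or Pale Moon code.

// 32-bit FNV-1a, standing in for the "checksum of the data" a script would send.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (let i = 0; i < bytes.length; i++) {
    h ^= bytes[i];
    h = Math.imul(h, 0x01000193);
  }
  return h >>> 0;
}

// Small seeded PRNG so the demo is reproducible (assumption: a real
// implementation would draw from the platform CSPRNG instead).
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Returns a perturbed copy; the input (the canvas backing store) is not modified.
function perturbPixels(rgba, rand, margin = 2) {
  const out = new Uint8ClampedArray(rgba.length);
  for (let i = 0; i < rgba.length; i += 4) {
    for (let c = 0; c < 3; c++) {
      // Uniform integer in [-margin, +margin], clamped to the 0..255 byte range.
      const delta = Math.floor(rand() * (2 * margin + 1)) - margin;
      out[i + c] = Math.min(255, Math.max(0, rgba[i + c] + delta));
    }
    out[i + 3] = rgba[i + 3]; // alpha kept as-is (assumption, matches the (.., 0) example)
  }
  return out;
}

// Largest absolute per-channel difference between two buffers of equal length.
function maxChannelDelta(a, b) {
  let m = 0;
  for (let i = 0; i < a.length; i++) m = Math.max(m, Math.abs(a[i] - b[i]));
  return m;
}

// Constructed sample input: a 16x16 opaque gradient, not real canvas output.
function samplePixels() {
  const px = new Uint8ClampedArray(16 * 16 * 4);
  for (let i = 0; i < px.length; i += 4) {
    const n = i / 4;
    px[i] = n % 256;
    px[i + 1] = (n * 3) % 256;
    px[i + 2] = 255 - (n % 256);
    px[i + 3] = 255;
  }
  return px;
}

// Two simulated reads of the same canvas with independent noise.
function demo() {
  const original = samplePixels();
  const readA = perturbPixels(original, mulberry32(1));
  const readB = perturbPixels(original, mulberry32(2));
  return {
    originalHash: fnv1a(original),
    hashA: fnv1a(readA),
    hashB: fnv1a(readB),
    maxDelta: Math.max(maxChannelDelta(original, readA), maxChannelDelta(original, readB)),
  };
}
```

The exact checksum differs on every read while no channel moves by more than the margin; a comparison that tolerates a per-channel difference of that size would still match the reads, which is the objection raised earlier in the thread.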
Re: Prevent <canvas> fingerprinting
I also think it's impossible to prevent fingerprinting unless.. you break the whole web, or believing that you can achieve that by using.. an addon.
In fact, you can, but then we are talking about ''solutions born from paranoia..''.
Re: Prevent <canvas> fingerprinting
BlablablasuperA wrote: I also think it's impossible to prevent fingerprinting unless.. you break the whole web, or believing that you can achieve that by using.. an addon.
In fact, you can, but then we are talking about ''solutions born from paranoia..''.
Such posts without ANY point (or wrong to the point of absurd "impossible to prevent unless you break the whole web") but just attacks on others are terribly infuriating.
Re: Prevent <canvas> fingerprinting
Off-topic:
Moonchild wrote: Stalking/monitoring in public: You apparently have no idea exactly on how many cameras you're caught, let alone everyone and their uncle having GPS-enabled, constantly pinging smartphones on them
No need for cameras and phones or any technology.
Try living in a small town, where the municipal secretary reports to your mother that you have been at the office…
Re: Prevent <canvas> fingerprinting
Supernova wrote:
BlablablasuperA wrote: I also think it's impossible to prevent fingerprinting unless.. you break the whole web, or believing that you can achieve that by using.. an addon.
In fact, you can, but then we are talking about ''solutions born from paranoia..''.
Such posts without ANY point (or wrong to the point of absurd "impossible to prevent unless you break the whole web") but just attacks on others are terribly infuriating.
Of course I don't attack anybody, I like defence instead.
Please, if you know any other way than have a browser that would lie furiously about its characteristics, your fonts, without flash or addons or run multiple distros in different VMs, with different screen resolution, time and UAs, let me know.