Prevent <canvas> fingerprinting

squarefractal

Prevent <canvas> fingerprinting

Unread post by squarefractal » 2015-06-03, 15:37

A browser can be fingerprinted using toDataURL() or getImageData() methods for <canvas> elements, simply due to differences in the way graphics are rendered. This has been documented for quite some time.

Can Pale Moon be made to return fake data for the two functions? Ideally, this would just alter the pixel values by a very small margin (e.g. actual=(100, 100, 100, 0), returned = (101, 100, 99, 0)), but returning fake data (randomised or all of them set to, say, (0, 0, 0, 0)) would also be acceptable, although probably more detectable.

This could be behind a pref and disabled by default, but having this would be nice.

dark_moon

Re: Prevent <canvas> fingerprinting

Unread post by dark_moon » 2015-06-03, 15:52

I don't know if sending null data back is a good idea, because for example my bank creates the TAN generator "picture" with a canvas script.
But if we then have an option to whitelist sites and give fake data or something else to other sites, then this would be great :D

Moonchild
Pale Moon guru
Posts: 35648
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Prevent <canvas> fingerprinting

Unread post by Moonchild » 2015-06-03, 17:04

Very small margins can just as easily be fuzzed, so it won't make a difference re: fingerprinting. An image has a lot of data, and as current search engines' "similar images" and face recognition will show, even visually different images are very easily matched to the same source.

Nulling out the functions, making them unavailable or otherwise mangling the data would both be against the specification and generally against the principle behind accurate representation of content. Nulling it out or mangling beyond invisible margins would also be detrimental to the use of canvas as an essential element.

Instead, you should simply block requests to the very very small number of companies that do this kind of fingerprinting, e.g. by using ABL.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

dark_moon

Re: Prevent <canvas> fingerprinting

Unread post by dark_moon » 2015-06-03, 17:26

Moonchild wrote:by using ABL.
Sorry but no. ABL is very slow like ABP or ABE because of too long & inefficient filterlists.

Moonchild

Re: Prevent <canvas> fingerprinting

Unread post by Moonchild » 2015-06-03, 18:43

Off-topic:
dark_moon wrote:
Moonchild wrote:by using ABL.
Sorry but no. ABL is very slow like ABP or ABE because of too long & inefficient filterlists.
Please don't hijack this thread by repeating what you have already made very clear in other threads. Any potential performance drawback of the Adblock family is not the issue here (and your choice of filter subscription should not even matter - you can use it just with custom rules, anyway). Note the "e.g." there? It's an example given.

squarefractal

Re: Prevent <canvas> fingerprinting

Unread post by squarefractal » 2015-06-04, 06:22

you should simply block requests to the very very small number of companies that do this kind of fingerprinting, e.g. by using ABL.
Blocking network requests is not the way to do this. The adversary could combine this data along with other essential data, and effectively cripple your site access.
Also, a person cannot be reasonably expected to analyse the JS content of each site they visit, for sites not having any rules in the configuration.
Moonchild wrote:Nulling out the functions, making them unavailable or otherwise mangling the data would both be against the specification and generally against the principle behind accurate representation of content.
I think you may have misunderstood my post. This feature request asks that the data returned from toDataURL() and getImageData() be mangled, and not the canvas data itself. Also, this will be behind a pref and disabled by default, so I'm not really seeing the problem.

Of course, this can lead to a certain number of problems e.g. JS on a site tries to invert the colours of content on a canvas, and since returned content is r=0,g=0,b=0,a=0, all the user gets is a black screen. But that is a problem privacy conscious users are willing to put up with. Introduction of slight error margins circumvents this problem, but this might be difficult to do, so I would find returning fake data an acceptable measure.
Moonchild wrote:An image has a lot of data, and as current search engines' "similar images" and face recognition will show, even visually different images are very easily matched to the same source.
If you were to apply image processing techniques, then all images would come out to be similar, which would make fingerprinting useless. This isn't the motivation here -- each configuration is different, and one can take into account those small differences to identify that configuration uniquely.

Just FYI, you don't fingerprint users by sending the whole canvas data, you just send the checksum of the data for the fingerprinting purposes.

Scrounger

Re: Prevent <canvas> fingerprinting

Unread post by Scrounger » 2015-06-04, 10:48

I support this endeavor to increase users' privacy and I have to vent some frustration over the fact that many people seem to be so inert on taking the necessary steps to keep up with "the bad guys". It's not just this problem (or even privacy/security problems as a whole) and PM, mind you. Consider Fx who are still supporting old processors and OS'es, keeping (arguably) unnecessary legacy and suffering in performance as a result. Consider OpenSSL as opposed to LibreSSL: LibreSSL is so much more superior, leaner and just plain better. It should be a no-brainer to ditch OpenSSL and never ever look back. OpenSSL even literally does not want to improve and still leaves SSL3 and even SSL2 enabled by default. All this inertia and this unwillingness to implement novel ideas or to even keep up with the times is just frustrating.

I am pretty sure that you could find novel algorithms and logic to implement measures that keep important functions running, but make them unable to be misused. This topic could just be one of these measures. Another one would be this idea from the user Thrawn of the Noscript Forum (Noscript is an addon developed by Giorgio Maone): https://forums.informaction.com/viewtop ... 19&t=20635 Idea: rate-limiting in browsers

Keep in mind that this is not specific to Pale Moon, but this is relevant to this topic, as I think that fingerprinting should be curtailed and there should and can be novel ways to do it and not inhibit UX in the process.

Moonchild

Re: Prevent <canvas> fingerprinting

Unread post by Moonchild » 2015-06-04, 12:44

It is impossible to curtail fingerprinting. It is not unwillingness to address the issue, it is the fact that apart from basic measures you can take without impacting actual functionality of the software you're using, there is no way to mitigate advanced profiling that draws from multiple channels and sources. I remind you that a browser is a client that should enable access to content on the web - not block it.

Please see my blog post about the internet being a public place. If you want perfect privacy, then you should not use the open internet, or limit yourself to dark or mesh nets.

squarefractal

Re: Prevent <canvas> fingerprinting

Unread post by squarefractal » 2015-06-04, 14:43

Fingerprinting is certainly difficult to prevent, but some basic measures can go a long way; this would be one of them.

I also don't see why it would be "blocking content" -- Pale Moon also has prefs for disabling JS and spoofing referers, those are not considered to be a hindrance to browsing.

If it is difficult to implement, I'm sure people can certainly wait for it.
Off-topic:
Going into a dark cave is not a reasonable solution either. But one can expect a reasonable degree of privacy measures implemented into software. (I believe that this request is reasonable.)

You also seem to be very optimistic about institutional changes, but I have to say that your confidence is a bit misplaced. That conversation though, is for another thread.

dark_moon

Re: Prevent <canvas> fingerprinting

Unread post by dark_moon » 2015-06-04, 15:27

Off-topic:
Moonchild, did you check the link squarefractal posted? Especially the code? Something like this would be very nice and give PM a big security feature which no other browser has!
Anyway, you write that you will not include this as a privacy feature, but in PM 24.6 you included the "Shuffle reported plugin installation order to confuse trackers" feature, which is a privacy feature too.
But okay, it looks like we need the help of the canvas blocker addon dev.

squarefractal

Re: Prevent <canvas> fingerprinting

Unread post by squarefractal » 2015-06-04, 15:48

Off-topic:
@dark_moon: that is neither my code nor does it have any bearing on this thread. AFAICT it's a Noscript surrogate that blocks XHRs beyond a particular limit.
BTW, for those who want to see a demo of this unique fingerprinting, I made one myself: https://d.maxfile.ro/wesrmfxncm.html
As expected, different results in different browsers! (Tested on Linux x64)
Opera 29.0.1795.60: b061a75af3139f5d93c734b6d48b0b56c054f96771216424335cc99396f7e20f
FF 38.0.5: 0dacff51bd3e0801380a5232d22fdfbe3b614e7d65c225278578d6a0ebc33a4c
PM 25.4.1: 733f58b40f4821584556593f47e3d243829887b30dd15d27b41fca2663927d95
Last edited by squarefractal on 2015-06-04, 16:28, edited 2 times in total.

dark_moon

Re: Prevent <canvas> fingerprinting

Unread post by dark_moon » 2015-06-04, 15:50

Yes, I know this isn't your script. Uhm, maybe I wrote it wrong.
Do you know how I can include this script in my NoScript?

Supernova

Re: Prevent <canvas> fingerprinting

Unread post by Supernova » 2015-06-04, 20:42

Your mistake is that it's Scrounger who posted the link to it, not squarefractal. ;)

Scrounger

Re: Prevent <canvas> fingerprinting

Unread post by Scrounger » 2015-06-05, 08:18

Moonchild wrote:It is impossible to curtail fingerprinting. It is not unwillingness to address the issue, it is the fact that apart from basic measures you can take without impacting actual functionality of the software you're using, there is no way to mitigate advanced profiling that draws from multiple channels and sources. I remind you that a browser is a client that should enable access to content on the web - not block it.

Please see my blog post about the internet being a public place. If you want perfect privacy, then you should not use the open internet, or limit yourself to dark or mesh nets.
Off-topic:
I just want to head this off by saying I am so glad that PM exists and that you care about us and develop this browser while simultaneously being open and approachable for everyone no matter how insignificant we are. On Fx and definitely every other browser we could do jack and I want to stress that I am happy you will listen to us and acknowledge our worries. I think there is lots of inertia and unwillingness, but I am frustrated by major corporations and not you. I wanted to clarify this. It's sad that those who care about other people enough have to listen to the most "input" if you will, whereas companies just block everything and people still flock to their products.
This is a sad perversion that can be spun all the way to what we are talking about here. Yes, the internet is public and this is what it should be. Still, in public you will not get stalked by 100 different crooked people intent on snooping out everything about your life and analyzing/marking everything about you in order to identify and track you, no matter where you are. There is the public and then there is maliciousness. It is these malicious people that will pervert useful functions of the internet and turn them into privacy busting surveillance tools. You know this yourself: what about the HSTS pref you bestowed us. This is wonderful and that is also why I know you understand what I mean, deep within.

This thread and the idea of Thrawn I linked to are simple mitigations that are based on ingenious insight into how normal people use the internet or how it functions and how malicious people pervert it. Normal behavior is predictable and I am convinced that crooked behavior also has repeating patterns. It is these patterns that ingenious algorithms and mitigations can detect and block, while leaving normal browsing unaffected. Look at the Hitmanpro-Family of security-products from the developer surfright (no plug intended, but they are a perfect example of what I want to get at here). They do not use virus signatures but logic in what viruses and other malware usually do, in order to stop them.

To go back to the analogy above. You go into the public, but you're shielded from the stalkers who misuse the functionality the public provides.
Off-topic:
@ others: this code has no bearing on this thread, but rate-limiting in browsers as Thrawn envisioned it is not supposed to be a Noscript Surrogate Script (which is clearly stated in that thread), but a full-fledged security feature for browsers. It is not the code, but the idea behind the code that would be a simple mitigation that does not inhibit UX, but increases security and makes you pretty much impervious to many attacks on TLS. I quoted it, because that idea is simple and effective like yours, frustrating me, because no one (especially not major browser vendors) even considers putting it in or at least testing it.

Moonchild

Re: Prevent <canvas> fingerprinting

Unread post by Moonchild » 2015-06-05, 09:00

Rate limiting: Has nothing to do with Canvas or this thread, since it is a rate limiting on XHR that is meant to somehow mitigate SSL/TLS probing (like attackers would ever use a browser for that kind of thing?) and it will in fact cripple many web applications. As such it is related to this thread by being a perfect example of a measure that will negatively impact the browser's capabilities.

Shuffling plugin order for enumeration: Has no impact on the user experience and is perfectly harmless to do from a user experience point of view.

Canvas blocking: Will prevent e.g. many canvas games from working properly and limits the capabilities of the browser. As an example, as a game dev, I would want to grab sprites as a single resource and then pull individual frames/tiles out of the resource to use for animation to prevent connection flooding (of downloading 100 tiles of a few hundred bytes each instead of 1 sheet). If you block being able to grab graphics data from a canvas, then this is no longer possible. Just as a random example.

Stalking/monitoring in public: You apparently have no idea exactly on how many cameras you're caught, let alone everyone and their uncle having GPS-enabled, constantly pinging smartphones on them ;) On the other hand, if you think that every move you make on the internet is "being stalked by 100 different crooked people intent on snooping out everything about your life" then you're being rather paranoid.
Also, the trick on the internet is.. let them stalk all they want, just don't give them anything that's actually useful. Use common sense.

To get back to the main reason for this thread: If there is a good way to prevent canvas fingerprinting that does not impact browser capabilities or block parts of the feature set as-intended and as-used by legitimate applications, then I'm all ears.

squarefractal

Re: Prevent <canvas> fingerprinting

Unread post by squarefractal » 2015-06-05, 10:35

Note to mod: can we have the offtopic posts moved to a different thread?

BTW, Moonchild, are you not reading my posts? I believe that I have answered these questions, but never mind.
Moonchild wrote:I would want to grab sprites as a single resource and then pull individual frames/tiles out of the resource to use for animation
* This will be behind a pref that's disabled by default.
* Most privacy-conscious users will be happy to make this tradeoff...
* ... just as long as it doesn't stop script execution (some Firefox extensions implement such features by throwing an exception)
Moonchild wrote:If there is a good way to prevent canvas fingerprinting that does not impact browser capabilities or block parts of the feature set as-intended and as-used by legitimate applications, then I'm all ears.
The functions return data with very small error margins, i.e.:
Iterate over all the pixels, and vary their r, g, b, a components by a very small value randomly, e.g. -2 <= x <= 2 for the r, g, b values etc.
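
Added example (not part of the thread and not Pale Moon code): a sketch of the per-component perturbation proposed above, applied to an RGBA byte buffer laid out like `ImageData.data`, showing its effect on a checksum of the returned pixels. All function names, the seeded PRNG and the FNV-1a checksum are assumptions chosen for illustration; the sample buffer is constructed.

```javascript
// Added illustration; every name here is hypothetical, none is Pale Moon code.

// Seeded PRNG (mulberry32) so the run is reproducible. A browser would use a
// per-session or per-read random source instead of a fixed seed.
function mulberry32(seed) {
  let a = seed | 0;
  return function () {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Return a copy of an RGBA byte buffer with each component shifted by a random
// integer in [-margin, margin]. The input buffer is left untouched.
// Uint8ClampedArray clamps results to 0..255, so no channel wraps around.
function perturbPixels(data, rand, margin = 2) {
  const out = new Uint8ClampedArray(data.length);
  for (let i = 0; i < data.length; i++) {
    out[i] = data[i] + Math.floor(rand() * (2 * margin + 1)) - margin;
  }
  return out;
}

// FNV-1a (32-bit), a stand-in for whatever checksum a script computes over the
// pixel data before sending it.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h = Math.imul(h ^ b, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Largest per-component difference between two equally sized buffers.
function maxChannelDelta(a, b) {
  let max = 0;
  for (let i = 0; i < a.length; i++) max = Math.max(max, Math.abs(a[i] - b[i]));
  return max;
}

// Constructed sample: a 4x4 RGBA buffer standing in for getImageData().data.
const original = Uint8ClampedArray.from({ length: 64 }, (_, i) => (i * 37 + 11) % 256);

// Two reads of the same canvas content with different random streams.
const readA = perturbPixels(original, mulberry32(1));
const readB = perturbPixels(original, mulberry32(2));

console.log("checksum, unmodified:", fnv1a(original));
console.log("checksum, read A    :", fnv1a(readA));
console.log("checksum, read B    :", fnv1a(readB));
console.log("max component delta :", maxChannelDelta(original, readA));
```

The exact checksum changes on every read, while no component moves by more than the margin, so the output stays usable for scripts that read pixels back. The same bound is why this only defeats exact-match checksums, which is the objection about small margins raised earlier in the thread.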

superA

Re: Prevent <canvas> fingerprinting

Unread post by superA » 2015-06-05, 11:37

I also think it's impossible to prevent fingerprinting unless... you break the whole web, or believing that you can achieve that by using... an addon.

In fact, you can, but then we are talking about "solutions born from paranoia...".

Supernova

Re: Prevent <canvas> fingerprinting

Unread post by Supernova » 2015-06-05, 11:45

superA wrote:I also think it's impossible to prevent fingerprinting unless... you break the whole web, or believing that you can achieve that by using... an addon.

In fact, you can, but then we are talking about "solutions born from paranoia...".
Blablabla
Such posts without ANY point (or wrong to the point of absurd "impossible to prevent unless you break the whole web") but just attacks on others are terribly infuriating.

ikar-us

Re: Prevent <canvas> fingerprinting

Unread post by ikar-us » 2015-06-05, 12:02

Off-topic:
Moonchild wrote:Stalking/monitoring in public: You apparently have no idea exactly on how many camera's you're caught, let alone everyone and their uncle having GPS-enabled, constantly pinging smartphones on them ;)
No need for cameras and phones or any technology.
Try living in a small town, where the municipal secretary reports to your mother that you have been at the office…

superA

Re: Prevent <canvas> fingerprinting

Unread post by superA » 2015-06-05, 14:41

Supernova wrote:
superA wrote:I also think it's impossible to prevent fingerprinting unless... you break the whole web, or believing that you can achieve that by using... an addon.

In fact, you can, but then we are talking about "solutions born from paranoia...".
Blablabla
Such posts without ANY point (or wrong to the point of absurd "impossible to prevent unless you break the whole web") but just attacks on others are terribly infuriating.
Of course I don't attack anybody, I like defence instead.

Please, if you know any other way than have a browser that would lie furiously about its characteristics, your fonts, without Flash or addons, or run multiple distros in different VMs, with different screen resolution, time and UAs, let me know.