getClientRects fingerprinting and Pale Moon

Sampei Nihira
Apollo supporter
Posts: 35
Joined: Tue, 03 Apr 2018, 16:17

Unread postby Sampei Nihira » Sat, 13 Oct 2018, 15:03

Pale Moon, even with the setting "Canvas.Poisondata" set to true, fails the specific test named in the title of the thread.

Some more information at the link below:

http://jcarlosnorte.com/security/2016/0 ... nting.html

Test:

https://browserleaks.com/rects

The test can be repeated several times, but the values "Full Hash" and "Hash String 1/2/3" are always the same.

Is it possible to avoid this?

__________________________________

With Basilisk just install the CanvasBlocker extension.

yami_
Fanatic
Posts: 205
Joined: Thu, 26 Apr 2018, 11:05

Re: getClientRects fingerprinting and Pale Moon

Unread postby yami_ » Sat, 13 Oct 2018, 15:19

This has nothing to do with HTML5 canvas. If you want to change those values just change the default font.
cat came back from Berkeley waving flags
- rob pike

Sampei Nihira
Apollo supporter
Posts: 35
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

Unread postby Sampei Nihira » Mon, 15 Oct 2018, 06:00

The point is to avoid possible tracking.

Both the developer of Canvas Blocker and others think so:

https://github.com/kkapsner/CanvasBlocker/issues/236

Moonchild
Pale Moon guru
Posts: 22287
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: getClientRects fingerprinting and Pale Moon

Unread postby Moonchild » Wed, 17 Oct 2018, 08:45

It's a web API that is needed for some responsive sites to function. If you want to prevent fingerprinting with it you should find or create an extension that blocks the use of this API (e.g. by overloading the relevant functions)
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

Sampei Nihira
Apollo supporter
Posts: 35
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

Unread postby Sampei Nihira » Wed, 17 Oct 2018, 16:57

Hi Moonchild.
I asked KKapsner if it would be possible to develop a Legacy version of Canvas Blocker with the protection feature in question which is available from version 0.5.4.

His answer:

Unfortunately I do not have the time to create (and maintain) a new legacy version of CB. The changes I would have to make are just too big.

Sorry.

Moonchild
Pale Moon guru
Posts: 22287
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: getClientRects fingerprinting and Pale Moon

Unread postby Moonchild » Wed, 17 Oct 2018, 18:40

Well, to quote your quoted person:
"Unfortunately I do not have the time to create (and maintain) a new legacy version of CB."

Find someone who can.

Fedor2
Astronaut
Posts: 553
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

Unread postby Fedor2 » Wed, 17 Oct 2018, 23:33

Sure, I unfortunately do not have the time to create (and maintain) it either.
But that is an important thing for me; I know that extension, used it before canvas poison, and it's not enough now.
I shall poke at the code, and if I succeed I shall share what and where to patch in the old version; 3.5, as far as I know, was working.

Sampei Nihira
Apollo supporter
Posts: 35
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

Unread postby Sampei Nihira » Thu, 18 Oct 2018, 17:10

Thank you very much, Fedor2.
I await your news on this.

Sampei Nihira
Apollo supporter
Posts: 35
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

Unread postby Sampei Nihira » Sun, 21 Oct 2018, 10:21

Even "Trace":

https://addons.mozilla.org/en-US/firefo ... ble-trace/

and

"Chameleon":

https://addons.mozilla.org/en-US/firefo ... eleon-ext/


have this functionality but of course they are webextensions. :thumbdown:

Fedor2
Astronaut
Posts: 553
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

Unread postby Fedor2 » Sat, 27 Oct 2018, 04:24

Well, I made an achievement.

My 3.5 now fakes DOMRect; according to https://browserleaks.com/rects, each new page makes a new value, but when reloading an already opened page the value persists. I consider this the right behavior.

The new version has several new things besides DOMRect, actually three: audio, window and history. They could be added too, yet I have no means to test.

I am asking on GitHub for permission to publish the whole patched addon; I can put it here or on my GitHub.
If I get no permission, I shall write instructions on how to patch.
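
What Moonchild's "overloading the relevant functions" and the behaviour Fedor2 describes above (a new value per page, the same value on reload) can look like, as an added example that is not part of the thread and is not CanvasBlocker's code. All names are hypothetical; `key` is assumed to be a random string the extension picks once per tab, and the stub prototype is constructed so the block runs outside a browser.

```javascript
// FNV-1a 32-bit string hash, used only to derive repeatable noise (not cryptographic).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Sub-pixel offset in [-0.0005, 0.0005] px, fixed for a given (key, field, true value).
function noise(key, field, value) {
  return (fnv1a(key + "|" + field + "|" + value) / 0xffffffff - 0.5) * 0.001;
}

// Copy a rect with noise on x/y/width/height; derived edges stay self-consistent.
// Simplification: returns a plain object, not a real DOMRect.
function fakeRect(rect, key) {
  const out = {};
  for (const f of ["x", "y", "width", "height"]) {
    out[f] = rect[f] + noise(key, f, rect[f]);
  }
  out.left = out.x;
  out.top = out.y;
  out.right = out.x + out.width;
  out.bottom = out.y + out.height;
  return out;
}

// Wrap both rect-returning methods. In a browser, proto would be Element.prototype.
function installRectNoise(proto, key) {
  const origBounding = proto.getBoundingClientRect;
  const origRects = proto.getClientRects;
  proto.getBoundingClientRect = function () {
    return fakeRect(origBounding.call(this), key);
  };
  proto.getClientRects = function () {
    // Simplification: an Array instead of a DOMRectList.
    return Array.from(origRects.call(this), (r) => fakeRect(r, key));
  };
}

// Constructed stand-in for an element with fractional layout values.
function measure(key) {
  const rect = { x: 8, y: 21.4375, width: 304.53125, height: 18.65625 };
  const proto = { getBoundingClientRect: () => rect, getClientRects: () => [rect] };
  installRectNoise(proto, key);
  return { bounding: proto.getBoundingClientRect(), list: proto.getClientRects() };
}
```

Because the offset is derived from the key and the true value rather than drawn at random on each call, a site that measures the same element twice sees identical numbers, while a tab with a different key produces a different hash on the test page.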

Sampei Nihira
Apollo supporter
Posts: 35
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

Unread postby Sampei Nihira » Sat, 27 Oct 2018, 13:53

Good. :thumbup:

Another important feature is Font Fingerprinting:

https://browserleaks.com/fonts

With Pale Moon you cannot use the extension below:

https://addons.mozilla.org/en-US/firefo ... ngerprint/

Can you add this feature?

With Firefox 52 ESR the layout is different from the screenshot inserted by the developer.
I have disabled "privacy.trackingprotection.enabled", but it does not change anything:

Image
Last edited by Sampei Nihira on Sat, 27 Oct 2018, 14:14, edited 2 times in total.

Fedor2
Astronaut
Posts: 553
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

Unread postby Fedor2 » Sun, 04 Nov 2018, 16:00

Take the patched addon; I have added the other faking things but not all those options, they were set to the defaults.

You suggested adding a font-blocking thing too; is this actually reasonable? I can block fonts with NoScript now.

Moderator note: Rogue edited extension with improper versioning removed.
Last edited by Moonchild on Sun, 04 Nov 2018, 16:21, edited 1 time in total.

Fedor2
Astronaut
Posts: 553
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

Unread postby Fedor2 » Sun, 04 Nov 2018, 17:12

A request to the addons team was made.

Sampei Nihira
Apollo supporter
Posts: 35
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

Unread postby Sampei Nihira » Tue, 13 Nov 2018, 19:55

Out:

https://addons.palemoon.org/addon/canvasblocker-legacy/

@ Fedor2

The DOM Rect API protection intervenes everywhere, also on the Google.com webpage.
Is this right?
I have deleted the notification.

Fedor2
Astronaut
Posts: 553
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

Unread postby Fedor2 » Wed, 14 Nov 2018, 16:14

The DOM Rect API protection intervenes anywhere also on the Google.com webpage.


I also noticed that it is used vastly, though not everywhere; I would say not always for fingerprinting purposes, but who knows.

Next I can possibly make it like in the new version: an icon on the browser toolbar, and I shall try to fix some weird stuff, storage by array[hash], which makes an error on Pale Moon 28.

