getClientRects fingerprinting and Pale Moon

Sampei Nihira
Apollo supporter
Posts: 39
Joined: Tue, 03 Apr 2018, 16:17

getClientRects fingerprinting and Pale Moon

by Sampei Nihira » Sat, 13 Oct 2018, 15:03

Pale Moon, even with the setting "Canvas.Poisondata" set to true, fails the specific test named in the title of this thread.

Some more information at the link below:

http://jcarlosnorte.com/security/2016/0 ... nting.html

Test:

https://browserleaks.com/rects

The test can be repeated several times, but the values Full Hash and Hash String 1/2/3 are always the same.

Is it possible to avoid this?

__________________________________

With Basilisk just install the CanvasBlocker extension.

yami_
Fanatic
Posts: 209
Joined: Thu, 26 Apr 2018, 11:05

Re: getClientRects fingerprinting and Pale Moon

by yami_ » Sat, 13 Oct 2018, 15:19

This has nothing to do with HTML5 canvas. If you want to change those values just change the default font.
cat came back from Berkeley waving flags
- rob pike

Sampei Nihira
Apollo supporter
Posts: 39
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

by Sampei Nihira » Mon, 15 Oct 2018, 06:00

The point is to avoid a possible tracking:

Both the developer of Canvas Blocker and others think so:

https://github.com/kkapsner/CanvasBlocker/issues/236

Moonchild
Pale Moon guru
Posts: 22328
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: getClientRects fingerprinting and Pale Moon

by Moonchild » Wed, 17 Oct 2018, 08:45

It's a web API that is needed for some responsive sites to function. If you want to prevent fingerprinting with it you should find or create an extension that blocks the use of this API (e.g. by overloading the relevant functions)
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

Take note: 23 November is Wolfenoot! Eat roast meat and/or cake decorated like the full moon. #wolfenoot

Sampei Nihira
Apollo supporter
Posts: 39
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

by Sampei Nihira » Wed, 17 Oct 2018, 16:57

Hi Moonchild.
I asked KKapsner if it would be possible to develop a Legacy version of Canvas Blocker with the protection feature in question which is available from version 0.5.4.

His answer:

Unfortunately I do not have the time to create (and maintain) a new legacy version of CB. The changes I would have to make are just too big.

Sorry.

Moonchild
Pale Moon guru
Posts: 22328
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: getClientRects fingerprinting and Pale Moon

by Moonchild » Wed, 17 Oct 2018, 18:40

Well, to quote your quoted person:
"Unfortunately I do not have the time to create (and maintain) a new legacy version of CB."

Find someone who can.

Fedor2
Astronaut
Posts: 557
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

by Fedor2 » Wed, 17 Oct 2018, 23:33

Sure, I unfortunately do not have the time to create (and maintain) it either.
But that is an important thing for me; I know that extension, used it before canvas poison, and it's not enough now.
I shall poke at the code, and if I succeed I shall share what and where to patch in the old version; 3.5, as far as I know, was working.

Sampei Nihira
Apollo supporter
Posts: 39
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

by Sampei Nihira » Thu, 18 Oct 2018, 17:10

Thank you very much Fedor 2.
I await your news on this.

Sampei Nihira
Apollo supporter
Posts: 39
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

by Sampei Nihira » Sun, 21 Oct 2018, 10:21

Even "Trace":

https://addons.mozilla.org/en-US/firefo ... ble-trace/

and

"Chameleon":

https://addons.mozilla.org/en-US/firefo ... eleon-ext/


have this functionality but of course they are webextensions. :thumbdown:

Fedor2
Astronaut
Posts: 557
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

by Fedor2 » Sat, 27 Oct 2018, 04:24

Well, I made an achievement.

My 3.5 now does fake DOMRect; according to https://browserleaks.com/rects, each new page makes a new value, but when reloading an already opened page, the value persists. I consider this the right behavior.

The new version has several new things besides DOMRect, actually three: audio, window and history. They could be added too, yet I have no means to test.

I am asking on GitHub to publish the whole patched addon; I can put it here or on my GitHub.
If I get no permission, I shall write instructions on how to patch.
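
Added example, not part of any post in this thread and not CanvasBlocker's code: a sketch of the "overload the relevant functions" approach with the behaviour described above, where one seed per page keeps the faked rects stable across repeated calls and a different seed gives different values. All names (`protectRects`, `FakeElement`, the seeds) are hypothetical, the geometry is constructed, and a stand-in element class replaces `Element.prototype` so it runs outside a browser.

```javascript
// Added illustration; not CanvasBlocker's code. All names here are hypothetical.
// FNV-1a, a small non-cryptographic hash, keeps the sketch dependency-free.
function hash32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193);
  }
  return h >>> 0;
}

// Deterministic offset in [-0.005, 0.005) px derived from (seed, field, value).
function noise(seed, field, value) {
  return (hash32(`${seed}:${field}:${value}`) / 2 ** 32 - 0.5) * 0.01;
}

function fakeRect(seed, r) {
  const x = r.x + noise(seed, "x", r.x);
  const y = r.y + noise(seed, "y", r.y);
  const width = r.width + noise(seed, "width", r.width);
  const height = r.height + noise(seed, "height", r.height);
  return { x, y, width, height, left: x, top: y, right: x + width, bottom: y + height };
}

// Overload both rect getters on a prototype (Element.prototype in a browser).
function protectRects(proto, seed) {
  const origList = proto.getClientRects;
  const origBox = proto.getBoundingClientRect;
  proto.getClientRects = function () {
    return Array.from(origList.call(this), (r) => fakeRect(seed, r));
  };
  proto.getBoundingClientRect = function () {
    return fakeRect(seed, origBox.call(this));
  };
}

// What a rects test page does: reduce the reported geometry to one identifier.
function rectFingerprint(el) {
  const data = JSON.stringify([el.getBoundingClientRect(), ...el.getClientRects()]);
  return hash32(data).toString(16).padStart(8, "0");
}

// Constructed geometry and stand-in element so the sketch runs outside a browser.
const BOX = { x: 8, y: 8.5, width: 211.4666748046875, height: 17 };
function makeElementClass() {
  return class FakeElement {
    getClientRects() { return [{ ...BOX }]; }
    getBoundingClientRect() { return { ...BOX }; }
  };
}
```

The sketch returns plain objects; a real extension would have to return genuine `DOMRect` values and keep the seed out of reach of page scripts.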

Sampei Nihira
Apollo supporter
Posts: 39
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

by Sampei Nihira » Sat, 27 Oct 2018, 13:53

Good. :thumbup:

Another important feature is Font Fingerprinting:

https://browserleaks.com/fonts

With Pale Moon you can not use the extension below:

https://addons.mozilla.org/en-US/firefo ... ngerprint/

Can you add this feature?

With Firefox 52 ESR the layout is different from the screenshot inserted by the developer.
I have disabled "privacy.trackingprotection.enabled", but it does not change anything:

Image
Last edited by Sampei Nihira on Sat, 27 Oct 2018, 14:14, edited 2 times in total.

Fedor2
Astronaut
Posts: 557
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

by Fedor2 » Sun, 04 Nov 2018, 16:00

Take the patched addon; I have added the other faking things, but not all of those options, they were set to the defaults.

You suggested also adding the font blocking thing; is this actually reasonable? I can block fonts with NoScript now.

Moderator note: Rogue edited extension with improper versioning removed.
Last edited by Moonchild on Sun, 04 Nov 2018, 16:21, edited 1 time in total.

Fedor2
Astronaut
Posts: 557
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

by Fedor2 » Sun, 04 Nov 2018, 17:12

A request to the add-ons team was made.

Sampei Nihira
Apollo supporter
Posts: 39
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

by Sampei Nihira » Tue, 13 Nov 2018, 19:55

Out:

https://addons.palemoon.org/addon/canvasblocker-legacy/

@ Fedor2

The DOM Rect API protection intervenes anywhere, also on the Google.com webpage.
Is this right?
I have deleted the notification.

Fedor2
Astronaut
Posts: 557
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

by Fedor2 » Wed, 14 Nov 2018, 16:14

The DOM Rect API protection intervenes anywhere also on the Google.com webpage.


I also noticed that it is used vastly, though not everywhere; I would say not always for fingerprinting purposes, but who knows.

Next I can possibly make it like in the new version, with an icon on the browser toolbar, and I shall try to fix some weird stuff, storage by array[hash], which causes an error on Pale Moon 28.

pm4eva
Apollo supporter
Posts: 33
Joined: Tue, 12 Jun 2018, 10:26
Location: CET

Re: getClientRects fingerprinting and Pale Moon

by pm4eva » Thu, 15 Nov 2018, 02:52

Thank you for Canvas Blocker Legacy

You also can test it here
https://canvasblocker.kkapsner.de/test/

btw. CanvasBlocker 0.5.5 works with Basilisk
Last edited by pm4eva on Thu, 15 Nov 2018, 02:59, edited 2 times in total.
thx and greets

pm4eva
Apollo supporter
Posts: 33
Joined: Tue, 12 Jun 2018, 10:26
Location: CET

Re: getClientRects fingerprinting and Pale Moon

by pm4eva » Fri, 16 Nov 2018, 00:53

Found a bug in version 0.1

If you have installed the addon Stylish or Stylem and you want to edit a userstyle,
and if the option "Protect DomRect API" in CanvasBlockerLegacy is activated,
then Pale Moon will freeze/hang/crash.

System was Win7-32bit
Hope you can fix it.
Last edited by pm4eva on Fri, 16 Nov 2018, 00:57, edited 2 times in total.

Thehandyman1957
Board Warrior
Posts: 1670
Joined: Tue, 19 May 2015, 02:26
Location: Arizona U.S.

Re: getClientRects fingerprinting and Pale Moon

by Thehandyman1957 » Fri, 16 Nov 2018, 01:42

Sampei Nihira wrote:
Out:

https://addons.palemoon.org/addon/canvasblocker-legacy/

@ Fedor2

The DOM Rect API protection intervenes anywhere, also on the Google.com webpage.
Is this right?
I have deleted the notification.


This add on caused major issues with Amazon to the point of dragging the whole
browser down to a crawl. I downloaded it just after the latest update from PM.
It took me an hour to finally figure it out after going through safe mode and then messing with
Ublock settings thinking it was something that had been added to their web page.
I even uninstalled the update and went back to the previous version and it still did it.

After disabling canvasblocker the problem went away. Turn it back on and try to
use Amazon and the whole browser drags to an unusable state.
This was the only site I experienced these problems with. :problem:
“It is difficult to get a man to understand something,
when his salary depends on him not understanding it. Upton Sinclair” ;)

Sampei Nihira
Apollo supporter
Posts: 39
Joined: Tue, 03 Apr 2018, 16:17

Re: getClientRects fingerprinting and Pale Moon

by Sampei Nihira » Fri, 16 Nov 2018, 16:31

The CPU increases to 100.
You need to add the domain to the whitelist.
Or disable scripts.

Fedor2
Astronaut
Posts: 557
Joined: Mon, 11 Apr 2016, 01:26

Re: getClientRects fingerprinting and Pale Moon

by Fedor2 » Fri, 16 Nov 2018, 17:11

This add on caused major issues with Amazon


The issue exists indeed, and possibly the bug with Stylish is because of it too; certainly I will try to fix it.

