getClientRects fingerprinting and Pale Moon

Sampei Nihira


Unread post by Sampei Nihira » 2018-10-13, 15:03

Pale Moon, even with the setting "Canvas.Poisondata" set to true, fails the specific test named in the thread title.

Some more information at the link below:

http://jcarlosnorte.com/security/2016/0 ... nting.html

Test:

https://browserleaks.com/rects

The test can be repeated several times, but the values

Full Hash and Hash String 1/2/3

are always the same.

Is it possible to avoid this?

__________________________________

With Basilisk just install the CanvasBlocker extension.

yami_

Re: getClientRects fingerprinting and Pale Moon

Unread post by yami_ » 2018-10-13, 15:19

This has nothing to do with HTML5 canvas. If you want to change those values just change the default font.

Sampei Nihira

Re: getClientRects fingerprinting and Pale Moon

Unread post by Sampei Nihira » 2018-10-15, 06:00

The point is to avoid possible tracking:

Both the developer of Canvas Blocker and others think so:

https://github.com/kkapsner/CanvasBlocker/issues/236

Moonchild

Re: getClientRects fingerprinting and Pale Moon

Unread post by Moonchild » 2018-10-17, 08:45

It's a web API that is needed for some responsive sites to function. If you want to prevent fingerprinting with it you should find or create an extension that blocks the use of this API (e.g. by overloading the relevant functions).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Sampei Nihira

Re: getClientRects fingerprinting and Pale Moon

Unread post by Sampei Nihira » 2018-10-17, 16:57

Hi Moonchild.
I asked KKapsner if it would be possible to develop a Legacy version of Canvas Blocker with the protection feature in question which is available from version 0.5.4.

His answer:
Unfortunately I do not have the time to create (and maintain) a new legacy version of CB. The changes I would have to make are just too big.

Sorry.

Moonchild

Re: getClientRects fingerprinting and Pale Moon

Unread post by Moonchild » 2018-10-17, 18:40

Well, to quote your quoted person:
"Unfortunately I do not have the time to create (and maintain) a new legacy version of CB."

Find someone who can.

Fedor2

Re: getClientRects fingerprinting and Pale Moon

Unread post by Fedor2 » 2018-10-17, 23:33

Sure, I unfortunately do not have the time to create (and maintain) it either.
But this is an important thing for me; I know that extension, I used it before canvas poison, and it's not enough now.
I shall poke at the code, and if I succeed I shall share what and where to patch in the old version; 3.5, as far as I know, was working.

Sampei Nihira

Re: getClientRects fingerprinting and Pale Moon

Unread post by Sampei Nihira » 2018-10-18, 17:10

Thank you very much, Fedor2.
I await your news on this.

Sampei Nihira

Re: getClientRects fingerprinting and Pale Moon

Unread post by Sampei Nihira » 2018-10-21, 10:21

Even "Trace":

https://addons.mozilla.org/en-US/firefo ... ble-trace/

and

"Chameleon":

https://addons.mozilla.org/en-US/firefo ... eleon-ext/


have this functionality, but of course they are WebExtensions. :thumbdown:

Fedor2

Re: getClientRects fingerprinting and Pale Moon

Unread post by Fedor2 » 2018-10-27, 04:24

Well, I made an achievement.

My 3.5 now fakes DOMRect; according to https://browserleaks.com/rects, each new page gets a new value, but when an already opened page is reloaded, the value persists. I consider this the right behavior.

The new version has several new things besides DOMRect, actually three: audio, window and history. They could be added too, yet I have no means to test.

I am asking on GitHub to publish the whole patched addon; I can put it here or on my GitHub.
If I get no permission, I shall write instructions on how to patch.
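
The approach Moonchild describes (overloading the relevant functions) and the behaviour Fedor2 reports (a new value per page, stable across a reload), sketched as an added example that is not part of any post and is not CanvasBlocker's code. The page key, the noise width and the stub element class are assumptions made for illustration.

```javascript
const MAX_NOISE = 0.01; // assumed noise width in CSS px, small enough not to move layout

// FNV-1a over a string, scaled to [0, 1); the same input always gives the same output.
function hashFraction(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0) / 4294967296;
}

// Offset x, y, width, height; derive the edges so right === x + width still holds.
function fakeRect(rect, pageKey) {
  const noisy = (name) =>
    rect[name] + (hashFraction(`${pageKey}:${name}:${rect[name]}`) - 0.5) * MAX_NOISE;
  const x = noisy("x"), y = noisy("y"), width = noisy("width"), height = noisy("height");
  return { x, y, width, height, left: x, top: y, right: x + width, bottom: y + height };
}

// Overload both rect-returning methods on a prototype (Element.prototype in a browser).
function protectRects(proto, pageKey) {
  const origList = proto.getClientRects;
  const origBox = proto.getBoundingClientRect;
  proto.getClientRects = function () {
    return Array.from(origList.call(this), (r) => fakeRect(r, pageKey));
  };
  proto.getBoundingClientRect = function () {
    return fakeRect(origBox.call(this), pageKey);
  };
}

// Constructed stand-in for Element so the example runs outside a browser.
function makeStubElementClass() {
  const rect = { x: 8, y: 16.5, width: 203.71875, height: 17 };
  return class StubElement {
    getClientRects() { return [rect]; }
    getBoundingClientRect() { return rect; }
  };
}

// What a page script would read from the first rect under a given page key.
function rectFor(pageKey) {
  const Stub = makeStubElementClass();
  protectRects(Stub.prototype, pageKey);
  return new Stub().getClientRects()[0];
}

console.log(rectFor("page-A").width, rectFor("page-A").width, rectFor("page-B").width);
```

In a browser the same wrapper would be installed on Element.prototype and Range.prototype before any page script runs, with the key generated once when the page is first opened.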

Sampei Nihira

Re: getClientRects fingerprinting and Pale Moon

Unread post by Sampei Nihira » 2018-10-27, 13:53

Good. :thumbup:

Another important feature is Font Fingerprinting:

https://browserleaks.com/fonts

With Pale Moon you cannot use the extension below:

https://addons.mozilla.org/en-US/firefo ... ngerprint/

Can you add this feature?

With Firefox 52 ESR the layout is different from the screenshot inserted by the developer.
I have disabled "privacy.trackingprotection.enabled", but it does not change anything:

Image
Last edited by Sampei Nihira on 2018-10-27, 14:14, edited 2 times in total.

Fedor2

Re: getClientRects fingerprinting and Pale Moon

Unread post by Fedor2 » 2018-11-04, 16:00

Take the patched addon. I had added the other faking things, but not all those options; they were set to the defaults.

You suggested adding the font-blocking thing too; is this actually reasonable? I can block fonts with NoScript now.

Moderator note: Rogue edited extension with improper versioning removed.
Last edited by Moonchild on 2018-11-04, 16:21, edited 1 time in total.

Fedor2

Re: getClientRects fingerprinting and Pale Moon

Unread post by Fedor2 » 2018-11-04, 17:12

A request for the addons team was made.

Sampei Nihira

Re: getClientRects fingerprinting and Pale Moon

Unread post by Sampei Nihira » 2018-11-13, 19:55

Out:

https://addons.palemoon.org/addon/canvasblocker-legacy/

@ Fedor2

The DOM Rect API protection intervenes everywhere, also on the Google.com webpage.
Is this right?
I have deleted the notification.

Fedor2

Re: getClientRects fingerprinting and Pale Moon

Unread post by Fedor2 » 2018-11-14, 16:14

"The DOM Rect API protection intervenes everywhere, also on the Google.com webpage."

I also noticed that it is used widely, though not everywhere; I would say not always for fingerprinting purposes, but who knows.

Next I can possibly make it like in the new version: an icon on the browser toolbar, and I shall try to fix some weird stuff, storage by array[hash], which causes an error on Pale Moon 28.

pm4eva

Re: getClientRects fingerprinting and Pale Moon

Unread post by pm4eva » 2018-11-15, 02:52

Thank you for Canvas Blocker Legacy

You also can test it here
https://canvasblocker.kkapsner.de/test/

btw. CanvasBlocker 0.5.5 works with Basilisk
Last edited by pm4eva on 2018-11-15, 02:59, edited 2 times in total.
thx and greets

pm4eva

Re: getClientRects fingerprinting and Pale Moon

Unread post by pm4eva » 2018-11-16, 00:53

Found a bug in version 0.1

If you have installed the addon Stylish or Stylem and you want to edit a Userstyle,
and if the option "Protect DomRect API" in CanvasBlockerLegacy is activated,
then PaleMoon will freeze/hang/crash.

System was Win7-32bit
Hope you can fix it.
Last edited by pm4eva on 2018-11-16, 00:57, edited 2 times in total.

Thehandyman1957

Re: getClientRects fingerprinting and Pale Moon

Unread post by Thehandyman1957 » 2018-11-16, 01:42

Sampei Nihira wrote:Out:

https://addons.palemoon.org/addon/canvasblocker-legacy/

@ Fedor2

The DOM Rect API protection intervenes everywhere, also on the Google.com webpage.
Is this right?
I have deleted the notification.

This add-on caused major issues with Amazon to the point of dragging the whole
browser down to a crawl. I downloaded it just after the latest update from PM.
It took me an hour to finally figure it out after going through safe mode and then messing with
Ublock settings thinking it was something that had been added to their web page.
I even uninstalled the update and went back to the previous version and it still did it.

After disabling canvasblocker the problem went away. Turn it back on and try to
use Amazon and the whole browser drags to an unusable state.
This was the only site I experienced these problems with. :problem:

Sampei Nihira

Re: getClientRects fingerprinting and Pale Moon

Unread post by Sampei Nihira » 2018-11-16, 16:31

The CPU increases to 100.
You need to add the domain to the whitelist.
Or disable scripts.

Fedor2

Re: getClientRects fingerprinting and Pale Moon

Unread post by Fedor2 » 2018-11-16, 17:11

"This add-on caused major issues with Amazon"

The issue does indeed exist, and possibly the bug with Stylish is because of it too; I will certainly try to fix it.
