InformAction Forums

from the Browser Leaks folks.

Think this is legit, but prob not necessary as NS is supposed to block JS lookups ?


Blocks the JS-API for modifying <canvas> to prevent Canvas-Fingerprinting.</canvas>

https://addons.mozilla.org/EN-US/firefo ... src=search

and this looks like the tool to modify all the other hidden fingerprints.

Would be nice to just have a list of stuff that you could anonymize, but here ya go.

http://krebsonsecurity.com/2015/03/anti ... gerprints/

Antidetect allows users to very quickly and easily change components of the their system to avoid browser fingerprinting, including the browser type (Safari, IE, Chrome, etc.), version, language, user agent, Adobe Flash version, number and type of other plugins, as well as operating system settings such as OS and processor type, time zone and screen resolution.


I like Firegloves plugin for blocking/anon most of these, and have modded the user agent string anyway, but who knows how much is hidden in there.....

I too would like to see mote anti-tracking technologies developed. There are many things that can be used to fingerprint your browser, and the majority of them are done via JavaScript. So perhaps using something to block the fingerprinting on the JavaScript API level would be a good idea? For example see the following script fragment that I found on the RSI (Star Citizen) website. They are using a number of things to generate a fingerprint including WebGL, fonts, canvas, plugins, ActiveX, system colors, screen properties, navigator properties, etc.

I had to pastebin the code to avoid the forum spam filter: http://pastebin.com/VwCyf11w

Lurion wrote:There are many things that can be used to fingerprint your browser, and the majority of them are done via JavaScript. So perhaps using something to block the fingerprinting on the JavaScript API level would be a good idea?

There are so many different ways to fingerprint someone using JS, you are pretty much talking about blocking *all* JavaScript there...

barbaz wrote:you are pretty much talking about blocking *all* JavaScript there...

And on every site. The reason that the Tor project sponsored the Cascade Permissions feature was so that sites wouldn't be able to fingerprint you by checking what's on your whitelist.

Except that some websites don't work without javascript enabled (I.E. you can't login on the RSI website. Trust me, I tried.) and it annoys the hell out of me.

Lurion wrote:Except that some websites don't work without javascript enabled

That's true enough. If you need to use those sites, then you must accept the fact that they will potentially be able to fingerprint you using JavaScript, and there's very little that you can do about it except stop visiting them.

Hello,

I partially have to agree with that part, but asking users to stop visiting a website they like simply doesn't sound like a very friendly advice. I'm hoping there is some way to filter out those fingerprinting javascript API calls by either blocking them or faking them just like the CanvasBlocker does it for the canvas element. Generally, the fingerprinting scripts don't rely on any single property for identification. Instead they collect data from various places and then group it together to accumulate a sufficient amount of entropy to uniquely identify a browser. The idea is that if it were possible to block or at least fake out a sufficient amount of properties then this could potentially reduce the effectiveness of such tracking scripts. Please correct me, if I am wrong, but after a while of reading online resources about tracking I came to a small conclusion.

There are two solutions to this problem:
1) Make the user look like everyone else all the time
2) Make the user look like nobody else all the time

The first solution proposes that we make the user look like everyone else, so a tracker cannot distinguish between different users. I think the Tor Browser and JonDonym use this approach. This does not prevent data collection, however it does at least make the data anonymous. It also relies on having a large amount of users with the same fingerprint.

The second approach makes the user look different each time, all the time. This can be done by faking out (randomizing) the properties i.e. giving them a different value each time they are read. The CanvasBlocker "fake readout API" uses this approach to randomize the canvas fingerprint. Unfortunately the canvas is merely one element that has to be faked.

And yes, there are truly a lot of things that can be used for fingerprinting so implementing either solution isn't easy.

Resources:
http://browserspy.dk/
https://www.browserleaks.com/

If it's anti-tracking / privacy / anonymity you're after, your best bet are the Tor Browser and Tails.
Everything else is currently incomplete, and therefore vulnerable to a motivated and financially endowed attacker.

By the way, I found this rubbish on dropbox: http://pastebin.com/BwP6zAiq
Seems way worse than that of the RSI.

Perhaps a new thread with tracking javascript examples is in order?

Lurion wrote:Perhaps a new thread with tracking javascript examples is in order?

Go ahead and start one - or I'd be willing to split this one.

(Personally I think that would be a very useful thread.)

How do you propose we archive the javascript code? I tried posting the code in a thread like this, but the forum complained about a spam filter. I'm not sure how long the pastebin links persist.

Lurion wrote:the forum complained about a spam filter

PM a Mod (me, GµårÐïåñ, therube, or Thrawn) and we'll try to post it for you. PMs to forum staff are not spam filtered, and the spam filter is more lenient on us.

Unless there is a LOT of code... in which case, I don't know.. try a site like this that explicitly says it'll host files indefinitely?


EDIT Lurion started viewtopic.php?f=19&t=20856