Firefox plugin to block Canvas fingerprinting

Talk about internet security, computer security, personal security, your social security number...
Post Reply
morganism
Senior Member
Posts: 134
Joined: Tue Nov 26, 2013 9:44 pm

Firefox plugin to block Canvas fingerprinting

Post by morganism »

from the Browser Leaks folks.

Think this is legit, but prob not necessary as NS is supposed to block JS lookups ?


Blocks the JS-API for modifying <canvas> to prevent Canvas-Fingerprinting.</canvas>

https://addons.mozilla.org/EN-US/firefo ... src=search
Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/26.0
morganism
Senior Member
Posts: 134
Joined: Tue Nov 26, 2013 9:44 pm

Re: Firefox plugin to block Canvas fingerprinting

Post by morganism »

and this looks like the tool to modify all the other hidden fingerprints.

Would be nice to just have a list of stuff that you could anonymize, but here ya go.

http://krebsonsecurity.com/2015/03/anti ... gerprints/

Antidetect allows users to very quickly and easily change components of the their system to avoid browser fingerprinting, including the browser type (Safari, IE, Chrome, etc.), version, language, user agent, Adobe Flash version, number and type of other plugins, as well as operating system settings such as OS and processor type, time zone and screen resolution.


I like Firegloves plugin for blocking/anon most of these, and have modded the user agent string anyway, but who knows how much is hidden in there.....
Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/26.0
Lurion
Junior Member
Posts: 36
Joined: Wed Jul 23, 2014 12:38 pm

Re: Firefox plugin to block Canvas fingerprinting

Post by Lurion »

I too would like to see mote anti-tracking technologies developed. There are many things that can be used to fingerprint your browser, and the majority of them are done via JavaScript. So perhaps using something to block the fingerprinting on the JavaScript API level would be a good idea? For example see the following script fragment that I found on the RSI (Star Citizen) website. They are using a number of things to generate a fingerprint including WebGL, fonts, canvas, plugins, ActiveX, system colors, screen properties, navigator properties, etc.

I had to pastebin the code to avoid the forum spam filter: http://pastebin.com/VwCyf11w
Its time to kick ass and chew bubble gum, and Im all out of gum.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox plugin to block Canvas fingerprinting

Post by barbaz »

Lurion wrote:There are many things that can be used to fingerprint your browser, and the majority of them are done via JavaScript. So perhaps using something to block the fingerprinting on the JavaScript API level would be a good idea?
There are so many different ways to fingerprint someone using JS, you are pretty much talking about blocking *all* JavaScript there...
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Firefox plugin to block Canvas fingerprinting

Post by Thrawn »

barbaz wrote:you are pretty much talking about blocking *all* JavaScript there...
And on every site. The reason that the Tor project sponsored the Cascade Permissions feature was so that sites wouldn't be able to fingerprint you by checking what's on your whitelist.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Fedora; Linux i686; rv:37.0) Gecko/20100101 Firefox/37.0
Lurion
Junior Member
Posts: 36
Joined: Wed Jul 23, 2014 12:38 pm

Re: Firefox plugin to block Canvas fingerprinting

Post by Lurion »

Except that some websites don't work without javascript enabled (I.E. you can't login on the RSI website. Trust me, I tried.) and it annoys the hell out of me.
Its time to kick ass and chew bubble gum, and Im all out of gum.
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Firefox plugin to block Canvas fingerprinting

Post by Thrawn »

Lurion wrote:Except that some websites don't work without javascript enabled
That's true enough. If you need to use those sites, then you must accept the fact that they will potentially be able to fingerprint you using JavaScript, and there's very little that you can do about it except stop visiting them.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Lurion
Junior Member
Posts: 36
Joined: Wed Jul 23, 2014 12:38 pm

Re: Firefox plugin to block Canvas fingerprinting

Post by Lurion »

Hello,

I partially have to agree with that part, but asking users to stop visiting a website they like simply doesn't sound like a very friendly advice. I'm hoping there is some way to filter out those fingerprinting javascript API calls by either blocking them or faking them just like the CanvasBlocker does it for the canvas element. Generally, the fingerprinting scripts don't rely on any single property for identification. Instead they collect data from various places and then group it together to accumulate a sufficient amount of entropy to uniquely identify a browser. The idea is that if it were possible to block or at least fake out a sufficient amount of properties then this could potentially reduce the effectiveness of such tracking scripts. Please correct me, if I am wrong, but after a while of reading online resources about tracking I came to a small conclusion.

There are two solutions to this problem:
1) Make the user look like everyone else all the time
2) Make the user look like nobody else all the time

The first solution proposes that we make the user look like everyone else, so a tracker cannot distinguish between different users. I think the Tor Browser and JonDonym use this approach. This does not prevent data collection, however it does at least make the data anonymous. It also relies on having a large amount of users with the same fingerprint.

The second approach makes the user look different each time, all the time. This can be done by faking out (randomizing) the properties i.e. giving them a different value each time they are read. The CanvasBlocker "fake readout API" uses this approach to randomize the canvas fingerprint. Unfortunately the canvas is merely one element that has to be faked.

And yes, there are truly a lot of things that can be used for fingerprinting so implementing either solution isn't easy.

Resources:
http://browserspy.dk/
https://www.browserleaks.com/
Its time to kick ass and chew bubble gum, and Im all out of gum.
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Firefox plugin to block Canvas fingerprinting

Post by Giorgio Maone »

If it's anti-tracking / privacy / anonymity you're after, your best bet are the Tor Browser and Tails.
Everything else is currently incomplete, and therefore vulnerable to a motivated and financially endowed attacker.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Lurion
Junior Member
Posts: 36
Joined: Wed Jul 23, 2014 12:38 pm

Re: Firefox plugin to block Canvas fingerprinting

Post by Lurion »

By the way, I found this rubbish on dropbox: http://pastebin.com/BwP6zAiq
Seems way worse than that of the RSI.

Perhaps a new thread with tracking javascript examples is in order?
Its time to kick ass and chew bubble gum, and Im all out of gum.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox plugin to block Canvas fingerprinting

Post by barbaz »

Lurion wrote:Perhaps a new thread with tracking javascript examples is in order?
Go ahead and start one - or I'd be willing to split this one.

(Personally I think that would be a very useful thread.)
*Always* check the changelogs BEFORE updating that important software!
-
Lurion
Junior Member
Posts: 36
Joined: Wed Jul 23, 2014 12:38 pm

Re: Firefox plugin to block Canvas fingerprinting

Post by Lurion »

How do you propose we archive the javascript code? I tried posting the code in a thread like this, but the forum complained about a spam filter. I'm not sure how long the pastebin links persist.
Its time to kick ass and chew bubble gum, and Im all out of gum.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox plugin to block Canvas fingerprinting

Post by barbaz »

Lurion wrote:the forum complained about a spam filter
PM a Mod (me, GµårÐïåñ, therube, or Thrawn) and we'll try to post it for you. PMs to forum staff are not spam filtered, and the spam filter is more lenient on us.

Unless there is a LOT of code... in which case, I don't know.. try a site like this that explicitly says it'll host files indefinitely?


EDIT Lurion started viewtopic.php?f=19&t=20856
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply