
Killing Browser Fingerprinting

OJ

Daemon

Thanks: 243
Messages: 1,024

#77
Most websites are not all websites though, and therein lies part of the problem, at least as far as I see it.
You're right. Also people and their needs are different. My needs are philosophical, and commercial pragmatism is of little use to me when it comes to web sites. If I were to assume that all other people were like me I'd be quite mistaken, I'm sure. In fact I'd be mistaken if I were to assume that everyone else would accept my individual freedom to think as I wish as being legitimate.
 

drhowarddrfine

Daemon

Thanks: 643
Messages: 2,401

#78
Most websites are not all websites though, and therein lies part of the problem
You're right. And most web sites don't have malware and don't spam you either.

There are good guys and bad guys in everything but, far too often, we let the tail wag the dog nowadays. The honest marketer, the majority, is just trying to do his job but it's being relegated to the boogey man looking over your shoulder and watching everything you do, as if that was actually possible.

Sites that attempt to do anything like that are those you wouldn't visit anyway.
 

ronaldlees

Aspiring Daemon

Thanks: 189
Messages: 557

#79
According to the comments on github.com, the Tor Project is (apparently) listing the HTML5 canvas as the single biggest fingerprinting issue.
"After plugins and plugin provided information, we believe that the HTML5 canvas is the single largest fingerprinting threat browsers face today." - Tor Project.
At cseweb.ucsd.edu/~hovav/dist/canvas.pdf is an explanation of how it works. HTML5 coders can draw to the HTML5 canvas, and then grab the image back (as it has been drawn) with the getImageData() function, which returns an ImageData object. That object is then analyzed, and in combination with other things is used to create the fingerprint.

I understand the purpose of the drawing functions, and they'd be used a lot. But, what purpose does getImageData() have, other than to provide a dang good way to grab a fingerprint? OKAY - I can think of uses for it - but I think I'll just do without.

Maybe just recompile your browser, and disable it (return nothing) ... although I suppose this could monkey wrench a few sites that *really* needed the function.
 

shepper

Aspiring Daemon

Thanks: 197
Messages: 617

#80
Sites that attempt to do anything like that are those you wouldn't visit anyway.
I think the line between "those that you would not visit" and those that you visit is becoming blurred. An example: I use Earthlink as an email provider and I cannot log into my webmail without at least 3 advertisements. One advertisement wants to know if a Political Candidate should go to jail. Another tells me the President encourages me to refinance my home. The last is telling me of the benefits of Chia Tea. I started with an empty cookiejar in Xombrero. Xombrero opens on a "favorites" listing of websites and in the process of going directly to Earthlink's Webmail site and logging in, I acquire 51 cookies.

I just want to empty my suspects folder.

I'll also bet that if you inventory the cookies, they have nothing to do with improving service for the user. Why would the NYTimes place .linked.com cookies on my system? What possible benefit would my liberal inclinations gain from a LinkedIn cookie? And why so many cookies? One per site would be enough.
 

drhowarddrfine

Daemon

Thanks: 643
Messages: 2,401

#81

OJ

Daemon

Thanks: 243
Messages: 1,024

#83
Advertising targeted at your preferences so you don't get ads for brassieres again.
That would only apply to those people who look at ads. For those of us who block perhaps there is some other purpose but one might classify that as cookie spamming.
 

OJ

Daemon

Thanks: 243
Messages: 1,024

#85
I'd prefer getting no ads at all! I do not want to be stalked by the marketing industry. And I do not want to be forced to "opt-out" of anything. Opting-in should be the default.
Yes, how about a red bar at the top of cookie sites with wording like "click here to opt in". ;)
In any case, I currently use uBlock Origin, but have been using blocking techniques for years - simply because I can't afford the equipment, time, and bandwidth to do otherwise.
 

shepper

Aspiring Daemon

Thanks: 197
Messages: 617

#86
British Television produced a 17 episode series called The Prisoner. One of the more memorable quotes from the series is
"I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered! My life is my own!". In addition to being numbered, I feel I'm being "parsed, sorted, abstracted and analyzed". My journey through the web is my own.
 

drhowarddrfine

Daemon

Thanks: 643
Messages: 2,401

#87
That would only apply to those people who look at ads.
Whether you look at them or not doesn't matter. If you were shown an ad once, they may not want to show it to you again. Or, if you clicked on it, they might want to remember that, too. If the site you were on was a tech site, and you clicked on a RaspberryPi ad, that's informative. If you were on a tech site and clicked on a brassiere ad, that's informative, too. Or maybe not to that advertiser.
My journey through the web is my own.
Except when it's sponsored. Without sponsors, that TV show, and possibly the web site you visited, wouldn't exist.
 

shepper

Aspiring Daemon

Thanks: 197
Messages: 617

#89
Except when it's sponsored.

I'll point out that I pay Earthlink for email services, I pay for the connection and I pay for bandwidth. There seems to be no limit to how much bandwidth they feel entitled to. We won't even discuss how much of my time they consume while I tend to the business of managing my emails.

It would be a different story if I was using gmail for free.

I can't drop them at the moment and I am not aware of any other email provider that does not sell some piece of me.
 

drhowarddrfine

Daemon

Thanks: 643
Messages: 2,401

#90
shepper That you pay for that and still get ads is between you and them and what I consider a bad email service. Why do you use them instead of your own on a FreeBSD system?

Content on the web would probably be of much smaller but much better quality if the "supported by ads" model went away.
I can't agree more. Quality stuff is still out there. It's just small signal to high noise to filter.
 

protocelt

Daemon

Thanks: 405
Messages: 1,257

#91
shepper That you pay for that and still get ads is between you and them and what I consider a bad email service. Why do you use them instead of your own on a FreeBSD system?


I can't agree more. Quality stuff is still out there. It's just small signal to high noise to filter.
There is, but it's taking more and more effort to find it over time.

We're kind of veering off topic here though. Let's all try to keep on track. I'm guilty of this in this thread as well.
 

OJ

Daemon

Thanks: 243
Messages: 1,024

#92
Whether you look at them or not doesn't matter. If you were shown an ad once, they may not want to show it to you again.
??? By not looking at them I meant blocking them, of course. I think it's pretty standard these days among those who consider browser performance.
 

OJ

Daemon

Thanks: 243
Messages: 1,024

#93
We're kind of veering off topic here though. Let's all try to keep on track. I'm guilty of this in this thread as well.
Right. :)

We see various on-line browser and fingerprinting tests from time to time. Here is another one which I just tried: Doileak.com. I'm careful about DNS leaks and always do relatively well with these tests generally. It did strike me that they detected two operating systems, which is probably normal for a VPN, but also identifying. Also, I'm not so happy about IPv6. I find it hard to control because I don't know it well enough yet. This test showed they were not able to detect an IPv6 request, which confuses me because I can browse IPv6 sites that have no IPv4 support.
 

ronaldlees

Aspiring Daemon

Thanks: 189
Messages: 557

#94
Right. :)

We see various on-line browser and fingerprinting tests from time to time. Here is another one which I just tried: Doileak.com. I'm careful about DNS leaks and always do relatively well with these tests generally. It did strike me that they detected two operating systems, which is probably normal for a VPN, but also identifying. Also, I'm not so happy about IPv6. I find it hard to control because I don't know it well enough yet. This test showed they were not able to detect an IPv6 request, which confuses me because I can browse IPv6 sites that have no IPv4 support.

OJ: Tnx for that link. My report from that site says it detects both Linux (via javascript) and FreeBSD (via fingerprint). I wonder if they're using OS fingerprinting or the user-agent for the latter? DNS request sources were detected with javascript, but not without javascript. Other than that, they didn't get much from me :)

I should be using static settings, and not DHCP, and I probably should not be using the ISP's DNS. Likely the default local DNS should be inaccessible. By turning off javascript, they don't have websockets to play with, to query my local DNS resolver. But, it turns out they can do it another way. All they have to do is put a URL in the browser page that points to a subdomain (of theirs) that doesn't exist. Thus, the DNS caches won't have it, and so a query will be made to their servers. Then, I imagine they vary the "nonexistent" domain to turn it into a GUID, and figure out where the servers are.

Seems there's no hope to obscure DNS, outside Privoxy/Socks/Tor/VPN. Without using anon software, I lessen the damage only a little bit with external DNS, cuz there's less specific info in the remote DNS than the one my router uses.
 

ronaldlees

Aspiring Daemon

Thanks: 189
Messages: 557

#95
The WebGL hash is listed on panopticlick.eff.org as a contributing factor to the fingerprint, but a lesser one than the canvas hash. So, in Firefox config, we can set webgl.disabled=true, and media.peer* to false. The latter kills off WebRTC AFAIK, which can leak the local subnet IP. Thanks again to the link OJ supplied, which details this pretty well. I'm always a little leery about random "test" links - hope this one is safe :)

I'm looking for a way to disable the canvas, short of recompiling Firefox (though the latter is an option). Some people are recommending a smart add-on that is basically like "noscript" but with the canvas in mind. Can't remember the name of the extension. It'd be better to have javascript, and no canvas, from the whizbang site experience POV.
 

ronaldlees

Aspiring Daemon

Thanks: 189
Messages: 557

#98
I would advise it is especially important to disable cache (although that may seem like an automatic thing to do). Apparently, HTML5 engenders a "cookie replacement" via the caching of uniquely built on-the-fly PNG images. The data is read back with getImageData(). The cache action can be requested in the response header from the server, but doesn't necessarily need to be honored. Still, it's scary. So I regularly flush cache, or don't use it.

Another function to add to the fingerprint enabler list: getClientRects(). It's about the same as the getImageData() of canvas, but it's not known if panopticlick factors it into their algorithm.

If that wasn't bad enough, HTML5 offers "web storage api" storage (up to 5M usually) of website-origin data on the user's computer, and if it's of the local or global variety, will survive operating system reboots (yes, even FreeBSD). Ostensibly, the browser is supposed to ask for permission before allowing this type of storage (which is data that can mimic cookies, or simply take the form of GUIDs. Nice). Problem is, there have been instances (so I have read) where a browser allowed silent storage from certain domains. Don't know if the latter statement is true, but where does it end?
 
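The canvas readback leak discussed in #79 and #98, as an added self-check that is not code from anyone in this thread: it draws a fixed scene, reads the pixels back with getImageData(), hashes them, and tells you whether your browser hands out a stable identifier, injects noise, or blocks readback. The hash choice (FNV-1a) and the scene are assumptions of this example; the pure helpers also run under Node with constructed pixel data.

```javascript
// Added example, not from the forum thread. Paste into a browser console to
// probe your own browser; the helpers below are pure so they run under Node.

// FNV-1a 32-bit over a byte array, returned as 8 hex digits (assumed hash;
// real trackers may hash the data URL or pixels with anything they like).
function fnv1a32(bytes) {
  let h = 0x811c9dc5;
  for (let i = 0; i < bytes.length; i++) {
    h ^= bytes[i];
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// What repeated readbacks of the same drawing tell a defender:
//   "blocked"    - pixels never populated (readback returns an empty buffer)
//   "stable"     - identical every run, so the hash works as an identifier
//   "randomized" - a noise-injecting defence changes the bytes per readback
function classifyReadback(hashes, blankHash) {
  if (hashes.every((h) => h === blankHash)) return "blocked";
  if (new Set(hashes).size === 1) return "stable";
  return "randomized";
}

// Draw the same text and shape every time; font rasterisation, anti-aliasing
// and the graphics stack make the resulting bytes machine-specific.
function canvasFingerprint(doc) {
  const c = doc.createElement("canvas");
  c.width = 200;
  c.height = 50;
  const ctx = c.getContext("2d");
  ctx.textBaseline = "top";
  ctx.font = "16px Arial";
  ctx.fillStyle = "#f60";
  ctx.fillRect(10, 10, 80, 30);
  ctx.fillStyle = "#069";
  ctx.fillText("canvas readback check", 2, 2);
  return fnv1a32(ctx.getImageData(0, 0, c.width, c.height).data);
}

// Read the canvas back several times and classify the result.
function probe(doc, runs = 3) {
  const blank = fnv1a32(new Uint8ClampedArray(200 * 50 * 4));
  const hashes = Array.from({ length: runs }, () => canvasFingerprint(doc));
  return { hashes, verdict: classifyReadback(hashes, blank) };
}

if (typeof document !== "undefined") console.log(probe(document));
```

A "stable" verdict that also matches across browser restarts is the cookie-free identifier the Tor quote above is warning about; compare against a second machine to see how much of it is hardware-specific.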

drhowarddrfine

Daemon

Thanks: 643
Messages: 2,401

#99
Another function to add to the fingerprint enabler list: getClientRects(). It's about the same as the getImageData() of canvas
Huh? It gets the bounding box locations for HTML elements and has nothing to do with images or data or anything else.

Ostensibly, the browser is supposed to ask for permission before allowing this type of storage
Yes, it does. And only from that domain.