arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License

Recommend JShelter extension #1388

Closed DonPicciotto closed 2 years ago

DonPicciotto commented 2 years ago

Even if I'm afraid of death for suggesting an addon here, I have to try nevertheless. I know fingerprinting doesn't have a solution, but I still think that minimizing threats is a useful thing, even if I'm going to be accused of "enumerating badness". So, I did the CreepJS test a lot of times with different settings ("clean" Firefox with just arkenfox user.js and ublock too) but nothing seems to work and a persistent id showed up every time I changed my configuration. Even TOR seems completely useless against that test, and this is, well... creepy. It seems the only addon that really works is JShelter from the FSF, and after installing it (you have to disable "fingerprint detector" to make the test) my ID finally changes every time I open the browser. Maybe it could be a good idea to recommend this extension too in the wiki section? Sorry for my bad English and thanks as always for your work!

rusty-snake commented 2 years ago

> Even TOR seems completely useless against that test

Is the tor ID stable and unique or only stable but the same (or 4) for all tor users?

DonPicciotto commented 2 years ago

> > Even TOR seems completely useless against that test
>
> Is the tor ID stable and unique or only stable but the same (or 4) for all tor users?

In my test it sadly seems stable and unique for me

rusty-snake commented 2 years ago

How many systems did you use for the test?

DonPicciotto commented 2 years ago

> How many systems did you use for the test?

Just one (Windows 10), others seem to be ok with TailsOS

rusty-snake commented 2 years ago

And how do you know it's unique if you tested it on one system?

DonPicciotto commented 2 years ago

Sorry, maybe I explained things poorly. I expect the test ID on TOR browser is the same for any TOR users (so I expect to see at least some previous visit, a signature or something, even if it's the first time I make the test) or changes every time TOR is restarted. Instead the test ID appears unique to my specific browser/machine/user and doesn't change when I restart TOR. The same thing happens on "hardened" Firefox, unless I use JShelter. Sorry if I didn't explain things better before, I hope everything is more clear now

remyabel2 commented 2 years ago

@overdodactyl The test is artificial and doesn't really tell you anything. They have heuristics hard-coded for browsers like Tor. So if you're using Tor it detects you're using Tor but so what? What matters is whether or not you blend in with other tor users, not whether scripts are able to detect you are using Tor.

I noticed in the source code they detect jshelter too so the results may eventually be skewed for that.

DonPicciotto commented 2 years ago

@remyabel2 The test doesn't just tell that you use TOR, sadly, it succeeds in identifying specific TOR users and distinguishing them from each other. It can be really problematic for people who need complete anonymity (but of course if you need complete anonymity you shouldn't use TOR on Windows in the first place)

remyabel2 commented 2 years ago

That seems inaccurate. In my test it says:

visits: 67
first: 1/26/2022, 6:56:45 PM

Obviously I did not visit the site 67 times nor use a time machine, so if it was detecting me uniquely this information is incorrect.

DonPicciotto commented 2 years ago

> That seems inaccurate. In my test it says:
>
> visits: 67
> first: 1/26/2022, 6:56:45 PM
>
> Obviously I did not visit the site 67 times nor use a time machine, so if it was detecting me uniquely this information is incorrect.

Very good! It seems you are lucky and share the configuration with other people, it seems to be kind of random at this point: others report the same as you, but for a lot of other people (me too) the ID seems unique

fxbrit commented 2 years ago

without having looked at all the above yet, I would say the issue can be closed and is outside of AF's business -> https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D

The best any browser can confidently do, excluding Tor Browser, is fool naive scripts.

Defeating advanced scripts requires a crowd, the larger the better

also, while being extremely powerful and good, I don't think creepjs is trying to replicate how fping normally works in the wild. there was a bit of the faq about loose fingerprint somewhere, did you remove it at some point @Thorin-Oakenpants ?

we can keep discussing and testing anyway, but I'm closing to avoid paranoia rampage over nothing.

Thorin-Oakenpants commented 2 years ago

@fxbrit

namely

So much of what has been said in this thread is just plain wrong

Thorin-Oakenpants commented 2 years ago

> Even TOR seems completely useless

Tor is a protocol and has nothing to do with the clientside JS tests at creep

> I expect the test ID on TOR browser is the same for any TOR users

False. There is no one FP for all Tor Browser users. This is impossible.

> so I expect to see at least some previous visit

False. What makes you think ANY significant number of TB users have visited the site - what makes you think any significant number of Firefox users have visited?

> It seems you are lucky and share the configuration with other people, it seems to be kind of random at this point:

seems ... seems .. so you're just guessing now to make your "theory" fit your narrative

I'll stop at this point and let the other dozen falsehoods just dangle there because I have better things to do

Thorin-Oakenpants commented 2 years ago

PS: detecting JShelter is trivial - it adds fake keys to the navigator object which are clearly fake (edit: and unique AFAICT)

fxbrit commented 2 years ago

thanks, I couldn't find that :-)

DonPicciotto commented 2 years ago

Hi @Thorin-Oakenpants, thanks as always for your answers and your time. I'm going to answer just to clarify my opinion, but I don't want to exasperate things and I'm not trying to impose my vision. I don't know kind of anything, I'm just trying to understand and learn. If this topic is useless or simply annoying I will just stop. Thanks again, and sorry for my mistakes.

> Tor is a protocol and has nothing to do with the clientside JS tests at creep

I misused the protocol name, I was referring to the protocol+browser, sorry for the misunderstanding

> > I expect the test ID on TOR browser is the same for any TOR users
>
> False. There is no one FP for all Tor Browser users. This is impossible.

I didn't just say that I expected TorBrowser fingerprint to be the same for everyone, but that I expected that it would at least change for every session too (one of the 2 options, of course). It's really strange to me that a single TorBrowser has a specific "fingerprint" different from every other TorBrowser, I thought the main purpose of TorBrowser was to blend all the users and not let anyone stand out. This is why it seemed so strange to me what happened. Some people share the same ID with other people, but for me and other people the ID stays the same across every TorBrowser session and is unique. This was really strange to me, I didn't think this was supposed to happen.

> > so I expect to see at least some previous visit
>
> False. What makes you think ANY significant number of TB users have visited the site - what makes you think any significant number of Firefox users have visited?

When I did the test with Mull (the DivestOS version of "hardened" Firefox) on Android (after changing the value of "intl.accept-languages" to "en-US, en" in about:config) a non-unique ID appeared, signed by someone else and visited multiple times. Mull has a lot less users (thousands vs millions, I believe) than TorBrowser, and still I found previous visits to creepjs. It's strange to think that no one else on TorBrowser did the test. Then I asked other people to do the test, and they too have a unique ID and no previous visit on the site

> > It seems you are lucky and share the configuration with other people, it seems to be kind of random at this point:
>
> seems ... seems .. so you're just guessing now to make your "theory" fit your narrative

Of course I use "seems", I'm not sure of anything, I don't have any expertise. I'm just making assumptions based on various tests and the little I know, but I'm here just with doubts and 0 solutions. I can just explain my opinion on what I saw and thought, but of course it's just that: an opinion.

Nevertheless I didn't open the issue to discuss about TorBrowser. I apologize for all the OT, it wasn't intentional, I'm deeply sorry. I wanted just to suggest JShelter as a possible candidate for the recommended addons, since it seems useful, effective and is developed by competent people. Sorry again for my poor English, for all the chaos and for the time stolen to you. I'm grateful for the discussion and the answers

Thorin-Oakenpants commented 2 years ago

> I didn't just say ... supposed to happen

the data set is tiny, the data set is tainted, the data set is pointless ... this is NOT how you calculate possible FPs or determine entropy ... also, do you even know what creepyjs is trying to do here with these tests

all your assumptions are incorrect: e.g.

> I'm not sure of anything, I don't have any expertise. I'm just making assumptions based on various tests and the little I know

Once again, interpreting these tests with your own results is a WASTE OF TIME, and using entropy or stats from said sites is also a WASTE OF TIME

> as a possible candidate for the recommended addons, since it seems useful, effective

it's not useful and of very limited use, based on, IMO, some faulty premises, for example: for Firefox

We already recommend CanvasBlocker as an alternative to RFP - that is all you need and all you can do - fool naive scripts. Almost every script contains canvas, so that's almost every naive script covered. You do NOT need to go messing with timing, fucking around with plugins, diddling audio, breaking web workers (it does this because it knows that workers expose it)

I even find pissing around with geo to be of minimal benefit (geo is behind a prompt and if you allow it, wouldn't you want it to work - not really my area of expertise, but I guess there can be a case for less precision by default with browsers as a standard)

kkapsner (CanvasBlocker) is respected, the extension has been around for a long time, and he knows what he's doing. There is no need to jump on some new extension - especially when I see the likes of faking plugins, it's like some sort of bad joke
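
Added example (not part of the thread or of any project named in it): a small simulation of the "tiny data set" point made above. It assumes a hypothetical population in which every fingerprint is shared by 200 users and shows how many visitors a low-traffic test site would still count as unique; `siteView`, the bucket counts and the seed are constructed for illustration.

```javascript
// Added illustration with constructed numbers, not measurements from any real site.
// Assumption: every browser in the population falls into one of `buckets`
// equally common fingerprints, so nobody is truly unique.

// Small deterministic PRNG (mulberry32) so every run gives the same result.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Simulate `visitors` people from that population reaching one test site and
// return what the site's own counters would show.
function siteView(buckets, visitors, seed) {
  const rand = mulberry32(seed);
  const seen = new Map();
  for (let i = 0; i < visitors; i++) {
    const fp = Math.floor(rand() * buckets);
    seen.set(fp, (seen.get(fp) || 0) + 1);
  }
  let looksUnique = 0;
  for (const count of seen.values()) if (count === 1) looksUnique++;
  return {
    looksUniqueShare: looksUnique / visitors,   // visitors shown as "seen once"
    expectedShare: Math.pow(1 - 1 / buckets, visitors - 1), // closed form
    maxBitsSiteCanReport: Math.log2(visitors),  // surprisal of a 1-in-n hit
    trueBits: Math.log2(buckets),               // real surprisal of any bucket
  };
}

// Hypothetical population: 1,000,000 users in 5,000 buckets (200 users each).
const POPULATION = 1000000;
const BUCKETS = 5000;
const small = siteView(BUCKETS, 300, 1);    // tiny data set
const large = siteView(BUCKETS, 200000, 1); // a real crowd in the log

console.log("true anonymity set per user:", POPULATION / BUCKETS);
console.log("300 visitors:", small);
console.log("200000 visitors:", large);
```

With 300 visitors most of them are reported as never seen before even though each shares a fingerprint with 199 others; with 200,000 visitors in the log almost none are.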

Thorin-Oakenpants commented 2 years ago

and with plugins, it's not even protecting the real value, which is 101 FP protection basics, see rule 1

And that's on the top level document. If we use service workers, for example, we can expose it as well, but that's a limitation of web extension APIs and is a different story

And if its aim is to simply confuse scripts (i.e. naive ones), then it's pointless (and a stupid metric to pick IMO) when it is already doing that to webgl and canvas (for example)

They should rethink what they are trying to achieve here and be more selective, IMO. I honestly have no interest in it, except to keep exposing untrustworthy results in TZP: so we can ultimately just collect only real values for analysis, and also to show up extensions as inadequate for the job

Thorin-Oakenpants commented 2 years ago

this is what happens to extensions that do STUPID things, and I'm not even finished with hardening up each metric at the top doc level

how SHIT is that ... additionally I'm not even using any workers or iframes in there (yet: although cydec blocks workers as well and probably covers all iframe methods)

this is cydec on Firefox