cowlicks / privacypossum

Privacy Possum makes tracking you less profitable

Fingerprinting #15

Open gameb0y opened 6 years ago

gameb0y commented 6 years ago

Can you add a blocking list?

CSS Exfil https://www.mike-gualtieri.com/css-exfil-vulnerability-tester

AudioContext Fingerprint https://audiofingerprint.openwpm.com/

getClientRects Fingerprinting https://browserleaks.com/rects

Webgl - Webgl2 Fingerprinting https://browserleaks.com/webgl

HTML5 Canvas Fingerprinting https://browserleaks.com/canvas

krathalan commented 6 years ago

Would like to add that with many sites, Privacy Possum does not detect canvas fingerprinting whereas CanvasBlocker does. For example, CanvasBlocker detects that this page on Android Police is fingerprinting, while Privacy Possum does not.

You can see the same behavior (CanvasBlocker working where Privacy Possum does not) in the HTML5 and WebGL links from gameb0y.

Edit: would like to add that the only time I've seen the Privacy Possum fingerprint blocking work is on the link from the GitHub README.

cowlicks commented 6 years ago

@krathalan if you visit Twitch, or Reddit when you are not logged in, you will detect these sites fingerprinting, or here https://www.intercom.com/ or others.

The fingerprinting vectors above are almost never used in isolation. Fingerprinting is done by combining multiple fingerprinting vectors, like all of the above, to get a more unique fingerprint. PP detects FP by watching for code that touches multiple esoteric APIs.

I wrote more about this here

Canvas fingerprinting is usually used in conjunction with many other browser fingerprinting vectors. The more vectors the more unique your fingerprint is. So Privacy Possum (PP) doesn't do detection of individual vectors. It detects when a script attempts to touch many of these vectors at once. Which looks like accessing a bunch of esoteric APIs. This is a very weird thing for normal code to do, but it is what fingerprinting code does. So we detect that. More info is here:

https://github.com/cowlicks/privacypossum/blob/d84c259c74148fa9f1ca87dea21661c7bdfa3e70/src/js/web_accessible/fingercounting.js#L5-L11
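The approach described in the comment above, flagging a script once it has touched several esoteric APIs instead of blocking each vector on its own, shown as an added example that is not part of the thread and not Privacy Possum's own code. The watched list, the threshold of 4, the `getCallerUrl` callback and the fake `window` are assumptions made so it runs outside a browser.

```javascript
// Added example, not Privacy Possum's code. WATCHED and THRESHOLD are assumptions.
const WATCHED = [
  'HTMLCanvasElement.prototype.toDataURL', 'CanvasRenderingContext2D.prototype.measureText',
  'WebGLRenderingContext.prototype.readPixels', 'AudioContext.prototype.createOscillator',
  'Element.prototype.getClientRects', 'CanvasRenderingContext2D.prototype.getImageData',
];
const THRESHOLD = 4; // distinct watched APIs one script may touch before it is flagged

// Wrap each watched method; getCallerUrl (assumed helper) names the calling script.
function watch(root, paths, getCallerUrl, onFlag, threshold = THRESHOLD) {
  const touched = new Map(); // script URL -> Set of watched APIs it has called
  for (const path of paths) {
    const parts = path.split('.');
    const name = parts.pop();
    const owner = parts.reduce((o, k) => (o == null ? o : o[k]), root);
    if (!owner || typeof owner[name] !== 'function') continue; // API not present
    const original = owner[name];
    owner[name] = function (...args) {
      const url = getCallerUrl();
      const seen = touched.get(url) || touched.set(url, new Set()).get(url);
      // Repeated calls to one API count once; flag exactly when the threshold is reached.
      if (!seen.has(path) && seen.add(path).size === threshold) onFlag(url, [...seen]);
      return original.apply(this, args);
    };
  }
  return touched;
}

// Constructed stand-in for `window`, so the example runs outside a browser.
function makeFakeWindow() {
  const win = {};
  for (const path of WATCHED) {
    const [ctor, , method] = path.split('.');
    win[ctor] = win[ctor] || function () {};
    win[ctor].prototype[method] = function () { return method; };
  }
  return win;
}

// Constructed traffic: an app script using two APIs, then a script probing five.
function demo() {
  const win = makeFakeWindow(), flags = [];
  let current = 'https://site.example/app.js';
  const touched = watch(win, WATCHED, () => current, (url) => flags.push(url));
  const call = (p) => { const [c, , m] = p.split('.'); new win[c]()[m](); };
  [WATCHED[0], WATCHED[0], WATCHED[4]].forEach(call);
  current = 'https://tracker.example/fp.js';
  WATCHED.slice(0, 5).forEach(call);
  return { flags, appCount: touched.get('https://site.example/app.js').size };
}
console.log(demo());
```

In a browser extension the caller would have to be derived from the running script rather than a variable, for example from a stack trace, and the wrappers would need to be installed before page scripts run.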

cowlicks commented 6 years ago

@gameb0y can you elaborate on what you mean by blocking list?

grenzor commented 6 years ago

I'm guessing he means adding a way for PP to detect and spoof/block those types of fingerprinting?

gameb0y commented 6 years ago

@cowlicks

like this: https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf


toDataURL getImageData getContext measureText readPixels drawImage

MediaStreamTrack webkitRTCPeerConnection

webkitAudioContext OfflineAudioContext AudioContext webkitAudioContext createDynamicsCompressor createOscillator OscillatorNode getChannelData getFloatFrequencyData webkitOfflineAudioContext

WebGLRenderingContext WebGL2RenderingContext

getClientRects getBattery NavigationTiming navigationStart

Riajyuu commented 6 years ago

@gameb0y Those methods are unlikely to be without the Firefox-exclusive API used by CanvasBlocker. As far as I know, this is exactly why this addon can be compatible with Chrome.