dillbyrne / random-agent-spoofer

Firefox addon - Rotates complete browser profiles (from real browsers / devices) at a user-defined time interval. It includes many extra privacy-enhancing options.
https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer/
GNU General Public License v3.0

Html5 Canvas Fingerprinting #74

Closed mt2012 closed 10 years ago

mt2012 commented 10 years ago

Problem: http://www.browserleaks.com/canvas

Solution: turn off "hardware acceleration" by default (this is the only solution I tried; are there any other ways to randomize this value?)

P.S. Thanks for the last 0.9.3 GitHub version, it's the greatest addon to break browser fingerprinting at the moment. Anyway, do you know the reason why the Mozilla reviewers do not allow screen & timezone modifications?

What I'm scared of is Mozilla doing this because it was instructed to by Google: if big companies feel that one browser is blocking their fingerprinting techniques, they can just easily block all access by this browser. Users will feel it is the browser's bug and then change to another browser. It happened with Opera once (the best privacy company at that time). The Opera browser was growing fast a couple of years ago and it was becoming a threat to Google Chrome's growth, so Google blocked all access to most Google services by the Opera browser and then recommended the big 3 browsers instead.

http://dev.opera.com/blog/google-browser-sniffing-and-the-open-web/

Now what happens? Opera becomes Google's bootlicker. Now they agree to whatever Google wants them to do. Look at any Opera browser and you will notice many Google products are there now. Even Opera now uses Google's Blink as its engine.

dillbyrne commented 10 years ago

@mt2012 What exactly did you do for turning off "hardware acceleration" by default? And did it make any difference to the test? I tried the option in the preferences and others in about:config but they made no difference.

I'm working on it. See the attached image (image: temp)

"do you know the reason why the Mozilla reviewers do not allow screen & timezone modifications?"

Yes, because the functionality can break some sites, because the site will be working with spoofed values or may not have any to work with, depending on the options chosen. The only way I could get the code to work was the way I implemented it, so I have to release limited versions on AMO without the extra protections, but I'm still waiting on the limited version to be reviewed. Also, the limited version informs the user that the missing functionality is only available in the GitHub version so they can make their own choice.

Glad you like 0.9.3. Version 0.9.4 will have even more features.

dillbyrne commented 10 years ago

Update (image: temp2): I still have some more work to do on it.

mt2012 commented 10 years ago

What this "hardware acceleration" does is render the canvas image using your hardware; different hardware configurations will result in slightly different images. It can be used for fingerprinting. In fact this is the single largest fingerprinting threat: https://wiki.mozilla.org/Fingerprinting#HTML5_Canvas

This is before I turned off HA (you can see "5/22136"; those 5 users are all mine after upgrading Firefox): (image: before-ha-disabled)

This is after I turned off HA (you can see now it's "185/22136", so we are the same as most of the users): (image: after-ha-disabled)

Have you tried disabling hardware acceleration from the menu instead (and the browser needs to be restarted)? http://lifehacker.com/disable-firefoxs-hardware-acceleration-to-fix-slowness-749344037

I'm curious, from your screenshot, why your TEXT API FOR CANVAS is "NO". What setting do you use?

"because the functionality can break some sites because the site will be working with spoofed values or may not have any to work with depending on the options chosen" This really doesn't make any sense; many privacy addons have this problem, look at AdblockPlus, NoScript, Ghostery, etc. All of them "will" (not "can") break some sites. This is the user's choice and they know if they install it, it will break some sites. But that makes sense of why other anti-fingerprinting addons disappeared from the Mozilla site (firegloves, torbutton, etc).

oceandweller007 commented 10 years ago

I also get the same value for "Sets in this Group" whether or not I disable hw acceleration (FF 29). Could this have something to do with the uniqueness of the GPU? I'm using an AMD APU.

dillbyrne commented 10 years ago

@mt2012 I didn't restart it after changing the setting, perhaps. Anyway, the way I get it to work is by overriding the functions in the site itself so it won't work when it calls them, and as a result it cannot get a fingerprint.

As for the review process I have to go along with it even though it can be frustrating at times. I have been trying to get a limited version of RAS 0.9.3 without the Screen and timezone offset and other stuff passed for ages.

@oceandweller007 It could be.

dillbyrne commented 10 years ago

@mt2012 @oceandweller007 I have released the latest version at https://github.com/dillbyrne/random-agent-spoofer/releases/tag/0.9.4. I want to further improve the canvas fingerprinting and other stuff as there are still some edge cases, but I wanted to allow people to use what I have working for now and I'll add the improvements as I get them working.

ldgbc commented 9 years ago

@dillbyrne

I came across this add-on: CanvasBlocker :: Add-ons for Firefox https://addons.mozilla.org/en-US/firefox/addon/canvasblocker

It has some sort of semi-blocking and forging feature; what interests me most is this: https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/reviews/655814/ "The new Version (0.1.4) has now an option to block only the readout API which will hinder fingerprinting but does not interfere with normal display applications like in your case the loading icon for youtube videos"

Currently it seems like RAS is "all-or-nothing" when it comes to canvas blocking. Can you look into this so that canvas fingerprinting can be hindered by the method described in that add-on?

dillbyrne commented 9 years ago

@ldgbc Sure I'll look into it. I'll open a new issue for it. It'll have to wait until I get some of the other issues out of the way first

dillbyrne commented 9 years ago

@ldgbc If you want to use youtube with no canvas at all and force html5 only then use the sony xperia e android profile ;)

seli11 commented 9 years ago

With the CanvasBlocker option "fake readout API", it looks different every time I refresh the page https://www.browserleaks.com/canvas

1 - Your Fingerprint: Signature 3AE7F9BE, Found in DB: × False. General Conclusion: Your system fingerprint appears to be unique, yet we don't collect signatures here, just check.

2 - Signature 56E16BF7, Found in DB: × False. General Conclusion: Your system fingerprint appears to be unique, yet we don't collect signatures here, just check.

can't read about my operating system or browser detail
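The three behaviours compared in this thread (no protection, blocking only the readout API, and faking the readout) can be reproduced with a small wrapper. This is an added example, not code from RAS, CanvasBlocker or any commenter; `StubCanvas`, `protectReadout`, `signature` and `demo` are hypothetical names, and the canvas is a constructed stand-in so the code runs outside a browser.

```javascript
// Constructed stand-in for HTMLCanvasElement so the example runs outside a browser.
class StubCanvas {
  constructor() { this.pixels = new Uint8Array(16); }   // 4 RGBA pixels
  draw(value) { this.pixels.fill(value); }              // drawing API, never wrapped
  toDataURL() {                                         // readout API
    const hex = Array.from(this.pixels, (b) => b.toString(16).padStart(2, "0"));
    return "data:stub;hex," + hex.join("");
  }
}

// 32-bit FNV-1a: stands in for the hash a test page computes over the readout.
function signature(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h = Math.imul(h ^ text.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).toUpperCase().padStart(8, "0");
}

// Wrap only the readout method (hypothetical helper).
//   "block": every readout is the same empty image.
//   "fake":  the readout comes from randomly perturbed pixels; the canvas is restored.
function protectReadout(proto, mode, rng = Math.random) {
  const original = proto.toDataURL;
  proto.toDataURL = function (...args) {
    if (mode === "block") return "data:,";
    const saved = this.pixels.slice();
    for (let i = 0; i < this.pixels.length; i++) {
      if (rng() < 0.5) this.pixels[i] ^= 1;             // flip the low bit of ~half the channels
    }
    try { return original.apply(this, args); }
    finally { this.pixels.set(saved); }                 // visible pixels stay untouched
  };
  return () => { proto.toDataURL = original; };         // undo the wrapper
}

// Draw once, read out twice, and report both signatures for the given mode.
function demo(mode) {
  const restore = mode ? protectReadout(StubCanvas.prototype, mode) : () => {};
  const canvas = new StubCanvas();
  canvas.draw(128);
  const sigs = [signature(canvas.toDataURL()), signature(canvas.toDataURL())];
  restore();
  return { sigs, drawingIntact: canvas.pixels.every((b) => b === 128) };
}

for (const mode of [null, "block", "fake"]) console.log(mode || "unprotected", demo(mode));
```

In a page, the same wrapper would be applied to `HTMLCanvasElement.prototype.toDataURL` and `CanvasRenderingContext2D.prototype.getImageData`, with the perturbation done on a copy of the image data.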

dillbyrne commented 9 years ago

@seli11 Which version of RAS are you using? The Mozilla version has no support for canvas blocking, only the GitHub version.

In the GitHub version there is an extras option to disable the canvas extras.

When that option is checked you should see the following output on the canvas test: (image: canvas_temp)

seli11 commented 9 years ago

I made some tests with YouTube and I have disabled Flash Player, because Flash Player cannot be spoofed, but canvas is easier to spoof (my idea) :), and this plugin https://addons.mozilla.org/en-US/firefox/addon/canvasblocker has the option 'fake readout api'.
On this site http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block with the CanvasBlocker addon's 'fake readout api', every time I refresh it gives me another id ;), I mean it's good. My idea is to change the id of my PC to be like another person, with VPN, user agent, and other things. Google and YouTube have changed the security for the unemployed :), I'm waiting for the new version of random user agent for extra options.

danielcra commented 9 years ago

Actually the page at https://www.browserleaks.com/canvas sometimes shows a fingerprint and sometimes it doesn't, depending on how I load it (retry several times: click bookmark, press return in address bar, use menu at bottom left, click reload in browser). I did clear my browser cache ;-) My settings are: canvas, webgl, webrtc disabled, the rest left to default. Whitelist: youtube.com

dillbyrne commented 9 years ago

@danielcra I need you to test a fix in #121

@seli11 Like I said above, I plan to improve the fingerprinting support. I need to address other issues before I can get to this, such as plugins. @seli11 If RAS fingerprinting blocking is not working, post in #121, not here, thanks.