gorhill / httpswitchboard

Point & click to forbid/allow any class of requests made by your browser. Use it to block scripts, iframes, ads, facebook, etc.
GNU General Public License v3.0

Canvas based tracking #380

Closed ghost closed 9 years ago

ghost commented 10 years ago

I saw an article today where a render of a hidden image can be used to track users across the web.

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Do we have to start blocking images in HTTPSB to prevent this type of tracking?

ghost commented 10 years ago

@gorhill has already noticed.

My understanding is the image is drawn client side with Javascript and optionally sent to the server that instructed you to draw it via XHR, so blocking those is sufficient in this case.

(Of course, a normal image could be used as a <noscript> fallback for normal style tracking.)

gorhill commented 10 years ago

already noticed

Yes, in my opinion this is the best way to foil that kind of tracking, and this works also for many other such tracking techniques: installed fonts, installed plugins, timing of visited links rendering, etc. It's simple, it doesn't involve tampering with the web APIs: just block pathways by which the gathered information reaches the remote server.

And just as with RequestPolicy, block completely addthis.com and all others which can't play nice.

I won't start to tamper with web API when the solution is pretty simple in this case. Let's consider that ProPublica advises NoScript as a solution, so this applies also to HTTPSB, except you have even more control because just blocking cookies/XHR generically will foil all such attempts without having to prevent execution of javascript.

Regarding "normal image could be used as a <noscript>", not sure what you have in mind.

ghost commented 10 years ago

Since @AGPino mentioned images I was just pointing out that tracking Javascript often falls back to a simple image within noscript tags. Just a distracting tangent since the discussion is actually about canvas.

e.g.

<!-- Piwik -->
<script type="text/javascript">
  var _paq = _paq || [];
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u=(("https:" == document.location.protocol) ? "https" : "http") + "://example.com/piwik/";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', 1]);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.type='text/javascript';
    g.defer=true; g.async=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
  })();

</script>
<noscript><p><img src="http://example.com/piwik/piwik.php?idsite=1" style="border:0;" alt="" /></p></noscript>
<!-- End Piwik Code -->

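
The point made in the comments above, that gathered data is only useful once it reaches the remote server and that an image request is one more pathway for it, shown as an added example that is not part of the thread and not HTTPSB's own code: a simplified hostname/type rule evaluation over constructed requests. The rule format, `site.test` and the `/collect` path are assumptions; `example.com` and the Piwik URLs come from the snippet above.

```javascript
// Added illustration: a simplified rule model, not HTTPSB's actual engine.
// Rules are keyed "hostname|type"; "*" matches any hostname or any type.
const genericPolicy = new Map([
  ['*|*', 'block'],          // default-deny: scripts, XHR, cookies, frames...
  ['*|image', 'allow'],      // images allowed everywhere
  ['site.test|*', 'allow'],  // constructed first-party site
]);
// Same policy, plus the tracking host blocked outright.
const hostBlockedPolicy = new Map([...genericPolicy, ['example.com|*', 'block']]);

// Yield the hostname, then each parent domain, then "*".
function* hostCandidates(hostname) {
  for (let h = hostname; ; h = h.slice(h.indexOf('.') + 1)) {
    yield h;
    if (!h.includes('.')) break;
  }
  yield '*';
}

// Most specific hostname wins; at one hostname a typed rule beats "*".
function evaluate(rules, hostname, type) {
  for (const h of hostCandidates(hostname)) {
    for (const t of [type, '*']) {
      const verdict = rules.get(`${h}|${t}`);
      if (verdict) return verdict;
    }
  }
  return 'block';
}

// Constructed requests a page embedding the tracker could make.
const requests = [
  { type: 'script', url: 'http://example.com/piwik/piwik.js' },
  { type: 'xhr',    url: 'http://example.com/collect' }, // constructed path
  { type: 'image',  url: 'http://example.com/piwik/piwik.php?idsite=1' },
  { type: 'image',  url: 'http://site.test/logo.png' },
];

// Return the URLs a policy lets through, i.e. the pathways still open.
function openPathways(rules, reqs) {
  return reqs
    .filter(r => evaluate(rules, new URL(r.url).hostname, r.type) === 'allow')
    .map(r => r.url);
}

console.log('generic type rules:', openPathways(genericPolicy, requests));
console.log('host also blocked: ', openPathways(hostBlockedPolicy, requests));
```

Under the generic type rules the script and XHR requests are stopped but the image beacon URL is still allowed; only the per-host block closes it.
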
gorhill commented 9 years ago

Dup of #323