kkapsner / CanvasBlocker

A Firefox extension to protect from being fingerprinted.
https://canvasblocker.kkapsner.de
Mozilla Public License 2.0

RNG: Persistent isn't persistent #102

Closed mindstormer12 closed 7 years ago

mindstormer12 commented 7 years ago

Even with random number generator set to persistent, if you go to https://browserleaks.com/canvas and refresh the page 20 times, it won't show the same fingerprint 20 times. It will show one fingerprint for a while, and then another, and then back to the original, and then perhaps back to the other (so refreshing ~20 times will show 2 different fingerprints).

So not only is it not persistent, but it also isn't completely RNG if it is able to show me back the original fingerprint after having been given a different one.

Also, there should be an option to allow fingerprint to be persistent even after the session is terminated. Some people use multiple profiles for multiple identities and they would benefit from having a truly persistent identity, rather than one that merely lasts a session.

Lastly, I'm not sure why a domain is added to the whitelist as a default... I don't know anything about kkapsner.de and anyone that uses such an addon certainly does not want any domain to be whitelisted by default. This is a huge red flag in my opinion.

This addon has the potential to surpass Canvas Defender--it just needs more work and polishing. It is more ambitious and that's what I like.

P.S. The wording in the settings might benefit from being re-worded. For example, a short description of each of the block modes available (like the one in the description--you can just include it in the settings as a popup textbox or grayed out text easily). Another example: "Random Number Generator" is not explicit enough (as you can tell by the comments section of the addon, this is not too clear). Persistent fingerprint for what? Persistent for all sessions (this is not the case)? For the current session only? It also contradicts with the block modes... So if the mode is fake readout API and RNG is persistent, then the readout API isn't forced to return a new random value each time it is called and it returns the same value each time? If a setting is dependent on the other in this way, then they should be grouped together.

kkapsner commented 7 years ago

I'm not able to reproduce your problem. I always get the same fingerprint on refresh when the persistent mode is set. Which Firefox version are you using? Any other add-ons installed?

I do not quite see the point in having the rng persistent even after closing the browser. This would increase the probability of being tracked by the fingerprint.

The whitelisted kkapsner.de (my own domain) is from the very first days of this addon. Since the fake option is now available I think I will just remove it.

If you want to do some rewording - you are welcome to help. Just create a fork, do the changes and send a pull request. At the moment I have little time for this project.

dezhavu commented 7 years ago

Heh, nothing changes in this county. I once tried to persuade the developer of the need for a persistent fingerprint over different domains & after browser reload (as you may notice, in the current implementation you have a persistent fp over 1 domain; try a different one and you have different fingerprints, thus if the main site is set to get fingerprints from 2 different sites = whole addon is useless). Sure he can do it, but I guess the whole thing is more complicated, as these options interfere with some global interests.

kkapsner commented 7 years ago

You will not be able to persuade me to include this option - but if you can convince me I will add it. It's not that complicated and I do not know what you mean by "some global interests".

PS: the default entry in the whitelist was removed in https://github.com/kkapsner/CanvasBlocker/commit/f93f2958b716154e9bfbc7e5aa29a48a34a8bb76

mindstormer12 commented 7 years ago

Anyone who frequently opens and closes a browser session will benefit from session-persistent fingerprint--it's why Canvas Defender was originally preferred over CanvasBlocker--CanvasBlocker had only offered to block canvas completely (which breaks things and makes you unique because few people block canvas), or to generate a random different canvas every time (also makes you unique, for the same reason--no typical user's canvas changes frequently). In fact, a user's canvas is expected to stay the same--by definition the canvas is a hash of some fingerprintable data that is based on hardware. How often does a user's hardware change? Almost never, so the canvas should similarly almost never change, hence the need for this feature.

If a user frequently opens and closes his session, he will get new canvas every time and that's similar to receiving a random canvas every time you refresh the website--you're just making yourself more unique because canvas shouldn't be changed frequently if you're a typical user (which you want to be because you don't want to be unique...).

Since this is a genuine use-case and it can be implemented quite easily, I'm not sure why it isn't. How is providing another useful option ever bad for the user?

P.S. The reason why I moved from Canvas Defender to CanvasBlocker is Canvas Defender is no longer in development and CanvasBlocker seems willing to improve and add useful features.

spodermenpls commented 7 years ago

Besides the question if it should be implemented or not, is there really detection technology out there that requires to emulate conventional, consistent canvas behaviour? My concept was to jump to a different canvas hash with every new page, so that my browser doesn't leave a consistent string of identical canvas hash values while surfing the web. Your concept is of course more "stealthy" because the hashes don't jump back and forth with every load, but you would be leaving a consistent string of identical canvas hashes for a long period of time while surfing the web that could be used to re-identify your browser (e.g. for tailored advertising) until you decide to change up your hash values manually. I think your aimed "anti-uniqueness" is only possible by using the Tor browser. 😅

mindstormer12 commented 7 years ago

I think if you're using anything that's not Tor, including Firefox, it is inevitable that you will be tracked throughout a given session. Cookies, dom storage (the main issue here), HSTS information (google about it, there's a long discussion here if you CTRL+F "HSTS"), etc. You can generate a new hash value every page, but the fact is your cookies, dom storage, HSTS information, and a bunch of other settings are the same--you may try to clear this information throughout the session (say every 10 minutes or so), but unless you're doing it consistently and in a very short interval, simply having a new hash value on every page visit won't make you a "different" user in the eyes of the tracking company--you are still being tracked because there's hundreds of other fingerprintable data that remains the same and it is the aggregate of these data that makes up your identity--not the hash value alone. In fact, you'll be raising attention to your identity due to this. (Note: dom storage is the main problem here--there is very little control offered by browsers on what data here domains can access. It's difficult to delete and manage without affecting your usability and will probably be close to impossible when Firefox enforces web extensions in Firefox 57).

As for my particular use-case, I maintain multiple Firefox profiles each with a pseudo-identity. For example, a profile dedicated only to work-related info, another purely for shopping, and another for social media. Having different yet persistent hash values for these profiles achieves the goal of pseudo-identity and without the need to change a bunch of fingerprintable data. A tracking company will be able to track you no matter what if you're using a non-Tor browser for general browsing. The idea with pseudo-identities, achieved by a different yet persistent hash value, is to limit the scope of what these companies can see--if I'm on Amazon and I shop for pet stuff, for example, then I'm not so concerned that another shopping site can see I am interested in pet stuff--what I am concerned about is whether they are correlating my interest in pet stuff with my social media activity or my work-related stuff, for example. An advantage to this is I don't need to clear dom storage, cookies, etc. as frequently--I can do so at the end of the session (which is far more doable than deleting them in a given session). That also means my usability and workflow is completely uninterrupted. There's not much a tracking company can gain no matter how long the session lasts because I've isolated all my related activity to a different profile.

Of course Tor browser deals with these problems well, but I'm talking about general browser usage. Different yet persistent hash values make what I just described very effective and is a great balance in terms of privacy vs. usability. If the developer doesn't think this feature will be used by many, he can make it a hidden setting or something--but what I've described is a concept that is certainly not revolutionary--I've done quite a bit of research and this is the best approach (again, with regards to usability vs. privacy) used by many people who are privacy-conscious and did a bit of reading themselves.

spodermenpls commented 7 years ago

In your case with multiple browsers (= Firefox with different profiles), where you switch between them frequently, a faked Canvas hash that stays the same after a restart would make sense. I don't think there are a lot of people out there that invest such effort in splitting up their browsing activities in multiple browser profiles (kind of a sandbox approach) and therefore are in need of "restart-surviving" Canvas hashes, but I think @kkapsner is able to satisfy your needs. 😄

As you correctly mentioned, the Canvas hash is only one of many fingerprinting items. I therefore use BetterPrivacy, Self-Destructing Cookies, Ghostery, NoScript, CanvasBlocker and Adblock Plus to oppress tracking, and I switched the Flash plugin (other plugins are deactivated) to "ask to activate" to minimize the opportunities to read out my fonts list as a whole. The fonts list (= number of installed fonts) is the only useful item to my knowledge on my system that makes me vulnerable to tracking (besides sophisticated NSA-style spying). There is a program out there (https://github.com/da2x/fluxfonts) that is able to blur the fonts number automatically, but unfortunately it only works with Linux and OS X (@kkapsner, you're not by chance able to write a Windows port some day? 😅). Point is, most (commercial) tracking ventures limit the analysis of fingerprint items to a handful of items (which I made mostly useless, as described), therefore your claim "that you will be tracked no matter what" is from my point of view not true, even with the use of only one single browser profile.

PS: @kkapsner As the new release is still stuck in Mozilla's Code Review, I saw someone mention on Twitter a couple of days ago that he's been waiting for 2 weeks for his add-on to get signed.. do you know where your update is right now in the queue? Too bad I can't switch off the signment-restriction at my release-Firefox to update it by hand..

mindstormer12 commented 7 years ago

None of those addons (which I've used in the past and some no longer) deals with DOM storage though, which as I've mentioned is even more powerful than cookies in terms of tracking (and because it's more persistent) and currently, browsers like Firefox (or addons) do not allow the user to manage it in such a way that it is ideal for preventing tracking. Self-Destructing Cookies is an addon I still use and does a little of that, but it certainly does not prevent tracking with regards to DOM storage. Cookies are dealt with adequately, but not DOM storage (no addon provides good DOM storage control mainly because Firefox doesn't provide the necessary tools to do so). And with Firefox enforcing web extensions, addons like Self-Destructing Cookies will no longer be able to be used (unless it's rewritten, but from what I've read, web extensions will no longer allow such control so dealing with cookies may not even be possible). Until a browser allows the users more control for DOM storage, I wouldn't say any browser except for Tor browser prevents tracking in a meaningful way without resorting to using multiple Firefox profiles (which doesn't deal with DOM storage because Firefox can't in a meaningful way, but does limit the types of data stored in it so it significantly reduces what useful information is being tracked).

Also, I highly recommend uBlock Origin over Adblock Plus and to use uMatrix if you're serious about privacy. uMatrix is the single most important addon for privacy but requires some effort to use. You should ditch Ghostery because it's associated with an online advertising company and is made redundant by uMatrix and uBlock Origin.

spodermenpls commented 7 years ago

Well, Self-Destructing Cookies takes care of normal and localStorage cookies, BetterPrivacy of Flash cookies and CCleaner takes care of DOM cookies. I think I should be safe.

We will see what WebExtensions will be capable of at the end of the year, hopefully there won't be too many function restrictions to harass the add-on developers by then.

Thanks for your advice. I already replaced ABP with uBlock Origin, which blocks a few things that ABP didn't catch. I will do the same with Ghostery + NoScript and uMatrix, but this will probably take a little bit longer to set everything right.

Edit: @mindstormer12 You posted something underneath this but deleted it before I could read it..

kkapsner commented 7 years ago

@spodermenpls: Regarding the addon queue - it's at 77 from 129 now and started at around 110... so the queue is worked on but slower than it used to be.

Regarding the shift to webextensions: they cut a lot of functionality there and I think a lot of addons will not be possible with them. I hope I can manage to shift CB to it...

@mindstormer12: I start to see your point. And since the modifications are unique for each (sub-)domain it's equivalent to having Cookies - so no extra fingerprinting. But I still do not see why having different hashes for different sessions is a big deal. You can synchronize your profile with Firefox Sync between different devices that would all have a different hash. So changing hashes should not be something suspicious.
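
The behaviour debated in this thread (same fake fingerprint on refresh, a different one per domain, a new one after a browser restart), as an added sketch that is not part of the original discussion and is not CanvasBlocker's code. The function names, the secrets, the sample pixels and the use of FNV-1a/mulberry32 in place of a keyed cryptographic hash are all assumptions made for illustration.

```javascript
// Added illustration, not CanvasBlocker code. All names are hypothetical.

// FNV-1a 32-bit hash. Non-cryptographic stand-in so the sketch has no
// dependencies; a real extension would use a keyed hash such as HMAC-SHA-256.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// mulberry32: deterministic PRNG, so one seed always yields the same noise.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Flip the low bit of colour channels (alpha untouched) with noise seeded
// from (secret, domain): stable per domain, different across domains.
function fakeReadout(pixels, secret, domain) {
  const rng = mulberry32(fnv1a(secret + "|" + domain));
  return pixels.map((v, i) => (i % 4 !== 3 && rng() < 0.5 ? v ^ 1 : v));
}

// The hash a fingerprinting page would derive from the canvas readout.
function fingerprint(pixels, secret, domain) {
  const h = fnv1a(fakeReadout(pixels, secret, domain).join(","));
  return h.toString(16).padStart(8, "0");
}

// Constructed 4x4 RGBA canvas content and constructed secrets.
const samplePixels = Uint8ClampedArray.from({ length: 64 }, (_, i) => (i * 37) % 256);
const SESSION_1 = "constructed-secret-session-1";
const SESSION_2 = "constructed-secret-session-2"; // regenerated after a restart

function compare() {
  const fp = (secret, domain) => fingerprint(samplePixels, secret, domain);
  return {
    sameOnRefresh: fp(SESSION_1, "browserleaks.com") === fp(SESSION_1, "browserleaks.com"),
    differsAcrossDomains: fp(SESSION_1, "browserleaks.com") !== fp(SESSION_1, "example.org"),
    differsAfterRestart: fp(SESSION_1, "browserleaks.com") !== fp(SESSION_2, "browserleaks.com"),
  };
}
console.log(compare());
```

In this sketch the restart-surviving option requested above amounts to storing the secret in the profile instead of regenerating it at startup; the per-domain derivation stays the same.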