privacytests / privacytests.org

Source code for privacytests.org. Includes browser testing code and site rendering.
https://privacytests.org
MIT License
862 stars 25 forks source link

Make a list of desired fingerprinting tests #5

Open arthuredelstein opened 6 years ago

arthuredelstein commented 6 years ago

Also write this into the repository, in JSON format.

Thorin-Oakenpants commented 3 years ago

an tiny initial list

universal tests

browser specific (meaning you mark the other browsers as a green - )


We could list all RFP and Brave's standard/strict protections, and decide if they should be added, and how they can be tested. For example, RFP enforces prefers-color as light, so your browser would need to be set up as prefers dark in Tor Browser.

Since you know the browser being tested and the default Brave Shield protection, you could simply return protections such as audio as protected (it is randomized). I am not a fan of this approach here - but there is something to be said for leveraging known implementations to detect randomizing protections in the real world, i.e. in fingerprinting scripts

Thorin-Oakenpants commented 3 years ago

FYI: you can add css as well as matchMedia queries, by using JS to look up the pseudo value, but since only RFP does this and we already know it's covered, it seems a bit moot

click me for concept

I use this on TZP to detect screen spoofing and bypass it, but I use an upper and lower bound (ranges are too large when you factor in scaling and zoom etc to cover everything). If not bypassable due to range, I still know if the value is untrustworthy. But you don't have those issues to worry about, just add the values that cover your tests css - except you probably don't want to use _min_ (I use that as it shows a difference with hiDPI - i.e subpixels and rounds down for entropy) ```css @media (min-device-width:499px){#S:before{content:"";}} @media (min-device-width:500px){#S:before{content:"500";}} /* etc */ @media (min-device-width:2560px){#S:before{content:"2560";}} @media (min-device-width:2561px){#S:before{content:"";}} /* upper */ @media (min-device-height:499px){#S:after{content:"";}} /* lower */ @media (min-device-height:499px){#S:after{content:"";}} /* lower */ @media (min-device-height:500px){#S:after{content:" x 500";}} /* etc */ @media (min-device-height:2560px){#S:after{content:" x 2560";}} @media (min-device-height:2561px){#S:after{content:"";}} ``` html - `x` is my catchall, I use this to also check other css values such as colors, CSS4 items, etc ```html ``` js example ```js function getElementProp(id, prop, pseudo) { try { let item = window.getComputedStyle(document.querySelector(id), pseudo) item = item.getPropertyValue(prop) if (item == "none") {item = "x"} item = item.replace(/"/g,"") if (!isNaN(item * 1)) {item = item * 1} // numbers if (item == "") {item = "x"} // blanks return item } catch(e) { return "x" } } let w = getElementProp("#S","content",":before"), h - getElementProp("#S","content",":after"), console.log("screen as shown by css", w +" x "+ h) ```