privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal

Rewrite Browser Fingerprinting section #1257

Open Mikaela opened 5 years ago

Mikaela commented 5 years ago

Description

I am under the impression that even Tor Browser users get unique fingerprints on Panopticlick at times and that it doesn't tell the full story and at times makes people investigate fingerprint randomizers or try to lessen their fingerprint, which may have the opposite effect?

blacklight447 commented 5 years ago

While I agree that the unique fingerprint is no longer really useful, it's still a good tool for seeing what your browser sends out. I recall talking about this before, but maybe we can make a fingerprint page on the ptio website ourselves, not to test "entropy" like panopticlick, but just to show the user what his general fingerprint looks like.

Thorin-Oakenpants commented 5 years ago

I think you should still have a FP section: but almost everything currently in there is just sooooo wrong. I can explain in further detail at some point: and I'm not saying that randomly raising entropy is not a valid technique (that's not what I meant when I said wrong).

This is one section I would like to re-write for you. People, in general, just don't understand how FP entropy works, or information paradoxes, or even what's possible: and the internet is so full of misinformation on this.

I have been interested in device/browser FPing for about 8 years or more, since Eckersley's paper. I've followed developments, researched, and read hundreds of papers, thesis's (or whatever the plural of that is), PhD's, studies, and so on, in that time. In the last 8 months I've actually been doing more in this area.

Disclosure: I have been working with (or badgering) the Tor Uplift guys (well, Tom Ritter mainly: he has a special inbox for my emails, lol) for years, and have recently been to meetings with the tor project and Mozilla guys specifically for my FP'ing knowledge (I guess they deemed me worthy: I don't think that highly of myself or anything special TBH).

> but just to show the user what his general fingerprint looks like

No need to re-invent the wheel. But I can talk more about this later. PS: I know you said not to include entropy figures (because that's probably too hard to implement), but those figures are all BS

Thorin-Oakenpants commented 5 years ago

> I am under the impression that even Tor Browser users get unique fingerprints on Panopticlick

I'll just address this quickly, so people are informed. Yes, they may get a once-in-a-while unique from Panopticlick: but they are not unique.

You can't really look at all visits to Panopticlick, you need to look at Tor Browser users only (or the enclosed set being protected such as RFP users). It is trivial to detect Tor Browser.

Excluding leaks that haven't been patched, if any: math and science will tell you that the TZ (timezone) is immaterial, a moot point: because everyone is the same. So that TZ entropy figure does not apply. Math and science will tell you that the user agent and navigator properties and Firefox version number = 4 different buckets or FP's (the distribution of those 4 would determine the entropy, but it's not high at all). So Panopticlick's figures are not correct in this sense.

It is precisely because Panopticlick is trying to provide entropy for everyone, that it fails. Because it isn't everyone. This is just the nature of the site: not a design issue per se. It was designed to show users that FPing is a real thing.

Again, this is not a criticism of Panopticlick (well, maybe a little): it is a criticism of how people perceive it. It's great for showing what values your browser returns on certain metrics, but that's it. Panopticlick's purpose is to scare and inform people: and that it achieves.
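The population point made above, as an added example that is not part of the thread: the Shannon entropy of a fingerprint attribute only means something when it is computed over the set of users who share the same defence, so the same timezone attribute carries bits over all visitors to a test site but zero bits among Tor Browser users, and a handful of version buckets yields only a little. The visit records below are constructed sample data, not measurements from any real site.

```python
import math
from collections import Counter

# Constructed sample of visitor fingerprints (not real Panopticlick data).
# Each record: (population, reported timezone, browser version bucket).
# "tor" rows model Tor Browser users, who all report UTC and run one of a
# few bundled Firefox ESR versions; "general" rows model everyone else.
SAMPLE_VISITS = [
    ("general", "UTC-8", "Chrome 80"),
    ("general", "UTC-5", "Chrome 80"),
    ("general", "UTC+1", "Firefox 73"),
    ("general", "UTC+9", "Safari 13"),
    ("general", "UTC+2", "Firefox 72"),
    ("general", "UTC-8", "Chrome 79"),
    ("general", "UTC+5:30", "Chrome 80"),
    ("general", "UTC+1", "Edge 80"),
    ("tor", "UTC", "Firefox 68"),
    ("tor", "UTC", "Firefox 68"),
    ("tor", "UTC", "Firefox 68"),
    ("tor", "UTC", "Firefox 68"),
    ("tor", "UTC", "Firefox 60"),
    ("tor", "UTC", "Firefox 60"),
    ("tor", "UTC", "Firefox 78"),
    ("tor", "UTC", "Firefox 52"),
]


def shannon_entropy(values):
    """Bits of identifying information carried by one attribute over a population."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def attribute_entropy(visits, attr_index, population=None):
    """Entropy of one attribute over all visits, or over one population only.

    Restricting to a population models what an observer who can already
    tell Tor Browser apart (which is trivial) actually learns from the attribute.
    """
    rows = [v for v in visits if population is None or v[0] == population]
    return shannon_entropy(v[attr_index] for v in rows)


if __name__ == "__main__":
    for attr, idx in (("timezone", 1), ("version", 2)):
        print(f"{attr}: all visitors {attribute_entropy(SAMPLE_VISITS, idx):.2f} bits, "
              f"Tor Browser only {attribute_entropy(SAMPLE_VISITS, idx, 'tor'):.2f} bits")
```

Over all visitors the timezone looks like a strong identifier; among Tor Browser users it contributes nothing, and the four version buckets at most a couple of bits, which is why a site-wide entropy figure overstates what a Tor Browser user leaks.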

blacklight447 commented 5 years ago

That was exactly my thought as well, it's great to see what values your browser gives away, which is why I wonder if we should consider making our own fingerprint scanner; your knowledge of fingerprinting techniques would be especially helpful.

Thorin-Oakenpants commented 5 years ago

> which is why I wonder if we should consider making our own fingerprint scanner

you really don't want to go down that road :)

blacklight447 commented 5 years ago

Care to elaborate?

Thorin-Oakenpants commented 5 years ago

Ummm .. not here maybe .. parts of it .. not sure .. will sleep on it

blacklight447 commented 5 years ago

We can talk over it on chat or email.

beerisgood commented 5 years ago

I find this test more useful: https://www.bromite.org/detect

blacklight447 commented 4 years ago

@Thorin-Oakenpants do you still want to explain why it would be a bad idea?

Thorin-Oakenpants commented 4 years ago

I'll give just one reason for starters

I guess it depends on what you want to actually provide. If all you want to do is return some basics (full proper webgl FPing is not basic though) like Panopticlick (without the 3rd party tracking BS) or amiunique, then you can probably get away with it - but I fail to see why re-doing it all and maintaining it is any better than just pointing at the site itself - e.g. amiunique was created by Pierre who knows what he's doing.

csagan5 commented 4 years ago

I collected some resources here on Bromite's wiki: https://github.com/bromite/bromite/wiki/Fingerprinting (might benefit from some updates)

I still suggest https://browserleaks.com/ considering the data collection policies and purposes of the other websites.

ian-tedesco commented 4 years ago

Bump

Thorin-Oakenpants commented 4 years ago

Who are you bumping?

Sorry for not re-reading what is currently on PTIO ... but I see so many people on reddit in r/privacy, r/firefox, and r/privacytoolsio trying to get their FP down on sites like panopticlick and amiunique - when the whole thing is flawed, and they get some really bad advice/answers from some people who just don't know better. Even tor users get all this shit wrong, but at least on r/tor system33- (that's Matt Traudt from the US Navy Research) and a few others seem to handle misconceptions - e.g. by pointing to this - scroll down to "Testing your fingerprint"

On anonymity scores: Matt doesn't work on device/browser FPing, but he's on the right track and while his comments in his article are spot on: they are really just a bunch of questions - not actual answers or reasons why. I would go further than that and actually say why they are ALL unreliable (I have about 10 to 12 reasons)

So yeah, it'd be nice to see something drafted, but IDK if I'll get time.

PS: another thing to add is that tests should be done with JS, iframes, images, css, service workers etc all allowed: as this gives you the worst case scenario of what you leak. So often I see people on reddit (or 4chan lulz) bragging how they got down to 7.5 or 8.5 or something on panopticlick - and they post a screenshot, and JS is disabled: that's not real world for anyone (except maybe Stallman)

PPS: @blacklight447-ptio If I draft something up and you go with it, I'd like to also be able to publish it elsewhere - so none of that copyright BS - kay?

PPPS: here's a little something I've been working on ... <snip>

Mikaela commented 4 years ago

The bump is likely related to this being resurfaced in the forum thread [Requesting Help] Battle against Fingerprinting - How to get good results on fingerprinting tests with commons browsers? where it was cross-posted from Reddit.

My comment linking here.

> PPS: @blacklight447-ptio If I draft something up and you go with it, I'd like to also be able to publish it elsewhere - so none of that copyright BS - kay?

The main site is CC0 / public domain, so I don't know what you mean exactly. https://www.privacytools.io/LICENSE.txt

I would say that PRs are welcome, I don't know if anyone in the team is currently up to taking this as there are all the other issues (CoI/Whistleblower policy and I think blacklight said to take over https://github.com/privacytoolsIO/privacytools.io/issues/1430 on https://github.com/privacytoolsIO/privacytools.io/issues/1704#issuecomment-585317355) and I am not sure what the rest of the team is currently doing.

Personally I am informally away and not making editorial decisions until I feel better about it (if you haven't seen my mental health problems and burnout and issues, you are lucky) and I have been assured that PrivacyTools won't fall apart if I am not there to label every issue and comment on everything regardless of how dis/interested I am in it. See also https://github.com/privacytoolsIO/privacytools.io/issues/977

PS. I think you marked some of your comments as off-topic above so I did that to the comments relating to it. I think if it was a team member, they would have done that.

Edit/PPS. I marked the bump as spam so future readers don't have to read it and I think it's a more appropriate label than off-topic, while I don't consider it as spam entirely either.

Thorin-Oakenpants commented 4 years ago

> so I don't know what you mean exactly

OK. I need to think about this. Because I also can't have future edits by anyone distorting my word. I had already planned to write something like this, attributed to me. And then this issue popped up. I still plan to do it, independently, but it's not high priority. So maybe the easiest and cleanest way is for me to publish it, and then the one at PTIO links to it as a source, and summarizes it

> I think you marked some of your comments as off-topic

I did. I didn't want to discuss what would lead to me pointing at you-know-what because I don't want to deal with "people" about you-know-what - at least not until you-know-what is ready/finished. Not trying to hide it, just making an effort not to mention it

> if you haven't seen my mental health problems and burnout and issues, you are lucky

I was going to share something about being there, done that .. but I just backspaced it all. Just know that you're unique (not in a fingerprintable way) and the world is better for having you around. And ...: You don't owe anyone anything. Do what you want, especially do the things you love - and I'm not talking about just on here: I mean life in general. Don't take any shit from anyone. And if anyone around you is negative all the time (always complaining, telling lies, stressing you out), then cut them out of your life :)

PS: This : unless you've been through it, you can't really understand it. I understand it, I know where you're coming from.

Edit: ❤️

Thorin-Oakenpants commented 4 years ago

re this ptio forum thread

amiunique is flawed: you will always be unique (per session) on Firefox if you have media devices enabled, because the device IDs are not persisted across restarts. Anyway, the whole thread is just so wrong: not just the measurements, but the methodology and actually understanding what the threat model is

Edit: He must have fixed that by omitting it from the "uniqueness" score. I just tested twice with a restart in between. Both tests had different device ids as unique, but the results at the top changed from unique to almost (but only 1 browser in x)

blacklight447 commented 4 years ago

@Thorin-Oakenpants about the draft, sure! All the things we post on ptio and this repo are CC-0, so everyone is free to copy and repurpose it as they wish. :)

dngray commented 3 years ago

I'm going to be working on this along with #1328 and #1430.

dngray commented 3 years ago

> I think you should still have a FP section: but almost everything currently in there is just sooooo wrong. I can explain in further detail at some point: and I'm not saying that randomly raising entropy is not a valid technique (that's not what I meant when I said wrong).

I'm inclined to agree. It's one of the parts of the site that has needed redoing for a while.

> This is one section I would like to re-write for you. People, in general, just don't understand how FP entropy works, or information paradoxes, or even what's possible: and the internet is so full of misinformation on this

Very much so, we'd also very much appreciate that if you're still interested. I agree it is out of date.

> So yeah, it'd be nice to see something drafted, but IDK if I'll get time.

It would probably take you a lot less time than us, given your background, experience and history over the years in this area.

> OK. I need to think about this. Because I also can't have future edits by anyone distorting my word.

However you do it, we won't edit it. I am thinking maybe a quotation style, with your pseudonym as a source.

I consider you to have valuable insight based on specific experience (that would be hard for us to replicate), supported by research and experiments of your own.

I'm thinking the way we should go forward maybe is explain what fingerprinting is, but not mention Panopticlick specifically?

I'd certainly like it to be a part of https://github.com/privacytools/privacytools.io/pull/2081

Thorin-Oakenpants commented 3 years ago

This is just like so much work for me, and I want to do it in my own time. I have plans to add an arkenfox/blog repo so I can just point to the articles and not have to keep explaining the same things over and over. I plan to add occasional pages linking to specific tests at TZP: standalone ones listed in the TZP index: and create posts such as

lots of such entries :)

Edit: don't take my made-up-title-examples literally: they deserve proper analysis and explanation

dngray commented 3 years ago

> I have plans to add an arkenfox/blog repo so I can just point to the articles and not have to keep explaining the same things over and over.

This would actually be really good. We could then use it as a reference.

Thorin-Oakenpants commented 3 years ago

article 1 would be defining what privacy, anonymity and security (security in the context of the other two) mean: you know, my analogy of old-timey vs digital

dngray commented 3 years ago

> article 1 would be defining what privacy, anonymity and security (security in the context of the other two) mean: you know, my analogy of old-timey vs digital

This actually ties heavily into https://github.com/privacytools/privacytools.io/issues/1760

IacobusKopiirefuto commented 3 years ago

If Panopticlick will still be included in the new rewrite, we probably should reflect its rebranding by EFF. The new name is Cover Your Tracks and the URL was changed as well to https://coveryourtracks.eff.org/.

The URL for the article How Unique Is Your Web Browser? Peter Eckersley, EFF was also changed to https://coveryourtracks.eff.org/static/browser-uniqueness.pdf.

The https://panopticlick.eff.org/ links redirect to the new site just fine so far, but we should probably use the new links.

gary-host-laptop commented 3 years ago

@IacobusKopiirefuto As far as I know the idea was to leave behind the whole fingerprinting idea since it wasn't so good at describing how it affects one's privacy, so I doubt that will still be included.