Closed Kraxys closed 4 years ago
Did you toggle the about:config option to limit detectable fonts? I think that's how it's detecting your OS and browser. There's a few about:config entries you will need to enable to enhance your security. Check the wiki for more info if you haven't already.
I have tested with the preference browser.display.use_document_fonts set to 0. Pretending with Chameleon 0.8.16 to be Chrome 69 on Ubuntu, Browserprint.info correctly guessed I was some Firefox version on some Windows version.
I added CanvasBlocker to the combo, because browserprint.info seems to test some AudioContext and CanvasBlocker is able (in "expect option") to spoof it, but without success. (Firefox on Windows always detected).
Then I tried with a heavily customized profile (using Chameleon, Canvas Blocker and many other addons, one of these others being BP Privacy Block All Font and Glyph detection). In that case, Browserprint.info correctly guessed that my browser belonged to the FF family, but was fooled concerning the OS, considering it belonged to the Linux family (as spoofed).
BP Privacy Block All Font and Glyph detection is intended to:
Automatic blocking of all font detection for browser fingerprinting. Block detection of installed fonts by fingerprinting attempts, without breaking the appearance or function of any website. Works automatically to show 0 fonts detected and no unique glyphs per font type. This version also improves some compatibility issues with certain websites and Google products. Other minor improvements to the code will provide performance improvements to this lightweight font privacy extension.
Problem: I no longer find BP Privacy Block All Font and Glyph detection on AMO, only on the Google Store. But it was on AMO at least on 7 September, as about:addons indicates it was updated that day.
It seems that BP Privacy Block All Font and Glyph detection is now renamed as BP Block Font Fingerprint on AMO.
Sorry) And sorry for my English, I'm Russian )
As I understand it - Sereneblue has nothing to do with it.
Firefox itself has a unique signature, no matter how you change the user agent.
Example in PHP (function createHeaderSignature): https://svn.jondos.de/svn/anontest/inc/helper.php
And the TCP/IP protocol gives away the operating system (bypassing the browser, Chameleon, etc.)
Proofs: https://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting https://security.stackexchange.com/questions/173233/how-do-i-hide-the-os-i-am-using-from-internet-sites https://www.doileak.com/about.html
Moreover, as a “bonus” - mobile devices send tap, and not click, so you don’t have to pretend to be mobile. https://patrickhlauke.github.io/touch/tests/event-listener_naive-touch-or-mouse.html
But Firefox can do it itself: https://developer.mozilla.org/en-US/docs/Tools/Responsive_Design_Mode
Therefore, in add-ons like the Windscribe, the substitution is limited to the versions of the Firefox versions and the versions of the original OS.
But that sites with this info (browser and os, especially if only versions are changed) will do? Cry, that they seem deceived again? :) I think they don’t need it and Windows with Firefox are millions https://www.w3schools.com/browsers/browsers_firefox.asp. Now if FF61 more first version add :)
IMHO - the spoofing of these parameters, with the exception of scammers, security services, etc., no one needs (by the way, problems may arise, for example, with anti-fraud systems, since a simple user will not do this). And in order to get rid of "advertisers" - the Chameleon is a fantastic extension :)
@3ibsand Your English is fine and thanks for the compliment. :)
As you've mentioned, there are some things that can't be 'fixed' with WebExtensions. I do think the current version of Chameleon with a few addons, VPN/proxy and good practices should be enough for most people.
I'm still looking into this since it seems like an interesting feature to add. :)
Hello :)
Yes, the opportunity is interesting. It’s a pity, I don’t write in Java, but I’m reading the code, since I’m writing in C# and other dotNet languages and C++, otherwise I would love to help.
You can delete one of the headers, just as it is implemented in simple-modify-headers (for example - Spoof Accept-Language, it will not break the sites, and the signature will change). But then the FireFox will be defined as an "unknown browser", because of which they may not be allowed on sites :)
As for the operating system, in my opinion, nothing can be done, but can change the stack as in the TCPOptimizer program, but can also break Windows)
As for mobile operating systems - can probably activate the touchpad and touchscreen emulation in FireFox, but I don’t know how :)
True, if you want, I can translate the interface into Russian, maybe it will increase the number of users :)
And even your hackers reading in English can not always understand how to use the Chameleon, although they realize that it is useful. And so our hackers, which do not read English either, especially)))
One issue that you may run into when configuring the headers options is that no explanation is provided. While it is easy enough to understand some options, Enable Do-Not-Track does exactly that, it is unclear what others like Disable Authorization or Spoof via do exactly. :)
Accept-Language could be useful if you want to browse the web in a different language. I could try to rewrite some of the interface labels to make them more descriptive but it's a bit difficult fitting that in the popup window. I think I'll open the wiki page when the extension is first installed.
I appreciate the offer to translate the interface. I'm going to begin work in the near future to make it easier to add languages to Chameleon. There's a few things I want to finish first. ;)
Ok. Thanks)
Well, about the removal of header, I for example)) Who really wants to completely disguise - checkbox. Or answer that "you can use simple-modify-headers, but it will end badly")
OS is also still detectable via navigator.platform
@kevgk Do you have script injection enabled? That should be spoofed if you select a browser profile (or one of the random options)
@sereneblue worked, thanks.
Me too. browserprint.info, Telegram web and Fake Vision detect my Real OS.
PLATFORM Win10 Linux
Even I turned on Enable script injection, and checked Firefox 65 (Win 10). I use Firefox 65.0 and Chameleon v0.11.3. I think once spoof was working but now that is not working, I believe.
For browserprint and Fake Vision, I think it's the font that leaks the true OS. That's something I plan to work on. I don't use Telegram, so I'm not sure how they're detecting the real OS.
I turned on resistFingerprinting. Is resistFingerprinting not working properly?
Resist fingerprinting is working properly.
I did some research into the passive fingerprint that Fake Vision uses; I believe it's using this for the fingerprint. That's beyond the capabilities of a WebExtension.
If you enable resist fingerprinting, It limits the fonts detected but I think the fonts are still unique per platform. I've had mixed results (incorrect OS) with browserprint.
[edit: grammar, typos]
If you enable resist fingerprinting, It limits the fonts detected
privacy.resistFingerprinting does not do anything to stop font fingerprints, and it won't for at least another year, even if it decides to actually do something (straight from the horse's mouth - I have contacts!). The current thinking is to follow Tor Browser's bundling of fonts. This has two parts
font.system.whitelist
Note that TB have slightly different bundled fonts per platform (i.e. major platform: windows/linux/mac/droid)
The fingerprint testing site browserprint.info is able to guess my OS belongs to Windows family and my browser to Firefox
Just to let OP know that you CANNOT hide your OS or browser (or even your browser version) if anyone really wanted to know - see https://arkenfox.github.io/TZP/tzp.html#useragent - you can see I have a TCP/IP item (but haven't coded it). But math, chrome://, resource://, error messages, and feature detection all leak you are on Firefox, feature detection shows your version: math alone leaks your OS.
Outside of this active FP'ing is passive FP'ing, such as TCP/IP stack, TLS and ciphers, etc - all leak things server side.
Don't overthink it. While I'm not a fan of randomizing & raising entropy (vs lowering entropy) due to all the information paradoxes it brings (which also adds more FP'ing and causes breakage), the fact is that the vast bulk of FP'ing is using "simple" libraries like fingerprintjs2 because they're small, fast and contain enough complexity and stability to be usable, and they get 95% of people (easy free low hanging fruit) - not to mention all the other ways tracking is done to link your activities (3rd party cookies, ssl session ids, header referrers, etc)
@3ibsand I've finally gotten around to adding support for localizations. If you still want to help translate Chameleon, you can find the project page for translations here.
I haven't forgotten this issue either. Hopefully, I'll be able to close it before the end of the month. ;)
The fingerprint testing site browserprint.info is able to guess my OS belongs to Windows family and my browser to Firefox whatever user-agent I select with Chameleon.
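A self-check for the navigator.platform leak discussed in the thread, as an added example that is not part of the thread or of Chameleon's code: it compares the OS and browser claimed in the user agent against navigator.platform and the Firefox-only navigator.oscpu property. The function names, the simplified OS patterns and the two sample profiles are constructed for illustration.

```javascript
// Added example: audit a navigator-like object for spoofing inconsistencies.
// The patterns below are a simplified assumption, not an exhaustive OS list.
function osFamily(text) {
  if (!text) return "unknown";
  if (/\bWin(dows|32|64)\b/.test(text)) return "windows";
  if (/\bMac/.test(text)) return "mac";
  if (/Linux|X11/.test(text)) return "linux";
  return "unknown";
}

// Returns a list of findings; an empty list means the profile is consistent
// as far as these three properties go (fonts, math, TCP/IP are not covered).
function auditProfile(nav) {
  const findings = [];
  const uaOs = osFamily(nav.userAgent);
  const platOs = osFamily(nav.platform);
  if (uaOs !== "unknown" && platOs !== "unknown" && uaOs !== platOs) {
    findings.push(`platform: UA claims ${uaOs}, navigator.platform says ${platOs}`);
  }
  // navigator.oscpu is only exposed by Firefox, so its presence is a feature leak.
  if ("oscpu" in nav) {
    if (!/Firefox\//.test(nav.userAgent)) {
      findings.push("browser: navigator.oscpu exists but UA does not claim Firefox");
    }
    const cpuOs = osFamily(nav.oscpu);
    if (uaOs !== "unknown" && cpuOs !== "unknown" && uaOs !== cpuOs) {
      findings.push(`oscpu: UA claims ${uaOs}, navigator.oscpu says ${cpuOs}`);
    }
  }
  return findings;
}

// Constructed sample: only the User-Agent is spoofed (Chrome on Linux),
// while the script-visible properties still describe Firefox on Windows.
const headerOnlySpoof = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
  platform: "Win32",
  oscpu: "Windows NT 10.0; Win64; x64",
};
// Constructed sample: every property tells the same story.
const consistentProfile = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0",
  platform: "Win32",
  oscpu: "Windows NT 10.0; Win64; x64",
};

// In a browser console, audit the live profile after applying a spoof.
if (typeof window !== "undefined") console.log(auditProfile(window.navigator));
```

An empty result only means these three properties agree with each other; the font, math and server-side signals mentioned in the thread are outside what this check can see.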