uazo / cromite

Cromite a Bromite fork with ad blocking and privacy enhancements; take back your browser!
https://www.cromite.org/
GNU General Public License v3.0
2.85k stars 61 forks

Implement Anti-detection for Fingerprinting Resistance #1206

Open Metrokoto opened 2 weeks ago

Metrokoto commented 2 weeks ago

Preliminary checklist

Is your feature request related to privacy?

Yes

Is there a patch available for this feature somewhere?

N/A

Describe the solution you would like

Now, first thing I want to get out of the way is that Cromite does an impeccable job of fooling CreepJS (the most in-depth fingerprinting library out there, as far as I know), however, there are improvements that can be made.

CreepJS is actually used by some websites for bot detection, meaning the fact Cromite gets detected means it could make for an annoying browsing experience on some sites in future, even ones not using CreepJS specifically, such as Cloudflare Challenge loops, RECAPTCHA being unsolvable, etc.

The following detections are thrown for CreepJS, and should be looked at to see if they can be made undetectable:

Trash:
1: CanvasRenderingContext2D.getImageData: suspicious pixel data

Lies:
CanvasRenderingContext2D.getImageData:
- pixel data modified
CanvasRenderingContext2D.measureText:
- metric noise detected
Element.getClientRects:
- unknown rotate dimensions

If these detections are prevented, it may be possible to get the trust score up from 22% -F on Android and 25% -F on Desktop respectively.

This can easily be tested on a stock Cromite installation here; https://abrahamjuliot.github.io/creepjs/

Describe alternatives you have considered

N/A

uazo commented 2 weeks ago

> such as Cloudflare Challenge loops, RECAPTCHA being unsolvable, etc.

in principle, this is not a browser problem. this does not mean disregard, but there is no doubt that it is a limitation of those tools. maybe i am wrong, but for now i think so. One would have to open the code of these tools and understand what they do, but it is complex, I realise.

> ... is actually used by some websites for bot detection

@jamchowder If you want to contribute, your opinion is welcome. (context: https://github.com/uazo/cromite/discussions/1020)

> The following detections are thrown for CreepJS

I am working on it, slowly :)

> CanvasRenderingContext2D.getImageData: pixel data modified
> CanvasRenderingContext2D.measureText: metric noise detected

technically you draw in a canvas and then retrieve the bytes of the image to derive a hash, that is a value that many use for fingerprinting in the assumption that it somehow helps define the user's device. I think that what uniquely defines chromium's canvas behaviour is the screen geometry and the fonts present on the device. my hypothesis is that by flattening these two elements, the value derived from the canvas becomes identical.

> Element.getClientRects: - unknown rotate dimensions

I am aware of that: try to disable chrome://flags/#fingerprinting-client-rects-noise (but then remember to reactivate it). As above, I would like to try to solve the problem at its root with this approach. every contribution is welcome. the next step is to understand how https://github.com/fathyb/carbonyl works

> meaning the fact Cromite gets detected

is inevitable. my aim, for the time being, is not to disguise cromite, but not to allow it to be understood that the device is the same between different sessions (meaning a clean browser session, a restart, to be clear). the ultimate goal is to understand whether it is possible to flatten all devices.

but the biggest problem is the output ip, if you don't change that there's no point in using cromite. and I still haven't solved that problem.
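The trade-off in the comment above (readback noise versus flattening fonts and geometry), as a small model added here for illustration; it is not code from Cromite or CreepJS. The 4x4 buffer, the `fontMetric` device parameter, the noise pattern and the known-colour probe are all assumptions of the model.

```javascript
// Model only: a 4x4 RGBA buffer stands in for a canvas; all names are hypothetical.
const SIZE = 4 * 4 * 4;
const FLAT = { fontMetric: 4 }; // constructed "flattened" profile shared by every device

// FNV-1a over the pixel bytes, standing in for the hash a fingerprinter derives.
function hash(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Solid fill: every pixel should read back as exactly these bytes.
function fillSolid(rgba) {
  return Uint8ClampedArray.from({ length: SIZE }, (_, i) => rgba[i % 4]);
}

// Text-like drawing: the device's fonts/geometry shift the red channel.
function drawText(device) {
  const px = fillSolid([0, 0, 0, 255]);
  for (let i = 0; i < SIZE; i += 4) px[i] = (i * device.fontMetric) % 256;
  return px;
}

// Readback; the "noise" strategy flips low bits in a per-session pattern.
function read(px, strategy, session) {
  if (strategy !== "noise") return px;
  return px.map((v, i) => ((i + session) % 5 === 0 ? v ^ 1 : v));
}

// What a page can learn from two devices, two sessions and one known-colour probe.
function evaluate(strategy) {
  const render = (dev) => drawText(strategy === "flatten" ? FLAT : dev);
  const fp = (dev, session) => hash(read(render(dev), strategy, session));
  const known = [10, 20, 30, 255];
  const probe = read(fillSolid(known), strategy, 1);
  return {
    sameAcrossSessions: fp({ fontMetric: 3 }, 1) === fp({ fontMetric: 3 }, 2),
    devicesDistinguishable: fp({ fontMetric: 3 }, 1) !== fp({ fontMetric: 5 }, 1),
    tamperDetected: probe.some((v, i) => v !== known[i % 4]),
  };
}

for (const s of ["none", "noise", "flatten"]) console.log(s, evaluate(s));
```

In this model only "flatten" yields a hash that is the same for every device and session while the known-colour probe still reads back unchanged; "noise" breaks session linking but fails the probe.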

Metrokoto commented 2 weeks ago

> > Element.getClientRects: - unknown rotate dimensions
>
> I am aware of that: try to disable chrome://flags/#fingerprinting-client-rects-noise (but then remember to reactivate it). As above, I would like to try to solve the problem at its root with this approach. every contribution is welcome. the next step is to understand how https://github.com/fathyb/carbonyl works

This does not work, the only noticeable difference is on this page: https://abrahamjuliot.github.io/creepjs/tests/domrect.html

The fingerprint is now static, yes, however it still shows the aforementioned error relating to getClientRects on the homepage.

NearestWater262 commented 1 week ago

> but the biggest problem is the output ip, if you don't change that there's no point in using cromite. and I still haven't solved that problem.

you could pre-install some kind of proxy switcher or make one of your own. it could auto rotate between proxies too if the user wants. that would be so cool. would take a lot of the work out of IP randomization. (also you should still think about my idea of adding a New Identity button like tor has.)

Something like Mullvad's proxy switcher on mullvad browser, or Foxy Proxy. i actually tried foxy proxy on cromite and it didn't work, i tried a lot of things on it.

@uazo

uazo commented 1 week ago

> make one of your own

yes, I will try it at some point.