Privacy: Canvas fingerprinting

News that do not fit in elswhere

Moderators: b1o, jkerr82508

User avatar
viking60
Über-Berserk
Posts: 9279
Joined: 14 Mar 2010, 16:34

Privacy: Canvas fingerprinting

Postby viking60 » 11 Aug 2014, 14:48

A new method has been found to identify you on the internet. Even if you are able to hide your IP - this will identify you:

The method is called Canvas fingerprinting and exploits the new ability browsers have to draw an image. These images will not be exactly alike. There will always be one pixel here and one pixel there that is different even if it is the same brand of Browser.

if your browser always misses pixel no 47649877 in that picture it will miss it every time. You don't care because you cannot see it since it has no visual impact.
But this can be used to create a unique number for you - like a social security number or an IP +1
This number will be recognized on the next site you visit so that the dirty spies can get a broader picture of what you are interested in and place dto interesting adds for you.

If canvas fingerprinting is combined with addThis then you will get adds based on what you surf upon - and pray to God that you do not need to search for Fungus or Venereal deceases .

If you like chubby women or men, preferably without clothes, then I can inform you that Youporn has used Canvas fingerprinting in combination with addThis.
So they will know.
AddThis is a popular bookmark and sharing service that uses canvas fingerprinting in their tracing algorithms.

What did shock Youporn and the Norwegian health authorities who used this for more than a year, is that addThis intercepted the data and sold them.

So anyone who surfed the Norwegian health authorities website for really embarrassing deceases did receive "helpful" adds for various medicines and cures.
Those Authorities may have been truly surprised by this - it is an open question if the Youporn guys where shocked.

In any case; both have stopped using it now.

http://whitehouse.gov does also use canvas fingerprinting and addthis - there is no information to if they are shocked or surprised by the identification possibilities these technologies provide....

There is no incognito mode in any browser that can deal with this - since cookies are not used here. It has been claimed that Tor will prevent identification.

And indeed it gives a warning that canvas image data can identify you so a blank image has been sent.

But it still resolves the image and gives the same unique number every time in my tests.

So I went to a check site and it straight away informed me that I was Using Chrome on Linux and the number of my fingerprint signature.

Then I visited the same site with TOR and got this:
General Conclusion ?Canvas Protection was detected, it seems that Tor Browser is here! :B

So it looks like Tor might still protect you - that's what Vikings do :-D

I have heard that Addblock pluss and Privacy badger can deal with this to.

I will check and let you know...
Check your fingerprint here:
Image

More here
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
viking60
Über-Berserk
Posts: 9279
Joined: 14 Mar 2010, 16:34

Re: Privacy: Canvas fingerprinting

Postby viking60 » 12 Aug 2014, 13:45

I have found that Addblock does not stop this directly.
Privacy badger will show that there is an addthis tracker on the site so you can disable it.
You need to do it manually though.
Image
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Privacy: Canvas fingerprinting

Postby Snorkasaurus » 12 Aug 2014, 16:06

I'm not sure I see canvas fingerprinting as providing any more information disclosure than user-agent.
browserleaks.com canvas page wrote:It is very likely that you are using [Firefox] on [Windows]
but I am not, I am using SeaMonkey (which is clearly stated in my user-agent). Of course the version of my browser and my OS are also given in my user-agent.
browserleaks.com canvas page wrote:We don't know all the reasons, but we have already collected more than a thousand unique signatures.
If the entire digital population were to be broken in to a couple thousand groups then I imagine that my user-agent is providing more uniqueness than my canvas fingerprint. Of course I could always use an extension like UAControl to fake my user-agent. :-)

Their geo page is off by almost 500km for me, and they claim that I have WebRTC enabled but couldn't locate anything other than my internal IP (which not surprisingly is in one of the common private address spaces). In all reality my IP address and user-agent are providing significantly more information that any other disclosure (especially if my ISP is willing to cough up information about my IP). I assume that if someone owned enough web sites, and if I visited more than one of them, that they could combine some of the non-IP and non-user-agent information to generate a reasonably specific profile but it just doesn't seem practical.

My 3¢
S.

User avatar
viking60
Über-Berserk
Posts: 9279
Joined: 14 Mar 2010, 16:34

Re: Privacy: Canvas fingerprinting

Postby viking60 » 12 Aug 2014, 17:23

What you should worry about is if you are given the same unique number (signature) every time you visit there with the same browser.
That is how they trace you, and it does not matter if your browser is called Apfelstrudel.
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Privacy: Canvas fingerprinting

Postby Snorkasaurus » 12 Aug 2014, 17:42

But doesn't my IP address plus my user-agent provide remote web sites with the same tracking/profiling ability without even having to read up on how canvas works?
S.

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Privacy: Canvas fingerprinting

Postby Snorkasaurus » 12 Aug 2014, 17:47

Strangely, when I tried it from SeaMonkey/Linux_x64 it told me I am very likely running SeaMonkey on Linux... then I tried IceWeasel from the same box and it told me I am very likely running SeaMonkey on Linux (with the same sig). :-)
S.

User avatar
viking60
Über-Berserk
Posts: 9279
Joined: 14 Mar 2010, 16:34

Re: Privacy: Canvas fingerprinting

Postby viking60 » 12 Aug 2014, 19:04

The fingerprint is used to recognize you when you come back to a site so that they know that you are above average interested in Turtles or whatever.
Even if you have all the cookie blocks they will identify you with Canvas fingerprint.

It is also possible to hide your IP and still your browser will be identifiable by this..

What these guys do not get is that when you set your cookies to not tracing you - then it is because you do not want to be traced.
So they tap dance around it by using something other than cookies - which in no way has altered your attitude towards tracing you. But they get to ignore you and do what they want against your will.

This should be punishable as a crime - instead the White house uses it too...
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Privacy: Canvas fingerprinting

Postby Snorkasaurus » 12 Aug 2014, 19:32

Hmmm, using hidemyass.com they are unable to present a signature for me (likely some javacrap that hidemyass blocks) - but going through a proxy in Honduras they were able to present the same signature. I still wouldn't consider that to be very unique though since I am lumped in to that signature group with tens of thousands of other people. Mathematically speaking, a web site owner would get more "tracking mileage" on me from tracking user-agent/IP than my canvas sig... though if someone were using a more popular browser they could be "narrowed down" a bit. Ahhh, the perils of not using Chrome LAWL! :-)

S.

User avatar
viking60
Über-Berserk
Posts: 9279
Joined: 14 Mar 2010, 16:34

Re: Privacy: Canvas fingerprinting

Postby viking60 » 12 Aug 2014, 22:30

Your browser has a unique number. Try another browser and it gets a different number - but the same every time you retry it.
This is more accurate than you think.
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Privacy: Canvas fingerprinting

Postby Snorkasaurus » 13 Aug 2014, 04:43

Actually SeaMonkey and IceWeasel (Debian un-branded FireFox) gave me the same signature. My guess would be that this is because they use a similar gecko rendering engine [version numbers 4.5 years apart] and were being used on the same video card. The web site claims 757106 visitors and 2626 signatures which [my mistake] means an average group size of 288. My point is that my use of SeaMonkey (and my willingness to allow the default user-agent for most web sites) is more unique than 288. I would be willing to bet that the number of people using SeaMonkey 2.26.1 on Linux x64 is less than that, and possibly that no other user at my ISP's IP address ranges would share my user-agent.

However, I can see that if I were using a more popular browser, the canvas fingerprint could narrow me down to whatever group size my signature would be. If someone were to track both canvas fingerprint and IP address they could possibly identify individual users... with exceptions of course for large organizations with standardized desktops behind a single IP. In the early 2000's I worked for an organization that blocked all local Internet access for local PC's so all surfing had to be done through a Terminal Server session. The terminal servers were completely standardized and so all 3500 users would appear to canvas fingerprinting to be the same signature. It is an exceptional case but a real-life example just the same.

Hmmm, funny thing is... IceWeasel v24.7.0 uses Gecko engine v20140722 and claims to be FireFox v24.0 compatible - while SeaMonkey v2.26.1 with gecko engine v20100101 claims to be FireFox 29.0 compatible. Seems a little counter intuitive to me (and unrelated to canvas fingerprinting). :-)

S.

User avatar
R_Head
Berserk
Posts: 2566
Joined: 17 Mar 2010, 15:40

Re: Privacy: Canvas fingerprinting

Postby R_Head » 13 Aug 2014, 11:41

Try Konqueror.

In the settings you can change the browser ID to pretty much anything you want.

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Privacy: Canvas fingerprinting

Postby Snorkasaurus » 13 Aug 2014, 14:26

I actually use the UAControl addon which lets me change my user-agent on a site by site basis if I want. :-)
S.


Return to “General News”