Canvas Fingerprinting and HTML5 Canvas Fingerprinting

avatar

Administrator
Staff member
Administrator
Hi!

I researched this one a while ago.

The problem is that there is no "clear" way to block it. Canvas fingerprinting is not some browser technology you can disable in the settings (like WebRTC).

The only way is to override the JavaScript API used for fingerprint creation and trick the fingerprint creator. And it is a hell of a lot of work :(

I've opened an issue, but this feature is planned for the 6.1 release only:
https://github.com/AdguardTeam/AdguardForWindows/issues/114
 

snf

New Member
Thanks for the reply.

That's bad news.

I'm not technical; can you explain how:

"The only way is to override the JavaScript API used for fingerprint creation and trick the fingerprint creator. And it is a hell of a lot of work"

Please.

Because except for Chromium and Firefox, no browser can disable canvas and HTML5 canvas.
 

avatar

Administrator
Staff member
Administrator
Ok, let's look at this and compare it with some other tracking method like WebRTC.


WebRTC is a separate program module which can be disabled in the browser settings.

Canvas Fingerprinting is not a module, but a technique for creating almost unique browser "fingerprints".
This technique involves using different legit JavaScript APIs like working with fonts or drawing on canvas.
These APIs can't be disabled in browser settings.

Breaking these APIs is not a good solution because it can mess with website functionality.
 

snf

New Member
Thanks, avatar.

I understand now.

Thank you very much for taking the time to answer me.

Best regards
 

avatar

Administrator
Staff member
Administrator
No problem:)

Anyway, we'll try to block this; all I am saying is that it can't be done fast.
 

Gass

Member
Hello all,

This is what I'm finding on the web; it's far from thorough or comprehensive as this is still a developing issue.

HTML5 APIs Fingerprint Users - How to Prevent - gives a good understanding of why this is hard to deal with.
http://blog.add0n.com/2016/03/23/html5-apis-fingerprint-users-how-to-prevent.html

Keeping pace with the web trackers / Tracking the trackers
People have a “certain threshold” for tracking and what they’re comfortable with, according to Furr, but there’s
still a lack of awareness over how deep tracking goes. Visualizing this activity can make a huge difference.
http://www.digitaltrends.com/computing/web-trackers-privacy/

Better Web Browsing - https://riseup.net/en/security/network-security/better-web-browsing
(mostly for Chrome, Firefox) but a good set of practices to use with any browser.

Anti-Fingerprinting extensions:

Firefox browser
Stop Fingerprinting - https://addons.mozilla.org/en-US/firefox/addon/stop-fingerprinting/?src=ss
CanvasBlocker - https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
Canvas Fingerprint Blocker - https://addons.mozilla.org/en-US/firefox/addon/canvas-fingerprint-blocker/?src=ss

Chrome browser
Canvas Defender - https://chrome.google.com/webstore/detail/canvas-defender/obdbgnebcljmgkoljcdddaopadkifnpm
CanvasFingerprintBlock - https://chrome.google.com/webstore/detail/canvasfingerprintblock/ipmjngkmngdcdpmgmiebdmfbkcecdndc
Ghostery - https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij
ScriptSafe - Fingerprint Protection and so much more, Canvas Fingerprint, Audio Fingerprinting, WebGL Fingerprinting,
Battery Fingerprinting, Block Device Enumeration, Block Gamepad Enumeration, Block Canvas Font Access,
Block Client Rectangles, Reduce Keyboard Fingerprinting.
Downloads: https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf
https://github.com/andryou/scriptsafe/releases
ScriptSafe Options General Settings - https://www.andryou.com/scriptsafe/options


Some Hybrid Browsers claim or attempt to do this-

Slimjet Web Browser
Fast & Efficient, Powerful & Flexible, Secure & Stable, robust sandboxed multi-process architecture.
Slimjet is armed with the most advanced anti-tracking technology to thwart various attempts to invade on your
privacy (e.g., track your identity or profile your behavior) by the intrusive businesses.
Welcome to the ONLY browser that automatically blocks ALL ads. No plugins, opt-ins or configurations needed.
http://www.slimjet.com/
How to prevent canvas fingerprinting in Slimjet
http://www.slimjet.com/en/webhelp/prevent-canvas-fingerprinting.htm
Review - https://m.reddit.com/r/privacytoolsIO/comments/4o3xg3/slimjet_a_privacyaware_chromium_browser/

Brave browser
The privacy-focused browser Brave, co-founded by Brendan Eich, Mozilla co-founder and JavaScript creator,
is trying to consolidate these efforts into one browser rather than using several extensions.
“Right now we’re blocking canvas and WebGL fingerprinting, WebRTC and IP fingerprinting,” Yan Zhu (an
engineer at Brave) said, and recently Brave added features to block a type of audio fingerprinting discovered by
the WebTAP researchers at Princeton that collects data from your machine’s audio signature.
SOURCE1: http://www.digitaltrends.com/computing/web-trackers-privacy/
Brave redirects sites to HTTPS. We've integrated HTTPS Everywhere into every Brave browser to make sure you
are always moving your bits across the safest possible pipe.
SOURCE2: https://www.brave.com/

Epic Privacy Browser
Based on Chromium, Epic is the perfect example of a browser that strips out every conceivable feature to maximise
privacy. It’s rather like using a minimalist Google Chrome with the Google.
Cookies and trackers are eliminated after each session, all searches are proxied through the firm’s own servers
(which means there is no way to connect an IP address to a search), and it attempts to prioritise SSL connections
wherever possible, useful for open Wi-Fi connections.
It does not collect data about its users and comes with excellent built-in ad blocking.
https://www.epicbrowser.com/index.html

Epic Privacy Browser Forums → Epic Privacy Browser - Privacy Features & Privacy Concerns → Anonymity Leaks
alok/Administrator 2015-06-23 21:00:39 >> Robert Unfortunately, it's not so simple to just block everything...
many sites stop working. We're working on stopping more data leaks without breaking sites -- it's harder than it
seems.
At present, we actively block known fingerprinting scripts...so even though that data is in theory accessible,
if calls are made by a known fingerprinter/data collector, we block them.
Until we can block plugins, blocking a lot of that data isn't very helpful in terms of blocking fingerprinting
because plugins leak all that data and more.
http://forum.epicbrowser.com/viewtopic.php?id=1185

Pale Moon browser
Pale Moon browser is a stripped-down version of Firefox, that leaves out certain features, to focus on speed of
browsing. It has added Canvas anti-fingerprinting option in 25.6.0 (2015-07-27) update.
Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config
preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with
humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the
routines reading this data.
https://www.palemoon.org/#

==========================================================================

The Federal Trade Commission (FTC) now warns consumers about online tracking. This guidance was updated in June to
provide more details on newer tracking practices like fingerprinting and unique device identifiers.
https://www.consumer.ftc.gov/articles/0042-online-tracking

Acoustic fingerprinting
http://digiday.com/platforms/what-is-acoustic-fingerprinting/
https://altmode.org/2016/07/06/the-ftc-silverpush-warning-letters/
https://www.liquidvpn.com/spying-for-profit-silverpush-framework/
http://thehackernews.com/2016/05/audio-fingerprint.html

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I'd read some reviews and check any support forums for users' comments or problems.
Hope this post helps some of you.

Gass
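
The API override avatar describes earlier in the thread and the Pale Moon canvas.poisondata behaviour quoted in the post above both come down to altering what a canvas read-back returns. The block below is an added example illustrating that idea, not code from AdGuard, Pale Moon or any extension listed here; `poisonPixels`, `installPoison` and `MockContext2D` are hypothetical names, and the mock is a constructed stand-in for `CanvasRenderingContext2D` so the code runs outside a browser.

```javascript
// Added example, not AdGuard's or Pale Moon's code. poisonPixels and
// installPoison are hypothetical names; MockContext2D is a constructed stand-in.

// mulberry32 PRNG: a fixed seed gives one stable noise pattern per session.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Flip the lowest bit of roughly 10% of the R, G and B values (alpha untouched).
// A change of 1/255 is invisible on screen but changes any hash of the pixels.
function poisonPixels(data, seed) {
  const rand = mulberry32(seed);
  let flipped = 0;
  for (let i = 0; i < data.length; i += 4) {
    for (let c = 0; c < 3; c++) {
      if (rand() < 0.1) { data[i + c] ^= 1; flipped++; }
    }
  }
  return flipped;
}

// Wrap getImageData on a prototype so every read-back is poisoned.
// Returns a function that restores the original method.
function installPoison(proto, seed) {
  const original = proto.getImageData;
  proto.getImageData = function (...args) {
    const image = original.apply(this, args);
    poisonPixels(image.data, seed);
    return image;
  };
  return () => { proto.getImageData = original; };
}

// Constructed stand-in so the example runs outside a browser; in a page the
// target would be CanvasRenderingContext2D.prototype.
class MockContext2D {
  getImageData(x, y, w, h) {
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(200) };
  }
}

const restore = installPoison(MockContext2D.prototype, 12345);
const sample = new MockContext2D().getImageData(0, 0, 16, 16).data;
console.log("values changed:", sample.filter((v) => v !== 200).length);
restore();
```

Only `getImageData` is wrapped here; `HTMLCanvasElement.prototype.toDataURL` and `toBlob` are the other read-back paths and would need the same treatment, which is part of why the thread calls this a lot of work.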
 

ejonesss

New Member
Can we use the replace command and replace every occurrence of the word "canvas" with something else, say "dsfhgs", to break the canvas variable so the script errors out and canvas fingerprinting won't happen?

Replacing HTML and JavaScript variables seems to work with other commands like "function", which is used by some adblock detectors.
 