FYI: CanvasBlocker can be detected by sites #174

Closed
earthlng opened this issue Jul 17, 2017 · 39 comments

@earthlng
Contributor

earthlng commented Jul 17, 2017

moved from #12

kkapsner/CanvasBlocker#114 (comment)

Detection Test: https://kkapsner.github.io/CanvasBlocker/test/detectionTest.html

edit: other interesting links about Canvas fingerprinting:

@earthlng
Contributor Author

earthlng commented Jul 17, 2017

@zymase wrote:

@earthlng does your detection test concern only the CanvasBlocker add-on or does it detect the fact that canvas is blocked, whatever the blocker? I am wondering if the other similar FF add-on, Canvas Defender, would be detected by your test, and if it is detected by other sites as CanvasBlocker is.

@Gitoffthelawn wrote:

@zymase I just tested it for you. Canvas Defender is not detected.

@zymase wrote:

OK, @Gitoffthelawn .

Just wondering : earthlng's detection test mentions, here with CanvasBlocker:

    function length: CB detected
    function name: CB not detected
    error provocation 1: CB not detected
    error provocation 2: CB not detected
    error provocation 3: CB not detected

I guess the result is all in function length?

@earthlng
Contributor Author

I don't know that other addon. If it has a "fake readout" functionality it's possibly detectable too. If it only blocks canvas readout then that's detectable anyway. This test is specifically for CanvasBlocker.
But if you look at the 3 year old bugzilla ticket that kkapsner him/her-self submitted, it mentions that any addon that uses exportFunction can be detected that way.

@ghost

ghost commented Jul 17, 2017

I'll echo my comment on Ghacks 👍

I've just disabled CanvasBlocker (CB) and installed 'Canvas Defender' (CD)
At this point I'm wondering if CD is reliable. Why?

CB with Block Mode=fake readout API has the option to notify the user when the fake mode is used.
CD as well displays a notification.

When testing, both add-ons notified the canvas on the BrowserLeaks Canvas test page, but when testing on Google Maps, only CB notified, not CD. Google Maps definitely uses Canvas. So why did CD not notify me?

CD, 'Canvas Defender' ver. 1.1.0 is at this time marked as experimental by its developers. Maybe that is the explanation?

At this point I remain uncertain on what is the best option for managing Canvas tracking.

@Atavic

Atavic commented Jul 17, 2017

CB blocks the Javascript API + has an option for spoofing.
CD creates a unique and persistent noise that hides your real canvas fingerprint (spoofing only).

what is the best option

CB uses spoofing by default, but I use it in block mode.

CB alone (block mode) isn't a good option, you should find some combo as this one.
Are you going to block such fingerprinting APIs? Block most of them.

Otherwise, if you go with the spoofing option (on either CB or CD), you should check how reliable those spoofing methods are. Although spoofing sounds better to me, there are some issues to consider.

@ghost

ghost commented Jul 17, 2017

As far as I understand CB, when choosing CB with Block Mode=fake readout API the process is not that of blocking, literally. CB has several modes (see https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/), and,

fake readout API: Canvas Blocker's default setting, and my favorite! All websites not on the white list or black list can use the API to display something on the page, but the readout API is forced to return a new random value each time it is called

Moreover, as I mentioned above, CD didn't notify the active Canvas on Google Maps ...

@Atavic

Atavic commented Jul 17, 2017

If it didn't notify, maybe the site has bypassed CD. As Gorhill said on my last link above, these specific addons face many workarounds as counter actions by site owners and developers.

I don't know this spoofing reliability: does it spoof various browsers based on your OS?
Is its randomness excessive, far and wide?

@ghost

ghost commented Jul 17, 2017

Well, the site mentioned above doesn't bypass CB ... and CB did not block the canvas (with Block Mode=fake readout API ) but spoofed it in fact, as far as I understand it. I even believe Google Maps just wouldn't run correctly with Canvas blocked.

@Atavic

Atavic commented Jul 17, 2017

Gmaps needs the Canvas API to be working correctly. Maybe CB works in a clever way, by spoofing a readout API response that doesn't break Gmaps? better ask @kkapsner

@ghost

ghost commented Jul 17, 2017

I've tested Google Maps (in fact the true Canvas requirement is Google Street View) with CB's BlockMode=Block Readout API and Google Street View failed (black screen).

Now, I read at https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/reviews/890823/ the developer of CB answering this:

You could switch to "fake input"-mode which should not be detected. But this mode is less secure - fingerprinting over WebGL is possible with that.

So if Google Maps/Street View runs with CB/Block Mode=fake readout API it's maybe, as Atavic mentioned it, because that mode is bypassed by Google.

In fact when a Canvas blocker/defender doesn't break a Canvas page it is either because it's efficient or because the page bypassed it. This is cruel.

@ghost

ghost commented Jul 17, 2017

@Atavic wrote,

Maybe CB works in a clever way, by spoofing a readout API response that doesn't break Gmaps?

That's what I had in mind, a hope rather than a certitude, because of above mentioned.

All this brain storming for the sole purpose of trying to defeat Web tracking....

@ghost

ghost commented Jul 17, 2017

With CanvasBlocker / Block Mode=fake readout API , testing on;

1- https://browserleaks.com/canvas
screengrab-2017-07-17-231536

-> Canvas signature different with every page reload

2-https://browserleaks.com/proxy
screengrab-2017-07-17-231612

-> HTML5 Canvas Protection detected, as well as with the CanvasBlocker tester page ...
! : I tested previously in the same conditions and the Canvas protection had not been detected. This is weird.
!! : In fact, HTML5 Canvas Protection is detected when reloading that test page but not on first load.

PAUSE

@Atavic

Atavic commented Jul 17, 2017

This particular fingerprinting isn't so widely used and most of the sites using it call a JavaScript file hosted by addthis.com but uBlock's Privacy filter list blocks it.

More here.

@ghost

ghost commented Jul 18, 2017

@Thorin-Oakenpants ,

With CB & fake readout API I get
HTML5 Canvas Protection ✔ not detected
This is at complete odds with your test

I did mention,

In fact, HTML5 Canvas Protection is detected when reloading that test page but not on first load.

When the test is first performed HTML5 Canvas Protection is not detected,
When I reload the test page, HTML5 Canvas Protection is detected.

@crssi

crssi commented Jul 18, 2017

^^I have not detected on reload also.
Using CB, fake readout API, persistent

@crssi

crssi commented Jul 18, 2017

But the link provided by @earthlng gives me function length: CB detected

@ghost

ghost commented Jul 18, 2017

@crssi ,

^^I have not detected on reload also.
Using CB, fake readout API, persistent

Tested again, Block mode = fake readout API
1- Random number generator = non persistent -> Not detected on initial page, detected on page reload
2- Random Number generator = persistent -> detected on initial page load (+ of course on reload).

This is a mystery. Of course, as you, earthlng's link to CanvasBlocker detection test proves CB detected.

Reminds me of my teenage years, wondering if she loved me or not :)

@kkapsner

To bring a little bit of insight to the question of whether the canvas protection is detected or not: this protection detection is performed on a one pixel canvas. CB adds exactly one bit of entropy to one pixel. Therefore it's 50% that the pixel is not altered and therefore the detection does not work.

I will update my detection test to include these tests.

@crssi

crssi commented Jul 18, 2017

@kkapsner to the rescue... nice to have you here. :)

@earthlng
Contributor Author

@kkapsner hi and thanks for chiming in here :)

this protection detection is performed on a one pixel canvas.

"this protection detection" - which one? https://browserleaks.com/proxy ?

I will update my detection test to include this tests.

I hope you don't mind that I copied your test file and hosted it on my repo to make it accessible online.
I tried a couple of links to see if you had already set it up on your repo but it didn't seem like it.
Maybe you could change the settings on your repo to make your test folder online accessible via a github.io page, that would be great.

@kkapsner

Yes - the one from browserleaks.

I don't mind you copying it. But you're right, having them available online is better: http://kkapsner.github.io/CanvasBlocker/test/detectionTest.html

@Atavic

Atavic commented Jul 18, 2017

@zymase Seems like the test page compares the results:

When the test is first performed HTML5 Canvas Protection is not detected,

Test page stores your fingerprint signature (for the first time).

When I reload the test page, HTML5 Canvas Protection is detected.

Test page stores a new signature, compares the results and the only value that has changed raises the detection.

@ghost

ghost commented Jul 18, 2017

@Atavic that's what I had in mind initially. I just checked, as before with Block Mode = fake readout API BUT with this time Random Number generator = persistent => same sig and indeed Canvas Protection not detected, initially and on page reload.

Makes me realize I was mistaken above when I answered crssi:

1- Random number generator = non persistent -> Not detected on initial page, detected on page reload
2- Random Number generator = persistent -> detected on initial page load (+ of course on reload).

In fact it is:
2- Random Number generator = persistent -> NOT detected on initial NOR on reload.

What likely happened is that I had forgotten to clear the site's cache/cookie.

@earthlng
Contributor Author

earthlng commented Jul 18, 2017

@kkapsner Great, thanks, I updated the link in my first comment and removed the now outdated detection test from my repo.
I see that you added more tests in the meantime. Hopefully you'll not try to fix the "known pixel value" tests, because you can never know which part of a canvas a fingerprinting site would look at, right?

@earthlng
Contributor Author

earthlng commented Jul 18, 2017

Seems like the test page compares the results

@kkapsner already explained that - it's pure RNG ie sometimes CB happens to change the value the code is looking at and other times not. 50-50 chance

This is the code the page uses, which shows that they only look at the "red" value (RGBA) of the 1st pixel and if that changes it knows that the readout was tampered with

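    function tbb_canvas() {
      try {
        var a = document.createElement('canvas').getContext('2d');
        // draw one rgb(3,3,7) pixel, read it back, and report true
        // when the red channel is no longer the 3 that was drawn
        return a.fillStyle = 'rgb(3,3,7)',
        a.fillRect(0, 0, 1, 1),
        a.fill(),
        3 !== a.getImageData(0, 0, 1, 1).data[0]
      } catch (a) {
        return !1
      }
    }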

They could easily make this a 100% reliable test if they look at all 4 values for that pixel

@earthlng
Contributor Author

earthlng commented Jul 18, 2017

@kkapsner how many identifiable bits can a single pixel really give? Not much I reckon. I assume most sites that use canvas fingerprinting have to use a larger canvas than that. You could maybe detect if a site only wants ImageData for width=1 && height=1 and not tamper with that. That would also have the benefit of always returning correct and un-tampered values for any color pickers out there. Like? xD

@earthlng
Contributor Author

earthlng commented Jul 18, 2017

I assume most sites that use canvas fingerprinting have to use a larger canvas than that

https://web.archive.org/web/20141228070123/http://webcookies.org:80/canvas-fingerprinting/
Seems like they all copy from each other, look at all the ,62,20 in there.

https://browserleaks.com/canvas#how-does-it-work
browserleaks also happens to use 62,20. Excluding 1,1 seems only beneficial and should be fine IMHO WRONG! total brain fart

@kkapsner

I already included a new parameter for the next version to specify a minimal canvas size for faking (defaults to 1 so 1 pixel canvases are not faked).

The double readout detection can be circumvented by using the persistent random number generator.

@earthlng
Contributor Author

earthlng commented Jul 18, 2017

I already included a new parameter for the next version to specify a minimal canvas size for faking (defaults to 1 so 1 pixel canvases are not faked).

Nice, but I just realized that nothing really stops a site from loading a larger canvas pixel by pixel and putting the array together that way, right? Damn! Maybe make the minimal canvas size optional?

The double readout detection can be circumvented by using the persistent random number generator.

oh nice, I was wondering if that's what that is for. How does that work - does it keep the same data across all windows and tabs for the whole session, and unless "stored" will only change with the next FF startup?
I'm going to use that then, but why would someone want to store it though?

@kkapsner

I have to correct myself: every pixel has four bits of entropy - one for every channel.

@kkapsner

I changed the way the max readout size works: in the new version (unfortunately I have no release date or schedule as I'm waiting for Mozilla to provide an API so I can feed the settings to the tabs before the scripts of the web page run - hooray WebExtensions!!!) it's only dependent on the canvas size and not on the readout size. Same for the min size - so a large canvas can not be put together by single pixels.
But as with most settings you can turn it off - just set it to zero.

Yes - the persistent rng keeps the same data across all windows and tabs for the whole session. If you tick the "store persistent data" it will be written to your settings and reloaded after shutdown.
But keep in mind that you can be tracked then within one session - but only within one domain.
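
A toy model of the readout behaviour described in the comment above (minimum canvas size for faking, decided by canvas size rather than readout size, plus the persistent random number generator), added here as an example; it is not CanvasBlocker's code. The hash-based noise, the names `noiseBit`, `makeReadout`, `solidCanvas` and `selfCheck`, the seed string and the `.example` domains are assumptions; the 1x1 `rgb(3,3,7)` probe and the 62x20 canvas size come from the thread.

```javascript
// Toy model of a canvas-readout shim (assumed design, not CanvasBlocker's code).
// Noise is one bit per colour channel, keyed on seed + domain + pixel position.
function noiseBit(seed, domain, index) {
  let h = 0x811c9dc5; // FNV-1a over the key, then a murmur-style finalizer
  const key = `${seed}|${domain}|${index}`;
  for (let i = 0; i < key.length; i++) h = Math.imul(h ^ key.charCodeAt(i), 0x01000193);
  h ^= h >>> 16; h = Math.imul(h, 0x85ebca6b);
  h ^= h >>> 13; h = Math.imul(h, 0xc2b2ae35);
  return (h ^ (h >>> 16)) & 1;
}

// persistent: one seed for the whole session; otherwise a fresh seed per readout.
// minFakeSize: canvases with at most this many pixels are returned untouched;
// the decision uses the canvas size, not the size of the requested rectangle.
function makeReadout({ persistent, sessionSeed, minFakeSize = 1 }) {
  let calls = 0;
  return function readout(canvas, domain, x, y, w, h) {
    const fake = canvas.width * canvas.height > minFakeSize;
    const seed = persistent ? sessionSeed : `${sessionSeed}#${calls++}`;
    const out = new Uint8ClampedArray(w * h * 4);
    for (let row = 0; row < h; row++) {
      for (let col = 0; col < w; col++) {
        const src = ((y + row) * canvas.width + (x + col)) * 4;
        for (let c = 0; c < 4; c++) {
          const bit = fake ? noiseBit(seed, domain, src + c) : 0;
          out[(row * w + col) * 4 + c] = canvas.data[src + c] ^ bit;
        }
      }
    }
    return out;
  };
}

function solidCanvas(width, height, rgba) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < data.length; i++) data[i] = rgba[i % 4];
  return { width, height, data };
}
const same = (a, b) => a.length === b.length && a.every((v, i) => v === b[i]);

// Constructed inputs: the 1x1 rgb(3,3,7) probe and a 62x20 canvas from the thread.
function selfCheck() {
  const one = solidCanvas(1, 1, [3, 3, 7, 255]);
  const big = solidCanvas(62, 20, [3, 3, 7, 255]);
  const keep = makeReadout({ persistent: true, sessionSeed: 'constructed-seed' });
  const fresh = makeReadout({ persistent: false, sessionSeed: 'constructed-seed' });
  const full = keep(big, 'a.example', 0, 0, 62, 20);
  const stitched = new Uint8ClampedArray(big.data.length);
  for (let p = 0; p < 62 * 20; p++) {
    stitched.set(keep(big, 'a.example', p % 62, Math.floor(p / 62), 1, 1), p * 4);
  }
  return {
    onePixelUntouched: same(keep(one, 'a.example', 0, 0, 1, 1), one.data),
    largeCanvasFaked: !same(full, big.data),
    repeatReadoutStable: same(full, keep(big, 'a.example', 0, 0, 62, 20)),
    pixelByPixelMatchesFull: same(stitched, full),
    nonPersistentDiffers: !same(fresh(big, 'a.example', 0, 0, 62, 20), fresh(big, 'a.example', 0, 0, 62, 20)),
    otherDomainDiffers: !same(full, keep(big, 'b.example', 0, 0, 62, 20)),
  };
}
console.log(selfCheck());
```

All six checks come back `true` in this model: the one-pixel canvas is returned unmodified, while the 62x20 canvas is faked identically whether it is read in one call or pixel by pixel.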

@earthlng
Contributor Author

hooray WebExtensions!!! indeed - good stuff 🤦‍♂️

so a large canvas can not be put together by single pixels.

Why not? I don't see how you could possibly prevent that, assuming you don't simply ignore how much data a site requested.

Yes - the persistent rng keeps the same data across all windows and tabs for the whole session.

Thanks for confirming. I also noticed on the browserleaks testpage that if you look at the image details, the file size and number of colors barely changes with "persistent" but with "non persistent" it changes a lot. So that probably stands out a lot. The file size with CB disabled or CB "persistent" is around 2kb and with non persistent it's upwards of 7kb, while the # of colors changes from around 70 to 300+. That and the fact that if your IP doesn't change neither should the canvas fingerprint (IMO), I think making "persistent" the default setting would probably be better. I think even in Tor Browser "persistent" would be preferable. Thanks for creating and maintaining this great addon btw!

@earthlng
Contributor Author

earthlng commented Jul 19, 2017

@Gitoffthelawn wrote:

@zymase I just tested it for you. Canvas Defender is not detected.

That's weird because when I tested it, it was detected by both length and name. Not only that but its exposed function also had 2 additional variables that neither the original function nor CB's function has.
Did you create a copy of the file and test it via file:/// ?
Canvas Defender injects some code into a page and that can be blocked by a site with CSP. Idk what it tries to inject but I do know that github.io doesn't allow script:self and therefore blocks the execution. Maybe that's why we got different results.
They also advertise one of their products in CD so I definitely know which one of the 2 addons I prefer.

@ghost

ghost commented Jul 19, 2017

Canvas Defender is not detected.

@earthlng are we referring to the same test?
The Canvas detection test I and @Gitoffthelawn were referring to was
https://kkapsner.github.io/CanvasBlocker/test/detectionTest.html
On that test page CanvasBlocker was detected, Canvas Defender was not.

But running Canvas Defender and testing on https://browserleaks.com/proxy showed that a Canvas Blocker was indeed detected.

@earthlng
Contributor Author

are we referring to the same test?

yes, I tested it yesterday and CD was detected. Idk what to tell you, no idea what's causing that.
Do you get a notification from CD on that page?

@ghost

ghost commented Jul 19, 2017

Do you get a notification from CD on that page?

I assume you mean on https://kkapsner.github.io/CanvasBlocker/test/detectionTest.html

I disabled CB and installed CD (again) this morning to test CD on https://browserleaks.com/proxy and Canvas Blocker was detected. I did not test this time on https://kkapsner.github.io/CanvasBlocker/test/detectionTest.html because previous testing there showed CD was not detected.

If you wish I may test again CD on https://kkapsner.github.io/CanvasBlocker/test/detectionTest.html
Meanwhile I have removed CD to stick on CB.

@Just-me-ghacks

https://kkapsner.github.io/CanvasBlocker/test/detectionTest.html
CanvasBlocker 0.3.8 - detected
Canvas Defender 1.1.0 - detected

@ghost

ghost commented Jul 20, 2017

I've removed the BlockCanvas Firefox add-on and won't be using Block Defender either.

Why? Seems to me this blocking is pertinent when the scenario is using multiple identities and/or several browsers. If I understand correctly what is explicitly explained by the developer of Block Defender :

The only viable solution that exists

  • Make the canvas fingerprinting function available on the websites you visit. (So it’s not clear you are wearing a mask.)

  • Use a canvas identity with consistency. (So it’s not clear you are trying to avoid detection.)

  • Switch up the identity when necessary. (To erase your tracks.)

I get to consider that blocking Canvas fingerprinting has no real advantage when other defenses aren't included, in other words don't block the fingerprinting unless you change identity. I'm not concerned.

@earthlng
Contributor Author

@zymase "multiple identities" can also mean different IPs. If your IP changes but you still produce the same (perhaps unique) canvas fingerprint, that's something you may not want.

@ghost

ghost commented Jul 20, 2017

@earthlng ,

"multiple identities" can also mean different IPs. If your IP changes but you still produce the same (perhaps unique) canvas fingerprint, that's something you may not want.

Yeah, that's how I get it. My feeling is that Canvas Blocking fills the gap left when the scheme is that of multiple identities or TOR, VPN: the user hides but is recognized by a Canvas fingerprinting: too stupid, all that work to finally get spotted with a Canvas! Otherwise, a simple traveler like me ends up being spotted as someone who breaks Canvas fingerprinting without the benefit of not being recognized ...

Again, nothing is definitive. I try to learn and if I understand that I'd be mistaking that I'd reconsider Canvas fingerprinting when applied for my Web sessions.
