-
Notifications
You must be signed in to change notification settings - Fork 523
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
general discussion on FPing: have at it #942
Comments
@ilikenwf .. so .. no show then? Don't you want to know why panopticlick is "wrong" (well, that was your word: to be more precise: why the entropy figures Closing as invalid PS: FYI RFP now randomizes canvas |
Actually yes, but I'm working on a backlog of work... I want to know what is, at least according to your work and experience, the right way to go about things and why - the why being the big part because most of the places I read about this kind of thing, people are talking out their asses. |
That's cool then. When you're ready, ask away (and give me examples of "most other places", because context is important). I don't blame people for not knowing: and it's an easy assumption given that sites like amiunique and panopticlick give an entropy figure, but more importantly that.they state x out of y browsers. I'll fire some quick general points here
So, what I'm kinda saying is that e.g TB users are already in a small set of say two million concurrent users: it's how FPing stacks up in that set that actually matters. When a user breaks from the FP protections of RFP/TB (lets say they randomize canvas instead of spoofing [edit: as a white-canvas]), then that very small group of two million is now splintered into one group of 1,999,999 users and a single user for that one metric (I'm not looking at the rest of the world, TB users are already an easily distinguished group). When you combine the other metrics (e.g. are-you-TB: true/false): that single user is unique not just to TB users, but everywhere If that still doesn't make sense: I'll put it this way. You cannot hide your browser (TB, FF, chrome, safari), so it only makes sense to tackle and understand FPing metrics per browser
The KEY here is simply numbers: when TB has enough numbers then the buckets become less important
Every metric can overlap: so overall (from the above) something like 35 languages x 25 fonts (over all OSes) x 4 windows = 3,500 different possible FPing buckets. Not all will have someone in them, IDK for sure, but lets say they did - the distribution wouldn't be even - but hopefully, the user wouldn't be unique. As soon you stray (resize the window to be e.g. 1600x900) you drastically start to lose your "herd immunity", now randomize canvas instead of spoofing a white-canvas = bingo: you lose. Note: I did not add the 4x for the 4 OSes: that's because the font fingerprinting already covers it. OS is not a good example: because you can't hide your OS anyway [windows, mac, android, linux] Can you see now? If you want, I can show you how the entropy etc figures on panopticlick etc can;t be relied on. PS: soz for the long ass rambly post |
sorry to jump in pants, but i wanted to ask whether CB is still substantially beneficial in your opinion ??? |
RFP has stalled: some new features are being covered (e.g prefers motion, etc), and a few older tickets have been addressed (e.g LBing), and Mozilla devs are all very aware of FPing, but most outstanding issues haven't been tackled yet. RFP is incomplete, and there's only so much that can be done without wholesale breakage. Also the Tor Uplift team was discontinued - but that's not to say (see first sentence) that work isn't ongoing. Looking at FF users only... Everyone is in the shit on this one: font protection there is 1. the whitelist, but 2. fonts aren't bundled and the whitelist is not used: this is due to:
fonts is a mess, and the only solid solution is to bundle everyone with the same fonts (same list, same versions) per platform (you can't hide the OS). Even then, Safari tried and found that had still had to provide different lists of system fonts based on user's languages.
first of all, RFP measures are way more solid since they're handled in code, e.g. workers (there's no web ext ability to spoof etc in workers: you leak in any metric workers have access to: such as navigator and soon offscreen canvas) CB:
tl;dr: personally, I would only use CB for the domrect and textmetrics (and webgl and audio if I ever enabled them: so far I never have) and for the fallback canvas fake (but I've never had to allow canvas exceptions). But that's my usage and everyone will get different results. Yes, I do get breakage, but it's only for one off sites: and I just use any one of multiple FF portables I have in my test suite (but usually my Nightly). All my test suites fully sanitize on close. I think people underrate compartmentalizing: no one makes me change my core FF which is tighter than a nun's ass :) Personally, I don't use CB though, because FP scripts should never get to run: uBO is fairly tight with no 3rd party and uMatrix is in nightmare mode. There is always 1st party FPing and 3rd parties I allow per scope: but the risk is low - things like domrect and textmetrics are not used in boilerplate FPing scripts (and all those FPing parties just like to use drop-ins like fpjs2: they're almost all the same in what they target, and it hasn't changed much over the last 2 or 3 years - see this), and I have the rest covered. That linked list above is the fingerprinters list - but if you were to get all those scripts and de-minify and unobfuscate them, they're all fairly similar and limited. Also, CB messes with my testing :) It really comes down to the user's threat model: but if I was to recommend one extension for anti-FPing, it would be CB - it covers some things no-one else does including RFP, you can enable/disable spoofing per API, and kkapsner is very accomplished, knowledgeable and thorough. It's a great extension, IMO PS: soz for the massive rambly post (again) |
re-opening since I haven't explained yet why sites like panopticlick's entropy can't be relied on also ... on RFP canvas spoofing: there are differences with CB (I guess depending on CB settings: e.g stealth mode?).. RFP doesn't care about stealth: re-running tests (i.e not reloading the page) gives a new RFP randomizing, whereas CB doesn't. Also RFP doesn't randomize isPoint* (they still use the white-canvas) - I don't think that's important (certainly not as a leak), but it is a point of difference edit: I need to double check that isPoint statement: so don't take it as gospel Update: Yup. IsPoint still uses the white-canvas. If you have 78+ with my test assumes you updated nightly 78 to the latest and that random pref exists: RFP is green if RFP is on (my sneaky 1ms check) and a second test hash differs - otherwise it's red cuz now you differ from the herd. Flip the random pref and test it again, you'll see :) Anything prior to 78 uses the white canvas hases to determine if RFP is working |
thanks for providing a comprehensive answer to my question unfortunately there is no yes or no answer, but given the current state of RFP it seems that the need for CB has decreased even more than the last time i checked, just a few months ago given the few (but interesting) advantages of RFP over CB, i'm quite inclined to drop CB from my config guide (at least as a 'required' ext.) despite the losses not happy to hear that RFP has stalled and the uplift is dead, but it is what it is thanks again - your knowledge is impressive |
Uplifting |
This is shaping up to be a really really valuable informational post. @Thorin-Oakenpants thank you so much for humoring us here. I think it is a large problem that nobody is sharing any useful data, but it makes sense because of the monetary value of such a thing. Even if Mozilla were to share it's own data, it would be biased towards Firefox users...but maybe enough to let us see what can be done to standardize the browser footprint/fingerprint better between everyone without breaking features. Perhaps we should come together and build a site that lets people voluntarily get fingerprinted, and we can, other than IP, share that data with whoever so that this fingerprinting problem can be better understood and mitigated? We could allow people to comment/note on their own fingerprints what user.js customizations, addons, settings they're using so that we can better grasp it all? So far I've been attempting to blend my own browser in, mostly, with TB - and have mostly succeeded there, and while it plus an IP is enough to ruin privacy, it does make me unremarkable...for fonts, I've copied TBB's settings for Linux, for example, and added it to user-overrides.js...I can share some of the highlights of my customizations, if anyone is curious. Since I also block ads that alone is another source of measurement. I almost feel like some kind of new paradigm needs investigation to find the right balance between privacy and usability, that or we just need stronger privacy protection laws to prevent abusive measures by corporations. Governments do what they do but I fear big G more... In regard to entropy I appreciate you description. It almost makes me feel that short of using basic measures and not purposefully standing out, that it's otherwise a lost cause to try and improve on defaults unless the improvement is in an update and applies to all users of Firefox and it's family... For the uplift and RFP work, perhaps the community can pick up and help with patches to work on the roadmap? I mean...ghacksuserjs is probably the most aware group for such a thing. |
No body cares about other browsers: as in, it only matters how FPing is done within Firefox (for all users, or for a set of users: e.g. RFP). If you wanted to extrapolate that, just multiply it by the percentage of users worldwide who use FF. Tests like panopticlick and amiunique are good for getting the number of buckets. In order to get the real entropy in a set, you need the distribution: i.e only get a single result from each user. Mozilla can do this via telemetry (for buckets: e.g I mentioned telemetry being gathered for system fonts) and studies (for distribution). So imagine if Mozilla pushed a study to grab audio FPs (context, oscillator etc) for 1% of users. That there is pure gold: 20 million single one off data points: and shield studies can push special powers to get the real info, not info that is spoofed. I have been pushing (and working on: but I'm not a JS wizard: I retired a long time ago and my career skills lie in data) for a FPing site that can do just what you say: it only allows FPs to be submitted by FF. The FP distinguishes between FF and TB (so this also lets us investigate the effect of RFP). It could even be that the site is a mozilla domain, and they give that domain special powers - and a shield study could use it to push an auto-submit (obviously the shield study needs human interaction to say no PII, click here: and the data is sent to the backend database). That is visitors to the site have their data tagged as a visit, but shield study data is tagged as one off. So one backend, one front-end, shield-studies leverage the backend: backend can do data analysis: drill down into TB, or FF, or RFP users, or all, by metric, by type (visit, study number), etc. Beats the fuck out of guessing :) Although, we already know what needs "fixing", and for most we already know what the answer is. What we don't know is how damaging (entropy) each one is or even how many buckets: because, no decent FF only data, and no good stats on distribution. Have you not seen TZP?
You can't pretend to be TB ... but I understand what you're saying. RFP does most of that. Outside of that, depending on your platform, you can whitelist the fonts (just check what TB sets it as on your platform: it may contain non Don't overthink it: fingerprinters in ETP is the first line of defense. uBO + uM the second. After that, if a FPing script runs, RFP and pref tweaks for APIs is your third line of defense - but don't be fooled: if they wanted to, you're unique. However, most scripts are not that complicated, and basically covered by RFP/pref tweaks |
Not really. There is a w3c for standards and a FP framework - and standards are always evolving. No just new standards: e.g discussions on client hints, but also on phasing out and dropping old ones. Mozilla is very much involved here, and very aware of FPing and privacy. Even chrome devs are pro privacy - not everyone is "evil". While chrome has ulterior motives (they're owned by an advertising company, so it's in their best interests to track individuals), they do have some good ideas. And they can code chrome itself to allow their own tracking regardless of standards (which they already do): i.e they don't really need to try and "manipulate" standards (speaking generally of course: obviously shit like manifest 3 sticks out) and in fact I would say that it's in their best interests to promote anti-fingeprinting/privacy as it hampers their opposition: for example their FP-API limit thingy: i.e request screen size = 1 point, every request for 10 fonts = 1 point, extrack canvas = 3 points, etc = sites are limited to 15 points and then the returns are undefined. So changing standards is one way, but RFP is a shortcut: i.e it breaks standards. For example, RFP returns inner sizes for outer window dimensions. It doesn't break anything and is a bit of a legacy that websites no longer use for functionality. Therefore, mozilla can push that upstream to get the standard dropped: i.e no longer supported. The same can probably be said for outer window positions (who uses that for functionality?). Inner window positions and screen positions are a Mozilla thing (chrome returns undefined), so they can probably be dropped as well internally in FF. In fact, all that is in a bugzilla and being worked on It's just zero priority for RFP, since RFP handles them - but for all users, Mozilla can promote cleaning up old standards (as well as removing their own proprietary things) |
anyone want to know why entropy and stats from sites like amiunique etc are unreliable? |
Go for it...but I would assume that there's a bias issue?
…On 5/17/20 10:20 PM, Thorin-Oakenpants wrote:
anyone want to know why entropy and stats from sites like amiunique
etc are unreliable?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#942 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AADFIOSVCM7XMHHZK3SI23LRSCSP7ANCNFSM4NAIKPJQ>.
|
bias: yup, in a number of ways. There's other issues as well, such as the time frame (which amiunique and pantopliclick have changed or allow a time frame: but it wasn't always that way: other entropy sites, IDK), not to mention the tests can be limited and/or faulty. And sometimes the logic just isn't smart enough (but there are changes: such as pantopticlick now detects canvas randomness where possible = a more smarter stable FP result) I wrote this Wiki: Anti-Fingerprinting Extensions... F&%K NO!. The last section sums up a little of what's wrong with entropy from these sites. I can't be bothered explaining more in depth |
Ok, given and granted everything, what would you suggest, just using ghacks user.js, and certain addons? That is to say, what strategy do you suggest for the right balance of fingerprint resistance (or blending in, either one), and usability? |
In addition, I don't see this happening to my browser, however it may to others...quite interesting and evil...when this method works it would bypass the firewall. |
ghacks user.js doesn't enforce default values for prefs that can mess with RFP: i.e section 4600 is commented out by default, and the prefs for RFP is the only known set of enforced users - this is the way. Everyone else is just guessing. But anti-FPing code is the last resort. My recommendation is to ramp up blocking 3rd parties etc: ETP fingerprinters list, uBO, uMatrix. Have RFP on as the best solution for fallback. And then if you want, CB offers domrect, textmetrics etc. Also audio, webgl if you enable those in prefs. Go for it. At the end of the day, you'll still be unique if scripts dig deep enough. So don't overthink it
-- Outside of the browser, compartmentalizing is good. Use Tor Browser when it fits, use secondary browsers (don't compromise your main FF setup). I do. I have a portable Opera, a portable Chrome, and 23 portable Firefoxes for testing from ESR60-68, thru 59 to Beta, Dev, Nightly : all for testing. They're practically vanilla profiles with a few tweaks (no updates, sanitize on close). Nightly I added a few extensions for testing, but only uBO is on by default - I use NIghtly as my main one off, as it's easier to run concurrently with other FF's. I also have six main TB's (32 + 64bit ESR60 finals, stables, alphas) and 34 other languages in alpha (I'm really pushing hard to find app language leaks: I have some, but not sharing) So for me, if anything is unusable in my main FF that I can't work around (e.g. I don't give a shit if the css breaks when reading an article, or an icon glyph is missing) then I have a plethora of one off options :) |
ubo can mitigate this, see netblue30/firejail#3427 Thanks to @rusty-snake for the tip:
|
I did some testing: NOTE: this will breaks |
For localhost: https://github.com/gwarser/filter-lists/blob/24c8aaecbaabe62d74aca02dab08aa89ba2e4624/lan-block.txt#L26 Discussed here uBlockOrigin/uAssets#4318 about blocking access by HTTP to local resources, for example router or modem interfaces. |
That's quite a bit more robust... Chameleon also will block websockets, except for the whitelisted...and does a lot of other things. I just don't like how many errors it causes in the backend...nothing that makes anything not work, just disconcerting. |
This was already discussed here. |
|
You can use the same in uBO from here #319 (comment), not sure for the IPv6 part doe. |
OK, I think we're done here - closing. But do post any other FPing questions if you have any |
from OP
Not that I can particularly find concrete references .. it's not like I have kept a list (I don't need to), but here is one that helps explain in more generalized terms I have had the very occasional email with Matt Traudt: he works for the US Naval Research Lab and mostly lives in the network stack (i.e he works on Tor, not Tor Browser/FPing) |
no-one does that except me. What's the dimensions? |
Dimensions of my screen, or of the images? I can find the branding dir on the waterfox git if you want them. |
where it says e.g |
There's a classic and a current branch of WF:
https://github.com/MrAlex94/Waterfox/tree/current/browser/branding/waterfox
https://github.com/MrAlex94/Waterfox/tree/classic/browser/branding/alpha
…On 5/27/20 12:27 AM, Thorin-Oakenpants wrote:
where it says e.g |[resource://] browser | Firefox Browser -
Developer/Nightly [336 x 64]| .. the |336 x 64| is the dimensions of
the branding svg
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#942 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AADFIOUDZCQ3HVZMTB3YAKTRTSQDBANCNFSM4NAIKPJQ>.
|
So what are the dimensions? |
Well, I linked the images so you could grab them yourself, but for me personally they are 128x22 for the "Waterfox" text image, and 300 x 236 for the logo with text, but that gets truncated and scaled down on the page. |
Yeah but I'm not worried about it, you were :) https://github.com/MrAlex94/Waterfox/blob/current/browser/branding/waterfox/content/about-wordmark.svg tells me it's 128x22 if i check in the inspector But https://github.com/MrAlex94/Waterfox/blob/classic/browser/branding/alpha/content/about-wordmark.svg tells me it's 300 x 107. You need to use the actual PoC - that's what it's there for, because it eliminates (or shows up) variables: rather than me scurrying around loading files and inspecting them. I'm measuring an element, not the svg, btw (but AFAIK, the element should be the same size). |
I'm also not measuring the item you see on the screen - I measuring a full sized one that is hidden |
Good to know... I think the way my DE scales things could be throwing it
off.
…On 5/27/20 1:45 AM, Thorin-Oakenpants wrote:
I'm also not measuring the item you see on the screen - I measuring a
full sized one that is hidden
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#942 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AADFIOQXXW7UOMAXUHT2XS3RTSZJFANCNFSM4NAIKPJQ>.
|
On fingerprinting...we can at least get a good look at some of the techniques used including WS portscans by ebay and customers of this online metrics company - the payload decryption script is a nice tool, and you can find test cases for it in the archive.org cache of these fingerprint domains... I'm going to paste my more interesting findings from === After doing some research, I've found that these portscanning fingerprint scripts are all hosted via CNAME on the same domain, which uBO already blocks when CNAME checking is on:
Beyond that, it usually is served up as one ore more of these:
It's used by a lot of sites:
Someone also has built a payload decryption tool: https://gist.github.com/nemec/ea6b21bcd027b81ac1e3fbcfeb01db3e |
...because we know most of these fingerprinting/tracking companies' endpoints it makes me wonder why a tool isn't built to dump oodles of fake info into their systems and ruin their data models by increasing entropy. |
This seems relevant to this discussion, this is beyond disgusting: |
@ilikenwf rather than spam PTIO's issue .. here is your own issue. Don't spam #350 , and please stick to the topic. I've unblocked you. The reason I blocked you was because you went OT and starting ranting about Mozilla etc. That's always a sign that the poster is waste of my time. However, if you are rational and don't go too OT, then I will explain all the points you don't seem to understand.
What you brought up was the ability for RFP to let extensions handle canvas (I assume behind a pref: default not to let extensions handle it, as Firefox doesn't come bundled with a canvas extension - but the implementation is not important). And I said that diverging from the RFP set of users was not a good move.
This has nothing to do with comparing methods for defeating FPing, or test sites like Panopticlick, but have at it.
The text was updated successfully, but these errors were encountered: