Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add AudioContext Fingerprint Blocking? #71

Closed
ChthonVII opened this issue May 21, 2016 · 57 comments
Closed

Add AudioContext Fingerprint Blocking? #71

ChthonVII opened this issue May 21, 2016 · 57 comments

Comments

@ChthonVII
Copy link

It looks like the world could really use a per-site blocker/spoofer for the AudioContext API. (See https://audiofingerprint.openwpm.com/) Maybe blocking/spoofing this API could be added to CanvasBlocker? Or, if that's too much a departure, maybe a separate extension using the same per-site blocker/spoofer model as CanvasBlocker?

@kkapsner
Copy link
Owner

I think this fingerprinting could be handled the same as canvas fingerprinting. But I'm not sure if this should be done in a separate addon. Both aproaches have benefits.

@secureemail
Copy link

What's the state on this? It is still talked about (https://webtransparency.cs.princeton.edu/webcensus/#audio-fp) and I think solving this would be good.

Anyone interested to post his results from https://audiofingerprint.openwpm.com/ ?

PS:
If this addon is called "CanvasBlocker", you may either rename it to something like FingerprintBlocker, or create a separate addon if AudioContext is solved. Just my opinion.

Also it's not going to be present in uBlock Origin: gorhill/uBlock#1647 [closed].
So this is one more reason to go ahead and then having more users to use your addon.

@kkapsner
Copy link
Owner

kkapsner commented Aug 6, 2016

There is no state yet. Had no time to dig into this subject.

@secureemail
Copy link

No problem, I see that even the TorBrowser guys are still working on this: https://trac.torproject.org/projects/tor/ticket/13017

@jetwhiz
Copy link

jetwhiz commented Sep 3, 2016

From what I can tell, the most popular fingerprinting methods here involve the usage of:

  • AudioBuffer.getChannelData() (and AudioBuffer.copyFromChannel())
  • AnalyserNode.getFloatFrequencyData() (and AnalyserNode.getByteFrequencyData())

I'm not sure if the same fingerprinting could be pulled off with time-domain data (AnalyserNode.getFloatTimeDomainData() / AnalyserNode.getByteTimeDomainData()).

See:

I wouldn't be surprised if there are other methods of obtaining audio data in the API, though.

@L-a-n-g-o-l-i-e-r-s
Copy link

Has anyone identified an extension that has been created to address this issue yet? Thanks

@Fraponi
Copy link

Fraponi commented Nov 13, 2016

I don't know about any addon but Mozilla has made it possible to disable the AudioContext API by setting dom.webaudio.enabled to false (https://bugzil.la/1288359). It's marked for being included in Firefox 51 which is schedules for 2017-01-24 (https://wiki.mozilla.org/RapidRelease/Calendar) so if you want to use it now you'll have to use beta/aurora/nightly. I also haven't really looked into where AudioContext is used so disabling it might break something.

@L-a-n-g-o-l-i-e-r-s
Copy link

L-a-n-g-o-l-i-e-r-s commented Nov 22, 2016

If it is opt out by default, it would make you more track-able or no?

@kkapsner
Copy link
Owner

So you're mainly interested in the faking modes?

@L-a-n-g-o-l-i-e-r-s
Copy link

L-a-n-g-o-l-i-e-r-s commented Nov 22, 2016

I guess, I'm not convinced an opt out is the way. I don't know enough about it though, you tell me.

@kkapsner
Copy link
Owner

I totally agree that an opt out is not the best way. Faking would be better.

@jugi1
Copy link

jugi1 commented Feb 7, 2017

There is SIlverdog extension for chrome regarding audio fing.
Maybe it can help implementing this in CanvasBlocker
http://www.ghacks.net/2017/01/06/silverdog-a-sound-firewall-for-chrome/

@L-a-n-g-o-l-i-e-r-s
Copy link

L-a-n-g-o-l-i-e-r-s commented Mar 5, 2017

@jugi1 are we sure this extension is directly related to this issue? It sounded a bit different from what I read there. I could be totally wrong, anyone test it on FF yet?

Awaiting eagerly for your response, thank you.

Edit:
Can anyone confirm https://audiofingerprint.openwpm.com/ is still working for them? Even enabling flash ended with no result for the upper portion, not sure if an extension or protection was developed in use on my side or the website is just broken, thanks.

@spodermenpls
Copy link
Contributor

The mentioned site works fine on my end.

@L-a-n-g-o-l-i-e-r-s
Copy link

I tried it again today, it's working again, this is still, unfortunately, a problem, at least in Waterfox, not sure if FF 57 fixed it, but I doubt it.

Thanks

@Helpper
Copy link

Helpper commented Jan 9, 2018

@jetwhiz Do you know how to reconstruct function AnalyserNode.getFloatFrequencyData() to add some noise to the data?

@davidhedlund
Copy link

davidhedlund commented Jun 3, 2018

Perhaps you can reuse the source code from the WebExtension AudioContext Fingerprint Defender?

@Helpper
Copy link

Helpper commented Jun 4, 2018

Thank you!

@kkapsner
Copy link
Owner

kkapsner commented Jun 4, 2018

I'll have a look.

@kkapsner
Copy link
Owner

Well... I had a look and am not impressed. I think I can do better.

@crssi
Copy link

crssi commented Jun 12, 2018

Nice to hear and happy to get two in one. :)

Cheers

@crssi
Copy link

crssi commented Jun 15, 2018

@kkapsner
Do you might have any ETA? Assuming that you will take this road.

Thank you and cheers

@kkapsner
Copy link
Owner

The basics are already finished, but I have to rethink some RNG things.

I think I can provide an alpha within the next week.

@crssi
Copy link

crssi commented Jun 15, 2018

OMG... you made my day. 😄

@kkapsner
Copy link
Owner

https://github.com/kkapsner/CanvasBlocker/releases/tag/0.4.6-Alpha1
You should deactivate the normal CanvasBlocker when using the CanvasBlocker-Beta. You can port your settings by the following:

  • activating the expert mode
  • clicking on export settings
  • copy the content you see
  • go to CB-Beta
  • activating the expert mode
  • clicking on export settings
  • delete everything and paste

Please test and give feedback.

@kkapsner
Copy link
Owner

Just imported to my main profile and already found a bug... you must not activate storeImageForInspection...

@crssi
Copy link

crssi commented Jun 16, 2018

At first glace it looks that this works as it shoud.
Very good job.

@kkapsner
Copy link
Owner

New alpha: https://github.com/kkapsner/CanvasBlocker/releases/tag/0.4.6-Alpha2

Please test and give feedback.

@DRigby26: now it should not be persistent.

@DRigby26
Copy link

DRigby26 commented Jun 23, 2018

It looks like those two fingerprints are still persistent for me.

@kkapsner
Copy link
Owner

Weird - I get non persistent values. What are your CB settings?

@crssi
Copy link

crssi commented Jun 23, 2018

Same here, they are persisten... default settings.

@DRigby26
Copy link

Same here

{
"logLevel": 1,
"urlSettings": [],
"whiteList": "",
"blackList": "",
"blockMode": "fakeReadout",
"minFakeSize": 1,
"maxFakeSize": 0,
"rng": "nonPersistent",
"apiWhiteList": {},
"useCanvasCache": true,
"ignoreFrequentColors": 0,
"minColors": 0,
"fakeAlphaChannel": false,
"persistentRndStorage": "",
"storePersistentRnd": false,
"persistentRndClearIntervalValue": 0,
"persistentRndClearIntervalUnit": "days",
"lastPersistentRndClearing": 1529776484900,
"askOnlyOnce": "individual",
"askDenyMode": "block",
"showCanvasWhileAsking": true,
"showNotifications": true,
"storeImageForInspection": false,
"notificationDisplayTime": 30,
"ignoreList": "",
"showCallingFile": false,
"showCompleteCallingStack": false,
"enableStackList": false,
"stackList": "",
"protectAudio": true,
"audioFakeRate": "10",
"audioNoiseLevel": "high",
"audioUseFixedIndices": true,
"audioFixedIndices": "0",
"displayAdvancedSettings": true,
"displayDescriptions": false,
"isStillDefault": false,
"storageVersion": 0.3
}

@kkapsner
Copy link
Owner

Can you please set the logging level to "warning" and tell me if you see any messages in the browser console (to open hit F12 and go to console) that have a "[CanvasBlocker]" in it?

Which Firefox version are you using?

@kkapsner
Copy link
Owner

Additional you can set the fixed indices to "0,1" which should force the first two numbers of these two fingerprints to change.

@DRigby26
Copy link

Oh okay that seemed to work for the first two number which are not persistent. I also checked the browser console, and found no warnings. I set it back to 9 and noticed only the 9th index was changing along with the the 4th index in the Oscillator Node fingerprint, but the other numbers seem to be mostly the same.

@DRigby26
Copy link

So I went ahead and set it fixed to spoof all the indices and it did that!

@crssi
Copy link

crssi commented Jun 24, 2018

If Fixed indices = 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 then all numbers of Fingerprint using OscillatorNode and Fingerprint using hybrid of OscillatorNode/DynamicsCompressor method are different, which is OK, but the method is slow.
Problem is that in that case the Fingerprint using DynamicsCompressor (sum of buffer values) and Fingerprint using DynamicsCompressor (hash of full buffer) remains the same every time, which is not OK.

@DRigby26
Copy link

Oh yeah it stays the same for me too.

@kkapsner
Copy link
Owner

The point is that I cannot change all numbers as this would be way too slow (each request contains 44100 datapoints).
Therefore only some of the datapoints are faked. If you do not use fixed indices the used indices are randomized and the amount is controlled by the fake rate.

I have to look into the sum and the hash to check why they stay the same.

@kkapsner
Copy link
Owner

This test page... I will create my own as it is slow and badly written.

@kkapsner
Copy link
Owner

I figured out the problem and will provide a new alpha soon.

@DRigby26
Copy link

Awesome! Thank you!

@kkapsner
Copy link
Owner

I created this test page which provides the same hash and sum, but is much faster: http://kkapsner.github.io/CanvasBlocker/test/audioTest.html

There you can see that the other addon does not fully protect you. The second hash will stay constant.

@kkapsner
Copy link
Owner

kkapsner commented Jul 1, 2018

New alpha: https://github.com/kkapsner/CanvasBlocker/releases/tag/0.4.6-Alpha3
You will have to disable the audio cache if you want to use the other test page.

@crssi
Copy link

crssi commented Jul 2, 2018

This looks super cool now :)
What exactly are Fixed indices?
Why there is only value 24 and not all in the array?

@DRigby26
Copy link

DRigby26 commented Jul 2, 2018

It looks great to me so far! Thank you!

@kkapsner
Copy link
Owner

kkapsner commented Jul 2, 2018

@crssi: the indices that are changed in the audio data are usually picked at random. With the "fixed indices" you can pick some by yourself. The default is to chose one from 0-30 at random by browser start.
The basic idea there was that apparently some fingerprinters are only using the first 30 entries in the audio data and the you are always somewhat protected there. Otherwise it could by random that you are tracked because the random indices were not in that range.

If I would always fake all audio data entries CB would render the other test page not useable - my test page is actually fine... so I will also add a 10% and 100% buffer fake rate.

@kkapsner
Copy link
Owner

The new release is out.

@DRigby26
Copy link

Thank you!!!

@davidhedlund
Copy link

davidhedlund commented Jul 21, 2018

@kkapsner
Copy link
Owner

Please try 0.5.1.1b

@davidhedlund
Copy link

davidhedlund commented Jul 21, 2018

I can now play all three videos thanks to your bug fix in that version.

@kkapsner
Copy link
Owner

You're welcome.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests