Spoofing the same browser version gives away more bits of data? #508
Comments
Hi @Ph0rk0z, it seems Librewolf enables RFP (resist fingerprinting) by default. This would make the fingerprint less unique which is the opposite of what Chameleon does (spoofs many fingerprints). Chameleon's ESR 78 user agent matches Firefox's ESR 78's user agent which is slightly different to Librewolf. LW: Arkenfox's tester uses a service worker to get the actual browser values. WebExtensions currently can not protect against them so there's not much that can be done on that front.
arkenfox doesn't use any workers of any sort to influence FPs (bypasses) or report lies
edit: to clarify:
For now, workers are not promisified and used in results. For UA it's problematic (because Language, and other sections if/when I add workers, can and will be used, when I get around to it. But since workers can essentially be blocked, I'm exploring non-worker options first
That's my story, thanks for listening :)
Are you sure? TZP should detect you are on v89, but your userAgent says 78, so it records a lie and a bypass (but only if there have been no pinocchio's already)
here's Firefox 89 with RFP enabled (and no other user agent spoofing)
So RFP should be off? It makes you more unique? Also with RFP: real os isn't unmasked. Without RFP it is but you can fool creeper js when you change UA.
can you fool TZP? also creep should pick you up, because it uses prototype lies. Can you please reply below for @abrahamjuliot exactly what you did? The rest I can't make much sense of
RFP does not hide your OS in navigator properties
So there is nothing to "unmask"
Without RFP what is? Sounds like you are using RFP and then trying to spoof via chameleon. RFP returns a set of values for all the user agent bits and pieces in JS and for the HTTP Header. If you use an extension to spoof, the extension should be the last one to modify what goes out or what JS gets
No, and no. If you do nothing you are likely unique. If you use RFP you have now covered about 100 metrics that can help reduce entropy and mitigate paradoxes (most paradoxes don't matter with RFP and not in an enforced set of users if everyone is up to date)
Just on the user agent: if you spoof lies, you can make yourself stand out more (not necessarily unique, but with other factors, very likely). It depends on whether or not the lie is detected or causes a paradox, which in part depends on what exactly you are lying as
You cannot hide your OS, you usually can't hide the bitness of the OS (I'm working on it), you can't hide some OS versions (e.g. win7 vs win10, or some distros in Linux), you can't hide your version, and you can't hide that you are using Firefox.
RFP
RFP uses one of four results (windows, android, linux or mac) depending on your OS - that's it, it does not deviate. So it's not trying to lie about the OS or that you're using anything but Firefox. That alone reduces the ability to detect lies: as
So what's left: namely
That's it
Information paradoxes
Not everyone is going to tell you that you're lying. They don't even need to, because information paradoxes will simply reveal it in the fingerprint. for example (on Firefox 89)
Trying to spoof as different browser to Firefox has so many differences in feature detection (supported APIs, properties), that it's easily detected. And lying about the OS (windows, mac etc) will also easily manifest itself
Scripts
Note that most scripts are naive, i.e. they don't detect randomizing or a lot of spoofing, so in that sense you are just fine, as long as you are randomizing. Advanced scripts will make a mockery of your attempts to hide: no offense to extension devs, don't beat me up sereneblue :)
RFP and no chameleon for user agent = 1 fingerprint from creeper
It re-detects you on subsequent visits as the 2 different fingerprints.
RFP = windows detected as windows 10 in "worker"
RFP detects less "lies"
But changing chameleon UA doesn't fool creeper beyond the initial FP.
The actual profile info isn't used when the hash is generated. Your true browser info is exposed from the web worker so it persists unless you enable another option like spoof audio context, etc, that would generate a new unique fingerprint.
Those options actually do not help. Creeper finds me even with audio context/canvas/etc spoofing. The web worker cannot detect the correct windows version with RFP.
I'm able to generate new IDs with spoof audio context and client rects enabled. Changing the profile also randomizes the audio context fingerprint so your ID should also change when the profile does. What do you mean Creeper is finding you? Are you referring to the session load? RFP is working as designed. It will report specific values (UTC/Windows) because it's baked into the browser.
Despite the audio and canvas hashes changing the creeper JS still knows it's the same browser.
quote me: "Advanced scripts will make a mockery of your attempts to hide" @Ph0rk0z scripts do not have to tell you or even provide the same result - there's a whole other science behind linking slightly different fingerprints. However, creep and TZP like to display the random/fake value but discard any fake data, or replace it with leaked real values .. I'm not sure what creep does exactly. TZP If a script knows a value is fake, it can record that value as fake and not swallow the "poison pill" - so your fingerprint will not change. Capisce?
So what's the solution? Return the same values as default browsers? I used an extension on the chrome side that seemed to do that called "rubber glove".
If you're referring to the area below, that's expected. That's the purpose of the project.
I checked the extension. If a website is using an advanced script to get your browser fingerprint, I'm not sure how it would handle not being able to collect any useful data (from the navigator object). CreepJS is still able to find your actual browser profile from the shared worker. Solutions:
If I am not wrong then this issue is due to web extensions not being able to change navigator properties.
WebExtensions can change navigator properties. However, the original values can be found because WebExtensions don't have access to workers. You've commented on the related issue on Bugzilla. This might be helpful in understanding why spoofing data is challenging.
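The consistency problem discussed in this thread (page-scope values spoofed while a worker still reports the real ones, plus the "information paradoxes" inside a single profile), as an added example that is not part of any comment here and is not code from Chameleon, TZP or CreepJS. It runs under Node on constructed user agent strings for desktop Firefox only; the function names and the profile shape are assumptions made for illustration.

```javascript
// Added example: all user agent and platform values are constructed samples.
function osFamily(text) {
  if (/Win/.test(text)) return "windows";
  if (/Mac/.test(text)) return "mac";
  if (/Linux|X11/.test(text)) return "linux";
  return "unknown";
}

// Parse a desktop Firefox user agent into OS family, rv: token and version.
function parseFirefoxUA(ua) {
  const m = /^Mozilla\/5\.0 \(([^)]*)\) Gecko\/[\d.]+ Firefox\/(\d+)\.\d+/.exec(ua);
  if (!m) return null;
  const rv = /rv:(\d+)\./.exec(m[1]);
  return { os: osFamily(m[1]), rv: rv ? Number(rv[1]) : null, version: Number(m[2]) };
}

// profile = { httpHeader, window: {userAgent, platform}, worker: {userAgent, platform} }
function findParadoxes(profile) {
  const found = [];
  for (const scope of ["window", "worker"]) {
    const { userAgent, platform } = profile[scope];
    const ua = parseFirefoxUA(userAgent);
    if (!ua) { found.push(`${scope}: not a desktop Firefox userAgent`); continue; }
    if (ua.rv !== ua.version) found.push(`${scope}: rv and Firefox version differ`);
    if (ua.os !== osFamily(platform)) found.push(`${scope}: userAgent OS differs from platform`);
  }
  if (profile.window.userAgent !== profile.worker.userAgent) found.push("window and worker userAgent differ");
  if (profile.window.platform !== profile.worker.platform) found.push("window and worker platform differ");
  if (profile.httpHeader !== profile.window.userAgent) found.push("HTTP header and window userAgent differ");
  return found;
}

const WIN78 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0";
const LINUX89 = "Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0";

// Page scope spoofed to Firefox 78 on Windows; the worker still reports the real values.
const spoofed = {
  httpHeader: WIN78,
  window: { userAgent: WIN78, platform: "Win32" },
  worker: { userAgent: LINUX89, platform: "Linux x86_64" },
};
// No spoofing: every observer sees the same values.
const unspoofed = {
  httpHeader: LINUX89,
  window: { userAgent: LINUX89, platform: "Linux x86_64" },
  worker: { userAgent: LINUX89, platform: "Linux x86_64" },
};

console.log(findParadoxes(spoofed));
console.log(findParadoxes(unspoofed));
```

An empty result only means these few checks agree; it says nothing about the many other metrics mentioned in the thread.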
There are 2 ways of being less traceable (or at least, to hope so):
The problem then is that even with an entirely plausible and consistent forged profile, some entities like CloudFlare or Google are using analysis methods powerful enough to be able to detect not only that you are using a forged profile, but also how it is forged. This information can play the role of a signature, allowing you to be traced across sessions.
I tested using https://coveryourtracks.eff.org/
Librewolf 89 - No user agent override: less bits of data under user agent. Pretends to be windows firefox 78.
Librewolf 89 - Use any of the profiles: Your browser is unique, even when set to firefox 78
The arkenfox tester also says we are lying when using chameleon but not the default forged user agent (FF78).