Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Spoofing the same browser version gives away more bits of data? #508

Closed
Ph0rk0z opened this issue Jun 9, 2021 · 16 comments
Closed

Spoofing the same browser version gives away more bits of data? #508

Ph0rk0z opened this issue Jun 9, 2021 · 16 comments

Comments

@Ph0rk0z
Copy link

Ph0rk0z commented Jun 9, 2021

I tested using https://coveryourtracks.eff.org/

Librewolf 89 - No user agent override: less bits of data under user agent. Pretends to be windows firefox 78.

Librewolf 89 - Use any of the profiles: Your browser is unique, even when set to firefox 78

the arkenfox tester also says we are lying when using chameleon but not default forged user agent (FF78).

@sereneblue
Copy link
Owner

Hi @Ph0rk0z, it seems Librewolf enables RFP (resist fingerprinting) by default. This would make the fingerprint less unique which is the opposite of what Chameleon does (spoofs many fingerprints). Chameleon's ESR 78 user agent matches Firefox's ESR 78's user agent which is slightly different to Librewolf.

LW: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
ESR 78: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Arkenfox's tester uses a service worker to get the actual browser values. WebExtensions currently can not protect against them so there's not much that can be done on that front.

@Thorin-Oakenpants
Copy link

Thorin-Oakenpants commented Jun 13, 2021

arkenfox doesn't use any workers of any sort to influence FPs (bypasses) or report lies

edit: to clarify:

  • storage section uses workers to test if workers etc are available
  • user agent section shows workers matching/not matching
    • the lie logic comes from knowing you are on Firefox, if RFP is enabled or not, the real OS (e.g. win, linux etc), the FF real version, the real OS architecture (sometimes), and knowing how Mozilla combines those into a userAgent string etc
  • language has a worker that shows differences in the details

For now, workers are not promisified and used in results. For UA it's problematic (because oscpu is not available in workers), and I already can do what I need based on logic

Language, and other sections if/when I add workers, can and will be used, when I get around to it. But since workers can essentially be blocked, I'm exploring non-worker options first

That's my story, thanks for listening :)

@Thorin-Oakenpants
Copy link

the arkenfox tester also says we are lying when using chameleon but not default forged user agent (FF78).

Are you sure? TZP should detect you are on v89, but your userAgent says 78, so it records a lie and a bypass (but only if there have been no pinocchio's already)

here's Firefox 89 with RFP enabled (and no other user agent spoofing)

  • one lie is userAgent version with a bypass (swapping out 78.0 with 89.0 (see feature detection)
  • the other five lies are canvas
    RFP

@Ph0rk0z
Copy link
Author

Ph0rk0z commented Jun 13, 2021

So RFP should be off? It makes you more unique?

Also with RFP: real os isn't unmasked. Without RFP it is but you can fool creeper js when you change UA.

@Thorin-Oakenpants
Copy link

but you can fool creeper js when you change UA

can you fool TZP?

also creep should pick you up, because it uses prototype lies. Can you please reply below for @abrahamjuliot exactly what you did?


The rest I can't much sense of

With RFP on, the real OS isn't unmasked

RFP does not hide your OS in navigator properties

  • i.e it does not lie about windows vs linux vs android vs mac
  • it does standardize the OS version, which TZP doesn't care about (e.g. windows 7 or 8 or 10)
  • it does limit HTTP headers to two results (windows and android), but TZP doesn't check that (yet) - it does this to reduce entropy in non-JS modes, like safest in Tor Browser

So there is nothing to "unmask"

Without RFP it is

Without RFP what is? Sounds like you are using RFP and then trying to spoof via chameleon. RFP returns a set of values for all the user agent bits and pieces in JS and for the HTTP Header. If you use an extension to spoof, the extension should be the last one to modify what goes out or what JS gets


So RFP should be off? It makes you more unique?

No, and no. If you do nothing you are likely unique. If you use RFP you have now covered about 100 metrics that can help reduce entropy and mitigate paradoxes (most paradoxes don't matter with RFP and not in an enforced set of users if everyone is up to date)

Just on the user agent: if you spoof lies, you can make yourself stand out more (not necessarily unique, but with other factors, very likely). It depends on whether or not the lie is detected or causes a paradox, which in part depends on what exactly you are lying as

You cannot hide your OS, you usually can't hide the bitness of the OS (I'm working on it), you can't hide some OS versions (e.g. win7 vs win10, or some distros in Linux), you can't hide your version, and you can't hide that you are using Firefox.

RFP

RFP uses one of four results (windows, android, linux or mac) depending on your OS - that's it, it does not deviate.

So it's not trying to lie about the OS or that you're using anything but Firefox. That alone reduces the ability to detect lies: as appCodeName, appName, product, platform,buildID,productSub,vendor and vendorSub are all taken care of: that is, they aren't lying. And some of those are used in the userAgent, so large chunks of the userAgent are also not lying

So what's left: namely oscpu (OS version and OS bitness) and the version in the userAgent

  • version is easily detected, if a script wanted to, like TZP does: but I doubt anyone does that (and it would show up elsewhere anyway, without effort)
  • even scripts that get the real version, it doesn't really matter - as long as most people update, the information paradoxes will the same as everyone else: i.e say you are FF78 but have FF89 stuff. Everyone updates to 90 and still says they are FF78 but now they all have FF90 stuff
  • oscpu will be the right OS, and it can be difficult to determine the OS bitness.
  • oscpu's version is much trickier (see font example below: win7 vs win8.1/10)

That's it

  • RFP can "leak" it's version. RFP knows this, but no harm in making scripts work for it :)
  • other methods or equivalency can show up the OS version (or linux distros), but a lot of that is mitigated by other RFP protected metrics, and hopefully the number of users in each fingerprint is still sufficiently large - e.g. Win7 vs Win8.1/10 will show up in fonts, but splitting a large group of Firefox Windows users into two (about 20% win7 and 80% win8.1/10) isn't going to cause uniqueness

Information paradoxes

Not everyone is going to tell you that you're lying. They don't even need to, because information paradoxes will simply reveal it in the fingerprint.

for example (on Firefox 89)

  • lie that you are android, but return windows fonts
  • lie that you are FF78 but return results that shouldn't be supported
  • lie that you are a blink engine (like chrome) but not have blink properties
  • lie that you are windows 10 (but actually be windows 7) and be missing windows 10 base fonts

Trying to spoof as different browser to Firefox has so many differences in feature detection (supported APIs, properties), that it's easily detected. And lying about the OS (windows, mac etc) will also easily manifest itself

Scripts

Note that most scripts are naive, i.e it they don't detect randomizing or a lot of spoofing, so in that sense you are just fine, as long as you are randomizing. Advanced scripts will make a mockery of your attempts to hide: no offense to extension devs, don't beat me up sereneblue :)

@Ph0rk0z
Copy link
Author

Ph0rk0z commented Jun 14, 2021

RFP and no chameleon for user agent = 1 fingerprint from creeper
No RFP and only chameleon spoofing UA = different fingerprint from creeper

It re-detects you on subsequent visits as the 2 different fingerprints.

RFP = windows detected as windows 10 in "worker"
Only Chameleon = Windows 6.1 detected in "worker"

RFP detects less "lies"

But changing chameleon UA doesn't fool creeper beyond the inital FP.

@sereneblue
Copy link
Owner

RFP and no chameleon for user agent = 1 fingerprint from creeper
No RFP and only chameleon spoofing UA = different fingerprint from creeper

It re-detects you on subsequent visits as the 2 different fingerprints.

RFP = windows detected as windows 10 in "worker"
Only Chameleon = Windows 6.1 detected in "worker"

RFP detects less "lies"

But changing chameleon UA doesn't fool creeper beyond the inital FP.

image

The actual profile info isn't used when the hash is generated. Your true browser info is exposed from the web worker so it persists unless you enable another option like spoof audio context, etc, that would generate a new unique fingerprint.

@Ph0rk0z
Copy link
Author

Ph0rk0z commented Jun 15, 2021

Those options actually do not help. Creeper finds me even with audio context/canvas/etc spoofing.

The web worker cannot detect the correct windows version with RFP.

@sereneblue
Copy link
Owner

Those options actually do not help. Creeper finds me even with audio context/canvas/etc spoofing.

The web worker cannot detect the correct windows version with RFP.

I'm able to generate new IDs with spoof audio context and client rects enabled. Changing the profile also randomizes the audio context fingerprint so your ID should also change when the profile does. What do you mean Creeper is finding you? Are you referring to the session load?

RFP is working as designed. It will report specific values (UTC/Windows) because it's baked into the browser.

@Ph0rk0z
Copy link
Author

Ph0rk0z commented Jun 16, 2021

Despite the audio and canvas hashes changing the creeper JS still knows it's the same browser.

@Thorin-Oakenpants
Copy link

Thorin-Oakenpants commented Jun 16, 2021

Despite the audio and canvas hashs changing the creeper JS still knows it's the same browser.

quote me: "Advanced scripts will make a mockery of your attempts to hide"

@Ph0rk0z scripts do not have to tell you or even provide the same result - there's a whole other science behind linking slightly different fingerprints. However, creep and TZP like to display the random/fake value but discard any fake data, or replace it with leaked real values .. I'm not sure what creep does exactly. TZP lies likes to record "untrustworthy" so the metric count stays the same. TZP is a work-in-progress, so not everything is currently picked up on.

If a script knows a value is fake, it can record that value as fake and not swallow the "poison pill" - so your fingerprint will not change. Capisce?

@Ph0rk0z
Copy link
Author

Ph0rk0z commented Jun 17, 2021

So what's the solution? Return the same values as default browsers? I used an extension on the chrome side that seemed to do that called "rubber glove".

@sereneblue
Copy link
Owner

@Ph0rk0z

Despite the audio and canvas hashes changing the creeper JS still knows it's the same browser.

If you're referring to the area below, that's expected. That's the purpose of the project.

image

So what's the solution? Return the same values as default browsers? I used an extension on the chrome side that seemed to do that called "rubber glove".

I checked the extension. If a website is using an advanced script to get your browser fingerprint, I'm not sure how it would handle not being able to collect any useful data (from the navigator object). CreepJS is still able to find your actual browser profile from the shared worker.

Solutions:

  • Tor Browser: uniform browser profile
  • RFP: uniform browser profile
  • Whitelist JS: Tradeoff but probably what a privacy conscious user is already doing

@DGjone44
Copy link

If I am not wrong then this issue is due to web extensions not able to change navigator properties.

@sereneblue
Copy link
Owner

If I am not wrong then this issue is due to web extensions not able to change navigator properties.

WebExtensions can change navigator properties. However, the original values can be found because WebExtensions don't have access to workers. You've commented on the related issue on Bugzilla. This might be helpful in understanding why spoofing data is challenging.

@Kraxys
Copy link

Kraxys commented Oct 24, 2021

I tested using https://coveryourtracks.eff.org/

Librewolf 89 - No user agent override: less bits of data under user agent. Pretends to be windows firefox 78.

Librewolf 89 - Use any of the profiles: Your browser is unique, even when set to firefox 78

the arkenfox tester also says we are lying when using chameleon but not default forged user agent (FF78).

There is 2 ways for being less traceable (or at least, to hope so):

  1. The static way: Having the same profile than a lot of people (really a lot), and the same for each browsing session (and in that logic, being "unique" is bad). No browser ddon has a sufficiently large users base for this method to work. But it may work on the Tor network (and if using TB), as at any time, there are at least 1 million peoples on this network.
    But even so, you become less traceable only on site where there is a lot of traffic. On a given little visited site, you may be the sole visitor using the TB through Tor network. And if you browse this little visited site often, you can be traced cross session because of that.

  2. The dynamic way: Changing your profile for each browsing session. Theoretically, if all goes well, you can not be traced cross session, even by little visited sites. In that logic, it is a good thing to be for each session viewed as unique. But this assumes that the forged profile is plausible and consistent. Some addons trying to follow the "dynamic" path, are for example spoofing WebGL by indicating for the WebGL vendor a random string. Others provide plausible WebGL vendors, but that are changing each time the same site is reloaded during the same session. In each case it's bad. You can easily be traced as being "the guy/gal with highly improbable webgl characteristics".

The problem then is that even with an entirely plausible and consistent forged profile, some entities like CloudFlare or Google are using analysis methods powerful enough to be able to detect not only that you are using a forged profile, but also how it is forged. This information can play the role of signature, allowing to trace you cross session.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants