Anti-fingerprinting extensions tend to make fingerprinting easier

206 points by a2x0, over 4 years ago

19 comments

ardy42, over 4 years ago
> There you go, the website will now see the same display resolution for everybody, right? Well, that’s unless the website does this:

    delete screen.width;
    delete screen.height;

> And suddenly screen.width and screen.height are restored to their original values. Fingerprinting can now use two data points instead of one: not merely the real display resolution but also the fake one. Even if that fake display resolution were extremely common, it would still make the fingerprint slightly more precise.

> Is this magic? No, just how JavaScript prototypes work. See, these properties are not defined on the screen object itself, they are part of the object’s prototype. So that privacy extension added an override for prototype’s properties. With the override removed the original properties became visible again.

This seems like a flaw in the browser extension model. There should be a way of overriding these properties outside the page's javascript environment itself, before it's initialized, in a way that's immutable to anything that runs afterwards.
avastel, over 4 years ago
I worked on browser fingerprinting and countermeasures during my PhD. In one paper, we showed that in the case of an anti canvas fingerprinting extension (canvas defender I think) we were able to extract the seed used to randomise the canvas on each. Since by default the seed was constant, you could use it for tracking: https://hal.inria.fr/hal-01820197 (the paper also talks about other anti fingerprinting techniques).

There is also a shorter version in a blog post: https://antoinevastel.com/tracking/2018/07/01/eval-canvasdef.html (Evaluating the privacy implications of a canvas fingerprinting countermeasure)
qdhqdhqdg, over 4 years ago
We should make fingerprinting illegal.

Fingerprinting is an exploit, an attack on the person and machine. It is tracking using mechanisms that were not meant for tracking.

It is without consent and it is without user control (you can clear cookies, you can't clear the fingerprint you've left on thousands of websites you browse every week).

Cookies, Local Storage (and IP) should be the only legally authorised means of tracking
1vuio0pswjnm7, over 4 years ago
"It doesn't matter what the data is, it should be: - unique to a sufficiently small group of people"

"What you'd rather want is finding the largest group out there and joining it."

Presumably there is a threshold for how large the group must be before the value of fingerprinting to advertisers drops.

That is one question.

Another question is what value to the advertiser is there, if any, in the data contained in the fingerprint itself (beyond its value in forming a fingerprint).

Hypothetical. User disables Javascript, CSS, does not send Cookies, does not send User-Agent. User only sends a minimum number of headers needed to retrieve the page. For example, Host: and Connection: only.

Putting aside arguments about whether or not this user is more or less "unique" than other users (the size of the group sending minimal data may be small), as well as any arguments about "breaking websites", is the data in the fingerprint valuable to advertisers?

For example, is the advertiser interested in guessing whether the user is using a Javascript and CSS-enabled browser that stores cookies, etc.? Will the advertiser perceive the user as a more or less worthy target than another user due to the specifics of the fingerprint?
gorhill, over 4 years ago
> This bind() call makes sure the getter looks like a native function. Exactly what we needed.

Even the example given as finally working will show a difference with the native method, the bound function will have a property `name` set to `bound`, while the native one has a `name` property set to `get width`.

My opinion on this is that only the browser can really foil fingerprinting based on surveying the properties of DOM objects.
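Added example (not from the article or from any commenter): a self-test an extension author could run against their own override, covering the two tells discussed in the comments above, the `delete` un-shadowing quoted by ardy42 and the getter `name` mismatch gorhill points out. The `Screen` class is a constructed stand-in so the code runs in Node, the widths are made-up values, and `auditOverride` and the other function names are hypothetical.

```javascript
// Constructed stand-in for the browser's Screen interface so this runs in Node.
// 2560 plays the real width, 1920 the spoofed one; both values are made up.
function makeScreen() {
  class Screen { get width() { return 2560; } }
  return new Screen();
}

// Hypothetical self-test: list what distinguishes an override from the native
// accessor. An empty array means neither check fired.
function auditOverride(obj, prop) {
  const tells = [];
  // Natively the accessor lives on the prototype, so an own property is a tell
  // and can be deleted to un-shadow the original value.
  if (Object.prototype.hasOwnProperty.call(obj, prop)) {
    tells.push('own property shadows prototype');
  }
  // A native getter is named "get <prop>"; a bound function is named "bound ...".
  const desc = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(obj), prop);
  const name = desc && desc.get ? desc.get.name : null;
  if (name !== `get ${prop}`) tells.push(`getter name is ${JSON.stringify(name)}`);
  return tells;
}

// Override defined on the instance: delete brings the real value back.
function instanceOverride() {
  const screen = makeScreen();
  Object.defineProperty(screen, 'width', { value: 1920, configurable: true });
  const result = { spoofed: screen.width, tells: auditOverride(screen, 'width') };
  delete screen.width;
  return { ...result, afterDelete: screen.width };
}

// Override on the prototype with a bound getter: delete on the instance does
// nothing, but the getter's name still differs from the native one.
function boundPrototypeOverride() {
  const screen = makeScreen();
  const getter = (function () { return 1920; }).bind(null);
  Object.defineProperty(Object.getPrototypeOf(screen), 'width', { get: getter });
  delete screen.width;
  return { afterDelete: screen.width, tells: auditOverride(screen, 'width') };
}

console.log(instanceOverride());
console.log(boundPrototypeOverride());
```
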
red_hare, over 4 years ago
As someone who worked on a system that did fingerprinting as an alternative to cookies for non-nefarious reasons, I can tell you the best way to not be fingerprinted is to just use Safari on the newest iPhone.

Not because iPhones or Safari are any more private. Just because it's a fixed size browser that you can't customize with extensions and looks identical to 20% of all other sessions.
nomdep, over 4 years ago
The solution is very simple, but is not technical: make advertising targeted with personal data illegal.
betwixthewires, over 4 years ago
> Now one could come up with schemes to change this value regularly, but fact is: making users stand out isn’t the right way.

I don't know that I understand the reasoning behind this. The idea behind it is that it isn't the unique fingerprint that is valuable, it is correlation between different captures of the same unique fingerprint that is valuable. So a randomized fingerprint would be unique, but only for one session, and so the data has no value. If anyone understands the reasoning and could explain how I'm wrong I'd appreciate it.
gruez, over 4 years ago
...and that's why you should be using firefox with resistfingerprinting enabled.
jonplackett, over 4 years ago
When I first read this headline I was imagining physical extensions to my finger tips..
KarlTheCool, over 4 years ago
I've been using Tor with proxy disabled[1] ever since that fingerprint tester[2] was posted a while ago. I figure of all people forking and hardening a web browser, I trust the tor project the most. I'm no tracking expert, but it's the only way I've been able to score a non-unique fingerprint.

[1] https://github.com/KarlTheCool/tor-without-tor

[2] https://coveryourtracks.eff.org/
mastre_, over 4 years ago
What about randomizing some values on every load to make existing, and additional values (as described in the article), result in new (and therefore useless) fingerprints on every load?
h_anna_h, over 4 years ago
Recently Privacy Badger by EFF added a way for sites to detect if the user has it installed https://www.eff.org/gpc-privacy-badger
WaitWaitWha, over 4 years ago
> What has been is what will be, and what has been done is what will be done, and there is nothing new under the sun.

This is a cat & mouse game and the leaders constantly change. Sometimes the mice are ahead, sometimes the cats.
xwvvvvwx, over 4 years ago
Only sure way to browse safely is with js disabled....
paulie_a, over 4 years ago
I say just ruin the information collected. Let them fingerprint you all they want, make the data collected extremely useless
jowq3rijofpg, over 4 years ago
For those saying that fingerprinting should be illegal, how does this balance against the idea that a GET request should never be illegal? Not that I don't despise it, I just can't see how that's not a slippery slope.
eeZah7Ux, over 4 years ago
TL;DR: browser anti-fingerprinting is difficult

Use Tor Browser so that your fingerprint will be identical to many thousands of other users.
pmoriarty, over 4 years ago
"Is this magic? No, just how JavaScript prototypes work."

Yet another reason to avoid JavaScript.