Implement Stealth Mode for Mobile

[TPS]

The new 2.0 version @ https://panopticlick.eff.org/ complete fails ( all ❌s) a standard web browser through AG with browsing security & all (including spyware) filters enabled. Ghostery browser does much better, with only unblocking DNT unsupported, & I think AG could fix that via the Useful Ads filter.… Comments?

[ameshkov]

Haha, I "love" such tests:)

@Alex-302, please add these domains to spyware filter:

||eviltracker.net^$third-party
||do-not-tracker.org^$third-party
||trackersimulator.org^$third-party

And also $empty rules to mobile ads filter as this website uses https and third-party won't work in Android:

||eviltracker.net^$empty
||do-not-tracker.org^$empty
||trackersimulator.org^$empty

@Alex-302, don't forget to add a comment pointing to this issue.

[ameshkov]

@TPS, what for DNT and fingerprinting, we could do something with that, but not until we have HTTPS filtering capabilities.

Yet DNT is not really important, any browser has an option to enable, and, frankly, I don't think it gives you anything.

Fingerprinting, on the other hand, is rather interesting. We are working on blocking it in our another project (Adguard for Windows) with a special privacy protection module "Stealth Mode". But we have not yet finished with it, as there's no way to simply "block" creating fingerprinting. Instead you should pretend to be some "common" user agent.

[TPS]

Re: DNT, as little value as it has now, there seem to be a number of indications that it'll eventually become legally enforceable down the road, & it might be nice to have an option at the VPN/proxy level for those apps that don't give the option.

I'm actually of mixed feelings about your approach re: blocking those test domains (eviltracker.net, do-not-tracker.org, & trackersimulator.org). To me, it seems a lot like blocking the EICAR & GTUBE tests — useful to test whether the software itself generally functions, but not actually preventing a "real" problem.

I think your fingerprinting approach will be awesome once implemented, especially in mobile OSes, & I look forward to testing it out.

Wouldn't it be better not to block these actually safe domains directly & leave them open to be dealt with via the Stealth Mode module, when implemented? I figure that's truer to the spirit Panopticlick's been implemented in.

[ameshkov]

I'm actually of mixed feelings about your approach re: blocking those test domains (eviltracker.net, do-not-tracker.org, & trackersimulator.org).

That's totally ok and in fact this is what they want us to do.

From https://panopticlick.eff.org/about:

and we strive to have our test domains included in such tools’ lists.

Now let's return to trackers and fingerprinting:)

Wouldn't it be better not to block these actually safe domains directly & leave them open to be dealt with via the Stealth Mode module, when implemented? I firgure that's truer to the spirit Panopticlick's been implemented in.

In fact their approach is also to block trackers. But instead of creating and managing lists of known trackers, they are trying to use some heuristics to detect if domain is tracker or not. Frankly, I don't believe in this approach. It often leads to false positives.

Stealth mode is a bit different. We still block known trackers, but we also clean up third party requests, blocking things which may be used by trackers (like cookies, etags and such).

Now let me tell you what's the main issue with this fingerprinting. All these things (cookies/etags/authorization data and such) are bound to the tracker domain on the browser level. It simply cannot be used if request to the tracker is blocked. Fingerprint is the property that is not bound to any domain. So, for instance, the fingerprint may be calculated by the website you visit and then processed without any third-party request. You even won't be able to detect such things as it is processed somewhere on the server side of that website.

Fortunately this is not a common case now, but I see here really great capabilities for the trackers/ad networks business and if I were them I would be working on this right now.

[TPS]

What I'm concerned about when blocking those test-tracking domains is then I cannot use the tool to determine how the fingerprint-"washing" does, once it's implemented.

Else, I'm with you all 💯%! ☺

Do you want to change this to be tracking issue, titled something like "Implement Stealth Mode for Android/iOS AdGuard"?

[ameshkov]

What I'm concerned about when blocking those test-tracking domains is then I cannot use the tool to determine how the fingerprint-"washing" does, once it's implemented.

These test domains aren't used for fingerprint testing, they are for trackers/ad blocking tests.

Do you want to change this to be tracking issue, titled something like "Implement Stealth Mode for Android/iOS AdGuard"?

Yep, I think it would be better:)

[TPS]

I do think this should be toggled explicitly, & perhaps also in relation to Browsing Security &/Or Spyware filter settings.

[ameshkov]

I do think this should be toggled explicitly, & perhaps also in relation to Browsing Security &/Or Spyware filter settings.

That's how it's done in desktop AG. Stealth mode is a separate module there with it's own ON/OFF button.

[TPS]

Fingerprint is the property that is not bound to any domain. So, for instance, the fingerprint may be calculated by the website you visit and then processed without any third-party request. You even won't be able to detect such things as it is processed somewhere on the server side of that website.

The above tickled something in my memory 10 days ago when I read it, & it finally surfaced now: Can/does the AG Stealth Mode implementation have any abilities like CanvasBlocker &/or Pale Moon's canvas.poisondata? kkapsner/CanvasBlocker#44 also seems instructive.…

[ameshkov]

This may be helpful. Yet they don't always use a canvas only for fingerprinting.

We should find some real-life fingerprinting examples. All those leak tests are not very representative.

[TPS]

Well, here's around 100 PDF scholarly articles detailing such.… Happy reading! 😜

[TPS]

@TPS, what for DNT and fingerprinting, we could do something with that, but not until we have HTTPS filtering capabilities.

@ameshkov Just wanted to put this back on the radar, now that #21 has landed.

[ameshkov]

I'll assign it to v4.0 for now. This is a huge feature, would be hard along with redesign and all firewall improvements planned for v3.0

[TPS]

For future reference: Here's an issue that'd be solved by this that hits quite close to home: isaacs/github#657

[zebrum]

Close as dup.
I hope @TPS you don't mind.

[TPS]

@zebrum Nope, just as long as points raised here aren't forgotten. 🙇