Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Canvas Fingerprint #8

Closed
sikjoy opened this Issue Aug 30, 2013 · 15 comments

Comments

Projects
None yet
5 participants

sikjoy commented Aug 30, 2013

Perhaps adding canvas fingerprint will help with mobile devices. The technique is outlined here: https://www.browserleaks.com/canvas

sikjoy commented Aug 30, 2013

"After plugins and plugin-provided information, we believe that the HTML5 Canvas is the single largest fingerprinting threat browsers face today." - Tor Project. Original research: Pixel Perfect: Fingerprinting Canvas in HTML5, demo: HTML5 Canvas Fingerprinting.

Owner

Valve commented Aug 30, 2013

I've read the Pixel Perfect research and came to the conclusion that Canvas fingerprinting serves its purpose only when other, more traditional fingerprinting methods aren't available. For instance on a Tor Firefox browser it's impossible to identify a user by fingerprinting, because all components would be the same, and fingerprinting will identify all Tor-enabled browsers as one.
This research says that canvas fingerprinting is orthogonal to traditional fingerprinting and should be used independently.
Additionally, the browserleaks.com collected statistics suggest that on average there is one distinct PNG CRC checksum per 8 user agent strings, which leads me to think of it as not sufficiently diverse set of crc values.

This fingerprinting library should be as general-purpose as possible, not catering to specialized browser packages.

Please let me know what you think.

sikjoy commented Sep 2, 2013

I don't think orthogonality implies that it should be used independently, rather that it is statistically independent. This is a good thing, in that the net gain in entropy, by adding the technique among the other tests, is the full amount, as measured, if the technique were applied by itself.

Looking at the Pixel Perfect whitepaper, they did a small scale experiment with 294 tests which yielded 116 unique fingerprints despite having very little variation in browser and OS. They say this translates to an entropy of 5.73 bits, which is comparable to the entropy gain of the http accept test, which I believe you are currently using.

Owner

Valve commented Sep 2, 2013

OK, I'll implement it as an optional thing, similar to:

var fp = new Fingerprint({canvas: true});

When passed the canvas: true option, the fingerprinting will use this method with others.

@Valve Valve added a commit that referenced this issue Sep 2, 2013

@Valve Valve v.0.4 - add support for canvas fingerprinting,
registered as a bower 'fingerprint' package,
this fixes issue #8
f241dd9

@Valve Valve closed this Sep 2, 2013

Valve, is it possible to save the image generated by canvas fingerprinting with this?

Owner

Valve commented Jul 25, 2014

@prismspecs, to save the canvas image, you need to do similar to:

var el = document.getElementsByTagName('canvas')[0];
var base64 = el.toDataURL();
alert(base64);

Once you have the base64, you can save it with any server-side languages, by converting to byte array and saving to the disk.

Valve, how can we use the users information for creating images in canvas?
I have seen many examples but those all are using some predefined values. I am still unable to understand that how can they differentiate users on these values.

Please help...

Owner

Valve commented Aug 12, 2014

@tanuj-github what users information are your referring to?

Thank you Valve for replying immediately...

I am implementing device fingertprinting first time and I have studied we use user machine information like User Agent, App Name, App Code Name, App Version etc which we could get using Java Script.

So my question is how to create canvas image using this information?
And how can we utilize that in Canvas Fingerprinting?

Owner

Valve commented Aug 12, 2014

Canvas fingerptinting doesn't really care what text you draw there, the only thing that matters is applying all the colors (see here https://github.com/Valve/fingerprintjs/blob/master/fingerprint.js#L265)

In other words, it doesn't matter whether you draw abcefghjkl... or your app name and version

That means the image created this way itself contains the all information that we needed to identify a user machine over a network and we just need to store hash coded value in our database?

Owner

Valve commented Aug 12, 2014

fingerptintjs uses a lot of browser capabilities besides image, but overall yes, the way it's built now is sufficient. Remember that fingerprint does not guarantee you the correct identification, it only gives 89-94% of uniqueness.

Thank you Valve.. This information would be very helpful for me.

Hi Valve.

I am done with Canvas fingerprinting but each time I make change in browser config [like changing resolution, browser language setting etc] It is giving me a different hashcode. Then how can we identify a user uniquely?

Thats fine, this is how it works ;)
Maybe this link is interesting for you: https://panopticlick.eff.org/browser-uniqueness.pdf
You should use canvas fingerprinting additional to other techniques like IP, Cookies, and so on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment