fingerprinting #620
Privacy means no-one else but the sending and receiving party can read about it.
There is ain't no thing as a Tor Browser fingerprint. Font fingerprints are pretty unique for combination of OS + FF version + environment (fonts, prefs, etc...).
Isn't TB a Firefox? So if all the patches are uplifted, FF will be different from TB only by prefs and logo. Changing the prefs will effectively make TB and FF the same. |
I am thinking now for a long time already that FPing is quite useless, if there is no tracking. @Thorin-Oakenpants, Am I wrong? |
Do you see WebGL as security risk or FP risk or both? |
I understand that, but when FP values (also referers, origins, etc.) are not passed to 3rd party then there the tracking is very limited or none. |
Maybe Beauty and the Beast? They used data from AmIunique.org ...same data used by P. Laperdrix to |
^^FP-Scanner: The Privacy Implications of Browser From reddit comment:
No, you don't. You're just into a big flock, moved around by Google and Cloudflare wolves.
Greatly a FP risk, it exposes your graphics drivers version, hence your GPU. Re: WebGL Security, see: https://www.khronos.org/webgl/security/ |
Not sure if here's the right place to query.. and, I'm not so technical on this FP discussion but is something I am aware of. I have decided to set RFP to false. I've been having issues with this set to true and will re-visit it at a later time. With RFP = false I have enabled section 4600 of the user.js, but I have also installed the "CanvasBlocker" extension with block mode configured to "fake readout API". The effect this has is that it randomizes the canvas fingerprint on each page that is visited/refreshed. I have also read various posts on reddit which only seem to suggest two options (1) Enable RFP or (2) install an extension such as "CanvasBlocker" to randomize the Canvas Fingerprint. So, with RFP disabled and have enabled the settings listed under 4600 of ghacks - user.js. Should I also be bothered with installing an extension such as "CanvasBlocker" to randomize the Canvas fingerprint? Thanks in advance! |
IMHO the wrong approach.
IMHO a better approach is to generate a random identity for every party capable of tracking and return it deterministically. An even better approach is to always return the same values, eliminating fingerprinting. The devil is how to define the party. IMHO - a party is a webapp as a whole, with all the CORS resources. So the attacks like
won't work: the fingerprints are equal because evil1 and evil2 are considered the same party. and neither
would work, because evil1 and evil2 are different parties. Though
would probably succeed in detecting spoofing |
Do you mean that spoiling the stuff with fake data, if it is cheap to cause its production, if the data is indistinguishable from the real one within the budget affordable to tracking parties should not be used? IMHO quite contrary. Let's define privacy as the capability to hide the data and metadata the subject prefers to hide. So even if we can produce deterministic fingerprints, randomizing fingerprints, if they are unlinkable
1 + 2 makes the whole industry more costly to operate. Though there is a flaw - it may be hard to cheaply and securely implement randomization because defeating it is the primary area of the tracking business, so they would have the researchers and resources to train the models, unlike Mozilla (though they have done some research on ML, I have not seen such progress on anti-tracking features), but even eliminating stockpiling of tracking data by everyone smaller than government-sponsored orgs should be beneficial. |
If they had them, there would be no sense to do this activity. If they wanted money, they already had them. If they wanted power, it would be much easier to take over the world by buying whole states and then passing draconian laws. In reality every party has limited resources.
It's definitely true.
Let's analyse the section.
It's false dichotomy, they can be combined.
It is both true and false. Measurement of features and their randomization should be done separately. One measurement to evaluate if the features are fingerprintable, another one is to evaluate if the simulator model is fingerprintable. For the purpose of measurement randomization should be disableable.
As I have said. It may be tricky to implement, but it doesn't mean it is useless.
Definitely it is not, we need BOTH.
This is true.
It's true.
It's also true, but is not about randomization. It should be done in order to unify the stuff. For example we need TCP stack to be unified. If it is unsuitable to unify it on kernel level, a userland tcp stack should be used.
It's the price. When one unifies the stuff, the same issues arise.
It's again true, but it doesn't address the 2 facts
|
Yes, per first-party webapp. Webapp is determined by cookies sharing and CORS. Each webapp gets a separate identity cleared "when cookies are cleared". Then each instance of youtube gets a different fingerprint. Each fingerprint is unlinkable to each other, because of different cookies sets. Of course there is a problem with IP address, so Tor should be used.
If one keeps cookies between sessions, he is tracked.
new VPN will be linked to your new identity. It still will be since cookies are kept.
Everything discussed was for PB mode. For non-PB mode there are cookies.
Even if pinning has failed, from the website PoV it would look as if a user has changed their browser. Not within a session, but each sign-in. (BTW, I constantly get messages from the services that I have changed my browser, it may mean that RFP already incorporates some randomization). |
IMHO not a problem, since a fake fingerprint is useless for linking profiles.
Are there any papers where the lies were generated by a neural net? |
OK thanks for the feedback regarding the toolbar. I've now disabled it and regarding the fonts I had in my overrides the following user_pref("browser.display.use_document_fonts", 1); If I disable the above overrides and just use what's in the user.js file I now get the following |
snip