Project

General

Profile

Actions

Feature #236

open

Spoof WebGL fingerprint hash

Added by Soren Stoutner over 6 years ago. Updated 10 months ago.

Status:
New
Priority:
4.x
Start date:
12/25/2017
Due date:
% Done:

0%

Estimated time:

Description

Makes browser fingerprinting more difficult.

https://panopticlick.eff.org.

Actions #1

Updated by ask low 10 months ago

Strange. The above fingerprinting test site just does not work here. It throws error, that my browser does not support WebGL.

Actions #2

Updated by ask low 10 months ago

Is this supposed to be a privacy enhancement feature?
I use bromite webview, and it seems like [bromite fingerprint test](https://www.bromite.org/detect) gives different fingerprint each time...

Actions #3

Updated by Soren Stoutner 10 months ago

The resource has been renamed to https://coveryourtracks.eff.org, but the old URL should redirect.

WebGL requires JavaScript, so if it is disabled then the WebGL test will return no information.

Bromite has some fingerprint randomization defenses.

Actions #4

Updated by ask low 10 months ago

https://coveryourtracks.eff.org redirects multiple times to https://firstpartysimulator.org/kcarter-nojs & then net::ERR_CONNECTION_REFUSED
Strange.

Actions #5

Updated by v ... 10 months ago

I had an net::ERR_NAME_NOT_RESOLVED when redirected to https://trackersimulator.org/kcarter-reporting-nojs, because of my local proxy filtering the requests. So when I deactivated it, it was OK.

Actions #6

Updated by v ... 10 months ago

@ask low, maybe it's a similar issue in your case.

Actions #7

Updated by Soren Stoutner 10 months ago

When you run the test, if you leave the "Test with a real tracking company?" option selected, then it will redirect to https://firstpartysimulator.org during the testing. To see what the results are with JavaScript enabled, you need to make sure it is enabled for both domains.

Actions #8

Updated by ask low 10 months ago

I think fingerprinting can also be done even without scripting support. Not sure why these tracking test models ask it...

Actions #9

Updated by Soren Stoutner 10 months ago

The vast majority of accurate fingerprinting requires JavaScript. They can get a little bit of fingerprinting information without it, but often not enough to uniquely identify you, especially as you move between IP addresses.

That is one of the reasons why JavaScript is more dangerous to your privacy than all other internet technologies combined.

Actions #10

Updated by ask low 10 months ago

Is it theoretically possible to containerize js parsing locally ?
This'll sound cheezy. As you mentioned spoofing WebGL fp hash in this tracker, is the same possible with spoofing js, thereby getting the content without even enabling js...

Actions #11

Updated by Soren Stoutner 10 months ago

I am not sure I understand the question. It would be fairly easy to containerize the parsing of JavaScript, but the parsing of it isn't generally the problem. The issue is the execution of JavaScript, which you couldn't effectively containerize without breaking the functionality, at which point it would effectively be the same as disabling it.

On this topic, you might be interested in Feature #270: Fine grained JavaScript controls.

Actions

Also available in: Atom PDF