Meet the Online Tracking Device That is Virtually Impossible to Block

Discussion in 'privacy problems' started by ronjor, Jul 21, 2014.

Thread Status:
Not open for further replies.
  1. dewilder

    dewilder Registered Member

    Joined:
    Jun 20, 2013
    Posts:
    10
    Is there a Proxomitron for osx to use these rules?

    By the way, Chromium with HTTPS Everywhere tells me that: www.wilderssecurity.com presented a certificate issued by an entity that is not trusted by your computer's operating system .... Your connection is not private ... what nonsense.

    This morning I don't have this advice :(
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not familiar with OSX. On Linux, Proxomitron can be run via Wine. If something similar exists for OSX, it's entirely possible.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,902
    Location:
    Slovenia, EU
    Wilders is using a self-signed certificate. You need to add it to the certificate store manually. More here: https://www.wilderssecurity.com/thr...new-self-signed-certificate-installed.362478/
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    It seems highly unlikely that a MAC address change would affect the way something is graphically rendered and read back via canvas.

    Were one to see something like that I think some investigation would be in order. MAC Addresses are unique identifiers that can leave a device during everyday use and which are probably recorded in purchase records. So they are a somewhat attractive piece of information to try to grab and use for correlating data. I don't know how practical it would be, but theoretically speaking, one's MAC Address could be embedded within visually imperceptible digital watermarks when a device renders things. The objective being to make images produced via a user's device back-trackable to that device and related records. That would have the potential to affect canvas based fingerprinting results.

    One thing I haven't come across is a test where canvas based fingerprinting is performed on a number of identical systems. Done by, for example, an IT person who has just received a combined order of N machines of the same exact type and configuration. It would be interesting to know how similar the results are when there are no (known) hardware, software, firmware, microcode, etc. differences.
     
  6. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    Canvas Fingerprinting Takes Web Tracking Up a Notch
    http://www.pcmag.com/article2/0,2817,2461357,00.asp
     
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  8. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    This is the biggest problem. You almost need a different VM for everything you do online.
     
  9. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    And the websites just recode to make it impossible to use such a thing as NoScript.
    If you want to use their site, you have to accept their spying.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Indeed :)

    But you can use a VM, and associated connectivity path, for multiple things that can safely be linked.
     
  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Yes. I have different identities and personalities on the internet. Not a lot, but a few. You could use a different VM for each personality.
     
  12. Holysmoke

    Holysmoke Registered Member

    Joined:
    Jun 29, 2014
    Posts:
    139
    This would appear to defeat the use of a VPN. If you used the browser in the clear then went on your VPN to the same sites, you are revealed.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Has anybody checked if using separate virtual systems on the same hardware actually changes what a fingerprinting method like canvas detects? The virtual systems are still using the same physical hardware and often the same virtualized hardware. Does the use of different operating systems and/or browsers change it enough to hide the fact that it's the same hardware?
    When the design of a website makes it clear that tracking, spying, and identifying you is their priority, why would you choose to use that site?
     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I thought we already came to the conclusion that this is blockable. No idea why people are taking it to extremes like VMs, or why this thread is still going really. :D
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Well, here's a tinker I threw together to privately test a couple of things. It performs the same fingerprinting operation on two canvases (one visible, one not visible) and compares the results. You can save it as a local HTML file and play around with it (without having to test against someone else's server).
    Code:
    <!doctype html>
    <html>
    <head>
    <meta charset="utf-8">
    <title>Canvas Fingerprinting Test</title>
    <style type="text/css">
    canvas {
      border: 2px solid red !important;
    }
    textarea {height:100px; width:300px;}
    </style>
    <script type="text/javascript">
    function modifyAndReadCanvas(canvas) {
      // Ref: http://www.browserleaks.com/canvas
      var rs = "Not Supported";
      if(canvas.getContext) {
        var ctx = canvas.getContext('2d');
        if(ctx) {
          var txt = '@/d#p$Z% aQ0+rh;fK9B T&7*o_{ xU3E.h]Ov';
          ctx.textBaseline = "top";
          ctx.font = "14px 'Arial'";
          ctx.textBaseline = "alphabetic";
          ctx.fillStyle = "#f60";
          ctx.fillRect(125,1,62,20);
          ctx.fillStyle = "#069";
          ctx.fillText(txt, 2, 15);
          ctx.fillStyle = "rgba(102, 204, 0, 0.7)";
          ctx.fillText(txt, 4, 17);
          rs = canvas.toDataURL().replace("data:image/png;base64,","");
        }
      }
      return(rs);
    }
    
    function getHash1(str) {
      // djb2 from:
      // http://erlycoder.com/49/javascript-hash-functions-to-convert-string-into-integer-hash-
      var hash = 5381;
      for (var i = 0; i < str.length; i++) {
        var c = str.charCodeAt(i); // declared locally instead of leaking an implicit global
        hash = ((hash << 5) + hash) + c; /* hash * 33 + c */
      }
      return hash;
    }
    
    function getHash2(str) {
      // FNV-1a from:
      // https://gist.github.com/vaiorabbit/5657561
      var FNV1_32A_INIT = 0x811c9dc5;
      var hval = FNV1_32A_INIT;
      for ( var i = 0; i < str.length; ++i )
      {
        hval ^= str.charCodeAt(i);
        hval += (hval << 1) + (hval << 4) + (hval << 7) + (hval << 8) + (hval << 24);
      }
      return hval >>> 0;
    }
    
    function getHash(str) {
      return (getHash1(str).toString() + "__" + getHash2(str).toString());
    }
    </script>
    </head>
    <body>
    <div id="c1Holder"><canvas id="c1"></canvas></div>
    <div>Canvas1 Data:</div>
    <div><textarea id="ta1"></textarea></div>
    <div>Canvas2 Data:</div>
    <div><textarea id="ta2"></textarea></div>
    <script type="text/javascript">
    var c1Data = modifyAndReadCanvas(document.getElementById("c1"));
    var c2Data = modifyAndReadCanvas(document.createElement('canvas'));
    if((c1Data != "Not Supported") && (c2Data != "Not Supported")) {
      if((c1Data == c2Data))
        document.write("Canvas1 Data is identical to Canvas2 Data<br /><br />");
      else document.write("Canvas1 Data is NOT identical to Canvas2 Data<br /><br />");
      document.getElementById("ta1").value = c1Data;
      document.getElementById("ta2").value = c2Data;
      document.write("Canvas1 Hash: " + getHash(c1Data) + "<br />");
      document.write("Canvas2 Hash: " + getHash(c2Data) + "<br />");
    }
    else {
      document.write("Canvas method(s) not supported<br />");
    }
    </script>
    <noscript>
    This test page requires javascript
    </noscript>
    </body>
    </html>
    
    Edit: modified to dump canvas data
     
    Last edited: Aug 8, 2014
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's why using multiple VMs is prudent. Even as a backup, in case ...
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    So does this code implement a "real world" sort of test? Like AddThis is doing, I mean.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I've checked http://www.browserleaks.com/canvas from a few VMs on this VirtualBox host. Two Ubuntu VMs with Firefox (one 12.4 and the other 14.4) had the same canvas fingerprint. But two CrunchBang 11 VMs with IceWeasel had different ones (and different from the Ubuntu one). And then there's Tor browser, which is special, because it blocks.
    Well, if it has something that I want, I'll use it. And good luck identifying me, whatever "me" happens to be at the time ;)
     
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I haven't attempted to learn how AddThis was/is fingerprinting. I saw it reported that https://github.com/Valve/fingerprintjs is being used by some sites, saw it was leveraging canvas code published by BrowserLeaks, and decided a derivative of that would be good enough for my purposes as well.

    Were I serious about developing such a thing, I would dig a bit deeper into the subject and try to better understand the variables that cause the canvas data to be different. Perhaps it is possible to tune the canvas manipulations in a way that creates a more reliable fingerprint(?).

    Whatever the approach, the canvas fingerprint (or lack thereof) is just one of N possible pieces of information that can be used to arrive at a final unique identifier. I suspect the secret sauce would be how one goes about weighing those N pieces of information, and even less than ideally reliable pieces of information may combine in ways that are helpful trackers.

    Check out the link above and, if you want, take that code for a spin.
    So what is different?
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I don't know. The site just spits out a string.

    What seems important to me from that test site is that multiple visitors have the same canvas fingerprint code, and different VMs on the same host can have different codes.

    But of course, I don't know how that site's test compares to the AddThis approach.
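
An added illustration (not written by any poster in this thread) of the point made in the two posts above: a canvas hash shared by several visitors identifies little on its own, but combined with other attributes it can shrink each visitor's anonymity set to one. The session rows and the attribute names `canvas`, `screen` and `tz` are constructed sample data, chosen for this example.

```javascript
// Constructed sample: one row per observed browser session (not real data).
const observations = [
  { canvas: "A", screen: "1280x800",  tz: "UTC" },
  { canvas: "A", screen: "1280x800",  tz: "CET" },
  { canvas: "A", screen: "1920x1080", tz: "UTC" },
  { canvas: "A", screen: "1920x1080", tz: "CET" },
  { canvas: "B", screen: "1280x800",  tz: "UTC" },
  { canvas: "B", screen: "1920x1080", tz: "UTC" },
  { canvas: "C", screen: "1280x800",  tz: "UTC" },
  { canvas: "C", screen: "1280x800",  tz: "CET" },
];

// Group sessions by the chosen attributes; value = anonymity-set size.
function anonymitySets(rows, attrs) {
  const sets = new Map();
  for (const row of rows) {
    const key = attrs.map((a) => row[a]).join("|");
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Shannon entropy (bits) of the distribution over attribute combinations.
function entropyBits(rows, attrs) {
  let h = 0;
  for (const n of anonymitySets(rows, attrs).values()) {
    const p = n / rows.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Sessions whose attribute combination nobody else shares.
function uniqueCount(rows, attrs) {
  return [...anonymitySets(rows, attrs).values()].filter((n) => n === 1).length;
}

// One summary line per attribute combination under test.
function report(rows, attrSets) {
  return attrSets.map((attrs) => ({
    attrs: attrs.join("+"),
    bits: entropyBits(rows, attrs),
    unique: uniqueCount(rows, attrs),
  }));
}

console.log(report(observations,
  [["canvas"], ["canvas", "screen"], ["canvas", "screen", "tz"]]));
```

Running the same functions over fingerprints collected from your own VMs or browser profiles shows which of them fall into the same set and which stand out.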
     
  21. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I meant: what is different between those two CrunchBang 11 VMs with IceWeasel. Anything you can think of?
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    One VM doesn't have guest additions installed, and its IceWeasel is totally stock. The other VM does have guest additions, its IceWeasel has Adblock Plus and NoScript, and its display and IceWeasel window are much larger. Both Ubuntu VMs that I tested have guest additions installed.

    It seems likely that guest additions exposes more information about the host's hardware. Also, all of the VMs have PAE/NX, VT-x/AMD-V and nested paging enabled. Maybe I'll run some more tests, looking at the effects of each. I could even use VBoxManage, which exposes many more parameters to tweaking.
     
  23. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    From https://www.virtualbox.org/manual/ch04.html:
    Vanilla video drivers could produce slightly different rendering than custom video drivers supporting hardware acceleration.
     
    Last edited: Aug 9, 2014
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Right, but that's just two options. Maybe guest additions with and without 2D and 3D acceleration would be useful too. The main point, though, is that different guest OS yield different fingerprints, even if both have guest additions installed.
     
  25. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    ... when using a fingerprinting method that doesn't leverage all of the techniques discussed in the "Pixel Perfect: Fingerprinting Canvas in HTML5" and "The Web never forgets: Persistent tracking mechanisms in the wild" papers, anyway. Proceed with caution.
     