How to to stop browser fingerprinting and tracking?

LDogg

Level 33
Verified
Top Poster
Well-known
May 4, 2018
2,261
Except for CanvasBlocker (for FF) do the rest of the fingerprint blockers passed the test of preventing the original fingerprint from being exposed? Test is below

Test

It did work on it yep! Atm I have it disabled when using it for online banking.

~LDogg
 

Yellowing

Level 5
Verified
Jun 7, 2018
221
Except for CanvasBlocker (for FF) do the rest of the fingerprint blockers passed the test of preventing the original fingerprint from being exposed? Test is below

Test
It did work on it yep! Atm I have it disabled when using it for online banking.

~LDogg
Oh, now it is green for me too! :cool: But I only changed one thing: WebAPI Manager. But the Manager has nothing to do with it, I can deactivate it and it's stil green. Then ... Oh I also have Nano-defender now. But that is also not the culprit.
I'm at al loss why it's working, but its fine :)
 

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,605
Is there any way to stop fingerprint on edge browser?
 

Yellowing

Level 5
Verified
Jun 7, 2018
221
You need to press a couple of times to see it turn RED if you randomize your fingerprint
Oh, you're right. :( Damn. OK, I give up and let the fingerprint be consistent, yet somehow faked and not connected to "me". :D I don't know how that works. :D
This means: Deactivating CanvasDefender = forever green. (I tested it. Even more proof that nano Defender has something to do with it being green all of a sudden)
CanvasDefender was more of a hassle anyway: It's whitelisting function is under too many steps and it broke many websites without signifying it.

... I think I should test why it is suddenly green:
Ok, I ruled out CanvasDefender, ScriptSafe, uBlock Origin, Random User Agent, all other extensions, ... nano defender ... Oh come on! :D
I deactivate every extension and it is green? What is this web site testing? That I have a consistent fingerprint? :D Great, I don't think this is what we want at all. :giggle:

Code:
context API not blocked
fingerprint consistent (f....) -> good!
BTW that page has a couple more tests: https://canvasblocker.kkapsner.de/test/
 
Last edited:

Yellowing

Level 5
Verified
Jun 7, 2018
221
Ok... so how does that page work?
First it creates one fingerprint: Tue Jul 17 2018 23:41:30 GMT+0200 (Central European Summer Time) "starting first fingerprint"
And "one second" later it creates another one: Tue Jul 17 2018 23:41:31 GMT+0200 (Central European Summer Time) "starting second fingerprint"
This is the function it uses to make fingerprints:
JavaScript:
function fingerPrint(){
            "use strict";var canvas = document.createElement("canvas");
            canvas.setAttribute("width", 220);
            canvas.setAttribute("height", 30);
         
            var fp_text = "BrowserLeaks,com <canvas> 10";
         
            var ctx = canvas.getContext("2d");
            ctx.textBaseline = "top";
            ctx.font = "14px 'Arial'";
            ctx.textBaseline = "alphabetic";
            ctx.fillStyle = "#f60";
            ctx.fillRect(125, 1, 62, 20);
            ctx.fillStyle = "#069";
            ctx.fillText(fp_text, 2, 15);
            ctx.fillStyle = "rgba(102, 204, 0, 07)";
            ctx.fillText(fp_text, 4, 17);
         
            return canvas.toDataURL();
        }
That gives a string such as this "data:image/png;base64,[6,029 random chars]" and you can see the picture that this huge string represents here: Test (Because it's a PNG)
The first fingerprint is created:
JavaScript:
try {
            var firstFingerprint = fingerPrint();
        }
Then "window.setTimeout()" calls a function after 500ms. This one, explained below:
JavaScript:
window.setTimeout(function(){
                console.log(new Date(), "starting second fingerprint");
                document.body.appendChild(document.createElement("br"));
                var secondFingerprint = fingerPrint();
                if (firstFingerprint === secondFingerprint){
                    hash(firstFingerprint).then(function(hash){
                        document.body.appendChild(document.createTextNode("fingerprint consistent (" + hash + ") -> good!"));
                        document.body.style.backgroundColor = "green";
                    });
                }
                else {
                    Promise.all([hash(firstFingerprint), hash(secondFingerprint)]).then(function(hashes){
                        document.body.appendChild(document.createTextNode("fingerprint not consistent (" + hashes[0] + " != " + hashes[1] + ") -> very bad! (potential fingerprint leak)"));
                        document.body.style.backgroundColor = "red";
                    });
                }
            }, 500);
That happens: document.body.appendChild(document.createElement("br")) (I assume this creates an element, a brake-line, and appends it to the body of the HTML, after the text that has been written to it in the header.)
Then the second fingerprint is created: var secondFingerprint = fingerPrint(); (After the 500ms)
Some if-statements check if the two fingerprints are equal or not. In both cases, those huge fingerprint-strings are hashed with Sha256 to make them smaller:
JavaScript:
function hash(url){
            var buffer = new TextEncoder("utf-8").encode(url);
            return crypto.subtle.digest("SHA-256", buffer).then(function(hash){
                var chunks = [];
                (new Uint32Array(hash)).forEach(function(num){
                    chunks.push(num.toString(16));
                });
                return chunks.map(function(chunk){
                    return "0".repeat(8 - chunk.length) + chunk;
                }).join("");
            });
        }
Then the results of the if statements are added to the body of the HTML and the background color is changed accordingly.
After this step you see that page.

So... why is the second fingerprint different? I have not the slightest idea.
The fingerprint-function is called two times, both calls are identical. The only difference is the time since page-load, with the second fingerprint being 500ms late.
Then how can it be that sometimes the fingerprints are different and sometimes not? I can only assume that after the first fingerprint, that is done in the header, some extensions add their own scripts to change the sites behavior, and this changes the second fingerprint, that is done in the body.

Can someone confirm? I'm not a programmer. I could be wrong. :)
 
Last edited:

Yellowing

Level 5
Verified
Jun 7, 2018
221
Looking at this page I linked before Test and playing with my extensions, I am never able to get rid of my true fingerprint under "iFrame Test 3 - violating SOP".
My "true fingerprint" is the one I always see when I look at the page without extensions on.

Not even with all three extensions (ScriptSafe, Canvas Defender and WebAPI Manager) configured to stop or modify canvas fingerprints can I get rid of this one!

I am certain we should test our Canvas fingerprint with this page Test and the "old one" Test
Because,
- to pass this test you must not have more than one fingerprint, meaning the page should show you four fingerprints that are identical, but they should also be different from your true one.
- Also the fingerprint should change after a certain time or because of a certain event. (Making it hard to track you)
- You should not see any attempts blocked. (Like you, hiding under a blanket in a group of people)
- If you have two or more different fingerprints you'll stand out. (Like hiding under a blanket, but it has your favourite color)
- If it never changes you'll always have the same fingerprint. (figures) That is just as good as your true one. (You're just hiding under a blanket with a unique QR-code on it, and you cut holes in it so you never have to take it off.)

Together with the old one we can see that even when all four are identical, you can still be seen as someone who blocks fingerprinting, because the created PNG might not be correct or whatever :)


Extensions for Chrome that say to hide your fingerprint and/or fake it:
ScriptSafe:
Every canvas fingerprint blocking setting has it's own problem: Random readout does create such random prints that there is no consistency at all between the four trials, and they're not even correct - meaning they don't produce the right-looking PNG. Blank readout does what it sounds like, but because the fourth fingerprint is always your true one, this doesn't work either. Block readout also blocks only the first three.
Canvas Defender:
Can only change the first fingerprint. All other three times one is created it fails and shows your true one.
WebAPI Manager:
Does have a setting for it, but it does not work in this case. (Maybe any)
Canvas Fingerprint Defender:
Does only change the first two, and they are different from each other.
CanvasFingerprintBlock:
Does change all four! Yay! However it has bad reviews for breaking pages and it also does not appear to change it's faked fingerprint at anytime. Still the best so far! BUT: It fails the old test, showing as "context API blocked".
StopFingerprinting:
Does not change any at all.
Don't FingerPrint Me:
Does not change any at all. AFAIK only shows you the fingerprinting attempts in chromes developer menu thing.
Chameleon: (Not in Chrome webstore!) ghostwords/chameleonhttps://github.com/ghostwords/chameleon
Does not yet protect from fingerprinting.



Winner so far: CanvasFingerprintBlock! For actually blocking all four fingerprint attempts. Yet, it is not perfect.
CanvasFingerprintBlock
 
Last edited:

Yellowing

Level 5
Verified
Jun 7, 2018
221
@Yellowing

Like I mentioned only CanvasBlocker (FF) pass the test. All other extensions from FF/Chrome failed. The purpose of the test is to see whether the original fingerprint can be extracted.
Yes, but this extension is not available for Chrome. :cry:
Still: If you pass the test you did, the "old one", it could very well be any fingerprint. It only checks if both fingerprints are identical, nothing else. It could still be your true one. Infact you pass it with stock-chrome.
Please make the test with the four fingerprints. They are all done using different methods. It should show you four identical fingerprints and four pictures. Yet, if you visit the page without Canvas Blocker, you should see four different fingerprints with pictures.
Also your Canvas Blocker-fingerprint should change at some time or else it is useless.. :(
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,027
Yes, but this extension is not available for Chrome. :cry:
Still: If you pass the test you did, the "old one", it could very well be any fingerprint. It only checks if both fingerprints are identical, nothing else. It could still be your true one. Infact you pass it with stock-chrome.
Please make the test with the four fingerprints. They are all done using different methods. It should show you four identical fingerprints and four pictures. Yet, if you visit the page without Canvas Blocker, you should see four different fingerprints with pictures.
Also your Canvas Blocker-fingerprint should change at some time or else it is useless.. :(
Yes, but this extension is not available for Chrome. :cry:
Still: If you pass the test you did, the "old one", it could very well be any fingerprint. It only checks if both fingerprints are identical, nothing else. It could still be your true one. Infact you pass it with stock-chrome.
Please make the test with the four fingerprints. They are all done using different methods. It should show you four identical fingerprints and four pictures. Yet, if you visit the page without Canvas Blocker, you should see four different fingerprints with pictures.
Also your Canvas Blocker-fingerprint should change at some time or else it is useless.. :(

FYI, if you run the old test the hash changes with each test. This means it's not the same as your original fingerprint

Ok, so I disabled the canvas fingerprint feature in CanvasBlocker, Trace and ScriptSafe and ran the new test Test and my original fingerprint is

Hash: 6a3ba41271e380061312702a1e72e4ed6fe84944ec984d9005b8db60860184a3

The test shows TRUE for the 4 tests with the same original fingerprint

Then I enabled CanvaBlocker and re-ran the new test. The result with the same fingerprint is

Hash: a8af02e8c5f67eb9a37fbda9ab673dcbaea11dc07ca82992ad4ea8880d75151f

which is different from my original as expected since CanvasBlocker fakes a consistent readout. However, the last test iFrame Test 3 - violating SOP shows a False. At any rate when I carried out the test a few times the True and False for the 4 tests changes but the Hash remains consistently (same) for the 4 tests but different with each test

BTW, what picture are you referring to?

Here's one more test to detect the presence of your canvas blocker

Detection test
 
Last edited:

Yellowing

Level 5
Verified
Jun 7, 2018
221
These pictures, the PNGs your browser creates in the canvas test:
download.png


EDIT: Actually I am not using this extension. (CanvasFingerprintBlock) It breaks too much and it has no whitelist feature, making it too hard to use. Unfortunately that makes it: Zero useful extensions for Chrome.
 
Last edited:
  • Like
Reactions: HarborFront

Yellowing

Level 5
Verified
Jun 7, 2018
221
I see you are a Content Creator :unsure:. I assume that means you program tools? Could you do an extension for Chrome? :ROFLMAO:
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,027
These pictures, the PNGs your browser creates in the canvas test:
View attachment 192766

EDIT: Actually I am not using this extension. (CanvasFingerprintBlock) It breaks too much and it has no whitelist feature, making it too hard to use. Unfortunately that makes it: Zero useful extensions for Chrome.
Yes, currently there's no Chrome/FF extension or canvas feature in an extension that can perform as well as CanvasBlocker for FF

As for Chrome just use any canvas fingerprint extension or feature in an extension will do.....for the moment
 

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,605
CanvasFingerprintBlock makes malwaretips.com too buggy

gonna keep using canvas defender + privacy possum on chromium based browser, untill something better pops up
 
  • Like
Reactions: Rebsat

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top