Is Tracking Protection really useful? [Discussion]

oldschool

Level 81
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,043
I just read this article, poached from Wilders: Browser Fingerprinting: An Introduction and the Challenges Ahead | Tor Blog . So I started to re-think this subject after recently testing different forms of tracking protection. The most interesting point raised by the author is that it may be best to use no tracking protection of any kind.

"...
3. Today, there is no ultimate solution to fix browser fingerprinting. As its origin is rooted in the beginning of the internet, there is no single patch that can fix it for good. And as such, designing defenses is hard. A lot of approaches have been tried and evaluated over the years with each their strengths and weakness. Examples include blocking attributes, introducing noise, modifying values, or increasing fingerprint diversity. However, one important observation that has been made is that sometimes having no specific defense is better than having one. Some solutions, because of the way they were designed or coded, remove some fingerprinting vectors but introduce some artifacts or inconsistencies in the collected fingerprints. (my italics)
For example, imagine a browser extension that changes the value of fingerprints before they are sent.
Everything works perfectly except the fact that the developer forgot to override the navigator.platform value. Because of this, the user-agent may say that the browser is running on Windows whereas the platform still indicates it is on a Linux system. This creates a fingerprint that is not supposed to exist in reality and, as such, make the user more visible online. It is what Eckersley [1] called the “Paradox of Fingerprintable Privacy Enhancing Technologies.” By wanting to increase online privacy, you install extensions that in the end make you even more visible than before. ..."

I've done some very initial testing at AmIUnique.org and my experience verifies this conclusion. However, I'll continue informal testing at other sites and to ponder the implications and how best to combat fingerprinting with available technology. Some may disagree but I believe privacy protection is part and parcel of web security.

What do you think about browser fingerprinting and tracking generally? If you use tracking protection, what form do you use? Specific browser? Extensions? VPN or other? Let me know your thoughts.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
A VPN only changes your IP address. Yes, some providers do have other content protection features but I doubt they are effective. Some browsers offer tracking/coin mining protection but I would suggest using uBO/uMatrix with selected filters for more effective protection. Those offered by the browsers are more for the common users.

As for fingerprinting I don't think a VPN can protect you against them. It's a browser issue. Correct me if I'm wrong on this.

It's also true that using extensions to avoid fingerprints can create other problems as the extension(s) themselves are sometimes not well coded. But bear in mind that there's NO single extension which can help to avoid all types of fingerprints.

Fingerprints come in many forms. ScriptSafe/Trace extensions protect against a wide variety of fingerprints. Note that some features are not effective against some testing sites.

You can use hardware device with built-in tracking/fingerprinting protection or use software/filters/extensions in your computer.

Complementing the above with a VM and the use of TOR browser will help greatly

To summarize. IMO if you value your privacy then protection against tracking/fingerprinting/data stealers is important
 
Last edited:

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,730
Honestly I do value my privacy and have been down this road. However, it seems all the work it takes to obfuscate your internet use draws more attention than less. But, then again, I don’t think the mega corps care about the privacy nerds huddled in the corner either (me included). The sad truth is the corps don’t care about individuals, they care about target demographics and dollars. We aren’t people to them. Which is a relief on some level. I just use uBo and privacy badger, and privacy protection on mobile browsers. But I also don’t think they are fooling anyone really.
 

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,602
Firefox = security browser kind & still webrtc will leak your local ip by default
Firefox = fingeprint protectionis next to nothing, unless you enable resist.fingerprintall from about:config and that will break some sites completely

With firefox you need to live with broken sites, if you enable most of about:configs, or either need extensions for anti-fingerprint + other tracking extensions (trace)

On chromium browsers, ublock origin will do everything = block ads, hide cookie banners, block tracking/domains with malicious stuff, chromium browsers wont leak webrtc by default and only problem is just header/fingerprint protection wich is achievable with trace extension

Tracking protection browsers offer, blocking 3rd party cookies is only one thats worth using, ublock origin does the rest, yet you can set-up chrome :/flag to block downloads over insecure connections and set-up ask where to safe while to avoid anykind of driveby download

Ublock origin is pretty much all you need, no need to bloat browser with such anti-tracking extensions
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
On chromium browsers, ublock origin will do everything = block ads, hide cookie banners, block tracking/domains with malicious stuff
This line is kind of misleading. You made it sound like uBlock Origin does this only on Chromium browsers. I'm sure that's not what you meant. uBlock Origin actually works better on Firefox.
chromium browsers wont leak webrtc by default
But every webrtc leak test is showing my ip address. On Firefox I can completely disable webrtc as I don't need it. I don't know if there's such option in Chromium.
 
P

Pkjfkknm

I just read this article, poached from Wilders: Browser Fingerprinting: An Introduction and the Challenges Ahead | Tor Blog . So I started to re-think this subject after recently testing different forms of tracking protection. The most interesting point raised by the author is that it may be best to use no tracking protection of any kind.

"...
3. Today, there is no ultimate solution to fix browser fingerprinting. As its origin is rooted in the beginning of the internet, there is no single patch that can fix it for good. And as such, designing defenses is hard. A lot of approaches have been tried and evaluated over the years with each their strengths and weakness. Examples include blocking attributes, introducing noise, modifying values, or increasing fingerprint diversity. However, one important observation that has been made is that sometimes having no specific defense is better than having one. Some solutions, because of the way they were designed or coded, remove some fingerprinting vectors but introduce some artifacts or inconsistencies in the collected fingerprints. (my italics)
For example, imagine a browser extension that changes the value of fingerprints before they are sent.
Everything works perfectly except the fact that the developer forgot to override the navigator.platform value. Because of this, the user-agent may say that the browser is running on Windows whereas the platform still indicates it is on a Linux system. This creates a fingerprint that is not supposed to exist in reality and, as such, make the user more visible online. It is what Eckersley [1] called the “Paradox of Fingerprintable Privacy Enhancing Technologies.” By wanting to increase online privacy, you install extensions that in the end make you even more visible than before. ..."

I've done some very initial testing at AmIUnique.org and my experience verifies this conclusion. However, I'll continue informal testing at other sites and to ponder the implications and how best to combat fingerprinting with available technology. Some may disagree but I believe privacy protection is part and parcel of web security.

What do you think about browser fingerprinting and tracking generally? If you use tracking protection, what form do you use? Specific browser? Extensions? VPN or other? Let me know your thoughts.

useful only if you control all data from start
you have digital footprint from day born
all of it out of your control
much of it easy access to all
all efforts to remain hidden thus fruitless
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
The most interesting point raised by the author is that it may be best to use no tracking protection of any kind.
I would not say none, but basic to get rid of the most obvious ones, but lets not push it, like canvas and such. Otherwise you might end up like this:

download.jpg



Anyone, who wants the real privacy, will use VPN or Tails and will not rely just on extensions, because they ultimately fail on the browser itself.

ScriptSafe/Trace extensions protect against a wide variety of fingerprints.
True, like tracking the mouse movement, that is almost as unique as the real fingerprint itself. The way people move mouse while browsing.

If you use tracking protection, what form do you use?
1. DNScrypt within the browser, that is pretty much basics for privacy and security. It is not as good as VPN, but it is better than nothing.
2. Blocking port 80 to make sure, webpages will not open resources, which could be easily tracked by ISP, not to mention security as well.
3. Adguard to block an excessive tracking, it can slow down browsing and to block referrers to avoid webpages knowing, where I came from.
4. Cookie-Autodelete to remove first/third party cookies, blocking them cripples some webpages, so they are allowed, but removed ASAP.

What do you think about browser fingerprinting and tracking generally?
As far as the internet is concerned, I am not unique at all, I am average, even bellow average. I use the same name and username, all over the place, sometimes even the password. My FB is linked to steam, which is linked to Discord, etc, so I am not sticking out too much. Of course, I do not post my personal details, like the real date of birth, address or phone, but you can freely see, what I like, so can buy me my favorite drink. :D
 

Attachments

  • capture_09052019_124930.jpg
    capture_09052019_124930.jpg
    270.4 KB · Views: 251

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Honestly I have no idea how effective is my tracking protection because I block ads too. Currently I am using Privacy badger for tracking protection and uBlock Origin for my ad blocking. I am also currently on firefox and I use firefox containers to separate my social media from my normal browsing (although I'm not sure how effective they are and if they work like that).
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
Btw, this is based on EasyList & EasyPrivacy only. Advanced/semi advanced users should add some other filters too. uBlock Origin in medium mode/uMatrix/NoScript helps a lot too.
True, but it represents the majority of people using ad blocking software.

Yes, the bottom line is governments need to take action - but how much hope is there when so many are in debt to the same companies?
I for one have very little hope. Even if we our respective governments suddenly became benign and decided to act in the public interest by taking action against these companies, they've consistently proven themselves to be wholly incompetent and I wouldn't trust them to draft legislation that isn't filled with loopholes and/or wouldn't be subject to corporate pressure to have any such legislation weakened or repealed.
 

oldschool

Level 81
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,043
Some of the info I found recently that I thought I'd share since I've had a little CoronaTime on my hands. First is this article:

Thought your canvas fingerprint blocker made you incognito? Think again.

As many know, canvas fingerprinting is the most recent development in web tracking. In the past, the easiest way to prevent web tracking was to block out the method of tracking entirely. For example, to prevent cookie tracking, you simply disable cookies in your browser.
But when it comes to canvas fingerprinting, things are not so cut-and-dry. Believe it or not, using a canvas fingerprint blocker can make you more trackable than if you weren’t using one. That statement defies common sense, but it’s true.
To understand why it is so, we must, first, explore canvas fingerprinting as a whole and how it works. Then we tackle canvas fingerprint blockers and why they don’t work. To conclude, we’ll cover the only modern and viable method that does work to stop canvas fingerprint tracking.
If you value your privacy and are currently using a canvas fingerprint blocker, this is must-know information for 2016.

Canvas fingerprint blocking tactics – and why they don’t work
There are two primary ways to block canvas fingerprinting. Each one is equally ineffective.

Preventing canvas fingerprinting entirely
Your first instinct is probably to grab a browser extension that prevents the canvas image from loading. If it doesn’t load, they can’t track you – right?
Wrong. Preventing the canvas image from loading is an identifier in itself. Although the canvas fingerprint will not be sent, the fact that you did not load the canvas image will be. So, you will be sorted into a very small group of tech-savvy users who are also blocking fingerprints. From there, sometimes your ordinary fingerprints will be enough to identify you completely.
To visualize how this works, imagine you are standing in a crowd. Not caring about canvas fingerprinting is like you’re just standing there smiling. Having a canvas fingerprint blocker is like you’re standing there with a mask. No one is sure who you are exactly, but you’re the only one wearing a mask so you can be identified like that. Even if a few other people are wearing masks, you all are simply grouped as “the people wearing masks”.
If everyone were to use canvas fingerprint blockers (or wear masks, as in our example), they would be effective. But as it stands, almost no one uses canvas fingerprint blockers. Heck, it’s estimated that only 5% to 10% of web users utilize an ad blocker. The percentage of canvas fingerprint blockers must be a small fraction of that, and that’s not a big enough group to blend into – far from it.

Submitting random canvas fingerprints
Using different fingerprints for every request doesn’t work for the same reason as submitting no fingerprint at all. Any regular visitor will not change his fingerprint during a session. So, if you change your fingerprint during a session, that behavior is unusual, and it’s enough to categorize you into an irregular group.
In our example, submitting random canvas fingerprint is like changing the outfit you wear every 10 seconds. On the first request, you look normal. But if you change your outfit 10 seconds later on the second request, even though you’re not wearing a mask, you still make yourself stand out. Normal people don’t change their outfits throughout the day or use different canvas fingerprint identities in a single session.

The only viable solution that exists
Most web users don’t want or need to go to the trouble of blocking canvas fingerprinting technology. If you are an experienced web user who values his or her privacy above all, there is a way. Here’s how:
  • Make the canvas fingerprinting function available on the websites you visit. (So it’s not clear you are wearing a mask.)
  • Use a canvas identity with consistency. (So it’s not clear you are trying to avoid detection.)
  • Switch up the identity when necessary. (To erase your tracks.)
You are still being tracked – that’s unavoidable. But you control the tracking. When you change your fingerprint, you destroy any evidence of your browsing history on the other fingerprint. You wipe the slate clean. And because you used the old fingerprint with consistency, you have not been sorted into an irregular group and tracked like that. No one can recognize that you wiped the slate clean in the first place.
Whew! We hope you stuck with us through that lengthy explanation. Canvas fingerprinting is on the rise, and “blockers” or “random submitters” will not keep you safe – in fact, they will make you more easily trackable. And now you know why.

Note: Source for the above is How Canvas Fingerprint Blockers Make You Easily Trackable - Multilogin

A couple of other useful links for the tracki,ng curious user:
Are You Trackable?
Aloodo: help people get protection from web tracking

Remember: Keep it light, keep it right and enjoy! (y)(y)
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
To be effective canvas fingerprint blocker needs to fulfil the followings

1) To hide/fake/randomize the fingerprint
2) Not to expose its own(real) fingerprint

The 2nd one is difficult to achieve. So far I know CanvasBlocker for FF is the only one that can achieve both especially the 2nd one. There are some tests at github that can test for the 2nd one

Some discussions here on canvas fingerprint 2 yrs back

 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top