New Update JShelter - JavaScript Restrictor

Add-on/Extension Page
https://jshelter.org/
F

ForgottenSeer 92963

The extension does a lot more, just have a look when creating a custom profile. Bluntly blocking XHR requests is stupid, generates to many false positives, probably another block is causing the test to hang (in Edge it just not responding). Could be poor programming in the extension, the test website or Firefox, who knows?
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597
The extension does a lot more, just have a look when creating a custom profile. Bluntly blocking XHR requests is stupid, generates to many false positives, probably another block is causing the test to hang (in Edge it just not responding). Could be poor programming in the extension, the test website or Firefox, who knows?
I know that the extension is doing a lot more, but I am using recommended profile that doesn't have the filtering of XMLHttpRequests enabled, so I can exclude that as an option for the website breakage... Considering that my first link only checks the Audio Fingerprint, it has to be somewhat connected to that setting in the extension. :unsure:
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597
Version 0.6 released:

* New protection: Fingerprint detector, see the blogpost for explanation.
* Physical environment wrapper group added. It contains `Sensor`, `Magnetometer`, `Accelerometer`, `LinearAccelerationSensor`, `GravitySensor` wrappers. Some readings might be inconsistent. `Gyroscope` and `Orientation` sensors will be a part of a future release.
* It is possible to import/export configuration (Github issue #159).
* Improved accessibility of the pop up and option pages.
* Bugfix: Fix double injection of some wrappers. For example, this solves regression in Geolocation wrapper introduced in 0.5.



The new Fingerprint detector does this:
Fingerprinting detection prevents web pages to extract fingerprint of your browser using JavaScript properties. See our blog post or Browser Fingerprinting: A survey for a closer description of browser fingerprinting.

PS: After the new update the extension requires new permissions.
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
Okay, on business travel without laptop (because I needed to use the PC's of the company who contracted me to help with a proposal for a large IT-contract). Yesterday evening I finished the final concept, so I am done to my surprise I have two days left before returning home again. To kill time I looked for a cheap PC and went to an old fashioned radio shack and bought me an Asus transformer (which I used long a long time ago on Windows 8.1). It is slow (only Z3740 CPU with 2 GBRAM). Windows10 does not always recognize the 64GB micro SD card I got with it for free because the accu charger did not work (the charger of my phone worked with a mini-usb to usb-C cable). But for 50 bucks total I can't complain. The guy asked 100 euros, but because charger did not work and pointing device went bananas I got it for 50 euro. It surprises me that everything works (I only had to disable ASUS smart gestures, to get it working decently again). I removed all crap and added Hard_Configurator and hardened Edge Browser site permissions, so security wise I should be fine.

I installed Jshelter to see whether I could get a working custom setup. I was very curious about their XMLHTTPrequest filtering, but it simply does not work correctly. So I added a custom level 4, which is level 3 without the XHR Filtering.

I am also on Edge, so poup panel does not work., I accessed the extensions options by rightclicking on the JShelter icon, this are the settings I used
__________________________

1, Press "ADD CUSTOM LEVEL" button
2. Call it Level 3 without XHR with identifcation 4
3. Choose options as explained in spoilers below
4. Save custom setttings

__________________________




For me, when I set to Level 3 (using the latest v0.6) it prompts each time when I search something in the address bar. See below

1642039746902.png


So your without XHR in Level 4 is out of necessity or because of the constant annoyance? What's the reason for enabling XHR in Level 3 vs without XHR in Level 2..........a kind of security protection? Any issue without XHR?

Thanks
 
Last edited:
F

ForgottenSeer 92963

For me, when I set to Level 3 (using the latest v0.6) it prompts each time when I search something in the address bar. See below

View attachment 263529

So your without XHR in Level 4 is out of necessity or because of the constant annoyance? What's the reason for enabling XHR in Level 3 vs without XHR in Level 2..........a kind of security protection? Any issue without XHR?

Thanks
XMLHTTPrequest, XHR for short and its succesor a 'Fetch' were intended to get data and meta data in one go. XHR can be used for user tracking, but it is heavily used in Ajax (for normal usage, nothing suspicious). So I have really no idea why they included it, when they were not able to recognise 90% of the legit usage of XHR. To compare it with a real world scenario: when walking outside a pigeon can deposit the content of its intestines on you , so every time you walk outside a police offer stops you in your tracks and asks you "are you aware of the pigeons". Annoyance and 'there are bigger fish to catch in the ocean' are the reasons I excluded it from level 3
 
Last edited by a moderator:

Jan Willy

Level 13
Verified
Top Poster
Well-known
Jul 5, 2019
607
XMLHTTPrequest, XHR for short and its succesor a 'Fetch' were intended to get data and meta data in one go. XHR can be used for user tracking, but it is heavily used in Ajax (for normal usage, nothing suspicious). So I have really no idea why they included it, when they were not able to recognise 90% of the legit usage of XHR. To compare it with a real world scenario: when walking outside a pigeon can deposit the content of its intestines on you , so every time you walk outside a police offer stops you in your tracks and asks you "are you aware of the pigeons". Annoyance and 'there are bigger fish to catch in the ocean' are the reasons I excluded it from level 3
You wouldn't also block fetch? Blocking fetch is an option in NoScript, at default not activated.
 
F

ForgottenSeer 92963

You wouldn't also block fetch? Blocking fetch is an option in NoScript, at default not activated.
XHR/fetch purpose is nearly the same, only fetch is a better and newer API (link) When I enable fetch in NoScript it also blocks XHR requests (so NoScript monitors both API's). I think that the developer of NoScript is telling "hey I am more up to date than other script blockers" (like ScriptSafe, ScriptNo, NotScript etc).
 
Last edited by a moderator:

Sunkar

New Member
Jan 14, 2022
7
Hi, I have been working on JShelter project recently. If you have any questions, feel free to ask. For now, project is under development. We are currently working on a brand new GUI, rebranding (JSR to JShelter), and overall user experience. We already addressed many comments from this thread like annoying XHR alerts, confusing settings, random slowdowns and so on. These updates are on the way.

And don't be mistaken, this is not a script-blocking extension like uBlock. JShelter modifies default JS APIs to reduce coverage of possible threats (just like Brave does). It is recommended to use JShelter in conjunction with other ad/script blocking extension. It's just another layer of protection in cases when malicious scripts weren't blocked properly.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597
Hi, I have been working on JShelter project recently. If you have any questions, feel free to ask. For now, project is under development. We are currently working on a brand new GUI, rebranding (JSR to JShelter), and overall user experience. We already addressed many comments from this thread like annoying XHR alerts, confusing settings, random slowdowns and so on. These updates are on the way.

And don't be mistaken, this is not a script-blocking extension like uBlock. JShelter modifies default JS APIs to reduce coverage of possible threats (just like Brave does). It is recommended to use JShelter in conjunction with other ad/script blocking extension. It's just another layer of protection in cases when malicious scripts weren't blocked properly.
Great having you here! It would also be much appreciated if you could update the protection level info page as it shows different descriptions than the actual custom settings within the extension. Can be quite confusing at times. Also, great to hear that you guys are working on a new UI. I think it's definitely needed. 😅
The anti fingerprinting protection could also use some optimization as it literally blocks like 50% of all the pages I try to access. It even blocks all google search results...

Screenshot 2022-01-14 233240.png
 
Last edited:

SpiderWeb

Level 13
Thread author
Verified
Top Poster
Well-known
Aug 21, 2020
609
Time to revisit this extension since I switched from Chrome to Firefox. Might behave differently.

Update: Reinstalled. it's much faster than before. Recommended setting seems to be the best. High settings gives off too many pop ups and breaks too many sites. No discernible difference on Recommended (Level 2). I tested on browserleaks.org and it is giving me all of my true user agent data and a unique fingerprint lol. It doesn't seem to do anything on my end.
 
Last edited:
F

ForgottenSeer 92963

Hi, I have been working on JShelter project recently. If you have any questions, feel free to ask. For now, project is under development. We are currently working on a brand new GUI, rebranding (JSR to JShelter), and overall user experience. We already addressed many comments from this thread like annoying XHR alerts, confusing settings, random slowdowns and so on. These updates are on the way.

And don't be mistaken, this is not a script-blocking extension like uBlock. JShelter modifies default JS APIs to reduce coverage of possible threats (just like Brave does). It is recommended to use JShelter in conjunction with other ad/script blocking extension. It's just another layer of protection in cases when malicious scripts weren't blocked properly.
First of all good to see you are joining this forum. It is one of the best ways to get feedback on security/privacy, thanks for joining (y)

In Dutch we have a saying based on 17th century sailing and trading history which says "the flag should represent the cargo". In branding this translates that the name of the product should represents its purpose/benefits (functional name) or relate to the user/life style group you are targeting (fantasy name).

I have a hard time discovering which assocations you used to come up with a name. When this extension modifies API's to prevent misuse, why did you call the extension "JAVASCRIPT SHELTER" in the first place?


FEATURE REQUEST 1
In stead of randomizing responses, which results in non-existing values making it very easy to fingerprint someone OVER DIFFERENT SESSION when combined with IP/address and/or GEO location, it is much better to hide in the herd.

Because data can be combined from different sources and some data categories are related, it is much better to hide in the herd using realistic most prevalent values than generating random return values. By reducing the precision of some API-results (e.g. time/geo) and providing most common or default values related to OS/rendering engine (chromium based/firefox/Safari)/browser language it is much harder to back track returning users.

FEATURE REQUEST 2
Allowing users to define which API's to block makes no sense, because most users don't know that plug-ins/accepts/navigator data can be combined from the user agent or are related to each other (e.g. geo location, time and language). In 9 out of 10 cases an average home user starts fiddling with these settings that user makes himself more unique and easier to track.

Presets should be based on functionality and risk of website breakage. A better approach would be to offer four levels of protection and allow a user to change this setting for a website: 0 = OFF for trusted websites, 1 = best for compatibility, 2 = balanced, 3 = best for protection

Regards Kees
 
Last edited by a moderator:

SpiderWeb

Level 13
Thread author
Verified
Top Poster
Well-known
Aug 21, 2020
609
Is there a site where you can actually test this working? Every site I have visited completely ignored JShelter and detected my browser, location, microphone, camera (both disabled by default), timezone, etc. What is this enforcing? Is it sandboxing? I don't understand...
 
F

ForgottenSeer 92963

@SpiderWeb

Modern browsers have a lot of predefined services and functions which a website can use. These functions are accessed through interfaces called API's short for Application Program Interface. These API's provide a website all sorts of useful data to provide you with the best web experience (e.g. screensize, language, night time dark or day time light background etc).

Over the years new and improved API's were standardized in browsers by the W3C, up to a point that a browser by default provides so much information that by combining this data you can be uniquely tracked. JShelter intercepts and changes the results when a website calls these API's (using javascript). For instance reducing the granularity of your time and geo-location. This makes it harder to pin-point you.

Problem with most of these extensions is that it requires a lot of knowledge to configure them correctly (only the Pro version of an expensive extension like Cydec has all data points covered*) and when blocking one API to your data, often another API provides similar data, so by combining stuff you are still fingerprinted.

The good thing about JShelter is that it is a subsidized project and related to a educational organization (so hopefully funds and knowledge are available for the long term). Many of the API-blurring extensions started with a first version, but stranded because it required to much manpower and knowledge. I am keeping an eye on JShelter because it may have a chance of actually succeeding in providing a version for the average user.

What may help them is that the browser developers also are working on ways to limit the use (retrieving info) using these API's. When I recall correctly Google has submitted an idea to the W3C (organization which defines the web standards) to give a website an API-budget. When a website exceeds its budgets, browsers will start to shield access to other API's. I thought that Microsoft supported the idea, but browsers which are a bit further on this field (Firefox, Brave and Apple) are opposed (because they would lose their advantage).

___
* As far as I know and I am retired so my knowledge is aging
 
Last edited by a moderator:

Sunkar

New Member
Jan 14, 2022
7
Thank you all for welcoming :).
Great having you here! It would also be much appreciated if you could update the protection level info page as it shows different descriptions than the actual custom settings within the extension. Can be quite confusing at times. Also, great to hear that you guys are working on a new UI. I think it's definitely needed. 😅
The anti fingerprinting protection could also use some optimization as it literally blocks like 50% of all the pages I try to access. It even blocks all google search results...

View attachment 263586
Thanks for feedback. In the near future, we will drop the old page that you have linked and be using a new one. I think, the clarification of description within the extension is planned for 0.7 GUI update.

Please, can you give me more information about your issues with fingerprinting detection? I'm directly responsible for this feature and would like to replicate the problem. For me and my colleagues it's working as intended. Can you share your Firefox version and OS via PM?

Time to revisit this extension since I switched from Chrome to Firefox. Might behave differently.

Update: Reinstalled. it's much faster than before. Recommended setting seems to be the best. High settings gives off too many pop ups and breaks too many sites. No discernible difference on Recommended (Level 2). I tested on browserleaks.org and it is giving me all of my true user agent data and a unique fingerprint lol. It doesn't seem to do anything on my end.
You shouldn't be aware of the changes. If you can tell something has changed, potential attacker will do as well. I recommend to take a look at our blogs to get a better understanding how the extension works.

But if you will, you can compare output data of different JS APIs on our test page (with and without the extension). It won't simply hide or change your userAgent because it may introduce inconsistency of the fingerprint and make it more unique. What we want to achieve is to create separate consistent fingerprint for each visited domain, so trackers from different domains cannot link your online activity.

First of all good to see you are joining this forum. It is one of the best ways to get feedback on security/privacy, thanks for joining (y)

In Dutch we have a saying based on 17th century sailing and trading history which says "the flag should represent the cargo". In branding this translates that the name of the product should represents its purpose/benefits (functional name) or relate to the user/life style group you are targeting (fantasy name).

I have a hard time discovering which assocations you used to come up with a name. When this extension modifies API's to prevent misuse, why did you call the extension "JAVASCRIPT SHELTER" in the first place?


FEATURE REQUEST 1
In stead of randomizing responses, which results in non-existing values making it very easy to fingerprint someone OVER DIFFERENT SESSION when combined with IP/address and/or GEO location, it is much better to hide in the herd.

Because data can be combined from different sources and some data categories are related, it is much better to hide in the herd using realistic most prevalent values than generating random return values. By reducing the precision of some API-results (e.g. time/geo) and providing most common or default values related to OS/rendering engine (chromium based/firefox/Safari)/browser language it is much harder to back track returning users.

FEATURE REQUEST 2
Allowing users to define which API's to block makes no sense, because most users don't know that plug-ins/accepts/navigator data can be combined from the user agent or are related to each other (e.g. geo location, time and language). In 9 out of 10 cases an average home user starts fiddling with these settings that user makes himself more unique and easier to track.

Presets should be based on functionality and risk of website breakage (hardware screen ration might affect display). A better approach would be to offer four levels of protection and allow a user to change this setting for a website: 0 = OFF for trusted websites 1 = best for compatibility, 2 = balanced, 3 = best for protection

Regards Kees
Thanks for feedback. Unfortunately, I wasn't involved in the naming process. From what I know, it was initially called JS-Shield, but we changed it to supposedly more original name (to match the logo). However, I don't think Privacy Badger or Ghostery are more self-explanatory in this regard.

FEATURE REQUEST 1
Already doing this way and some more info about "hiding in the herd".

FEATURE REQUEST 2
Definition of a custom level is intended for advanced users. We recommend to use pre-built levels. I honestly don't understand the last paragraph, as we already using pre-built levels and users can change the setting for a website. By default, all websites have assigned recommended setting. If you change it, it will be saved for this website in the future.

Thanks again for your feedback. You can report any issue or feature request here.
 
Last edited:
F

ForgottenSeer 92963


At the moment the implementation of WebGL returns non-real world values

WebGL should pass valid GPU cards at Unmasked Vendor
1642245908077.png


Plugin fingerprinting should provide only default plugins for all Chromium based browsers (Chrome, Edge, Opera, etc), a default one for Firefox and Apple. Same for font-fingerprinting only return the defaults for the OS. Better than adding fake/wrong values for that OS/browser.

Ad Feature request 2
I de-installed JShelter to quickly (after a quicktest on browserleaks.com) :), thought that the setting applied to all websites, sorry for the confusion :oops:
 
Last edited by a moderator:

Sunkar

New Member
Jan 14, 2022
7
At the moment the implementation of WebGL returns non-real world values

WebGL should pass valid GPU cards at Unmasked Vendor
View attachment 263592

Plugin fingerprinting should provide only default plugins for all Chromium based browsers (Chrome, Edge, Opera, etc), a default one for Firefox and Apple. Same for font-fingerprinting only return the defaults for the OS. Better than adding fake/wrong values for that OS/browser.

Ad Feature request 2
I de-installed JShelter to quickly (after a quicktest on browserleaks.com) :), thought that the setting applied to all websites, sorry for the confusion :oops:
Good point. Unfortunately, I cannot comment on why this decision was made as I'm not an author. According to JShelter blog, it should behave like that only for the maximum protection level. Apparently, it is random on recommended level too, right? This should be considered a bug. Can you make an issue on this on our github page? Maybe you can get a definitive answer for this.
 
F

ForgottenSeer 92963

Good point. Unfortunately, I cannot comment on why this decision was made as I'm not an author. According to JShelter blog, it should behave like that only for the maximum protection level. Apparently, it is random on recommended level too, right? This should be considered a bug. Can you make an issue on this on our github page? Maybe you can get a definitive answer for this.
done Better to provide real world values than random or faked values for three spoofs WebGL, Plugins and Fonys · Issue #166 · polcak/jsrestrictor
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top