Skip to content
This repository was archived by the owner on Dec 11, 2019. It is now read-only.

Fix canvas fingerprinting #694

Closed
yipoduyoy opened this issue Feb 9, 2016 · 9 comments
Closed

Fix canvas fingerprinting #694

yipoduyoy opened this issue Feb 9, 2016 · 9 comments
Assignees
@diracdeltas
Labels
duplicate Issue has already been reported hackathon Legacy label for a hackaton. misc/fingerprinting

Comments

@yipoduyoy
Copy link

PLEASE REMOVE WEBRTC AND CANVAS

http://www.browserleaks.com/webrtc
https://www.perfect-privacy.com/webrtc-leaktest/

http://www.browserleaks.com/canvas
http://venturebeat.com/2014/07/30/canvas-fingerprinting-is-tracking-you-and-you-dont-even-know-what-it-is/
@diracdeltas
Copy link
Member

Duplicate of #260 #242

@diracdeltas diracdeltas added the duplicate Issue has already been reported label Feb 9, 2016
@diracdeltas diracdeltas added the hackathon Legacy label for a hackaton. label Mar 28, 2016
@diracdeltas diracdeltas mentioned this issue Mar 28, 2016
Closed
@diracdeltas diracdeltas mentioned this issue Apr 5, 2016
Closed
@diracdeltas
Copy link
Member

Actually the canvas fingerprinting issue would be a huge win and is not duplicated in the other issues above. Changing the title to reflect that.

@diracdeltas diracdeltas changed the title webRTC Leaks / Canvas Fingerprintings / MediaStreamTrack Fix canvas fingerprinting Apr 5, 2016
@diracdeltas
Copy link
Member

Proposal:

@diracdeltas diracdeltas added this to the 0.9.0 milestone Apr 7, 2016
@diracdeltas diracdeltas self-assigned this Apr 7, 2016
@bbondy bbondy modified the milestones: 0.9.1, 0.9.0, 0.9.2 Apr 8, 2016
@diracdeltas diracdeltas mentioned this issue Apr 14, 2016
Merged
@jussihuotari
Copy link

fwiw, I've enabled "Block HTML canvas and WebGL fingerprinting" on v0.9.6

However, both https://www.browserleaks.com/canvas and https://panopticlick.eff.org/ show a unique canvas fingerprint for me.

Hash of WebGL fingerprint is undetermined, as expected.

@diracdeltas
Copy link
Member

@jussihuotari The panopticlick canvas fingerprinting value should be 891f3debe00dbd3d1f0457a70d2f5213 (same for all Brave users). With fingerprinting defense turned off, panopticlick says that 1/20,000 browsers have my canvas hash value. With fingerprinting defense on, only 1/800 browsers have this value, which is a great improvement.

@diracdeltas
Copy link
Member

I think you're right that we are missing some of the canvas methods in https://www.browserleaks.com/canvas#how-does-it-work though. I'll fix; thanks!

@diracdeltas
Copy link
Member

Looks like the problem is that browserleaks creates a canvas element in an iframe and somehow we are properly stubbing canvas.toDataURL in the page but not in child frames:

var a = document.createElement('canvas')
> undefined
a
> <canvas>​
a.toDataURL
> function () {
            console.log('trapping', item.propName)
            var script_url = getOriginatingScriptUrl()
            var msg = {
              obj: item.objName,
              prop: ite…
var a = document.getElementById("iframe").contentDocument.createElement("canvas")
> undefined
a.toDataURL
> function toDataURL() { [native code] }

@HLFH
Copy link

HLFH commented May 17, 2016

@diracdeltas hi. so maybe we should reopen the issue for this moment.

@diracdeltas
Copy link
Member

i'll open a new one

@diracdeltas diracdeltas mentioned this issue May 17, 2016
Closed
@bsclifton bsclifton removed this from the 0.9.2dev milestone Mar 16, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@diracdeltas diracdeltas

Labels
duplicate Issue has already been reported hackathon Legacy label for a hackaton. misc/fingerprinting
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@diracdeltas @bbondy @jussihuotari @HLFH @luixxiul @bsclifton @yipoduyoy