From eugen@leitl.org Mon Oct 7 02:07:59 2013
From: Eugen Leitl
To: cypherpunks@lists.cpunks.org
Subject: [linux-elitists] Browser fingerprinting
Date: Mon, 07 Oct 2013 08:07:56 +0200
Message-ID: <20131007060756.GX10405@leitl.org>

----- Forwarded message from Don Marti -----

Date: Sun, 6 Oct 2013 11:11:46 -0700
From: Don Marti
To: linux-elitists(a)zgp.org
Subject: [linux-elitists] Browser fingerprinting
Message-ID: <20131006181146.GA21225(a)zea.gateway.2wire.net>
User-Agent: Mutt/1.5.21 (2010-09-15)

Corporate speak: "Tawakol and Ingis both said the new technology, which is still under development, would allow companies to use alternative approaches that are sometimes called statistical or probabilistic tracking, while remaining in compliance with industry privacy standards."

Translation: "Fine, you smug cookie-blocking nerds. We're going to go all browser fingerprinting on you."

http://blog.sfgate.com/techchron/2013/10/04/ad-groups-prepare-for-cookieless-future-develop-opt-out-tool-for-alternative-tracking/

Mozilla has been working on cleaning up the third-party cookie problem, and making a dent in it, as you can tell by the complaints from the creepy adtech business.

Unfortunately, Firefox appears to be highly fingerprintable.

https://panopticlick.eff.org/ says "Your browser fingerprint appears to be unique among the 3,458,043 tested so far."

Ouch. Got to get my act together here. But of course the more that I customize, the more unique my browser looks.

Who's got a browser that comes up reasonably generic on Panopticlick, and what did you do?

-- 
Don Marti +1-510-332-1587 (mobile)
http://zgp.org/~dmarti/ Alameda, California, USA
dmarti(a)zgp.org
_______________________________________________
Do not Cc: anyone else on mail sent to this list.
The list server is set for maximum one recipient.
linux-elitists mailing list
linux-elitists(a)zgp.org
http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5

From coderman@gmail.com Mon Oct 7 03:09:13 2013
From: coderman
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 07 Oct 2013 00:09:04 -0700
In-Reply-To: <20131007060756.GX10405@leitl.org>

On Sun, Oct 6, 2013 at 11:07 PM, Eugen Leitl wrote:
> ...
> Who's got a browser that comes up reasonably generic
> on Panopticlick, and what did you do?

Tor Browser... just use it in an isolated environment like Qubes, Whonix, Tails, etc.

From coderman@gmail.com Mon Oct 7 04:17:03 2013
From: coderman
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 07 Oct 2013 01:16:54 -0700

On Mon, Oct 7, 2013 at 12:09 AM, coderman wrote:
> [... re: panopticlick ... ]
> Tor Browser... just use it in an isolated environment like Qubes,
> Whonix, Tails, etc.

to be clear, this is true when running Tor and the browser on the same computer, or having a Tor router / proxy appliance that you connect to as transparent proxy.
in the latter case, you would still be best served by running a copy of the Tor Browser in "Transparent Tor" mode[0], which delegates routing through Tor to another service, while providing a browser environment with all of the useful protections[1] to avoid this very problem and many others.

0. "Tor Browser - Whonix" transparent proxy mode
   https://www.whonix.org/wiki/Tor_Browser
   NOTE: even in this mode, you may want to have the Tor router provide local access to the SOCKS port directly.

1. "The Design and Implementation of the Tor Browser"
   https://www.torproject.org/projects/torbrowser/design/

From adam@cypherspace.org Mon Oct 7 05:57:55 2013
From: Adam Back
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 07 Oct 2013 11:57:44 +0200
Message-ID: <20131007095744.GB2671@netbook.cypherspace.org>
In-Reply-To: <20131007060756.GX10405@leitl.org>

Scary numbers. Even with Chrome incognito, unique to 1 in 1.7 m on Linux. Maybe better on Windows. I wonder if NoScript would help, or is this passive headers only?

Seems like the leak was fonts, plugins and user agent in that order at 1 in 128k, 266k, and 1.7m respectively. Need less chatty browsers.
Adam

On Mon, Oct 07, 2013 at 08:07:56AM +0200, Eugen Leitl wrote:
>----- Forwarded message from Don Marti -----
>
>Date: Sun, 6 Oct 2013 11:11:46 -0700
>From: Don Marti
>To: linux-elitists(a)zgp.org
>Subject: [linux-elitists] Browser fingerprinting
>Message-ID: <20131006181146.GA21225(a)zea.gateway.2wire.net>
>User-Agent: Mutt/1.5.21 (2010-09-15)
>
>Corporate speak: "Tawakol and Ingis both said the
>new technology, which is still under development,
>would allow companies to use alternative approaches
>that are sometimes called statistical or probabilistic
>tracking, while remaining in compliance with industry
>privacy standards."
>
>Translation: "Fine, you smug cookie-blocking nerds.
>We're going to go all browser fingerprinting on you."
>
> http://blog.sfgate.com/techchron/2013/10/04/ad-groups-prepare-for-cookieless-future-develop-opt-out-tool-for-alternative-tracking/
>
>Mozilla has been working on cleaning up the
>third-party cookie problem, and making a dent in it,
>as you can tell by the complaints from the creepy
>adtech business.
>
>Unfortunately, Firefox appears to be highly
>fingerprintable.
>
>https://panopticlick.eff.org/ says "Your browser
>fingerprint appears to be unique among the 3,458,043
>tested so far."
>
>Ouch. Got to get my act together here. But of
>course the more that I customize, the more unique my
>browser looks.
>
>Who's got a browser that comes up reasonably generic
>on Panopticlick, and what did you do?
>
>-- 
>Don Marti +1-510-332-1587 (mobile)
>http://zgp.org/~dmarti/ Alameda, California, USA
>dmarti(a)zgp.org
>_______________________________________________
>Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient.
>linux-elitists mailing list
>linux-elitists(a)zgp.org
>http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists
>
>----- End forwarded message -----
>-- 
>Eugen* Leitl leitl http://leitl.org
>______________________________________________________________
>ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
>AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5

From cane@jondos.de Mon Oct 7 06:45:31 2013
From: "Carsten N."
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 07 Oct 2013 10:45:17 +0000
Message-ID: <525290BD.1040600@jondos.de>
In-Reply-To: <20131007060756.GX10405@leitl.org>

On 07.10.2013 06:07, Eugen Leitl wrote:
> Who's got a browser that comes up reasonably generic
> on Panopticlick, and what did you do?

Hello,

Panopticlick is a demonstration project of how browser fingerprinting works, not a scientific, up-to-date database of the browsers actually in use.

- The database is not representative, because most users who know something about the project and visit it use a privacy-friendly browser configuration.
- Old entries in the database were not deleted. Firefox 3.5.3 has one of the best ratings in this database, but nobody uses this old browser version any more. You will be unique with this user agent in real life.
- It is easy to manipulate the database. You can call the page with your preferred browser multiple times and your preferred browser will be rated higher.
Best regards
Carsten

From stephan.neuhaus@tik.ee.ethz.ch Mon Oct 7 07:20:20 2013
From: Stephan Neuhaus
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 07 Oct 2013 13:20:09 +0200
Message-ID: <525298E9.3070209@tik.ee.ethz.ch>

On 10/07/2013 09:09 AM, coderman wrote:
> On Sun, Oct 6, 2013 at 11:07 PM, Eugen Leitl wrote:
>> ...
>> Who's got a browser that comes up reasonably generic
>> on Panopticlick, and what did you do?

Firefox with NoScript and Ghostery. About 10 bits of entropy. Not perfect, but not bad either.

Stephan

From bill.stewart@pobox.com Sun Oct 13 20:06:41 2013
From: Bill Stewart
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Sun, 13 Oct 2013 17:06:22 -0700
Message-ID: <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com>
In-Reply-To: <20131007060756.GX10405@leitl.org>

>Date: Sun, 6 Oct 2013 11:11:46 -0700
>From: Don Marti
>
>Translation: "Fine, you smug cookie-blocking nerds.
>We're going to go all browser fingerprinting on you."
>...
>Unfortunately, Firefox appears to be highly fingerprintable.

One reason Firefox is highly fingerprintable is that it sends a list of your available fonts to the web server so the server can format its pages with cool fonts instead of boring fonts if you're able to read them.
That often turns out to be surprisingly unique, at least if you like fonts, and AFAIK it's not just the fonts you've configured into your browser, it's the fonts configured into your computer.

For instance, my work PC has a font for the $DAYJOB corporate logo, and has since acquired a couple more fonts so I can display their newer marketing presentations correctly in Powerpoint, plus it's got the dozen or two different monospace console fonts I was trying out to find a good one for programming use, and the usual collection of Bocklin and Dwarvish and Tibetan that old hippies usually have on our computers, just in case we might need to count to nine billion or have an appropriate password entry form. When I first tested it with the panopticlick tool, it was unique; there are now a couple other similar machines (but that's "my machine's IE", "my machine's Firefox", and "my machine running Win7 with the Long Term Support version of Firefox that Corporate IT department makes us use", so it's still unique in reality.)

Sure would be nice if Mozilla had an option for "only announce the standard vanilla web fonts".

From cathalgarvey@cathalgarvey.me Sun Oct 13 20:28:40 2013
From: Cathal Garvey
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 14 Oct 2013 01:28:11 +0100
Message-ID: <20131014012811.6d6463f5@Neptune>
In-Reply-To: <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com>

> Sure would be nice if Mozilla had an option for "only announce the
> standard vanilla web fonts".

Check out firegloves. It's outdated, and I'd love to see it getting some love, but it's a great POC for anti-fingerprinting in Firefox.
Still works with Iceweasel 20, so it's aged well for an apparently unmaintained academic project. Among the key features: a restricted set of fonts sent to sites, possibly including cycling the fonts randomly to confuse fingerprinting by recurrent font-lists. Note though, it breaks some websites in a manner akin to fascist-maxima-noscript. So you'll sometimes need to disable it; Paypal is a good example.

User-agents are the devil, though, because whatever about other sources of browser entropy, the User Agent is a big honking bonus score every site gets for zero effort. Worse, most efforts to minimise User-Agents can end up maximising them instead, and there don't seem to be any *current* lists of "most common user-agent string" to work from to reduce entropy. I've set mine to a super-generic-looking Windows/Firefox setting, but as other people upgrade their browsers and OSes and as architectures get more diverse, browser UAs are getting more and more diverse, too.. I vote we ditch them entirely and just assume that all browsers do HTML5 or GTFO.

On Sun, 13 Oct 2013 17:06:22 -0700
Bill Stewart wrote:
> 
> >Date: Sun, 6 Oct 2013 11:11:46 -0700
> >From: Don Marti
> >
> >Translation: "Fine, you smug cookie-blocking nerds.
> >We're going to go all browser fingerprinting on you."
> >...
> >Unfortunately, Firefox appears to be highly fingerprintable.
> 
> One reason Firefox is highly fingerprintable is that it sends a list
> of your available fonts to the web server so the server can format
> its pages with cool fonts instead of boring fonts if you're able to
> read them. That often turns out to be surprisingly unique, at least
> if you like fonts, and AFAIK it's not just the fonts you've
> configured into your browser, it's the fonts configured into your
> computer.
> 
> For instance, my work PC has a font for the $DAYJOB corporate logo,
> and has since acquired a couple more fonts so I can display their
> newer marketing presentations correctly in Powerpoint, plus it's got
> the dozen or two different monospace console fonts I was trying out
> to find a good one for programming use, and the usual collection of
> Bocklin and Dwarvish and Tibetan that old hippies usually have on our
> computers, just in case we might need to count to nine billion or
> have an appropriate password entry form. When I first tested it with
> the panopticlick tool, it was unique; there are now a couple other
> similar machines (but that's "my machine's IE", "my machine's
> Firefox", and "my machine running Win7 with the Long Term Support
> version of Firefox that Corporate IT department makes us use", so
> it's still unique in reality.)
> 
> Sure would be nice if Mozilla had an option for "only announce the
> standard vanilla web fonts".
> 
From alfiej@fastmail.fm Sun Oct 13 20:45:06 2013
From: Alfie John
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 14 Oct 2013 11:45:02 +1100
Message-ID: <1381711502.26005.33570853.18DA6075@webmail.messagingengine.com>
In-Reply-To: <20131014012811.6d6463f5@Neptune>

On Mon, Oct 14, 2013, at 11:28 AM, Cathal Garvey wrote:
> > Sure would be nice if Mozilla had an option for "only announce the
> > standard vanilla web fonts".

That would be great, along with:

- "only use mandatory required headers" (e.g. Host, eTags*)
- "use custom request headers" (without resorting to Live HTTP Headers for each request)

*thinking about this more, eTags could also be used to track users if MITMed.

> User-agents are the devil, though, because whatever about other sources
> of browser entropy, the User Agent is a big honking bonus score every
> site gets for zero effort. Worse, most efforts to minimise User-Agents
> can end up maximising them instead, and there don't seem to be any
> *current* lists of "most common user-agent string" to work from to
> reduce entropy. I've set mine to a super-generic-looking
> Windows/Firefox setting, but as other people upgrade their browsers and
> OSes and as architectures get more diverse, browser UAs are getting
> more and more diverse, too..
Speaking of User-Agents being evil:

http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

Alfie

-- 
Alfie John
alfiej(a)fastmail.fm

From katana@riseup.net Mon Oct 14 03:28:54 2013
From: katana
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 14 Oct 2013 09:27:41 +0200
Message-ID: <525B9CED.20907@riseup.net>
In-Reply-To: <20131014012811.6d6463f5@Neptune>

Hi,

> Check out firegloves. It's outdated, and I'd love to see it getting
> some love, but it's a great POC for anti-fingerprinting in Firefox.

In their paper about the FPDetective framework, the authors wrote about Firegloves:

"Additionally, Firegloves limits the number of fonts that a single browser tab can load and reports false dimension values for the offsetWidth and offsetHeight properties of HTML elements to evade JavaScript-based font detection. We evaluated the effectiveness of Firegloves as a countermeasure to fingerprinting, and discovered several shortcomings. For instance, instead of relying on offsetWidth and offsetHeight values, we could easily use the width and the height of the rectangle object returned by the getBoundingClientRect method, which returns the text's dimensions, even more precisely than the original methods. This enabled us to detect the same list of fonts as we would without the Firegloves extension installed. Surprisingly, our probe for fonts was not limited by the claimed cap on the number of fonts per tab. This might be due to a bug, or to changes in the Firefox extension system that have been introduced after FireGloves, which is not currently being maintained, was first developed.
Although Firegloves spoofs the browser's user-agent and platform to pretend to be a Mozilla Firefox version 6 running on a Windows operating system, the navigator.oscpu is left unmodified, revealing the true platform. Moreover, Firegloves did not remove any of the new methods introduced in later versions of Mozilla Firefox and available in the navigator object, such as navigator.mozCameras and navigator.doNotTrack."

I add: OK, the navigator.oscpu issue can be fixed easily, but the timezone feature doesn't work either with JavaScript enabled.

---
Katana

From cathalgarvey@cathalgarvey.me Mon Oct 14 08:10:54 2013
From: Cathal Garvey
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 14 Oct 2013 13:10:33 +0100
Message-ID: <20131014131033.0ee9af12@Neptune>
In-Reply-To: <525B9CED.20907@riseup.net>

Well, crap. Thanks for that!

Anyone with FF-plugin chops care to make a better version?

This all seems a bit backwards, though. Wasn't the whole idea of browser rendering that the server would send one canonical page to the client, and the client is responsible for rendering? Our browsers shouldn't even be telling the server their dimensions, CPUs and OSes; if we can't render the page sent by the site, either we or the site are at fault, but not our architectures and OSes.

This internet is broken, make me a new one.

On Mon, 14 Oct 2013 09:27:41 +0200
katana wrote:
> Hi,
> 
> > Check out firegloves. It's outdated, and I'd love to see it getting
> > some love, but it's a great POC for anti-fingerprinting in Firefox.
> 
> In their paper about the FPDetective framework, the authors wrote
> about Firegloves:
> 
> "Additionally, Firegloves limits the number of fonts that a single
> browser tab can load and reports false dimension values for the
> offsetWidth and offsetHeight properties of HTML elements to evade
> JavaScript-based font detection. We evaluated the effectiveness of
> Firegloves as a countermeasure to fingerprinting, and discovered
> several shortcomings. For instance, instead of relying on offsetWidth
> and offsetHeight values, we could easily use the width and the height
> of the rectangle object returned by the getBoundingClientRect method,
> which returns the text's dimensions, even more precisely than the
> original methods. This enabled us to detect the same list of fonts as
> we would without the Firegloves extension installed. Surprisingly,
> our probe for fonts was not limited by the claimed cap on the number
> of fonts per tab. This might be due to a bug, or to changes in the
> Firefox extension system that have been introduced after FireGloves,
> which is not currently being maintained, was first developed.
> Although Firegloves spoofs the browser's user-agent and platform to
> pretend to be a Mozilla Firefox version 6 running on a Windows
> operating system, the navigator.oscpu is left unmodified, revealing
> the true platform. Moreover, Firegloves did not remove any of the new
> methods introduced in later versions of Mozilla Firefox and
> available in the navigator object, such as navigator.mozCameras and
> navigator.doNotTrack."
> 
> I add: OK, the navigator.oscpu issue can be fixed easily, but the
> timezone feature doesn't work either with JavaScript enabled.
> 
> ---
> Katana

From jacob@appelbaum.net Mon Oct 14 10:13:02 2013
From: Jacob Appelbaum
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 14 Oct 2013 13:46:15 +0000
Message-ID: <525BF5A7.1080801@appelbaum.net>
In-Reply-To: <20131014131033.0ee9af12@Neptune>

Cathal Garvey:
> Well, crap. Thanks for that!
> 
> Anyone with FF-plugin chops care to make a better version?
The Tor Browser, of course!

https://www.torproject.org/torbrowser/design

These may be interesting to you:

https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details

Source and binary releases are available - I suggest using the 3.0 alphas to help us improve them for general use:

https://blog.torproject.org/category/tags/tbb-30

All the best,
Jacob

From data@kuketz.de Mon Oct 14 10:30:27 2013
From: Mike Kuketz
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 14 Oct 2013 16:30:18 +0200
Message-ID: <4444FC40-50C3-4AAD-A53C-920E45B0810F@kuketz.de>
In-Reply-To: <525BF5A7.1080801@appelbaum.net>

> Cathal Garvey:
>> Well, crap. Thanks for that!
>> 
>> Anyone with FF-plugin chops care to make a better version?
> 
> The Tor Browser, of course!
> 
> https://www.torproject.org/torbrowser/design
> 
> These may be interesting to you:
> 
> https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
> https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
> 
> Source and binary releases are available - I suggest using the 3.0
> alphas to help us improve them for general use:
> 
> https://blog.torproject.org/category/tags/tbb-30
> 
> All the best,
> Jacob

As an alternative to the Tor Browser I suggest the following:

On this site you can check your browser "visibility": http://ip-check.info/?lang=en

I think with the JonDo Firefox profile (https://anonymous-proxy-servers.net/en/jondofox.html) and these addons it's not easy to fingerprint you:

- Adblock Edge
- BetterPrivacy
- CookieMonster
- Disconnect
- NoScript
- RequestPolicy

About a week ago I published an article about RequestPolicy on my IT security blog: RequestPolicy – Mehr Kontrolle beim Surfen (http://www.kuketz-blog.de/requestpolicy-mehr-kontrolle-beim-surfen/)

It explains some tracking and why RequestPolicy is a fine Firefox addon. It's in German, but you can use Google Translate.
Best regards,
Mike Kuketz
From cathalgarvey@cathalgarvey.me Mon Oct 14 10:34:00 2013
From: Cathal Garvey
To: cypherpunks@lists.cpunks.org
Subject: Re: [linux-elitists] Browser fingerprinting
Date: Mon, 14 Oct 2013 15:33:41 +0100
Message-ID: <20131014153341.5af687a3@Neptune>
In-Reply-To: <525BF5A7.1080801@appelbaum.net>
> The Tor Browser, of course!
> 
> https://www.torproject.org/torbrowser/design

:) Fair point! I guess if I want a common user-agent from a browser that minimises fingerprinting generally, I couldn't get any better than Tor Browser with the Tor bits turned off. Come to think of it, I may just do that now for my routine-daily-browser and replace Iceweasel with a gutted version of Tor BB's Aurora build.

Thanks!

On Mon, 14 Oct 2013 13:46:15 +0000
Jacob Appelbaum wrote:
> Cathal Garvey:
> > Well, crap. Thanks for that!
> > 
> > Anyone with FF-plugin chops care to make a better version?
> 
> The Tor Browser, of course!
> 
> https://www.torproject.org/torbrowser/design
> 
> These may be interesting to you:
> 
> https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
> https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
> 
> Source and binary releases are available - I suggest using the 3.0
> alphas to help us improve them for general use:
> 
> https://blog.torproject.org/category/tags/tbb-30
> 
> All the best,
> Jacob
> 
eTl3UWdKb3RyZmlmNC9wcSswUXhZcjlGbzMrcTVpbVBhSWo2WEF6akd4UmprdWtxCi82Z2JrVzlp L3hYb2pJRllrSGJvbEtsbm1Gdk53VVczdGRxbFdyTjlOU2ZoWk5rN0V4NkJaQmlNdUpBd1ByUW0K MHFxS0Y0ZlJ6UDVDb1lVeEtJaWVzai8rTWpEVkJrMzdSK2RQd0tNdVJsRGd5WHVLRlYyZEpKUVlL dzk4V0h5NQo4RGQ1RUgvbndoL2VXZHFzdFpwWloreEw1eHNJOHdEcEplYTQ4R01ZYml2aSs5aU5n MkRvZk9KZDJyVlI2UUY2Cmx5ZXN3aU8xMzJhNUQ1LzllUUlyYkFLRTZSTndDRGpXZVRhaTRJWGNP MCt4SGphS0J3dERhdTVKQVNzc2FSK1cKWE9vTWY1OUNFc09abFM0bHQybXZYMFhoRmdUaW15aXdM RFNTN3hCU0Q5K0ZsMnpoZ2I3WElrY1I3dzRlbVI1bAptU2t0b0xQOHJEUlVmWFZPRllsSWhMcHRZ dXJGbnJBdXljazIvbU1kVG1HL1I5bGY2NkF6YzVDT3djOHBRQm9LClZuT1lETHZLblc0OVA1RlZo bHFjCj1pVVhNCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo= --===============1947478203987344203==-- From griffin@cryptolab.net Mon Oct 14 10:56:08 2013 From: Griffin Boyce To: cypherpunks@lists.cpunks.org Subject: Re: Browser fingerprinting Date: Mon, 14 Oct 2013 10:55:56 -0400 Message-ID: <525C05FC.3000702@cryptolab.net> In-Reply-To: <4444FC40-50C3-4AAD-A53C-920E45B0810F@kuketz.de> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3280635521840875294==" --===============3280635521840875294== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Mike Kuketz wrote: > > As an alternative to the Tor Browser i suggest the following:=20 > On this site you can check your browser > "visibility": http://ip-check.info/?lang=3Den Yeah, if you don't need or want location anonymity, there are a lot of really good options out there. RequestPolicy takes a lot of tinkering (which can be *really* aggravating), but it's incredibly useful for blocking tracking scripts. Modifying one's user-agent string was found to be a CFAA violation during Weev's trial. Who knew? Ashkan Soltani wrote a really great opinion piece on this [1]. In addition to the other great recommendations, I'd highly recommend blocking Flash if you're concerned about privacy. 
Not only do flash cookies persist longer / are hard to block / are harder to remove, but it's easy to fingerprint someone via a tiny bit of flash. Flash is also enabled by default on Google Chrome, so check out FlashBlock [2]. It also offers more granularity in case you like gaming :D best, Griffin [1] http://www.wired.com/opinion/2013/07/the-catch-22-of-internet-commerce-and-pr= ivacy-could-mean-youre-the-bad-guy/ [2] https://chrome.google.com/webstore/detail/flashblock/gofhjkjmkpinhpoiabjplobc= aignabnl?hl=3Den --=20 "Cypherpunks write code not flame wars." --Jurre van Bergen #Foucault / PGP: 0xAE792C97 / OTR: saint(a)jabber.ccc.de My posts are my own, not my employer's. --===============3280635521840875294==-- From albill@openbuddha.com Mon Oct 14 12:54:34 2013 From: Al Billings To: cypherpunks@lists.cpunks.org Subject: Re: [linux-elitists] Browser fingerprinting Date: Mon, 14 Oct 2013 09:54:24 -0700 Message-ID: In-Reply-To: <20131014131033.0ee9af12@Neptune> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4930923466893234290==" --===============4930923466893234290== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable About 19 years ago, it was. The rest of the world (and web developers) moved = on since then. 
From: Cathal Garvey
> Wasn't the whole idea of browser rendering that the server would send
> one canonical page to the client, and the client is responsible for
> rendering?

--
Al Billings
http://makehacklearn.org

From adam@cypherspace.org Mon Oct 14 13:30:40 2013
From: Adam Back <adam@cypherspace.org>
Date: Mon, 14 Oct 2013 19:30:22 +0200
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <20131014173022.GA32033@netbook.cypherspace.org>

Well you should say the web developers regressed since then.

Adam

On Mon, Oct 14, 2013 at 09:54:24AM -0700, Al Billings wrote:
> About 19 years ago, it was. The rest of the world (and web developers)
> moved on since then.
> __________________________________________________________________
>
> From: Cathal Garvey [1]Cathal Garvey
>
> Wasn't the whole idea of
> browser rendering that the server would send one canonical page to the
> client, and the client is responsible for rendering?

From eugen@leitl.org Mon Oct 14 14:15:48 2013
From: Eugen Leitl <eugen@leitl.org>
Date: Mon, 14 Oct 2013 20:15:42 +0200
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <20131014181542.GY10405@leitl.org>
In-Reply-To: <20131014173022.GA32033@netbook.cypherspace.org>

On Mon, Oct 14, 2013 at 07:30:22PM +0200, Adam Back wrote:
> Well you should say the web developers regressed since then.

The worst is that the entire trainwreck has been so predictable, right from the start.

From bill.stewart@pobox.com Mon Oct 14 20:24:28 2013
From: Bill Stewart <bill.stewart@pobox.com>
Date: Mon, 14 Oct 2013 17:24:18 -0700
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <20131015002423.DACBDE31E@a-pb-sasl-quonix.pobox.com>
In-Reply-To: <20131014181542.GY10405@leitl.org>

At 11:15 AM 10/14/2013, Eugen Leitl wrote:
>On Mon, Oct 14, 2013 at 07:30:22PM +0200, Adam Back wrote:
>
> > Well you should say the web developers regressed since then.
>
>The worst is that the entire trainwreck has been so
>predictable, right from the start.
If by "right from the start" you're including "back in ~1987, when I was on standards committees that were specifying SGML for their applications", then yes, the trainwreck was around then, even before HTML or the web.

"Computer-Aided Logistics Support", aka CALS, was trying to address standards for handling documentation, mainly for the aircraft business and military contractors; you couldn't fit the design and maintenance documentation for a typical cargo airplane into the airplane itself. The people who got the concept wanted to be able to do things like have maintenance manuals that you could read on whatever display you had, whether it's a high-res computer terminal or a monospaced wrist-mounted screen when you were standing on a ladder working on an engine, and you'd have objects like "a 2nd-level header". The people who didn't get it wanted to be able to have data formats that could keep track of page numbers (so you could replicate taking the old page 1435.2 out of a 3-ring binder and replace it with an updated version), and objects like "a line of 14-point bold-faced text." We ended up with some botched DTD that sort of let you do both, badly. Graphics were supposed to be in a portable vector-based format, but they didn't have that finished while I was still working on that committee.

And eventually Sir Tim came up with HTML, which was sort of like a simplified DTD that did basic markup mostly correctly (plus hypertext and forms entry!), though with bitmapped pictures, and later people started to botch it up by letting you specify specific fonts and layouts (even if the reader's display didn't look like the author's), and Javascript to try to plaster over the botches, and it's been unsafely downhill from there.
From albill@openbuddha.com Mon Oct 14 22:27:16 2013
From: Al Billings <albill@openbuddha.com>
Date: Mon, 14 Oct 2013 19:27:07 -0700
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <1381804027490.ae5de89b@Nodemailer>
In-Reply-To: <20131014173022.GA32033@netbook.cypherspace.org>

Only if you wish it was "the good old days" but then this is the list with folks that refuse to run JavaScript and don't understand why anyone would want to use twitter, as I recall.

Al

On Mon, Oct 14, 2013 at 10:30 AM, Adam Back wrote:
> Well you should say the web developers regressed since then.
>
> Adam

From eugen@leitl.org Tue Oct 15 05:08:32 2013
From: Eugen Leitl <eugen@leitl.org>
Date: Tue, 15 Oct 2013 11:08:29 +0200
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <20131015090829.GQ10405@leitl.org>
In-Reply-To: <1381804027490.ae5de89b@Nodemailer>

On Mon, Oct 14, 2013 at 07:27:07PM -0700, Al Billings wrote:
> Only if you wish it was "the good old days" but then this is the list with folks

The future that never was was built with Lisp machines and NeWS.

> that refuse to run JavaScript and don't understand why anyone would want to use twitter, as I recall.

Twatr who?

From cathalgarvey@cathalgarvey.me Tue Oct 15 05:54:33 2013
From: Cathal Garvey <cathalgarvey@cathalgarvey.me>
Date: Tue, 15 Oct 2013 10:54:04 +0100
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <20131015105404.097eac36@Neptune>
In-Reply-To: <1381804027490.ae5de89b@Nodemailer>

> with folks that refuse to run JavaScript

Not "JavaScript"; "Unverified, potentially malicious code with a rich history of exploits inside a frame I use to navigate the online world". It wouldn't matter if the code was LISP or Python; the problem isn't the language, it's the context.

That said, I do run Javascript, albeit through NoScript. I just wish there were more fine-grained policy restrictions I could place on it, such as "No XmlHttpRequest/Websocket" or "No browser introspection (fonts, boundaries, etc.)", and let webapps that are trying to fingerprint me without my permission just crash and burn.

On Mon, 14 Oct 2013 19:27:07 -0700 (PDT) "Al Billings" wrote:
> Only if you wish it was "the good old days" but then this is the list
> with folks that refuse to run JavaScript and don't understand why
> anyone would want to use twitter, as I recall.
>
> Al
>
> On Mon, Oct 14, 2013 at 10:30 AM, Adam Back wrote:
> > Well you should say the web developers regressed since then.
> >
> > Adam
From jamesd@echeque.com Tue Oct 15 07:33:38 2013
From: "James A. Donald" <jamesd@echeque.com>
Date: Tue, 15 Oct 2013 21:33:22 +1000
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <525D2802.8080302@echeque.com>
In-Reply-To: <20131015090829.GQ10405@leitl.org>

My web site returns the same result regardless of what browser hits it, so all that stuff is wasted bandwidth. I don't see that there is much use in providing that information.

From jamesd@echeque.com Tue Oct 15 07:51:58 2013
From: "James A. Donald" <jamesd@echeque.com>
Date: Tue, 15 Oct 2013 21:51:46 +1000
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <525D2C52.1020801@echeque.com>
In-Reply-To: <20131015105404.097eac36@Neptune>

On 2013-10-15 19:54, Cathal Garvey wrote:
>> with folks that refuse to run JavaScript
> Not "JavaScript"; "Unverified, potentially malicious code with a
> rich history of exploits inside a frame I use to navigate the online
> world". It wouldn't matter if the code was LISP or Python; the problem
> isn't the language, it's the context.
>
> That said, I do run Javascript, albeit through NoScript. I just wish
> there were more fine-grained policy restrictions I could place on it,
> such as "No XmlHttpRequest/Websocket" or "No browser introspection
> (fonts, boundaries, etc.)", and let webapps that are trying to
> fingerprint me without my permission just crash and burn.

Javascript can be controlled by being recompiled into the Caja subset of javascript. In practice, however, this is only done when a server controlled by one organization is generating a web page containing javascript controlled by another organization - Caja is used to protect one website against another, but not used to protect the client against the website.

From dan@geer.org Tue Oct 15 08:01:19 2013
From: dan@geer.org
Date: Tue, 15 Oct 2013 08:01:11 -0400
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <20131015120111.290F22282F1@palinka.tinho.net>

Cathal Garvey
> Wasn't the whole idea of browser rendering that the server would
> send one canonical page to the client, and the client is responsible
> for rendering?

If only. The client is now the server's server.

And, yeah, I am one of those who refuses Javascript, so the web is shrinking fast from where I sit. Oh, well.

--dan

From cathalgarvey@cathalgarvey.me Tue Oct 15 08:16:45 2013
From: Cathal Garvey <cathalgarvey@cathalgarvey.me>
Date: Tue, 15 Oct 2013 13:16:21 +0100
Subject: Re: [linux-elitists] Browser fingerprinting
Message-ID: <20131015131621.005755a8@Neptune>
In-Reply-To: <525D2C52.1020801@echeque.com>

> Javascript can be controlled by being recompiled into the Caja subset
> of javascript.

I've been thinking along these lines, all right.

So what functions of Javascript are nonessential to the concept of a "rich webapp" but useful for abuse and fingerprinting? If you could strip JS down to a set of awesome functions that reduce the abuse potential, what stuff would you strip out?

A lot of the nasty stuff isn't even JS engine stuff, it's DOM stuff from the browser being made available to JS, so it's not entirely linguistic. A lot of it's bad API, probably much harder to fix.

Still, reduced-set JS, with an in-browser standard for verifying signed JS code, would be great. I'm often boggled when I think this over that RMS forgot to include code signing in his suggestion for how to markup non-trivial JS with source code and license text; I figured "code verification" would be a crucial part of the Free Software philosophy when it comes to drive-by code.

Another crucial change I'd like to see: immutable javascript. When including a script with the