[linux-elitists] Browser fingerprinting

Eugen Leitl

7 Oct 2013 7 Oct '13

6:07 a.m.

----- Forwarded message from Don Marti ----- Date: Sun, 6 Oct 2013 11:11:46 -0700 From: Don Marti To: linux-elitists@zgp.org Subject: [linux-elitists] Browser fingerprinting Message-ID: <20131006181146.GA21225@zea.gateway.2wire.net> User-Agent: Mutt/1.5.21 (2010-09-15) Corporate speak: "Tawakol and Ingis both said the new technology, which is still under development, would allow companies to use alternative approaches that are sometimes called statistical or probabilistic tracking, while remaining in compliance with industry privacy standards." Translation: "Fine, you smug cookie-blocking nerds. We're going to go all browser fingerprinting on you." http://blog.sfgate.com/techchron/2013/10/04/ad-groups-prepare-for-cookieless... Mozilla has been working on cleaning up the third-party cookie problem, and making a dent in it, as you can tell by the complaints from the creepy adtech business. Unfortunately, Firefox appears to be highly fingerprintable. https://panopticlick.eff.org/ says "Your browser fingerprint appears to be unique among the 3,458,043 tested so far." Ouch. Got to get my act together here. But of course the more that I customize, the more unique my browser looks. Who's got a browser that comes up reasonably generic on Panopticlick, and what did you do? -- Don Marti +1-510-332-1587 (mobile) http://zgp.org/~dmarti/ Alameda, California, USA dmarti@zgp.org _______________________________________________ Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient. linux-elitists mailing list linux-elitists@zgp.org http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5

Show replies by date

coderman

7 Oct 7 Oct

7:09 a.m.

On Sun, Oct 6, 2013 at 11:07 PM, Eugen Leitl wrote:

...

... Who's got a browser that comes up reasonably generic on Panopticlick, and what did you do?

Tor Browser... just use it in an isolated environment like Qubes, Whonix, Tails, etc.

coderman

8:16 a.m.

On Mon, Oct 7, 2013 at 12:09 AM, coderman wrote:

...

[... re: panopticlick ... ] Tor Browser... just use it in an isolated environment like Qubes, Whonix, Tails, etc.

to be clear, this is true when running Tor and the browser on the same computer, or having a Tor router / proxy appliance that you connect to as transparent proxy. in the latter case, you would still be best served by running a copy of the Tor Browser in "Transparent Tor" mode[0], which delegates routing through Tor to another service, while providing a browser environment with all of the useful protections[1] to avoid this very problem and many others. 0. "Tor Browser - Whonix" transparent proxy mode https://www.whonix.org/wiki/Tor_Browser NOTE: even in this mode, you may want to have the Tor router provide local access to the SOCKS port directly. 1. "The Design and Implementation of the Tor Browser" https://www.torproject.org/projects/torbrowser/design/

Stephan Neuhaus

11:20 a.m.

On 10/07/2013 09:09 AM, coderman wrote:

...

On Sun, Oct 6, 2013 at 11:07 PM, Eugen Leitl wrote:

...
... Who's got a browser that comes up reasonably generic on Panopticlick, and what did you do?

Firefox with NoScript and Ghostery. About 10 bits of entropy. Not perfect, but not bad either. Stephan

Adam Back

9:57 a.m.

Scary numbers. Even with chrome incognito unique to 1 in 1.7 m on linux. Maybe better on windows. I wonder if no-script would help or is this passive headers only? Seems like the leak was fonts, plugins and user agent in that order at 1 in 128k, 266k, and 1.7m respectivey. Need less chatty browsers. Adam On Mon, Oct 07, 2013 at 08:07:56AM +0200, Eugen Leitl wrote:

...

----- Forwarded message from Don Marti -----

Date: Sun, 6 Oct 2013 11:11:46 -0700 From: Don Marti To: linux-elitists@zgp.org Subject: [linux-elitists] Browser fingerprinting Message-ID: <20131006181146.GA21225@zea.gateway.2wire.net> User-Agent: Mutt/1.5.21 (2010-09-15)

Corporate speak: "Tawakol and Ingis both said the new technology, which is still under development, would allow companies to use alternative approaches that are sometimes called statistical or probabilistic tracking, while remaining in compliance with industry privacy standards."

Translation: "Fine, you smug cookie-blocking nerds. We're going to go all browser fingerprinting on you."

http://blog.sfgate.com/techchron/2013/10/04/ad-groups-prepare-for-cookieless...

Mozilla has been working on cleaning up the third-party cookie problem, and making a dent in it, as you can tell by the complaints from the creepy adtech business.

Unfortunately, Firefox appears to be highly fingerprintable.

https://panopticlick.eff.org/ says "Your browser fingerprint appears to be unique among the 3,458,043 tested so far."

Ouch. Got to get my act together here. But of course the more that I customize, the more unique my browser looks.

Who's got a browser that comes up reasonably generic on Panopticlick, and what did you do?

-- Don Marti +1-510-332-1587 (mobile) http://zgp.org/~dmarti/ Alameda, California, USA dmarti@zgp.org _______________________________________________ Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient. linux-elitists mailing list linux-elitists@zgp.org http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists

----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5

Carsten N.

10:45 a.m.

On 07.10.2013 06:07, Eugen Leitl wrote:

...

Who's got a browser that comes up reasonably generic on Panopticlick, and what did you do?

Hello, Panopticlick is a demonstration project, how browser fingerprinting works and not a scientific up2date database for actual used browsers. - The database is not a representative database, because most users, who know something about the project and visit it, use a privacy-friendly browser configuration. - Old entries in the database were not deleted. Firefox 3.5.3 has one of the best ratings in this database. But nobody uses this old browser version any more. You will be unique with this user agent in real life. - It is easy to manipulate the database. You can call the page with your preferred browser multiple times and your preferred browser will be higher rated. Best regards Carsten

Bill Stewart

14 Oct 14 Oct

12:06 a.m.

...

Date: Sun, 6 Oct 2013 11:11:46 -0700 From: Don Marti

Translation: "Fine, you smug cookie-blocking nerds. We're going to go all browser fingerprinting on you." ... Unfortunately, Firefox appears to be highly fingerprintable.

One reason Firefox is highly fingerprintable is that it sends a list of your available fonts to the web server so the server can format its pages with cool fonts instead of boring fonts if you're able to read them. That often turns out to be surprisingly unique, at least if you like fonts, and AFAIK it's not just the fonts you've configured into your browser, it's the fonts configured into your computer. For instance, my work PC has a font for the $DAYJOB corporate logo, and has since acquired a couple more fonts so I can display their newer marketing presentations correctly in Powerpoint, plus it's got the dozen or two different monospace console fonts I was trying out to find a good one for programming use, and the usual collection of Bocklin and Dwarvish and Tibetan that old hippies usually have on our computers, just in case we might need to count to nine billion or have an appropriate password entry form. When I first tested it with the panopticlick tool, it was unique; there are now a couple other similar machines (but that's "my machine's IE", "my machine's Firefox", and "my machine running Win7 with the Long Term Support version of Firefox that Corporate IT department makes us use", so it's still unique in reality.) Sure would be nice if Mozilla had an option for "only announce the standard vanilla web fonts".

Cathal Garvey

12:28 a.m.

...

Sure would be nice if Mozilla had an option for "only announce the standard vanilla web fonts".

Check out firegloves. It's outdated, and I'd love to see it getting some love, but it's a great POC for anti-fingerprinting in Firefox. Still works with Iceweasel 20, so it's aged well for an apparently unmaintained academic project. Among the key features; a restricted set of fonts sent to sites, possibly including cycling the fonts randomly to confuse fingerprinting by recurrent font-lists. Note though, it breaks some websites in a manner akin to fascist-maxima-noscript. So you'll sometimes need to disable it; Paypal is a good example. User-agents are the devil, though, because whatever about other sources of browser entropy, the User Agent is a big honking bonus score every site gets for zero effort. Worse, most efforts to minimise User-Agents can end up maximising them instead, and there don't seem to be any *current* lists of "most common user-agent string" to work from to reduce entropy. I've set mine to a super-generic-looking Windows/Firefox setting, but as other people upgrade their browsers and OSes and as architectures get more diverse, browser UAs are getting more and more diverse, too.. I vote we ditch them entirely and just assume that all browsers to HTML5 or GTFO. On Sun, 13 Oct 2013 17:06:22 -0700 Bill Stewart wrote:

...

...
Date: Sun, 6 Oct 2013 11:11:46 -0700 From: Don Marti

Translation: "Fine, you smug cookie-blocking nerds. We're going to go all browser fingerprinting on you." ... Unfortunately, Firefox appears to be highly fingerprintable.

One reason Firefox is highly fingerprintable is that it sends a list of your available fonts to the web server so the server can format its pages with cool fonts instead of boring fonts if you're able to read them. That often turns out to be surprisingly unique, at least if you like fonts, and AFAIK it's not just the fonts you've configured into your browser, it's the fonts configured into your computer.

For instance, my work PC has a font for the $DAYJOB corporate logo, and has since acquired a couple more fonts so I can display their newer marketing presentations correctly in Powerpoint, plus it's got the dozen or two different monospace console fonts I was trying out to find a good one for programming use, and the usual collection of Bocklin and Dwarvish and Tibetan that old hippies usually have on our computers, just in case we might need to count to nine billion or have an appropriate password entry form. When I first tested it with the panopticlick tool, it was unique; there are now a couple other similar machines (but that's "my machine's IE", "my machine's Firefox", and "my machine running Win7 with the Long Term Support version of Firefox that Corporate IT department makes us use", so it's still unique in reality.)

Sure would be nice if Mozilla had an option for "only announce the standard vanilla web fonts".

Alfie John

12:45 a.m.

On Mon, Oct 14, 2013, at 11:28 AM, Cathal Garvey wrote:

...

...
Sure would be nice if Mozilla had an option for "only announce the standard vanilla web fonts".

That would be great, along with: - "only use mandatory required headers" (e.g. Host, eTags*) - "use custom request headers" (without resorting to Live HTTP Headers for each request) *thinking about this more, eTags could also be used to track users if MITMed.

...

User-agents are the devil, though, because whatever about other sources of browser entropy, the User Agent is a big honking bonus score every site gets for zero effort. Worse, most efforts to minimise User-Agents can end up maximising them instead, and there don't seem to be any *current* lists of "most common user-agent string" to work from to reduce entropy. I've set mine to a super-generic-looking Windows/Firefox setting, but as other people upgrade their browsers and OSes and as architectures get more diverse, browser UAs are getting more and more diverse, too..

Speaking of User-Agents being evil: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/ Alfie -- Alfie John alfiej@fastmail.fm

katana

7:27 a.m.

Hi,

...

Check out firegloves. It's outdated, and I'd love to see it getting some love, but it's a great POC for anti-fingerprinting in Firefox.

In http://www.cosic.esat.kuleuven.be/publications/article-2334.pdf about their FPDetective Framework http://homes.esat.kuleuven.be/~gacar/fpdetective/, the authors wrote about Firegloves: "Additionally, Firegloves limits the number of fonts that a single browser tab can load and reports false dimension values for the offsetWidth and offsetHeight properties of HTML elements to evade JavaScript-based font detection. We evaluated the effectiveness of Firegloves’ as a countermeasure to fingerprinting, and discovered several shortcomings. For instance, instead of relying on offsetWidth and offsetHeight values, we could easily use the width and the height of the rectangle object returned by getBoundingClientRect method, which returns the text’s dimensions, even more precisely than the original methods. This enabled us to detect the same list of fonts as we would without the Firegloves extension installed. Surprisingly, our probe for fonts was not limited by the claimed cap on the number of fonts per tab. This might be due to a bug, or to changes in the Firefox extension system that have been introduced after FireGloves, which is not currently being maintained, was first developed. Although Firegloves spoofs the browser’s user-agent and platform to pretend to be a Mozilla Firefox version 6 running on a Windows operating system, the navigator.oscpu is left unmodified, revealing the true platform. Moreover, Firegloves did not remove any of the new methods intro- duced in later versions of Mozilla Firefox and available in the navigator object, such as navigator.mozCameras and navigator.doNotTrack." I add: OK, the naviagtor.oscpu issue can be fixed easily, but the timezone feature doesnt't work too with enabled JavaScript. --- Katana

Cathal Garvey

12:10 p.m.

Well, crap. Thanks for that! Anyone with FF-plugin chops care to make a better version? This all seems a bit backwards, though. Wasn't the whole idea of browser rendering that the server would send one canonical page to the client, and the client is responsible for rendering? Our browsers shouldn't even be telling the server their dimensions, CPUs and OSes; if we can't render the page sent by the site, either we or the site are at fault but not our architectures and OSes. This internet is broken, make me a new one. On Mon, 14 Oct 2013 09:27:41 +0200 katana wrote:

...

Hi,

...
Check out firegloves. It's outdated, and I'd love to see it getting some love, but it's a great POC for anti-fingerprinting in Firefox.

In http://www.cosic.esat.kuleuven.be/publications/article-2334.pdf about their FPDetective Framework http://homes.esat.kuleuven.be/~gacar/fpdetective/, the authors wrote about Firegloves:

"Additionally, Firegloves limits the number of fonts that a single browser tab can load and reports false dimension values for the offsetWidth and offsetHeight properties of HTML elements to evade JavaScript-based font detection. We evaluated the effectiveness of Firegloves’ as a countermeasure to fingerprinting, and discovered several shortcomings. For instance, instead of relying on offsetWidth and offsetHeight values, we could easily use the width and the height of the rectangle object returned by getBoundingClientRect method, which returns the text’s dimensions, even more precisely than the original methods. This enabled us to detect the same list of fonts as we would without the Firegloves extension installed. Surprisingly, our probe for fonts was not limited by the claimed cap on the number of fonts per tab. This might be due to a bug, or to changes in the Firefox extension system that have been introduced after FireGloves, which is not currently being maintained, was first developed. Although Firegloves spoofs the browser’s user-agent and platform to pretend to be a Mozilla Firefox version 6 running on a Windows operating system, the navigator.oscpu is left unmodified, revealing the true platform. Moreover, Firegloves did not remove any of the new methods intro- duced in later versions of Mozilla Firefox and available in the navigator object, such as navigator.mozCameras and navigator.doNotTrack."

I add: OK, the naviagtor.oscpu issue can be fixed easily, but the timezone feature doesnt't work too with enabled JavaScript.

--- Katana

Jacob Appelbaum

1:46 p.m.

Cathal Garvey:

...

Well, crap. Thanks for that!

Anyone with FF-plugin chops care to make a better version?

The Tor Browser, of course! https://www.torproject.org/torbrowser/design These may be interesting to you: https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-... https://blog.torproject.org/blog/deterministic-builds-part-two-technical-det... Source and binary releases are available - I suggest using the 3.0 alphas to help us improve them for general use: https://blog.torproject.org/category/tags/tbb-30 All the best, Jacob

Mike Kuketz

2:30 p.m.

...

Cathal Garvey:

...
Well, crap. Thanks for that!

Anyone with FF-plugin chops care to make a better version?

The Tor Browser, of course!

https://www.torproject.org/torbrowser/design

These may be interesting to you:

https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-...

https://blog.torproject.org/blog/deterministic-builds-part-two-technical-det...

Source and binary releases are available - I suggest using the 3.0 alphas to help us improve them for general use:

https://blog.torproject.org/category/tags/tbb-30

All the best, Jacob

As an alternative to the Tor Browser i suggest the following: On this site you can check your browser "visibility": http://ip-check.info/?lang=en I think with the JonDo Firefox profile (https://anonymous-proxy-servers.net/en/jondofox.html) and these addons it's not easy to fingerprint you: - Adblock Edge - BetterPrivacy - CookieMonster - Disconnect - NoScript - RequestPolicy About a week i published an article about RequestPolicy on my IT security blog: RequestPolicy – Mehr Kontrolle beim Surfen It explains some tracking and why RequestPolicy is a fine Firefox addon. It's in german, but you can use Google Translate. Best regards, Mike Kuketz

Griffin Boyce

2:55 p.m.

New subject: Browser fingerprinting

Mike Kuketz wrote:

...

As an alternative to the Tor Browser i suggest the following: On this site you can check your browser "visibility": http://ip-check.info/?lang=en

Yeah, if you don't need or want location anonymity, there are a lot of really good options out there. RequestPolicy takes a lot of tinkering (which can be *really* aggravating), but it's incredibly useful for blocking tracking scripts. Modifying one's user-agent string was found to be a CFAA violation during Weev's trial. Who knew? Ashkan Soltani wrote a really great opinion piece on this [1]. In addition to the other great recommendations, I'd highly recommend blocking Flash if you're concerned about privacy. Not only do flash cookies persist longer / are hard to block / are harder to remove, but it's easy to fingerprint someone via a tiny bit of flash. Flash is also enabled by default on Google Chrome, so check out FlashBlock [2]. It also offers more granularity in case you like gaming :D best, Griffin [1] http://www.wired.com/opinion/2013/07/the-catch-22-of-internet-commerce-and-p... [2] https://chrome.google.com/webstore/detail/flashblock/gofhjkjmkpinhpoiabjplob... -- "Cypherpunks write code not flame wars." --Jurre van Bergen #Foucault / PGP: 0xAE792C97 / OTR: saint@jabber.ccc.de My posts are my own, not my employer's.

Moon Jones

19 Oct 19 Oct

2:33 p.m.

New subject: Browser fingerprinting

On 14.10.2013 16:55, Griffin Boyce wrote:

...

In addition to the other great recommendations, I'd highly recommend blocking Flash if you're concerned about privacy. Not only do flash cookies persist longer / are hard to block / are harder to remove, but it's easy to fingerprint someone via a tiny bit of flash. Flash is also enabled by default on Google Chrome, so check out FlashBlock [2]. It also offers more granularity in case you like gaming :D

Flash is proprietary. Meaning licensing problems with the media. Flash is closed source. Meaning it can contain anything. See the latest talk about DLink routers. Flash has its own bugs on top of the browser bugs. Flash asks for rights to access the webcam. Flash asks for rights to access the microphone. Flash can tell on you in so many ways, including font lists. Flash has its own way of upgrading although it's just a silly plugin and needs a browser to do its magic. Flash, as you wrote, has a particular type of storage. Flash, as you wrote, needs one extension or app to remove its storage and another extension in order to stop it from playing. Are you sure these aren't enough reasons to remove any trace of it on a system you own?

J.A. Terranson

11:02 p.m.

New subject: Browser fingerprinting

On Sat, 19 Oct 2013, Moon Jones wrote:

...

On 14.10.2013 16:55, Griffin Boyce wrote:

...
In addition to the other great recommendations, I'd highly recommend blocking Flash if you're concerned about privacy. Not only do flash cookies persist longer / are hard to block / are harder to remove, but it's easy to fingerprint someone via a tiny bit of flash. Flash is also enabled by default on Google Chrome, so check out FlashBlock [2]. It also offers more granularity in case you like gaming :D

Flash is proprietary. Meaning licensing problems with the media.

Flash is closed source. Meaning it can contain anything. See the latest talk about DLink routers.

For mozilla users, the NoScript" plugin is like having a helping hand from god (on her days off): It's super easy to use, highly rffrctive, and throughput neutral. //Alif -- Those who make peaceful change impossible, make violent revolution inevitable. An American Spring is coming: one way or another.

coderman

21 Oct 21 Oct

1:16 a.m.

New subject: Browser fingerprinting

On Sat, Oct 19, 2013 at 7:33 AM, Moon Jones wrote:

...

[... a million and one reasons to avoid Flash ...]

use a throw-away Qubes AppVM to run your flash content. route it over a Qubes Tor VM. there! nearly all your concerns address while retaining the convenience of Flash. (this technique applies to many other formats and use cases) ... i do agree with your basic premise however; Flash needs to die.

coderman

1:18 a.m.

New subject: Browser fingerprinting

On Sun, Oct 20, 2013 at 6:16 PM, coderman wrote:

...

... i do agree with your basic premise however; Flash needs to die.

Griffin Boyce

2:15 a.m.

New subject: Browser fingerprinting

Moon Jones wrote:

...

Griffin Boyce wrote:

...
[flash bad, flash gaming awesome]

Are you sure these aren't enough reasons to remove any trace of it on a system you own?

For me, no, because I enjoy using flash to play games and look at art projects. One can use a VM for gaming if they really want to, but I choose not to. The trade-offs for me are performance, hassle, and the fact that virtualbox won't run on my machine. It's probably a bit off-topic, but in the next couple of months I plan to get a dedicated Windows machine that is used only for testing and gaming. Lots of games have questionable components (flash-based and otherwise). Getting another machine the ultimate sandbox. But you've got to weigh cost, necessity, and (frankly) relative interest. If I didn't *also* need one for Windows development, I wouldn't bother with it. best, Griffin -- "Cypherpunks write code not flame wars." --Jurre van Bergen #Foucault / PGP: 0xAE792C97 / OTR: saint@jabber.ccc.de My posts are my own, not my employer's.

Cathal Garvey

14 Oct 14 Oct

2:33 p.m.

...

The Tor Browser, of course!

https://www.torproject.org/torbrowser/design

:) Fair point! I guess if I want a common user-agent from a browser that minimises fingerprinting generally, I couldn't get any better than Tor Browser with the Tor bits turned off. Come to think of it, I may just do that now for my routine-daily-browser and replace Iceweasel with a gutted version of Tor BB's Aurora build. Thanks! On Mon, 14 Oct 2013 13:46:15 +0000 Jacob Appelbaum wrote:

...

Cathal Garvey:

...
Well, crap. Thanks for that!

Anyone with FF-plugin chops care to make a better version?

The Tor Browser, of course!

https://www.torproject.org/torbrowser/design

These may be interesting to you:

https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-...

https://blog.torproject.org/blog/deterministic-builds-part-two-technical-det...

Source and binary releases are available - I suggest using the 3.0 alphas to help us improve them for general use:

https://blog.torproject.org/category/tags/tbb-30

All the best, Jacob

Al Billings

4:54 p.m.

About 19 years ago, it was. The rest of the world (and web developers) moved on since then. From: Cathal Garvey Cathal Garvey Wasn't the whole idea of browser rendering that the server would send one canonical page to the client, and the client is responsible for rendering? -- Al Billings http://makehacklearn.org

Adam Back

5:30 p.m.

Well you should say the web developers regressed since then. Adam On Mon, Oct 14, 2013 at 09:54:24AM -0700, Al Billings wrote:

...

About 19 years ago, it was. The rest of the world (and web developers) moved on since then. __________________________________________________________________

From: Cathal Garvey [1]Cathal Garvey

Wasn't the whole idea of browser rendering that the server would send one canonical page to the client, and the client is responsible for rendering?

Eugen Leitl

6:15 p.m.

On Mon, Oct 14, 2013 at 07:30:22PM +0200, Adam Back wrote:

...

Well you should say the web developers regressed since then.

The worst is that the entire trainwreck has been so predictable, right from the start.

Bill Stewart

15 Oct 15 Oct

12:24 a.m.

At 11:15 AM 10/14/2013, Eugen Leitl wrote:

...

On Mon, Oct 14, 2013 at 07:30:22PM +0200, Adam Back wrote:

...
Well you should say the web developers regressed since then.

The worst is that the entire trainwreck has been so predictable, right from the start.

If by "right from the start" you're including "back in ~1987, when I was on standards committees that were specifying SGML for their applications", then yes, the trainwreck was around then, even before HTML or the web. "Computer-Aided Logistics Support", aka CALS, was trying to address standards for handling documentation, mainly for the aircraft business and military contractors; you couldn't fit the design and maintenance documentation for a typical cargo airplane into the airplane itself. The people who got the concept wanted to be able to do things like have maintenance manuals that you could read on whatever display you had, whether it's a high-res computer terminal or a monospaced wrist-mounted screen when you were standing on a ladder working on an engine, and you'd have objects like "a 2nd-level header". The people who didn't get it wanted to be able to have data formats that could keep track of page numbers (so you could replicate taking the old page 1435.2 out of a 3-ring binder and replace it with an updated version), and objects like "a line of 14-point bold-faced text." We ended up with some botched DTD that sort of let you do both, badly. Graphics were supposed to be in a portable vector-based format, but they didn't have that finished while I was still working on that committee. And eventually Sir Tim came up with HTML, which was sort of like a simplified DTD that did basic markup mostly correctly (plus hypertext and forms entry!), though with bitmapped pictures, and later people started to botch it up by letting you specify specific fonts and layouts (even if the reader's display didn't look like the author's), and Javascript to try to plaster over the botches, and it's been unsafely downhill from there.

Al Billings

2:27 a.m.

Only if you wish it was "the good old days" but then this is the list with folks that refuse to run JavaScript and don't understand why anyone would want to use twitter, as I recall. Al On Mon, Oct 14, 2013 at 10:30 AM, Adam Back > wrote: Well you should say the web developers regressed since then. Adam

Eugen Leitl

9:08 a.m.

On Mon, Oct 14, 2013 at 07:27:07PM -0700, Al Billings wrote:

...

Only if you wish it was "the good old days" but then this is the list with folks

The future that never was was built with Lisp machines and NeWS.

...

that refuse to run JavaScript and don't understand why anyone would want to use twitter, as I recall.

Twatr who?

James A. Donald

11:33 a.m.

My web site returns the same result regardless of what browser hits it, so all that stuff is wasted bandwidth. I don't see that there is much use in providing that information.

Eugen Leitl

12:23 p.m.

On Tue, Oct 15, 2013 at 09:33:22PM +1000, James A. Donald wrote:

...

My web site returns the same result regardless of what browser hits it, so all that stuff is wasted bandwidth. I don't see that there is much use in providing that information.

Latest TBB3: Within our dataset of several million visitors, only one in 466 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 8.86 bits of identifying information.

Cathal Garvey

9:54 a.m.

...

with folks that refuse to run JavaScript Not "JavaScript"; "Unverified, potentially malicious code with a rich history of exploits inside a frame I use to navigate the online world". It wouldn't matter if the code was LISP or Python; the problem isn't the language, it's the context.

That said, I do run Javascript, albiet through NoScript. I just wish there were more fine-grained policy restrictions I could place on it, such as "No XmlHttpRequest/Websocket" or "No browser introspection (fonts, boundaries, etc.)", and let webapps that are trying to fingerprint me without my permission just crash and burn. On Mon, 14 Oct 2013 19:27:07 -0700 (PDT) "Al Billings" wrote:

...

Only if you wish it was "the good old days" but then this is the list with folks that refuse to run JavaScript and don't understand why anyone would want to use twitter, as I recall.

Al

On Mon, Oct 14, 2013 at 10:30 AM, Adam Back > wrote: Well you should say the web developers regressed since then.

Adam

James A. Donald

11:51 a.m.

On 2013-10-15 19:54, Cathal Garvey wrote:

...

...
with folks that refuse to run JavaScript Not "JavaScript"; "Unverified, potentially malicious code with a rich history of exploits inside a frame I use to navigate the online world". It wouldn't matter if the code was LISP or Python; the problem isn't the language, it's the context.

That said, I do run Javascript, albiet through NoScript. I just wish there were more fine-grained policy restrictions I could place on it, such as "No XmlHttpRequest/Websocket" or "No browser introspection (fonts, boundaries, etc.)", and let webapps that are trying to fingerprint me without my permission just crash and burn.

Javascript can be controlled by being recompiled into the Caja subset of javascript. In practice, however, this is only done when a server controlled by one organization is generating a web page containing javascript controlled by another organization - Caja is used to protect one website against another, but not used to protect the client against the website.

Cathal Garvey

12:16 p.m.

...

Javascript can be controlled by being recompiled into the Caja subset of javascript. I've been thinking along these lines, all right. So what functions of Javascript are nonessential to the concept of a "rich webapp" but useful for abuse and fingerprinting? If you could strip JS down to a set of awesome functions that reduce the abuse potential, what stuff would you strip out?

A lot of the nasty stuff isn't even JS engine stuff, it's DOM stuff from the browser being made available to JS, so it's not entirely linguistic. A lot of it's bad API, probably much harder to fix. Still, reduced-set JS, with an in-browser standard for verifying signed JS code, would be great. I'm often boggled when I think this over that RMS forgot to include code signing in his suggestion for how to markup non-trivial JS with source code and license text; I figured "code verification" would be a crucial part of the Free Software philosophy when it comes to drive-by code. Another crucial change I'd like to see: immutable javascript. When including a script with the <script> tag, there should be an attribute "immutable=true" and another saying "opaque=true" that prevents *code in the page* from reading or modifying that script, while not preventing the user from reading or auditing the code. Ability of dynamically included/injected JS to fuck up or spy on other JS on the page is the principal reason that you can't trust JS-crypto even if you trust the host. On Tue, 15 Oct 2013 21:51:46 +1000 "James A. Donald" wrote:

...

On 2013-10-15 19:54, Cathal Garvey wrote:

...
...
with folks that refuse to run JavaScript Not "JavaScript"; "Unverified, potentially malicious code with a rich history of exploits inside a frame I use to navigate the online world". It wouldn't matter if the code was LISP or Python; the problem isn't the language, it's the context.

That said, I do run Javascript, albiet through NoScript. I just wish there were more fine-grained policy restrictions I could place on it, such as "No XmlHttpRequest/Websocket" or "No browser introspection (fonts, boundaries, etc.)", and let webapps that are trying to fingerprint me without my permission just crash and burn.

Javascript can be controlled by being recompiled into the Caja subset of javascript.

In practice, however, this is only done when a server controlled by one organization is generating a web page containing javascript controlled by another organization - Caja is used to protect one website against another, but not used to protect the client against the website.

dan＠geer.org

12:01 p.m.

Cathal Garvey

...

Wasn't the whole idea of browser rendering that the server would send one canonical page to the client, and the client is responsible for rendering?

If only. The client is now the server's server. And, yeah, I am one of those who refuses Javascript, so the web is shrinking fast from where I sit. Oh, well. --dan

Eugen Leitl

12:27 p.m.

On Tue, Oct 15, 2013 at 08:01:11AM -0400, dan@geer.org wrote:

...

And, yeah, I am one of those who refuses Javascript, so the web is shrinking fast from where I sit. Oh, well.

As long as you're jailing your browser into an amnesiac compartment and run TBB (latest 3 alpha is pretty good) your risk is minimal.

staticsafe

1:20 p.m.

On 10/15/2013 08:27, Eugen Leitl wrote:

...

On Tue, Oct 15, 2013 at 08:01:11AM -0400, dan@geer.org wrote:

...
And, yeah, I am one of those who refuses Javascript, so the web is shrinking fast from where I sit. Oh, well.

As long as you're jailing your browser into an amnesiac compartment and run TBB (latest 3 alpha is pretty good) your risk is minimal.

What about the people who don't want to use TBB (like me)? A Firefox addon collection [0] would be a nice start, if it doesn't already exist. [0] - https://addons.mozilla.org/en-US/firefox/collections/ -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post. It is not logical. Please don't CC me! I'm subscribed to whatever list I just posted on.

3987

Age (days ago)

4001

Last active (days ago)

List overview

Download

33 comments

18 participants

participants (18)

Adam Back
Al Billings
Alfie John
Bill Stewart
Carsten N.
Cathal Garvey
coderman
dan＠geer.org
Eugen Leitl
Griffin Boyce
J.A. Terranson
Jacob Appelbaum
James A. Donald
katana
Mike Kuketz
Moon Jones
staticsafe
Stephan Neuhaus