[linux-elitists] Browser fingerprinting

Cathal Garvey cathalgarvey at cathalgarvey.me
Mon Oct 14 05:10:33 PDT 2013


Well, crap. Thanks for that!

Anyone with FF-plugin chops care to make a better version?

This all seems a bit backwards, though. Wasn't the whole idea of
browser rendering that the server would send one canonical page to the
client, and the client is responsible for rendering? Our browsers
shouldn't even be telling the server their dimensions, CPUs and OSes;
if we can't render the page sent by the site, either we or the site are
at fault but not our architectures and OSes.

This internet is broken, make me a new one.

On Mon, 14 Oct 2013 09:27:41 +0200
katana <katana at riseup.net> wrote:

> Hi,
> 
> > Check out firegloves. It's outdated, and I'd love to see it getting 
> > some love, but it's a great POC for anti-fingerprinting in Firefox.
> 
> In <http://www.cosic.esat.kuleuven.be/publications/article-2334.pdf>
> about their FPDetective Framework
> <http://homes.esat.kuleuven.be/~gacar/fpdetective/>, the authors wrote
> about Firegloves:
> 
> "Additionally, Firegloves limits the number of fonts that a single
> browser tab can load and reports false dimension values for the
> offsetWidth and offsetHeight properties of HTML elements to evade
> JavaScript-based font detection. We evaluated the effectiveness of
> Firegloves’ as a countermeasure to fingerprinting, and discovered
> several shortcomings. For instance, instead of relying on offsetWidth
> and offsetHeight values, we could easily use the width and the height
> of the rectangle object returned by getBoundingClientRect method,
> which returns the text’s dimensions, even more precisely than the
> original methods. This enabled us to detect the same list of fonts as
> we would without the Firegloves extension installed. Surprisingly,
> our probe for fonts was not limited by the claimed cap on the number
> of fonts per tab. This might be due to a bug, or to changes in the
> Firefox extension system that have been introduced after FireGloves,
> which is not currently being maintained, was first developed.
> Although Firegloves spoofs the browser’s user-agent and platform to
> pretend to be a Mozilla Firefox version 6 running on a Windows
> operating system, the navigator.oscpu is left unmodified, revealing
> the true platform. Moreover, Firegloves did not remove any of the new
> methods introduced in later versions of Mozilla Firefox and
> available in the navigator object, such as navigator.mozCameras and
> navigator.doNotTrack."
> 
> I add: OK, the navigator.oscpu issue can be fixed easily, but the
> timezone feature doesn't work either with JavaScript enabled.
> 
> ---
> Katana
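
The leaks listed in the quoted FPDetective passage (a spoofed user-agent and platform beside an unmodified navigator.oscpu, plus properties newer than the claimed Firefox 6) can be checked mechanically when auditing an anti-fingerprinting extension. This is an added example, not part of the thread and not Firegloves or FPDetective code; the function names, the sample navigator objects and the "introduced in" version numbers are constructed assumptions.

```javascript
// Added example: audit a navigator-like object for self-contradictions.
// Map an OS hint string (userAgent, platform, oscpu) to a coarse family.
const osFamily = (s) =>
  typeof s !== "string" ? null
  : /\bwin/i.test(s) ? "windows"
  : /\bmac/i.test(s) ? "mac"
  : /linux|x11/i.test(s) ? "linux" : null;

// Firefox major version claimed in the user-agent string, or null.
function claimedFirefoxMajor(ua) {
  const m = /Firefox\/(\d+)/.exec(ua || "");
  return m ? Number(m[1]) : null;
}

// newerProps maps a property name to the first major version that has it.
function auditSpoofedProfile(nav, newerProps) {
  const findings = [];
  const claimed = osFamily(nav.userAgent);
  for (const field of ["platform", "oscpu"]) {
    const fam = osFamily(nav[field]);
    if (claimed && fam && fam !== claimed) {
      findings.push(`${field} reports ${fam}, user-agent claims ${claimed}`);
    }
  }
  const major = claimedFirefoxMajor(nav.userAgent);
  for (const [prop, since] of Object.entries(newerProps)) {
    if (major !== null && major < since && prop in nav) {
      findings.push(`${prop} present, but claimed Firefox ${major} predates it`);
    }
  }
  return findings;
}

// Assumed placeholder versions: the quoted text only says "later than 6".
const ASSUMED_NEWER_PROPS = { mozCameras: 7, doNotTrack: 7 };

// Constructed profile mirroring the quoted description of a spoofed browser.
const SAMPLE_SPOOFED = {
  userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0",
  platform: "Win32", oscpu: "Linux x86_64",
  doNotTrack: "unspecified", mozCameras: {},
};
// Constructed profile in which every field tells the same story.
const SAMPLE_CONSISTENT = {
  userAgent: SAMPLE_SPOOFED.userAgent, platform: "Win32", oscpu: "Windows NT 6.1",
};

console.log(auditSpoofedProfile(SAMPLE_SPOOFED, ASSUMED_NEWER_PROPS));
```

In a browser, pass the real `navigator` object as the first argument while the extension under test is enabled; an empty result means none of these particular contradictions were found, not that the profile is unlinkable.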
