🆕 Software Suggestion | CanvasBlocker Firefox Addon #1006

Closed
opened 2019-06-23 10:06:25 +00:00 by zero77 · 15 comments
zero77 commented 2019-06-23 10:06:25 +00:00 (Migrated from github.com)

I think it would be more helpful to have CanvasBlocker addon in https://www.privacytools.io/browsers/#addons and under the For Experts Only part.

Because at the moment it's easy to miss, as it is easily overlooked; also, it's an addon and the current section that it is in is mostly browser fingerprint testing and informational, https://www.privacytools.io/browsers/#fingerprint.

beerisgood commented 2019-06-23 12:48:18 +00:00 (Migrated from github.com)

Blocking Canvas makes you more unique.
Better solution is using "privacy.resistFingerprinting" in Firefox, which sends only a Tor browser ID and this is the same for all users.

zero77 commented 2019-06-23 13:01:15 +00:00 (Migrated from github.com)

@beerisgood
Thanks, but I think that's just the name; I think it does do things like this and more.
But correct me if I am wrong.
https://github.com/kkapsner/CanvasBlocker

beerisgood commented 2019-06-23 14:35:07 +00:00 (Migrated from github.com)

What do you mean with "more and more"?
There is no need for this addon

zero77 commented 2019-06-23 15:06:26 +00:00 (Migrated from github.com)

@beerisgood
I think its name is misleading, read through what it does.

beerisgood commented 2019-06-23 15:25:18 +00:00 (Migrated from github.com)

Okay I do, but don't recommend it now.
If you want to make your Firefox less trackable, take a look at gHacks user.js, which does the same stuff this addon does and more.

Mikaela commented 2019-06-23 16:04:33 +00:00 (Migrated from github.com)

What does CanvasBlocker do that Privacy.Resistfingerprinting doesn't?

zero77 commented 2019-06-23 18:46:14 +00:00 (Migrated from github.com)

I can't find everything Privacy.Resistfingerprinting covers; does it cover audio, history, window and navigator, for example?

beerisgood commented 2019-06-23 19:10:35 +00:00 (Migrated from github.com)

@zero77 From https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js - [SECTION 4500]: RFP (RESIST FINGERPRINTING)

418986 - limit window.screen & CSS media queries leaking identifiable info (FF41+)
[NOTE] Info only: To set a size, open a XUL (chrome) page (such as about:config) which is at
100% zoom, hit Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run.
Test your window size, do some math, resize to allow for all the non inner window elements
[TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen
** 1281949 - spoof screen orientation (FF50+)
** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+)
FF53: Fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044)
** 1330890 - spoof timezone as UTC 0 (FF55+)
FF58: Date.toLocaleFormat deprecated (818634)
FF60: Date.toLocaleDateString and Intl.DateTimeFormat fixed (1409973)
** 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) (FF55+)
This spoof shouldn't affect core chrome/Firefox performance
** 1217238 - reduce precision of time exposed by javascript (FF55+)
** 1369303 - spoof/disable performance API (see 2410-deprecated, 4602, 4603) (FF56+)
** 1333651 & 1383495 & 1396468 - spoof Navigator API (see section 4700) (FF56+)
FF56: The version number will be rounded down to the nearest multiple of 10
FF57: The version number will match current ESR (1393283, 1418672, 1418162, 1511763)
FF59: The OS will be reported as Windows, OSX, Android, or Linux (to reduce breakage) (1404608)
FF66: The OS in HTTP Headers will be reduced to Windows or Android (1509829)
FF68: Reported OS versions updated to Windows 10, OS 10.14, and Android 8.1 (1511434)
** 1369319 - disable device sensor API (see 4604) (FF56+)
** 1369357 - disable site specific zoom (see 4605) (FF56+)
** 1337161 - hide gamepads from content (see 4606) (FF56+)
** 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true (see 4607) (FF56+)
** 1333641 - reduce fingerprinting in WebSpeech API (see 4608) (FF56+)
** 1372069 & 1403813 & 1441295 - block geolocation requests (same as denying a site permission) (see 0201, 0201b) (FF56-62)
** 1369309 - spoof media statistics (see 4610) (FF57+)
** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) (FF57+)
** 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) (FF57+)
** 1382545 - reduce fingerprinting in Animation API (FF57+)
** 1354633 - limit MediaError.message to a whitelist (FF57+)
** 1382533 - enable fingerprinting resistance for Presentation API (FF57+)
This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
** 967895 - enable site permission prompt before allowing canvas data extraction (FF58+)
FF59: Added to site permissions panel (1413780) Only prompt when triggered by user input (1376865)
** 1372073 - spoof/block fingerprinting in MediaDevices API (FF59+)
Spoof: enumerate devices reports one "Internal Camera" and one "Internal Microphone" if
media.navigator.enabled is true (see 2505 which we chose to keep disabled)
Block: suppresses the ondevicechange event (see 4612)
** 1039069 - warn when language prefs are set to non en-US (see 0207, 0208) (FF59+)
** 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59+)
Spoofing mimics the content language of the document. Currently it only supports en-US.
Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected.
FF60: Fix keydown/keyup events (1438795)
** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+)
** 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+)
** 1479239 - return "no-preference" with prefers-reduced-motion (FF63+)
** 1363508 - spoof/suppress Pointer Events (see 4614) (FF64+)
FF65: pointerEvent.pointerid (1492766)
** 1485266 - disable exposure of system colors to CSS or canvas (see 4615) (FF67+)
** 1407366 - enable inner window letterboxing (see 4504) (FF67+)
** 1540726 - return "light" with prefers-color-scheme (FF67+)

Mikaela commented 2019-06-24 19:13:24 +00:00 (Migrated from github.com)

> I can't find everything Privacy.Resistfingerprinting covers, does it cover audio, history, window and navigator for example.

Sorry, I got stuck on the name and haven't actually taken a look at CanvasBlocker yet.

> From https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js - [SECTION 4500]: RFP (RESIST FINGERPRINTING)

I think [this is the official list](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting), but yours seems a lot more detailed.

kkapsner commented 2019-06-24 21:54:06 +00:00 (Migrated from github.com)

The name CanvasBlocker is legacy. That's what it did at the beginning. Now it spoofs data by default (but you can block if you really want to...). This generates more entropy but this entropy is changing so it's reducing the tracking potential.

Thorin highlighted already some things and he has more insight of RFP than me. Two things I want to add are that CB can be a second layer of defence for canvas (e.g. you have a page that needs canvas to work properly so you have to allow them from RFP and then CB still protects you against fingerprinting - CB also has a more detailed whitelisting system.) and the navigator protection of RFP is horrible (visit https://canvasblocker.kkapsner.de/test/navigatorTest.php on a non windows machine: ![image](https://user-images.githubusercontent.com/1105157/60054547-2ee0cf00-96db-11e9-8ae1-60c31369a4dc.png) - inconsistent data are increased entropy!)
kkapsner commented 2019-06-29 16:57:07 +00:00 (Migrated from github.com)

The "hide in the masses" makes total sense to me. I just think that having different values for the same property (userAgent), depending on the way you retrieve it, is bad. If you have to report 4 OSes to not break things it should be done consistently (I also guess that the HTTP-Header with the pretended OS will break pages. At least this issue was related to it: https://github.com/kkapsner/CanvasBlocker/issues/362).
But having four sets instead of two makes you less protected.
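
The inconsistency discussed in the comment above (the same browser reporting a different OS depending on whether the value is read from the HTTP `User-Agent` header or from `navigator`) can be checked against values collected from your own profile. This is an added example, not code from the thread or from CanvasBlocker; the function names and all sample strings are constructed for illustration.

```javascript
// Added example: checks whether the OS a browser reports is the same across
// every place a site can read it. All sample values below are constructed.

// Map a user-agent-like string to a coarse OS family.
function osFamily(value) {
  if (typeof value !== "string" || value === "") return null;
  const rules = [
    [/Android/i, "Android"], // must precede Linux: Android UAs contain "Linux"
    [/Windows|Win32|Win64/i, "Windows"],
    [/Mac OS X|Macintosh|MacIntel/i, "macOS"],
    [/Linux|X11/i, "Linux"],
  ];
  for (const [pattern, family] of rules) {
    if (pattern.test(value)) return family;
  }
  return "unknown";
}

// sources maps a label to the value read there, e.g. the User-Agent request
// header plus navigator.userAgent, navigator.platform and navigator.oscpu.
function checkOsConsistency(sources) {
  const byFamily = {};
  for (const [label, value] of Object.entries(sources)) {
    const family = osFamily(value);
    if (family === null) continue; // source not available, nothing to compare
    (byFamily[family] = byFamily[family] || []).push(label);
  }
  const families = Object.keys(byFamily);
  return { consistent: families.length <= 1, families, byFamily };
}

// Constructed sample: header claims Windows, script-visible values say Linux.
const mixedProfile = {
  "http:User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0",
  "navigator.userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
  "navigator.platform": "Linux x86_64",
  "navigator.oscpu": "Linux x86_64",
};
// Constructed sample: every source agrees.
const uniformProfile = {
  "http:User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0",
  "navigator.userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0",
  "navigator.platform": "Win32",
  "navigator.oscpu": "Windows NT 10.0; Win64; x64",
};

console.log(checkOsConsistency(mixedProfile));   // consistent: false
console.log(checkOsConsistency(uniformProfile)); // consistent: true
```

In a browser, build the `sources` object from the live `navigator` properties and from the `User-Agent` header as echoed back by a server you control.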

zero77 commented 2019-07-01 20:34:33 +00:00 (Migrated from github.com)

@Thorin-Oakenpants @kkapsner
Thank you for the explanations.

@beerisgood @Mikaela
I think the name CanvasBlocker has proven misleading, but I think it is more user friendly, simply because of the interface, which makes it easier for less technical users.

That's why I think it should be moved from where it is now to addons > For Experts Only so as not to alienate less technical users.

That's not to say one is better than the other, as that's a very different conversation.

Mikaela commented 2019-07-02 10:00:23 +00:00 (Migrated from github.com)

> PPS: can we add the firefox label to this?

Yes. Sorry, I had a bit of a busy time apparently and no one else seems to have come here.

> That's why i think it should be moved from where it is now to addons > For Experts Only so as not to alienate less technical users.

Where is it now?

(I have 813 emails and I guess I am not that interested in this issue. CC: @privacytoolsIO/editorial )

zero77 commented 2019-07-22 19:45:03 +00:00 (Migrated from github.com)

Sorry for the delay.

It is in https://www.privacytools.io/browsers/#fingerprint and under the "Firefox Addon: CanvasBlocker" part.

But I think it should be under https://www.privacytools.io/browsers/#addons and then the "For Experts Only" part.

blacklight447 commented 2019-09-03 12:59:44 +00:00 (Migrated from github.com)

To be fair, I think canvas blocker does not provide enough extras as we already recommend RFP. Every extra add on we recommend is another add on that can slow the browser down, go bad, and discourage the user from installing the tweaks at all because it's so much work. I am closing this issue; if someone else has more arguments on why they think it should still be listed, feel free to comment below to reopen the issue again for further discussion.

Reference: privacyguides/privacytools.io#1006