🆕 Software Suggestion | Trace - anti fingerprint #1801

Closed
opened 2020-03-26 13:23:47 +00:00 by Hxmwqk79 · 4 comments
Hxmwqk79 commented 2020-03-26 13:23:47 +00:00 (Migrated from github.com)

I would like to suggest the Trace browser extension,
the feature-rich anti-browser fingerprint extension,
https://github.com/jake-cryptic/AbsoluteDoubleTrace/
https://absolutedouble.co.uk/trace/
https://addons.mozilla.org/en-US/firefox/addon/absolutedouble-trace/

Trace is the best of the best for making Firefox anti-fingerprint-able. Compared to others like CanvasBlocker or Chameleon, Trace is very feature-rich and more exhaustive.

I am making this suggestion because browser fingerprinting, similarly to cookies and IP addresses, is one of the ways websites are able to track you.

I had the honour of contacting the developer (email) to report 2 fingerprinting aspects Trace is yet to adequately defend against, CSS screen size (different from other screen size tests) and Character Sizes. I used the browserprint.info site to test and find these weaknesses. It was the most sophisticated browser fingerprint tester I've ever seen, but the website has since gone down. GitHub: https://github.com/CryptoCubik/browserprint

My connection with the software

I am enthusiastic about the software as I was an early user and I want to spread the news as I believe it is a great project.

beerisgood commented 2020-03-27 07:49:05 +00:00 (Migrated from github.com)

Using browser add-ons against fingerprinting doesn't help, as the add-on itself increases the fingerprint.
This needs to be done at browser level and enabled by default so all users have the same config instead of creating your own, unique fingerprint

Hxmwqk79 commented 2020-03-27 23:14:25 +00:00 (Migrated from github.com)

> Using browser add-ons against fingerprinting doesn't help, as the add-on itself increases the fingerprint.
> This needs to be done at browser level and enabled by default so all users have the same config instead of creating your own, unique fingerprint

There are two ways to resist browser fingerprinting. One, by having a common fingerprint (what you are referring to). And two, by spoofing and changing your fingerprint frequently (what Trace does).

I am suggesting Trace for privacy.resistFingerprinting doesn't give you a common enough fingerprint.

Thorin-Oakenpants commented 2020-03-28 06:27:43 +00:00 (Migrated from github.com)

First of all, no disrespect to the developer: this is just my opinion, and I haven't really deep dived this extension, but I have looked at it a few times in the past .. and my conclusion is

  • it's trying to do too much (jack of all trades and master of none)
  • it doesn't do it well (AT ALL)
  • it's not as exhaustive as you think (it only partially protects and only against some methods)
  • and there are lots of little things that indicate a lack of "experience" (for lack of a better word), such as the giant huge interface, the gaudy gradient, etc
  • I also don't like the presence of a premium option

So I installed it in practically a vanilla profile on Firefox Nightly, and immediately found several flaws without even looking very hard: here's some

  • UA: ~service~ web workers leak (and probably service workers)
  • UA: the spoofed navigator properties are not plausible for Firefox (I only looked at FF)
    • the buildID is missing
    • the oscpu contains a fucking language string and is missing the OS architecture
    • the appVersion is the same ^^
    • the userAgent is the same ^^
  • domrect
    • Element.getBoundingClientRect is not protected at all
  • hardware
    • I can tell an extension is blocking VR devices
  • screen resolution
    • leaks via matchMedia
    • without looking at the code (and I'm not going to), I can also tell via another method that it's a lie, because the extension is incorrectly changing values it shouldn't in one of my tests
  • canvas
    • does not protect against isPointInPath
    • does not protect against isPointInStroke
  • audio
    • OMG .. I turned on all audio protections and it didn't do anything AFAICT
    • it failed to protect getChannelData
    • it failed to protect copyFromChannel
    • it failed audioContext properties, OscillatorNode, DynamicCompressor tests

^^ all that in 10 minutes

I'm not even going to dig any deeper. It's all well and good to protect against some methods, but you need to protect against all of them. I'd hate to see what exactly really leaks in his canvas, webgl, domrect, audio. Because if he can't even get something as basic as navigator properties right, then I doubt the other measures are any good.

And to be frank (without changing my name), when I see protection for Battery listed, I just cringe. The Battery API has been inaccessible to web content since Firefox 52 - that's over three years ago 2017-March-07 (https://wiki.mozilla.org/Release_Management/Calendar) - here's the proof (https://bugzilla.mozilla.org/1313580)

I had a quick look at the repo: the dev seems to think he can block font fingerprinting (yeah, nah!). And I don't know why you would think he could block css screen leaks

There's so much more I could say, but let's just leave it at that.

tl;dr: I wouldn't touch it with a barge-pole ... social distancing and all

> I used the browserprint.info site to test and find these weaknesses. It was the most sophisticated browser fingerprint tester I've ever seen, but the website has since gone down. GitHub: https://github.com/CryptoCubik/browserprint

That's not very comprehensive or sophisticated, sorry. At least not any more. A lot of it is outdated. It's over 3 years old, and not maintained, obviously. A quick search would find you far more up-to-date scripts/demos

Not sure if you're sincere, or shilling. Your account is rather new, and you have no GitHub history. Maybe you're really into this and trying to help. But when you state that you rate something better because it has more features, I can't take you seriously.

I've actually had a lot of contact with the CanvasBlocker developer, and some contact with the developer of Chameleon - and those guys know what they're doing. More so than me: I know sweet F all, but even I could tell Trace wasn't any good practically just by looking at it: now I've actually installed it and given it a 10 minute spin, my assumptions were correct

PS: sorry if I sound like a prick
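
Added example, not part of the comment above or of any project it mentions: a self-audit that checks a spoofed Firefox profile for three of the inconsistencies listed (worker values differing from the page, missing `buildID` / implausible `oscpu`, and `screen.width` disagreeing with CSS media queries). The snapshot field names and sample values are constructed, and the `oscpu` check is a heuristic assumption.

```javascript
// Added example: self-audit of a spoofed Firefox profile. Snapshot field names
// (screenWidth etc.) are hypothetical; in a browser, fill `page` from
// navigator/screen, `worker` from navigator inside a Worker, and pass
// q => matchMedia(q).matches as `matches`.

// Largest N for which `(min-device-width: Npx)` matches, by binary search.
function widthViaMedia(matches, lo = 0, hi = 16384) {
  while (lo < hi) {
    const mid = Math.ceil((lo + hi) / 2);
    if (matches(`(min-device-width: ${mid}px)`)) lo = mid;
    else hi = mid - 1;
  }
  return lo;
}

function auditProfile(page, worker, matches) {
  const findings = [];
  // A worker has its own navigator; a page-only override leaves it untouched.
  for (const key of ["userAgent", "appVersion", "platform"]) {
    if (page[key] !== worker[key]) findings.push(`worker ${key} differs from page`);
  }
  if (/Gecko\/\d+ Firefox\//.test(page.userAgent)) {
    // Firefox exposes buildID as a 14-digit timestamp string.
    if (!/^\d{14}$/.test(page.buildID || "")) findings.push("buildID missing or malformed");
    // Heuristic (assumption): Firefox's oscpu text also appears inside its userAgent.
    if (!page.oscpu || !page.userAgent.includes(page.oscpu)) {
      findings.push("oscpu inconsistent with userAgent");
    }
  }
  const cssWidth = widthViaMedia(matches);
  if (cssWidth !== page.screenWidth) {
    findings.push(`screen.width ${page.screenWidth} but CSS media reports ${cssWidth}`);
  }
  return findings;
}

// Constructed sample: page values spoofed, worker and CSS engine still real.
const realUA = "Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0";
const spoofedPage = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0",
  appVersion: "5.0 (Windows)", platform: "Win32",
  oscpu: "en-US", buildID: undefined, screenWidth: 1366,
};
const realWorker = { userAgent: realUA, appVersion: "5.0 (X11)", platform: "Linux x86_64" };
const realMedia = (q) => Number(/(\d+)px/.exec(q)[1]) <= 1920;

console.log(auditProfile(spoofedPage, realWorker, realMedia));
```

An empty result only means these particular checks passed; it says nothing about canvas, audio or DOMRect readouts.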

dngray commented 2020-03-28 12:53:30 +00:00 (Migrated from github.com)

I hadn't heard of this extension before.

I very much value your extensive experience on issues like this @Thorin-Oakenpants

As a result we're not going to be doing further research on this. It won't be added.

Reference: privacyguides/privacytools.io#1801