getClientRects() provides a persistent fingerprint #236
Comments
|
Again a page the uses the very bad audio fingerprinting code... copy/paste without brain is not good. But to your "problem". getClientRects() is not a Canvas-function and that's why it's not protected. Or is this just a feature request to protect that as well? |
|
Can I humbly vote this issue to be a feature request? ❤️ Thank you |
|
Yes, I guess this would be a feature request. Sorry for not making that clear. |
|
No Problem. Do you have any research about the usability of this fingerprint? How much does this vary? |
|
Yeah I found some stuff about it, and I'll quote: |
|
I didn't know that you get subpixel precision with this... Protecting this is a good idea and I have a way to do this. The question is how to protect... I think we should only fake if the value is not an integer - otherwise detection would be simple. |
|
Yeah that sounds like a good approach to me. |
|
Does @Thorin-Oakenpants have some more knowledge about this to drop? |
|
It makes sense that opera and chrome are the same as they use the same rendering engine. The big differences between the FFs is quite surprising. |
|
The rabbit hole of this API is quite deep... And Google ads do weird stuff with it as well (got up to over 10000 notifications on the browserleaks test page from an ad - so I had to change the way the notifications work for this API). Now it's time to polish and test. |
|
Awesome good work!! |
Pixel fractions can be controlled by CSS. These fractions must not be faked. For #236.
|
It has been passing all the tests for me so far. Thank you! |
|
No complaints here either, seems to work flawless on the CB test page. |
|
Great. Then I will merge to master and close this issue. |
|
I just had to deactivate the DOMRect API protection for twitter.com, it made videos in the feed flicker while scrolling and unplayable. I noticed on Twitter, as well as on Youtube that those sites use massive amounts of DOMRects requests (up to 1600 times per page), are those amounts a significant drain on resources (and hence laptop battery..), or rather insignificant? And what for do these sites use the DOMRects API so massively? |
|
@kkapsner While adding the exception for twitter.com, I noticed that the German locale string "inputURL" isn't translated, I propose to replace it with "Domain oder URL (RegExp) eingeben:". Maybe you can enclose "RegExp" in brackets in the English locale as well, I think it would make it a bit easier to understand, since "RegExp" is probably a term 90 % of users never heard of.. |
|
I think they use it to determine the positions of all the elements so they know were to display the overlays. |
|
https://twitter.com/NFL_Memes has a lot of videos in its feed that start to flicker when you scroll a bit up and down. They're usually still playable when scrolled to the right position, but not always (one video in my personal feed was zoomed in after flickering and wouldn't play anymore). |
|
A similar flickering happens with the right column of facebook.com, when scrolling.. there's no such issue on youtube.com though, despite both two using "getBoundingClientRect" in 4-figure amounts after scrolling around for a bit. |
|
OK - I see the flickering as well. No idea what happens there... The faking is done under 0.01 pixel. But I also see it when I completely disable CB. |
|
Should we also disable DOMRect by default? It's really heavy on performance (as the API is used very much). |
Really? That's weird, after a refresh (after whitelisting twitter.com) I don't get a single flicker anymore, when scrolling.
I think so. |
|
It's less obvious and requires fast pace scrolling. But I see it.
@DRigby26 and @Thorin-Oakenpants: What are your opinions? |
|
Yeah I'd say that would be a good idea. |
Entry No. 3 for Instagram.com ... |
|
Maybe it get's better when the RAM usage is lowered. The new setting is almost finished. |
|
Please try the new alpha: https://github.com/kkapsner/CanvasBlocker/releases/tag/0.5.4-Alpha2 |
|
Facebook works 98 % without flickering now (well enough for me), Twitter and Instagram are still not useable. Did you already test how much the RAM consumption increases with just the counter (without details) now, with 1000+ requests? |
|
Everything seems good on my end. When I test it on Twitter I don't notice any problems. |
|
@DRigby26 The problems on Twitter still "only" concern videos. The "2018-2017-2016.." bar on Github's profile sites bounces around like hell too btw (edit: if it contains too many years), when scrolling, but that's tolerable.. |
|
I do not see an increase: |
|
I found the issue for the github bouncing. New alpha will follow soon. |
|
Excellent job, the flickering and bouncing issues are gone everywhere! 🍾 |
|
Great. Then this API protection has finally landed. |
|
It has been working great for me so far. |
|
Great - thanks for testing. |
|
So I just started testing the RC2 release and noticed that for the detection test CB is able to be detected for function code along with known pixel value 1 &10. I have resistFingerprint enabled and I know that the detection with known pixel value is inevitable but I haven't noticed the function code detection before. @kkapsner |
|
Thanks for pointing this out. I have to fix that. |
|
Found the issue: NoScript - please open an issue there. |
1 similar comment
|
Found the issue: NoScript - please open an issue there. |
|
What is the issue exactly? |
|
They alter some functions (in this case the getter and setter of window.name) in a way that is detectable. You can simply direct them to my detection test page. |
|
Awesome! and I just submitted that bug report with NoScript. |
@kkapsner care to elaborate? |
|
https://www.bromite.org/fp/audio.js: and for (var i = 4500; 5e3 > i; i++) {
pxi_output += Math.abs(event.renderedBuffer.getChannelData(0)[i]);
}call You can have a look at https://canvasblocker.kkapsner.de/test/audioTest.html on how much faster this fingerprinting can be (and it does 19 finterprints...). EDIT: just dug out the original source of the bad code: https://audiofingerprint.openwpm.com/ EDIT2: CB does no longer has the problem that it hangs massively. But the code is still slow - you even have a notice about the audio fingerprint being slow. |
When using the testing page https://www.bromite.org/detect I found that the API getClientRects() will provide a persistent fingerprint.
The text was updated successfully, but these errors were encountered: