Add AudioContext Fingerprint Blocking?

[ChthonVII]

It looks like the world could really use a per-site blocker/spoofer for the AudioContext API. (See https://audiofingerprint.openwpm.com/) Maybe blocking/spoofing this API could be added to CanvasBlocker? Or, if that's too much a departure, maybe a separate extension using the same per-site blocker/spoofer model as CanvasBlocker?

[kkapsner]

I think this fingerprinting could be handled the same as canvas fingerprinting. But I'm not sure if this should be done in a separate addon. Both aproaches have benefits.

[secureemail]

What's the state on this? It is still talked about (https://webtransparency.cs.princeton.edu/webcensus/#audio-fp) and I think solving this would be good.

Anyone interested to post his results from https://audiofingerprint.openwpm.com/ ?

PS:
If this addon is called "CanvasBlocker", you may either rename it to something like FingerprintBlocker, or create a separate addon if AudioContext is solved. Just my opinion.

Also it's not going to be present in uBlock Origin: gorhill/uBlock#1647 [closed].
So this is one more reason to go ahead and then having more users to use your addon.

[kkapsner]

There is no state yet. Had no time to dig into this subject.

[secureemail]

No problem, I see that even the TorBrowser guys are still working on this: https://trac.torproject.org/projects/tor/ticket/13017

[jetwhiz]

From what I can tell, the most popular fingerprinting methods here involve the usage of:

• AudioBuffer.getChannelData() (and AudioBuffer.copyFromChannel())
• AnalyserNode.getFloatFrequencyData() (and AnalyserNode.getByteFrequencyData())

I'm not sure if the same fingerprinting could be pulled off with time-domain data (AnalyserNode.getFloatTimeDomainData() / AnalyserNode.getByteTimeDomainData()).

See:

• https://developer.mozilla.org/en-US/docs/Web/API/AudioBuffer
• https://developer.mozilla.org/en-US/docs/Web/API/AnalyserNode

I wouldn't be surprised if there are other methods of obtaining audio data in the API, though.

[L-a-n-g-o-l-i-e-r-s]

Has anyone identified an extension that has been created to address this issue yet? Thanks

[Fraponi]

I don't know about any addon but Mozilla has made it possible to disable the AudioContext API by setting dom.webaudio.enabled to false (https://bugzil.la/1288359). It's marked for being included in Firefox 51 which is schedules for 2017-01-24 (https://wiki.mozilla.org/RapidRelease/Calendar) so if you want to use it now you'll have to use beta/aurora/nightly. I also haven't really looked into where AudioContext is used so disabling it might break something.

[L-a-n-g-o-l-i-e-r-s]

If it is opt out by default, it would make you more track-able or no?

[kkapsner]

So you're mainly interested in the faking modes?

[L-a-n-g-o-l-i-e-r-s]

I guess, I'm not convinced an opt out is the way. I don't know enough about it though, you tell me.

[kkapsner]

I totally agree that an opt out is not the best way. Faking would be better.

[jugi1]

There is SIlverdog extension for chrome regarding audio fing.
Maybe it can help implementing this in CanvasBlocker
http://www.ghacks.net/2017/01/06/silverdog-a-sound-firewall-for-chrome/

[L-a-n-g-o-l-i-e-r-s]

@jugi1 are we sure this extension is directly related to this issue? It sounded a bit different from what I read there. I could be totally wrong, anyone test it on FF yet?

Awaiting eagerly for your response, thank you.

Edit:
Can anyone confirm https://audiofingerprint.openwpm.com/ is still working for them? Even enabling flash ended with no result for the upper portion, not sure if an extension or protection was developed in use on my side or the website is just broken, thanks.

[spodermenpls]

The mentioned site works fine on my end.

[L-a-n-g-o-l-i-e-r-s]

I tried it again today, it's working again, this is still, unfortunately, a problem, at least in Waterfox, not sure if FF 57 fixed it, but I doubt it.

Thanks

[Helpper]

@jetwhiz Do you know how to reconstruct function AnalyserNode.getFloatFrequencyData() to add some noise to the data?

[davidhedlund]

Perhaps you can reuse the source code from the WebExtension AudioContext Fingerprint Defender?

[Helpper]

Thank you!

[kkapsner]

I'll have a look.

[kkapsner]

Well... I had a look and am not impressed. I think I can do better.

[crssi]

Nice to hear and happy to get two in one. :)

Cheers

[crssi]

@kkapsner
Do you might have any ETA? Assuming that you will take this road.

Thank you and cheers

[kkapsner]

The basics are already finished, but I have to rethink some RNG things.

I think I can provide an alpha within the next week.

[crssi]

OMG... you made my day. 😄

[kkapsner]

https://github.com/kkapsner/CanvasBlocker/releases/tag/0.4.6-Alpha1
You should deactivate the normal CanvasBlocker when using the CanvasBlocker-Beta. You can port your settings by the following:

• activating the expert mode
• clicking on export settings
• copy the content you see
• go to CB-Beta
• activating the expert mode
• clicking on export settings
• delete everything and paste

Please test and give feedback.

[kkapsner]

Just imported to my main profile and already found a bug... you must not activate storeImageForInspection...

[crssi]

At first glace it looks that this works as it shoud.
Very good job.

[kkapsner]

New alpha: https://github.com/kkapsner/CanvasBlocker/releases/tag/0.4.6-Alpha2

Please test and give feedback.

@DRigby26: now it should not be persistent.

[DRigby26]

It looks like those two fingerprints are still persistent for me.

[kkapsner]

Weird - I get non persistent values. What are your CB settings?

[crssi]

Same here, they are persisten... default settings.

[DRigby26]

Same here

{
"logLevel": 1,
"urlSettings": [],
"whiteList": "",
"blackList": "",
"blockMode": "fakeReadout",
"minFakeSize": 1,
"maxFakeSize": 0,
"rng": "nonPersistent",
"apiWhiteList": {},
"useCanvasCache": true,
"ignoreFrequentColors": 0,
"minColors": 0,
"fakeAlphaChannel": false,
"persistentRndStorage": "",
"storePersistentRnd": false,
"persistentRndClearIntervalValue": 0,
"persistentRndClearIntervalUnit": "days",
"lastPersistentRndClearing": 1529776484900,
"askOnlyOnce": "individual",
"askDenyMode": "block",
"showCanvasWhileAsking": true,
"showNotifications": true,
"storeImageForInspection": false,
"notificationDisplayTime": 30,
"ignoreList": "",
"showCallingFile": false,
"showCompleteCallingStack": false,
"enableStackList": false,
"stackList": "",
"protectAudio": true,
"audioFakeRate": "10",
"audioNoiseLevel": "high",
"audioUseFixedIndices": true,
"audioFixedIndices": "0",
"displayAdvancedSettings": true,
"displayDescriptions": false,
"isStillDefault": false,
"storageVersion": 0.3
}

[kkapsner]

Can you please set the logging level to "warning" and tell me if you see any messages in the browser console (to open hit F12 and go to console) that have a "[CanvasBlocker]" in it?

Which Firefox version are you using?

[kkapsner]

Additional you can set the fixed indices to "0,1" which should force the first two numbers of these two fingerprints to change.

[DRigby26]

Oh okay that seemed to work for the first two number which are not persistent. I also checked the browser console, and found no warnings. I set it back to 9 and noticed only the 9th index was changing along with the the 4th index in the Oscillator Node fingerprint, but the other numbers seem to be mostly the same.

[DRigby26]

So I went ahead and set it fixed to spoof all the indices and it did that!

[crssi]

If Fixed indices = 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 then all numbers of Fingerprint using OscillatorNode and Fingerprint using hybrid of OscillatorNode/DynamicsCompressor method are different, which is OK, but the method is slow.
Problem is that in that case the Fingerprint using DynamicsCompressor (sum of buffer values) and Fingerprint using DynamicsCompressor (hash of full buffer) remains the same every time, which is not OK.

[DRigby26]

Oh yeah it stays the same for me too.

[kkapsner]

The point is that I cannot change all numbers as this would be way too slow (each request contains 44100 datapoints).
Therefore only some of the datapoints are faked. If you do not use fixed indices the used indices are randomized and the amount is controlled by the fake rate.

I have to look into the sum and the hash to check why they stay the same.

[kkapsner]

This test page... I will create my own as it is slow and badly written.

[kkapsner]

I figured out the problem and will provide a new alpha soon.

[DRigby26]

Awesome! Thank you!

[kkapsner]

I created this test page which provides the same hash and sum, but is much faster: http://kkapsner.github.io/CanvasBlocker/test/audioTest.html

There you can see that the other addon does not fully protect you. The second hash will stay constant.

[kkapsner]

New alpha: https://github.com/kkapsner/CanvasBlocker/releases/tag/0.4.6-Alpha3
You will have to disable the audio cache if you want to use the other test page.

[crssi]

This looks super cool now :)
What exactly are Fixed indices?
Why there is only value 24 and not all in the array?

[DRigby26]

It looks great to me so far! Thank you!

[kkapsner]

@crssi: the indices that are changed in the audio data are usually picked at random. With the "fixed indices" you can pick some by yourself. The default is to chose one from 0-30 at random by browser start.
The basic idea there was that apparently some fingerprinters are only using the first 30 entries in the audio data and the you are always somewhat protected there. Otherwise it could by random that you are tracked because the random indices were not in that range.

If I would always fake all audio data entries CB would render the other test page not useable - my test page is actually fine... so I will also add a 10% and 100% buffer fake rate.

[kkapsner]

The new release is out.

[DRigby26]

Thank you!!!

[davidhedlund]

No videos on the most popular Swedish new sites play with CV 0.5.1.0b enabled.

Examples

• https://www.aftonbladet.se/tv/a/260479
• https://www.expressen.se/nyheter/ny-skogsbrand-hotar-trafiken-pa-e4/
• https://www.svt.se/nyheter/lokalt/sormland/fem-fakta-om-fetma-och-overvikt

[kkapsner]

Please try 0.5.1.1b

[davidhedlund]

I can now play all three videos thanks to your bug fix in that version.

[kkapsner]

You're welcome.