Detecting Noise in Canvas Fingerprinting

41 points by avastel 4 months ago | 64 comments
  • Etheryte 4 months ago
    While this field is always interesting to read about, I absolutely refuse to give any technical input on how to improve fingerprinting, even if it's to fight bots. If you work on tracking, my opinion of you as a person is well summarized by apenwarr [0]:

    > Can I work for a bad company and still be a good person?

    > No.

    [0] https://apenwarr.ca/log/20201121

    • batch12 4 months ago
      The quote is throwaway nonsense. No argument is made.

      I counter it with my own- Yes.

      By what standard are bad companies or good people measured? Do you define that? Religion? The current popular opinion?

      • Etheryte 4 months ago
        By your own moral compass of course. There is no such thing as objective good or objective bad, it's all in the eye of the beholder. Surely you would've covered this in literature class in your youth? Likewise, me thinking someone is a bad person doesn't mean it's some objective and universal truth. It's literally, like, my opinion, man.
        • gruez 4 months ago
          >Likewise, me thinking someone is a bad person doesn't mean it's some objective and universal truth. It's literally, like, my opinion, man.

          There's literally an entire branch of study that tries to formalize it so it's not just "It's literally, like, my opinion, man".

          • 4 months ago
            • jgalt212 4 months ago
              Don't be so cynical. There are universal truths.
          • hugodellinger 4 months ago
            To be honest, they are focusing here on detecting tweaks used by scrapers to bypass bot protection, not on building a unique and stable fingerprint of a browser.
            • genewitch 4 months ago
              I scrape sites from time to time to back them up. I am kind of annoyed that this is going to get more difficult as time goes on thanks to societal leeches that have more rights than everyone (read "at least facebook, but probably X, and any other AI company not attached to a bookstore or book archival project") pirating content in 1998-2003.

              I know I have "no right" to archive content, but it comes in handy.

            • AndrewThrowaway 4 months ago
              What is "a bad company"? Google? Amazon? Facebook? Tesla? Tinder? Boeing? Rheinmetall? Lockheed Martin? Pfizer?
              • a-french-anon 4 months ago
                "Would the world be better without it (inb4 it'll be replaced in all but name)?"

                Google? Amazon? Facebook? Tinder? Yes.

                Boeing? Lockheed Martin? No.

                Tesla? Pfizer? Unknown.

                You're welcome.

                • internetter 4 months ago
                  Under what criterion were your answers decided?

                  To play the devil's advocate: Google has vastly improved access to information. Facebook has allowed hundreds of millions of people to remain in each other's lives even while separated by oceans. Amazon made it much easier to acquire very specific items. Tinder has helped people find love.

                  • immibis 4 months ago
                    Why is making planes that drop bombs on brown people not bad?
                • immibis 4 months ago
                  Bad people win, as evidenced by almost everything. If you want to be good later you probably have to be bad now. Good on you if you don't, though.
                • xnx 4 months ago
                  Fingerprinting is terrifying. That a device (and therefore a specific person) can be reliably identified across all sites and across time is a major failure of browser design.
                  • Rastonbury 4 months ago
                    It seems so powerful, all I need is to have my browser have js with canvas enabled and I can be matched across websites? I know you can disable canvas in firefox, how does one do it in Chrome?
                    • gruez 4 months ago
                      >It seems so powerful, all I need is to have my browser have js with canvas enabled and I can be matched across websites?

                      Note the fingerprint isn't unique, it's basically a property of your graphics hardware + operating system. If you have an M4 macbook pro, in all likelihood you'll have the same fingerprint as all the other M4 macbook pro users.

                      >I know you can disable canvas in firefox, how does one do it in Chrome

                      Bad news. Disabling features is also a fingerprint vector, and having it disabled probably makes you more suspicious. Imagine you're at a border checkpoint that fingerprints you (many countries do that), and your fingerprints were burned off. How do you think the border guard will react?

                      • genewitch 4 months ago
                        > in all likelihood you'll have the same fingerprint as all the other M4 macbook pro users.

                        er... maybe if they're using metamask or something with the viewport pixel WxH set arbitrarily. canvas size/window size, fonts installed (are you a graphic designer or typographer?), who knows what else. the EFF has a site that shows you all the nonsense we can be tracked with.

                        open safari on a second monitor? at the same time? probably globally unique WxH between the two windows.

                        • Rastonbury 4 months ago
                          If a site deems me too suspicious that it blocks me because it cannot track me so be it, close tab
                      • Klaster_1 4 months ago
                        While I agree that browser vendors could potentially have handled this better, I am more inclined to view this as a regulation failure - that fingerprinting is permitted in the first place. By acting in this manner, ad companies offload the cost to browser vendors, general public and reduce overall societal trust. This is especially concerning when Google exploits its position as an ad company and browser vendor, see the Manifest V3 situation for an example.
                        • Tade0 4 months ago
                          > I am more inclined to view this as a regulation failure - that fingerprinting is permitted in the first place.

                          In the EU it's not without explicit consent outside of a few, clearly defined cases.

                          Of course compliance is not 100%.

                          • dale_glass 4 months ago
                            Regulation isn't universal, so it won't fix the issue. A company wanting to work around that can just contract with another running out of a country without such regulations.

                            Browsers should do their best to make fingerprinting a non-viable approach.

                            • StilesCrisis 4 months ago
                              I don't think fingerprinting can be stopped as long as JavaScript exists. There will always be some minor difference you can exploit or some cache you can misuse.
                        • nprateem 4 months ago
                          According to this post the only people who care about not being tracked are running bots and fraudsters.
                          • AndrewThrowaway 4 months ago
                            I feel conflicted about this. On one hand canvas being client side will always lead to a cat and mouse game where fraudsters can always generate required "answer". On the other hand innocent users will always be fingerprinted by ad networks and similar.
                            • jonatron 4 months ago
                              The purpose is important, if my fingerprint is used to detect fraud (eg my browser has just tried 100 other credit cards), I'm less bothered than if cloudflare are reading my fingerprint then blocking me viewing a web page for no good reason.
                              • Ukv 4 months ago
                                Castle.io's customers seem to include marketing platforms, and their listed use-cases include preventing account sharing and alt accounts. Can understand why a company would want to be able to uniquely identify users, but also from a user/privacy perspective it's something I'd very much like my browser/extensions to block.
                                • jgalt212 4 months ago
                                  Detecting account sharing is a tricky business. It's pretty easy to detect if one account is using two different machines. But it's quite hard to unambiguously say it's one person using both machines or two different people each using one machine each.
                            • Bengalilol 4 months ago
                              What if I do:

                              delete CanvasRenderingContext2D.prototype.toDataURL;

                              Shouldn’t delete set the function back to native code?

                              Same with:

                              const offscreen = new OffscreenCanvas(1, 1);
                              const nativeToDataURL = Object.getPrototypeOf(offscreen.getContext("2d")).toDataURL;

                              Object.defineProperty(CanvasRenderingContext2D.prototype, "toDataURL", { value: nativeToDataURL, writable: true, configurable: true });

                              Or:

                              const iframe = document.createElement("iframe");
                              document.body.appendChild(iframe);
                              const nativeToDataURL = iframe.contentWindow.CanvasRenderingContext2D.prototype.toDataURL;
                              document.body.removeChild(iframe);

                              CanvasRenderingContext2D.prototype.toDataURL = nativeToDataURL;

                              I beg your pardon if my question is full of innocence.
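
An added example, not part of the comment above or of the article under discussion: what `delete` and `Object.defineProperty` actually do to an overridden method, and what a descriptor check can still observe afterwards. It assumes a plain object standing in for the browser prototype so it runs in Node; `makeProto`, `inspect` and the case functions are hypothetical names.

```javascript
// Constructed stand-in for a browser interface prototype so this runs in Node.
// Like a WebIDL operation, the method is writable, enumerable and configurable.
function makeProto() {
  return { toDataURL() { return "original"; } };
}

// Report the state of proto[name] relative to a reference saved before any override.
function inspect(proto, name, pristine) {
  const d = Object.getOwnPropertyDescriptor(proto, name);
  if (!d) return { own: false, callable: typeof proto[name] === "function" };
  return { own: true, same: d.value === pristine, enumerable: d.enumerable };
}

// Case 1: the override replaced the method on the prototype itself.
// delete removes the property; nothing is left to fall back to.
function overrideOnPrototypeThenDelete() {
  const proto = makeProto();
  const pristine = proto.toDataURL;
  proto.toDataURL = function () { return "noised"; };
  delete proto.toDataURL;
  return inspect(proto, "toDataURL", pristine);
}

// Case 2: the override shadowed the method on an object lower in the chain.
// delete removes the shadow and lookup reaches the original again.
function shadowOnInstanceThenDelete() {
  const proto = makeProto();
  const pristine = proto.toDataURL;
  const instance = Object.create(proto);
  instance.toDataURL = function () { return "noised"; };
  delete instance.toDataURL;
  return instance.toDataURL === pristine;
}

// Case 3: re-installing a saved reference with defineProperty.
// Over an existing property the omitted `enumerable` keeps its value;
// after a delete it defaults to false, so the descriptor no longer matches.
function redefine(deleteFirst) {
  const proto = makeProto();
  const pristine = proto.toDataURL;
  proto.toDataURL = function () { return "noised"; };
  if (deleteFirst) delete proto.toDataURL;
  Object.defineProperty(proto, "toDataURL",
    { value: pristine, writable: true, configurable: true });
  return inspect(proto, "toDataURL", pristine);
}
```

`delete` only brings the original back when the override was a shadow on a different object in the prototype chain; it never reverts a property that was overwritten in place.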

                              • hoseja 4 months ago
                                "fraudsters" and "bots"

                                Sure, Jan. Whatever lets you sleep at night.

                                • jgalt212 4 months ago
                                  I've never heard of Castle before. Do any current Castle clients care to share opinions of their service as compared to Cloudflare Turnstile or Google ReCaptcha?
                                  • EfficientDude 4 months ago
                                    Wow I didn't realize that Canvas Fingerprinting was exclusively used to detect fraudsters! Especially the wily ones who figured out how to delete their cookies! That's really cool - like how they scan everybody's files now to detect pedophiles (exclusively!).