
Canvas fingerprinting on the web - avastel
https://antoinevastel.com/browser%20fingerprinting/2019/02/19/canvas-fingerprint-on-the-web.html
======
pcwalton
This made me realize that my Pathfinder (vector graphics on GPU) work may have
an unexpected benefit—unifying font and vector rendering paths across OS's to
mitigate a bunch of these fingerprinting techniques.

(My font rendering reads the OS settings to determine which rendering mode to
use to match the underlying OS, but I think there's no need to do that for
canvas.)

~~~
jancsika
> (My font rendering reads the OS settings to determine which rendering mode
> to use to match the underlying OS, but I think there's no need to do that
> for canvas.)

Not sure I understand. Are you saying that HTML and SVG text would match the
OS's font rendering but HTML5 canvas text would not?

~~~
pcwalton
Correct. OS's are converging on font rendering modes these days anyway (e.g.
subpixel AA was dropped in Edge and on macOS Mojave).

------
ypolito
I have enabled the resistFingerprinting in my Firefox about:config settings
and this technique no longer seems to work on me.

The only downside is that verifying ReCaptcha takes me around a minute to
solve.

~~~
svantana
Wouldn't that just put you in the "no fingerprint" category? Presumably fairly
few people use such techniques, so couldn't that make you more trackable, not
less?

------
lewiscollard
I'm actually shocked, though maybe I shouldn't be. I'd always assumed that
canvas fingerprinting was some theoretical technique that nobody would be evil
enough to use, not one in active use in thousands of top websites.

This is why we can't have nice things. :/

------
FabHK
Any good defence against this for Safari on macOS?

(There is this javascript blocker, JS Blocker, but when I last used it, the
Safari memory usage would explode every other day, to the extent of rendering
the machine unusable unless you managed to kill the process very quickly.)

------
CJefferson
While this is an interesting website, why is it asking to take photos or
record audio?

~~~
avastel
Hi, I am the author of the post. I run some fingerprinting tests sometimes for
research purposes. Nevertheless I don't see which of the tests would ask for
any audio or photos permissions. Which browser were you using?

~~~
johndough
> I run some fingerprinting tests

Is that still legal considering the GDPR?

~~~
jakeogh
Only applies to subjects of the EU.

------
mattferderer
I'm curious of what the benefit of Canvas is over just a random string of
characters generated based on OS, browser, etc?

~~~
the_pwner224
It can't be changed. You can fake the user agent and JavaScript-accessible
properties (Tor browser does this so every Tor user is indistinguishable), but
canvas rendering depends on your actual OS, GPU, etc. Browsers could implement
a software renderer to consistently draw canvases on all devices, but then you
lose half the reason to use canvas - speed.

~~~
pcwalton
GPU differences don't show up very well—the OpenGL spec and the D3D "spec"
have standardized behavior across GPUs fairly well at this point. What _does_
show up are text rendering differences and the different software vector
renderers (Core Graphics vs. Skia vs. Cairo vs. Direct2D).

A lot of Canvas is still in software. I'm working to change that, but it's a
work in progress…

~~~
est31
> fairly well

Don't we still live in an age where GPU drivers need game-specific driver
fixes in order to work correctly? Being _bug free_ is a different question
than being _free from any noticeable difference in the output_, and we seem
to not even have reached the bug freedom stage yet.

I mean even Firefox Webrender is only available to Nvidia GPUs at the start,
no?

~~~
kevingadd
The driver fixes are usually performance improvements where the vendor
rewrites shaders to make the game run better or add support for weird vendor
features (like SLI). If the vendor had to hack around the game to make it work
at all, the developers wouldn't have been able to even test the game during
development.

WebRender was locked to NVIDIA as a known target with a known set of driver
bugs. They could've chosen AMD or Intel as the target instead and worked to
figure out all the relevant driver bugs and worked around them, but for
whatever reason they picked NV.

------
ivanhoe
Funny moment is that Canvas Defender extension for Chrome warns about
fingerprinting on this very site :)

------
appleflaxen
Can anyone explain how the web site reads out the information that the browser
fingerprint provides? I get that the first step is to create a specific canvas
image. But how does the server know what the result was?
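
Added example, not part of the thread and not the code of any extension named in it: the readout asked about above is done by page JavaScript calling canvas export methods such as `toDataURL` or `getImageData` and sending the result to the server, so a defender can observe it by wrapping those methods. `installCanvasReadoutMonitor` and its event format are hypothetical names chosen for this sketch.

```javascript
// Logs canvas readout calls: the step a fingerprinting script needs in order
// to turn rendered pixels into a value it can send to a server.
// installCanvasReadoutMonitor and the event shape are hypothetical names.
const READOUT_METHODS = {
  canvas: ['toDataURL', 'toBlob'], // HTMLCanvasElement export methods
  context: ['getImageData'],       // CanvasRenderingContext2D pixel read
};

function installCanvasReadoutMonitor(canvasProto, contextProto, onReadout) {
  const originals = [];
  const wrap = (proto, name, getCanvas) => {
    const original = proto[name];
    if (typeof original !== 'function') return; // method absent in this engine
    originals.push([proto, name, original]);
    proto[name] = function (...args) {
      const canvas = getCanvas(this);
      try {
        onReadout({
          method: name,
          width: canvas ? canvas.width : null,
          height: canvas ? canvas.height : null,
          stack: new Error().stack, // shows which script asked for the pixels
        });
      } catch (_) { /* a logging failure must never break the page */ }
      return original.apply(this, args); // the call itself is left unchanged
    };
  };
  for (const m of READOUT_METHODS.canvas) wrap(canvasProto, m, (self) => self);
  for (const m of READOUT_METHODS.context) wrap(contextProto, m, (self) => self.canvas);
  // The returned function restores the original methods.
  return () => originals.forEach(([proto, name, fn]) => { proto[name] = fn; });
}

// Browser use: this must run in the page's own JavaScript context, before
// any page script has a chance to read a canvas.
if (typeof HTMLCanvasElement !== 'undefined') {
  installCanvasReadoutMonitor(
    HTMLCanvasElement.prototype,
    CanvasRenderingContext2D.prototype,
    (e) => console.warn('canvas readout:', e.method, `${e.width}x${e.height}`),
  );
}
```

A readout by itself is not proof of fingerprinting, since drawing apps and image editors export canvases too; the logged size and call stack are what let you tell the cases apart.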

