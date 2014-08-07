I wonder if we can come up with a widely adopt(able|ed) fingerprint that we can mask ourselves with, do any of these identifying bits actually make the web more usable for us?
One could also introduce confusers -- e.g., setup some "light anonymizing portals" that will add / swap / scramble non-critical cookie data. Done right it should be possible to keep almost all of web functionality intact without introducing a security nightmare, but to work well this also needs a viable business model.
Sure you can disable js, but for the majority the Web would be really broken without js.
As a culture, tracking is everywhere. Disabling js still logs your up, referrer and a bunch of other things.
I do like what uorigin/adblock and other extensions are doing.
I don't want people to track me on the internet, I think the main reason they bother is that they can show me ads that will be more interesting to me and make them more money. I can resist this by not showing the adverts to myself.
I'd like to make it harder for them to track me at all, though this is always an arms war it seems like I'm labeling myself at the moment. I'm not familiar with the technology they use to detect adblockers, does it detect "U-Block Origin (Firefox) Ver 17.3" or does it just detect "I can't seem to see the ad I know should be here, this user is blocking my ads." if it's the latter then my proposal to adopt a blank/universal fingerprint is willing to confess the single bit of information of whether the user has decided to refuse adverts.
In my generation (I'm 28), and even more in my cousins' (early twenties) it looks like the hurd is using an adblocker. And I'm talking about art students, acountants and chefs not IT engineers.
You just can't spend hours on YouTube videos without an adblocker on …
...actually, you can. But those hours won't be filled with the videos you wanted to watch. ;)
Browsing the web with NoScript is far more pleasant, even if I have to sometimes open a menu to enable a couple domains to make a poorly developed website usable. I'd highly recommend it to anyone even remotely technical.
The complaint isn't with the scripting language, but with the blatantly unnecessary use of it.
One of the principles of human-friendly design is graceful degradation. For instance, you might design a museum for people that can walk. But some visitors might not be able to walk, so for them you install ramps and elevators when the stairs are not usable.
At the very minimum level, where someone is manually typing in HTTP requests, over a direct TCP connection to port 80 of your site, you should be returning something that can be read. Some people (or bots) may be fetching your site with curl or wget or links. Some people may be using screen readers. Some people may need machine assistance with pointer movement or scrolling. Some people may have extremely limited bandwidth, and won't automatically download images or frame contents.
If you can't degrade gracefully, your website is "poorly developed". So if you are utterly reliant on scripting to display anything at all, that certainly qualifies.
Some websites need more than text or images.
1. Is there anything the site owner can do to turn that off?
2. Is it because they inject some kind of DDoS prevention/tracking thing? This suggests crawlers load JS, which I wouldn't have necessarily assumed.
For the fourth or fifth time this year, in response to a thread about browser privacy, I am reminded that what I really want is the ability to jail/chroot a browser.
Firing up a full-blown VM for a browser ("banking profile", "twitter profile", "sketchy online store profile") is way too heavyweight and resource intensive. I want a totally, totally clean slate (restored to post-install defaults) to restart certain browsing sessions with (and dispose of when I am done) but a full virtual machine is too expensive in time and resources.
But if I could jail a GUI application ... then there would be almost zero resource overhead and the jail would die quickly when you're done.
jailing a GUI application is not that well developed of a use-case. Further, OSX doesn't even have a jail command.
I wish this was an established use-case - I would really like a totally throwaway browser profile that I could reset and re-use.
If you like, you can uncheck the "Use the selected profile without asking at startup" checkbox to have the window show up every time you start Firefox (which is defined as loading Firefox when there's no Firefox window already open). Doing this has the additional side benefit that if an application tries to open Firefox and load a new URL when you don't have any Firefox windows open, you'll be alerted to it by the Choose User Profile box - very useful if your normal profile takes a long time to load!
If you want, you can add the "-no-remote" switch to tell a new Firefox process not to connect with any existing one, which will allow you to open a new profile in a different browser window while you've still got the original running in other windows. However, those windows will share the same taskbar grouping, so I'd recommend you apply a different theme to the new profile to allow you to distinguish the two.
(Note: You should not use "-no-remote" by default, as a browser profile can only be open by one process at a time and you won't be able to open new windows through your shortcut icon.)
Of course, none of this will defeat the multiple-browser fingerprinting techniques mentioned in the article, but it's still incredibly useful.
I'm not sure if there's an equivalent in Chrome, or at least one that goes as far as Firefox does.
Sounds a bit like local Docker for browsing?
Everyone would download the same Chrome container with the exact same clean config and software rendering so the canvas/WebGL fingerprinting yielded nothing?
No ...
That is, unless I can easily script the destruction and recreation of the guest account, and automated install and configuration of my chrome setup ...
The idea here is that I set up chrome just how I want it and deploy and redeploy that "container" over and over - destroying it and recreating it after each use. Possibly with multiple instances running simultaneously ...
https://anonymous-proxy-servers.net/en/jondofox.html
JonDofox with JS turned off and uBlock origin installed. There's actually a small pool of users with this config but it needs to be bigger. As you said, as soon as we get consensus on what config to use, we can all switch to it en-masse.
Running unknown programs from random hosts on the internet - even in a limited environment - is a bad idea. Fortunately, documents (including images, audio, video, etc.) do not need Turing completeness. A lot of people will react strongly against the idea of not using JS, often because their income depends on tricking users into running spyware/malware,
Curious. This goes completely against the sentiment in all of the discussions around modern SPA frameworks and JS libraries I've seen on this very website. It seems that for most fronted devs today JS is a natural prerequisite for using their product. Progressive enhancement is often sneered at[1] as impractical and unnecessary. This leads me to believe that there are two mostly disjoint groups of people commenting on this issue in different threads.
---
[1] - Good example: https://www.viget.com/articles/the-case-against-progressive-...
I don't know which world JS devs are dragging us in, but it certainly looks shitty and ignoring every single thing software engineers have learned in the past thirty years.
If a site shows me nothing but a blank screen when I load it up with scripts disabled, I am very reluctant to enable 14 different script domains just to see a paged article, or worse, a slide show.
Allowing scripts to run only from whitelisted domains makes the web a better place.
If a site requires JavaScript, it already doesn't work. If a site requires JavaScript, its owner clearly doesn't care about either your security or your privacy.
Why use a site which requires JavaScript?
JavaScript delenda est.
It might be more practical to work towards browsers that do not have access to data that is not relevant to the web experience. I do need to know the size of your browser window. I do not need to know anything more about your video capabilities. In an ideal world, I wouldn't even need to know your browser, I would just need to know its capabilities. Your browser needs to know which fonts it can display, but my web server doesn't need to know that.
Isn't that info still enough for finger printing the browser, if they have enough different capabilities?
> If you intend to test for leaks using other third-party sites, I recommend using Tor browser, because it's been hardened to block WebGL fingerprinting, and otherwise to report the same fingerprints for all users. But you obviously don't want to use Tor while testing your VPN. First, download Tor browser for your OS. Do that with your VPN connected, so your ISP doesn't see. After extracting, start Tor browser. You can probably accept all defaults. Go to advanced network settings, and select "No proxy". Browse about:config, and toggle both "extensions.torlauncher.starttor" and "network.proxy.socksremote_dns" to "false". Then browse check.torproject.org. You should see "Sorry. You are not using Tor." and your VPN exit IP address.
0) https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-lea...
Have a look at the parameters that bring the highest amount of fingerprinting bits in your config https://panopticlick.eff.org/
then see if it possible to disable them. I think it's just plain hard.
https://addons.mozilla.org/en-US/firefox/addon/random-agent-...
https://addons.mozilla.org/en-US/firefox/addon/trackmenot/
https://addons.mozilla.org/en-US/firefox/addon/adnauseam/ (doesn't work well for me, though, YMMV)
I my view requiring Javascript just to display text or pictures is completely brain-dead, web "designers" that think this is a good idea should probably no be allowed to design anything. It also makes it hard for disabled people that rely on accessibility tools to use the web.
I don't expect "web apps" like a video player to work without Javascript, but basic things like reading text, viewing pictures or clicking on links should never depend on it.
Do I understand correctly that the simple tool to block javascript (noscript) is not available on chrome ?
I'd like to disable javascript but the non-noscript recipes seem very complex ...
They could, they could even use click-to-play like interfaces or similar for pretty much everything that might hurt user experience or weaken their privacy, but enabling by default all of the features required to show ads is much more important for all major browsers. They are only interested in helping users as long as their backers can benefit from it, i.e. can show them ads or drmed content. Even Mozilla is like that. There is no incentive for privacy there, except for PR purposes, but PR is not something you can install on your computer. Best bet is probably to donate to privacy oriented forks and use them.
Then again, seeing what's trending and the topics of many bootcamp courses, I see that is moving towards SPAs which are all just JS (non-lite javascript)
As a web developer I can see that introducing a painful troubleshooting process, lots of confused jira tickets (explaining caching is bad enough).
It would be nice to simply have websites that can function within the scope of light javascript functin without it at all. For those that have the complex JS, well they get a bren experience but a browser notice that informs them why. Chrome does part of this with a whitelist JS feature. Now if only it were as noticeable as the click to play flash feature is.
We have 5 big browsers and 3 OS's that we need to support (different rendering, different canvas rendering, not to mention 3d rendering quircks, different installed fonts), I think we don't need yet another way to make our lives difficult.
I understand that privacy is a big issue, but think about "normal" web developers who just want to show a cool working website to their users, but need to display this message to them: "Thank you for looking at our website, but unfortunately your browser is in lite JavaScript mode. Please set it to full functionality again and restart your browser en go to our site once more.".
I have already used dirty hacks to support the default setting of 3rd party cookies in Safari, while developing facebook apps or some apps inside an iframe that have different domains. It's there to make users feel more secure, but there are always ways around it.
It would be better to add the functionality you are suggesting as an option and not by default, so people, who understand the "risks" of not viewing some sites properly in favor of more privacy, will turn it on by themselves.
Your comment feels like a restaurant saying 'Ok, I understand cleanliness is important, but as a cook washing dishes all the time is really annoying so I only wash them if customers ask for clean dishes'
I don't think it's in Google best interest to add anti tracking features into Chrome browser (and same with MS and Apple). So for now on we must bring our own cloth to clean out the dishes or go to another restaurant where the dishes are always clean.
The problem is that it's impossible to change the current behaviour of the browsers without breaking the whole internet. It would be much easier and better to create a new browser (look at Tor Browser for example), that has a lot of anti tracking features enabled by default.
People know that if they want privacy, they can use this browser. But it's still a "big" hassle to install it, not to mention my grandmother knows Chrome/Firefox, but not Tor Browser so she will never use it.
We do not need to change the browsers to let them defend us, but to teach folk what privacy is and what to do if you don't want to get tracked.
PS: keep in mind that browser is 1 item in the big picture of "tracking private data". IoT devices are really booming now, and everything is tracking us, our watches, refrigerators, thermostats, ... we can't just install a AdBlocker there.
That just doesn't track, sorry.
For one thing, plenty of sites would continue to work just fine if browsers (for example) wouldn't allow any JS to upload anything without the user's explicit consent. That would immediately solve a significant part of the problem, for a cost of one click the first time a user visits a site where they do want to allow it.
For another thing, web developers respond plenty quick enough to new opportunities to exploit browser functionality. If the major browser developers told them where to go, they'd fix their broken sites plenty quickly too.
IoT devices are really booming now, and everything is tracking us, our watches, refrigerators, thermostats, ... we can't just install a AdBlocker there.
Maybe they're booming where you are. I've yet to see anyone, from my most gadget-obsessed geek friends to my least technical family members, actually use one, other than devices specifically made for some communications purpose or whose main/only function is to provide access to some remote service. Certainly I've yet to meet anyone who thought everyday household appliances like their fridge or thermostat needed to phone home to do their jobs.
As for installing a blocker, I've already seen multiple places interested in implementing something that is essentially a privacy firewall for home devices and/or building a database of which devices try to communicate with which remote hosts for which purposes. If IoT really does outgrow the marketing hype, tools to limit its capabilities for privacy and security reasons will surely follow, maybe even at ISP level in the same way that a lot of spam no longer even reaches our junk folders.
Using JavaScript to deploy content-focused websites is like a restaurant which uses its cookpots for urinals: sure, it can be done hygienically, but it's Just Wrong.
My brain melted out of my ears when I read this sentence. Why on Earth do you need JavaScript to display a "cool" website? So you can make the text fade in for no reason? I think you need to re-think what the Internet is for.
It is to validate forms with ajax, it is to display ajax loaded content, it is to upload a file without needing a page refresh, to create a simple image slider/viewer, ...
Of course the content is king, but do not forget that there are a lot of stuff going around content. Look at Facebook, Youtube, Pinterest, ... Sure they could work without any Javascript at all, but it will not be the same experience.
Like somebody here already said, we beginning to create web apps because it's possible and because it's cheaper to do directly in the browser than to hire a native device developer (another discussion).
We can't forget Javascript nowadays, it's a big and popular language for a reason, it allows the developers to create interesting user experiences (and apps) inside a browser. There are a lot of fine examples of good javascript implementations, but of course there are also companies that use it the "bad" way.
Don't use cookies.
Don't use Javascript.
And to use your own words:
<quote>
"It would be better to add the functionality you are suggesting as an option and not by default, so people, who understand the "risks" of not viewing some sites properly in favor of more privacy, will turn it on by themselves."
</quote>
Turning off all the cruft makes websites MORE usable not less. Plain text, offers the highest information density available. So do you want dancing monkeys on your screen, or do you want information?
What needs to stop is the idea that just because JS is useful for interactive aspects of sites, it should also provide access by default to 1,945,255 other features that 99.9999% of sites have no legitimate use for.
Do you realise that every item on your list wasn't just possible but flourished without JavaScript, and works fine without third-party cookies?
JavaScript is a cancer on the web, a metastasised extension language which is swallowing up what was a thriving hypertext infrastructure.
No, I don't realise that at all.
Imagine how tedious it would be even to use a relatively simple discussion forum like HN if you had to wait for a full page reload every time you hit a voting button or expanded/contracted a thread.
That's about as simple an interaction as you can get, but there are countless other simple examples where JS-based interaction is much more responsive and easier to use than a round-trip to the server. Think real-time form validation, for example.
At the more complicated end of the spectrum, how exactly would you implement a web app like, say, a spreadsheet, without any client-side interaction?
JavaScript is ... swallowing up what was a thriving hypertext infrastructure.
Sure it was, 20 years ago, but the technology has evolved to serve new purposes, as technologies do. The Web of 2017 is unquestionably far more useful for far more people than the Web of 1997, and the interactivity offered by JS is a significant contributory factor.
You don't need a full page reload to implement voting; that's what the 204 No Content response is for: your browser sends the vote & doesn't refresh the page.
If javascript did not exist HTML/CSS/SVG would have evolved simple features like submitting a POST when an element is clicked without reloading a page.
Iframes were already enabling something similar and CSS supports animations.
Perhaps it would. Perhaps if JavaScript did not exist then we would have developed better tools for building what we now call web apps instead. Perhaps if JavaScript did not exist, those apps would be using something separate to the Web, and the Web would have remained a mostly non-interactive, read-only medium. I'm quite sure that with the wisdom of hindsight that we enjoy today we could have designed much, much better ways to do what web apps are doing.
But the thing is, JavaScript does exist, and it's being used to provide sites/apps that many people find useful, arguably much more useful by now than the original purpose of the Web. Meanwhile, those hypothetical alternatives do not exist, and so obviously they aren't providing any of that desirable functionality to users.
This being the case, I think reverting to the Web being a very limited medium that doesn't offer those benefits is no longer plausible. It would set the development of useful and/or enjoyable technologies used by billions of people back 10-15 years, and there's no guarantee that whatever would actually evolve to replace it would be any better.
I'm been developing for the Web professionally for many years, and a programmer for many years more. I'd be the first to agree that what we have today has problems, some of them serious, and that we should try to do something about them. But no-one's going to stop the train or turn back time, so any realistic solutions have to start from where we actually are and provide better practical alternatives, not start from where some of us might have preferred to be and provide wishful thinking.
You're overestimating the importance of JavaScript here. phpBB didn't start using JavaScript until phpBB2 was released, and I believe that UBB, the forum software phpBB was based on, didn't use JavaScript either at the time. (Of course, this was partially because JavaScript was so limited back then.)
A case in point: I'm typing this on HN, which is a forum I read often and enjoy for its content and for the interactions with fellow contributors. However, the interface to HN is unquestionably less efficient than the interface to Reddit, which offers similar functionality but without limitations like needing to open a new page that only shows the immediate parent comment when replying to something.
1) full mode (all JS is enabled)
2) lite mode (only the bare JS is enabled, no tracking possible)
3) suggested mode (a machine learning algorithm decides what is really needed to be enabled and what is there for tracking purposes)
4) manual mode (somewhere in the settings you can tick and untick verious JS APIs that you want enabled and disabled, like websockets, WebGL etc)
However, even that can be vulnerable. Browsers in all Debian-based VMs have the same HTML5 canvas fingerprint on given hardware. Because the fingerprint is based on both the VM's graphics driver and the host's graphics hardware. To avoid that, you can use unrelated OS in your VMs. In my experience, Windows, OSX, Fedora, PC-BSD and Debian VMs have distinct HTML5 canvas fingerprints on given hardware.
Not being able to defend ourselves doesn't mean that we should give up.
A crowd can gather in front of a building and demand changes, unarmed and shouting. They may be heard or not, but still they fight. Sometimes the crowd is really huge and the other side has no option but to hear.
Use Firefox. Use uBlock Origin. Use uMatrix or NoScript if you can. Use HTTPS Everywhere. Use DecentralEyes and Privacy Settings (an addon to streamline setting the cryptic browser settings in favor of your security and privacy).
If you can, edit text fields through an external editor using things like Vimperator/Pentadactyl C-i command or extensions such as Its All Text or Wasavi.
Use a firewall. Use a firewall in your phone as well.
Search through DuckDuckGo or Startpage. Use F-Droid apps on your Android device, it even has a privacy conscious browser called Privacy Browser, a great and encryption friendly email client called K-9 and key wallet called OpenKeychain. Use Free Software.
Drop the use of Google Drive and Dropbox in favor of solutions such as Syncthing.
Use a password manager and strong passwords.
Fight the good fight. Using this tools you can still enable resources for websites where you need them, literally unblocking the web with each use case. It works if you need to work and learn through browsers. For anything else, use Tor Browser. Maintain an installed version. Open it and update it often.
Privacy is a right that we must fight for everyday and, sincerely, its an honor to be part of the resistance in this dark age.
User rights actvists know how hard it can be to teach people the importance of this things. Its hard and not always effective and often backfires.
If you are a developer, don't put your tail between your legs and accept that you must for monetary reasons circumvent user rights, talk with your team, be the guy with weird thoughts and be proud. You know the importance and they don't. Isn't it like this when a math teacher struggles with his younglings? They just don't know. Be patient.
We can BE the change we want.
Edit: Use Signal. Support Riot. SUPPORT THE EFF! There are so many beautiful people fighting the fight with us. Thanks to everyone involved in the development of this products and services, often left in the shadows and unpaid. You are love.
That'd be a startup or nonprofit project, not necessarily anything any of us can individually do and not stick out like a sore thumb unless somebody capitalizes on anti-privacy revelations which can galvanize the population in favor of self-education on privacy hygiene.
Paraphrasing (probably inaccurately) Bruce Schneier's answer to a question of mine on this topic at DEF CON: the best privacy solutions are the ones embraced by many people.
You can always use techniques such as blending in if you really must, tools such as Tails or QubesOS.
If they want to put a red pin on me with the words activist and "conscious of us", let them while and if they can.
Edit: changed the word "secure" to "invisible" because they are different things entangled in this scenario.
I don't really see an industry adoption of these fingerprinting techniques. The linked page took 20 seconds and 100% CPU before getting a fingerprint ID, so running that at scale seems pretty useless?
My browser works against me these days. Sad times.
If it's not Javascript, any functionality that offers access to the hardware (via however many layers) to "apps" from the "cloud" can be exploited this way. Maybe we should disallow hardware access, how will YouTube play videos? Should we all install youtubeplayer.exe ?
It really doesn't. There are severe limits on what JS downloaded from some random site can do via a browser on your local device. A few tricks to detect some environment-based signals and invade privacy might be undesirable, but that intrusion is nothing compared to the kind of stunts native software has pulled over the years, and the major desktop and mobile operating systems are pathetically ineffective at sandboxing that software compared to what browsers do with JS, even taking into account the unwanted side effects of recently expanded capabilities that we're discussing here.
That's missing the point.
With respect to tracking a user, most of those restrictions don't matter. Your browser does download/execute untrusted, unsigned, arbitrary, ephemeral code that can do any kind of tracking it wants.
Yes, the browser executes JS code from untrusted sources, but only if you visit a page that loads scripts from those sources, and always (barring security bugs) within a sandbox that limits their capabilities.
I fail to see how this can possibly be any worse than installing software in other ways such as running a native executable you downloaded from somewhere, or following a "curl | sh" installation process as advocated by plenty of popular OSS tools, or allowing native software that you already installed to install arbitrary automatic updates that it fetches from remote sources.
The argument netsharc made was essentially that turning off JS would disable a lot of useful functionality for a lot of people, and that providing that functionality would still involve similar risks if it were done some other way. The reply from mikegerwitz argued that JS is different, but I still don't see how. The relevant comparison isn't against just turning JS off, it's against turning JS off and implementing the same functionality some other way, and compared to the sandboxed environment of JS, the most likely alternatives with today's technology would be even worse in terms of security and privacy.
Compared to the damage a logging truck can do to my car, a snow plow is very limited. I still don't want to be hit by a snow plow.
The threats to privacy posed by JS are severe and constantly evolving. Being able to profile based on hardware is effectively breaking the sandbox.
> (barring security bugs)
Which are far from uncommon. But you can't predicate a security discussion with the phrase "barring security bugs".
> I fail to see how this can possibly be any worse than installing software in other ways such as running a native executable you downloaded from somewhere, or following a "curl | sh" installation process as advocated by plenty of popular OSS tools, or allowing native software that you already installed to install arbitrary automatic updates that it fetches from remote sources.
Each of these requires explicit user authorization at some point (barring malicious operating systems). In the case of automatic updates, the initial install required user consent.
That isn't the case on the Web when you click on some random link I send you and automatically download and execute a program.
What exactly are the big threats you see here?
Yes, JS can be used to track whether the same computer is being used to visit different web sites. But there are other tracking techniques based on other web technologies that are also very accurate and require no cooperation from JS in the browser. The ultimate risk is the same in both cases: being tracked from one web site to another, and therefore potentially identified in real life if the other data held by those web sites in combination is sufficient to remove anonymity.
As I've said elsewhere in this discussion, I'd be the first to agree that this is undesirable, and that we should try to do something about it by limiting the access that is available by default and now being exploited for unintended purposes. I just don't see that the general risk is unique to JS or that JS is qualitatively worse in the danger than other web or general software technologies.
Each of these requires explicit user authorization at some point (barring malicious operating systems). In the case of automatic updates, the initial install required user consent.
Again, how is this any different to giving a user a link to a web site, which they then choose to follow? If you want to use some interactive functionality, how does it make the slightest bit of difference whether you're trusting JS code that runs directly or indirectly from a web site you voluntarily visit, scripts that run directly or indirectly via a script you curl|sh, or whatever is in some executable that you download and run? There is an inherent element of trust in all of these cases, and unscrupulous actors have betrayed that trust with nasty results in all of these cases. Again, I'm not saying the situation with JS is good, I'm just saying it's not significantly different to the situation with other current technologies that might be used to provide similar functionality in alternative ways.
Javascript is not the only way to provide interactivity. CSS, for example, provides some form validation methods in a declarative style. Sometimes you can do it server-side. Many types of interactivity were possible before the current JS mess.
If there is a type of common interactivity that is not supported without JS, we can always add it as a new browser features, just like we did with everything else in the browser.
> any functionality that offers access to the hardware (via however many layers) to "apps" from the "cloud" can be exploited this way
That's why you don't provide an runtime environment for "apps". Rendering data (a document, an image, video, etc.) does not need arbitrary software. It only needs a way to send a media file to the appropriate renderer. <img> and <video> tags should work fine.
> how will YouTube play videos?
Why is this even a question? They can serve an mp4 (or whatever) at some URL, and reference it in the <video> tag. Video playback doesn't require running arbitrary software, because we already have local video players.
The alternative is cleanly separating web browsing (a passive activity requiring no code execution) and using distributed apps.
I'm not at all against the idea of a common, cross-platform execution environment; I'm 100% against the idea of executing cross-platform code when all I want to do is read an article.
I disagree with the idea that computers == JavaScript, and furthermore with the idea that JavaScript helps me be more productive.
Excel makes me productive. React.js as a service does not.
https://media.libreplanet.org/u/libreplanet/collection/resto...
The problem is browsers are made by advertising entities that also leverage these same abilities.
[1] https://clientjs.org
What is the extent of the ability to track a user between sites these days even if they blocked third party cookies? Meaning, given an advertiser with 1,000,000 users what are the chances it knows that you just visited sites A, B, C if it has ads installed on each one?
What we really need is a device/OS level "ID" that can be read by any app or website so that it is stable. Since it's controlled by the OS, resetting your identity is as simple as generating a new ID. This single change would improve security and performance across the web and remove the vast majority of fingerprinting being used today.
If you try to change the ID, trackers will use other things to try to keep tracking your browser session.
[1] https://en.wikipedia.org/wiki/Zombie_cookie
[2] https://en.wikipedia.org/wiki/Evercookie
A single website is too narrow since things like ad networks (which are the economic backbone of the web) work across many sites. A single root domain is an outdated isolation model on the modern web.
Outside of that, the only other answer is regulation. Something that is missing in many areas although some countries seem to be making good progress.
You want that centralized and made universal? An internet passport? Goodbye vpn services. Goodbye, tor. Goodbye doing anything that's not in your permanent browsing profile stored by advertisers, google, facebook, twitter.
Client-side control means that you can turn it off depending on TOR, private-mode, VPN, or whatever else. The technical aspects though would make the web faster and easier to deal with.
Then, since a TPM is effectively mandatory once the web can't be used without it, all media content can be DRM'd with less customer push-back.
I get that the web is a mess, but is this the best idea anyone can come up with to fix it? And does this actually fix it?
Easy and seamless. Why turn it off? If you do, then the networks would just generate their own ID numbers and we're back to the same scenario as today. There's nothing technically wrong with not using it but having a stable API to program against helps a lot and is the main reason this would improve the web. Android and iOS get somewhat close to this, although both are broken and unfinished.
I'm not sure why this requires any hardware TPM or DRM though.
2. In theory you can look at JavaScript served from ad sites and reverse engineer to see what they are tracking. Has anybody tried to make a database of which ad vendors run which things in browsers? (Similar to how malware is reverse engineered?)
Take a look at the work of Steven Englehardt around cookie syncing and gpu fingerprinting [0] [1]
[0]: https://freedom-to-tinker.com/2014/08/07/the-hidden-perils-o...
[1]: https://freedom-to-tinker.com/2016/01/12/retrospective-look-...
People have been doing GPU fingerprinting since the canvas APIs were available, with accuracy rates of over 90%, this further refines it by exploiting subtle differences in 3D rendering via webgl but the API surface is pretty small
And you really don't need to reverse JS, you can just run it in a controlled environment and hook into certain calls etc. not too different to how you'd do analysis of vm / packed binaries though some of the scripts that do this stuff will try to detect these sandboxed environments and deactivate themselves (google does that, for example, cause they run their fingerprinting inside a custom VM in javascript)
{ip, device pixel ratio, screen resolution, time zone}
You can then identify more unique browser features to track them across multiple locations. Even if it's not completely unique, you can build up a network graph that's probably good enough for most things - people living in the same house probably have similar interests.
To address your question, the technique is novel and more accurate.
I'm sure you know that and are just being difficult. Its because OpenGL/DirectX drivers run a large compiler in the kernel and then send the compiled code to the GPU. None of that code is inspectable. Drivers routinely have special hacks to tweak the performance of particular games or matching patterns of use that tweak special paths, making thorough testing particularly hard.
https://medium.com/@afd_icl/hey-a-web-page-just-restarted-my...
https://twitter.com/alexstamos/status/829124727289544704
Any real examples besides proofs of concept and academic concerns? As in, examples that affect the average user, not some specifically targeted person?
So?
Not having access to the video graphics processor would be an even more terrible idea. And Tor is probably the most "privacy-theater" concept.
The web is an interlinked web of documents called pages. It's not a distributed application platform: although it can be twisted into that, it turns out that no-one actually carefully considered all the potential security, privacy & performance implications of doing that — and it's no surprise that the security, privacy & performance of the single-page app web is abominably atrocious.
I wonder if we can come up with a widely adopt(able|ed) fingerprint that we can mask ourselves with, do any of these identifying bits actually make the web more usable for us?