Evaluating the privacy implications of a canvas fingerprinting countermeasure (antoinevastel.com)
36 points by avastel on July 3, 2018 | 9 comments

OK, so how does one interfere with canvas fingerprinting?

I mean, we know that simply blocking it doesn't work.[0]

0) https://multiloginapp.com/how-canvas-fingerprint-blockers-ma...

Mozilla is planning to block it (and the APIs it relies on) by default for all content, I think, regardless of how many apps it breaks. That seems like a reasonable countermeasure since people with canvas fingerprinting blocked will not be a small identifiable group.

That's great news. Thanks.

And that reminds me, Apple too in macOS: https://www.engadget.com/2018/06/05/apple-safari-canvas-fing...

Yeah, that's great. Blocking/spoofing fingerprinting is a bit like wearing a mask. If it's only a handful of people, it may even be worse from a privacy/tracking perspective -> look, the guy with the mask

Well, if Canvas Defender actually worked, you could change fingerprints daily or weekly or whatever. So you'd still have a valid fingerprint. Just not invariant.

Still, you'd get a pretty unique fingerprint, so even if it changes, it can help reduce the entropy bits if the trackers are half smart (hey, this is the guy with the Nixon mask, now he's wearing an Obama mask instead). You don't need to just hide your real fingerprint, you need to make it look like everybody else's.

Would limiting the bit-depth returned by that function help?

It doesn't seem like canvas defender replaces HTMLCanvasElement.prototype.getImageData anyway, so one could simply use that to generate a hash.

Hiding the fact that the function is non-native requires replacing Function.prototype.toString with something that will return a fake result if the function being tested is one of the modified ones. If a userscript replaces that toString prototype before you can grab it, I'm unaware of any other way to test if a function is native.
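
The native-function check discussed in the comment above, as an added example that is not part of the original thread. It runs under Node with `Math.max` standing in for a canvas method; `isNative`, `wrapWithNoise`, `installToStringMask` and `demo` are hypothetical names. It shows that a script which saved `Function.prototype.toString` before the mask was installed still sees the wrapper, while a later lookup does not.

```javascript
// Added example. Math.max is a stand-in for a native canvas method;
// every function name defined here is hypothetical.
const realToString = Function.prototype.toString;

// Native functions stringify to "function name() { [native code] }".
function isNative(fn, toStringImpl) {
  return /\{\s*\[native code\]\s*\}$/.test(toStringImpl.call(fn));
}

// A countermeasure wraps the original; real ones would perturb the result.
function wrapWithNoise(original) {
  return function (...args) {
    return original.apply(this, args);
  };
}

// Concealment step: replace Function.prototype.toString so each wrapper
// reports the source text of the function it replaced.
function installToStringMask(masked) {
  const fake = function toString() {
    const target = masked.has(this) ? masked.get(this) : this;
    return realToString.call(target);
  };
  masked.set(fake, realToString); // the replacement has to mask itself too
  Function.prototype.toString = fake;
  return () => { Function.prototype.toString = realToString; };
}

function demo() {
  const original = Math.max;
  const wrapped = wrapWithNoise(original);
  const earlyRef = Function.prototype.toString; // saved before the mask
  const unmasked = isNative(wrapped, Function.prototype.toString);
  const restore = installToStringMask(new Map([[wrapped, original]]));
  const lateLookup = isNative(wrapped, Function.prototype.toString);
  const earlyLookup = isNative(wrapped, earlyRef);
  const maskItself = isNative(Function.prototype.toString,
                              Function.prototype.toString);
  restore();
  return { unmasked, lateLookup, earlyLookup, maskItself };
}

console.log(demo());
```
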

How does canvas fingerprinting work when Javascript is disabled in the browser?

What if the HTTP client used to fetch the page does not run third party Javascript?
