So we have three fingerprint mechanisms:
One I had not even heard of or frankly suspected, but it explains a lot about why many designers who strive for pixel perfection are constantly frustrated. The original paper is fascinating (cseweb.ucsd.edu/~hovav/dist/canvas.pdf) but one simple takeaway - testing 300 different user systems (Mechanical Turk - quite clever) a simple sentence in Arial rendered 50 different ways! So by combining different renderings (like sentences, drawing a line on a canvas element) they find that user systems - hardware, drivers, etc. - give off different results unique enough to tag you.
I would be interested in their results on iPhones (in fact, anyone interested in a quick experiment here on HN?)
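To make the canvas technique discussed above concrete, here is an added example (not code from the thread or from the Pixel Perfect paper) of the kind of script a tracker runs: draw text in a common font plus a blended shape, export the bitmap with toDataURL, and hash the result. The `document` is passed in so the same function runs in a browser or against the constructed stub below; the stub returns a fixed PNG string so the example runs offline. The hash (FNV-1a, 32-bit) and the test string are my own choices, not anything the paper prescribes.

```javascript
// Canvas fingerprint in the style of Mowery & Shacham's "Pixel Perfect".
// Added example: `doc` is injected so it runs in a browser or against a stub.
// FNV-1a 32-bit is used only for brevity (assumption, not from the paper).
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function canvasFingerprint(doc) {
  const canvas = doc.createElement("canvas");
  canvas.width = 300;
  canvas.height = 60;
  const ctx = canvas.getContext("2d");
  if (!ctx) return null; // canvas unsupported or blocked by the browser
  // Text in a common font: the rasteriser, hinting and subpixel AA differ
  // between OS/GPU/driver combinations, which is exactly what is measured.
  ctx.textBaseline = "top";
  ctx.font = "14px Arial";
  ctx.fillStyle = "#f60";
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = "#069";
  ctx.fillText("Cwm fjordbank glyphs vext quiz, \u{1F600}", 2, 15); // emoji -> platform font
  // A blended shape exercises the compositor / GPU path as well.
  ctx.globalCompositeOperation = "multiply";
  ctx.fillStyle = "rgb(255,0,255)";
  ctx.beginPath();
  ctx.arc(50, 50, 50, 0, Math.PI * 2, true);
  ctx.closePath();
  ctx.fill();
  // Every differing pixel changes the PNG bytes, so the hash is the tag.
  return fnv1a32(canvas.toDataURL());
}

// Offline stand-in for a browser document: records the 2D calls made and
// returns a fixed PNG data URL. Constructed for this example only; in a real
// browser the real rasteriser produces the bytes that make systems differ.
function makeStubDocument(dataUrl) {
  const calls = [];
  const ctx = new Proxy({}, {
    get: (_, name) => (...args) => { calls.push(String(name)); },
    set: (_, name, value) => { calls.push(`${String(name)}=${value}`); return true; },
  });
  return {
    calls,
    createElement: () => ({ getContext: () => ctx, toDataURL: () => dataUrl }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const doc = makeStubDocument("data:image/png;base64,AAAA");
  console.log("fingerprint:", canvasFingerprint(doc));
}
```

The point raised later in the thread about iOS follows directly from this: two devices that produce byte-identical PNGs (same hardware, renderer and fonts) hash to the same value, so canvas alone only narrows a user down to a device class. The tracker combines it with the other mechanisms for that reason.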
I propose two solutions:
Cookies should be limited to no more than 128 bits - enough to store one randomly generated UUID. Screw the backward compatibility.
Have I just reinvented Microsoft code signing?
But boy I am in a bad mood
Then the browser-plugin component could be entirely optional, just a more-convenient way to command the proxy (via some HTTP call that it recognizes and intercepts) to block a given URL or pattern.
On the other hand page modification that involves DOM manipulation/JS interactions would definitely be better handled in a browser plugin, since a proxy is more of a streaming filter device.
SSL is a bit of a pain (especially certificate pinning) since this is essentially a "benevolent MITM attack" but there are workarounds for it.
I guess it's an effect of having much money or people willing to potentially spend money in one giant network - the internet. You just can't make a review site or forum which is immune to scamming, that is when sellers start hiring people to puppet around their marketing message.
> it's a hellhole just to find a good router for example
In fact, I'm not sure what the bare minimum is anymore, nor do I know whether or not a cookie manager even makes a dent in privacy intrusions.
It's also super quick to install and update. Just snapshot before browsing anything and restore to there. You can install anything you like before browsing anything (Flash etc.). There's no logical way to save any state if you throw away the hard drive snapshot.
It is incredibly alarming to consider how much control over our own damned gear we've lost over the past 10-15 years.
Of course, things don't have to have been designed as tracking mechanisms in order to end up as tracking mechanisms. One of my favorite (?) examples is HSTS, which can be used as a cookie because you can tell a browser to load 00001.example.com, 00100.example.com, and 01000.example.com securely (while not mentioning 10000.example.com or 00010.example.com). Then if you tell a browser to load one-pixel images from the HTTP versions 00001, 00010, 00100, 01000, and 10000.example.com, you can see which subdomains it adds the HTTPS on and which it doesn't. (This risk is mentioned in section 14.9 of RFC 6797.)
An example that shows completely unintended tracking consequences were sneaking into web protocols a long time ago was Martin Pool's "meantime", described back in 2000. (He has a broken link that suggests that someone may have expressed concern about this back in 1995.)
It's apparently possible to break many of these tracking methods, as the Tor Browser systematically tries to do, but you have to give up a lot of local history and a bit of web platform functionality.
Given what I've heard about web developer pushback against fixing the CSS history query bug, I'm scared to imagine the response to trying to mainstream some of the Tor Browser's fixes in popular browsers!
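The HSTS trick described above, worked through as an added example (not code from the thread, and not from any real tracker): one subdomain per bit, the "write" is an HTTPS pixel load with a Strict-Transport-Security header on the set bits only, and the "read" is a plain-HTTP load of every pixel, where the server sees which requests arrive upgraded. It generalises the 5-bit case in the comment to N bits. The hostnames (bN.example.com) and the max-age are assumptions, and the Browser class is a deliberately minimal model of the HSTS cache (no includeSubDomains, no preload list) that follows the RFC 6797 rule that the header is only honoured over HTTPS.

```javascript
// HSTS "supercookie" simulation. Added example, not from the original thread.
// Hostnames, bit width and max-age are assumptions chosen for illustration.
const BASE = "example.com";
const BITS = 5;
const bitHost = (i) => `b${i}.${BASE}`; // one subdomain per bit

// Minimal model of a browser's HSTS cache: hostname -> expiry (seconds).
class Browser {
  constructor(now = 0) { this.hsts = new Map(); this.now = now; }

  // Process a response. RFC 6797 s8.1: the header is ignored unless the
  // response was received over HTTPS, so an attacker needs TLS on each host.
  receive(url, headers) {
    const u = new URL(url);
    const sts = headers["strict-transport-security"];
    if (u.protocol !== "https:" || !sts) return;
    const m = /max-age=(\d+)/i.exec(sts);
    if (!m) return;
    const maxAge = Number(m[1]);
    if (maxAge === 0) { this.hsts.delete(u.hostname); return; } // explicit clear
    this.hsts.set(u.hostname, this.now + maxAge);
  }

  // Before fetching, upgrade http:// to https:// for hosts in the cache.
  rewrite(url) {
    const u = new URL(url);
    const exp = this.hsts.get(u.hostname);
    if (u.protocol === "http:" && exp !== undefined && exp > this.now) u.protocol = "https:";
    return u.toString();
  }
}

// Write phase (tracker): for every 1 bit, serve an HTTPS pixel from that
// bit's host with an HSTS header. Hosts for 0 bits are never given one.
function writeId(browser, id) {
  for (let i = 0; i < BITS; i++) {
    if ((id >> i) & 1) {
      browser.receive(`https://${bitHost(i)}/pixel.gif`,
        { "strict-transport-security": "max-age=31536000" });
    }
  }
}

// Read phase (tracker): request every pixel over plain HTTP. The server
// observes which requests arrive upgraded to HTTPS and reassembles the id.
function readId(browser) {
  let id = 0;
  for (let i = 0; i < BITS; i++) {
    const actual = browser.rewrite(`http://${bitHost(i)}/pixel.gif`);
    if (actual.startsWith("https:")) id |= 1 << i;
  }
  return id;
}

// Defence side: this is what clearing site data (or the Tor Browser's
// per-session discard of HSTS state) amounts to for this mechanism.
function clearHsts(browser) { browser.hsts.clear(); }

if (typeof require !== "undefined" && require.main === module) {
  const b = new Browser();
  writeId(b, 0b10110);
  console.log("read back:", readId(b).toString(2).padStart(BITS, "0"));
}
```

Two things the model makes visible: a 32-bit id costs 32 hostnames (each needing a valid certificate, since only HTTPS responses count), and the state survives ordinary cookie clearing because it lives in the HSTS store, not the cookie jar.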
I'm also somewhat shocked at how much JS seems to be directly included from a third-party domain. Again, I understand why you'd want a separate domain for some things (many larger sites tend to have some JS hosted on the main domain and some offloaded to a CDN domain, for example), but a shocking amount of sites are offloading basic design elements of their site to some Google Ajax server for whatever reason.
The other big part of it is that I'm much more used to seeing a site, noticing if something's missing, then making the decision about whether I really want to let it execute arbitrary code on my machine. I'm not all that confused when a new site I go to is subtly broken.
The biggest headaches I've run into so far with it are sites that use multiple cloudfront addresses or that pull in required content from host or domain names that don't bear any resemblance to the original site. I can figure out if I'm on "chicagotribune.com" that "trbimg.com" and "trb.com" are probably related to it, but there are a lot of sites where there's no clear name relationship.
If you block the known trackers, it doesn't really matter what techniques they try to use on you.
Big takeaway is to avoid AddThis.com, and that NoScript - along with other tools - is an effective defense.
It's also noteworthy how this is at odds with the White House's own policy on cookies.
As usual, Bruce Schneier (and his commenters) has a useful thread on the topic:
Safari on iOS will have the same hardware, renderer and fonts as every other user with the same iOS version and device type. So surely it can't track an individual user?
See Pixel Perfect: Fingerprinting Canvas in HTML5 (http://cseweb.ucsd.edu/~hovav/papers/ms12.html).
Both Internet Explorer and Chrome have supported "Click to play" natively since forever. Only Firefox shamefully doesn't.
Unlike many other security measures it is pretty intuitive. Just click on the applets you wish to load or unblock them like a pop-up blocker from the URL bar.
In Chrome you can also whitelist entire domains like this:
However be careful not to go too whitelist crazy, as I think this article makes clear a lot of those "Share this" applets are tracking you and many otherwise innocent sites host them.
Of course it does. It had "Ask to activate" option for every plug-in since some mid-20s release if not earlier.
It wasn't quite as simple as click-to-play or controllable per site until a few versions later; it was an application-wide toggle to enable plugins or not, but always very easy to use just one click away on the right-click quick preference menu.