A Windows XP help forum. PCbanter


Changed browser and noticed system fonts are making me unique



 
 
  #16  
Old April 29th 17, 05:37 PM posted to microsoft.public.windowsxp.general
Jonas S Schneider

On Fri, 28 Apr 2017 19:54:08 -0500, VanguardLH wrote:

Nowadays it's pretty hard to avoid Javascript.


That.

Even flash is required sometimes although I can't believe that it has that
kind of staying power.
  #17  
Old April 29th 17, 05:37 PM posted to microsoft.public.windowsxp.general
Jonas S Schneider

On Sat, 29 Apr 2017 03:36:26 -0400, Paul wrote:

"Circumventing the Fingerprint

A better approach is to make your browser fingerprint as common
and generic as possible. You can do that by running the browser
inside a clean and un-customized virtual machine. It's only in
this kind of environment that it's feasible to revert to the clean
state at the end of every use, preventing the accumulation of
identifying changes. This approach gives the browser a truly
generic identifier, while eliminating all other kinds of tracking
techniques."

The idea is, you install the OS, install the browser, shut down the
VM and make a backup copy. Now, unpack a fresh copy of the OS image,
before using the browser in it. This prevents cookies from being
collected (even in DOM). And by using an out-of-the-box setup with
minimal customization, your panopticlick should be "better but not perfect".


I probably should learn about VM machines.
Is there one that you recommend?
  #18  
Old April 29th 17, 05:37 PM posted to microsoft.public.windowsxp.general
Jonas S Schneider

On Sat, 29 Apr 2017 11:04:29 -0300, Shadow wrote:

YW. The only problem is that some installed programs require
special fonts. I have a Brazilian dictionary that needs its own set
of hand brewed fonts. So I went to font frenzy's backup folder,
(FontFrenzy\Fonts) and copied the necessary fonts over to
windows\fonts.
I then defrenzied and gave the backup the name of the
dictionary. So whenever I have to use the dictionary, I just restore
that backup (over 20 fonts) with a click, use the dictionary, then
"defrenzy" again. It's annoying, but works.


I agree with you that some programs may need some fonts, and, also, I
guess, some MS Office documents may ask for certain fonts (especially
business documents where they use trademarked fonts).

That defrenzy tool you suggested though was super simple to back up the
fonts, just one button, and you name the backup, and that's it.

I haven't tried the restore, but I'll assume from what you said that it's
as simple since everything else was really simple.

Thanks for that wonderful find. You'd think we'd stop learning at some
point, but we keep learning about great new software for Windows!

Ccleaner
Irfanview
CutePdf
IZarc
etc
.... and now ...
FontFrenzy
  #19  
Old April 29th 17, 08:05 PM posted to microsoft.public.windowsxp.general
VanguardLH[_2_]

Jonas S Schneider wrote:

VanguardLH wrote:

Nowadays it's pretty hard to avoid Javascript.


That.

Even flash is required sometimes although I can't believe that it has that
kind of staying power.


The volume of Flash content is huge. It takes years to convert that
content to HTML5 video, and some just won't bother. A lot of good
content would be lost if it were just dumped in favor of HTML5 video. I
have not investigated if there is a server-side means of converting
Flash streams into HTML5 video streams; however, that would still mean
all that Flash content still survives.

Although you're used to electronic media for storage of media, there is
still a ton of movies still on film. It was a huge effort taking
decades to move movies off the old acetate tape that deteriorated onto
longer lasting tape. Also, just like books printed on paper, electronic
media is not always the best choice for longevity.

The process of conversion is still going to take a while. Two decades of
generating Flash content is not going to instantly disappear because of
the emergence of HTML5 video in the last couple of years. My choice for
the conversion would be to get Flash plug-ins (or as an extension) that
tosses all the scripting inside of Flash. Users already have the choice
of whether or not to allow LSOs (local storage objects), aka Flash
cookies, so give them a choice of disabling scripting (ActionScript, now
a dialect of ECMAScript to which Javascript also belongs). Make Flash
safe. Preserve the content, not all the other crap that is not part of
the content. Just provide the content with no control. Then focus on
preserving content while migrating to alternate format. There is no
user-mode setting to disable or prompt to allow script in Flash.

Imagine how irate users would become if they could no longer disable
Javascript in web browsers. In fact, that did happen. Mozilla took
away the config UI option to disable Javascript in Firefox. Users now
have to dig into about:config to change the javascript.enabled setting
(or use an extension to make it easier). Mozilla has a history of
removing useful settings that reduces the configurability of Firefox.
Unlike plug-ins where the user can configure it to prompt when a site
wants to use it, none of the web browsers offer a choice to prompt the
user to allow Javascript when a page wants to use it.
  #20  
Old April 29th 17, 09:06 PM posted to microsoft.public.windowsxp.general
Paul[_32_]

Jonas S Schneider wrote:
On Sat, 29 Apr 2017 03:36:26 -0400, Paul wrote:

"Circumventing the Fingerprint

A better approach is to make your browser fingerprint as common
and generic as possible. You can do that by running the browser
inside a clean and un-customized virtual machine. It's only in
this kind of environment that it's feasible to revert to the clean
state at the end of every use, preventing the accumulation of
identifying changes. This approach gives the browser a truly
generic identifier, while eliminating all other kinds of tracking
techniques."

The idea is, you install the OS, install the browser, shut down the
VM and make a backup copy. Now, unpack a fresh copy of the OS image,
before using the browser in it. This prevents cookies from being
collected (even in DOM). And by using an out-of-the-box setup with
minimal customization, your panopticlick should be "better but not
perfect".


I probably should learn about VM machines. Is there one that you recommend?


I tested it out, and wasn't able to make much progress on Panopticlick.
I was still getting a report that my fonts were pretty unique, even
though they're just the standard OS ones.

I think I might be making things worse, on the Canvas test, because
the graphics on a VM are a bit strange (the emulated video card),
so the signature when rendering graphical objects might not be helping.
Because, of course, not that many people will be web surfing
using a VM.

I wonder if the people who wrote that web page, have any idea
yet, what the "best" setup is. Finding it by "poking at it",
is going to take a long time.

Paul
  #21  
Old April 30th 17, 03:28 AM posted to microsoft.public.windowsxp.general
Jonas S Schneider

On Sat, 29 Apr 2017 16:06:17 -0400, Paul wrote:

I tested it out, and wasn't able to make much progress on Panopticlick.
I was still getting a report that my fonts were pretty unique, even
though they're just the standard OS ones.

I think I might be making things worse, on the Canvas test, because
the graphics on a VM are a bit strange (the emulated video card),
so the signature when rendering graphical objects might not be helping.
Because, of course, not that many people will be web surfing
using a VM.

I wonder if the people who wrote that web page, have any idea
yet, what the "best" setup is. Finding it by "poking at it",
is going to take a long time.


Thanks for running the tests for us and for taking the time and energy not
only to run them, but to report back to us your results!

You're a good Usenet netizen for doing that.

The canvas gotcha is a surprise, for example, as is the fact that your
fonts, if they're "normal" are a gotcha also. I guess that my fonts now
(after I cleaned them up) indicate I'm a WinXP user (which they can tell by
other means also) which is already a smaller subset of the total population
than I would like it to be.

What are most people on nowadays?
Windows 7 or 10?

Anyway, I would guess the "best setup" from a browser fingerprinting
standpoint has to be the Tor Browser Bundle because that TBB is
specifically set up to NOT be fingerprinted.
  #22  
Old April 30th 17, 06:00 AM posted to microsoft.public.windowsxp.general
Paul[_32_]

Jonas S Schneider wrote:
On Sat, 29 Apr 2017 16:06:17 -0400, Paul wrote:

I tested it out, and wasn't able to make much progress on Panopticlick.
I was still getting a report that my fonts were pretty unique, even
though they're just the standard OS ones.

I think I might be making things worse, on the Canvas test, because
the graphics on a VM are a bit strange (the emulated video card),
so the signature when rendering graphical objects might not be helping.
Because, of course, not that many people will be web surfing
using a VM.

I wonder if the people who wrote that web page, have any idea
yet, what the "best" setup is. Finding it by "poking at it",
is going to take a long time.


Thanks for running the tests for us and for taking the time and energy not
only to run them, but to report back to us your results!

You're a good Usenet netizen for doing that.

The canvas gotcha is a surprise, for example, as is the fact that your
fonts, if they're "normal" are a gotcha also. I guess that my fonts now
(after I cleaned them up) indicate I'm a WinXP user (which they can tell by
other means also) which is already a smaller subset of the total population
than I would like it to be.

What are most people on nowadays?
Windows 7 or 10?

Anyway, I would guess the "best setup" from a browser fingerprinting
standpoint has to be the Tor Browser Bundle because that TBB is
specifically set up to NOT be fingerprinted.


Well, I wonder why the canvas (rendering) test is allowed to take a
snapshot of the rendered image created by the browser.
What purpose does that serve, except to snoop ?
That's not just a "lucky accident". They must be
putting stuff like that in the standards on purpose.
That has nothing to do with making *regular* web
operations work properly.

If the developers want a "test" mode, I don't have a problem with

browsername.exe --test http://www.testserver.com/rendertest.js

And if you look at the folder structure on the browser,
it's got DOM storage all over the place. Why isn't
there just one database ? One file ? This just seeks
to hide stuff from users, via obfuscation. It's a lot
harder to clean modern browsers after you use them,
and even the "delete" button in the preferences,
in some cases it doesn't do anything. On my oldest browser,
if you use the delete button, the cache is properly cleared.
I have another browser, it has trouble deciding whether
to call the folder "trash9233" or "cache2", and it's
quite unpredictable. Who writes stuff like that ?

They've turned these browsers into an Easter Egg hunt.
And there's only one reason for doing that.

Paul
  #23  
Old April 30th 17, 09:06 AM posted to microsoft.public.windowsxp.general
VanguardLH[_2_]

Paul wrote:

Well, I wonder why the canvas (rendering) test is allowed to take a
snapshot of the rendered image created by the browser.
What purpose does that serve, except to snoop ?


All their test does is see if HTML5 Canvas is enabled or not. Not much
for identifying YOU. Some canvas blocker extensions work by blocking
the Canvas read so the hash cannot be returned - except the number of
users blocking canvas reads is so small that this will actually identify
you. Some randomize the hash on each read but that also identifies you
if the site tries multiple reads on the same sent object. Disabling
Javascript will obviously put you into a smaller community from which to
pick you out via other fingerprinting (but DOM storage works so much
easier than fingerprinting). About the only way to thwart tracking via
Canvas reads is to use separate web browser sessions for each visited
site. When you use browserleaks.com/canvas which tests Canvas reader,
you need to do a test, unload your web browser and reload, and then do
the test again to see if the same read value gets returned in another
session. They used to have a "found in DB" output but it's not there
anymore. Guess you'll have to record the PNG read hash and then note if
it is the same in another web browser session. Canvas read hashes
are not going to be unique to each host+client, anyway, and why they
probably removed the "Found in DB" status.

Multilogin has their Canvas Defender extension (for Firefox and Google
Chrome). As with DOM Storage, trying to avoid tracking during a web
browser session is futile. Disabling DOM storage results in way too
many sites not working or misbehaving. So I leave it enabled but purge
it upon exit from the web browser. It's tracking across web browser
sessions (or in separate sessions) that can thwart that tracking method.

With the Canvas Defender extension, the read hash returned by
browserleaks.com/canvas remains the same when I load more tabs to
revisit the same test page, so it is remaining constant within a web
browser session. Loading an incognito instance of the web browser gives
me one more session (but only one even if more incognito windows are
opened). The read hash changes for the incognito session but is the
same amongst multiple incognito sessions. Unloading the web browser,
making sure there are no lingering processes for it, and reloading the
web browser to retest, I still get the same read hash. I was expecting
a different hash on a web browser reload (for a new web browser
session). Just in case they figure revisiting sites might look for a
changing (noisy) Canvas read hash between visits, I waited 5 minutes
after unloading the web browser before reloading it. Nope, didn't help.
Same read hash between web browser sessions. I noticed the extension
shows a popup (one reason why I'd like user config settings to get rid
of this) that shows what "noise" (bias) it adds to the read hash. It
was the same bias each time. With the same bias, the effected read hash
would still be the same. Then I noticed from one of its reviews, "you can
change your hash at the click of a button". That triggered me to click
on the extension's toolbar icon. That lets me change to a new
randomized bias that the extension uses to alter the read hash. That
worked but I'd have to keep clicking the toolbar button every time
I wanted to change the bias on the read hash. Nah, I don't want to do
this manually - but it does work as browserleaks.com/canvas showed the
read hash changed (and I didn't even have to reload the web browser).
Security and privacy tools should work in the background, not require
user interaction. They do have a helpful article at:

https://multiloginapp.com/how-canvas...ily-trackable/

So I'm still hunting for a Canvas blocker extension that calculates a
random bias each time it is loaded so it is different in the next web
browser session. There are too many other "features" in web browsers,
some that are needed to get sites functional, that permit tracking to
worry about Canvas fingerprinting within the same web browser session.
Alas, the others that I've seen do not use effective methods to thwart
HTML5 Canvas read hash tracking (outright blocking and altering on
every read don't work). Options for automatic randomizing of the bias
on extension load or on page load/refresh and an option to hide the bias
value popup would make viable the Canvas Defender extension. I'm not
going to click a toolbar button every time I load the web browser.
They've received similar requests but the extension has not been updated
in a year.

While all this sounds scary, it's not as bad as it sounds regarding this
fingerprinting. Far worse is the hosts that are networked together to
share database information. You login at one site, they know your IP
address and when you connected there, and share that info with another
site via the shared database. When you visit the other site then they
know you were at the prior site and when. Tracking is not all
client-side driven. You having a fingerprint that hides you in a crowd
of millions will not thwart the server-side tracking mechanisms. So
don't get too obscene in your fervor to eliminate your fingerprint.
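
The manual check described in the post above (read the hash twice, restart the browser, read again), simulated for four canvas-read behaviours. This is an added example, not part of the thread or any extension's code; the pixel buffer, the FNV-1a hash standing in for the test page's hash, the noise model and all function names are constructed assumptions.

```javascript
// FNV-1a 32-bit: stand-in for the hash a test page computes over the canvas read.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Small seeded PRNG (mulberry32 style) so the simulation is reproducible.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed sample: pixel bytes this machine would render for the test drawing.
const RENDERED = Uint8Array.from({ length: 64 }, (_, i) => (i * 37 + 11) & 0xff);

// One simulated browser session (hypothetical model of a canvas defence).
function makeSession(strategy, sessionSeed) {
  let reads = 0;
  return function readCanvasHash() {
    reads += 1;
    if (strategy === "block") return null;           // read refused outright
    if (strategy === "none") return fnv1a(RENDERED); // no defence at all
    // "per-read": fresh noise on every call; "per-session": one bias per session
    const seed = strategy === "per-read" ? sessionSeed * 1000 + reads : sessionSeed;
    const rand = prng(seed);
    const noisy = RENDERED.map((v) => (v + Math.floor(rand() * 4)) & 0xff);
    return fnv1a(noisy);
  };
}

// The test from the post: read twice, restart the browser, read once more.
function probe(strategy) {
  const session1 = makeSession(strategy, 1);
  const a = session1();
  const b = session1();
  const c = makeSession(strategy, 2)();
  return {
    blocked: a === null,
    stableWithinSession: a !== null && a === b,
    changesAcrossSessions: a !== null && a !== c,
  };
}
```

Only the "per-session" behaviour gives the pattern the post is looking for: the same hash on repeated reads, a different one after a restart.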
 



