#16
Changed browser and noticed system fonts are making me unique
On Fri, 28 Apr 2017 19:54:08 -0500, VanguardLH wrote:
Nowadays it's pretty hard to avoid Javascript. That. Even flash is required sometimes although I can't believe that it has that kind of staying power.
#17
On Sat, 29 Apr 2017 03:36:26 -0400, Paul wrote:
"Circumventing the Fingerprint

A better approach is to make your browser fingerprint as common and generic as possible. You can do that by running the browser inside a clean and un-customized virtual machine. It's only in this kind of environment that it's feasible to revert to the clean state at the end of every use, preventing the accumulation of identifying changes. This approach gives the browser a truly generic identifier, while eliminating all other kinds of tracking techniques."

The idea is, you install the OS, install the browser, shut down the VM and make a backup copy. Now, unpack a fresh copy of the OS image, before using the browser in it. This prevents cookies from being collected (even in DOM). And by using an out-of-the-box setup with minimal customization, your panopticlick should be "better but not perfect".

I probably should learn about VM machines. Is there one that you recommend?
#18
On Sat, 29 Apr 2017 11:04:29 -0300, Shadow wrote:
YW. The only problem is that some installed programs require special fonts. I have a Brazilian dictionary that needs its own set of hand brewed fonts. So I went to font frenzy's backup folder, (FontFrenzy\Fonts) and copied the necessary fonts over to windows\fonts. I then defrenzied and gave the backup the name of the dictionary. So whenever I have to use the dictionary, I just restore that backup (over 20 fonts) with a click, use the dictionary, then "defrenzy" again. It's annoying, but works.

I agree with you that some programs may need some fonts, and, also, I guess, some MS Office documents may ask for certain fonts (especially business documents where they use trademarked fonts). That defrenzy tool you suggested though was super simple to back up the fonts, just one button, and you name the backup, and that's it. I haven't tried the restore, but I'll assume from what you said that it's as simple since everything else was really simple.

Thanks for that wonderful find. You'd think we'd stop learning at some point, but we keep learning about great new software for Windows! Ccleaner Irfanview CutePdf IZarc etc .... and now ... FontFrenzy
#19
Jonas S Schneider wrote:
VanguardLH wrote:
Nowadays it's pretty hard to avoid Javascript. That. Even flash is required sometimes although I can't believe that it has that kind of staying power.

The volume of Flash content is huge. It takes years to convert that content to HTML5 video, and some just won't bother. A lot of good content would be lost if it were just dumped in favor of HTML5 video. I have not investigated if there is a server-side means of converting Flash streams into HTML5 video streams; however, that would still mean all that Flash content still survives.

Although you're used to electronic media for storage of media, there is still a ton of movies still on film. It was a huge effort taking decades to move movies off the old acetate tape that deteriorated onto longer lasting tape. Also, just like books printed on paper, electronic media is not always the best choice for longevity. The process of conversion is still going to take a while. Two decades of generating Flash content is not going to instantly disappear because of the emergence of HTML5 video in the last couple of years.

My choice for the conversion would be to get Flash plug-ins (or as an extension) that tosses all the scripting inside of Flash. Users already have the choice of whether or not to allow LSOs (local storage objects), aka Flash cookies, so give them a choice of disabling scripting (ActionScript, now a dialect of ECMAScript to which Javascript also belongs). Make Flash safe. Preserve the content, not all the other crap that is not part of the content. Just provide the content with no control. Then focus on preserving content while migrating to alternate format.

There is no user-mode setting to disable or prompt to allow script in Flash. Imagine how irate users would become if they could no longer disable Javascript in web browsers. In fact, that did happen. Mozilla took away the config UI option to disable Javascript in Firefox. Users now have to dig into about:config to change the javascript.enabled setting (or use an extension to make it easier). Mozilla has a history of removing useful settings that reduces the configurability of Firefox. Unlike plug-ins where the user can configure it to prompt when a site wants to use it, none of the web browsers offer a choice to prompt the user to allow Javascript when a page wants to use it.
#20
Jonas S Schneider wrote:
On Sat, 29 Apr 2017 03:36:26 -0400, Paul wrote:
"Circumventing the Fingerprint

A better approach is to make your browser fingerprint as common and generic as possible. You can do that by running the browser inside a clean and un-customized virtual machine. It's only in this kind of environment that it's feasible to revert to the clean state at the end of every use, preventing the accumulation of identifying changes. This approach gives the browser a truly generic identifier, while eliminating all other kinds of tracking techniques."

The idea is, you install the OS, install the browser, shut down the VM and make a backup copy. Now, unpack a fresh copy of the OS image, before using the browser in it. This prevents cookies from being collected (even in DOM). And by using an out-of-the-box setup with minimal customization, your panopticlick should be "better but not perfect".

I probably should learn about VM machines. Is there one that you recommend?

I tested it out, and wasn't able to make much progress on Panopticlick. I was still getting a report that my fonts were pretty unique, even though they're just the standard OS ones.

I think I might be making things worse, on the Canvas test, because the graphics on a VM are a bit strange (the emulated video card), so the signature when rendering graphical objects might not be helping. Because, of course, not that many people will be web surfing using a VM.

I wonder if the people who wrote that web page, have any idea yet, what the "best" setup is. Finding it by "poking at it", is going to take a long time.

Paul
#21
On Sat, 29 Apr 2017 16:06:17 -0400, Paul wrote:
I tested it out, and wasn't able to make much progress on Panopticlick. I was still getting a report that my fonts were pretty unique, even though they're just the standard OS ones.

I think I might be making things worse, on the Canvas test, because the graphics on a VM are a bit strange (the emulated video card), so the signature when rendering graphical objects might not be helping. Because, of course, not that many people will be web surfing using a VM.

I wonder if the people who wrote that web page, have any idea yet, what the "best" setup is. Finding it by "poking at it", is going to take a long time.

Thanks for running the tests for us and for taking the time and energy not only to run them, but to report back to us your results! You're a good Usenet netizen for doing that.

The canvas gotcha is a surprise, for example, as is the fact that your fonts, if they're "normal" are a gotcha also. I guess that my fonts now (after I cleaned them up) indicate I'm a WinXP user (which they can tell by other means also) which is already a smaller subset of the total population than I would like it to be.

What are most people on nowadays? Windows 7 or 10?

Anyway, I would guess the "best setup" from a browser fingerprinting standpoint has to be the Tor Browser Bundle because that TBB is specifically set up to NOT be fingerprinted.
#22
Jonas S Schneider wrote:
On Sat, 29 Apr 2017 16:06:17 -0400, Paul wrote:
I tested it out, and wasn't able to make much progress on Panopticlick. I was still getting a report that my fonts were pretty unique, even though they're just the standard OS ones.

I think I might be making things worse, on the Canvas test, because the graphics on a VM are a bit strange (the emulated video card), so the signature when rendering graphical objects might not be helping. Because, of course, not that many people will be web surfing using a VM.

I wonder if the people who wrote that web page, have any idea yet, what the "best" setup is. Finding it by "poking at it", is going to take a long time.

Thanks for running the tests for us and for taking the time and energy not only to run them, but to report back to us your results! You're a good Usenet netizen for doing that.

The canvas gotcha is a surprise, for example, as is the fact that your fonts, if they're "normal" are a gotcha also. I guess that my fonts now (after I cleaned them up) indicate I'm a WinXP user (which they can tell by other means also) which is already a smaller subset of the total population than I would like it to be.

What are most people on nowadays? Windows 7 or 10?

Anyway, I would guess the "best setup" from a browser fingerprinting standpoint has to be the Tor Browser Bundle because that TBB is specifically set up to NOT be fingerprinted.

Well, I wonder why the canvas (rendering) test is allowed to take a snapshot of the rendered image created by the browser. What purpose does that serve, except to snoop ?

That's not just a "lucky accident". They must be putting stuff like that in the standards on purpose. That has nothing to do with making *regular* web operations work properly.

If the developers want a "test" mode, I don't have a problem with

    browsername.exe --test http://www.testserver.com/rendertest.js

And if you look at the folder structure on the browser, it's got DOM storage all over the place. Why isn't there just one database ? One file ? This just seeks to hide stuff from users, via obfuscation. It's a lot harder to clean modern browsers after you use them, and even the "delete" button in the preferences, in some cases it doesn't do anything.

On my oldest browser, if you use the delete button, the cache is properly cleared. I have another browser, it has trouble deciding whether to call the folder "trash9233" or "cache2", and it's quite unpredictable. Who writes stuff like that ? They've turned these browsers into an Easter Egg hunt. And there's only one reason for doing that.

Paul
#23
Paul wrote:
Well, I wonder why the canvas (rendering) test is allowed to take a snapshot of the rendered image created by the browser. What purpose does that serve, except to snoop ?

All their test does is see if HTML5 Canvas is enabled or not. Not much for identifying YOU. Some canvas blocker extensions work by blocking the Canvas read so the hash cannot be returned - except the number of users blocking canvas reads is so small that this will actually identify you. Some randomize the hash on each read but that also identifies you if the site tries multiple reads on the same sent object. Disabling Javascript will obviously put you into a smaller community from which to pick you out via other fingerprinting (but DOM storage works so much easier than fingerprinting). About the only way to thwart tracking via Canvas reads is to use separate web browser sessions for each visited site.

When you use browserleaks.com/canvas which tests Canvas reader, you need to do a test, unload your web browser and reload, and then do the test again to see if the same read value gets returned in another session. They used to have a "found in DB" output but it's not there anymore. Guess you'll have to record the PNG read hash and then note if it is the same in another web browser session. Canvas read hashes are not going to be unique to each host+client, anyway, and why they probably removed the "Found in DB" status.

Multilogin has their Canvas Defender extension (for Firefox and Google Chrome). As with DOM Storage, trying to avoid tracking during a web browser session is futile. Disabling DOM storage results in way too many sites not working or misbehaving. So I leave it enabled but purge it upon exit from the web browser. It's tracking across web browser sessions (or in separate sessions) that can thwart that tracking method.

With the Canvas Defender extension, the read hash returned by browserleaks.com/canvas remains the same when I load more tabs to revisit the same test page, so it is remaining constant within a web browser session. Loading an incognito instance of the web browser gives me one more session (but only one even if more incognito windows are opened). The read hash changes for the incognito session but is the same amongst multiple incognito sessions.

Unloading the web browser, making sure there are no lingering processes for it, and reloading the web browser to retest, I still get the same read hash. I was expecting a different hash on a web browser reload (for a new web browser session). Just in case they figure revisiting sites might look for a changing (noisy) Canvas read hash between visits, I waited 5 minutes after unloading the web browser before reloading it. Nope, didn't help. Same read hash between web browser sessions.

I noticed the extension shows a popup (one reason why I'd like user config settings to get rid of this) that shows what "noise" (bias) it adds to the read hash. It was the same bias each time. With the same bias, the effected read hash would still be the same. Then I noticed from one of its reviews, "you can change your hash at the click of a button". That triggered me to click on the extension's toolbar icon. That lets me change to a new randomized bias that the extension uses to alter the read hash. That worked but I'd have to keep clicking the toolbar button every time I wanted to change the bias on the read hash. Nah, I don't want to do this manually - but it does work as browserleaks.com/canvas showed the read hash changed (and I didn't even have to reload the web browser). Security and privacy tools should work in the background, not require user interaction.

They do have a helpful article at:

https://multiloginapp.com/how-canvas...ily-trackable/

So I'm still hunting for a Canvas blocker extension that calculates a random bias each time it is loaded so it is different in the next web browser session. There are too many other "features" in web browsers, some that are needed to get sites functional, that permit tracking to worry about Canvas fingerprinting within the same web browser session. Alas, the others that I've seen do not use effective methods to thwart HTML5 Canvas read hash tracking (outright blocking and altering on every read don't work).

Options for automatic randomizing of the bias on extension load or on page load/refresh and an option to hide the bias value popup would make viable the Canvas Defender extension. I'm not going to click a toolbar button every time I load the web browser. They've received similar requests but the extension has not been updated in a year.

While all this sounds scary, it's not as bad as it sounds regarding this fingerprinting. Far worse is the hosts that are networked together to share database information. You login at one site, they know your IP address and when you connected there, and share that info with another site via the shared database. When you visit the other site then they know you were at the prior site and when. Tracking is not all client-side driven. You having a fingerprint that hides you in a crowd of millions will not thwart the server-side tracking mechanisms. So don't get too obscene in your fervor to eliminate your fingerprint.
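
Added example (not part of the thread and not any poster's or extension's code): a small JavaScript simulation of the trade-off discussed in post #23, comparing no protection, fresh noise on every read, and a bias chosen once per browser session. The pixel buffer, the FNV-1a hash standing in for the PNG read hash, and the strategy names are all assumptions made for illustration.

```javascript
// Constructed stand-in for the pixels a test page draws and reads back.
const RENDERED = Uint8Array.from({ length: 256 }, (_, i) => (i * 37 + 11) & 0xff);

// FNV-1a (32-bit), standing in for the hash computed over the read-back image.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Hypothetical protection strategies. Calling a factory starts one browser
// session and returns that session's canvas-read function.
// Math.random keeps the simulation dependency-free.
const strategies = {
  // No protection: every read returns the true rendering.
  none: () => () => RENDERED,
  // New noise on each read: randomly flip the low bit of each byte.
  perRead: () => () => RENDERED.map((b) => b ^ (Math.random() < 0.5 ? 1 : 0)),
  // One non-zero per-channel bias picked at session start, reused for all reads.
  perSession: () => {
    const bias = Uint8Array.from({ length: 4 }, () => 1 + Math.floor(Math.random() * 255));
    return () => RENDERED.map((b, i) => (b + bias[i % 4]) & 0xff);
  },
};

// Mirrors the manual check in the post: read twice in one session, then
// start a second session and compare the hashes.
function evaluate(name) {
  const sessionA = strategies[name]();
  const sessionB = strategies[name]();
  const a1 = fnv1a(sessionA());
  const a2 = fnv1a(sessionA());
  const b1 = fnv1a(sessionB());
  return {
    stableWithinSession: a1 === a2, // false: a repeated read exposes the noise
    linkableAcrossSessions: a1 === b1, // true: the same hash follows you around
  };
}

for (const name of Object.keys(strategies)) {
  console.log(name, evaluate(name));
}
```

Only the per-session bias gives a hash that is stable within a session and different in the next one, which is the behaviour the post is looking for in an extension.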