Jump to content

A "potentially devastating and hard-to-detect threat" - "Gummy Browsers,"


XPerceniol

Recommended Posts

I have to ALLOW javascript in order for all three of those to "fingerprint" me.

SELF-DEFEATING.

That's like telling a hoodlum, "I want to test if you can break into my house, I'll leave the back door open, not just unlocked, I'll leave it wide open, all you need to do is find my house."

Link to comment
Share on other sites


Total javascript blocking is impractical on websites where you need to interact, so you are registered and login.
In that case your protection against fingerprint is left to the browser itself (in the best case scenario) + some extensions (less is more).

Link to comment
Share on other sites

Agreed.

So the "test" is NOT about whether or not your browser "itself" is vulnerable to fingerprinting.

The "test" SHOULD BE "does this website engage in fingerprinting" and if the answer is YES, then boycott the $h!t out of that website.

Otherwise, if you trust that website to the extent of becoming a member, registering, and logging in, then, um, you have OPTED IN to that website "knowing" who you are, fingerprint or not.

The point really boils down to this, if your level of paranoia wants to live in a cardboard box under a bridge, by all means, it's not for me to tell you were to pitch your tent.

But let's stop acting like dogs trying to bite a flea on the tip of its tail.

If you don't trust the website you are visiting, then HELLO, why did you visit it?  Really seems that simple to me.

Moving on...  I have my paradigm, others have theirs...  MSFN threads don't alter people's perspectives...

Link to comment
Share on other sites

You've kinda proven my point.

Even a website boasting and bragging that they can fingerprint me without javascript FAILED TO DO SO while Mypal without javascript did indeed fingerprint me.

It did get as far as knowing I'm on Chrome-based browser, but all I get are instructions on how to disable javascript (you can see my NoScript icon blocking javascript, blocking 2 of 3, I allow gstatic but then uMatrix blocks it because it's not from Google Voice or Google Sheets) and tells me to refresh the page, which I did five or six times.

This "test" FAILED TO FINGERPRINT ME...  Keep hunting for something that can fingerprint me without javascript, I will conclude myself as "right" until proven otherwise  :ph34r:

spacer.png

Edited by ArcticFoxie
Link to comment
Share on other sites

Additional experimenting with the no-js test site.

I do need NoScript and uMatrix to block the fingerprinting.

Experimenting with the settings and what is or is not being blocked by NoScript and/or uMatrix and I can get THREE different fingerprint results on that test site.

I did not experiment if I could get MORE than THREE.

Because a "fingerprint" is supposed to be UNIQUE, not "narrowed down to three".

I do chuckle when you read through the "See more details" and one of the metrics used to fingerprint your browser is whether you are using a dark theme or not.

Fingerprinting is a matter of only requiring 6 to 10 out of 30 to 40 metrics.  I do not think it is possible to connect to the internet and block all 30 to 40 metrics.

But even if you do manage to block all 30 to 40, you have UNIQUELY identified yourself by being one of a very tiny handful of folks that has succeeded in blocking all 30 to 40.

There is a fine line between being privacy-conscious and walking around in a mental ward holding up two fingers and shouting out, "Four!".  (Patch Adams reference)

Edited by ArcticFoxie
Link to comment
Share on other sites

On 10/30/2021 at 10:06 AM, ArcticFoxie said:

I do need NoScript and uMatrix to block the fingerprinting.

No I think you have it backwards. It is more likely as I said, the fingerprinting (or some portion of it) is still happening, but since JS is disabled and the site is using JS to show the test results, you just can't see it.

Quote

Total javascript blocking is impractical on websites where you need to interact, so you are registered and login.

Block all and allow as necessary, even if temporary. If the site requires JS to function but it is not that important, then it may not be that important for me to even use it. If I really do want to use it, then I will use a different browser and/or computer entirely.

Link to comment
Share on other sites

1 hour ago, Tripredacus said:

No I think you have it backwards. It is more likely as I said, the fingerprinting (or some portion of it) is still happening, but since JS is disabled and the site is using JS to show the test results, you just can't see it.

Agreed.

I didn't go into that much detail, but that is exactly what is happening.

uMatrix is blocking the <frame> that contains the results.

BUT that doesn't explain why I can get THREE DIFFERENT "RESULTS" all based SOLELY on just changing what is and what is not being blocked by NoScript and uMatrix.

 

My best friend (late 90's, early 2000's) is a retired FBI Agent.

Her "job" was quite literally to spend weeks upon weeks on teenager-websites and act like a teenager.

You might call it "entrapment" but there are very strict protocols she had to follow and very lengthy documentation.

Her "job" was to literally catch criminals inviting teenage girls to become porn stars.

 

So I view all of this "fingerprinting" from a CRIMINAL PERSPECTIVE.

I do feel that only CRIMINALS need to be THAT concerned with a browser "fingerprinting" their online activities.

I don't really care if my CHURCH website and Pornhub links this computer as having visited both, that isn't "criminal".

 

You can NOT, I repeat, can NOT prevent a browser from being "fingerprinted".

Look at it as a credit card number.

SIXTEEN digits but the first FOUR only indicate the bank.

It is really only TWELVE digits that make a credit card number "unique".

 

So an untrusting website really only needs like TWENTY PERCENT of data that can be obtained via "fingerprinting" and they have you uniquely identified.

Even though you have successfully blocked EIGHTY PERCENT of that data.

 

You can not prevent "fingerprinting" - period.

And knowing what sorts of criminals my friend has nabbed during her career as an FBI Agent, I fully support "fingerprinting" and the CRIMINALS it has caught over the years.

 

 

But I digress...

Edited by ArcticFoxie
Link to comment
Share on other sites

7 hours ago, ArcticFoxie said:

Agreed.

I didn't go into that much detail, but that is exactly what is happening.

uMatrix is blocking the <frame> that contains the results.

BUT that doesn't explain why I can get THREE DIFFERENT "RESULTS" all based SOLELY on just changing what is and what is not being blocked by NoScript and uMatrix

I was going to say ... I tried V12 with javascript disabled globally and still was fingerprinted so I presume uMatrix is the key, but I've never used it so will have to learn another new thing if I try it, but now, I'm not that worried about it. As you said, I'm not doing anything illegal.

Link to comment
Share on other sites

7 hours ago, ArcticFoxie said:

... CHURCH website and Pornhub links this computer as having visited both

Besides, you can pretty much do anything all week so long as you go to church on Sundays and donate when they pass around the basket .. so I hear anyway. I'm pretty evil so I hesitate to step into a church =P

~Damian

Edited by XPerceniol
Link to comment
Share on other sites

  • 2 months later...
On 10/27/2021 at 9:38 PM, Mr.Scienceman2000 said:

you cant. Content delivery networks are from big companies like google and exist on many sites. Blocking connection to them with umatrix helps partially but decentraliseye does better job by redirecting code running on CND into local browser cache. In short CND is (from cloudflare)

ironic they say improve security when it can risk someone site if main CDN is compromised. Instead of being compromised all does

Sorry to drudge up an old thread and posting, but I've been reading over and researching CND and didn't realize that I'm oxymoron trying to get results from but also block so I am confused now. Obviously I need to learn umatrix. Will try this week but don't find much on decentraliseye recently.

Regardless, I did the check/test and get results from (both) serpent 52 and 360 Chrome V11 and am wondering can this test be trusted. Again, sorry just didn't know where to post this question and its likely been already asked by members; but I can't locate it.

Sort of wondering about "but not over a secure connection. Anybody listening on the 'wire' can see the DNS queries" part ... and "Anybody listening on the wire can see the exact website you made a tls connection to"

Firstly; who is "Anybody" and lastly 'on the wire' ... wouldn't that take some malware on the device or router?

If I said something that I shouldn't, please delete this.

spacer.png

Link to comment
Share on other sites

I am now using the flags:

Strict Site Isolation in 360 Chrome V11 Arctic Foxie

and in Serpent 52

privacy.firstparty.isolate (true)

layout.css.isolation.enabled (true -default)

 

But I guess that isn't the solution.

Thanks in advance :)

 

 

Edited by XPerceniol
Link to comment
Share on other sites

24 minutes ago, XPerceniol said:

and am wondering can this test be trusted

In my humble view, a shout-from-the-rooftops NO, this test can NOT be trusted.

I say that because I can get THREE DIFFERENT RESULTS all in the same exact web browser from the same exact computer on the same exact wi-fi network.

Change a NoScript or uMatrix setting and the test "result" CHANGES.  So that is NOT a "unique fingerprint", plain and simple.

HOWEVER, just narrowing a "fingerprint" from thousands down to THREE does still basically have you "identified".

So I guess the answer is "yes and no".

Link to comment
Share on other sites

Thank you very much :)

I won't bother with that test again as I've read its more of a scam type thing to get people to use a vpn that is tied into cf and secure sni isn't even reliable yet.

Strange:

Today I discover 2 dns files on my computer. One dnsapi.dll is ms signed and so its the other but no browser will work without dnsapi.dll. Chrome I know needs windows but I'm surprised that Serpent needs it too (reads breakpoint error). However, I don't need (and don't want) a resolver on the local PC (sorry I'm not explaining this correctly, I realize that) especially from m$. I've moved it from the system32 folder for now, but still unsure whats going on.

DNS Caching Resolver Service V5.1.2600.5797

spacer.png

PS: I guess I'm still surprised just how much telemetry is still in windows. Gosh, I can only imagine what 8 or 10 must be filled with. Otherwise, I like XP and will stay with is as long as I can.

Edited by XPerceniol
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...