
On 12/25/2023 at 8:34 PM, Sampei.Nihira said:

And Canvas is not the most important test.

I worry more about fonts. Canvases I have many, and my e-oligopoly accounts are full of warning messages about weird logins. Faking fonts is much more difficult to do (but also more labor intensive on part of the spy-monkey). One interesting experiment, in the same spirit of Arkenfox, is https://github.com/da2x/fluxfonts:it creates, as advertised, fonts on the fly, changing your font profile by the hour. Unfortunately it is built for W10-11 (besides linux). In another life I would have loved to learn to build from source and try this very little (only 76kb) program in XP.

Edited by dmiranda


Corrected link  --  https://github.com/da2x/fluxfonts

3 hours ago, dmiranda said:

it creates, as advertised, fonts on the fly, changing your font profile by the hour

This is something that Proxomitron also can do (works in XP and MyPal 68).  But even better as it can be with each and every browser session, no matter how many times you open or close your browser in an hour.

For those that use Proxomitron, the methods are very similar to what was known as the Jakx Pack.

Edited by NotHereToPlayGames

6 minutes ago, NotHereToPlayGames said:

This is something that Proxomitron also can do (works in XP and MyPal 68).  But even better as it can be with each and every browser session, no matter how many times you open or close your browser in an hour.

I will have to give proxomitron a second (or third) try. Thanks for the corrected link.


@dmiranda

Hi, a few years ago, we studied the fingerprinting of many websites.
Usually most websites use few fingerprinting techniques.
And almost all of them for one purpose, the commercial purpose.
Instead, in my opinion, the most dangerous fingerprinting is the one related to security.
There is an abysmal difference with websites where you can perform these tests.
If you want to "go crazy" I will provide you with a testing website used by Brave engineers.
According to them the best fingerprinting website.
Although I believe that the website does not provide an important benchmark, thus a correct conclusion.
It is the trust score.
According to Brave engineers it would be best with a percentage equal to 0.
This, on the other hand, is Abrahamjuliot's somewhat equivocal opinion:

Quote

The trust score shows the level of trust computed from the browser fingerprint values and revision indicators. If the score is 100%, there is a high level of trust in the reported values. Values should not be trusted when the score is low. It is not always beneficial to have a high trust score, and sometimes a low trust score is not bad.

 

https://abrahamjuliot.github.io/creepjs/

Edited by Sampei.Nihira

11 hours ago, dmiranda said:

I worry more about fonts. Canvases I have many, and my e-oligopoly accounts are full of warning messages about weird logins. Faking fonts is much more difficult to do (but also more labor intensive on part of the spy-monkey). One interesting experiment, in the same spirit of Arkenfox, is https://github.com/da2x/fluxfonts:it creates, as advertised, fonts on the fly, changing your font profile by the hour. Unfortunately it is built for W10-11 (besides linux). In another life I would have loved to learn to build from source and try this very little (only 76kb) program in XP.

The only settings I use regarding font(s) are:

browser.display.use_document_fonts;1 (Default)
font.name-list.emoji;
gfx.font_rendering.opentype_svg.enabled;false

I don't know.


8 hours ago, NotHereToPlayGames said:

Corrected link  --  https://github.com/da2x/fluxfonts

This is something that Proxomitron also can do (works in XP and MyPal 68).  But even better as it can be with each and every browser session, no matter how many times you open or close your browser in an hour.

For those that use Proxomitron, the methods are very similar to what was known as the Jakx Pack.

Never tried Proxomitron bc I always figured it was over my head. :crazy:


1 hour ago, Sampei.Nihira said:

@dmiranda

Hi, a few years ago, we studied the fingerprinting of many websites.
Usually most websites use few fingerprinting techniques.
And almost all of them for one purpose, the commercial purpose.
Instead, in my opinion, the most dangerous fingerprinting is the one related to security.
There is an abysmal difference with websites where you can perform these tests.
If you want to "go crazy" I will provide you with a testing website used by Brave engineers.
According to them the best fingerprinting website.
Although I believe that the website does not provide an important benchmark, thus a correct conclusion.
It is the confidence score.
According to Brave engineers it would be best with a percentage equal to 0.
This, on the other hand, is Abrahamjuliot's somewhat equivocal opinion:

 

https://abrahamjuliot.github.io/creepjs/

Just ran the test and don't know what to make of the results.


These are the ones I play with. font.system.whitelist is the one I'm dealing with at the moment. They do not seem to do much, but what is found by different test sites varies and, more importantly, the hash/fingerprint extracted from the fonts varies within tests, if repeated over time with a hardened setup.

user_pref("browser.display.use_document_fonts", 1); // default, 0 doesn't expose system fonts, 1 uses all or those set in font.system.whitelist (confirm)
user_pref("font.blacklist.underline_offset", ""); // set, original was "FangSong,Gulim,GulimChe,MingLiU,MingLiU-ExtB,MingLiU_HKSCS,MingLiU-HKSCS-ExtB,MS Gothic,MS Mincho,MS PGothic,MS PMincho,MS UI Gothic,PMingLiU,PMingLiU-ExtB,SimHei,SimSun,SimSun-ExtB,Hei,Kai,Apple LiGothic,Apple LiSung,Osaka"

user_pref("font.internaluseonly.changed", true); // not sure what this is, appears on settings when the font.system.whitelist is populated, I believe

user_pref("font.name.monospace.x-western", "FontAwesome"); // many pages, including msfn, use it for buttons and such. I download those fonts manually, and "install" them in system

user_pref("font.size.variable.x-western", 14);

user_pref("font.system.whitelist", "Arial, Batang, Cambria Math, Courier New, Gautami, Georgia, Lucida Console, MS Gothic, MS Mincho, MS PGothic, MS PMincho, MV Boli, Malgun Gothic, Mangal, Meiryo, Meiryo UI, Microsoft Himalaya, Microsoft JhengHei, Microsoft JhengHei UI, Microsoft YaHei, Microsoft YaHei UI, MingLiU, Noto Sans Buginese, Noto Sans Khmer, Noto Sans Lao, Noto Sans Myanmar, Noto Sans Yi, Nyala, PMingLiU, Plantagenet Cherokee, Raavi, Segoe UI, Shruti, SimSun, Sylfaen, Tahoma, Times New Roman, Tunga, Verdana, Vrinda, Yu Gothic UI, Sans-Serif, FontAwesome"); // [HIDDEN PREF] *-* there are a number of standard lists out there. I'll play with these for a while.

user_pref("gfx.downloadable_fonts.enabled", false); // set *-*

user_pref("gfx.downloadable_fonts.woff2.enabled", false); // set *-*

user_pref("gfx.font_rendering.graphite.enabled", false); // set

user_pref("gfx.font_rendering.opentype_svg.enabled", false); // set

user_pref("layout.css.font-loading-api.enabled", false); // set *-* these 5 css.font  entries prevent coveryourtracks tests from completing.

user_pref("layout.css.font-visibility.level", 1); // set *-* 1 system fonts, 2 is 1+user fonts, 3 is whatever is there

user_pref("layout.css.font-visibility.resistFingerprinting", 1); // set *-*

user_pref("layout.css.font-visibility.standard", 1); // set *-*

user_pref("layout.css.font-visibility.trackingprotection", 1); // set *-*

user_pref("svg.disabled", false); // default, otherwise it breaks FB, probably linkedin and YT buttons
 

Edited by dmiranda
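
Added example, not part of dmiranda's post or of any project named in this thread: a small model of why a shared font.system.whitelist makes the font hash from a test site converge, and why a whitelist entry that only some machines have installed splits it again. The probe list, the two machine font sets, the FNV-1a hash and the rule that an empty whitelist means "no restriction" are all assumptions of the model.

```javascript
// Added illustration: a model of font probing, not a browser API.
// PROBE_LIST, MACHINE_A and MACHINE_B are constructed sample data.
const PROBE_LIST = ["Arial", "Calibri", "Consolas", "Courier New",
                    "FontAwesome", "Georgia", "Tahoma", "Verdana"];
const MACHINE_A = ["Arial", "Courier New", "FontAwesome", "Georgia", "Tahoma", "Verdana"];
const MACHINE_B = ["Arial", "Calibri", "Consolas", "Courier New", "Georgia", "Tahoma", "Verdana"];

// 32-bit FNV-1a, standing in for whatever hash a test site applies.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Split a font.system.whitelist value into lower-cased font names.
function parseWhitelist(value) {
  return new Set(value.split(",").map(s => s.trim().toLowerCase()).filter(Boolean));
}

// Fonts a probing page would detect: probed, installed and, if a
// whitelist is set, whitelisted (assumption: empty list = no restriction).
function visibleFonts(installed, whitelistValue) {
  const have = new Set(installed.map(f => f.toLowerCase()));
  const allow = parseWhitelist(whitelistValue);
  return PROBE_LIST.filter(f => {
    const key = f.toLowerCase();
    return have.has(key) && (allow.size === 0 || allow.has(key));
  });
}

function fontFingerprint(installed, whitelistValue) {
  const fonts = visibleFonts(installed, whitelistValue);
  return { fonts, hash: fnv1a(fonts.join("|")) };
}

// Compare the two sample machines under one whitelist value.
function compareMachines(whitelistValue) {
  const a = fontFingerprint(MACHINE_A, whitelistValue);
  const b = fontFingerprint(MACHINE_B, whitelistValue);
  return { a, b, sameHash: a.hash === b.hash };
}

const COMMON = "Arial, Courier New, Georgia, Tahoma, Verdana";
console.log("no whitelist:", compareMachines("").sameHash);
console.log("shared whitelist:", compareMachines(COMMON).sameHash);
console.log("whitelist + FontAwesome:", compareMachines(COMMON + ", FontAwesome").sameHash);
```
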

14 minutes ago, dmiranda said:

user_pref("browser.display.use_document_fonts", 1); // default, 0 doesn't expose system fonts, 1 uses all or those set in font.system.whitelist (confirm)

Will indeed check those out and run it through my user.js tomorrow - don't worry I'll make sure to back up my profile :D

Hmmm ... I'm showing on my Mypal68

browser.display.use_document_fonts as the default is 1 :dubbio:

Thank you @dmiranda and @Sampei.Nihira

Edited by XPerceniol
Oops mypal68 not what I put

11 minutes ago, XPerceniol said:

browser.display.use_document_fonts as the default is 1 :dubbio:

Value 0 leaves you downloading every font, when available, or staring at a broken page. TOR, I think, uses value 0, since it has an in-browser cache of fonts.


5 hours ago, Sampei.Nihira said:

According to Brave engineers it would be best with a percentage equal to 0.

I'm quite happy with it. They know I enter 5 times (I'd prefer they had seen 5 different browsers, but hey, I don't use a vpn - will try with TOR), but they have 0% trust on their results.

Noname.png


14 minutes ago, dmiranda said:

They know I enter 5 times

Yep.  The more often you visit, the more often you prevent what you are trying to achieve.

You cannot attempt to achieve "non-uniqueness" by visiting over and over and over and becoming a "regular" to the wait-staff.

Edited by NotHereToPlayGames

Best scenario: In an hour or so, my profile would have changed enough to enter and probably be taken as a new entry. Worst: I enter and they recognize the browser anyway, but keep not knowing my real specs. In any case, looking at their results beyond the 0% trust, it's clear their fingerprinting is uncertain, preventing them from tracking me elsewhere. I'll report back.

