
Web Fingerprinting Sees Through VPNs and Incognito Mode


msfntor


I only have two privacy extensions left: Browser Fingerprint Protector, and Reject Service Worker. All others are removed.

To see your Service Workers (before clearing browser data) look on this chrome page: chrome://serviceworker-internals/

Service Worker test: https://simple-push-demo.vercel.app/ - if you have, on this Simple Push Demo test page: 

"Unable to Register SW

Sorry this demo requires a service worker to work and it failed to install - sorry :( " 

- so all is good for you...

Read: Service Worker Security FAQ: https://www.chromium.org/Home/chromium-security/security-faq/service-worker-security-faq/



Hmm @Sampei.Nihira - why do I have, on this defo.ie ECH check page: https://defo.ie/ech-check.php

SSL_ECH_STATUS: not attempted x

- in all my Chrome forks?..

 

EDIT:

From stats page of: https://defo.ie/

"OpenSSL with ECH

ECH not attempted

TLS Session details:

This TLS version forbids renegotiation.

---

no client certificate available"

- From support.netsweeper.com article: https://support.netsweeper.com/hc/en-us/articles/7115508502804-Encrypted-Client-Hello-ECH-

"What is ECH?

TLS Encrypted ClientHello (ECH) is an experimental mechanism for Transport Layer Security version 1.3 (TLS 1.3) that is designed for encrypting ClientHello messages under a server public key. 

The intent of ECH is to protect the privacy of users by preventing someone who is monitoring network traffic from being able to determine the domain name of a website that a user is browsing to.

What major browsers support ECH?

ECH is currently available in Mozilla's Firefox browser as an experimental feature that can only be enabled in about:config. For more information about Mozilla's ECH implementation, visit the Mozilla Security Blog.

For Edge Version 105 and above, ECH can only be enabled for test purposes with the following option for the command.

edge.exe --enable-features=EncryptedClientHello

For more information about ECH in Edge : You can now Enable Encrypted Client Hello (Encrypted SNI or ESNI/ECH) in Microsoft Edge - Microsoft Tech Community

For Chrome ECH is not currently available."

Chrome Platform Status: Feature: TLS Encrypted Client Hello (ECH): https://chromestatus.com/feature/6196703843581952

 

- From the windowsclub.com article: Enable Encrypted Client Hello in Microsoft Edge to improve privacy: https://www.thewindowsclub.com/enable-encrypted-client-hello-in-microsoft-edge

"Microsoft is always looking for new ways to improve Edge browser, and the latest is all about adding support for Encrypted Client Hello or ECH. For those who are not fully aware, Encrypted Client Hello is a mechanism found in Transport Layer Security protocol, or TLS, that improves privacy by encrypting every privacy-sensitive factor of the TLS connection."

- so (for now...) it's implemented for the new browser called Edge, not for our Chrome forks... :boring:

 

CheckMyHTTPS extensions for Firefox, Chrome, Edge: https://checkmyhttps.net/index.php?language=en

TEST page on tls-ech.dev: https://tls-ech.dev/ says: "You are not using ECH. :("

Manually check an HTTPS connection: https://checkmyhttps.net/check.php?language=en

Not important to me, these padlock stories...

Edited by msfntor
EDIT addition

Why not focus on the benefits of the Reject Service Worker extension instead of that annoying ECH that I can't implement (and you should know this), please?

Have you read the first post on this page?


Because you don't need a browser extension, moreover outdated, to block SW.
A simple rule in uBlock Origin is enough:

 

||$csp=worker-src 'none',domain=~whitelistthisdomain.com

But the biggest problem is understanding when a malfunctioning website needs Service Workers.

It is difficult especially if you have subjected the browser to considerable customization.

 

Edited by Sampei.Nihira
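
What the `worker-src 'none'` part of the rule above does once the filter adds it as an extra Content-Security-Policy header, as an added example that is not part of the original posts: every policy on a response has to allow a worker script, and `worker-src` is looked up before `child-src`, `script-src` and `default-src`, for dedicated, shared and service workers alike. The source matching is simplified, and the function names, headers and origins are constructed for illustration.

```javascript
// Added example: how stacked CSP headers decide whether a worker script may load.
// Directive lookup order for Worker, SharedWorker and ServiceWorker scripts.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse one header value into Map(directive name -> source list).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first one wins
  }
  return directives;
}

// Simplified matching: 'none', *, 'self', scheme sources and exact origins only.
function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  const network = ['http:', 'https:'].includes(url.protocol);
  if (src === "'none'") return false;
  if (src === '*') return network; // * never covers blob: or data:
  if (src === "'self'") return network && url.origin === pageOrigin;
  if (src.endsWith(':')) return url.protocol === src; // scheme source, e.g. blob:
  return network && url.origin === src; // exact origin, e.g. https://cdn.example
}

// Every policy must allow the load; report the first directive that blocks it.
function checkWorkerLoad(policies, workerUrl, pageOrigin) {
  const url = new URL(workerUrl);
  for (const policy of policies) {
    const directives = parsePolicy(policy);
    const name = WORKER_FALLBACK.find((d) => directives.has(d));
    if (!name) continue; // this policy says nothing about workers
    const ok = directives.get(name).some((s) => sourceMatches(s, url, pageOrigin));
    if (!ok) return { allowed: false, blockedBy: `${name} in "${policy}"` };
  }
  return { allowed: true, blockedBy: null };
}

// Constructed sample: a site's own header, plus the one a $csp filter would add.
const SITE_CSP = "default-src 'self'; script-src 'self' https://cdn.example";
const INJECTED_CSP = "worker-src 'none'";
const PAGE = 'https://forum.example';
const demo = () => ({
  siteOnly: checkWorkerLoad([SITE_CSP], PAGE + '/sw.js', PAGE),
  withRule: checkWorkerLoad([SITE_CSP, INJECTED_CSP], PAGE + '/sw.js', PAGE),
  blobWorker: checkWorkerLoad([INJECTED_CSP], 'blob:' + PAGE + '/1234', PAGE),
});
console.log(demo());
```
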

2 hours ago, Sampei.Nihira said:

Because you don't need a browser extension, moreover outdated, to block SW.
A simple rule in uBlock Origin is enough:

This Reject Service Worker extension: https://chrome.google.com/webstore/detail/reject-service-worker/falajmifjcihbmlokgomiklbfmgmnopd?hl=en-US - works very well: blocks service workers on ALL domains ...

Your rule example is for one domain only.


I have a question.

Why do you question (mistakenly) my expertise in security/privacy?

You get the opposite purpose.

I understand (well) the degree of expertise of others.
It would probably be more useful to ask for explanations or to do research on the net.

Having clarified the above, the explanation that should not be necessary, the rule I wrote has general validity.
Only the rule for whitelisting is obviously specific.

Every website that needs a consent rule, then, must be added with the exact same syntax.

 


3 hours ago, Sampei.Nihira said:

I have a question.

Why do you question (mistakenly) my expertise in security/privacy?

You get the opposite purpose.

WHY do you think this? NO, I don't question anything.

I don't use Windows 10 (or 11), I don't use Edge browser...

 

3 hours ago, Sampei.Nihira said:

the rule I wrote has general validity.
Only the rule for whitelisting is obviously specific.

Every website that needs a consent rule, then, must be added with the exact same syntax.

 

So each website has its time to add consent rule, with your rule above?

My extension works silently, for all websites, without unnecessary changes...

Edited by msfntor
I don't use Windows 10 (or 11), I don't use Edge browser...

In DCBrowser, MiniBrowser, 360Chrome:

Is it really blocked or not by the extension? I begin to have doubts, passing the other HTML5 workers test: https://www.w3schools.com/HTML/html5_webworkers.asp - or better: https://www.w3schools.com/HTML/tryit.asp?filename=tryhtml5_webworker

- this number counter is still shown, with extension enabled... Why?

But my first test, from the first post on this page: https://simple-push-demo.vercel.app/ - says that 

"Unable to Register SW

Sorry this demo requires a service worker to work and it failed to install - sorry :( " - so says that service worker is not here... thanks to my extension.

So web worker is here or not ?... Which test is the most effective?

- and what are these "Service worker demo" image examples: https://mdn.github.io/dom-examples/service-worker/simple-service-worker/

EDIT:

In uBlock, after adding this to the "My filters" tab:

||$csp=worker-src 'none'

*$csp=worker-src 'none'

##$csp=worker-src 'none'

- none of these works. Worker is here....

Edited by msfntor
EDIT added

Another WORKER TEST! Web Push Notifications Demo: https://webpushdemo.azurewebsites.net/

Without extension, "Initiate push" button is here, and after click on it, has blue frame... and nothing happens here... maybe because I haven't enabled experimental-web-platform-features in chrome://flags

With extension enabled, this button is called: "Initiating..." - and nothing happens. So my Reject Service Worker extension works!

 

Another test (which doesn't work here): HTML5 worker test: https://nolanlawson.github.io/html5workertest/

 

Read this article: Using Service Workers: https://reference.codeproject.com/dom/service_worker_api/using_service_workers

 

Read: Disable Service Worker: https://www.bugbugnow.net/2022/01/disable-service-worker.html

"Disable ServiceWorker in browser settings.

Chrome (cannot be disabled)

We have not found a way to disable ServiceWorker in Chrome. If you want to disable ServiceWorker in Chrome, it is best to use the above user script or extension."

Voilà.

Edited by msfntor
added

It is very simple to check if the blocking rule (inserted in my filters) is working.
Open the browser development tools and reload our MSFN forum.
In the images below I show you how this is done.

Rule up and running:

image.jpg

uBO without the blocking rule:

2.jpg

Then it is obvious that if you check the API (BrowserLeaks.com  - test Features Detection) this is present and working.

 
