The wretched Chrome Client Hints, another Doomsday of privacy: ways out of it.


Dixel

So, after fiddling with chrome.dll, I was able to edit out most of the values ClientHints API sends to servers.

But the API shows as working, I think it's a good result.


11 hours ago, NotHereToPlayGames said:

You should take serious consideration to the fact that you just created a UNIQUE fingerprint.

If you want to stand out like a sore thumb, you succeeded.

If your intention is to blend in with the crowd, then you should actually send the most popular field content.

I agree with you, I'm still testing. But like I said, it's already a good result. I want to achieve all fields empty. But I, at least for now, don't know how to block the whole API.


11 hours ago, NotHereToPlayGames said:

If your intention is to blend in with the crowd, then you should actually send the most popular field content.

Which one do you prefer more, mine, or Dave's: NT 5.1 x86 + Chrome 124.

And what exactly do you think makes it unique? The space between the brackets is empty in mine.

Thanks,

https://msfn.org/board/topic/185045-supermium/?do=findComment&comment=1268273


11 hours ago, NotHereToPlayGames said:

I'll answer that.  But first, can you answer why you are jumping through all of these hoops to deactivate/disable/defuse "client hints"?

No problem, as you may already know, ClientHints are invoked by JavaScript, so search for the area around the browser navigator.

There are also many other useless entries like 

navigator.userAgentData

Navigator.usb.get

Navigator.bluetooth.get

navigator.userAgentData is the one responsible.

 

That's not what I was asking.

Why do you see ClientHints as "evil and must be done away with"?

I have to assume that you see them as some form of "privacy issue", that ClientHints themselves FINGERPRINT the web site visitor, is that correct?


11 hours ago, NotHereToPlayGames said:

That's not what I was asking.

Why do you see ClientHints as "evil and must be done away with"?

I have to assume that you see them as some form of "privacy issue", that ClientHints themselves FINGERPRINT the web site visitor, is that correct?

Privacy issue, yes, but the biggest annoyance is when modern sites detect Vista and ask you to upgrade the browser, when the browser does not need to be upgraded.

Probably you don't use those sites. I'd give some links, but you won't use them anyway. One good example is the Nvidia site; it was already discussed on GitHub.


As we all know, starting with Chrome 122 (Final release), they can't be forced off via the known cmd flag.

Members are welcome to post their ways of dealing with 'em. Probably, someone already knows a crx extension?

I tend to edit each Chrome browser manually, but it's not convenient for most of the users.

Also, it has some disadvantages, sometimes leading to a unique fingerprint. In all, we need a working fake CH switcher.


This is a false problem.
Low entropy (CH) values transmitted by the client without a request from the server are deducible by the User Agent itself:

https://developer.mozilla.org/en-US/docs/Web/API/User-Agent_Client_Hints_API

It is possible to fake the User Agent from the browser development tools and then modify the Client Hints.

Disabling javascript from the browser itself blocks all client hints because the API is js.
Of course, the User Agent is equally broadcast.

Note that disabling javascript from an extension such as uBlock Origin does not achieve the goal as does disabling js in the browser itself.

If such a "problem" is insurmountable, it is recommended to change browsers.
r3dfox which can be used in your OS does not have the Client Hints API.

 

Edited by Sampei.Nihira
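
Added example, not part of any post in this thread: a Node.js check of the kind a server can run, showing that Chrome's three default low-entropy hints (Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform) repeat what the User-Agent string already says, and that blanked hint values make a request disagree with its own User-Agent. The header sets and function names are constructed for illustration.

```javascript
// Added example; both header sets below are constructed, not captured traffic.
const UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
           "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36";
const STOCK = {
  "user-agent": UA,
  "sec-ch-ua": '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"',
  "sec-ch-ua-mobile": "?0",
  "sec-ch-ua-platform": '"Windows"',
};
// Same browser with the hint values blanked out, as described in the first post.
const BLANKED = { ...STOCK, "sec-ch-ua": "", "sec-ch-ua-platform": '""' };

// Parse a Sec-CH-UA value ("Brand";v="124", ...) into a { brand: version } map.
function parseBrandList(value) {
  const brands = {};
  const re = /"([^"]*)"\s*;\s*v="([^"]*)"/g;
  let m;
  while ((m = re.exec(value || "")) !== null) brands[m[1]] = m[2];
  return brands;
}

// What the User-Agent string alone already tells the server.
function deriveFromUserAgent(ua) {
  const chrome = /Chrome\/(\d+)/.exec(ua);
  let platform = "Unknown";
  if (/Windows NT/.test(ua)) platform = "Windows";
  else if (/Android/.test(ua)) platform = "Android";
  else if (/Mac OS X/.test(ua)) platform = "macOS";
  else if (/Linux/.test(ua)) platform = "Linux";
  return { major: chrome ? chrome[1] : null, platform,
           mobile: /Mobile/.test(ua) ? "?1" : "?0" };
}

// Return the names of the default hints that disagree with the User-Agent.
function compareHints(headers) {
  const ua = deriveFromUserAgent(headers["user-agent"] || "");
  const brands = parseBrandList(headers["sec-ch-ua"]);
  const platform = (headers["sec-ch-ua-platform"] || "").replace(/"/g, "");
  const mismatches = [];
  const chVersion = brands["Google Chrome"] || brands["Chromium"];
  if (chVersion !== ua.major) mismatches.push("sec-ch-ua");
  if (platform !== ua.platform) mismatches.push("sec-ch-ua-platform");
  if ((headers["sec-ch-ua-mobile"] || "") !== ua.mobile) mismatches.push("sec-ch-ua-mobile");
  return mismatches;
}

console.log("stock:", compareHints(STOCK), "blanked:", compareHints(BLANKED));
```

An empty result means the hints add nothing beyond the User-Agent; a non-empty one is the inconsistency that sets a modified browser apart from stock builds.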

27 minutes ago, Sampei.Nihira said:

This is a false problem.

I agree.

This seems to me to be just one of those things where "undue paranoia" gets the best of us and we run in circles to prevent "theoreticals" that don't actually exist in "reality".

To each their own, of course.  I personally HAVE A MEANS  to SPOOF CLIENT HINTS  --  PROXOMITRON.

I have no problem in the least in getting more MSFN Members to use PROXOMITRON - so if ClientHint "undue paranoia" is what gets us there, no skin off my back, lol.

 

"half full" versus "half empty".  Nothing more.  Nothing less.

Edited by NotHereToPlayGames

If I search-engine-of-choice search for "client hints privacy concern", most (if not all) of the results are SEVERAL years old!

Wikipedia has the below - note that it specifically cites that they are talking about when the proposal was originally published.

So perhaps all of this "undue paranoia" is based on what Client Hints were ORIGINALLY supposed to be versus what they ACTUALLY ended up being  ???  ???  ???

While I *do* consider this "undue paranoia", I DO SPOOF THEM VIA PROXOMITRON if nothing more than a "verification" that I CAN, not that I "need to".

No clue, to be perfectly honest.  As I've always stated, if you are ON the internet, then you have been FINGERPRINTED.  No "if's, and's, or but's".

 


Edited by NotHereToPlayGames

14 hours ago, Sampei.Nihira said:

If such a "problem" is insurmountable, it is recommended to change browsers.
r3dfox which can be used in your OS does not have the Client Hints API.

Thanks, but I specifically pointed to Chrome-only browsers in the topic's title.


13 hours ago, NotHereToPlayGames said:

If I search-engine-of-choice search for "client hints privacy concern", most (if not all) of the results are SEVERAL years old!

It's because they were boiling the frog very slowly; now it's used to a much wider extent.


14 hours ago, Sampei.Nihira said:

This is a false problem.
Low entropy (CH) values transmitted by the client without a request from the server are deducible by the User Agent itself:

https://developer.mozilla.org/en-US/docs/Web/API/User-Agent_Client_Hints_API

Thanks for your opinion, unfortunately people wouldn't agree, and one of the cases is documented here. Probably you didn't see it yet.

https://github.com/win32ss/supermium/issues/779

 


14 hours ago, NotHereToPlayGames said:

I have no problem in the least in getting more MSFN Members to use PROXOMITRON - so if ClientHint "undue paranoia" is what gets us there, no skin off my back, lol.

Thanks, I will maybe consider your suggestion later on; right now I'm a bit preoccupied with real life. I'm looking for a simple solution like modifying headers on the fly and making them switchable from presets.
