The wretched Chrome Client Hints, another Doomsday of privacy: ways out of it.


Posted
11 hours ago, NotHereToPlayGames said:

But let's be as real and honest as we can here.  If we REALLY want to isolate this as UACH, then that should be the ONLY "variable" changed!

Technically, to be truly scientific, win32 should re-release a v122 that broadcasts a UACH of Chrome 128 on Win11.  MAKE NO OTHER CHANGES EXCEPT THAT ONE VARIABLE.  Then test in XP SP3 !!!

He's not going to!  Because I am 100% positive that even he himself doesn't really think UACH is the issue here.  He hasn't done anything to prove or disprove, he merely threw out a "probably" response to appease the audience.

Sorry, that's what it looks like from "this perspective".  Again, I have no problem whatsoever in "being wrong".  But I also have no problem whatsoever in saying "I told you so".  :cheerleader:

Good, constructive discussion, I appreciate that, really. The other two things that I can think of right now are (besides the beaten to death canvas).

1 - JA3 Hash

https://browserleaks.com/ip

2 - or HTTP/2 Fingerprint (Akamai Hash)

https://browserleaks.com/http2

or both, in conjunction, to make an iron fingerprint. Some modern versions can spoof the first one, mind you.

 

 


Posted

And we can not rule out *elliptic curve* encryption.

Remember, this cloudflare-cycle is in XP only!

I cannot replicate in 7, I cannot replicate in 10.  Regardless of UACH-capable version or not.  And again, Ungoogled v122 and Supermium v122 are *identical* as far as a server looking at their UACH alone, I see no UACH discrimination.

I cannot uncycle this cloudflare-cycle in XP with a fake UACH.

UACH is not the culprit here, not in my investigation.  I have still yet to witness anything but "undue paranoia" regarding UACH.

TO ME, everything still seems to point to *elliptic curve* encryption!  Turning off certificate errors client-side has no effect on server-side.

Unfortunately, Proxomitron even has issues with Cloudflare Crap, so my best tool for debug is handicapped.

Posted
1 hour ago, Dixel said:

The other two things that I can think of right now are (besides the beaten to death canvas).

1 - JA3 Hash

2 - or HTTP/2 Fingerprint (Akamai Hash)

or both, in conjunction, to make an iron fingerprint.

If these WORK in XP, then we have to RULE THEM OUT AS CULPRITS.

Our focus has to be with "technologies" that DO NOT WORK in XP.

The only one I am seeing thus far is *elliptic curve*.

I'd have to research these, but a quick search for if they do NOT work in XP has revealed NOTHING - so I have to assume that these DO work in XP.

Posted

I am hereby very THANKFUL that other folks have chimed in on the original OP's non-MSFN post that this is not a UACH issue.  "Told you so."

And HILARIOUS how MSFN gets a mention for ad nauseam speculations.

Posted
On 8/18/2024 at 10:54 PM, NotHereToPlayGames said:

Unfortunately, Proxomitron even has issues with Cloudflare Crap, so my best tool for debug is handicapped.

Generally, you seem to be writing a lot without providing the alternative view on what really happens when Cloudflare protection kicks in. Nevertheless, give you a like only for another point of view.

I'm tired of reading about CH, it's everywhere now, a lot of noise. On the other hand, I like that the others are trying to get to the bottom.

Posted
15 hours ago, NotHereToPlayGames said:

I am hereby very THANKFUL that other folks have chimed in on the original OP's non-MSFN post that this is not a UACH issue.  "Told you so."

I want proof what then.

Posted
15 hours ago, NotHereToPlayGames said:

And HILARIOUS how MSFN gets a mention for ad nauseam speculations.

The dude who wrote that  "ad nauseam speculations" nonsense also wrote it worked in 124 (where the client hints are obviously different).

The same dude requested those who deny client hints tell what it is then.

Posted
11 hours ago, NotHereToPlayGames said:

Me too!

I only change one variable at a time and all I can tell you with 123,456,789% confidence is that this is not UACH-related.

 

11 hours ago, D.Draker said:

The dude wrote it worked in 124 (where the client hints are obviously different).

 

 

Posted
11 hours ago, NotHereToPlayGames said:

I can tell you with 123,456,789% confidence is that this is not UACH-related.

Gut feeling?

Posted
12 hours ago, NotHereToPlayGames said:

Nope.  I measured with calibrated instrumentation.

There was no need to "measure" per se, what do you get under JA3 Hash and Akamai Hash?

Posted
2 hours ago, D.Draker said:

what do you get under JA3 Hash and Akamai Hash?

Technically, NOTHING, not so much as even a "space".  Because these both come in under IFRAMES and I block iframes by default.

And, um, I don't see the point of turning off all of my default defenses just to see what I get then.

But you don't need to load the full page if you want to test these across several browsers, skip the iframe and load the content directly.

 

JA3 Hash:  https://tls.browserleaks.com/iframe/ja3_hash

Akamai Hash:  https://tls.browserleaks.com/iframe/akamai_hash

Posted
11 hours ago, NotHereToPlayGames said:

Technically, NOTHING, not so much as even a "space".  Because these both come in under IFRAMES and I block iframes by default.

Well, then you can't say fingerprinting for the masses is the same for you. I'm sure those who posted on github do the same (block by default), and they get fingerprinted rather differently.

 

Posted

Here's a Blast From The Past that you may be interested in  --  https://www.defensive-security.com/blog/hiding-behind-ja3-hash

I used to dive into all of this much deeper than nowadays.  If you are on the internet, you have been fingerprinted, PERIOD.

It's more about BLENDING IN WITH THE CROWD these days.  Don't "block" these fingerprints, turn them into a blend-in-with-the-crowd instead.

By "blocking", you stand out like a sore thumb, you've made yourself ONE in BILLIONS.  Don't make yourself UNIQUE, make yourself a blend-in.

I thought we already went over this?  Several times.
