Browserprint.info Detects True Family of Browser & OS #55
Comments
Did you toggle the about:config option to limit detectable fonts? I think that's how it's detecting your OS and browser. There's a few about:config entries you will need to enable to enhance your security. Check the wiki for more info if you haven't already.
I have tested with the preference browser.display.use_document_fonts set to 0. Pretending with Chameleon 0.8.16 to be Chrome 69 on Ubuntu, Browserprint.info correctly guessed I was some Firefox version on some Windows version. I added CanvasBlocker to the combo, because browserprint.info seems to test some AudioContext and CanvasBlocker is able (in "expect option") to spoof it, but without success. (Firefox on Windows always detected). Then I tried with a heavily customized profile (using Chameleon, Canvas Blocker and many other addons, one of these others being BP Privacy Block All Font and Glyph detection). In that case, Browserprint.info correctly guessed that my browser belonged to FF family, but was fooled concerning the OS, considering it belonged to the Linux family (as spoofed). BP Privacy Block All Font and Glyph detection is intended to
Problem: I can no longer find BP Privacy Block All Font and Glyph detection on AMO, only on Google Store. But it was on AMO at least on 7 September, as about:addons indicates it was updated that day.
It seems that BP Privacy Block All Font and Glyph detection is now renamed as BP Block Font Fingerprint on AMO.
Sorry) And sorry for my English, I'm Russian ) As I understand it - the Sereneblue has nothing to do with it. The FireFox has a unique signature itself, how not to change useragent. Example on php (function createHeaderSignature) https://svn.jondos.de/svn/anontest/inc/helper.php . And the protocol TCP/IP - gives the operating system (bypassing the browser, Chameleon, etc.) Proofs: Moreover, as a “bonus” - mobile devices send tap, and not click, so you don’t have to pretend to be mobile. https://patrickhlauke.github.io/touch/tests/event-listener_naive-touch-or-mouse.html But it can do itself FireFox: https://developer.mozilla.org/en-US/docs/Tools/Responsive_Design_Mode Therefore, in add-ons like the Windscribe, the substitution is limited to the versions of the FireFox versions and the versions of the original OS. But that sites with this info (browser and os, especially if only versions are changed) will do? Cry, that they seem deceived again? :) I think they don’t need it and Windows with FireFox are millions https://www.w3schools.com/browsers/browsers_firefox.asp . Now if FF61 more first version add :) IMHO - the spoofing of these parameters, with the exception of scammers, security services, etc., no one needs (by the way, problems may arise, for example, with anti-fraud systems, since a simple user will not do this). And in order to get rid of "advertisers" - the Chameleon is a fantastic extension :)
@3ibsand Your English is fine and thanks for the compliment. :) As you've mentioned, there are some things that can't be 'fixed' with WebExtensions. I do think the current version of Chameleon with a few addons, VPN/proxy and good practices should be enough for most people. I'm still looking into this since it seems like an interesting feature to add. :)
Hello :) Yes, the opportunity is interesting. It’s a pity, I don’t write in Java, but I’m reading the code, since I’m writing in C# and other dotNet languages and C++, otherwise I would love to help. You can delete one of the headers, just as it is implemented in simple-modify-headers (for example - Spoof Accept-Language, it will not break the sites, and the signature will change). But then the FireFox will be defined as an "unknown browser", because of which they may not be allowed on sites :) As for the operating system, in my opinion, nothing can be done, but can change the stack as in the TCPOptimizer program, but can also break Windows) As for mobile operating systems - can probably activate the touchpad and touchscreen emulation in FireFox, but I don’t know how :)
True, if you want, I can translate the interface into Russian, maybe it will increase the number of users :) And even your hackers reading in English can not always understand how to use the Chameleon, although they realize that it is useful. And so our hackers, which do not read English either, especially))) One issue that you may run into when configuring the headers options is that no explanation is provided. While it is easy enough to understand some options, Enable Do-Not-Track does exactly that, it is unclear what others like Disable Authorization or Spoof via do exactly. :)
Accept-Language could be useful if you want to browse the web in a different language. I could try to rewrite some of the interface labels to make them more descriptive but it's a bit difficult fitting that in the popup window. I think I'll open the wiki page when the extension is first installed. I appreciate the offer to translate the interface. I'm going to begin work in the near future to make it easier to add languages to Chameleon. There's a few things I want to finish first. ;)
OK. Thanks) Well, about the removal of header, I for example)) Who really wants to completely disguise - checkbox. Or answer that "you can use simple-modify-headers , but it will end badly")
OS is also still detectable via navigator.platform
@kevgk Do you have script injection enabled? That should be spoofed if you select a browser profile (or one of the random options)
@sereneblue worked, thanks.
Me too. browserprint.info, Telegram web and Fake Vision detect my Real OS. PLATFORM Even I turned on Enable script injection, and checked Firefox 65 (Win 10). I use Firefox 65.0 and Chameleon v0.11.3. |
For browserprint and Fake Vision, I think it's the font that leaks the true OS. That's something I plan to work on. I don't use Telegram, so I'm not sure how they're detecting the real OS. |
I turned on resistFingerprinting. |
Resist fingerprinting is working properly. I did some research into the passive fingerprint that Fake Vision uses; I believe it's using this for the fingerprint. That's beyond the capabilities of a WebExtension. If you enable resist fingerprinting, it limits the fonts detected but I think the fonts are still unique per platform. I've had mixed results (incorrect OS) with browserprint.
[edit: grammar, typos]
privacy.resistFingerprinting does not do anything to stop font fingerprints, and it won't for at least another year, even if it decides to actually do something (straight from the horse's mouth - I have contacts!). The current thinking is to follow Tor Browser's bundling of fonts. This has two parts
Note that TB have slightly different bundled fonts per platform (i.e major platform: windows/linux/mac/droid)
Just to let OP know that you CANNOT hide your OS or browser (or even your browser version) if anyone really wanted to know - see https://arkenfox.github.io/TZP/tzp.html#useragent - you can see I have a TCP/IP item (but haven't coded it). But math, chrome://, resource://, error messages, and feature detection all leak you are on Firefox, feature detection shows your version: math alone leaks your OS. Outside of this active FP'ing is passive FP'ing, such as TCP/IP stack, TLS and ciphers, etc - all leak things server side. Don't overthink it. While I'm not a fan of randomizing & raising entropy (vs lowering entropy) due to all the information paradoxes it brings (which also adds more FP'ing and causes breakage), the fact is that the vast bulk of FP'ing is using "simple" libraries like fingerprintjs2 because they're small, fast and contain enough complexity and stability to be usable, and they get 95% of people (easy free low hanging fruit) - not to mention all the other ways tracking is done to link your activities (3rd party cookies, ssl session ids, header referrers, etc)
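The navigator.platform and feature-detection leaks raised in the comments above can be checked against a spoofed profile with a small self-audit. This is an added example, not code from the thread or from Chameleon; the `snapshot` object, the function names and the sample values are assumptions of the example, and in a browser console the fields would be read from `navigator.userAgent`, `navigator.platform` and `navigator.oscpu`.

```javascript
// Added example. The snapshot fields mirror navigator.userAgent,
// navigator.platform and navigator.oscpu; the sample values are constructed.

// Map a User-Agent, navigator.platform or navigator.oscpu string to an OS family.
function osFamily(value) {
  if (/Win/.test(value)) return "windows";
  if (/Mac/.test(value)) return "mac";
  if (/Linux|X11/.test(value)) return "linux";
  return "unknown";
}

function browserFamily(userAgent) {
  if (/Firefox\//.test(userAgent)) return "firefox";
  if (/Chrome\//.test(userAgent)) return "chrome";
  return "unknown";
}

// Return every place where a JavaScript-visible value contradicts the User-Agent.
function auditSpoof(snapshot) {
  const findings = [];
  const claimedOs = osFamily(snapshot.userAgent);
  const claimedBrowser = browserFamily(snapshot.userAgent);

  const platformOs = osFamily(snapshot.platform || "");
  if (platformOs !== "unknown" && platformOs !== claimedOs) {
    findings.push(`platform: navigator.platform is ${platformOs}, User-Agent claims ${claimedOs}`);
  }
  // navigator.oscpu is only defined in Firefox, so its presence is a browser tell.
  if (typeof snapshot.oscpu === "string") {
    if (claimedBrowser !== "firefox") {
      findings.push(`browser: navigator.oscpu exists, User-Agent claims ${claimedBrowser}`);
    }
    const oscpuOs = osFamily(snapshot.oscpu);
    if (oscpuOs !== "unknown" && oscpuOs !== claimedOs) {
      findings.push(`oscpu: navigator.oscpu is ${oscpuOs}, User-Agent claims ${claimedOs}`);
    }
  }
  return findings;
}

const CHROME_UBUNTU_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36";
// Constructed: only the User-Agent header is changed on Firefox/Windows.
const headerOnly = { userAgent: CHROME_UBUNTU_UA, platform: "Win32",
  oscpu: "Windows NT 10.0; Win64; x64" };
// Constructed: script injection also rewrites the navigator properties.
const withInjection = { userAgent: CHROME_UBUNTU_UA, platform: "Linux x86_64",
  oscpu: undefined };

console.log(auditSpoof(headerOnly));    // three findings
console.log(auditSpoof(withInjection)); // []
```

An empty result only means these three values agree with each other; the font, math and TCP/IP signals mentioned in the thread are outside what it checks.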
The fingerprint testing site browserprint.info is able to guess my OS belongs to Windows family and my browser to Firefox whatever user-agent I select with Chameleon.