| Do you have a better idea than the visual basic method proposed here?
| https://www.iptest.club/blog/fingerprinting/font-fingerprinting-protect/
|
I use a combination of HOSTS file and NoScript. So very
few sites have script enabled in my browser. And most of
the spyware domains are blocked altogether. If you're
going to let the likes of Google access your system, especially
with script enabled, then they already know everywhere you're
going and what you're doing. Randomizing fonts is then like
locking your side window while the front wall of your house is
missing. People come up with this kind of nonsense
because they want to pretend they can have privacy and
convenience with no mitigation of either. That won't work.
If you're
going to let the likes of Google access your system, especially
with script enabled, then they already know everywhere you're
going and what you're doing.
| That doesn't deal with fonts though...
You don't understand.
Enumerating your fonts requires
enabling javascript, and it's only done by companies
trying to track you.
If you block those companies and limit
script, then no one's enumerating your fonts.
Take a look at the source code of a few commercial websites.
At most you'll find code calling out to google
fonts, maps, jquery, google analytics, google
tag manager, doubleclick, facebook, and so on.
If you don't block access to those domains in a HOSTS
file then they're tracking you everywhere you go.
If you're going to use Google, gmail, maps, etc
and you need to enable script, then they will track you.
Enumerating your fonts won't be necessary.
Your browser will call them everywhere you go.
Even if you manage to hide your IP, they'll be tracking you.
Many things will break if you disable javascript, but if
you use NoScript then you can enable only what's
absolutely necessary.
It's up to you, but you're
fooling yourself if you think a font mixer-upper is
going to make a difference.
I disable javascript for both privacy and security.
It simply isn't safe. In terms of privacy, I've seen virtually
no ads in decades, with a HOSTS file of about 300
entries. It works quite well, because the ads and
trackers are a very small number of entities. So why
would anyone NOT use a HOSTS file for things like google
analytics and doubleclick?
I recently was advised that browser fingerprinting can be done using (among many other metrics) your C:\Windows\Fonts such that, for example, you can try to use different browsers but your fonts will be exactly the same for all. https://webbrowsertools.com/font-fingerprint/
The complexity of the FONT fingerprinting methods is partially in the specific set of fonts that any one user has accrued up to this moment. https://browserleaks.com/fonts
Exactly. Privacy is not philosophy. It's a practical
matter. You may want to randomize your fonts, but others
have a right to know it's not a useful thing to do.
Easier for me to just configure my web browser, Firefox, to resist font fingerprinting.
On 21-03-2023 23:38 VanguardLH <V@nguard.LH> wrote:
Easier for me to just configure my web browser, Firefox, to resist font
fingerprinting.
I have nothing against Firefox and that's a nice feature of Firefox.
But what good is a solution that only works with one browser?
And which likely breaks the Internet?
When you can come up with a solution that works with all browsers.
And which does not break the Internet.
Randomizing fonts works with all web browsers.
And it doesn't break the Internet.
On 22-03-2023 10:26 VanguardLH <V@nguard.LH> wrote:
Unless a developer testing their web site or web app on multiple web
browsers to ensure compatibility with all, what's the point of using
multiple web browsers? Do you really bounce between web browsers on
your own personal hosts? Firefox is my primary web browser.
Edge-Chromium is a backup. It is very rare that I am forced away from
using my primary web browser.
Regardless of how you might use a multitude of web browsers, how much
have you helped others with problems on their computers? If you had,
you would realize the norm is for users to focus on one web browser.
But, in the case of actually and actively employing multiple web
browsers, and doing so repeatedly, yes, there is an advantage of
deploying a solution that is globally effected on all web browsers,
including all of those you never get around to using yourself as a
solution to everyone else using different web browsers than your
choices.
You may be the only person on Windows who has only one browser installed.
Unless a developer testing their web site or web app on multiple web
browsers to ensure compatibility with all, what's the point of using
multiple web browsers? Do you really bounce between web browsers on
your own personal hosts? Firefox is my primary web browser.
Edge-Chromium is a backup. It is very rare that I am forced away from
using my primary web browser.
Regardless of how you might use a multitude of web browsers, how much
have you helped others with problems on their computers? If you had,
you would realize the norm is for users to focus on one web browser.
But, in the case of actually and actively employing multiple web
browsers, and doing so repeatedly, yes, there is an advantage of
deploying a solution that is globally effected on all web browsers,
including all of those you never get around to using yourself as a
solution to everyone else using different web browsers than your
choices.
The fonts getting divulged for fingerprinting are those installed on
your computer. Well, you can randomize which fonts you have, or you
could pare down all those extra fonts down to the basic set that
Windows, or your choice of OS, comes pre-bundled.
You're denying web
sites from falling back to your fonts other than some standard set that everyone has and supposedly would reduce your fingerprint (but do users really only have a basic set of fonts that never change?). What happens
to all your other programs installed on your computer?
You randomize the font set while you are web browsing. When web
browsing, you never ever run any other program? You never open an
editor, word processor, spreadsheet, or load ANY other program while you
have the web browser loaded? Well, randomizing the font set for the web browser means you are doing the same for every other program you may
open at the same time. If concurrently opening multiple programs was
not a wanted feature, Windows nor any other OS would have to bother with multi-tasking, running a dispatcher, assigning priority, or all the
other functions of a multi-tasking OS. Running a single program that is always foregrounded with no opportunity to load any other program is not
how users use Windows, Linux, or any other OS. To do so would mean
having to cripple the OS back to single-process operation, like DOS.
Your solution impacts more than just the web browser.
You may be the only person on Windows who has only one browser installed.
I think the great majority of Windows users have only one browser installed--the one that comes with Windows (Edge, or IE in older
versions). Most of them probably don't even know that there are other browsers to choose from. My wife, for example, has only Edge
installed, and I know many other such people.
If you don't count Edge, which I only use when Firefox doesn't work on
a particular web page, I have only Firefox installed.
Thinking of all my friends and relatives who use Windows, as far as I
know, they all have only Edge installed. I know that there are those
on these newsgroups with more than one, but having more than one never
makes sense to me. I pick the one I like best and that's what I use
all the time (almost all the time). I don't want any others.
On 22-03-2023 22:21 Ken Blake <Ken@invalid.news.com> wrote:
You may be the only person on Windows who has only one browser installed.
I think the great majority of Windows users have only one browser
installed--the one that comes with Windows (Edge, or IE in older
versions). Most of them probably don't even know that there are other
browsers to choose from. My wife, for example, has only Edge
installed, and I know many other such people.
Well, that might be true, now that you mentioned it, for all the mom and
pop PC owners out there who maybe don't know any better.
But I feel sorry for anyone who only has Edge as their browser.
Don't you?
If you don't count Edge, which I only use when Firefox doesn't work on
a particular web page, I have only Firefox installed.
Obviously the next most used browser is probably Chrome.
Thinking of all my friends and relatives who use Windows, as far as I
know, they all have only Edge installed. I know that there are those
on these newsgroups with more than one, but having more than one never
makes sense to me. I pick the one I like best and that's what I use
all the time (almost all the time). I don't want any others.
What about proxy and/or tor browsers?
You never need privacy and/or anonymity?
Well, that might be true, now that you mentioned it, for all the mom and
pop PC owners out there who maybe don't know any better.
I'm almost sure of it.
But I feel sorry for anyone who only has Edge as their browser.
Don't you?
Yes. As far as I'm concerned, it's clearly the worst of all the
choices I've tried, and I've tried most of them.
If you don't count Edge, which I only use when Firefox doesn't work on
a particular web page, I have only Firefox installed.
Obviously the next most used browser is probably Chrome.
Yes, the next worst one to me.
Thinking of all my friends and relatives who use Windows, as far as I
know, they all have only Edge installed. I know that there are those
on these newsgroups with more than one, but having more than one never
makes sense to me. I pick the one I like best and that's what I use
all the time (almost all the time). I don't want any others.
What about proxy and/or tor browsers?
You never need privacy and/or anonymity?
No.
<V@nguard.LH> wrote:
Unless a developer testing their web site or web app on multiple web
browsers to ensure compatibility with all, what's the point of using
multiple web browsers? Do you really bounce between web browsers on
your own personal hosts? Firefox is my primary web browser.
Edge-Chromium is a backup. It is very rare that I am forced away from
using my primary web browser.
Regardless of how you might use a multitude of web browsers, how much
have you helped others with problems on their computers? If you had,
you would realize the norm is for users to focus on one web browser.
But, in the case of actually and actively employing multiple web
browsers, and doing so repeatedly, yes, there is an advantage of
deploying a solution that is globally effected on all web browsers,
including all of those you never get around to using yourself as a
solution to everyone else using different web browsers than your
choices.
You may be the only person on Windows who has only one browser
installed.
The fonts getting divulged for fingerprinting are those installed on
your computer. Well, you can randomize which fonts you have, or you
could pare down all those extra fonts down to the basic set that
Windows, or your choice of OS, comes pre-bundled.
That's not as easy as you seem to think it is. Each program you
install can add its own fonts.
You're denying web sites from falling back to your fonts other than
some standard set that everyone has and supposedly would reduce your
fingerprint (but do users really only have a basic set of fonts that
never change?). What happens to all your other programs installed
on your computer?
That comment indicates you don't understand how font fingerprinting
works. They tabulate ALL the fonts on your computer. Not just what
you use.
You randomize the font set while you are web browsing. When web
browsing, you never ever run any other program? You never open an
editor, word processor, spreadsheet, or load ANY other program while you
have the web browser loaded? Well, randomizing the font set for the web
browser means you are doing the same for every other program you may
open at the same time. If concurrently opening multiple programs was
not a wanted feature, Windows nor any other OS would have to bother with
multi-tasking, running a dispatcher, assigning priority, or all the
other functions of a multi-tasking OS. Running a single program that is
always foregrounded with no opportunity to load any other program is not
how users use Windows, Linux, or any other OS. To do so would mean
having to cripple the OS back to single-process operation, like DOS.
Your solution impacts more than just the web browser.
Run this program please. <https://amiunique.org/fp> and save the results
to text, and paste your results into the reply like I did and we can solve the fingerprinting issues together using real world data of our own.
The way you normally approach fingerprinting usually is you start with the worst entropy and when you fix that, you move down to the next worst
entropy, and so on, until you're no longer unique or nearly unique.
In the best case, you want to blend in with the crowd.
Here are my current AmIUnique.txt values using one Firefox browser.
My browser fingerprint
Are you unique ?
Yes!
You are unique among the 1529201 fingerprints in our entire dataset.
The following informations reveal your OS, browser, browser version as
well as your timezone and preferred language.
...
We use cookies and other storage mechanisms to make sure you can have
the best experience on our website. If you continue to use this site,
we assume that you will be happy with it.Ok <#>
You may be the only person on Windows who has only one browser
installed.
You're making up what I said. I said, again, that Firefox is my
primary, and Edge-Chromium is my backup. I had Chrome as the backup,
but since Microsoft moved to Blink for the rendering engine and V8 for
the Javascript interpreter, both from Chromium, and because
Edge-Chromium gives me more options than Chrome, there was no point in keeping Chrome installed.
As a matter of fact, most users do NOT install an additional web browser.
They use what was bundled in the OS. For Windows, that's Edge (now Edge-Chromium). For Android, that's Chrome. For Apple stuff, it's
Safari. So, for the vast majority of users, they do only have a single
web browser on their computing platform. It's the only one they need to configure - but most don't tweak anything of the web browser. They
don't need the global solution you seek across multiple web browsers,
because they only have one. But then your inquiry isn't addressed to
the vast majority of users since they don't visit here. The audience
here is different, so, yes, they may have more than one web browser. I
have 2 of them. How many do you have?
That I have 2 web browsers does not mean I'm constantly switching
between them. Nor does having umpteen web browsers mean I used any more
than just one of them. Only one web browser needs to be tweaked how you
like - the one you use all the time. The others should be left in their install-time state, because they are backups should there be a problem
with your primary web browser, and a backup choice should be plain to
ensure you aren't fucking it up the same way as you did the primary.
This is the same way you create your own Windows account for logging in
for your daily computing sessions, and leave Administrator alone
except for use only in emergencies.
You are still hiding why you need umpteen web browsers for why you need
a global solution that affects all of them regarding fingerprinting. If
you are a developer then there is a reason to *test* with multiple web browsers. You have shown no cue that you are a web developer. So, how
many web browsers do you have installed, how many do you use, and why do
you have more than one primary web browser? Why would you be screwing
with your backup/emergency web browsers that you aren't using anyway?
The fonts getting divulged for fingerprinting are those installed on
your computer. Well, you can randomize which fonts you have, or you
could pare down all those extra fonts down to the basic set that
Windows, or your choice of OS, comes pre-bundled.
That's not as easy as you seem to think it is. Each program you
install can add its own fonts.
Yep, you'll have to be the admin of your computer and perform the
maintenance. You want to setup a rotation of font folders (simpler than
trying to modify the font files in one folder), so you are already
doing the same maintenance. For example, you will need to ensure when
installing programs that you reset the font folder rotation back to the
original \Fonts folder to ensure the program deposits its fonts into
that folder into one of your obscuring rotation font folders.
You're denying web sites from falling back to your fonts other than
some standard set that everyone has and supposedly would reduce your
fingerprint (but do users really only have a basic set of fonts that
never change?). What happens to all your other programs installed
on your computer?
That comment indicates you don't understand how font fingerprinting
works. They tabulate ALL the fonts on your computer. Not just what
you use.
Answer the question rather than evade the subject. You want to rotate between different sets of fonts (like renaming \Fonts to \Fonts.Original
and some other font folder, like \Fonts2 to \Fonts), but obviously that
DOES affect all your other programs. You're focusing on how to obscure
font fingerprinting *only* in the web browser without regarding the
effect such action does on other programs.
Oh, and as to web fonting, did you configure your web browsers to NOT
allow remote fonts? Those can easily be used for tracking, especially
if the site you visit gets those fonts from a 3rd-party, like Google, or
some other font foundry. The web page you load requests font resources
from elsewhere, so the request for the fonts goes to the font foundry
who redirects the resource elsewhere that can see where you visited for
the request and also your IP address to deliver the font resources to
your client. You want to obscure all your system fonts, but you're
allowing remote font loading which allows easy tracking.
https://github.com/gorhill/uBlock/wiki/Per-site-switches#no-remote-fonts (That's using uBlock Origin, but there's likely other ways to block web fonts.)
You're doing all this work to hide what Javascript in a web doc can detect
for your font set. Yet you're allowing even easier tracking if you
allow download of web fonts. Have you yet addressed that method of
tracking? Just be aware that if you disable remote fonts that many web
docs won't be correct. Often the fonts are to use graphical characters within them, like chevrons, arrows, geometric shapes, and so forth for
the icons on elements in a web doc, like buttons you click on. Without
the remote fonts, you'll get a generic placeholder for the element's
icon, and won't have a clue what the element does. You can guess until
you error enough times to remember what each unidentified element does
for an action being content that you've blocked that tracking method, or
you can allow remote fonts, suffer any tracking, if any, and better
interpret the intent of iconified elements in a web doc.
You randomize the font set while you are web browsing. When web
browsing, you never ever run any other program? You never open an
editor, word processor, spreadsheet, or load ANY other program while you
have the web browser loaded? Well, randomizing the font set for the web
browser means you are doing the same for every other program you may
open at the same time. If concurrently opening multiple programs was
not a wanted feature, Windows nor any other OS would have to bother with
multi-tasking, running a dispatcher, assigning priority, or all the
other functions of a multi-tasking OS. Running a single program that is
always foregrounded with no opportunity to load any other program is not
how users use Windows, Linux, or any other OS. To do so would mean
having to cripple the OS back to single-process operation, like DOS.
Your solution impacts more than just the web browser.
Run this program please. <https://amiunique.org/fp> and save the results
to text, and paste your results into the reply like I did and we can solve
the fingerprinting issues together using real world data of our own.
Do you even read the replies to your thread? Look at my very first
reply. I already reported the effects of various methods of obscuring
fonts at EFF, amiunique, and browserleaks.
The way you normally approach fingerprinting usually is you start with the
worst entropy and when you fix that, you move down to the next worst
entropy, and so on, until you're no longer unique or nearly unique.
You do realize that the stats reported at those sites are based solely
on their database of visitors. That you are unique within 200K other
visitors doesn't really represent your uniqueness across all web
browsing users visiting all web sites. Theirs is just a small database.
It's a sample, and one that is biased due to the intent of the visitors
to their test sites.
In the best case, you want to blend in with the crowd.
And why I said you need to figure out which is the base font set for a
new Windows installation. However, that would represent a sample of
users that install Windows, and install nothing thereafter. There are
some users like that, but doesn't seem the norm for most users. Windows
is a general-purpose OS, so the intent is more programs will get
installed. Those that have only the base font set are not the crowd you
want to hide within. My guess is that isn't the dominant crowd. I've
yet to find anyone gathering statistics on fonts to determine what the average user has for a fonts set to let you hide in the biggest crowd.
Here are my current AmIUnique.txt values using one Firefox browser.
I found amiunique was inaccurate in the fonts count, and which could be discovered after making tweaks in the web browser. EFF and browserleaks
were more compliant with web browser tweaks on font accessibility.
My browser fingerprint
Are you unique ?
Yes!
You are unique among the 1529201 fingerprints in our entire dataset.
Unique in a database of visitors which is a small sample of users (only
those that visited their web site AND ran the test) represents highly
skewed results.
Also, depends on how the test site performed its fingerprinting tests. Without unusual tweaking of font accessibility in Firefox, both EFF and browserleaks report:
EFF: you have strong protection against web tracking
16.54 bits of identifying information
one in 95262.5 browsers have the same fingerprint as yours
amiunique: Almost! Only 2 browsers out of the 1532682 observed browsers fingerprints in our entire dataset (<0.01 %) have exactly the same fingerprint as yours.
Depends on who you use for a fingerprinting score. Browserleaks breaks
up the testing into separate tests, so no overall score. You would
think "1 or 2 in <millions> of other visitors" sounds bad (you're unique
in a small sample). Yet 1.5 million out of 5.4 *billion* users is a
very small sample (0.03%). You're being measured by a skewed database.
You can get paranoid by using these sites and online security articles
on how to lock down your web browser, but remember the more security you
have then the less convenient becomes the Web. Security and convenience
are the antithesis of each other. The more you have of one, the less
you have of the other. You have to decide what level of security is
still comfortable to you, and sensitivity is far ranging amongst users.
The following informations reveal your OS, browser, browser version as
well as your timezone and preferred language.
...
If Firefox is among your set of multiple web browsers, have you yet
tried its privacy.resistFingerprinting setting? That would give you far better fingerprint rankings, but at the expense of the features that I mentioned, and restriction or throttling of features in the referenced Mozilla wiki article.
We use cookies and other storage mechanisms to make sure you can have
the best experience on our website. If you continue to use this site,
we assume that you will be happy with it.Ok <#>
Firefox can be configured to purge ALL its locally cached data on its
exit, so none of it remains for reuse in the next web session. I purge
all locally cached data on exit. For example, there was a canvas
exploit that used DOM Storage to retain info across web sessions to
allow tracking by a unique ID generated by canvas code. I used an
add-on back when this was a big deal, and there were POC sites to show the
vulnerability, that didn't disable all of Canvas (which you can do to
smash all of Canvas using a Firefox setting) but just randomized the ID
that canvas code would generate to make the ID unusable for tracking. Eventually I decided for other reasons, and this, to purge all locally
cached data on Firefox's exit. So, cookies disappear, too, as well as
DOM Storage, history (which Javascript can retrieve), and other info I consider personal and usually unrelated to a visited site, so it's none
of their business getting at all that user data.
For Chrome, I had to install the Click&Clean add-on to get the same purge-on-exit function. However, Google doesn't allow the delayed
action when Chrome exits, so the add-on would do the purge when it was
loaded which is when Chrome loads. Didn't need an add-on for
Edge-Chromium since there are similar purge-on-exit options, and why
Edge-Chromium, even with the migration to Blink and V8 of Chromium, is
more secure than Chrome (but still doesn't have the deep settings
available in about:config of Firefox).
I'm pretty sure we (you and I) are at an impasse on how best to secure
the web client. You want to do it outside the web client for a solution
that is global across multiple web browsers. You're only focusing on
font fingerprinting which is only a small measure as part of the entire fingerprinting spectrum. You haven't even noted if you are blocking
remote fonts which are far better for tracking than trying to pick you
out of all web visitors based on system fonts.
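
The "start with the worst entropy" procedure and the EFF figures quoted in the thread, worked through as an added example that is not part of any poster's message. The sample rows are constructed for illustration, and the attribute names and helper functions are assumptions, not the method of any test site named above.

```python
import math
from collections import Counter

ATTRS = ("browser", "timezone", "language", "fonts")

# Constructed sample of visitor fingerprints (illustrative, not real data).
ROWS = [
    ("Firefox", "UTC+0", "en-GB", "base"),
    ("Edge",    "UTC+0", "en-GB", "base"),
    ("Edge",    "UTC+0", "en-GB", "base"),
    ("Edge",    "UTC-5", "en-US", "base"),
    ("Edge",    "UTC-5", "en-US", "base+office"),
    ("Chrome",  "UTC-5", "en-US", "base+office"),
    ("Chrome",  "UTC-5", "en-US", "base+office+adobe"),
    ("Firefox", "UTC-8", "en-US", "base+office+custom"),
]
SAMPLE = [dict(zip(ATTRS, row)) for row in ROWS]


def bits_from_one_in(n):
    """Identifying information, in bits, of a fingerprint shared by one in n browsers."""
    return math.log2(n)


def attribute_entropy(records, attr):
    """Shannon entropy (bits) of a single attribute across the sample."""
    counts = Counter(r[attr] for r in records)
    total = len(records)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def rank_attributes(records, attrs=ATTRS):
    """Attributes ordered from most to least identifying within this sample."""
    return sorted(attrs, key=lambda a: attribute_entropy(records, a), reverse=True)


def anonymity_set(records, target, attrs):
    """Number of sampled browsers that match the target on every listed attribute."""
    return sum(all(r[a] == target[a] for a in attrs) for r in records)


def without(attrs, dropped):
    """Attribute list with one attribute removed, as if it carried no signal."""
    return tuple(a for a in attrs if a != dropped)


if __name__ == "__main__":
    # "one in 95262.5 browsers" and "16.54 bits" are the same statement.
    print(f"one in 95262.5 -> {bits_from_one_in(95262.5):.2f} bits")

    # Worst entropy first: which attribute to address before the others.
    for attr in rank_attributes(SAMPLE):
        print(f"{attr:9s} {attribute_entropy(SAMPLE, attr):.3f} bits")

    # Removing the font signal helps one visitor and not the other: the
    # second is still singled out by the remaining attributes.
    rest = without(ATTRS, "fonts")
    for idx in (4, 7):
        target = SAMPLE[idx]
        print(idx, anonymity_set(SAMPLE, target, ATTRS),
              anonymity_set(SAMPLE, target, rest))
```

The ranking and set sizes only describe the sample they are computed from, so a score from a test site's visitor database is an estimate for that database, not for all web users.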