Canvas Defender, uBlock Origin: General page protection.



  • I've just become aware of this https://chrome.google.com/webstore/detail/canvas-defender/obdbgnebcljmgkoljcdddaopadkifnpm?hl=en-GB Canvas Defender. Given i've long been hoping for V to implement native blocking of Canvas Fingerprinting, i thought i'd look into this. I've tested it in Chromium & V-SS. It seems to work [i set the timer to 6-hrs, but also i tested with manual noise changes]. Am i missing something? Does anyone have any opinions on this extension's:

    1. Effectiveness
    2. Safety / Integrity / Bona Fides


  • This looks interesting. It seems to work properly; successive tests with a 1-minute change interval show unique but constantly changing canvas IDs, so they might become worthless.

    I can't say much about the safety of the extension; a first look didn't reveal any obvious or obviously-hidden data exfiltration code (which seems of most concern with unknown extensions).

    I can recommend the change to the extension code which is described in one of the reviews (disable notifications), as it does spam notifications imho...

    I'll continue trying out this one, but I'll still continue browsing with JS disabled ;)



  • Definitely seems interesting, but like this company mentions on one of their blog posts, unless you combine it with a bunch of other anti-fingerprinting measures it won't be a total solution.

    Perhaps useful in the meantime, but I await the day that Vivaldi builds in more measures against fingerprinting.

    I also wonder if there would be a way to identify the presence of whatever script they are using to modify the canvas. If you can detect that, then it renders the whole extension useless.

    The best solution is probably to (as @Morg42 says) just disable as many scripts as possible.



  • @morg42 said in Canvas Defender:

    browsing with JS disabled

    Inspired by this idea, i disabled JS in Settings. Some of my regular sites still work, but others are broken, including...

    0_1516567149200_20180122_001.png

    I could not even make this Reply, til i re-enabled it for this site. Sigh.

    "a first look didn't reveal any obvious or obviously-hidden data exfiltration code" --> yes, this is exactly what i was wondering about. It would be horrible if using this extension resulted directly in data-theft, but i am not skilled enough to know how to test for it.



  • Steffie, disabling JS completely might be safest, but is prone to leave an internet quite dull...:)

    I'm using Scriptblock (https://chrome.google.com/webstore/detail/scriptblock/hcdjknjpbnhdoabbngpmfekaecnpajba), which allows you to temporarily and selectively enable JS while generally disabling it. You can whitelist sites you trust or "need to use" with JS. A predecessor of this extension provided good services also in early Opera.

    In addition, my settings in uBlock Origin disable inline scripts, 3rd party scripts and 3rd party resources generally and will only be enabled for selected sites (and even then mostly only temporary, though UO supports storing site preferences).

    I would guess that a bit over 1/2 of all sites work if 3rd party resources (static images, static CSS or similar) are enabled, but with JS completely blocked. Another 20-25% work if JS is enabled only for that site. The rest (about a quarter) need external scripts. I found that on sites where I don't feel good enabling JS, I mostly get to decide I don't need this specific site. Not too shabby a feeling ;)



  • @morg42 OMZ, this is really good info - thank you. The trouble with helping me, as you have done, is that i'm likely to just come back with more questions. Sorry, but...

    1. After my previous post, i was a few hours away from the V forum, doing some tests as follows [after these numbered points], so i didn't see your post til now. I've now [c/o your heads-up] looked at Scriptblock, & from one comment there also ScriptSafe. i feel inclined to install one or other, possibly the latter, but i'd like to ask... do these extensions give better overall performance [balance of protection but still with reasonable site efficacy] than what i tested [below], namely disabling JS globally in V then whitelisting sites that are broken?
    2. Did you specifically rule out ScriptSafe in lieu of Scriptblock?
    3. "my settings in uBlock Origin disable inline scripts, 3rd party scripts and 3rd party resources generally" ... i've just glanced at my uO settings but didn't notice such things. Would you be kind enough pls to share how you did this?

    Here's the clumsy test i was doing. It made me so frustrated, coz i hadn't even finished testing anywhere near all my important regular sites, yet of those i did test most were broken & had to be whitelisted... which begs the question; what's the damn point? Sad face. I mean, if JS exploits are invisible to users, or at least to numpties like me, & if potentially any site might be able to be infected, then any of my whitelisted sites now or in future could begin harvesting my data & i'd never know, meaning that globally blocking JS but then exempting heaps of sites important to me, offers NO better protection to simply leaving JS globally enabled. I am not a tinfoil person, but honestly i find this stuff truly demoralising.

    0_1516582663191_20180122_002.png

    Another sad face, just because.



  • @steffie It is demoralizing in the sense that there's really nothing you can do short of yanking that ethernet cable that will reduce your threat risk to zero. Switching over to glass-half-full mode, though, you can do an awful lot to insulate yourself from some of the more common attack vectors without making your internet experience unbearably inconvenient, so there's that.

    Extensions like uBlock and Noscript (I know much less about Scriptsafe and Scriptblock, but I would assume they're similar) are capable of dynamic filtering, which basically (and my knowledge only extends to 'basically') means that it's a whole lot easier to block riskier/more privacy-compromising stuff without also breaking the functionality of sites. For instance, you can set up uBlock to allow scripts from first-party domains by default so that if you already trust the site itself, but not necessarily the networks the site might be pulling stuff from, there's already a good chance that the site will work pretty well. Further, if you wanted to be able to view embedded YouTube videos specifically on that site for whatever reason, but didn't necessarily want YouTube following you around the web wherever you went, you could set a local rule whitelisting frames containing content from YouTube that applied to that site only, and to YouTube only.

    Furthermore, the interface provided by these extensions tends to make it a lot easier to selectively allow third-party domains based on what type of content (if any) they're serving. So, for instance, you might notice that even though you've allowed imdb.com as a domain (despite the fact that they don't use HTTPS, hisss) you don't see any images for movie titles, actors/actresses, and so on. Scrolling through the list of domains that IMDB is connecting to, you notice a couple of 'cdn' (content-delivery networks) sub-domains which serve up the images and decide to allow them through, while being extra-glad that 'google-analytics' is not being allowed through.

    Over on Firefox land, I really think that NoScript (still) provides the most user-friendly approach to dynamic filtering, but in Chrome-derivative land, I think that if you already have UBO installed, it makes more sense to leverage the functionality it offers instead of installing yet another extension that may or may not be more user-friendly than UBO itself---and like you, I'm always pretty hesitant about installing any extension, especially given the state of the Chrome store nowadays.

    The thing about UBO, though, is that it doesn't expose this functionality to the user by default. Firstly, you have to decide what level of blocking you want (most people in the various discussions that come up about this stuff seem to think that Medium represents a good balance), and then follow the instructions on how to enable it. To enable Medium blocking, for instance, you need:

    Settings pane:

    • I am an advanced user: checked.

    3rd-party filters pane:

    • All of uBlock Origin's filter lists: checked
    • EasyList: checked
    • Peter Lowe’s Ad server list: checked
    • EasyPrivacy: checked
    • Malware Domain List: checked
    • Malware domains: checked
    • All other filter lists: unchecked

    My rules pane:

    • Add * * 3p-script block
    • Add * * 3p-frame block

    Then you need to read up on dynamic filtering, which, again, I still don't quite understand myself---I know the difference between setting 'local' and 'global' rules but still don't quite understand the distinction between 'allow' and 'noop' for instance; I think it's that setting an 'allow' rule bypasses even the static filters UBO is subscribed to, whereas 'noop' will still mean that ads and things are blocked even for domains you whitelist in this fashion.
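    To make the Medium-mode setup above concrete, here is an added example of what the "My rules" pane ends up containing once the two global rules are in place and a couple of sites have been unbroken. This is an illustration added here, not the poster's own rules; the site and third-party hostnames are assumed placeholders. The `#` lines are annotations for reading and should be left out when pasting into uBlock Origin. The allow/noop distinction matches what uBlock Origin documents: noop only cancels the dynamic rule, so the static filter lists still block known ad and tracker hosts, whereas allow overrides the static lists as well.

```text
# uBlock Origin "My rules" pane, dynamic filtering syntax:
#   source-hostname  destination-hostname  type  action
# "*" matches any hostname
# type   : * | 3p | 3p-script | 3p-frame | 1p-script | inline-script | image
# action : block | allow | noop

# Medium mode: the two global rules from the post above
* * 3p-script block
* * 3p-frame block

# Per-site exception (assumed hostname): "noop" cancels the global block
# for 3rd-party scripts on this one site only. Static filter lists
# (EasyList, EasyPrivacy, ...) still apply, so known tracker hosts stay blocked.
news-site.example * 3p-script noop

# Narrower alternative: re-enable a single 3rd-party host on that site,
# e.g. the CDN that serves its images, instead of every 3rd-party script.
news-site.example cdn-host.example * noop

# "allow" is stronger: it bypasses the static lists too, so everything from
# that host is let through. Use it only where noop is not enough, and scope
# it as tightly as possible (here: embedded video frames on one shop site).
shop-site.example youtube.com * allow
```

    When a site breaks, try the narrowest rule first (one host, noop), and only widen to a site-wide `3p-script noop` or an `allow` if that does not fix it; the wider the exception, the more of the protection it gives back.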



  • @purgatori Thanks heaps! OK, post-lunch i now have my afternoon project :-) Let the [/my] headache commence [soon].

    Expect more feeble questions, later...



  • @purgatori It's taken a few more hours of re-re-re-reading https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide then experimenting with lots of my fav sites, but finally i think this is making some workable degree of sense to me. Consequently, i've still not [yet?] installed either of those script-blocking extensions, still do have Canvas Defender installed & enabled [timer still 6 hrs], have re-enabled JS in chromium Settings, & wrt my uO [yellow highlight denotes new changes from today's exercise; also, some of my fav sites didn't break after globally enabling the 3rd-party frame & script blocks, but for the ones that did, the settings below show the solutions (being dim, it took me ages to grasp the functional difference between Green (Allow) & Grey (NoOp))]:

    0_1516603672561_20180122_003.png
    0_1516603442082_20180122_005.png
    0_1516603471666_20180122_006.png
    0_1516603720366_20180122_007.png
    Thank you again!


  • Vivaldi Ambassador

    My fingerprint only detects my OS, Vivaldi is not even displayed as my browser, but like Chrome, according to this test

    https://browserleaks.com/canvas

    I use only Genesis Plus adblocker (and Quad9 DNS), nothing else, I don't have deactivated Java



  • @steffie No problem! You figured it all out a lot quicker than I did. What I'd be interested to find out---and I haven't been at all successful so far---is a general idea of how much threat reduction is actually achieved by different script-blocking schemes, and whether the practice confers much benefit generally. I sorta go back and forth on observing said practice myself, because while I want to be security conscious, I also get annoyed when, say, some transaction between two sites (e.g., some shop front or other and PayPal) fails because of the security and/or privacy measures I have in place. I actually think the advent of the ad blocker is a good step in the direction of relatively painless (for the user) protection against a wide range of threats, but neither ad-blocking lists nor the spyware/malware/anti-phishing technologies seem like enough anymore, and this obligates users to take additional measures that are far harder for them to grok successfully.



  • @purgatori You also have to consider that some first party sites might be serving tracking scripts like canvas fingerprinters.

    I think that would be unlikely as most tracking / big data analysis is probably going to be outsourced for smaller sites, but some of the bigger ones might well be doing it.



  • @purgatori Yeah, what you said !! :-)

    Another few hours of testing, & though lots more of my regular sites work fine w/o needing any finessing of uO, i have had to further enlarge my dynamic filtering rules list for several others. The current status of said list now includes 10 x 3p-script noop entries.

    To ask a revised version of a question of many hours ago, what stops me being exploited in future, if any of those 10 sites gets hacked, now that i have had to allow 3rd party scripts there [otherwise, the sites simply don't work]?

    My presumed answer is... nothing; if that happens, i'm screwed.

    ?



  • @lonm said in Canvas Defender:

    @purgatori You also have to consider that some first party sites might be serving tracking scripts like canvas fingerprinters.

    I think that would be unlikely as most tracking / big data analysis is probably going to be outsourced for smaller sites, but some of the bigger ones might well be doing it.

    Yep. Absolutely. There's even technology out there now that can disguise third-party requests as first-party requests (see here).

    @Steffie My presumed answer is... nothing; if that happens, i'm screwed.

    Exactly. Unless some other security feature you have in place takes care of whatever threat is delivered by the compromised third party, you're just as exposed as you would be without using dynamic filtering.



  • Sorry for deleting this elaborate piece of work - but seeing that I have additional sources to make you afraid of JS and it really didn't belong in this thread, I rewrote the whole thing and posted it here:

    External JS scripts and a guide to safer browsing...



  • @morg42 That is a masterful exposition - hearty thanks to you.

    I have now modified the thread title, so i think it's ok to continue herein.

    As of the end of my experimenting yesterday, this was/is my current uO status for Guardian [to keep using this example]:
    0_1516667001287_20180123_005.png
    &
    0_1516667042481_20180123_006.png

    Guardian [& all my other usual sites so far] are still working well even with this extra protection [once i deduced how to "unbreak" various sites]. However as you can see, i had not thought to experiment with 3rd party resources, Inline scripts, & 1st-party scripts. Having seen that you use 2 of those 3 as well. i'm now wondering if i should extend my experimentation to play with them... including of course then deducing how to fix all the sites that would probably break initially.

    Tbh i do not understand any of that jargon [per italics above], so grasping the benefits & downsides is tricky for me. Still, no worries, with the kind help here i've already learned a lot of handy new stuff, so maybe a bit more dabbling also might be ok.



  • Thanks for your praise :)

    @steffie said in Canvas Defender, uBlock Origin: General page protection.:

    However as you can see, i had not thought to experiment with 3rd party resources, Inline scripts, & 1st-party scripts. Having seen that you use 2 of those 3 as well. i'm now wondering if i should extend my experimentation to play with them... including of course then deducing how to fix all the sites that would probably break initially.

    Sure. At least for the learning experience, play around with the different settings all you like. You'll never be worse off than before using them at all ;)

    I would recommend setting "3rd party" to "globally deny" though (this is what I called 3rd party resources in my text). Be aware that this will probably break some sites initially, but now you know how to get them working again ;)

    Tbh i do not understand any of that jargon [per italics above], so grasping the benefits & downsides is tricky for me. Still, no worries, with the kind help here i've already learned a lot of handy new stuff, so maybe a bit more dabbling also might be ok.

    3rd party generally means that the (website / javascript / stylesheet / image / whatever) is not hosted on our active site (theguardian.com), but on some other server (e.g. googleanalytics.com) and therefore not under direct control of "your" website. This doesn't mean that it might be malicious per se - but it might mean that you don't need it. So try disabling it and see what happens.

    The point is not to allow anything and forbid what is written in some list, but forbidding everything and only allowing what you want/need. Most ad-/tracking resources will be disabled by this method without any list subscriptions anyway.

    For completion:

    • 1st party scripts are javascript files hosted by the current website itself (here: only those on theguardian.com). The loading of these files can be denied by setting this item to red.
    • inline scripts are javascript items, which are delivered as part of the current website HTML file. They are loaded from the webserver in any case, so you can't stop getting them - with the appropriate setting you can disable them. Often these are used for menu effects, selection boxes or - sometimes - for image loading. Often as not the page works well without these.

    I might try putting this in an image, but knowing my abilities... ;)
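    As an added illustration of the three stricter switches described above (3rd-party resources, inline scripts, 1st-party scripts), here is how they look as global rules in the "My rules" pane, together with the least-costly order for unbreaking a site. This is my own example, not Morg42's rules; theguardian.com is the site used as the running example in this thread, and the CDN hostname is an assumed placeholder. The `#` lines are annotations and should be dropped before pasting.

```text
# Stricter tiers on top of Medium mode. Each line corresponds to one red
# cell in the first (global) column of the uBlock Origin popup.

# all 3rd-party resources: scripts, frames, images, CSS, fonts
* * 3p block
# scripts embedded in the page's own HTML
* * inline-script block
# script files served by the site itself
* * 1p-script block

# Unbreaking, narrowest first. Lifting only the 3rd-party resource block
# for one site usually restores layout (static CSS and images) without
# re-enabling any 3rd-party script, because "3p-script block" still applies.
theguardian.com * 3p noop

# If that is not enough, prefer one named host over a site-wide exception.
theguardian.com cdn-host.example * noop
```

    Exceptions for the inline-script and 1st-party-script rows are most reliably made by clicking the corresponding grey (noop) cell in the popup's local column for the site, then reading the generated rule back from the "My rules" pane, so that the syntax is exactly what uBlock Origin expects. Note that lifting 1st-party or inline scripts for a site trusts that site's own code; as pointed out earlier in the thread, a first party can serve a fingerprinting script itself, so this is a per-site trust decision rather than a free fix.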



  • Hello. I've continued using Canvas Defender, & monitoring it. It seems to live up to its claim of changing the fingerprint at my specified intervals, as verified with https://browserleaks.com/canvas. In parallel with this i have continued to actively experiment with & greatly expand my finessing of uBlock Origin, although i think now i'll restrict any further posts on that to @Morg42's branched https://forum.vivaldi.net/topic/23893/external-js-resources-and-a-guide-to-safer-browsing.

    My next CD query is this: i'd appreciate any interested users posting below with their views on ideal usage of the timer setting. Pls regale me with pros & cons of longer vs shorter change intervals. The Comments on its Dev's Chrome Webstore site span the gamut, which i find confusing. Ta.



  • I don't see any real downsides on short intervals. It doesn't take up constant CPU load and (up til now) didn't actively interfere with browsing experience (in contrast to User Agent changers, which can totally ruin your sessions...)

    If you stay on one site (not page), it might not matter; if you change/jump frequently, I'd just dial it down to the minimum of 1 minute and be done with it.



  • @morg42 Many thanks :-)

