Some time ago I’ve written a post about Tor Onion Services (formerly known as hidden services), and how to host them on a spare Android smartphone.
On 25 May 2018, the GDPR (General Data Protection Regulation) enacted by the EU came into effect.
What is Domain Fronting? How does it work? How can it be used to evade internet censorship?
Some thoughts about Cambridge Analytica and Facebook privacy settings.
Arsalan Mosenia, Xiaoliang Dai, Prateek Mittal and Niraj Jha, in a recently published paper, describe a new user-location mechanism that exploits non-sensory and sensory data stored on the smartphone to estimate the user’s location even when all location services are turned off.
The technique, tested on the iPhone 6, iPhone 6S and Galaxy S4, is dubbed “PinMe”.
RadioCarbon is an interesting tool developed by Florian Roth, focused on checking the age and origin of a credential leak:
Typically you get leaked credentials in the form of a list of email addresses or user names, cleartext passwords or password hashes, and you have no idea how relevant they are or whom to inform about the leak: usually you have no information about the origin of the leaked credentials, and the data could be obsolete.
UPDATE – Apple released the security patch for the bug:
The security flaw discovered in macOS High Sierra by Lemi Orhan Ergin is so serious that it is hard to believe it’s real: you can become root without typing a password.
NOTHING TO HIDE is an independent documentary dealing with surveillance and its acceptance by the general public through the “I have nothing to hide” argument.
The documentary is written, produced and directed by two journalists living in Berlin, Marc Meillassoux and Mihaela Gladovic, who launched this project in response to what they think is the keystone of modern surveillance: its acceptance by the general public through the “Nothing to Hide” statement.
The “Nothing to Hide” logic
We generally all agree that surveillance regimes are inherently dangerous and authoritarian; at the same time we use an increasing number of free online services and apps, giving up our privacy rights and building our Big Data. As E. Snowden’s revelations showed, this private & “friendly” surveillance provides the raw material for state surveillance. In the current context of terrorism, many of us also agree to give up privacy rights for the promise of increased security. To justify our compliance, most of us usually repeat: “Anyway, I don’t interest anyone” and finally “I don’t really care, I have Nothing to Hide”.
We have tried to understand what this logic implies for us as individuals, but also for our societies. Is what we do online really irrelevant? Does mass surveillance help fight terrorism? Do we really have Nothing to Hide? We found this fundamental question had not yet been addressed. Its answer, though, involves a real choice for society.
Recently Mozilla planned to display permission prompts when a website attempts to read HTML5 Canvas image data in the Firefox web browser: this HTML5 element is often used to track users with a technique called “Canvas Fingerprinting”.
What is “Canvas Fingerprinting”?
Canvas fingerprinting is one of the “browser fingerprinting” techniques for tracking online users: it allows websites to uniquely identify and track visitors using the HTML5 canvas element instead of browser cookies or other similar means.
A “fingerprint” is primarily based on the browser, operating system and installed graphics hardware, so by itself it is not sufficient to uniquely identify users; it is therefore combined with other sources of entropy to produce a unique identifier.
Canvas fingerprinting works by exploiting the HTML5 canvas element: when a user visits a website, their browser is instructed to “draw” a hidden line of text or 3D graphic, which is then rendered into a single digital token, a potentially unique identifier that can track users without persisting any actual identifier on the machine.
The generated token can be stored and shared with advertising partners to identify users when they visit affiliated websites, and can be used to build a profile in order to customize the advertising.
We have demonstrated that the behavior of <canvas> text and WebGL scene rendering on modern browsers forms a new system fingerprint.
The new fingerprint is consistent, high-entropy, orthogonal to other fingerprints, transparent to the user, and readily obtainable.
If you need a full-featured library for browser fingerprinting, you can take a look at Fingerprintjs2:
List of fingerprinting sources
- Color Depth
- Screen Resolution
- Has session storage or not
- Has local storage or not
- Has indexed DB
- Has IE specific ‘AddBehavior’
- Has open DB
- CPU class
- DoNotTrack or not
- Full list of installed fonts (maintaining their order, which increases the entropy), implemented with Flash.
- A list of installed fonts, detected with JS/CSS (side-channel technique) – can detect up to 500 installed fonts without flash
- Canvas fingerprinting
- WebGL fingerprinting
- Plugins (IE included)
- Is AdBlock installed or not
- Has the user tampered with its languages
- Has the user tampered with its screen resolution
- Has the user tampered with its OS
- Has the user tampered with its browser
- Touch screen detection and capabilities
- Pixel Ratio
- System’s total number of logical processors available to the user agent.
How do companies use this information?
Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles, or other types of content are displayed to them.
The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish.
A list of all the websites on which researchers found the code is here.
How can I avoid the tracking?
Currently there is no native option to turn off Canvas functionality in Firefox, but add-ons are available that block sites from using Canvas.
These add-ons (CanvasBlocker and Canvas Defender) display notifications and block requests depending on how they are configured.
Mozilla plans to integrate a permissions prompt natively in the Firefox web browser.
Alternatively, you can use Tor Browser, which already has this feature:
“In Tor Browser, we have opted to have the canvas return white image data until the user has accepted a doorhanger UI that flips a site permission to either enable or permanently block canvas access from that site,”
developers wrote. Now that feature comes to Firefox, Mozilla said.
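To make the Tor Browser behaviour quoted above concrete, here is an added example (not code from the original post, Tor Browser or the add-ons named above) of a minimal “canvas guard”: every pixel read-back returns blank white data unless the site has been allowed, and every blocked attempt is logged. The `FakeCanvas`/`FakeContext2D` classes, the `policy` object and the origins are constructed so the file runs under Node without a DOM; in a browser the guard would be installed on `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype`.

```javascript
// Added example (not code from the original post, Tor Browser or the add-ons named above):
// a minimal "canvas guard" in the spirit of the quoted Tor Browser behaviour. Pixel
// read-backs return blank white data unless the site is allowed, and every blocked
// attempt is logged. In a browser you would install it on HTMLCanvasElement.prototype
// and CanvasRenderingContext2D.prototype; FakeCanvas/FakeContext2D are constructed
// stand-ins so the file runs under Node without a DOM.
const BLANK_DATA_URL = 'data:image/png;base64,BLANK_WHITE_PNG_PLACEHOLDER'; // placeholder
const blockedAttempts = []; // { origin, method } for every intercepted read-back
// policy.origin: site currently running; policy.allowed(origin): may it read real pixels?
function installCanvasGuard(canvasProto, ctx2dProto, policy) {
  const realToDataURL = canvasProto.toDataURL;
  const realGetImageData = ctx2dProto.getImageData;
  canvasProto.toDataURL = function (...args) {
    if (policy.allowed(policy.origin)) return realToDataURL.apply(this, args);
    blockedAttempts.push({ origin: policy.origin, method: 'toDataURL' });
    return BLANK_DATA_URL; // the same zero-entropy answer for every site
  };
  ctx2dProto.getImageData = function (x, y, w, h) {
    if (policy.allowed(policy.origin)) return realGetImageData.call(this, x, y, w, h);
    blockedAttempts.push({ origin: policy.origin, method: 'getImageData' });
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(255) }; // all white
  };
}

// Constructed stand-ins for the browser objects; their "rendering" stands for the
// machine-specific output a real GPU/font stack would produce.
class FakeContext2D {
  getImageData(x, y, w, h) {
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(17) };
  }
}
class FakeCanvas {
  getContext() { return new FakeContext2D(); }
  toDataURL() { return 'data:image/png;base64,MACHINE_SPECIFIC_RENDER'; }
}

const allowList = new Set(['trusted.example']); // constructed per-site permission store
const policy = { origin: 'tracker.example', allowed: (o) => allowList.has(o) };
installCanvasGuard(FakeCanvas.prototype, FakeContext2D.prototype, policy);

// What a script running on `origin` gets back after drawing: with the guard, an
// unapproved site sees the blank placeholder and an all-white pixel buffer.
function readBack(origin) {
  policy.origin = origin;
  const canvas = new FakeCanvas();
  const pixels = canvas.getContext('2d').getImageData(0, 0, 2, 2);
  return { url: canvas.toDataURL(), allWhite: pixels.data.every((v) => v === 255) };
}
console.log(readBack('tracker.example'), readBack('trusted.example'), blockedAttempts);
```

The logged `blockedAttempts` entries are what an add-on would surface as a notification, so the user can decide whether to grant the site real canvas access.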
- Canvas data fingerprinting: yet another way to track you on the web (and Firefox fighting back)
- Firefox to Block Canvas-based Browser Fingerprinting
- Meet the Online Tracking Device That is Virtually Impossible to Block
- Fingerprinting demonstration by Browserleaks