I use this regularly, the problem I have is that it doesn't give you any suggestions to be 'less unique' - things like suggesting a similar User Agent to yours, but one that is much more common, or even something as simple as linking to things like Canvas Defender for Firefox, which adds random noise to hidden canvas invocations so that your canvas render isn't identifiable.
I tend to fail these uniqueness tests pretty catastrophically, and I hadn't heard of Canvas Defender. But solutions like that seem a bit heavyweight to me (and more likely to affect the UX negatively). Is this really the only way to get around this problem?
Yeah, I do too, my useragent string is somehow almost completely unique. I try using a more "common" one and suddenly everything locks me out.
Canvas Defender only adds noise on hidden canvases, ones that are obviously being used for fingerprinting.
But yeah there's no perfect solution. If you simply block canvas rendering, like some plugins do, that is a 100% identifiable signal. So the best you can do is make the fingerprinting "unsure" that that is you, by having the fingerprint be different every time.
"adds random noise to hidden canvas invocations" sounds as clearly signaling you're using something-like-canvas-defender, which is likely very unusual and thus makes you more unique.
The noise is different every hour, meaning that basically the canvas can't be used as a signal. It's not a perfect solution (my useragent string is more unique, which annoys me) but it is better than a 100% identifiable canvas.
My understanding is that these don't actually help. Even their own blog suggests that there is a lot of limitations[0]. And they even talk about how TOR just returns 0. But if everyone did that (say FF did that overnight), then wouldn't that help solve the problem?
Or does there need to be a way to force these things to be pixel perfect (data perfect for the other fingerprinting things like battery, mic, etc)?
Thank you for this - I'd often assumed Canvas Defender was no good but I couldn't quite put my finger on why. I would encourage anyone with even a passing interest to read this truly illuminating post because there is some fascinating stuff that even as a web developer I did not know:
It is really fascinating how all this works. And I'm really happy that multilogin writes these blog posts. I think it brings up questions of how necessary is this information and is it worth the cost (loss of privacy). I'm not a web developer so I'm not sure how useful these metrics are. Or is it just limitations? How much of an impact would implementing pixel perfect renders be (as in page load time)? I'd love to know what people that work in these areas think. Pros and cons.
Canvas Defender is Multilogin's product :) Other canvas plugins block the canvas, which is a much clearer signal, and they go to lengths to point out how simply blocking the canvas is worse.
By adding random noise every hour, it basically means that the confidence in the canvas as a signal is going to be 0. That's about the best you can do.
Basically everything meaningful used for fingerprinting requires JS. If you don't have JS running, that's a signal, but a really weak one. About all they have after that is your useragent and IP address.
Too bad most of the web isn't written to be without JS (or that we don't have stronger protections against fingerprinting, so it wouldn't matter....)
I know, it's a really crappy situation all around. I went and spent a few hours trying to see how to prevent fingerprinting and the answer is you basically can't. That sucks.
The response header shows, that nginx is used already.
There is no need to put static assets to some cheap vps if you have already a server. Depending on the bootleneck, it might be much better to upgrade ram or optimise the code or finetune some database cache or whatever happens at the BE.
But without knowing details, it doesn't make much sense to move assets or use memcache. Often enough, people do shitty sqls or are not even aware that there is something like a query cache (which you can also use lightweight without adding memcache to your stack).
When you look at there about page and also make a lookup on there ip, you will see that it is hosted by them from there own network https://www.inria.fr/. So this project was probably build by some researchers, which some agenda on how well that service should actually run and a budget. They probably got a VM from there IT Department (or are part of it) and are in theory capable of fixing there issues but the working student is on a new project and no one really cares about it (the domain was registered 2014).
34 comments
[ 3.9 ms ] story [ 80.0 ms ] threadAnyone aware of something comparable for Safari (on macOS)?
Canvas Defender only adds noise on hidden canvases, ones that are obviously being used for fingerprinting.
But yeah there's no perfect solution. If you simply block canvas rendering, like some plugins do, that is a 100% identifiable signal. So the best you can do is make the fingerprinting "unsure" that that is you, by having the fingerprint be different every time.
My understanding is that these don't actually help. Even their own blog suggests that there is a lot of limitations[0]. And they even talk about how TOR just returns 0. But if everyone did that (say FF did that overnight), then wouldn't that help solve the problem?
Or does there need to be a way to force these things to be pixel perfect (data perfect for the other fingerprinting things like battery, mic, etc)?
[0] https://multilogin.com/blog/
https://multilogin.com/everything-you-need-to-know-about-can...
By adding random noise every hour, it basically means that the confidence in the canvas as a signal is going to be 0. That's about the best you can do.
According to the wayback machine, this is what it looks like when it's up: https://web.archive.org/web/20190217053927/https://amiunique...
No functionality to tell you if you're unique or not though, unfortunately.
Github page here: https://github.com/DIVERSIFY-project/amiunique
"An extension to follow the evolution of your browser fingerprint! Be notified as soon as a change is detected!"
[1] https://chrome.google.com/webstore/detail/amiunique/pigjfndp...
However, does Panopticlick actually do canvas fingerprinting?
Typically fingerprinting is used by advertisers for tracking in order to retarget you.
Too bad most of the web isn't written to be without JS (or that we don't have stronger protections against fingerprinting, so it wouldn't matter....)
It eliminates probably 99% of the population. Throw in some css fingerprinting and you could probably be identified uniquely.
Copy all your static assets to another server[1]. You can use a cheap digitalocean server or any vps really. Have them served using nginx.
This will relieve your main server from all those extra connections and it can focus on your application.
And use some caching mechanism. Memcache drivers are available for many languages.
Good luck
[1]:https://idiallo.com/blog/handling-1-million-web-request
The response header shows, that nginx is used already.
There is no need to put static assets to some cheap vps if you have already a server. Depending on the bootleneck, it might be much better to upgrade ram or optimise the code or finetune some database cache or whatever happens at the BE.
But without knowing details, it doesn't make much sense to move assets or use memcache. Often enough, people do shitty sqls or are not even aware that there is something like a query cache (which you can also use lightweight without adding memcache to your stack).
When you look at there about page and also make a lookup on there ip, you will see that it is hosted by them from there own network https://www.inria.fr/. So this project was probably build by some researchers, which some agenda on how well that service should actually run and a budget. They probably got a VM from there IT Department (or are part of it) and are in theory capable of fixing there issues but the working student is on a new project and no one really cares about it (the domain was registered 2014).