[HN Gopher] Are top websites using WebGL for fingerprinting?
___________________________________________________________________
Are top websites using WebGL for fingerprinting?
Author : jonatron
Score : 324 points
Date : 2021-04-17 15:24 UTC (7 hours ago)
(HTM) web link (jonatron.github.io)
(TXT) w3m dump (jonatron.github.io)
| youngtaff wrote:
| The sites that are looking for the GPU details may have been
| trying to detect which CPU an iOS device has - until Apple
| obscured the information it used to be pretty reliable way of
| discovering that
| f430 wrote:
| i think they are because I used to google "enjo kosai love
| hotels" in 2015 and it used to show me several establishments but
| now they block the results saying it is offensive.
|
| since when the hell did Google an American corporation become the
| arbitrator of morality and truths?
|
| This fingerprinting is closely tied to this. The sad part is that
| the web scraping technology that I've been invited access to
| easily bypasses this.
| superkuh wrote:
| Most bare metal features introduced into what used to be
| browsers, but are now virtual machines for running applications,
| are and will be used for malicious purposes. The idea that you
| should allow random strangers to run code on your machine,
| especially this low level, is even more crazy than opening every
| email attachment you get.
| goodpoint wrote:
| It's appalling that these kinds of privacy invasion are still
| considered legal.
| goodpoint wrote:
| What's up with the silent downvotes?
| dmitriid wrote:
| WebKit and Mozilla simply refuse to implement many of the APIs
| because they cant' figure out how to prevent them from being
| abused.
|
| See e.g.https://webkit.org/tracking-prevention/#anti-
| fingerprinting (Mozilla's positions are more spread out over
| various issues, see e.g. https://webapicontroversy.com )
| pjmlp wrote:
| Except Firefox is getting irrelevant, with Edge Chromium
| overtaking it, and Apple naturally would rather developers to
| use iOS APIs exactly for the same purpose, while collecting
| some revenue in Apple hardware for development purposes.
| dmitriid wrote:
| > Except Firefox is getting irrelevant, with Edge Chromium
| overtaking it
|
| And this is a huge problem.
|
| > and Apple naturally would rather developers to use iOS
| APIs
|
| You're missing the point where Firefox _agrees_ with Apple
| on these APIs.
|
| But sure. "Apple bad" and all that.
| deltron3030 wrote:
| FF should focus on a better UX. Try FF and Edge on
| Windows 10, Edge seems much snappier because it boosts
| the mouse scroll speed. A friend wanted to switch because
| of that, and increasing the overall mouse scroll speed on
| W10 did the trick for FF. It's little tricks like those
| that make non techy people switch.
| pjmlp wrote:
| I don't agree with "Apple bad" at all, if you see my
| comments history.
|
| My point was that contrary to Mozilla, they do have an
| agenda regarding how much Web Safari should support on
| iOS.
| gfodor wrote:
| How would you define bare-metal? WebGL is proxied via ANGLE, so
| there's no risk of crashing or other forms of leaky processes,
| which is typically the primary thing I think of when I worry
| about low-level APIs.
| tedunangst wrote:
| I'm not optimistic. https://medium.com/@afd_icl/crashes-
| hangs-and-crazy-images-b...
| choeger wrote:
| Regardless of how you define bare-metal, OP has a point here.
| Besides from bespoke web applications (which should be fully
| packages and signed, btw.), execution of turing-complete code
| inside the browser is pointless. At best, it helps to
| workaround certain limitations (bandwidth, browser quirks),
| or proves the UX of a page. But mostly it is just getting in
| the way or outright used against the user.
| lifthrasiir wrote:
| ANGLE is not a virtual machine but a translation layer from
| OpenGL ES (on which WebGL is based) to Direct3D.
| Inappropriate translation would result in a direct exploit
| unlike VM, since AFAIK there is no practical means to sandbox
| shaders. In some sense it is akin to JIT in a kernel which
| has the roughly same security ramification.
| cptskippy wrote:
| What's used on platforms where Direct3D doesn't exist?
| jcelerier wrote:
| OpenGL directly, no ?
| cptskippy wrote:
| What about MacOS? Isn't OpenGL deprecated?
| olliej wrote:
| ANGLE is used to to a source to source translation
| irrespective of backend - it normalizes the source input
| to various GPUs (dropping things that have historically
| been funky like comment parsing, #controls, dodgy
| constructs, disallowed constructs, etc)
|
| [Source: I worked on the original spec and spent a lot of
| time trying to prevent the more egregious security and
| privacy problems]
| turminal wrote:
| There's no need to translate?
| cptskippy wrote:
| MacOS?
| skymt wrote:
| ANGLE has OpenGL and OpenGL ES backends in addition to
| Direct3D, as well as partial Metal support.
|
| https://chromium.googlesource.com/angle/angle/+/master/RE
| ADM...
| kevingadd wrote:
| OpenGL or Vulkan as appropriate. AFAIK there's a Metal
| backend in development for macs but it's not finished
| yet.
| labawi wrote:
| Don't forget bugs in the driver and/or GPU firmware.
| TazeTSchnitzel wrote:
| Note that most of a GPU driver runs in user mode, trapped
| inside the browser's process sandbox.
| reader_mode wrote:
| >Inappropriate translation would result in a direct exploit
| unlike VM, since AFAIK there is no practical means to
| sandbox shaders.
|
| What does it mean to sandbox shaders in this context ? GL
| ES shaders are sent down in a high level language and can't
| really do much besides do computation on input parameters
| to generate output in a pipeline. I wish they were more
| general purpose and worthy of sandboxing but the web GL
| shaders are really limited.
| TazeTSchnitzel wrote:
| Modern GPUs have process isolation just like CPUs, and if
| that is not enough for you, GPU APIs allow an application
| (in this case the browser) to request bounds-checked
| execution for extra safety.
| marchided wrote:
| Yes. All of them and the rest are liars.
| tombert wrote:
| Forgive a bit of ignorance on this, but I'm not 100% sure I know
| what browser fingerprinting actually is. I remember reading
| something by the DuckDuckGo founder mentioning that it could be a
| problem even if you use a VPN and incognito mode, but I had some
| trouble actually figuring out what that actually meant.
| bigdict wrote:
| My understanding is it's simply checking the level of support
| for different Web APIs. Since that is invariant with respect to
| the route between you and the website, a VPN wouldn't save you
| from this.
| gfodor wrote:
| It's when a site is able to take a variety of Javascript-
| accessible state that in isolation is benign (such as your
| reported graphics driver, as the case here) but together form a
| unique identifier for a user given the high dimensionality
| involved. This allows identifying users without their consent
| and avoids some methods of anti-tracking.
| meheleventyone wrote:
| Some of the web APIs expose information that in aggregate can
| give an almost unique fingerprint to that device. Using
| fingerprinting techniques you can then track what the device is
| doing.
| dvfjsdhgfv wrote:
| Basically, each browser has an unique set of features so each
| device can be uniquely identified and profiled across different
| domains, regardless if you block cookies, use incognito mode
| and other techniques.
| have_faith wrote:
| Using the way that your browser renders a page to uniquely
| identify you amongst other visitors. This can take the form of
| measuring how your computer generates random numbers, timing
| how long it takes to compute certain things, minute differences
| in how your your gpu renders some pixels via webgl etc. With
| enough signals you can pierce through the noise.
| goalieca wrote:
| Imagine gathering screen size, installed fonts, graphics card,
| processor model, extensions, plugins, operating system, ... and
| so on. Perhaps you could gather enough system properties to
| actually identify someone uniquely. It's like a fingerprint.
| everdrive wrote:
| Hmm, would disabling hardware acceleration in Firefox provide
| any privacy benefit, then?
| srg0 wrote:
| if you're the only person in the world who has disabled
| hardware acceleration, you will be uniquely identified by
| not having hardware acceleration
| everdrive wrote:
| I'll bet a lot of computers have it disabled: VMs,
| perhaps Tor Browser, kids who tweak settings for no good
| reason.
| dehrmann wrote:
| Some of these are more interesting than others. OS is exposed
| through the user agent. I'm not sure if you can actually
| capture processor model an graphics card, and plugins were
| more interesting when people installed plugins like Flash and
| Java.
|
| WebGL fingerprinting usually works by rendering something
| off-screen that exposes GPU differences, then captures the
| rendered image as the fingerprint.
| goalieca wrote:
| If you're really clever you can figure timings out using
| JavaScript.. to the point spectre was remotely exploitable.
| LOL.
| seaghost wrote:
| I do participate in research project at https://browser-
| fingerprint.cs.fau.de as a user. You can find more info about
| fingerprinting here https://browser-
| fingerprint.cs.fau.de/faq?lang=en
| Gravyness wrote:
| This tracking method (WebGL) disregards VPNs, user agent
| changes and incognito mode.
|
| Browser fingerprinting is the ability of the website you are
| accessing to differentiate between you and other people because
| of a "fingerprint": A hash string that uniquely identifies your
| current browser, and since its using WebGL, your computer,
| because of its configuration and graphical capabilities.
| Sayrus wrote:
| Browser fingerprinting allows you to identify uniquely a
| browser and thus the user. This usually means that VPN and
| incognito mode will not help you to "change you identity".
|
| One example I know well is AudioContext fingerprinting with a
| demo available here: https://audiofingerprint.openwpm.com/
|
| There are also worse fingerprinting methods that work cross-
| browsers.
| gruez wrote:
| audiocontext fingerprinting is less identifying than you
| think. It pretty much boils down to "what's your browser
| complied with and what FPU implementation you're running"
|
| https://github.com/WebAudio/web-audio-
| api/issues/1500#issuec...
|
| https://github.com/w3cping/tracking-
| issues/issues/53#issueco...
| [deleted]
| SuchAnonMuchWow wrote:
| basically no two systems are the same, and if the website can
| gather enough information about your system, it can identify
| you, even through a VPN or in incognito mode. Popular
| information for fingerprinting include: your browser, the
| country you are in, your language(s), your graphic card
| (through webgl), the fonts installed on your computer, the size
| of your screen (or your browser window), ...
| crazygringo wrote:
| Sorry, but this is nonsense, as presented.
|
| There is _zero_ evidence any of these are being used for
| fingerprinting, which is defined as building up an entire set of
| capabilities to _uniquely identify_ a user.
|
| Essentially all of these seem to be attempting to identify the
| graphics card, and all of these could be related to feature
| detection for an embedded video player, for example. Feature
| detection is _not_ fingerprinting.
|
| Fingerprinting is pretty easy to confirm, because it collects a
| large combination of data points (fonts installed, canvas
| rendering quirks, etc.) and either reports or hashes them _all
| together_. (That doesn 't mean it's easy to _find_ the code that
| does the fingerprinting, but once you 've found it it's quite
| obvious what it's doing.)
|
| It is _deeply_ irresponsible and misleading of the author to
| claim fingerprinting without looking for that type of
| _combination_. And slapping "No claims made about accuracy" at
| the top of the page isn't an excuse.
| MarblePillar wrote:
| It appears that your null hypothesis embraces the benevolence
| of tech companies. Is this a reasonable assumption? How, after
| all, do they make their money?
| fabian2k wrote:
| WebGL is a very useful feature, but the top sites by traffic are
| not exactly where I'd look for good examples of WebGL use. It is
| a bit more of a niche feature, but for some use cases you can't
| really replace it at all.
| modulus1 wrote:
| Author doesn't actually know what this information is being used
| for. Sure there can be a discussion about whether this
| information should be recorded at all (say, to determine if your
| site doesn't work on certain hardware), but claiming it _is_
| fingerprinting is baseless.
| w4rh4wk5 wrote:
| Just noticed, why isn't there a site setting for WebGL in Chrome?
| mikeiz404 wrote:
| I have found this extension helpful for helping mitigate WebGL
| fingerprinting on Firefox -- https://addons.mozilla.org/en-
| US/firefox/addon/webgl-fingerp...
|
| You can test its effectiveness here --
| https://coveryourtracks.eff.org/
| gruez wrote:
| > I have found this extension helpful for helping mitigate
| WebGL fingerprinting on Firefox --
| https://addons.mozilla.org/en-US/firefox/addon/webgl-fingerp...
|
| It might work for simple fingerprinting scripts, but not for
| anti-anti-fingerprinting scripts. See:
| https://palant.info/2020/12/10/how-anti-fingerprinting-
| exten.... Since you're already on firefox, you're probably
| better off enabling resistfingerprinting instead.
| kristofferR wrote:
| That blog post doesn't seem valid, that extension randomizes
| the fingerprint each time.
| iudqnolq wrote:
| Getting a random value each time is trivially detectable.
| That's a better signal that what you're blocking if more
| people share your video card model than install the
| extension.
| gruez wrote:
| It fails the first section ("Barking the wrong tree"). If I
| install the addon and then run
| gl.getParameter.toString()
|
| I get "function () {
| window.top.postMessage(\"webgl-fingerprint-defender-
| alert\", '*'); // if
| (arguments[0] === 3415) return 0; else if
| (arguments[0] === 3414) return 24; else
| if (arguments[0] === 36348) return 30;
| else if (arguments[0] === 7936) return \"WebKit\";
| else if (arguments[0] === 37445) return \"Google Inc.\";
| else if (arguments[0] === 7937) return \"WebKit WebGL\";
| else if (arguments[0] === 3379) return
| config.random.number([14, 15]); else if
| (arguments[0] === 36347) return config.random.number([12,
| 13]); else if (arguments[0] === 34076)
| return config.random.number([14, 15]);
| else if (arguments[0] === 34024) return
| config.random.number([14, 15]); else if
| (arguments[0] === 3386) return config.random.int([13, 14,
| 15]); else if (arguments[0] === 3413)
| return config.random.number([1, 2, 3, 4]);
| else if (arguments[0] === 3412) return
| config.random.number([1, 2, 3, 4]); else
| if (arguments[0] === 3411) return config.random.number([1,
| 2, 3, 4]); else if (arguments[0] ===
| 3410) return config.random.number([1, 2, 3, 4]);
| else if (arguments[0] === 34047) return
| config.random.number([1, 2, 3, 4]); else
| if (arguments[0] === 34930) return config.random.number([1,
| 2, 3, 4]); else if (arguments[0] ===
| 34921) return config.random.number([1, 2, 3, 4]);
| else if (arguments[0] === 35660) return
| config.random.number([1, 2, 3, 4]); else
| if (arguments[0] === 35661) return config.random.number([4,
| 5, 6, 7, 8]); else if (arguments[0] ===
| 36349) return config.random.number([10, 11, 12, 13]);
| else if (arguments[0] === 33902) return
| config.random.float([0, 10, 11, 12, 13]);
| else if (arguments[0] === 33901) return
| config.random.float([0, 10, 11, 12, 13]);
| else if (arguments[0] === 37446) return
| config.random.item([\"Graphics\", \"HD Graphics\",
| \"Intel(R) HD Graphics\"]); else if
| (arguments[0] === 7938) return config.random.item([\"WebGL
| 1.0\", \"WebGL 1.0 (OpenGL)\", \"WebGL 1.0 (OpenGL
| Chromium)\"]); else if (arguments[0] ===
| 35724) return config.random.item([\"WebGL\", \"WebGL
| GLSL\", \"WebGL GLSL ES\", \"WebGL GLSL ES (OpenGL
| Chromium\"]); // return
| getParameter.apply(this, arguments); }"
|
| without the addon I get "function
| getParameter() { [native code] }"
| rizz0 wrote:
| Title is misleading
| Gravyness wrote:
| True, a better would be:
|
| "WebGL is used for fingerprinting on most major websites"
|
| But if we wanted to create click bait:
|
| "Most major website implement browser fingerprinting that
| completely disregard VPNs and the Browser's Incognito Mode"
|
| But I bet VPN companies wouldn't like that.
| biryani_chicken wrote:
| Is there an extension that blocks webgl until I click something
| like the old Flash blocking extensions?
| stonesweep wrote:
| I've had WebGL disabled forever, I don't use Twitch (as the other
| comment describes a valid use for) and really have never missed
| having it enabled for many years.
|
| It's frequently included in "secure yourself" tuning guides:
| Firefox -> about:config -> webgl.disabled: true
| criddell wrote:
| Ironically, disabling WebGL in a browser that typically has it
| on is itself a pretty valuable signal when fingerprinting.
| gherkinnn wrote:
| Well that's inconspicuous
| stonesweep wrote:
| It's been awhile, but IIRC the recommendation to disable it
| is based on security, not privacy. Other comments here
| explain it better than I could, not a programmer by trade.
| Gravyness wrote:
| I propose a "This website wants to use WebGL" browser dialog
| before returning `getContext("webgl")`
| [deleted]
| kjeetgill wrote:
| The hard part is that WebGL is a pretty narrow to concept to
| communicate this way for most users. It's hardly a Camera or
| Microphone.
|
| Most not technical users have no basis for action here.
| devit wrote:
| "Do you want to let the website use WebGL? It's either for
| rendering 3D graphics, such as 3D games, or an attempt to
| exploit bugs in WebGL to maliciously take full control over
| your machine, which may succeed if you consent"
| modsmustgo wrote:
| Full control only if the exploit works, otherwise you may
| end up with some data loss from the proprietary NVIDIA
| black screen of death on a linux.
| hackcasual wrote:
| The problem with popups like that is too many, or ones where
| the user doesn't understand why it's blocked leads to fatigue
| where they just start approving everything
| SavantIdiot wrote:
| Agreed, but it would be nice to have an "advanced (paranoid)
| mode". E.g., I run little snitch and while it is super noisy,
| I don't mind the overhead, but I wouldn't force it on
| everyone.
| quenix wrote:
| Paradoxically, that backfires. If we only let a small
| subset of users disable WebGL... well, having WebGL
| disabled _becomes_ the identifying characteristic.
| hackcasual wrote:
| Probably not that hard to build an extension for.
| panic wrote:
| Even simpler would be something like what Apple did with the
| clipboard in iOS, where it displays a message whenever it's
| used.
| olliej wrote:
| except that as this post shows many sites will produce that,
| causing notification exhaustion
| seba_dos1 wrote:
| Exactly this. WebGL has plenty of legitimate use cases, but
| those won't really suffer much from such a dialog (as long as
| it's reasonably phrased).
| kevingadd wrote:
| You'd be surprised how many websites use WebGL now. You'd
| probably end up with some sort of whitelist like the Google
| one for web audio, otherwise end users would complain
| incessantly.
| seba_dos1 wrote:
| Web Audio's autoplay block was implemented in a very poor
| way though, basically guaranteeing that existing content
| will be broken with the user having no way to unbreak it.
| nerdponx wrote:
| Until poorly-constructed websites and/or 3rd-party ad spyware
| added by the marketing dept starts requiring it or the site
| breaks. Just like Javascript, third-party cookies, canvas,
| localstorage...
|
| Also Google runs the browser standards by way of their Chrome
| market share, and they would surely never implement something
| like this until they were confident that they didn't need
| WebGL for fingerprinting, at which point they'd just stop
| supporting WebGL entirely in favor of something that they
| invented.
|
| It's not Embrace Extend Extinguish with Google; it's more
| like Embrace Replace Extinguish.
| olliej wrote:
| Safari did this in the original implementation - it turns out
| to be absolutely useless. A person cannot know whether they
| should be clicking yes, even if they are well versed in the
| technology.
| surround wrote:
| Firefox already the same thing for html5 canvas [1], enabled I
| think via privacy.resistFingerprinting (in about:config). A
| similar feature would make sense for webGL. In the meantime,
| power users can disable webGL entirely via webgl.disabled (but
| without a user-friendly prompt to warn you when it's being
| blocked).
|
| [1] https://www.ghacks.net/2017/10/28/firefox-58-warns-you-if-
| si...
| gcoguiec wrote:
| I definitely agree with you.
| viseztrance wrote:
| It's quite tough to know for certain if you're being
| fingerprinted.
|
| I worked on finding ways around fingerprinting at a previous job.
| The problem is that sites go out of their way to hide
| fingerprinting like performing it in an arbitrary redirect and
| then never do it again or only after using the site for a bit,
| and prefer doing it before an important operation like making a
| payment.
| da_big_ghey wrote:
| Did you find any realistic way person can prevent being
| fingerprint? most idea i have seen, like a tor browsing, is
| focusing on changing fingerprint and not so much on making
| fingerprint non-unique. But it always are easy for to connect
| change fingerprint to former fingerprint, so what we are really
| need is blending in with same fingerprint as other persons.
| viseztrance wrote:
| I don't know how it can be fully prevented other than
| disabling javascript, but in my opinion firefox with
| "privacy.resistFingerprinting" is a good start, though you'll
| still stand out because few people are using it.
|
| I've seen a script that performed two canvas fingerprints - a
| complex, and a simpler one. The latter being so simple always
| returned the same value regardless of the browser, so it was
| there to see if you have altered the canvas value. That's why
| changing your fingerprint might still leave you trackable.
| akalsz wrote:
| > most idea i have seen, like a tor browsing, is focusing on
| changing fingerprint and not so much on making fingerprint
| non-unique.
|
| Not sure if I exactly understand what you're trying to say
| here, but the Tor Browser itself certainly focuses on making
| its users' fingerprints identical. At least it's the only
| browser I know of that passes fingerprint tests (Panopticlick
| and friends) with JavaScript enabled.
| iamleppert wrote:
| This is why we really need to have some kind of source
| obfuscation when deploying these fingerprint codes. So we won't
| get caught.
| talknewswale wrote:
| empii meN shukrvaar ko koronaa vaayrs ke sbhii rekoNrdd ttuutt ge
| haiN / https://talknewswale.com/News_detils/124
| tibiahurried wrote:
| They say .. don't be evil ... yeah sure!
| animex wrote:
| Chrome: Add "/path/to/chrome.exe" --disable-webgl Firefox:
| about:config webgl.disabled true Edge: easiest seems to be
| install Disable WebGL Chrome Extension
|
| Test your browser here FIRST, then disable and test again:
| https://testdrive-archive.azurewebsites.net/graphics/webglst...
| fallingknife wrote:
| Wouldn't this backfire since having webgl disabled is an
| outlier, and you will be fingerprinted that way?
| alkonaut wrote:
| How is this possible at all? Don't allow readout of canvas (or
| similar) _at all_ without asking me if it's ok. Problem solved. I
| don't care if it becomes annoying on the off website that does
| have a valid use case for it. This just shouldn't happen.
| hogFeast wrote:
| There are some valid reasons for using fingerprinting.
|
| In the UK, gambling companies use fingerprinting to enforce
| exclusion lists (i.e. gambling addicts who self-exclude from
| gambling websites), and stop people from outside the UK
| gambling illegally (the latter is used generally, although
| desktop apps are generally more secure).
|
| I believe it is also used in online retail to combat bots
| (self-evidently, not everyone is doing this).
|
| I think it is a concern when websites use this kind of thing
| indiscriminately. I have worked in web development roles, and I
| have had devs tell me point blank (once, a lead dev) that
| fingerprinting is impossible whilst using products that expose
| their customers to fingerprinting...so it is important to be
| aware of it. But there are legitimate uses to fingerprinting
| specifically, exclusive of the APIs that some apps rely on
| certain features (i.e. WebGL). It is sometimes important to
| know who someone is.
| kevingadd wrote:
| Sadly this sort of readback is necessary for various features
| and scenarios, so disabling it across the board is a big
| hassle. Brave has an approach to this where they scramble the
| output some to undermine its usefulness for fingerprinting, at
| least.
| alkonaut wrote:
| Again - I don't care if it's a hassle. It should be a hassle.
| If I'm on a web based image editor I accept the readout, if
| I'm on YouTube I definitely don't.
| red_trumpet wrote:
| > for various features and scenarios
|
| What would those be?
| kevingadd wrote:
| GPU compute (things like particle systems, video decoders,
| etc), video playback, UI compositing, etc
| everdrive wrote:
| One thing that continues to confuse me is the fact that all this
| remains speculative. Surely on HN, there are people who have
| worked in FAANGs. Doesn't anyone have first hand knowledge of how
| tracking is performed at various websites, and whether people are
| really using webGL to track? And if so, how that's stored and
| correlated across different sites?
| slashink wrote:
| Some of these are probably fingerprinting but the Twitch one
| isn't (I worked on the video system at Twitch for a number of
| years).
|
| "player-core-variant-....js" is the Javascript video player and
| it uses WebGL as a way to guess what video format the browser can
| handle. A lot of the times mobile android devices will say "I can
| play video X, Y, Z" but when sent a bitstream of Y it fails to
| decode it. WebGL allows you to get a good indication of the
| supported hardware features which you can use to guess what the
| actual underlying hardware decoder is.
|
| This is sadly the state of a lot of "lower end" mobile SoCs. They
| will pretend to do anything but in reality it just... doesn't.
| rasz wrote:
| incidentally part of my anti fingerprinting script looks like
| this let UNMASKED_RENDERER_WEBGL = ["ANGLE
| (AMD Radeon HD 7900 Series Direct3D11 vs_5_0 ps_5_0)",
| "ANGLE (Intel(R) HD Graphics 4000 Direct3D11 vs_5_0 ps_5_0)",
| "ANGLE (Intel(R) HD Graphics 4600 Direct3D11 vs_5_0 ps_5_0)",
| "ANGLE (Intel(R) HD Graphics 520 Direct3D11 vs_5_0 ps_5_0)",
| "ANGLE (Intel(R) HD Graphics 530 Direct3D11 vs_5_0 ps_5_0)",
| "ANGLE (Intel(R) HD Graphics Family Direct3D11 vs_5_0 ps_5_0)",
| "ANGLE (NVIDIA GeForce GTX 960 Direct3D11 vs_5_0 ps_5_0)",
| "ANGLE (NVIDIA GeForce GTX 1070 Direct3D11 vs_5_0 ps_5_0)",
| "ANGLE (NVIDIA GeForce GTX 760 Direct3D11 vs_5_0 ps_5_0)"]
|
| those were the most popular desktop GPUs according to Steam a
| year or two ago.
| nine_k wrote:
| Won't a custom script make you special and thus very easy to
| precisely fingerprint?
|
| I can imagine that having _several_ typical configs and
| switching between them at random would help blend in.
| gruez wrote:
| >I can imagine that having several typical configs and
| switching between them at random would help blend in.
|
| You have to be careful with that too. An anti-anti-
| fingerprinting implementation can record the values and
| compare them across visits to see whether they stay the
| same. If they change every few months that's reasonable
| (eg. changing hardware), but if they change every day or
| every week there's most certainly spoofing involved.
| xsmasher wrote:
| Does it matter if they know you're spoofing, as long as
| it prevents them from linking two separate sessions
| together?
| gruez wrote:
| you'll run into this problem: https://xkcd.com/1105/
| therouwboat wrote:
| Anti-anti-fingerprinting? :/
|
| I feel like going there and telling them to stop
| following me around.
| nine_k wrote:
| It should change every few requests. The point is not to
| conceal spoofing, but to foil attempts to fingerprint.
|
| Maybe an explicit sign of spoofing is even better, it
| sends a message in a gentle way.
|
| Unspoofing on the server side, if at all possible, would
| likely be too expensive for whatever gain it might bring.
| cmeacham98 wrote:
| Unless a major anti fingerprinting solution uses the same
| list of GPUs as you doing this puts you in a tiny bucket
| and provides massive entropy to trackers, possibly even
| enough to exactly identify you given many webGL calls.
| x775 wrote:
| Would you be willing to share this script?
| gruez wrote:
| Don't bother. It's hard to do it correctly. If you look
| through the snippets (or the MDN docs[1]), the value is
| retrieved using the getParameter() function. You might be
| tempted to override the function by doing something like
| gl.getParameter = () => "test"
|
| but that's easily detectable. If you run
| gl.getParameter.toString()
|
| You get back "() => "test""
|
| whereas the original function you get back
| "function getParameter() { [native code] }"
|
| In general, don't try to fix fingerprinting via content
| scripts[2]. It's very much detectable. Your best bet is a
| browser that handles it natively.
|
| [1] https://developer.mozilla.org/en-
| US/docs/Web/API/WEBGL_debug...
|
| [2] https://palant.info/2020/12/10/how-anti-fingerprinting-
| exten...
| HWR_14 wrote:
| So the issue is that the fingerprinting code can detect
| the anti-fingerprinting code? Doesn't that mean the best
| solution is for everyone to override the same functions
| with the same dummy information?
| rasz wrote:
| gl.getParameter.toString() = () => 'function
| getParameter() { [native code] }'
| gruez wrote:
| -> gl.getParameter.toString.toString() <- "() =>
| 'function getParameter() { [native code] }'"
|
| Not to mention the iframe trick mentioned in palant's
| article.
| rasz wrote:
| is that Firefox? in Chrome I get
| gl.getParameter.toString() = () => 'function
| getParameter() { [native code] }'
| gl.getParameter.toString() "function
| getParameter() { [native code] }"
| gl.getParameter.toString().toString() "function
| getParameter() { [native code] }"
| gl.getParameter.toString().toString().toString()
| "function getParameter() { [native code] }"
|
| iframes, worker, sharedworker, serviceWorker are all
| covered. Good luck timing the difference.
| deathanatos wrote:
| You're running
| gl.getParameter.toString().toString()
|
| what the comment you're replying to is trying to tell you
| to run is:
| gl.getParameter.toString.toString()
|
| Call toString on the toString fuction, not on its result.
| rasz wrote:
| Good point. Rewriting according to https://adtechmadness.
| wordpress.com/2019/03/23/javascript-ta... now
| [deleted]
| stevehawk wrote:
| nice try NSA
| novok wrote:
| Do you present a set of 9 GPUs or pick one at random?
| rasz wrote:
| UNMASKED_RENDERER_WEBGL[Math.floor(Math.random()*UNMASKED_R
| ENDERER_WEBGL.length)]
| [deleted]
| jefftk wrote:
| Agreed: fingerprinting is using ways one browser or device
| consistently differs from others to derive a stable identifier.
|
| Several others on this list are also not used for
| fingerprinting, and are instead detecting robots/spam/abuse.
| Unfortunately, there isn't any technical way for the public to
| verify that, because client-side all it looks like is
| collecting a bunch of high-entropy signals.
|
| All the major browsers have said they intend to remove
| identifying bits to where fingerprinting is not possible, which
| will also make these other uses stop working.
| AlotOfReading wrote:
| That was always a short-term hack anyway. The limiting case
| is that spammers simply pay humans somewhere to continue
| whatever "abuse" was formerly automated, as currently happens
| with captchas.
| nerdponx wrote:
| That said, surely this "functional" information can also be
| valuable fingerprinting data, no? What's stopping an
| enterprising data science team from pulling it into their data
| lake, using to build ad models for logged-out users, maybe
| submitting it to 3rd-party machine learning vendors, etc. and
| generally making it undeletable?
| kjrose wrote:
| This is interesting. I can see how it could have legitimate
| uses to get around bad inplementations with stating what
| capabilities are possible.
|
| However that being said it's like fingerprinting to sort out
| what their system really has. Still an abuse of the system.
| nerdponx wrote:
| As per my sibling (cousin?) comment, pretty much any
| legitimate capability-determining data can be used for
| fingerprinting.
|
| This can only be solved with legislation, IMO. There is no
| way for an industry to self-regulate something like this, the
| candy bowl too big and the candy too sweet.
| throwawgler87 wrote:
| To make fingerprinting illegal, you mean? Or were you
| thinking of some other way to solve the problem with
| regulation?
| nerdponx wrote:
| More like (the spirit of) GDPR, where data collection
| itself becomes a legal and financial liability to point
| where it's not worth it to collect and retain it for a
| typical entity.
| difosfor wrote:
| Yeah, I think the world would be better off without ads
| altogether. Just allow people to search for what they need
| or want by themselves, that's enough.
| nine_k wrote:
| ...and pay out of pocket for the use of a search engine?
| Why, well, I'd do that; e.g. neeva.com is accepting sign-
| ups.
|
| Also, ads without personal targeting, much like dead-
| trees newspaper / magazine ads, could still work and prop
| up certain web publishers.
| tjpnz wrote:
| >...and pay out of pocket for the use of a search engine?
|
| That's the only way service providers will see a cent
| from me going forward. Ads present not only a privacy
| risk but they're increasingly becoming a security risk
| too. I will not allow them on any of the devices I own or
| that connect to my home WiFi.
| nine_k wrote:
| I think that static ads served from the first-party CDN
| are security-wise no worse that the content itself.
|
| Blocking scripts and requests by third-party ad networks
| makes complete sense from security perspective, though.
|
| Affiliate links going directly to relevant item pages in
| a store are fine by me, too. They have to be relevant for
| anyone to click on them, they don't play video or make
| sound, etc. They do give some tracking opportunity, but
| without third-party cookies and third-party requests,
| it's hard to achieve anything resembling the privacy-
| invading precise tracking which current ad networks
| routinely do.
|
| In any case, I much more prefer the absence of AWS and an
| honest donation button.
| slashink wrote:
| That's a fair take. In a sense it's is a "fingerprinting"
| method although I personally think fingerprinting embodies
| using this data to track devices between contexts.
|
| If you're interested why this data was exposed in the first
| place, the MDN docs has good info
| https://developer.mozilla.org/en-
| US/docs/Web/API/WEBGL_debug... . "Generally, the graphics
| driver information should only be used in edge cases to
| optimize your WebGL content or to debug GPU problems."
|
| Sadly that's the reality of some of these tools. The intent
| was good and in many cases they are a necessity to create a
| web experience that works on every device. On the flip side
| this allows people to use this data to fingerprint.
| javajosh wrote:
| JavaScript legitimately needs to know about it's runtime
| environment. The problem with fingerprinting is not the act of
| examining the environment itself, but rather sending the
| results of that examination to the server as a form of
| identification. I would rather confront the second problem more
| directly with a "per tab Little Snitch" type solution that
| eliminates communication that is not in the user's interest,
| rather than eliminate fingerprinting, for precisely the reasons
| you give, slashink.
| smolder wrote:
| Unfortunately web apps can defeat that by bundling unwanted
| telemetry type stuff in with other API calls, directly or by
| batching. So, it would need to be a complex tool to deal with
| that or suffer limited applicability. Perhaps if it stayed
| under the radar it could be effective in many cases without
| instigating countermeasures by site owners.
| javajosh wrote:
| Let's not make perfect the enemy of good. Counter-measures
| like user-interactive, request specific firewalls (like
| Little Snitch) can _always_ be defeated by a motivated
| malfactor willing to commmit resources. That does not mean
| it isn 't worth doing.
|
| Consider that virtually _all_ physical locks are trivial to
| pick by someone who knows how (see youtube.com
| /lockpickinglawyer), and yet we still use locks. Pickable
| locks improve security because they increase the cost to
| the attacker enough that it deters most attacks.
| benatkin wrote:
| Not all JavaScript does, and the kind that does isn't
| neccessarily something I asked for. I would be plenty happy
| if GitHub and Stripe couldn't show their 3D globe animations
| until I request them, for the sake of privacy.
| kjeetgill wrote:
| ... but that is sorta fingerprinting, right? Atleast, inferring
| a user's device capabilities via WebGL is hardly _using WebGL_.
|
| I think it's a beautiful, legitimate use -- but I can't fault
| the author for labeling fingerprinting.
| jeffgreco wrote:
| Is fingerprinting not trying to uniquely identify a user?
| calhoun137 wrote:
| Since there is no way to 100% fingerprint a device,
| therefore there is no way to uniquely identify anyone with
| 100% confidence using pure fingerprinting techniques.
|
| My view is that fingerprinting is a set of tools which can
| be used for "good or evil" if that makes sense. If you are
| gathering meta-data to determine the capabilities of the
| device, then this is part of the wider framework of data
| points which can, in principle, be used for fingerprinting
| a user. This data can be imported into a completely
| different system by a sophisticated adversary, so it needs
| to be treated as a security vector, imho
| salawat wrote:
| >Since there is no way to 100% fingerprint a device,
| therefore there is no way to uniquely identify anyone
| with 100% confidence using pure fingerprinting
| techniques.
|
| Pedantic point, so forgive me, but 100% uniquely
| identifying a device does not imply 100% uniquely
| identifying the user of the device. We call them User-
| Agents for a reason. Anyone could be using it.
|
| It's critical people not fall into the habit of
| conflating users and user-agents. Two completely
| different things, and increasingly, law enforcement has
| gotten more and more gung-ho about surreptitiously
| forgetting the difference.
|
| Ad networks and device/User-Agent based surveillance only
| makes it worse.
|
| There are several initiatives to implement UUID's for
| devices. There is the Android Advertising ID, systemD's
| machine-id file, Intel burns in a unique identifier into
| every CPU.
|
| IPv6 (without address randomization) would also work as a
| poor man's UUID.
|
| It's frighteningly easy, and you'll be surprised how
| unintentionally one can be implementing something
| seemingly innocent and end up furthering the purposes of
| those seeking to surveil.
| calhoun137 wrote:
| This is an excellent point! Thank you for pointing that
| out +1
| nerdponx wrote:
| Fingerprinting works because devices are surprisingly easy
| to identify just by enumerating their capabilities. If you
| are collecting this data, you are likely fingerprinting
| (read: uniquely identifying) machines even if you aren't
| trying to.
|
| The same is true of humans, by the way. Even something as
| innocuous as surname, gender, and county of residence could
| be enough.
| calhoun137 wrote:
| +1 just because fingerprinting with WebGL has practical
| applications and legitimate use cases, this does not mean
| it's not fingerprinting
| BHSPitMonkey wrote:
| It would only be fingerprinting if the "fingerprint" is
| persisted alongside some other information about you as a
| user, and subsequently used in attempts to identify other
| activity as belonging to said user. That is not at all what
| was implied by the approach described above (which would
| just be used at the time of initializing every video
| streaming session).
| calhoun137 wrote:
| I stand corrected. You make a good point.
| tmpz22 wrote:
| So absolutely no data on the device obtained via webGL is used
| for marketing or other BI workloads? None of it is shared with
| 3rd parties (especially advertisers)? Its entirely used for the
| user experience and then discarded when no longer relevant?
|
| FWIW while I'm playing hardball here I really appreciate your
| answer and expertise.
| Ensorceled wrote:
| > FWIW while I'm playing hardball here I really appreciate
| your answer and expertise.
|
| You're actually just outright accusing them of lying.
| djrogers wrote:
| Do you see those question marks? Those denote questions.
| Questions are not accusations.
| wizzwizz4 wrote:
| Tell that to Socrates.
| itsananderson wrote:
| Have you stopped beating your wife?
|
| Edit: this is the typical example of a loaded question,
| not an actual accusation against the parent comment
| https://en.m.wikipedia.org/wiki/Loaded_question
| jameshart wrote:
| Really? never?
|
| So when _did_ you stop beating your wife?
| II2II wrote:
| I understand the point you are trying to make, with the
| question incorporating an accusation (i.e. that the
| person beat their wife in the past). That is different
| from asking pointed questions about potential actions
| (e.g. "have you ever beat your wife?").
| Quarrelsome wrote:
| outright is literal, this isn't outright its just
| challenging their answer and its journalistically a good
| sequence of questions.
|
| You need to be able to tell the good from the bad and IMO
| you're wearing these trousers the wrong way round.
| Nextgrid wrote:
| Considering companies have lied before when it comes to
| privacy & ad tracking (see Facebook's "promise" of not
| using 2FA phone numbers for advertising purposes) his
| concerns are totally reasonable.
| slashink wrote:
| I didn't interpret the comment as an acquisition to my
| original comment.
|
| It's good to ask the hard questions and even though I'm not
| able to answer it in detail I still think that 'tmpz22'
| brought up a good point in that data can be used for both
| good and bad at the same time.
| slashink wrote:
| I don't work at Twitch anymore so I can't answer your
| question without guessing and I rather not.
|
| There is always a likelihood that data gets used for reasons
| beyond the original purpose. In the best of world the
| hardware that runs on consumers devices would do the right
| thing which would allow the web to be a perfect sandbox. I
| think we're slowly getting there, in terms of video it's
| slowly getting to a point where H.264 support is "universally
| true" rather than a minefield although VP9 and AV1 is a bit
| of being back to square one.
|
| I think the spirit of my original comment was not to say "I
| promise that X company isn't doing Y" more to explain why
| this code existed in the first place. A search engine doesn't
| need to know what WebGL capabilities a device has as it
| doesn't deal with rendering whereas a site that has to work
| with hardware decoders most likely does need to know.
| rasz wrote:
| Just looked at it, it only triggers when player encounters an
| error while decoding video.
| Arnavion wrote:
| I'm curious if something like [1] would work for those SoCs, eg
| ask if it supports "video/mp4-liar-liar-pants-on-fire-from-
| twitchtv"
|
| [1]: https://devblogs.microsoft.com/oldnewthing/?p=40663
| slashink wrote:
| Good question!
|
| So the problem here is a bit different. It's not that devices
| will say "I can play Format X" and then not play it. It's
| that devices say "I can play Format X at Resolution A, B, C".
| When you give the device resolution A and B it succeeds but
| at resolution C it fails to decode it.
|
| In H.264 this would be the "Level"
| https://en.wikipedia.org/wiki/Advanced_Video_Coding#Levels .
| A device may say that it can decode Level 4.2 but in reality
| it can only do 4.1. That means it can play back 1080p30 but
| not 1080p60. The only way to know is to actually try and
| observe the failure (which often btw is a silent failure fro
| m the browsers point of view, meaning you need to rely on
| user reports).
| qwertox wrote:
| The official registration page for vaccinations in Germany (
| impfterminservice.de ) uses Akamai's Bot Manager, which in turn
| uses WebGL for fingerprinting. It does a lot more, computes
| timings of certain tasks and stuff, all in all, pretty impressive
| work, but it is doing fingerprinting.
|
| The privacy policy of the website doesn't mention this technique,
| which effectively is a replacement for cookies, nor the use of
| any of Akamai's services. It even CNAMEs Akamai.
|
| So basically Akamai's service is left out of this list for no
| reason at all.
|
| I stumbled upon this while trying to automate the querying for
| available slots to get notified via email, and one of the POST
| calls was sending my graphics card model to the server.
| onefortree wrote:
| What about the situations with banks or financial related field?
| I think a lot of people would prefer the site collect information
| to check for any irregularities on who is making accounts or
| logging in so they can be warned if anything stands out.
| Fraudulent accounts pass the cost to every other customer.
|
| Maybe I haven't thought of every situation but don't you want to
| be able to prevent odd behavior to an account?
| kjrose wrote:
| Does anyone know if brave browser blocks this at all?
| qart wrote:
| It does not. Check here https://browserleaks.com/webgl
| codezero wrote:
| I don't doubt this is a thing, but the place to look for anything
| concerning is information returned from these API calls going out
| over the wire. Very few places encrypt or obfuscate their network
| requests with anything but base64, URL encoding, or maybe puny
| code, I've seen a few others but nothing difficult to figure out.
| ec109685 wrote:
| Here's a site that will show you your fingerprint:
| https://browserleaks.com/webgl
| SavantIdiot wrote:
| I'm confused by this page. I ran it on two MBPros side by side
| and they got the same fingerprint. Did I miss something?
|
| EDIT: Safari and Chrome got the same prints on both machines,
| FireFox got two different prints. Huh?
| tgsovlerkhgsel wrote:
| If all hardware and software is the same, you should get the
| same print. Which doesn't make the fingerprint globally
| unique, but unique enough to make you "one of these 10000
| people" instead of "any of this billion people". Combine it
| with other data, and the combined set identifies you
| uniquely.
| tyingq wrote:
| I would guess nobody uses webgl exclusively for
| fingerprinting, but rather, in combination with other things.
| Apple machines are notoriously homogeneous hardware wise. You
| can imagine there's a much wider spread of webgl fingerprints
| for android phones and non-apple desktops/laptops.
| redandblack wrote:
| fwiw - I got different webgl report hash values between
| refreshes on firefox. I do have webgl fingerprint disabling
| addon in firefox.
|
| edit - addon faq says it injects fake values
| DDR0 wrote:
| I added a little test for this to my blog, based on Facebook's
| function. https://ddr0.ca/blog-posts/11.Graphics_Card_Test.html
|
| So far, the only things which haven't reported my graphics card
| to me are the Tor browser (good), KHTML (good, but probably
| because it doesn't support WebGL), and Lynx (of course, no js).
| Firefox reported much less info than Chrome did.
| cyberlab wrote:
| Another compelling reason to have JS disabled by default. If you
| need to browse those sites listed on the page, consider having a
| dedicated laptop that would have a specific fingerprint separate
| from the machine you would do most of your daily browsing on, and
| compartment away those sites that are known to track you across
| the web.
|
| I actually rarely have to enable JS on pages now. Most JS-only
| sites can be find in places like
| https://news.ycombinator.com/show where people showcase JS-only
| sites / apps. Most are innocuous enough and are not trying to
| track you though, so I sometimes turn on JS just to test them
| out. I have a dedicated laptop for Youtube, Reddit etc. I'm well
| aware that sites like Reddit track you via JS, so I compartment /
| silo sites like that with a dedicated machine.
| theamk wrote:
| We need more of those "do you want to allow...." confirmations.
| They are trivial to accept in the rare cases when webgl is
| actually required (online game or something), but will introduce
| enough friction and "default off" behavior that sites should stop
| using them by default.
|
| This will probably help with security as well, there has been a
| fair share of webgl exploits as well.
| mdtusz wrote:
| Yes, but also no.
|
| More granular browser API permissions would be fantastic, but
| the current interface for grant/deny in all the major browsers
| is annoying enough as is. The prompts need to be moved to a
| less in-your-face place, or at least have the option to be. I
| almost always find myself clicking "deny" because no, I don't
| want to give your recipe site permission to show notifications.
|
| Somewhat related is the new "sign in with Google" prompt I've
| been seeing on lots of websites. I accidentally clicked it when
| visiting the Seattle Times website and have been working
| inundated with spam emails even after clicking unsubscribe.
| keyringlight wrote:
| The issue with this and all similar permission dialogs is that
| they often go the other way, you're training the user to just
| hit "allow" and swat the dialog away so they can get at the
| task/site they wanted. It's one thing to give the user options
| and ask for everything, but you've got to consider whether
| they've got the knowledge/context behind it to make a decision
| and whether it's presented in a way where they won't swat it
| away.
| pitaj wrote:
| I think this can be solved via UX. When the browser wants
| WebGL, notification privs, etc:
|
| 1. Pend the request 2. Notify the user "This site wants
| access to the WebGL graphics API to display complex graphics.
| This is disabled by default to prevent browser
| fingerprinting. If the site fails to work properly, click the
| lock icon and allow it." 3. Deny access until the user
| explicitly enables it on a temporary or permanent basis
| johnyzee wrote:
| It should simply be disabled until the user performs an
| action that requires it. I believe web audio works the same
| way.
___________________________________________________________________
(page generated 2021-04-17 23:00 UTC)