
#1 2014-02-27 21:47:40

alax15
Guest

Browser Fingerprinting

Hi Epic

I really like what you have done with the browser. One thing I would like to get added, if possible: can you implement functions to make the browser less trackable?
The general test of it is here: https://panopticlick.eff.org/
It comes up with around 20 bits of information as of now.

Is it something that would be possible?

Offline

#2 2014-03-05 12:23:16

alok
Administrator

Re: Browser Fingerprinting

Alax -- here's your post...it ended up as a new thread...I'll re-post my response here as well -- it's also in the panopticlick thread where you had posted. 

Regarding browser fingerprinting, we'd like to make Epic much less trackable but stopping browser fingerprinting is tough.  You do have protection in Epic right now as we block many many known fingerprinters!  That's one way to stop fingerprinting.  The other way is to make fingerprinting impossible so that all browsers show the same data on tests like panopticlick.  That's much tougher.  We have tried this and even have some partial solutions ready to go--but we haven't implemented them as there's one big impediment to stopping fingerprinting -- Flash!  We can control js responses and browser data and such so that we could make fingerprinting via that impossible BUT Flash is out of our control and releases all sorts of data about your system to fingerprint you.
We've done/you can do thought experiments -- what if I were a fingerprinter -- and actually most of the data in panopticlick for example I'd probably ignore if I was -- probably the best way to fingerprint a system/user would be via flash and os-level data like installed fonts.  Unfortunately Flash at this point is out of our control.
Note how to defeat fingerprinting.  I believe we've mentioned this thought before but it's something no one really mentions in this subject and that most understand...but it's one of the most important thoughts in terms of defeating fingerprinting & one too important to just keep to ourselves.  To fingerprint a system, there must be two things:  uniqueness and stability.  Even if you come up as a unique browser, but if your data keeps changing every week or over some time period, then you can't be tracked by fingerprinting.  Vice versa, if you look un-unique, then you also can't be tracked by fingerprinting.  We believe that the best fingerprinting solutions will probably be the former...increasing uniqueness perhaps, but making your data unstable/changing...from our work to date.
We hope to have more fingerprinting protection -- keep sharing your thoughts!
Alok, Epic Privacy Browser Team

Offline
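The uniqueness-and-stability argument in post #2 can be checked with a small simulation. This is an added example, not code from Epic or from anyone in the thread; the population, attribute values, strategy names and the FNV-1a hash standing in for a tracker's hash are all assumptions.

```javascript
// Added illustration: all attribute values below are constructed.
const USERS = [ // each row: [userAgent, screen, fonts, timezone]
  ["Chrome/35 Win7", "1920x1080", "Arial,Calibri,Tahoma", "UTC-5"],
  ["Chrome/35 Win7", "1366x768", "Arial,Calibri,Tahoma", "UTC-5"],
  ["Chrome/35 Win7", "1366x768", "Arial,Calibri,Tahoma", "UTC-5"], // twin of the row above
  ["Chrome/35 OSX", "1440x900", "Arial,Helvetica,Menlo", "UTC-8"],
  ["Chrome/35 Win8", "1920x1080", "Arial,Calibri,Comic Sans MS", "UTC+1"],
  ["Chrome/35 Linux", "1600x900", "DejaVu Sans,Liberation Sans", "UTC+0"],
];

// FNV-1a 32-bit: stands in for whatever hash a tracker applies to the attributes.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16);
}

// What each browser reports to a page, per defence strategy.
const STRATEGIES = {
  baseline: (attrs) => attrs,                                 // report the truth
  uniform: () => ["Chrome/35", "1366x768", "Arial", "UTC+0"], // everyone identical
  // Real values plus a value that changes every session; the derived salt
  // stands in for fresh randomness so the run is repeatable.
  unstable: (attrs, user, session) =>
    [...attrs, "noise:" + fnv1a(`${user}/${session}`)],
};

function measure(name) {
  const report = STRATEGIES[name];
  const session = (s) =>
    USERS.map((attrs, i) => fnv1a(report(attrs, i, s).join("|")));
  const first = session(1), second = session(2);
  const isUnique = (fp) => first.filter((x) => x === fp).length === 1;
  const unique = first.filter(isUnique).length;
  const stable = first.filter((fp, i) => second[i] === fp).length;
  // Trackable = unique in session 1 AND unchanged in session 2.
  const trackable =
    first.filter((fp, i) => isUnique(fp) && second[i] === fp).length;
  return { unique, stable, trackable };
}

for (const name of Object.keys(STRATEGIES)) console.log(name, measure(name));
```

Only the baseline leaves any browser trackable: the uniform strategy removes uniqueness, the unstable one keeps every browser unique but removes stability.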

#3 2014-07-16 09:54:39

this01
Guest

Re: Browser Fingerprinting

alok wrote:

probably the best way to fingerprint a system/user would be via flash and os-level data like installed fonts.

Thanks for bringing this topic up.

Fortunately, Epic gives me the option to turn flash off.

Unfortunately, there is no such option for installed fonts information! Does it or does it not provide this info? Can this not be prevented by design?

Offline

#4 2014-07-17 15:50:31

sathi
Administrator

Re: Browser Fingerprinting

Hi this01,

Yes, there is no information to the user on fonts.

We can design it such that the browser blocks system font info and Flash info from the outside world.
But if we do this, lots of websites will break.

Offline

#5 2014-07-17 18:36:19

this01
Guest

Re: Browser Fingerprinting

Can you make the browser report a set or subset of fonts that will be the same for all users of Epic?

Thanks!

Offline

#6 2014-07-18 07:22:34

sathi
Administrator

Re: Browser Fingerprinting

this01,

Using the same set of fonts for every user may make it easy to identify Epic users. We feel like adding some random fonts to the existing fonts.

Offline

#7 2014-07-25 21:26:46

JimTurney
Guest

Re: Browser Fingerprinting

This may be of interest to this thread:
http://boingboing.net/2014/07/23/web-tr … h-pic.html

"Canvas fingerprinting can be defeated by not allowing JavaScript to read image data that it has created, an option that's part of the Tor Browser. Allowing case-by-case access on trusted sites in which one is using some form of graphics-based interaction might make sense, and browser makers and plug-in designers could add these options for those concerned."

Offline

#8 2014-07-30 12:07:59

Heretic
Guest

Re: Browser Fingerprinting

I'm starting to think that a combination of both being very unique and very random as well as absolutely not unique might work.  Randomizing certain aspects of fingerprint signatures that shift around might create a very confusing situation for those trying to fingerprint.  This signature popped up here (randomly), then it's over there, then it went that way.  Confuse to the point of total failure of fingerprinting methods?

Fonts

Perhaps another way to muck with fonts is another program that reports back to any font requests to any program other than "authorized" programs a phony list that is made to be generic (or random, above paragraph).  One version of Flash might be tricked by this data, but another might not be.  I'm thinking the key isn't to go after Flash itself, but where Flash actually gets its data from, the real fonts.  Personally, I could care less if I have to alter my Real Fonts for Privacy.  Lots are installed by games or other programs.  Screw it.  Dump 'em.  Or restore as needed.  Just tossing ideas around.

Canvas

I agree with Jim.  Not sure if it's possible or easier to block drawing Canvas through JS.  My primary target right now is Youtube, and I suspect they are using something other than Canvas.  I could be wrong.  Perhaps a blacklist for the Noscript addon that targets the location of the script on their servers?  Why not?  They target us because we are for sale.  Why not take a stab at it with the Block Ads concept?  Leave the functionality of sites, but block anything that has to do with Fingerprinting, which Youtube is definitely now doing.  Might this work?

Offline

#9 2014-08-23 06:33:45

alok
Administrator

Re: Browser Fingerprinting

Great thoughts!!

We have a solution for canvas data -- which is very scary -- will be out next week in a new update.  For attempts to read that data we return 0s...so the image will become blank.  We haven't found very many websites using this data so we feel that's an acceptable solution (that some images will go blank) -- just on rare occasions some images will go blank in Epic...and you'll know why!

We're working on making the responses to some js functions a bit unstable from session to session to thwart fingerprinting. 

We've also been trying to get Flash to "behave" so to speak...if anyone can put us in touch with someone at Adobe who could help us, that would be fantastic.  The Flash player they provide for the Yandex browser seems to actually have a way to stop font-data leakage...unfortunately it keeps crashing when we use it in Epic...

Offline
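A sketch of the "return 0s on canvas readback" approach described in post #9, added here as an illustration and not Epic's implementation. `installBlankReadback`, `FakeContext2D` and the pixel values are hypothetical; in a browser the prototype passed in would be `CanvasRenderingContext2D.prototype`.

```javascript
// Wrap getImageData so callers always receive zeroed pixels.
// Drawing still works; only the readback channel is blanked.
function installBlankReadback(ctxProto) {
  const real = ctxProto.getImageData;
  ctxProto.getImageData = function (...args) {
    const img = real.apply(this, args); // keeps size and error behaviour
    img.data.fill(0);                   // every pixel becomes transparent black
    return img;
  };
  return () => { ctxProto.getImageData = real; }; // uninstall hook
}
// Caveat: a page-level shim would also need to cover toDataURL/toBlob and
// contexts obtained from fresh iframes; a browser can enforce this natively.

// Constructed stand-in for CanvasRenderingContext2D so the block runs
// outside a browser. `pixels` models what this machine's GPU, fonts and
// anti-aliasing produced for the same drawing commands.
class FakeContext2D {
  constructor(pixels) { this.pixels = pixels; }
  getImageData(sx, sy, sw, sh) {
    return { width: sw, height: sh, data: Uint8ClampedArray.from(this.pixels) };
  }
}

// What a fingerprinting script would feed into its hash.
function readback(ctx) {
  return Array.from(ctx.getImageData(0, 0, 2, 1).data).join(",");
}

function demo() {
  // Two machines rendering the same text with slightly different pixels.
  const machineA = new FakeContext2D([12, 34, 56, 255, 78, 90, 12, 255]);
  const machineB = new FakeContext2D([12, 35, 56, 255, 78, 90, 13, 255]);
  const distinguishableBefore = readback(machineA) !== readback(machineB);
  const restore = installBlankReadback(FakeContext2D.prototype);
  const identicalAfter = readback(machineA) === readback(machineB);
  const blank = readback(machineA);
  restore();
  return { distinguishableBefore, identicalAfter, blank };
}

console.log(demo());
```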

#10 2014-08-31 12:48:34

Heretic
Guest

Re: Browser Fingerprinting

@alok

I'm not sure that getting ahold of people at Adobe will help.  They care about Money, not Privacy.

On that topic, it appears that many of the features in Flash are totally undocumented!
http://jpauclair.net/2010/02/10/mmcfg-treasure/

One way I think will stop the Flash font-data leakage is to use a "mms.cfg" file in the Windows folder and set a param to read: "DisableDeviceFontEnumeration=1"  It seems to work just fine on Panopticlick, but I suck with packet sniffing so I can't verify.

Sathi replied elsewhere and said Flash didn't like to obey its mms.cfg by attaching a Peeper plugin to alter fonts list, but from what I've found is that the Flash config mms.cfg file for Chrome / Epic is actually supposed to be located elsewhere, somewhere within Chrome, thus, most likely also for Epic, which could be the source of the trouble.

I'm glad you have something working to fight back against the Canvas Fingerprinting, but AddThis accordingly has pulled it.  However Google has not, but I don't think they are using Canvasing techniques.  Youtube, with all local tracking blocked, is still able to fingerprint users.  Thus, youtube may work better as a testbed for fighting fingerprinting.  They're doing something else, and by comparison of Google to AddThis, Google is much more dangerous than AddThis.

I mentioned the mms.cfg and other Flash stuff other times here because I think it could be highly useful.

= = = = =

Off topic, on the concept of Proxies.  Proxies are imperfect.  They can be bypassed by various server tricks.  Such as (*sigh*) Flash phoning home to verify an IP.  And I know you guys need funding for this project.  Would it be in your interest to set up a full scale VPN network?  I guess you'd have to consider making it a paid VPN as an optional service that could supplement Epic, but just a thought...

Offline

#11 2014-11-03 00:20:12

louis
Guest

Re: Browser Fingerprinting

Chameleon is a great addon for better privacy! I tested it on another Chrome browser and the results are wonderful! I used Panopticlick to test the results!

Here is the address where you can get this addon --> https://github.com/ghostwords/chameleon
You should install this addon on the Epic browser for better privacy results!

Offline
