Comment by codedokode

Comment by codedokode 9 hours ago

9 replies

View on Hacker News

Does it hide GPU name that is exposed via WebGL/WebGPU? Does it hide internal IP address, available via WebRTC?

> block all third party content

It's not going to work, because the fingerprinting script can be (and is often served) from first-party domain.

Also imagine if browser didn't provide drawing API for canvas (if you would have to ship your own wasm rendering library). Canvas would become useless for fingerprinting and its usage would drop manyfold. And the browser would have less code and smaller attack surface.

drnick1 9 hours ago

> Does it hide GPU name that is exposed via WebGL/WebGPU? Does it hide internal IP address, available via WebRTC?

My GPU is reported as simply "Mozilla" by https://abrahamjuliot.github.io/creepjs/.

The number of cores is also set to 4 for everyone using this config and/or Tor.

> It's not going to work, because the fingerprinting script can be (and is often served) from first-party domain.

This may be true, but allowed third party content makes it trivially easy for Google and others to follow people around the Internet through fonts delivery systems among others.

Reply View 3 replies
  • tempest_ 6 hours ago

    I had forgotten I was running Ublock origin / Privacy Badger / Ghostry so I was a bit confused with the results from that site.

    I think it is Ghostry that is faking the responses but I still have a pretty unique fingerprint according to https://coveryourtracks.eff.org/kcarter?aat=1

    Reply View 2 replies
    • ifh-hn 3 hours ago

      Isn't ghostry compromised? Having been bought out by an ad company?

      Reply View 1 reply
      • nativeit 2 hours ago

        As near as I can tell, it’s always been owned by Cliqz, who produced some privacy-focused browsers (named Dawn or Lumen) and a search engine (Tailcat) that was ultimately purchased by Brave. The whole thing is majority owned by a German media group, Hubert Burda Media, and while its missions towards increased privacy seem to be sincere, I don’t know if I’d trust them implicitly.

        All that said, the main project looks to be open sourced under a GPL3 license, so distrust and verify: https://github.com/ghostery

        Reply View 0 replies
dminuoso 9 hours ago

If I infiltrate someone else’s computer, secretly run code in order to to exfiltrate data I risk prison time because objectively it seems to satisfy criminal laws over where I live.

How do prosecutors in any modern country/state not charge this behavior when done by a website owner?

Reply View 4 replies
  • gruez 8 hours ago

    The difference is that there's implied consent to run arbitrary (albeit sandboxed) code when you visit a website. Moreover it's not the website causing the code to be executed, it's your browser. Otherwise if the bar is "code is being run but the user doesn't know about it", it would lead to either any type of web pages with javascript being illegal (or maybe without javascript, given that CSS turing complete), or a cookie banner type situation where site asks for consent and everyone just blindly accepts.

    Reply View 3 replies
    • mh- 7 hours ago

      > if the bar is "code is being run but the user doesn't know about it",

      .. would lead to all modern electronics being illegal, not just web pages with javascript.

      Reply View 1 reply
      • nativeit 2 hours ago

        I guess it’s fortunate that this quote only includes a portion of the assertion they’re making. What happens when you include the rest?

        Reply View 0 replies
    • bandrami 5 hours ago

      > any type of web pages with javascript being illegal

      Inshallah

      Reply View 0 replies