My apologies to the Bugzilla team for wasting their time holding my hand on this one. Would have honestly never noticed the little “HTML5” info icon to the left of the URL bar though without their help.

  • Pennomi@lemmy.world
    link
    fedilink
    English
    arrow-up
    47
    arrow-down
    1
    ·
    8 months ago

    Surely this is a user experience that could be improved, no? Awesome feature but confusing solution.

    • cmnybo@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      28
      ·
      8 months ago

      The resist fingerprinting mode scrambles canvas read out to prevent sites from using it to create a fingerprint. Because of that, any site that needs to read the canvas back for legitimate purposes will also receive scrambled data. You get more privacy for the minor inconvenience of having to manually allow canvas usage for the sites that actually need it.

      • Pennomi@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        ·
        8 months ago

        Yes I’m aware, but the user interface doesn’t make it easy to understand A) why the canvas looks scrambled, and B) how to permit it on a per-site basis.

        The technical implementation is fine, it’s just the user workflow that needs fixed.

    • Vincent@feddit.nl
      link
      fedilink
      arrow-up
      7
      arrow-down
      2
      ·
      8 months ago

      Not really, because doing this will make you more fingerprintable (see my other comment). That’s why the default settings are striking a balance between making all users look similar and not breaking too many things (that would cause users to use user-specific overrides that make them more unique), and why resistFingerprinting is in about:config rather than a user-facing setting or enabled by default.

      • N0x0n
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        8 months ago

        Or use something like Chameleon and mess with about:config which makes every unique fingerprint, different as your data is scrambled. Firefox still has webRTC leakage, font fingerprinting, audio fingerprinting… That’s the reason why people use arkenfox’s user.js !

      • sep@lemmy.world
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        8 months ago

        A popup sounds like an annoyance you must deal with on every webpage. Not just the ones that use the canvas for useful things

  • Vincent@feddit.nl
    link
    fedilink
    arrow-up
    30
    ·
    8 months ago

    And when you do this, you are now more fingerprintable than you were with resistFingerprinting off, as the specific combination of anti-fingerprinting measures and canvas-enablement makes you more unique. Which is why it’s hidden in about:config.

    • heavybootsOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 months ago

      Yeah, as stated, only for sites you trust.

      I was enabling it on at a cycling site that uses HTML5 Canvas to make their charts of how long chain lubricants last zoomable, haha.

    • delirious_owl@discuss.online
      link
      fedilink
      arrow-up
      2
      arrow-down
      2
      ·
      8 months ago

      If you’re fingerprintable and your fingerprint changes every 60 seconds then it doesn’t really matter

      You’re still better off hardening these settings

        • delirious_owl@discuss.online
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          8 months ago

          I use the plugin Chameleon to chagney my browser attributes every 60 seconds so my fingerprint changes constantly.

          • N0x0n
            link
            fedilink
            arrow-up
            2
            ·
            8 months ago

            Will I agree and are also a Chameleon user… There are so many attributes that makes you finger printable that I’m slowly thinking to switch to Tor.

            • SinkingLotus @lemmy.world
              link
              fedilink
              English
              arrow-up
              6
              ·
              8 months ago

              In that case remember not to use any plugins, don’t change any of the default settings, and run with a 1080p resolution, never maximize the TOR window either. Since even screen size and resolution is used for your fingerprint.

    • junepf@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      30
      ·
      8 months ago

      https://en.m.wikipedia.org/wiki/Canvas_fingerprinting

      When a user visits a page, the fingerprinting script first draws text with the font and size of its choice and adds background colors (1). Next, the script calls Canvas API’s ToDataURL method to get the canvas pixel data in dataURL format (2), which is basically a Base64 encoded representation of the binary pixel data. Finally, the script takes the hash of the text-encoded pixel data (3), which serves as the fingerprint …

      Variations in which the graphics processing unit (GPU), or the graphics driver, is installed may cause the fingerprint variation. The fingerprint can be stored and shared with advertising partners to identify users when they visit affiliated websites. A profile can be created from the user’s browsing activity, allowing advertisers to target advertise to the user’s inferred demographics and preferences.

      By January 2022, the concept was extended to fingerprinting performance characteristics of the graphics hardware, called DrawnApart by the researchers.

      • 🇦🇺𝕄𝕦𝕟𝕥𝕖𝕕𝕔𝕣𝕠𝕔𝕕𝕚𝕝𝕖@lemm.ee
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        edit-2
        8 months ago

        Hmm seems like their would be ways to mitigate this. Why not just introduce some random human undetectable changes to every pixel ie change breightness color alpha etc by 1 or something so every time u call the ToDataURL it returns different data? Might break some things but since canvases dont seem to be predictable systems anyway whats the harm?

        • junepf@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          14
          ·
          edit-2
          8 months ago

          Yes, that is one method to resist canvas fingerprinting, but only resist it. Notice the portion about GPU performance testing, that would work even if the data was fuzzed. The best method seems to be to return fake data that changes frequently, but even that is contested.

          Here’s a good document with other methods (but not focusing on just canvas fingerprinting): https://2019.www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

          For what it’s worth, Firefox does protect against canvas fingerprinting by default it seems. I am not exactly sure how, however.

    • ReversalHatchery@beehaw.org
      link
      fedilink
      English
      arrow-up
      5
      ·
      8 months ago

      Different graphics stacks (graphics hardware, their drivers (of which there are different ones for all major OSes), the display server (on Linux)) draw things slightly differently. As I remember this especially applies to text rendering using different fonts, but slightly tilted lines, bent lines, and color blending is probably also part of it, and more.

  • heavybootsOP
    link
    fedilink
    English
    arrow-up
    4
    ·
    8 months ago

    Yeah if it even drew something like “Canvas approval needed to see this image” or just the dang icon in the location bar that would be a start.

    • Carighan Maconar@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      8 months ago

      I suspect the assumption is that if you are okay digging into about:config to turn on the feature, you’re okay with all further interactions veins similarly hidden.

      • heavybootsOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        Yeah, I guess to a degree? This all came about because I went to fingerprint.com and realized they could track across VPN etc. was trying to figure out how to block it and that came up. And since not many sites use HTML5 canvas, I had long forgotten I enabled it by the time I hit a corrupted looking graphics site.

        I think in the end it shows they really need a better way to inform you what is going in than striped lines instead of a canvas graphic. Something that prompts you to either allow HTML5 canvas or that at least has a message/image you can google for further info in the issue easily.

    • heavybootsOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      8 months ago

      HTML5 is a perfectly valid technology when used for good purposes though? Their zoomable charts are fine as long as it is enabled. I don’t think they’re using them for tracking, just to make it easier to enable certain technologies.

      The company I work for does all our interactive lessons in HTML5 Canvas via Animate CC. When Flash was EOL’d it saved us from having to redo literally thousands of lessons completely.