My apologies to the Bugzilla team for wasting their time holding my hand on this one. Would have honestly never noticed the little “HTML5” info icon to the left of the URL bar though without their help.

  • junepf@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    30
    ·
    9 months ago

    https://en.m.wikipedia.org/wiki/Canvas_fingerprinting

    When a user visits a page, the fingerprinting script first draws text with the font and size of its choice and adds background colors (1). Next, the script calls Canvas API’s ToDataURL method to get the canvas pixel data in dataURL format (2), which is basically a Base64 encoded representation of the binary pixel data. Finally, the script takes the hash of the text-encoded pixel data (3), which serves as the fingerprint …

    Variations in which the graphics processing unit (GPU), or the graphics driver, is installed may cause the fingerprint variation. The fingerprint can be stored and shared with advertising partners to identify users when they visit affiliated websites. A profile can be created from the user’s browsing activity, allowing advertisers to target advertise to the user’s inferred demographics and preferences.

    By January 2022, the concept was extended to fingerprinting performance characteristics of the graphics hardware, called DrawnApart by the researchers.

    • 🇦🇺𝕄𝕦𝕟𝕥𝕖𝕕𝕔𝕣𝕠𝕔𝕕𝕚𝕝𝕖@lemm.ee
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      1
      ·
      edit-2
      9 months ago

      Hmm seems like their would be ways to mitigate this. Why not just introduce some random human undetectable changes to every pixel ie change breightness color alpha etc by 1 or something so every time u call the ToDataURL it returns different data? Might break some things but since canvases dont seem to be predictable systems anyway whats the harm?

      • junepf@lemmy.blahaj.zone
        link
        fedilink
        arrow-up
        14
        ·
        edit-2
        9 months ago

        Yes, that is one method to resist canvas fingerprinting, but only resist it. Notice the portion about GPU performance testing, that would work even if the data was fuzzed. The best method seems to be to return fake data that changes frequently, but even that is contested.

        Here’s a good document with other methods (but not focusing on just canvas fingerprinting): https://2019.www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

        For what it’s worth, Firefox does protect against canvas fingerprinting by default it seems. I am not exactly sure how, however.