Tor users, beware: 'Scheme flooding' technique may be used to deanonymize you

FingerprintJS, maker of a browser-fingerprinting library for fraud prevention, on Thursday said it has identified a more dubious fingerprinting technique capable of generating a consistent identifier across different desktop browsers, including the Tor Browser. That means, for example, if you browse the web using Safari, …

  1. Pascal Monett Silver badge
    Stop

    web links like "skype://" or "slack://"

    These things should absolutely be forbidden and blocked by default.

    I do not want a browser to be able to launch anything on my computer. A browser's job is to allow me to browse the Web, not my application list.

    1. John Robson Silver badge

      Re: web links like "skype://" or "slack://"

      ftp:// ? (or more usefully sftp://)

      The whole point is that it's a protocol definition - it's explicitly there to enable more than just http, otherwise it wouldn't be needed at all.

      1. Cynic_999

        Re: web links like "skype://" or "slack://"

        But the protocol should be implemented in the browser (as ftp protocol is), not passed off to a completely different application. IMO this should include "mailto://" - either the browser should bring up a "not available" message or should implement an outgoing mail client in the browser itself (or browser add-on) rather than opening the OS default mail client.

        1. John Robson Silver badge

          Re: web links like "skype://" or "slack://"

          That rather breaks the point of the link doesn't it.

          Not everyone wants their browser to do everything, but having a mailto link is pretty darned useful.

          What ought to happen is that you get a "choose what program you want to use to open this URL, since I don't know anything about it", and that should be the same prompt for any unknown protocol, and the webpage should have no idea what's happened to it. The browser says "OK, mine now", and then decides what to do.

          1. John Brown (no body) Silver badge

            Re: web links like "skype://" or "slack://"

            "Not everyone wants their browser to do everything, but having a mailto link is pretty darned useful."

            That's the point though, isn't it. Others may not see the point in their browser being able to follow a mailto:// link because they never use a mail client, but are very happy that it will follow/launch a skype:// link.

            1. John Robson Silver badge

              Re: web links like "skype://" or "slack://"

              And what about my suggestion prevents that?

              The "unknown protocol" (which is probably anything other than http(s)/ftp(s)) should be taken by the browser and the page returns as normal. Then the browser asks "what do I do with this?", and you tell it (possibly saving a default behaviour as well).

              Then the browser does the right thing (opens the relevant program to access the URI provided, or asks, or drops it) and the page on which that link was clicked is none the wiser as to what happened, the browser just said "Ok, I've got this".

        2. John Brown (no body) Silver badge

          Re: web links like "skype://" or "slack://"

          "IMO this should include "mailto://" - either the browser should bring up a "not available" message"

          This is what my browser does, hence the inability to use the "helpful" corrections link below the articles :-)

      2. A.P. Veening Silver badge

        Re: web links like "skype://" or "slack://"

        Don't forget "mailto://", the most useful of the bunch.

  2. Flocke Kroes Silver badge

    Problem already solved

    If you're seeing this message, that means JavaScript has been disabled on your browser, please enable JS to make this app work.

    Sure, hold your breath while I get right on that...

    1. bombastic bob Silver badge
      Meh

      Re: Problem already solved

      I saw that in my main browser, which prompted me to re-try it in the "safe-surfing sandboxed" browser that has script enabled.

      I tested it with chrome on FreeBSD [a version built from ports a while back]. I initially used my "kill history" script that deletes LOTS of those files that chrome tries to use to save data across sessions. I recently increased the size of that list of files to be deleted, when I discovered that I wasn't deleting enough of them any more (certain things were starting to persist across browser sessions).

      *ahem*

      In any case, I did the "deanonymizing" test twice and got two completely different IDs. It does seem to take a while, though. You'd have to do this completely in the background for it to be effective, and over a fairly long period of time.

      But a social media giant that "keeps you on the page" for a while (or runs a web bug script even after a trackable page closes) might still find it practical...

  3. karlkarl Silver badge

    I think many who take privacy really seriously will be running this kind of stuff in separate Jails, Chroots or VMs. So none of these "fake urls" will work anyway.

    Just munging it all together on your main install to wreak havoc is a little bit '90s ;)

    1. G Watty What?

      Isn't that the point though?

      The fact you (or the privacy conscious) don't have these apps but I do, is what would make our "fingerprints" different. Therefore this could still be used to differentiate your cohort's interactions from mine.

      The fact the app is detected or not is the trigger. I think the article was trying to say that a bit of JS shouldn't be able to determine that fact, one way or another, however, not having the apps is no real defence.

      Happy to be corrected.

      1. Anonymous Coward

        Re: Isn't that the point though?

        This is true to the extent that you're the only person who doesn't install the stuff. But in fact there are millions, possibly billions, of browser instances out there (including ours) that support only the default set of URI schemes. The safety lies not in not having the crapware (though that provides safety against other kinds of attacks) but in being one of a huge number of people who don't. This method cannot by itself distinguish you from any of them. Realistically it may at best offer another bit or two of uniqueness in identifying the relatively small number of people who have unusual sets of add-on scheme support.

        This is so ineffective that I suspect it may instead be a research project to learn what the distribution of installed schemes looks like; I'd expect a barbell shape with the majority having only the default set and various "christmas tree profiles" at the opposite end for people who never see a link without clicking it and haven't reinstalled their single-user OS since Windows XP came out. In between there will be a smaller number with a single extension they use because their employer mandates it and then not a whole lot else in between. If so, this fingerprinting method can distinctly identify only a very small number of browsers/users (possibly that number is as small as zero). But I may be wrong!

        TL; DR: When it comes to this kind of fingerprinting, there is safety in numbers.

      2. Anonymous Coward

        Re: Isn't that the point though?

        It's irrelevant whether you have the apps or not. The right way to use something like this is to create a VM with a stock OS install, buy your guns on the dark web, then delete it.

        The "signature" would be of a stock install and as such would be useless.

      3. John Brown (no body) Silver badge

        Re: Isn't that the point though?

        "Happy to be corrected."

        My impression from the article is that it can fingerprint you on your normal travels through the web and match that to a fingerprint when you use Tor. So the privacy conscious will use different browsers or instances in a sandbox/jail/VM and get a different fingerprint through "normal" browsing and Tor browsing.

        Also happy to be corrected.

  4. This post has been deleted by its author

    1. Cynic_999

      The tor site makes it extremely clear that tor is not of itself sufficient to ensure anonymity. However you are completely incorrect to say that it is likely to get your real IP address banned - the destination site is highly unlikely to know what your IP address is. It might get an online *account* banned. It may well also get you flagged with law enforcement as a "person of interest" if your ISP monitors and logs all connections made via a tor entry node, though the more people who use tor at least occasionally the less this will be the case. There was a time when anyone sending any encrypted data over the Internet would be flagged as a potential ne'er-do-well. But these days almost all web sites use SSL so encrypted traffic is the norm rather than the exception.

    2. Meeker Morgan

      The benefits of Tor (assuming no additional hanky panky), no more no less than this:

      1) Your IP knows you're using Tor, but not what site you're browsing. If they are not targeting you personally this might afford some privacy.

      2) The site you're browsing knows you're using Tor, but not where you are. One consequence of this is you can get around regional restrictions, but not in a terribly reliable way. If you really need that, use a VPN.

      3) You can access .onion sites.

      That is it.

      Deleting history, cookies, etc at exit can be configured in any of the regular browsers.

      1. bombastic bob Silver badge
        Devil

        Re: The benefits of Tor (assuming no additional hanky panky), no more no less than this:

        chrome (at least the versions I have seen) does not automatically delete privacy tracking info on exit but Firefox can. But for chrome (on Linux or BSD - windows, mac YMMV) you can either delete all of chrome's files in ~/.config and ~/.cache [which gives you back the defaults] or cherry pick and just delete MOST of them until you get all of the ones that track you, but don't actually delete settings you want to keep.

        1. Anonymous Coward

          Re: The benefits of Tor (assuming no additional hanky panky), no more no less than this:

          If you're using tor because you need to, then use a VM and delete/wipe it once you're done.

          Don't try to protect a normal in-use system.

  5. Graham Cobb Silver badge

    Pretty unreliable

    The browser I am typing this into gave different results each time I tried it. In most cases it claimed it found 23 out of the 24 it looked for - but a different 23 each time (and most of the apps are definitely not installed on this Linux system).

    Another much more locked down browser I use for looking at links I am investigating (like ones I suspect are phishing) was (ironically) more stable - it gave me the same 22 out of 24 each time (although, again, most of those apps are not really present).

    My Tor Browser config gave a completely repeatable 0 out of 24. Of course, without JS turned on it didn't work at all.

    However, the point remains that this is a real tracking vulnerability. And the unreliability on my system may be due to unusual timings or other things which could be fixed in the javascript.

    1. Richard Tobin

      Re: Pretty unreliable

      It gives me different results in Firefox and Safari, and several of the programs were ones I've never even heard of, much less installed.

    2. Dog11
      Holmes

      Re: Pretty unreliable

      I tried 5 different browsers (Edge, Firefox, Vivaldi, Brave, Pale Moon). Edge and Brave returned the same fingerprint, Vivaldi and Firefox gave different fingerprints, Pale Moon hung wanting to know what app to open the Skype bit with. All seemed to think I had Skype (I don't), and Spotify was popular (don't have that, either). Firefox thought I had all 24 of the apps tested. So the demo isn't very threatening. Yet.

  6. Anonymous Coward

    Additional shortcomings

    Not mentioned are two major additional shortcomings that make this all but useless in practice: first, most browser instances will support the default collection of URI schemes shipped with it (because there's no guarantee that everyone, or even anyone, will install third-party extensions that support others), which means most sessions will resolve to the same fingerprint. So maybe it should be called Bertillon numbers instead. Second, there's no real reason these should work across browsers: each browser can have its own collection of extensions installed and even expose a different set of supported schemes to different user profiles. They are relying on desktop environment (mis-)features and a shotgun approach to extension installation by third-party (mal-)software that are easily defeated by users willing to do some trivial work. Which admittedly probably has considerable overlap with the set of users who wouldn't install this crap in the first place, but still.

    Bottom line: there's one more highly ineffective and inefficient way to fingerprint users who have consciously chosen to take zero interest in their own privacy by installing a fleet of third-party crapware and letting it shit all over their entire accounts. This is surely the very least of their many problems, and for the rest of us it's not a real problem at all.

  7. iron Silver badge
    FAIL

    Does not work

    This doesn't really work. For a start I see a bunch of popup windows appear in both Firefox and Edge so I can see it happen and could prevent it.

    The cross-browser fingerprint doesn't work - I see different identifiers in Firefox and Edge. Firefox missed that I have MS Word installed. Edge thought I have all 24 tested apps installed when I only have 10 installed. Both results are repeatable.

  8. A.P. Veening Silver badge

    It didn't work on Opera and gave pretty different results between Chrome and Firefox, missing some present in Chrome and reporting some not present in Firefox. For now I am not too worried.

  9. TWB

    Variable results

    I tried this on Brave, Tor, Firefox, Vivaldi, Safari and Opera. Only Brave and Tor had matching results (which is a shame as I like Brave best at the moment), though Vivaldi was close... Safari just stalled and Opera failed to open the page at all.

    I guess similar results to others here.

  10. DS999 Silver badge

    Simple solution

    Have browsers only accept mailto: by default; if another app launcher is attempted it should ask for the user's OK to enable it and what app to use. The rest are used by a small minority of the web browsing public, and should not be enabled - no need to confuse grandma by clicking on a "slack:" link, having it report there's no slack application, and calling her grandson for tech support over it.

    This issue may be bigger to me than just fingerprinting me. If a malicious web site can trick the user into clicking something that looks like a link ("next page") they want to click, but is really an app launcher, all the malicious web site needs is some type of bug in the app they can exploit and they could take over the user's device with a single click no matter how secure the browser itself was!

  11. mark l 2 Silver badge

    I ran it on Firefox on Linux and it correctly identified I had Skype & Telegram. When I tried Chrome on Linux it warned it might not work and indeed it incorrectly identified I had Spotify installed when it's not but didn't detect Telegram. So not much use to fingerprint if you're using multiple browsers on Linux.

    As for TOR, if you're serious about keeping your original IP hidden from the site you are visiting then you won't be connecting with JS enabled anyway so this fingerprint technique wouldn't work. So a bit of a click bait title to this article.

  12. MidgetOfDoom

    Why would you be browsing TOR with javascript enabled?

  13. Pascal Monett Silver badge
    FAIL

    Okay, I bit the bullet

    I came back to this article and decided to try the schemeflood link.

    What I got was : "If you're seeing this message, that means JavaScript has been disabled on your browser, please enable JS to make this app work. "

    NoScript FTW, again.

  14. NITS

    This is your identifier. It was seen 1900 times among 23038 tests so far.

    That means it is 91.75% unique.

    Want to try again?

    We have generated your identifier based on 0 applications you have installed.

    Out of 24 applications in our database.

    Firefox, Linux Mint.

    1. Doctor Syntax Silver badge

      "That means it is 91.75% unique."

      A bit like being 91.75% pregnant.

  15. SketchyScot

    Didn't run in Brave browser either, script blocking option also stops it completely.

  16. VTAMguy

    Fail

    Running on desktop Firefox 88 under Linux, this web page generates a list of applications I've supposedly installed, none of which are actually installed and many of which I've never heard of. Re-running it generates a brand new set of fictitiously installed applications and a new id number every time. I heartily endorse this new tracking scheme and encourage all advertisers to spend lots of money on it.

  17. nagyeger
    Black Helicopters

    Sort of worked for me...

    + Old copy of palemoon (v. rarely used) opened up 3 recognisable and correct 'what do I do with this' windows, but it detected the non-errors, and said I had those three protocols available.

    + Firefox didn't open up the windows but it did give me the same 3 protocols.

    - Epiphany-browser thought I have all 24 apps
