Audio, Fonts & WebRTC Tracking You

Discussion of other internet issues.

Moderator: EasyList authors

Post Reply
gotitbro
Postaholic
Postaholic
Posts: 801
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 4

Audio, Fonts & WebRTC Tracking You

Post by gotitbro » Thu Dec 28, 2017 7:18 pm

Many different methods are being employed these days to track users. I came across a Princeton study which analyzed the tracking methods being employed today.

The most prominent and persistent trackers are from Google followed by Facebook and Twitter. Unsurprisingly News, Sports and Recreational websistes have the highest amount of trackers. The thing I found most interesting about this study is the analysis of new tracking methods. These are:
  • Canvas Fingerprinting: The Canvas element allows websites to draw graphics according to the device. Since different devices will render the graphics differently this rendered graphic is used as a fingerprint.
  • AudioContext Fingerprinting: The most interesting of these tracking methods is the use of Audio to fingerprint a device. No audio is actually played or recorded but it is calculated how exactly the audio processed on a particular device's software using the AudioContext interface. This is then hashed and used for fingerprinting the device. You can test this here (Princeton tool): https://audiofingerprint.openwpm.com
  • WebRTC: I think this is known. WebRTC can show your real IP address to websites even if you are behind a VPN, it also dhows your local IP address. While legitimate uses include finding the best peers to connect to such as in messaging, it is also used to track the users and sometimes even display ads.
  • Canvas-Font Fingerprinting: Another interesting technique being used to fingerprint users is by checking how and which fonts are rendered on the device via the Canvas API. Using the obtained results to track users.
Audio fingerprinting is definitely an unusual way to track users but I have seen it being used on websites such as here:

Code: Select all

https://www.mapsofindia.com/my-india/travel/khari-baoli-asias-largest-wholesale-spice-market
The tracking on the above website via Audio fingerprinting is being done by cdn-net.com (domain mentioned in the Princeton study). This domain seems to belong to InAuth which is a fraud detection company. The study does mention that the unusual tracking methods are mostly being use for fraud detection but this is only due to backlash from uses.

Princeton Study:

Code: Select all

https://webtransparency.cs.princeton.edu/webcensus/
Study Presentation:

Code: Select all

https://senglehardt.com/presentations/2017_01_cosic_online_tracking.pdf
While I do not try to actively protect myself from tracking this does make me reconsider things.

-Mark-
Postaholic
Postaholic
Posts: 315
Joined: Tue Jul 05, 2016 7:46 pm
Reputation: 14

Post by -Mark- » Fri Dec 29, 2017 7:01 pm

ScriptSafe covers all of this if you're or anyone else is interested.

gotitbro
Postaholic
Postaholic
Posts: 801
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 4

Post by gotitbro » Wed Jan 03, 2018 7:45 pm

@-Mark- Is this the Chrome version of Noscript?

-Mark-
Postaholic
Postaholic
Posts: 315
Joined: Tue Jul 05, 2016 7:46 pm
Reputation: 14

Post by -Mark- » Thu Jan 04, 2018 8:31 am

No, this blocks more than just scripts. It covers all known Fingerprinting features and you can do a lot more privacy wise with this extension.

gotitbro
Postaholic
Postaholic
Posts: 801
Joined: Sat Jul 09, 2016 8:33 pm
Reputation: 4

Post by gotitbro » Thu Jan 04, 2018 9:10 pm

@-Mark- So, what is better Firefox+NoScript or Chrome+Scriptsafe?

-Mark-
Postaholic
Postaholic
Posts: 315
Joined: Tue Jul 05, 2016 7:46 pm
Reputation: 14

Post by -Mark- » Fri Jan 05, 2018 9:14 am

You can't just pair/group them like that. ScriptSafe is also available for Firefox, but NoScript is not available for Chromium/Chrome. For Chromium, I recommend uBO + uMatrix and if you're fingerprinting conscious then add ScriptSafe to the mix. I don't use Firefox, so I can't recommend a good fit. Though if I was to suggest, I would say go with NoScript and Script Safe both and see which one fits you the better.

You should do an exploratory investigation of both extensions to get a sense of which suits you the best.

-Mark-
Postaholic
Postaholic
Posts: 315
Joined: Tue Jul 05, 2016 7:46 pm
Reputation: 14

Post by -Mark- » Wed Jan 31, 2018 5:34 pm

There's another extension by the name WebAPI Manager which covers browser APIs including, but not limited to tracking and new ones being added with each new release. Featured on ghacks as well.

Post Reply