We have worked long and hard in the Information Security world to keep ourselves anonymous for many reasons on the internet, and yet, here we are, with some new revelations that we’re being tracked yet again.
We have seen many articles on the use of TOR, its beginnings, and how the CIA, DARPA and others have actually funded it to enable their resources to use the internet with anonymity, and that they have methods available to actually find the actual end user communicating using the service (see “Almost everyone involved in developing Tor was (or is) funded by the US government” for more info).
However, what I’m talking about here is something that I heard this morning on the SANS Daily InfoSec Podcast for July 22, 2014. It is a topic of great interest to me. Recently, I disabled Flash in my browser (Firefox on Linux) and moved to HTML5. I did this to make my browsing more secure; however, the report from the podcast showed me that this comes with a new privacy leak. “Meet the Online Tracking Device That is Virtually Impossible to Block” is the title of the writeup, and it shows that in HTML5 there is:
“A new kind of tracking tool, canvas fingerprinting, is being used to follow visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.”
Basically, as I understand it, canvas is a method in HTML5 that allows a website to draw pixels in your browser, meant for drawing objects, and because of differences in fonts, operating systems, and many other variables, there are now methods to fingerprint the system, and potentially the end user. One of the primary offenders is the popular blog plugin called “AddThis”.
“First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.”
The article is very disturbing, and they include a proof of concept URL to test your own browsers. If you want to see an example of fingerprinting, also take a look at http://www.browserleaks.com/canvas.
The only method that I can use to prevent this action is to use No-Script in Firefox; however, it makes any HTML5 page useless.
Stay tuned; I’m hopeful someone will create a browser plugin to selectively stop HTML5 from rendering pixels on your canvas in a hidden format. I’m proposing the name NO-CANVAS, something that works like No-Script and allows you to whitelist sites and/or objects that request access to the HTML5 canvas.
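A sketch of how such a NO-CANVAS guard could work, as an added example that is not from the original post or from any existing plugin: it wraps the canvas read-back call so that only whitelisted origins get real pixels, while everyone else gets one constant image and the attempt is logged. The names `installCanvasGuard`, `FakeCanvas`, `demo` and the example origins are hypothetical; in a browser the first argument would be `HTMLCanvasElement.prototype` and the origin callback could return `location.origin`.

```javascript
// Added illustration of a "NO-CANVAS"-style guard. All names are hypothetical.
// Constructed constant: every non-whitelisted caller sees the same value,
// so the read-back no longer differs from one device to the next.
const BLANK_IMAGE = "data:image/png;base64,";

// canvasProto: object that owns toDataURL (HTMLCanvasElement.prototype in a browser)
// getOrigin:   callback returning the origin asking for pixels (an assumption here)
// allowlist:   Set of origins that may read real canvas pixels
// log:         array that receives one record per blocked read-back
function installCanvasGuard(canvasProto, getOrigin, allowlist, log) {
  const original = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    const origin = getOrigin();
    if (allowlist.has(origin)) {
      return original.apply(this, args); // trusted site: real pixels
    }
    log.push({ origin, method: "toDataURL", width: this.width, height: this.height });
    return BLANK_IMAGE; // untrusted site: nothing device-specific
  };
  return () => { canvasProto.toDataURL = original; }; // uninstall hook
}

// Constructed stand-in for a canvas so the sketch runs outside a browser.
// "quirk" models the small per-device rendering differences.
class FakeCanvas {
  constructor(quirk) { this.width = 300; this.height = 150; this.quirk = quirk; }
  toDataURL() { return "data:image/png;base64,FAKE-" + this.quirk; }
}

function demo() {
  const log = [];
  let origin = "https://tracker.example"; // constructed, not whitelisted
  const allow = new Set(["https://paint.example"]); // constructed whitelist
  const restore = installCanvasGuard(FakeCanvas.prototype, () => origin, allow, log);
  const deviceA = new FakeCanvas("deviceA");
  const deviceB = new FakeCanvas("deviceB");
  const blockedA = deviceA.toDataURL();
  const blockedB = deviceB.toDataURL();
  origin = "https://paint.example"; // now a whitelisted site asks
  const allowedA = deviceA.toDataURL();
  restore();
  return { blockedA, blockedB, allowedA, log };
}
```

Only `toDataURL` is wrapped here; a real tool would need the same treatment for the other read-back paths such as `toBlob` and `CanvasRenderingContext2D.getImageData`.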
Until then, I’m going to be taking a much closer look at what sites are doing with HTML5, and I’ve already added “AddThis” to my Adblock and No-Script plugins.
What are your thoughts? Is this paranoia, or a significant risk?