Anti Fingerprinting

After some testing, it appears to me that the stance Orion has taken may not bother sophisticated fingerprinting tools, such as fingerprint pro (aka fingerprint.js). The URL for the CDN can be blocked but that doesn't stop the library from being bundled in a website's own first party scripts.

See https://fingerprint.com/demo/ to show how Orion users seem to be easily fingerprintable in the wild using today's technology.

It doesn't seem to matter whether I use Orion's built in content blocking, or uBlock with lots of lists - I am accurately fingerprinted every time. However this is not the case with a hardened copy of LibreWolf using containers; with this I am not uniquely fingerprinted. LibreWolf browser utilises uBlock AND the evasion techniques disregarded by Orion.

Assuming that most sites won't go to the lengths the demo site has to not load scripts from identifiable domains or URLs for their libraries, I checked to see how the paid version of Fingerptint Pro tool might be used in practice. If the developer included the script using npm and bundles their javascript, it would be undetectable by a content blocker. I dont know how the intelligent tracking prevention works so I am unable to say if thius could detect the code and isolate it. It would be good to create a website where this technology is put to use in order to test Orion against it, since apparently 12% of the top largest 500 websites use this fingerprinting library.

I feel like the way to settle this is "proof is in the pudding". If we can build a site that uses commly available fingerprinting libraries to show that Orion can evade them, that would settle the privacy argument. As it stands, I do feel a little uneasy using the browser - even though I love it.

Excerpt from "What Works (Sometimes) to Prevent Browser Fingerprinting":

There are a few ways to mitigate browser fingerprinting techniques, but these are not foolproof. Some browsers offer browser fingerprinting mitigation strategies as an in-built feature. For example, Firefox allows users to block third-party requests to sites known to utilize fingerprinting, providing added protection but would not be able to catch first-party scripts.

Excerpt from "Creating a Fingerprint":

It is worth restating that Fingerprint generates an accurate visitor for each browser-device combination and not for each device. Because Fingerprint visitorIDs are derived from many browser attributes—some universal, others vendor-specific—a website visitor using both Chrome and Firefox will most likely be assigned a separate, unique visitorID for each browser type. This means a user could escape being associated with a previous visit if they used a different browser, though this trick would only work as long as they had new browsers.

More info on how it works: https://dev.fingerprint.com/docs/understanding-our-995-accuracy

The only solution I see to this is for there to be some way to scan the contents of scripts to discover bundled trackers (unless this is what ITP does?), and/or introducing the same mitigation methods as Firefox/LibreWolf/Tor do that obfuscate their browser signals and prevent certain third-party cookies from being set.

Update:

I found this about ITP within Fingerprint Pro's own documentation:

From "Safari ITP":

Fingerprint Pro and other services use both 3rd-party (Secure, HttpOnly) and client-side cookies (set with document.cookie), which are both affected by ITP. To fix this, we require using our Cloudflare Integration or Custom subdomain.

From "The benefits of using a custom subdomain":

Significant increase to accuracy in browsers with strict privacy features such as Safari or Firefox.
Cookies are now recognized as “first-party.” This means they can live longer in the browser and extend the lifetime of visitorIds.
Ad blockers will not block our JS Agent from identifying the browser. Attempts to connect to an external URL will be stopped by most ad blockers while attempts to connect to an internal URL (like a subdomain) will be allowed.
Fingerprint becomes harder to detect. Requests made directly to our website domain can be easily detected. By routing through a subdomain on your domain, Fingerprint becomes harder for automated blockers and fraudsters to detect.

I hope this is of some help to Orion developers.

I've been digging in to this and it appears content blockers are no longer a final solution to fingerprinting. Using cloudflare workers or custom subdomains, websites can sidestep all the protections of ITP and content blockers.

The only thinjg I have come up with so far is to create a feature that scans javascript for markers used in fingerprinting libraries, and disallow that code to execute.

Vlad thank you Vlad - yes I understand the above. I agree, also.

I also understand you don’t have time to play cat and mouse.

The point is, it’s not a popular fingerprinting demo. It’s a real (and popular) fingerprinting product, in use in the wild, who are able to get around the traditional “not allowing it to run” technique.

Hopefully you were able to read what I wrote above.

I was just trying to help Orion be the best privacy focussed browser there can be. That’s what I’m interested in, and I’m sure it’s what draws many users.

I felt you should be aware that your ”don’t run it” solution (as it is) isn’t watertight, and increasingly this will be the case as these methods get further adoption. Sadly I don’t think 99% protection is a realistic figure anymore, given the discoveries above.

Maybe I’ll find the time one day to write an extension that mitigates these new methods (subdomain, cloudflare worker), as I think it’s important.

robrecord

The point is, it’s not a popular fingerprinting demo. It’s a real (and popular) fingerprinting product, in use in the wild, who are able to get around the traditional “not allowing it to run” technique.

A difference to understand is that their script is allowed to run on their site because it may not have been flagged as malicious (because it is clearly a technology demo). That does not mean it will be allowed to run in wild, when ad/tracking companies package it into their scripts, which are already well documented and publicly known and a part of many blocklists that Orion uses. This is what I meant by 99% protection.

Yes, one can incorporate this into new scripts, custom subdomains etc, but these either:

a) get detected by the broad privacy community fast (if they are impactful/used by a large ad/tracking network it will be in a matter of hours)
b) if a random small site did this - well there is also no harm because you are likely to not visit it ever (and fingerprinting only makes sense when deployed at large scale anyway, which is what a) considers)

Because this statement holds true:

"If a sophisticated fingerprinter is allowed to run, it will fingerprint the browser."

It is clear that the best and only defense against fingerprinting is to block it (we will be adding feature for custom block list so you can stay up to date in a matter of minutes in the future), and not try to avoid it once it is running with stuff like masking your screen resolution and what not, which are basically just gimmicks as proven by those two whitepapers I linked to earlier.

tmp339 Please read the entire thread here for our stance on fingerprinting and why all the methods in other browsers are basically a marketing gimmick.

spicysalmon I've called anti-fingerprinting marketing in browsers a gimmick, not the tests. The tests are also largely irrelevant, I do not know of tests that employ tactics uncovered in cutting edge tracking research like inicated here https://orionfeedback.org/d/2450-anti-fingerprinting/5 which most powerful ad-tech that we should be afraid of certainly does. The only protection against fingerprinting is not to allow the fingerpritner to run in the first place which is the strategy Orion employs.

Soum Because you can't. If a sophisticated fingerprinter (not talking about vanity/promotional tests found on many websites) is allowed to run, it WILL fingerprint you. These are massive corporations with billions to spend doing only that. We are a small team doing million other things. At the cutting edge level, we can not outrun them (and I'd argue no browser vendor can).

The absolutelty best strategy is not to allow the fingerprinter to run in the first place.