/tech/ - Technology★

I saw this. this is kind of cool in a devious way.

I wonder how CLI browsers like lynx, w3m, elinks deal with this. I'm a little new to them.

>I wonder how CLI browsers like lynx, w3m, elinks deal with this

They don't. They have custom interpreters for CSS which is even more easily fingerprintable as you can't ever abuse the CSS in them.

Although this brings to mind browsing the web using soley the keyboard so that CSS couldn't track mouse movements on a modern browser. Or you could just install ublock/umatrix and block the CSS.

>>853910 (OP)

Duh. Sites already do this for styling differently for mobile devices.

>>853926

ah you know what you make a point come to think about it umatrix could block it.

>>853935

If you are using firecucks or a derivative you can change the reported resolution by pressing CTRL+ or CTRL- . It zooms in and out of the screen and changes the reported resolution on the fly. Not sure how you would do this with a phone though.

>phoneposting

>>853942

>being a phonecuck

Mozilla will never fix this, because it would make web apps slower. Dynamic content was a mistake.

>However, using my method it's only possible to track when a user visits a link the first time or hovers over a field the first time.

Click tracking might be useful but hovering is pretty useless. Lots of false positives from people jerking their mouse around or swiping on a phone/tablet (?)

What's worrying is that you can track browser, fonts, and resolution from it. It's more pernicious since turning JS off is a good indicator of someone like us, and worrying about a small, ad- and purchase-unfriendly minority's information is of no practical benefit to the website. Is that spoofed by existing methods?

>>853958

Tor in windowed mode works.

>>853958

>fonts

No way to spoof those except to change your system fonts. I think there was something for linux that lets you spoof fonts but it is a run as root thingy.

>browser

You can block, fake, and or spoof all related functionaly and that makes it impossible to track the browser, just lurk moar to learn how.

>resolution

Change your resolution or use CTRL+ or CTRL- to change it in firecucks.

Really the only thing you can't spoof is fonts and functions related to mozilla.navigator or the chrome counterpart. But you can block those functions from being read/used. Someone should make a webkit and .xpi addon to spoof those.

>>853910 (OP)

https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html

Related.

I also wonder why doesn't Tor browser have protection against resizing it's window or built-in set of default window sizes like maximized browser on windows 7/10 @ 768p or 1080p / OS X 1600p (OS X has weird "full screen" modes) giving the fact that most normies use it that way ignoring the warning even scroll bar width matters, but only can be fingerprinted with javascript.

Or is there a way to fix window size in X-server settings or something like that?

---obligatory 4chan space----

I think this is a proper browser thread. We need to discuss privacy issues on most common browsers and ways to mitigate them instead of screeching "muh boootnet" and installing goynauseam for "muh privacy".

We should address the fact that most web users today are phonecucks and we need to mimic them.

I've also seen a proposal to load all CSS media variables in bulk on Tor mailing list.

Here are some interesting links for those unfamiliar with them:

http://samy.pl/evercookie/

Profiling audio playback capabilities of your computer:

https://audiofingerprint.openwpm.com/

http://ubercookie.robinlinus.com/

Better than panopticlick:

https://browserleaks.com/

Gives more raw data and less meme scores.

Search engines and lots of sites obfuscate links or add tracking data to them, here is deobfuscator for Google/Yandex search results:

https://addons.mozilla.org/en-US/firefox/addon/google-search-link-fix/?src=userprofile

However, I think that Google can even put you on a list as user of this extension since lots of sites have Google analytics and it will see you visiting a link from search results without getting data from tracking obfuscation.

Fun thing is that "Tracking protection" built into Firefox is pure botnet (who would have thought).

First: it sends "suspicious links" to Google and Disconnect Remember that proxy search page for google in Tor browser before duckduckgo became a thing?

Second: it sends "do not track me" http header to websites. You got it right, a website knows when a normie desires not to be tracked.

Third: it acts as poor ad-blocker with outdated malverizing lists from Disconnect.

Then there is such thing as "fraud score", mostly common among people who do webcasino/payment fraud or some shit like that. As you have already guessed, web-casinos have the most advanced ways of automatically detecting their users, they even compare your TCP SYN frame size (unique for different OS-es and kernels) with your browser's UA for example, this is how Windows users (or "smart guys" spoofing their user agent as Windows) with VPN are detected for example, or if your VPN exit has "data center IP" contrary to "residential IP" is a red flag for fraud detection systems too.

I have also noticed that lots of websites either give http 403 error page or straight up reject request (Chinese firewall) when accessing from tor. Does anyone know a way to cope with first use a list of fresh exits not yet included in blocklists those websites usually rely on or automatically refresh circuit until it gets valid answer, but when connection is rejected I somehow can't refresh the circuit, only creating new identity helps.

>>854002

>https://addons.mozilla.org/en-US/firefox/addon/google-search-link-fix/?src=userprofile

>?src=userprofile

fuckfuckfuck this is what I was talking about, sites like ebay do this often to track users lurking through site and even users sharing links between each other.

I visited the developer's profile and then clicked link to extension page.

>>854009

If you are using ff57 google analytics (and the invisible captcha iirc) on amo runs even if your addons says its blocked, mozilla uses the webextensions api to lie, check the network tab.

>>854002

>TCP SYN

This can be faked if you recompile your kernel on *nix with a custom one to imitate winblows.

>even scroll bar width matters, but only can be fingerprinted with javascript

You can disable javascript or fake this faggot. Just press CTRL+ or CTRL- and it changes in firefucks along with resolution.

>Profiling audio playback capabilities of your computer:

Change your audio driver from ALSA to OSS and vice versa. Occasionally use pulseaudio ontop of whatever you switch too to trick it ever the more. Or if you want to blend in just run it with pulseaudio enabled all the time. This isn't a big deal as you can't test for silicone peculeraties other then driver version with these techniques.

>or if your VPN exit has "data center IP" contrary to "residential IP" is a red flag for fraud detection systems too.

Get a bettter VPN or get a better website to browse then.

>>853935

>Sites already do this for styling differently for mobile devices

Load invisible images via CSS element states? I don't think thats widespread, too many people have js enabled for anyone to go to such lengths

>>853957

>Mozilla will never fix this

This can't be fixed because its not a bug. CSS is intended to be able to show images. The only solution is the one Thunderbird uses for its emails, just don't load any images.

>>853940

>umatrix could block it

If you block pseudo elements alltogether, you will break almost every website. You could block url content from pseudo elements, but even then you're going to break a lot of shit.

>>854018

How do you recompile a kernel of 2-dollar VPS or VPN?

Scaled resolution can be easily measured as it grades by 10%.

Literally 0,0001% of web users depending on website disable JavaScript. It is more profiling than leaving it enabled. Sure, obscure boards like 8ch/tech have a significant amount of visitors with disabled JS or even Tor browser over hidden services, however if we pick something what normies visit, in order to blend in, we have to pretend to look like normies.

>>854013

Using latest version is not the best solution, since anti-botnet settings are not updated as quickly as dicks in Mozilla's devs' arseholes. ESR is preferable.

Here are some links for further researching into about:config settings:

https://github.com/pyllyukko/user.js

https://github.com/The-OP/Fox/blob/master/header.md (slavrunes, beware)

http://kb.mozillazine.org/About:config_entries

http://kb.mozillazine.org/Category:Preferences

I also discourage from using IceCat since instead of simply re-licensing Firefox which is not really needed, it also adds it's own snowflake add-ons that affect your fingerprint in unpredictable ways. Even disabling default browser home phoning might affect your OPSEC because your VPN hoster/ISP will notice this change in browser behavior.

Thought of this shit long ago.

You can even do server-side fingerprinting and tracking of sites browsed by feeding them identifiable images assuming cache is turned on.

>>854052

>Load invisible images via CSS element states?

Why do they need to be invisible. Either way they can see in their logs if it was requested or not.

I don't see how you would actually record this information without some PHP or whatever server-side language you want to use.

>>853918

They don't use the vast majority of CSS, so I doubt this would even register with them.

>>854052

>>Mozilla will never fix this

>This can't be fixed because its not a bug. CSS is intended to be able to show images.

It could load everything that could be lazy-loaded by css initially.

>>854060

Is that you, Jim? Is tracking users with identifiable image names not reliable enough for ya?

>>854149

This would increase load times tremendously, you have no idea how gigantic CSS files or "suites" are nowadays. I would also assume that it goes against the grain of how optimized CSS engines work

>>853910 (OP)

>Privacy Protector™ uBlock® from Gorhill Corp. (subsidiary of Dehlisoft corporation) loads 5GiB FLIF image suitable for UltraRetina64K displays found in average low-power Apple iRaspberry LGBTQTPi+- standard personal Cloud Appliance popular among lower castes of Eurasian Caliphate as personal 6G tracking device in 2030 on my pre-blackout 20-year-old Thinkpad with nig-rigged overclocked PCIe bus-to fiber converter just to not get fingerprinted by server as a user of "problematic non-diverse" 1440:900 screen resolution and get vanned by a feminist Sharia Whale Antifascist Tolerant (SWAT) patrol squad for using prohibited technology

I asked for this

>>854057

>if we pick something what normies visit, in order to blend in, we have to pretend to look like normies

why do you need to pretend though?

any real life use cases?

>>854057

>How do you recompile a kernel of 2-dollar VPS or VPN?

dont' use VPS's that used a shared kernel, like OpenVZ. Use KVM.

Guys please, next time let's build a WWW that runs on static HTML only?

>>854396

You can use gopher. It basically only allows a small amount of server-side scripting, and nothing on the client.

The guy that runs gopher.su tried to make a chan with it, but it's not well-suited for that. Might as well just run an NNTP server, or a BBS.