!EDwdFmQKqjziagKwgN:matrix.org

redux.resistant.tech

122 Members
Privacy is Hard. Surveillance is Easy. Let's fix that. Say Hi and introduce yourself! Tell us about your projects. Posting interesting papers is encouraged. Questions are encouraged! Posting cool prototypes and code also encouraged.

17 Servers



Sender | Message | Time
5 Mar 2021
@sarahjamielewis:matrix.org sarahjamielewis
A new Discreet Log on Flutter/Cwtch: https://openprivacy.ca/discreet-log/02-porting-qwtch-to-flwtch/
20:16:23
@sarahjamielewis:matrix.org sarahjamielewis
Also a twitter thread documenting the last few months of Cwtch dev and why Beta was delayed: https://twitter.com/SarahJamieLewis/status/1367917898346336257
20:17:22
6 Mar 2021
@jeff:web3.foundation jeff
Apple and Mozilla should explore stronger techniques for preventing browser fingerprinting probably.
01:16:26
@braedon:resisty.com Braedon
In reply to @jeff:web3.foundation
Apple and Mozilla should explore stronger techniques for preventing browser fingerprinting probably.

I use Firefox Beta on Ubuntu, so my fingerprint is pretty comprehensively unique, unfortunately. That said, Firefox's ETP fingerprinter blocker should be helping somewhat.

The fingerprinting mitigations Google is proposing as part of the Privacy Sandbox look useful on the surface - haven't dug into them yet.

05:06:20
@braedon:resisty.com Braedon
Google's repeated FUD about Apple and Mozilla causing fingerprinting by blocking 3rd party cookies REALLY rubs me the wrong way though. Yeah, more trackers have moved to fingerprinting as a result, but whether they're using cookies or fingerprinting, they're still tracking you - it's in no way an increase in tracking. In fact, at least based on ETP's reports, there are FAR more trackers still using cookies than fingerprinting - it's inherently harder to implement. The idea that leaving cookie tracking alone was better because users have "control" is laughable - fingerprinting arose precisely because users exercised that control!
05:12:29
@braedon:resisty.com Braedon
In reply to @sarahjamielewis:matrix.org
A new Discreet Log on Flutter/Cwtch: https://openprivacy.ca/discreet-log/02-porting-qwtch-to-flwtch/
Did you seriously consider any other frameworks before picking Flutter, or were they all ruled out due to being browser based?
05:24:07
@sarahjamielewis:matrix.org sarahjamielewis
In reply to @braedon:resisty.com
Did you seriously consider any other frameworks before picking Flutter, or were they all ruled out due to being browser based?
Yeah we went through half a dozen or so lists of frameworks. Personally, I was the most sceptical about Flutter and pushed hard for us to consider any and all other options - but nothing else honestly came close, and the de-risking sealed it.
05:28:24
@braedon:resisty.com Braedon
Have you found many drawbacks? (or is that a future blog post?)
05:29:28
@sarahjamielewis:matrix.org sarahjamielewis
Honestly, if anything it has exceeded my expectations. The abstractions are very well engineered and in many cases things that took a few days in our old setup are taking a couple of hours to figure through now. The Googliness of it is slightly concerning given their love of trashing projects without much warning and privacy stance but compared with everything else even those risks are respectively easy to mitigate.
05:34:01
@jeff:web3.foundation jeff
I think browsers can simply lie about many fingerprinting questions, but window size gets harder.
06:29:08
@agnostic-apollo:matrix.org agnostic-apollo
Screenshot_2021-03-06-13-36-49.png
08:41:14
@agnostic-apollo:matrix.org agnostic-apollo

Would have to be a lot of lying for phones...

https://helda.helsinki.fi/handle/10138/273478

08:41:39
@agnostic-apollo:matrix.org agnostic-apollo

Blink had some interesting ideas by using Docker containers for switching fingerprints at an OS level. Not been updated in a while. And I haven't used it though.

https://www.ieee-security.org/TC/SP2016/poster-abstracts/59-poster_abstract.pdf

https://github.com/plaperdr/blink-docker

08:48:43
@steely_glint:matrix.org Tim Panton
There is a lot of agonising about browser fingerprinting in the W3C - and some action. Most of it positive. Apple leading the way and Google trailing unwillingly behind. Adtech must be worried as they tried to get a rep onto the W3C's advisory council recently.
14:18:54
@steely_glint:matrix.org Tim Panton
So, for example, a lot of fingerprintable WebRTC features now require user consent. On the theory that a drive-by data grab doesn’t want to announce its presence by asking for unrelated permissions. Personally I am a bit sceptical about how much of a deterrent that is.
14:21:42
@synackpse:matrix.org synackpse
Fwiw I’ve had a lot of luck fingerprinting browsers via their TLS handshakes (assuming your use case includes having access to the network layer).
15:21:41
@agnostic-apollo:matrix.org agnostic-apollo
User consent doesn't really work for the general population, especially if they don't know what they are giving access to. WebRTC would be a mystery to an average programmer too. Permission granting never worked on Android; the Google Play Store had to play a different game and didn't allow apps to be published with dangerous permissions unless they really needed them; letting users decide didn't work. Cookies are pretty much the same. With the hard-to-get opt-outs and annoying popups, people usually just accept. I am not saying someone else should make the decisions for us like the Google Play Store is, but it's still understandable. And a lot of those features on the list would ideally be required by an average site to work properly, especially dynamic ones like today, so it would be really hard to decide for each and every website visited what should be allowed or not.
16:22:47
@raeshoo:fairydust.space raeshoo (Dante)
Are there better fingerprinting testing websites, other than EFF, that provide meaningful results? Been using ghacks-user.js and it seems to work pretty well against fingerprinting.
16:56:12
@agnostic-apollo:matrix.org agnostic-apollo

You can check the following. Obfuscated sophisticated techniques by tracking giants might be hard to escape.

https://amiunique.org/fp

https://amiunique.org/faq

https://github.com/DIVERSIFY-project/amiunique

17:38:31
@raeshoo:fairydust.space raeshoo (Dante)
ty very much
17:42:42
@agnostic-apollo:matrix.org agnostic-apollo
welcome
17:47:36
@sgmenda:mozilla.org sanketh_

TorZillaPrint by Thorin (who is a Firefox/FingerprintingMitigations contributor and iirc a ghacks userjs contributor) is pretty good and imo the state-of-the-art.

However, I would like to caution that privacy.resistFingerprinting (RFP) mode (which ghacks userjs enables) was designed with the Tor Browser's threat model in mind and might not be appropriate outside. For instance, fingerprinting protections don't help very much when you are using a residential IP since residential IP on its own is a pretty good identifier (Chrome, as part of the privacy sandbox, is working on preventing IP fingerprinting but the proposal seems to be in early stages). Also, it is not uncommon for RFP mode to break sites, sometimes in funny, hard-to-diagnose ways. For instance, a mitigation I helped add to RFP recently made drawings uploaded to a browser-based game Jackbox look like noise.

17:54:09
@ryzokuken:1312.media ryzokuken joined the room.
18:05:21
@agnostic-apollo:matrix.org agnostic-apollo

TorZillaPrint looks nice from a quick look.

The audit seems pretty faith based though. And not sure how reliable audits can be even scaled with the amount of websites today that may need real IP addresses.

18:33:49
@jowj:awful.club josiah left the room.
23:42:21


