 | redux.resistant.tech | 122 Members |
| Privacy is Hard. Surveillance is Easy. Let's fix that. Say Hi and introduce yourself! Tell us about your projects. Posting interesting papers is encouraged. Questions are encouraged! Posting cool prototypes and code also encouraged. | 17 Servers |
| Sender | Message | Time |
|---|---|---|
| 5 Mar 2021 | ||
 sarahjamielewis | A new Discreet Log on Flutter/Cwtch: https://openprivacy.ca/discreet-log/02-porting-qwtch-to-flwtch/ | 20:16:23 |
| sarahjamielewis | Also a twitter thread documenting the last few months of Cwtch dev and why Beta was delayed: https://twitter.com/SarahJamieLewis/status/1367917898346336257 | 20:17:22 |
| 6 Mar 2021 | ||
 jeff | Apple and Mozilla should explore stronger techniques for preventing browser fingerprinting probably. | 01:16:26 |
 Braedon | In reply to @jeff:web3.foundation I use Firefox Beta on Ubuntu, so my fingerprint is pretty comprehensively unique, unfortunately. That said, FireFox's ETP fingerprinter blocker should be The fingerprinting mitigations Google is proposing as part of the Privacy Sandbox look useful on the surface - haven't dug into them yet. | 05:06:20 |
| Braedon | Google's repeated FUD about Apple and Mozilla causing fingerprinting by blocking 3rd party cookies REALLY rubs me the wrong way though. Yeah, more trackers have moved to fingerprinting as a result, but whether they're using cookies or fingerprinting, they're still tracking you - it's in no way an increase in tracking. In fact, at least based on ETP's reports, there are FAR more trackers still using cookies than fingerprinting - it's inherently harder to implement. The idea that leaving cookie tracking alone was better because users have "control" is laughable - fingerprinting arose precisely because users exercised that control! | 05:12:29 |
| Braedon | * Google's repeated FUD about Apple and Mozilla causing fingerprinting by blocking 3rd party cookies REALLY rubs me the wrong way though. Yeah, more trackers have moved to fingerprinting as a result, but whether they're using cookies or fingerprinting, they're still tracking you - it's in no way an increase in tracking. In fact, at least based on ETP's reports, there are FAR more trackers still using cookies than fingerprinting - it's inherently harder to implement. The idea that cookie tracking is better because users have "control" is laughable - fingerprinting arose precisely because users exercised that control! | 05:12:54 |
| Braedon | * Google's repeated FUD about Apple and Mozilla causing fingerprinting by blocking 3rd party cookies REALLY rubs me the wrong way though. Yeah, more trackers have moved to fingerprinting as a result, but whether they're using cookies or fingerprinting, they're still tracking you - it's in no way an increase in tracking. In fact, at least based on ETP's reports, there are FAR more trackers still using cookies than fingerprinting - it's inherently harder to implement. The idea that leaving cookie tracking alone was better because users have "control" is laughable - fingerprinting arose precisely because users exercised that control! | 05:17:44 |
| Braedon | In reply to @sarahjamielewis:matrix.orgDid you seriously consider any other frameworks before picking Flutter, or were they all ruled out due to being browser based? | 05:24:07 |
| sarahjamielewis | In reply to @braedon:resisty.comYeah we went through half a dozen or so lists of frameworks. Personally, I was the most sceptical about flutter and pushed hard for us to consider any and all other options - but nothing else honestly came close, and the de-risking sealed it. | 05:28:24 |
| Braedon | Have you found many drawbacks? (or is that a future blog post?) | 05:29:28 |
| sarahjamielewis | Honestly, if anything it has exceeded my expectations. The abstractions are very well engineered and in many cases things that took a few days in our old setup are taking a couple of hours to figure through now. The Googliness of it is slightly concerning given their love of trashing projects without much warning and privacy stance but compared with everything else even those risks are respectively easy to mitigate. | 05:34:01 |
| sarahjamielewis | * Honestly, if anything it has exceeded my expectations. The abstractions are very well engineered and in many cases things that took a few days in our old setup are taking a couple of hours to figure through now. The Googliness of it is slightly concerning given their love of trashing projects without much warning and privacy stance but compared with everything else even those risks are respectively easy to mitigate. | 05:34:30 |
| jeff | I think browsers can simply lie about many fingerprinting questions, but window size gets harder. | 06:29:08 |
 agnostic-apollo |  Download Screenshot_2021-03-06-13-36-49.png | 08:41:14 |
| agnostic-apollo | Would have to be lot of lying for phones... https://helda.helsinki.fi/handle/10138/273478 | 08:41:39 |
| agnostic-apollo | blink had some interesting ideas by using docker containers for switching fingerprints at an os level. Not been updated in a while. And I haven't used it though. https://www.ieee-security.org/TC/SP2016/poster-abstracts/59-poster_abstract.pdf https://github.com/plaperdr/blink-docker | 08:48:43 |
 Tim Panton | There is a lot of agonising about browser fingerprinting in the w3c - and some action. Most of it positive. Apple leading the way and google trailing unwillingly behind. Adtech must be worried as they tried to get a rep onto the w3cs advisory council recently. | 14:18:54 |
| Tim Panton | So, for example, a lot of finger printable webRTC features now require user consent. On the theory that a drive by data grab doesn’t want to announce its presence by asking for unrelated permissions. Personally I am a bit sceptical about how much of a deterrent that is. | 14:21:42 |
 synackpse | Fwiw I’ve had a lot of luck fingerprinting browsers via their TLS handshakes (assuming your use case includes having access to the network layer). | 15:21:41 |
| agnostic-apollo | User consent doesn't really work for the general population, especially if they don't know what they are giving access too. WebRTC would be a mystery to an average programmer too. Permission granting never worked on android, google playstore had to play a different game and didn't allow apps to be published with dangerous permissions unless they really needed it, letting users decide didn't work. Cookies is pretty much the same. With the hard to get opt-outs and annoying popups, people usually just accept. I am not saying someone else should make the decisions for us like google playstore is but its still understandable. And a lot of those features on the list would ideally be required by an average site to work properly, specially dynamic ones like today, so would be really hard to decide for each and every website visited that what should be allowed or not. | 16:22:47 |
 raeshoo (Dante) | are there better fingerprinting testing websites, other than EFF, that provide meaningful results? Been using ghacks-user.js and it seems to work pretty good against fingerprinting | 16:56:12 |
| agnostic-apollo | You can check the following. Obfuscated sophisticated techniques by tracking giants might be hard to escape. https://amiunique.org/fp https://amiunique.org/faq https://github.com/DIVERSIFY-project/amiunique | 17:38:31 |
| raeshoo (Dante) | ty very much | 17:42:42 |
| agnostic-apollo | welcome | 17:47:36 |
 sanketh_ | TorZillaPrint by Thorin (who is a Firefox/FingerprintingMitigations contributor and ircc a ghacks userjs contributor) is pretty good and imo the state-of-the-art. However, I would like to caution that | 17:54:09 |
| sanketh_ | * TorZillaPrint by Thorin (who is a Firefox/FingerprintingMitigations contributor and ircc a ghacks userjs contributor) is pretty good and imo the state-of-the-art. However, I would like to caution that | 17:58:58 |
| sanketh_ | * TorZillaPrint by Thorin (who is a Firefox/FingerprintingMitigations contributor and ircc a ghacks userjs contributor) is pretty good and imo the state-of-the-art. However, I would like to caution that | 18:01:47 |
 ryzokuken joined the room. | 18:05:21 | |
| agnostic-apollo | TorZillaPrint looks nice from a quick look. The audit seems pretty faith based though. And not sure how reliable audits can be even scaled with the amount of websites today that may need real IP addresses. | 18:33:49 |
 josiah left the room. | 23:42:21 | |