Canvas Fingerprinting
| Project Name | Stars | Downloads | Repos Using This | Packages Using This | Most Recent Commit | Total Releases | Latest Release | Open Issues | License | Language |
|---|---|---|---|---|---|---|---|---|---|---|
| Fingerprintjs | 20,090 |  | 279 | 7 days ago | 75 | November 15, 2023 | 18 | other | TypeScript | |
| Browser fingerprinting library. Accuracy of this version is 40-60%, accuracy of the commercial Fingerprint Identification is 99.5%. V4 of this library is BSL licensed. | ||||||||||
| Dejavu | 6,108 | 3 months ago | 4 | September 20, 2022 | 123 | mit | Python | |||
| Audio fingerprinting and recognition in Python | ||||||||||
| Find | 4,743 | 4 years ago | 1 | June 02, 2021 | 86 | agpl-3.0 | Go | |||
| High-precision indoor positioning framework for most wifi-enabled devices. | ||||||||||
| Ja3 | 2,317 | a month ago | 1 | April 28, 2018 | 33 | bsd-3-clause | Python | |||
| JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way. | ||||||||||
| Nothing Private | 2,028 | 3 months ago | 3 | gpl-3.0 | JavaScript | |||||
| Do you think you are safe using private browsing or incognito mode?. :smile: :imp: This will prove that you're wrong. Previously hosted at nothingprivate.ml | ||||||||||
| Clientjs | 1,702 |  | 33 | 61 | a year ago | 9 | October 25, 2021 | 49 | apache-2.0 | JavaScript |
| Device information and digital fingerprinting written in pure JavaScript. | ||||||||||
| Vytal Extension | 1,616 | 3 months ago | 16 | gpl-3.0 | TypeScript | |||||
| Browser extension to spoof timezone, geolocation, locale and user agent. | ||||||||||
| Utls | 1,349 | 14 | 340 | 8 days ago | 28 | October 10, 2023 | 24 | bsd-3-clause | Go | |
| Fork of the Go standard TLS library, providing low-level access to the ClientHello for mimicry purposes. | ||||||||||
| Creepjs | 976 | 2 days ago | 36 | mit | TypeScript | |||||
| Creepy device and browser fingerprinting | ||||||||||
| Jarm | 975 | 5 months ago | 10 | bsd-3-clause | Python | |||||
Demo for Canvas fingerprinting
Here you can find JS library for fetching canvas fingerprinting, testing of preventing with addons and experiment with different hash functions, basic skeleton was taken from fingerprintjs.
Abstract
Canvas fingerprinting is a techniques of tracking online users that allow websites to identify and track visitors using
HTML5 canvas element instead of browser cookies or other similar means. Consider it like a cookie on steroids.
Main responsibility of canvas fingerprinting is collecting information about a remote computing device for the purpose of identification. Even if you are browsing GitHub now, this site try to fetch as much as possible your metadata like fonts, OS, specific system properties and it tries to draw hidden 3D canvas which will be converted in unique token for further identification on another sites, advertising some bullshit goods on e-commerce sites or for recommendation system in social network.
Variation of GPU time rendering of 3D canvas allows to generate unique token for each user. Also, this approach was widely used for deanonymization of Tor's user, in force of this fact, Tor's developers made a patch for this exploit, for now, Tor notifies user of canvas read attempt and return blank image data.
The text which was pictured on a canvas for the identification and successfully blocked by CanvasFingerprintBlock
Protection
A lot of add-ons allow you to prevent attempt to fetch canvas fingerprint like Privacy Badger or Canvas Defender, as mentioned above, Tor browser protect users from it by default. From October of 2017 Firefox prevents canvas fingerprinting by default, Firefox takes a bite out of the canvas while other browsers don't prevent it.
Preventing in action:
Docker hub attempted to fetch canvas fingerprint, but was locked by add-on:
Canvas Defender allows to generate dummy noise:
Noise generated by canvas defender:
Indicators
This library uses multiple sources for generating unique token:
- Canvas fingerprinting
- Screen Resolution
- Color Depth
- Screen Resolution
- Time Zone
- UserAgent
- Languages
- CPU class
- Fact of storing/presence/facts of:
- session storage
- local storage
- indexed DB
- open DB
- IE
AddBehaviour - IE specific plugins like
RealPlayer,AcroPDF,AgControl.AgControl - for Silverlightetc. - DNT header - as ironic as it was
After collection all metadata in a single place, they are joined with MurmurHash, in result, you have integer value which represents fingerprint of your browser.
Library usage:
var fingerprint = new Fingerprint();
If you want to control drawing flag, just pass it directly canvas: true
var withCanvasDrawing = new Fingerprint({canvas: true});
var withoutCanvasDrawing = new Fingerprint({canvas: false});
Using custom hash function
var withCanvasDrawing = new Fingerprint({hasher: pearson});
Example with Java's hashcode
from java.lang.String:
var javaHashCode = function(string, K) {
var hash = 0;
if (string.length === 0) {
return hash;
}
for (var i = 0; i < string.length; i++) {
char = string.charCodeAt(i);
hash = K*((hash<<5)-hash)+char;
hash = hash & hash;
}
return hash;
};
var fingerprint = new Fingerprint({hasher: javaHashCode});