How to block Canvas Fingerprinting in Firefox

Martin Brinkmann
Oct 25, 2014
Updated • Aug 7, 2019
Firefox, Firefox add-ons
|
16

Canvas Fingerprinting is a new way of tracking Internet users that came to some prominence recently. I explained the concept some time ago and suggest you check out the article for detailed information on what it is, what it does and how to prevent it.

Simply put, it makes use of the Canvas element that is part of HTML5 to create profiles and track users. The element can draw on the screen and the fingerprinting makes use of the fact that results are different depending on a number of factors including the browser and operating system that is being used.

It means in essence that Canvas can be used to identify users based on those drawings, even if they are not visible or distinguishable to the human eye. It is especially powerful when combined with other information about a device, the user agent information for example or the IP address.

There are a couple of things that Internet users can use to block the fingerprinting. One of the easiest options is to disable JavaScript for instance but it is not really practicable considering that JavaScript is used on the majority of Internet sites and that many sites won't work at all or partially only when JavaScript is disabled.

There is also a Chrome extension, and the new Firefox add-on CanvasBlocker. The add-on blocks the canvas element on pages that you visit and gives you control over the blocking as well.

It is set to ask for permission for visible canvas elements by default as sites may use the canvas element for other purposes besides user tracking.

canvas fingerprinting
CanvasBlocker options

You can change the block from that in the options if you prefer a different setting. This includes blocking all canvas elements on all pages, only allowing whitelisted elements, to block canvas only on blacklisted sites or to allow everything.

Both whitelist and blacklist are maintained in the preferences as well. CanvasBlocker supports regular expressions, and domains are separated with a "," in both lists. Google domains and the author's own domain are whitelisted by default with options to remove those from the whitelist in the options.

The last option available there is to allow canvas in PDFs. Firefox's native PDF reader pdf.js uses canvas to display contents which is why it is enabled by default. It is however possible to disable this there as well.

You can test the functionality of the extension on Browserleak's Canvas Fingerprinting test page. Canvas and Text Api for Canvas should return the value false in the test which means that the feature is not supported on that page.

Closing Words

CanvasBlocker is a useful extension for the Firefox web browser that can block the Canvas element selectively or completely in Firefox.

Summary
software image
Author Rating
1star1star1star1star1star
3 based on 8 votes
Software Name
CanvasBlocker
Software Category
Browser
Landing Page
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Inconnu said on July 14, 2018 at 11:01 am
    Reply

    Good morning,

    I don’t know how to contact the creator of this addons, because there is no email.
    It is necessary to be systematically registered on all the sites.

    Here is a translation in another language: french.
    If that Mr. Kkapsner comes through here, voilà !

    https://www.petit-fichier.fr/2018/07/14/messages-fr/messages-fr.txt

    Thank you

  2. Ray said on March 18, 2015 at 4:46 pm
    Reply

    Random Agent Spoofer blocks canvas fingerprinting on Firefox.

    However, only the Github version blocks the canvas tag and not the one on AMO:
    https://github.com/dillbyrne/random-agent-spoofer/releases/latest

    I’ve tested this on browserleaks.com and it works.

    1. PaxD76 said on October 23, 2015 at 6:29 am
      Reply

      Thanks @Ray. I’ve (superficially) seen Random Agent Spoofer for years. Never looked at the details. Tested the Canvas Tag (on by default) and it does work! R.A.S. also has a bunch of additional security features (surprising) I need to research. This extension is much more powerful than I imagined. I may opt for the CanvasBlocker (FF add-on) only because I like being asked to allow/deny as I visit each site (it let’s me see who has it enabled).

      I was using Tor Browser for a couple of months while traveling and it has Canvas Tag detection. I was surprised how often sites used this tag. Everyday, trusted sites that I visit had the tag embedded including reddit.com. I’m certain they weren’t finger-printing but it was interesting to see how often I ran into it.

  3. R567 said on February 25, 2015 at 2:36 pm
    Reply

    Starting from version 0.1.4, CanvasBlocker (licensed under the Mozilla Public license) is no longer (!) compatible with non-Australis versions of Firefox, and Pale Moon.

    On the bright side, you can request for Pale Moon (must be v24 and up) compatibility by posting an issue in the extension’s GitHub site (github.com/kkapsner/CanvasBlocker), or you may work out on the compatibility issue yourself.

  4. Dave said on October 28, 2014 at 2:18 am
    Reply

    Men, my browser is still apparently unique. What I want is a way to hide what plugins are installed. Something that let’s me activate a plugin on demand for one page only…

  5. mick said on October 27, 2014 at 7:01 pm
    Reply

    Yes I’ve got the sidebar and through complacency didn’t think I was missing anything.
    The IP Check information is however sobering and I will use it in future.
    Thanks again.

  6. mick said on October 27, 2014 at 4:14 pm
    Reply

    Just thought I’d mention, HTML5 and Javascript are required for this type of tracking to work.
    NoScript too can block this obviously, confirmed by trying the link on this page.
    So too can disabling HTML5.
    I would like an add-on like Ghostery to include this tracking method as it makes a good job of others.
    Dwight’s ‘ignoratio elenchi’ is a little disparing for my taste, but as I have a unique browser footprint anyway,
    maybe he has a point of sorts: security is a journey, etc. etc.

    1. Tom Hawack said on October 27, 2014 at 5:41 pm
      Reply

      It’s not the canvas technology which is a tracking method, it’s what it may be used for, like cookies. Disabling WebGL or Javascript will indeed disable canvas, like throwing the baby with the water. Canvas acceptance is a per-site choice. Disable it on (new) Google Maps and you have no map, disable it on, say, Shoutcast and you have no fingerprinting. This is why an add-on like CanvasBlocker is the right approach when it allows a per-site decision.

      At this time I believe though that Canvas is mainly used for fingerprinting when the sites whose display requires it are seldom.

      Anyway when used for fingerprinting Canvas is just another tool of the arsenal. Want to have a look at how your computer is “registered” on the Web? Have a look here : http://ip-check.info/ and start their test …

      1. Tom Hawack said on October 27, 2014 at 6:47 pm
        Reply

        I guess, mick, that without HTML5 it is the old version of Google Maps that you get (the one with the sidebar on the left). Notice that many users even with HTML5-compatible browsers prefer the “old” Google Maps.

        Concerning the IP-Check test, it seems to be quite good indeed. I’ve discovered it yesterday when I read a user’s experience with anonymouse.org (a fast occasional proxy service), mentioning that IP-Check would nevertheless discover the true IP. It does indeed with anonymouse.org, but not with ZenMate VPN (or elaborated proxy rather) which has been described here on one of gHack’s articles. Made me smile : grr : hide ‘n’ seek -> hidden (that’s what I’d love to believe totally!)

      2. mick said on October 27, 2014 at 6:14 pm
        Reply

        Thanks for your post Tom.
        I agree that the motive for this kind of tracking is questionable. I’d like to say that it’s not an option on my browser as it won’t run HTML5, but you’re right that for most an add-on is the solution. I still get Google Maps by the way, so I don’t know if Canvas is actually required?

        Thanks too for the IP check link, it was very interesting, particularly the authentication ID as everything else was fine. I’m unfamiliar with this, any thoughts welcome.

  7. Tom Hawack said on October 26, 2014 at 10:48 am
    Reply

    When the buzz started a few years ago around canvas fingerprinting it had been said that only a few companies used this tracking mechanism. From my experience with this Firefox CanvasBlocker add-on I have noticed that it is much more than a few smart guys that call upon this Canvas technology to identify users. I say identify/track when it appears that using the canvas is not required for a site’s proper display (i.e. canvas is required in new Google Maps, which is why the developer of CanvasBlocker has included the latter in his default whitelist).

    A few of the sites that CanvasBlocker spotted as using canvas (hence asking user’s permission) appear to be some well-known domains :

    i24news.tv,shoutcast.com,msn.com,audionetwork.com,di.fm,panoramio.com,filemail.com,cnet.com,businessinsider.com,protonmail.ch,caisse-epargne.fr,abc11.com,nytimes.com,pcworld.com

    etc. etc. etc…the list is expandable in proportion of a user’s visits. Many, many, many sites track, call upon canvas when not required. It’ always the same story, like cookies like tools which are intended for the best and finish used for the worst.

    Nowadays honest sites are the exception. So, as they say at the NYPD ; do it to them before they do it to you. Doing it to them means zero tolerance, for canvas, for cookies, for trust. Once you know the place and mainly the landlord, like here with Martin, then you can sit down and relax, recover humanity and civilization.

  8. Zeus said on October 26, 2014 at 9:06 am
    Reply

    > There is also a Chrome extension

    What’s the name of the Chrome extension?

    Thanks!

    1. Martin Brinkmann said on October 26, 2014 at 12:09 pm
      Reply

      Chameleon, it is not available in the official Chrome Store.

      https://github.com/ghostwords/chameleon

  9. Dwight Stegall said on October 26, 2014 at 2:00 am
    Reply

    There are hundreds of ways to truck us. There is no way to block them all. It’s pointless to even try. I suggest you install Spybot S&D, Malwarebytes, and Superantispyware. They are all you need. Each one finds malware the others don’t. Someone told me using this many would crash my system. I’ve done this on Windows Vista, Windows 7, and now Windows 8.1. My system has never crashed.

    1. anon said on October 26, 2014 at 8:39 am
      Reply

      There are many things that could kill human, it’s pointless to even try block them all hence we should just stop breathing altogether.

      Wonderful.

    2. JohnMWhite said on October 26, 2014 at 3:39 am
      Reply

      Malware and tracking are different things, and it is not pointless to block any tracking attempts one becomes aware of if one wants to avoid egregious tracking. People probably told you having multiple antivirus programs running continuous monitoring at the same time would cause problems with your system because it would, but installing multiple on-demand malware scanners is again a different thing.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.