How to block Canvas Fingerprinting in Firefox
Canvas Fingerprinting is a new way of tracking Internet users that came to some prominence recently. I explained the concept some time ago and suggest you check out the article for detailed information on what it is, what it does and how to prevent it.
Simply put, it makes use of the Canvas element that is part of HTML5 to create profiles and track users. The element can draw on the screen and the fingerprinting makes use of the fact that results are different depending on a number of factors including the browser and operating system that is being used.
It means in essence that Canvas can be used to identify users based on those drawings, even if they are not visible or distinguishable to the human eye. It is especially powerful when combined with other information about a device, the user agent information for example or the IP address.
There is also a Chrome extension, and the new Firefox add-on CanvasBlocker. The add-on blocks the canvas element on pages that you visit and gives you control over the blocking as well.
It is set to ask for permission for visible canvas elements by default as sites may use the canvas element for other purposes besides user tracking.
You can change the block from that in the options if you prefer a different setting. This includes blocking all canvas elements on all pages, only allowing whitelisted elements, to block canvas only on blacklisted sites or to allow everything.
Both whitelist and blacklist are maintained in the preferences as well. CanvasBlocker supports regular expressions, and domains are separated with a "," in both lists. Google domains and the author's own domain are whitelisted by default with options to remove those from the whitelist in the options.
The last option available there is to allow canvas in PDFs. Firefox's native PDF reader pdf.js uses canvas to display contents which is why it is enabled by default. It is however possible to disable this there as well.
You can test the functionality of the extension on Browserleak's Canvas Fingerprinting test page. Canvas and Text Api for Canvas should return the value false in the test which means that the feature is not supported on that page.
CanvasBlocker is a useful extension for the Firefox web browser that can block the Canvas element selectively or completely in Firefox.
There are hundreds of ways to truck us. There is no way to block them all. It’s pointless to even try. I suggest you install Spybot S&D, Malwarebytes, and Superantispyware. They are all you need. Each one finds malware the others don’t. Someone told me using this many would crash my system. I’ve done this on Windows Vista, Windows 7, and now Windows 8.1. My system has never crashed.
Malware and tracking are different things, and it is not pointless to block any tracking attempts one becomes aware of if one wants to avoid egregious tracking. People probably told you having multiple antivirus programs running continuous monitoring at the same time would cause problems with your system because it would, but installing multiple on-demand malware scanners is again a different thing.
There are many things that could kill human, it’s pointless to even try block them all hence we should just stop breathing altogether.
> There is also a Chrome extension
What’s the name of the Chrome extension?
Chameleon, it is not available in the official Chrome Store.
When the buzz started a few years ago around canvas fingerprinting it had been said that only a few companies used this tracking mechanism. From my experience with this Firefox CanvasBlocker add-on I have noticed that it is much more than a few smart guys that call upon this Canvas technology to identify users. I say identify/track when it appears that using the canvas is not required for a site’s proper display (i.e. canvas is required in new Google Maps, which is why the developer of CanvasBlocker has included the latter in his default whitelist).
A few of the sites that CanvasBlocker spotted as using canvas (hence asking user’s permission) appear to be some well-known domains :
etc. etc. etc…the list is expandable in proportion of a user’s visits. Many, many, many sites track, call upon canvas when not required. It’ always the same story, like cookies like tools which are intended for the best and finish used for the worst.
Nowadays honest sites are the exception. So, as they say at the NYPD ; do it to them before they do it to you. Doing it to them means zero tolerance, for canvas, for cookies, for trust. Once you know the place and mainly the landlord, like here with Martin, then you can sit down and relax, recover humanity and civilization.
NoScript too can block this obviously, confirmed by trying the link on this page.
So too can disabling HTML5.
I would like an add-on like Ghostery to include this tracking method as it makes a good job of others.
Dwight’s ‘ignoratio elenchi’ is a little disparing for my taste, but as I have a unique browser footprint anyway,
maybe he has a point of sorts: security is a journey, etc. etc.
At this time I believe though that Canvas is mainly used for fingerprinting when the sites whose display requires it are seldom.
Anyway when used for fingerprinting Canvas is just another tool of the arsenal. Want to have a look at how your computer is “registered” on the Web? Have a look here : http://ip-check.info/ and start their test …
Thanks for your post Tom.
I agree that the motive for this kind of tracking is questionable. I’d like to say that it’s not an option on my browser as it won’t run HTML5, but you’re right that for most an add-on is the solution. I still get Google Maps by the way, so I don’t know if Canvas is actually required?
Thanks too for the IP check link, it was very interesting, particularly the authentication ID as everything else was fine. I’m unfamiliar with this, any thoughts welcome.
I guess, mick, that without HTML5 it is the old version of Google Maps that you get (the one with the sidebar on the left). Notice that many users even with HTML5-compatible browsers prefer the “old” Google Maps.
Concerning the IP-Check test, it seems to be quite good indeed. I’ve discovered it yesterday when I read a user’s experience with anonymouse.org (a fast occasional proxy service), mentioning that IP-Check would nevertheless discover the true IP. It does indeed with anonymouse.org, but not with ZenMate VPN (or elaborated proxy rather) which has been described here on one of gHack’s articles. Made me smile : grr : hide ‘n’ seek -> hidden (that’s what I’d love to believe totally!)
Yes I’ve got the sidebar and through complacency didn’t think I was missing anything.
The IP Check information is however sobering and I will use it in future.
Men, my browser is still apparently unique. What I want is a way to hide what plugins are installed. Something that let’s me activate a plugin on demand for one page only…
Starting from version 0.1.4, CanvasBlocker (licensed under the Mozilla Public license) is no longer (!) compatible with non-Australis versions of Firefox, and Pale Moon.
On the bright side, you can request for Pale Moon (must be v24 and up) compatibility by posting an issue in the extension’s GitHub site (github.com/kkapsner/CanvasBlocker), or you may work out on the compatibility issue yourself.
Random Agent Spoofer blocks canvas fingerprinting on Firefox.
However, only the Github version blocks the canvas tag and not the one on AMO:
I’ve tested this on browserleaks.com and it works.
Thanks @Ray. I’ve (superficially) seen Random Agent Spoofer for years. Never looked at the details. Tested the Canvas Tag (on by default) and it does work! R.A.S. also has a bunch of additional security features (surprising) I need to research. This extension is much more powerful than I imagined. I may opt for the CanvasBlocker (FF add-on) only because I like being asked to allow/deny as I visit each site (it let’s me see who has it enabled).
I was using Tor Browser for a couple of months while traveling and it has Canvas Tag detection. I was surprised how often sites used this tag. Everyday, trusted sites that I visit had the tag embedded including reddit.com. I’m certain they weren’t finger-printing but it was interesting to see how often I ran into it.
I don’t know how to contact the creator of this addons, because there is no email.
It is necessary to be systematically registered on all the sites.
Here is a translation in another language: french.
If that Mr. Kkapsner comes through here, voilÃ !