Canvas Defender: canvas fingerprinting protection

Martin Brinkmann
Jul 17, 2017
Firefox add-ons, Google Chrome extensions, Internet

Canvas Defender is a free add-on for Firefox and Chrome that manipulates the canvas fingerprint to protect against canvas fingerprinting.

Canvas Fingerprinting uses the HTML5 Canvas element. The Canvas element may be used to draw graphics on a web page, and it is supported by all major web browsers.

The fingerprinting makes use of the fact that the canvas output is often not identical when it is rendered in different browsers. This is not always the case, and that's why Canvas fingerprinting is often used alongside other tracking methods.

Generally speaking, the more unique your browser and operating system are, the more unique the fingerprint is.

Tip: Check out how companies use Canvas fingerprinting to track you for additional information.

Internet users have a couple of options when it comes to blocking fingerprinting. Add-ons may block Canvas elements completely in the browser, or offer a whitelist / blacklist approach instead. Since Canvas requires JavaScript, turning JavaScript off also prevents it, but that is usually not practical.

Canvas Defender

Canvas Defender is a browser add-on for Firefox and Chrome, and likely also browsers based on Firefox and Chrome code, that changes the "real" Canvas fingerprint of a browser by adding noise to it.

Unlike other add-ons created for the purpose, the browser extension does not block the Canvas element completely. Canvas is used on legitimate sites as well, and blocking Canvas outright may disable some or even all of the functionality of these sites.

The extension adds an icon to the browser's main toolbar that you can interact with. A click displays the noise hash, and an option to generate new noise. You may disable the creation of noise to Canvas at any time using the menu as well.

One interesting feature, probably the most interesting if you ask me, is that Canvas Defender displays a notification whenever it detects that sites may use Canvas fingerprinting.

The extension comes with two options that users may find useful. The first is an option to add sites to a whitelist. If you notice that a site no longer works properly after installing Canvas Defender, and you trust the site, you may add it to the whitelist to stop Canvas Defender from adding noise to Canvas while you are on that site.

The second option configures the browser add-on to generate a new noise hash automatically. I recommend that you enable that option if you use the extension, as you'd have to generate new noise hashes manually otherwise.
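
To illustrate why regenerating the noise matters, the following added example (not Canvas Defender's code and not part of the original article) simulates a canvas readback in plain JavaScript and counts how many distinct identities a tracker would see. The pixel buffer, the `quirk` parameter, the per-channel noise model and the FNV-1a hash are assumptions made for the illustration.

```javascript
// Added example: a simulated canvas readback, not Canvas Defender's own code.

// FNV-1a (32-bit) over the pixel bytes, standing in for the tracker's hash.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Constructed RGBA buffer standing in for getImageData() output. `quirk`
// models the small rendering differences between browser/OS/GPU setups.
function renderCanvas(quirk, pixels = 64) {
  const px = new Uint8ClampedArray(pixels * 4);
  for (let i = 0; i < px.length; i += 4) {
    px[i] = (i * 7 + quirk) & 0xff;          // R
    px[i + 1] = (i * 13) & 0xff;             // G
    px[i + 2] = (i * 29 + quirk * 3) & 0xff; // B
    px[i + 3] = 255;                         // A (opaque)
  }
  return px;
}

// Assumed noise model: a small non-zero offset per colour channel, derived
// from the seed and applied to every pixel before the page can read it.
function addNoise(px, seed) {
  const shift = [1 + (seed % 5), 1 + ((seed >>> 3) % 5), 1 + ((seed >>> 6) % 5)];
  const out = Uint8ClampedArray.from(px);
  for (let i = 0; i < out.length; i += 4) {
    for (let c = 0; c < 3; c++) out[i + c] += shift[c]; // clamps at 255
  }
  return out;
}

// What a fingerprinting script would compute; seed === null means no add-on.
function canvasFingerprint(quirk, seed = null) {
  const px = renderCanvas(quirk);
  return fnv1a(seed === null ? px : addNoise(px, seed));
}

// Tracker's view: how many distinct "browsers" a list of visits looks like.
function distinctIdentities(hashes) {
  return new Set(hashes).size;
}

const QUIRK = 3; // constructed value for one user's machine; three visits each
const noProtection = [1, 2, 3].map(() => canvasFingerprint(QUIRK));
const fixedNoise = [1, 2, 3].map(() => canvasFingerprint(QUIRK, 41));
const rotatedNoise = [41, 42, 43].map((s) => canvasFingerprint(QUIRK, s));

console.log("no add-on:    ", distinctIdentities(noProtection), noProtection[0]);
console.log("fixed noise:  ", distinctIdentities(fixedNoise), fixedNoise[0]);
console.log("rotated noise:", distinctIdentities(rotatedNoise), rotatedNoise);
```

With a fixed seed the tracker still sees a single stable identity, only a spoofed one; rotating the seed between visits is what breaks the link.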

Firefox users may download the extension from Mozilla AMO, Chrome users from the Chrome Web Store.

Closing Words

If you are particularly worried about Canvas fingerprinting, or fingerprinting in general, then you may want to add protection against this form of fingerprinting. Canvas Defender does a good job at distorting the fingerprint of your browser, but only if you change the noise hash regularly.

Now You: are you worried about online fingerprinting?

Comments

  1. Jeeba said on July 19, 2017 at 5:23 pm

    I’ve used Canvas Defender for months. Whereas months ago the sites that tried to fingerprint me were relatively rare, in the past month there has been a noticeable increase. More and more they are trying to identify me and track me all over the web.

    Keep up the good work on this extension…

  2. Brenkku said on July 19, 2017 at 11:17 am

    Martin,

    You suggest “The second option configures the browser add-on to generate a new noise hash automatically. I recommend that you enable that option if you use the extension, as you’d have to generate new noise hashes manually otherwise.”

    But I urge people to read the fine print here (BY THE CREATORS OF THE PLUGIN):
    https://multiloginapp.com/how-canvas-fingerprint-blockers-make-you-easily-trackable/

    Specifically this section: Canvas fingerprint blocking tactics – and why they don’t work

    Generating a new hash every 10 seconds (constantly) is also not good for it.

  3. Donat said on July 18, 2017 at 9:01 pm

    Hey Martin,

    thanks for featuring our add-on!
    I have been following your website for a while. It is hands down one of the best news sources about web browsers and related technologies.

    Keep up the good work!

    -Donat from Multiloginapp

  4. Arcionquad said on July 18, 2017 at 3:44 pm

    Canvas Defender is a fine extension. The most recent update (Version 1.1.0) stopped Gmail from loading, so I have to turn off Canvas Defender to get to my inbox. That’s not too much trouble.

    1. Donat said on July 18, 2017 at 9:33 pm

      Some websites indeed stopped working correctly. We will fix it shortly.

      -Donat from Multiloginapp

  5. XenoSilvano said on July 18, 2017 at 8:52 am

    @ Pants & Sampei Nihira

    I stand corrected

  6. combat said on July 17, 2017 at 10:11 pm

    Unfortunately, simply blocking canvas altogether (instead of faking the unique identifier with one of these cool addons) makes you more trackable for example: ‘this user doesn’t use canvas at all…but their useragent says firefox 55 so they’ve obviously disabled it’.
    The endless struggle to not be tracked online :/

    1. crack said on July 18, 2017 at 7:17 am

      Just don’t use internet if you don’t want to be tracked :/

      1. Tom Hawack said on July 18, 2017 at 9:56 am

        That’s rubbish. Like saying “Just don’t wear a mini-skirt if you don’t want to be harassed”. Do we have to consider that tracking is a natural, correlative feature of the Internet? While we’re at it, why not blindly accept that US ISPs collect and sell users’ data? I call that defeatism.

    2. Tom Hawack said on July 17, 2017 at 11:50 pm

      “The endless struggle to not be tracked online”
      You said it! I’m quite sure all this struggle is in a way pointless, or anyway pointless if we have the aim of remaining incognito. There’s only one way: TOR or excellent VPN. I’m really getting fed up with so much effort for a very hypothetical result.

      1. Donat said on July 18, 2017 at 9:32 pm

        There are many “IFs” in this question but generally speaking VPN doesn’t help much.
        I agree with you on TOR browser, though.
        If all you care is maximum anonymity, TOR browser is the way to go. I2P seems to be promising in these regards as well.

        -Donat from Multiloginapp

  7. CHEF-KOCH said on July 17, 2017 at 8:55 pm

    Battery, gamepad api and others have nothing to do with Canvas. You can entirely disable such api’s already since over 1 year in Chrome and Firefox based browser. So come the hell down. Wilders often spread wrong things.

    Well, about the extension/addon (whatever) I do not recommend it. Instead I would go for the open source ScriptSafe which also does have (a better) Canvas protection, you can customize it.

    Martin already wrote about it:
    https://www.ghacks.net/2016/06/21/scriptsafe-for-chrome-update-brings-fingerprint-protecting/

    1. Tom Hawack said on July 17, 2017 at 9:59 pm

      1- ScriptFace is available only for the Google Chrome browser;
      2- Even if ScriptFace was available for Firefox, it acts as a blocker when ‘Canvas Defender’ is more nuanced, therefore more efficient, as it acts as a defender … as well as ‘CanvasBlocker’ (if the fake readout API block mode is chosen).

      The difference between blocking and defending :
      [https://multiloginapp.com/how-canvas-fingerprint-blockers-make-you-easily-trackable/]

      1. CHEF-KOCH said on July 17, 2017 at 10:16 pm

        Dunno if you talk with me but the extension is called ScriptSafe. It’s also available for Opera. For Firefox you have NoScript. But Firefox overall is less secure.

        Canvas Defender isn’t more efficient, the code is copy and paste 90% from other Extensions like ScriptSafe (unpack both extensions and check yourself). The benefit is that ScriptSafe blocks really all known things while CanvasDefender is only another addon which waste resources, how about an all-in-one solution? Just think about it.

        https://pictr.com/image/ZXhMU

        You can’t overall block all things with any extension without destroying the page/DOM elements, so in 90% of all cases it doesn’t matter at all because you might want login into the page. So blank readout is best option and CanvasDefender doesn’t offer it.

  8. Tom Hawack said on July 17, 2017 at 8:20 pm

    I’ve just disabled CanvasBlocker (CB) and installed ‘Canvas Defender’ (CD)
    At this point I’m wondering if CD is reliable. Why?

    CB with Block Mode=fake readout API has the option to notify the user when the fake mode is used.
    CD as well displays a notification.

    When testing, both add-ons notified the canvas on the BrowserLeaks Canvas test page, but when testing on Google Maps, only CB notified, not CD. Google Maps definitely uses Canvas. So why did CD not notify me?

    CD, ‘Canvas Defender’ ver. 1.1.0 is at this time marked as experimental by its developers. Maybe is that the explanation?

    1. Donat said on July 18, 2017 at 9:28 pm

      You are right, Canvas Defender doesn’t show a notification on Google Maps.
      I think this has something to do with a delay in loading the script which triggers the notification.

      We will look into this.

      It shouldn’t affect spoofing of the fingerprint in any way, though.

      -Donat from Multiloginapp

  9. IPnonymous said on July 17, 2017 at 7:19 pm

    Why not just create one fingerprint for everyone? …either built in (if only), as an addon, a pac file or perhaps a proxy program on the system which all browsers must pass through. If I understand, all information must leave a users computer through a transmission via a web browser to be transmitted to a website. Between user and website the real fingerprinting info could be blocked and a universal one could take its place. A universal fingerprint would be the best option for stopping fingerprinting because all users would transmit the same information.

    A second possibility would be to always randomize said information. Doing so might prevent or at least delay privacy stealers from catching on to false information and then designing a new method to circumvent the fingerprinting privatizing tactic.

    1. Donat said on July 18, 2017 at 9:16 pm

      What you are describing was invented a while ago. Some companies provide security browsing solutions. The idea is to render websites in a sandbox and then transmit a rendered page without scripts to the end-client. This approach greatly diminishes user experience, however.

      The solution with add-ons or proxies, unfortunately, won’t work.

      -Donat from Multiloginapp

  10. Marcin said on July 17, 2017 at 6:44 pm

    I have simply disabled Canvas support in my browser.
    Ever noticed any problem on websites I visit regularly.

    Any example of popular website which makes use of canvas technology, please ?

    1. MdN said on July 17, 2017 at 7:12 pm

      So far I noticed it on Electrek (page about electric cars), OMG! Ubuntu! and, for some reason, GitHub.

      1. insanelyapple said on July 17, 2017 at 7:20 pm

        I’m getting notifications on potential usage on discord – tho, I have no clue if it’s about posted content on my channel or chat client itself

  11. Millenicide said on July 17, 2017 at 4:00 pm

    Is there a way to accomplish this with ublock origin filters?

    1. Skrell said on July 20, 2017 at 4:10 pm

      Does anyone have an answer to this?

  12. Max said on July 17, 2017 at 3:12 pm

    …or you could use Pale Moon, which has had a native canvas fingerprinting protection option for the past two years.

    As reported here on Ghacks: https://www.ghacks.net/2015/07/28/pale-moon-25-6-ships-with-anti-fingerprinting-option/

  13. insanelyapple said on July 17, 2017 at 3:03 pm

    I’m using for some time, seems to be working but lack of control over these notifications is really annoying.

    1. T J said on July 17, 2017 at 3:20 pm

      I use Canvas Defender. I am very surprised that you are annoyed by a pop up which shows for 5 seconds on the screen !!
      There is a solution. If it annoys you then disable it.

      It works well. I get 4 or 5 warning pop ups each day.

      1. insanelyapple said on July 19, 2017 at 8:40 am

        It’s not about removing it at all but having control under simple check-mark option to show or disable notifications. When I installed canvas defender I was surprised that this extension shows notifications and right away I was looking for options to disable it; because I’m not a fan of constant reminder that something works.

        If CD sole purpose is to defend users, I see no point of being spammed all the time with notifications about new noise hash each time browser starts. And also if CD does the work properly – makes impossible or at least hard to track user by canvas fingerprinting then I also see no reason why extension should scare me of “potential usage” on various sites. On the other hand, I do understand those who want to be warned, I understand that there are situations where extension should show warning notification but not every time I’m visiting site x, y or z.
        I am not against – I just want to control this aspect and I’ll be happy to have these options in upcoming version.

        Also, Donat, I trust you won’t ever decide to screw us like for example, ghostery did and you really want to protect everyone.

      2. Donat said on July 18, 2017 at 9:09 pm

        This notification was requested by many users. Now even more request to remove it :)

        We will add an option to disable canvas fingerprinting attempt notifications in the next update. That said, this notification doesn’t show up on any website that is using object. It is only shown when a website attempts to read binary data from the canvas object. In 99,8% of cases, this means a fingerprinting attempt.

        -Donat from Multiloginapp

      3. insanelyapple said on July 17, 2017 at 3:37 pm

        That’s… not very helpful. I see no options to disable notifications and disabling extension in both my browsers is pointless.

        It’s an annoying behaviour that reminds me golden times of bubble notifications in Windows 2k, XP.

  14. XenoSilvano said on July 17, 2017 at 2:51 pm

    Many thanks, I must have missed this despite browsing through all of the available WebExtension on Mozilla’s add-ons site

    @Sampei Nihira – the Battery Status API has been removed from Firefox

    1. Sampei Nihira said on July 17, 2017 at 6:40 pm

      Correct.

      Test with Chrome:

      https://pazguille.github.io/demo-battery-api/

      Some websites also use this technique:

      http://imgbox.com/9b9heaGc

    2. Pants said on July 17, 2017 at 6:37 pm

      The API still exists, but it’s only available in chrome/privileged code ( https://bugzilla.mozilla.org/show_bug.cgi?id=1313580 ) – so web content cannot access it, but an add-on can for example

  15. Anon said on July 17, 2017 at 2:17 pm

    Hey Martin! Mozilla are already thinking about integrating the Tor Browser patch for canvas fingerprinting into Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=967895

    And they’re even thinking about improving it by not displaying the Canvas Prompt unless triggered after page load https://bugzilla.mozilla.org/show_bug.cgi?id=1376865

  16. Jonnyredhead said on July 17, 2017 at 1:40 pm

    I’ve been using this canvas defender for a while now and also been in contact with the devs who told me of the recent update, the first in a while. They told me it’s very hard for an add-on to detect and then block all the new and emerging techniques effectively without crippling the browsing experience.

  17. Tom Hawack said on July 17, 2017 at 12:33 pm

    I’ve always used the CanvasBlocker Firefox add-on (with Block Mode=fake readout API), which (still?) uses legacy technology contrarily to ‘Canvas Defender’. Does the latter do the job better? No idea. Up to now I’ve had to whitelist only Google Maps (always hard to fool Google!).

  18. Lee said on July 17, 2017 at 9:27 am

    Have not tried canvas defender but have been using canvasblocker for a few months, according to browserleaks.com it works as advertised.

    1. Donat said on July 18, 2017 at 9:03 pm

      Canvas Defender was never advertised to be blocking battery API or AudioContext. Although we might release an add-on for spoofing AudioContext later this year.

      -Donat from Multiloginapp
