Canvas Defender: canvas fingerprinting protection
Canvas Defender is a free add-on for Firefox and Chrome that manipulates the canvas fingerprint to protect against canvas fingerprinting.
Canvas Fingerprinting uses the HTML5 Canvas element. The Canvas element may be used to draw graphics on a web page, and it is supported by all major web browsers.
The fingerprinting makes use of the fact that the canvas output is often not identical when it is rendered in different browsers. This is not always the case, and that's why Canvas fingerprinting is often used alongside other tracking methods.
Generally speaking, the more unique your browser and operating system is, the more unique is the fingerprint.
Tip: Check out how companies use Canvas fingerprinting to track you for additional information.
Internet users have a couple of options when it comes to blocking fingerprinting. Add-ons may block Canvas elements completely in the browser, or offer a whitelist / blacklist approach instead. Since Canvas requires JavaScript, turning that off will also prevent it but that is usually not practicable.
Canvas Defender
Canvas Defender is a browser add-on for Firefox and Chrome, and likely also browsers based on Firefox and Chrome code, that changes the "real" Canvas fingerprint of a browser by adding noise to it.
The browser extension does not block the Canvas element completely in the browser unlike other add-ons created for the purpose. Canvas is used on legitimate sites as well, and blocking Canvas outright may disable some or even all of the functionality of these sites.
The extension adds an icon to the browser's main toolbar that you can interact with. A click displays the noise hash, and an option to generate new noise. You may disable the creation of noise to Canvas at any time using the menu as well.
One interesting feature, probably the most interesting if you ask me, is that Canvas Defender displays a notification whenever it detects that sites may use Canvas fingerprinting.
The extension comes with two options that users may find useful. First, an option to add sites to a whitelist. If you notice that a site won't work properly anymore after installing Canvas Defender, you may add it there if you trust it to block Canvas Defender from adding noise to Canvas when you are on the site.
The second option configures the browser add-on to generate a new noise hash automatically. I recommend that you enable that option if you use the extension, as you'd have to generate new noise hashes manually otherwise.
Firefox users may download the extension from Mozilla AMO, Chrome users from the Chrome Web Store.
Closing Words
If you are particularly worried about Canvas fingerprinting, or fingerprinting in general, then you may want to add protection against this form of fingerprinting. Canvas Defender does a good job at distorting the fingerprint of your browser, but only if you change the noise hash regularly.
Now You: are you worried about online fingerprinting?
I’ve used Canvas Defender for months. Whereas months ago the sites that tried to fingerprint me were relatively rare, in the past month there has been a noticeable increase. More and more they are trying to identify me and track me all over the web.
Keep up the good work on this exension…
Martin,
You suggest “The second option configures the browser add-on to generate a new noise hash automatically. I recommend that you enable that option if you use the extension, as you’d have to generate new noise hashes manually otherwise.”
But I urge people to read the fine print here (BY THE CREATORS OF THE PLUGIN):
https://multiloginapp.com/how-canvas-fingerprint-blockers-make-you-easily-trackable/
Specifically this section: Canvas fingerprint blocking tactics – and why they don’t work
Generating a new hash every 10 seconds (constantly) is also not good for it.
Hey Martin,
thanks for featuring our add-on!
I have been following your website for a while. It is hands down one of the best news sources about web browsers and related technologies.
Keep up the good work!
-Donat from Multiloginapp
Canvas Defender is a fine extension. The most recent update (Version 1.1.0) stopped Gmail from loading, so I have to turn off Canvas Defender to get to my inbox. That’s not too much trouble.
Some websites indeed stopped working correctly. We will fix it shortly.
-Donat from Multiloginapp
@ Pants & Sampei Nihira
I stand corrected
Unfortunately, simply blocking canvas altogether (instead of faking the unique identifier with one of these cool addons) makes you more trackable for example: ‘this user doesn’t use canvas at all…but their useragent says firefox 55 so they’ve obviously disabled it’.
The endless struggle to not be tracked online :/
Just don’t use internet if you don’t want to be tracked :/
That’s rubbish. Like saying “Just don’t wear a mini-skirt if you don’t want to be harassed”. Do we have to consider that tracking is a natural, correlative feature of the Internet? While we’re at it, why not blindly accept that US ISPs collect and sell users’ data? I call that defeatism.
“The endless struggle to not be tracked online”
You said it! I’m quite sure all this struggle is in a way pointless, or anyway pointless if we have the aim of remaining incognito. There’s only one way : TOR or excellent VPN. I’m really getting fed up with so much efforts for a very hypothetical result.
There are many “IFs” in this question but generally speaking VPN doesn’t help much.
I agree with you on TOR browser, though.
If all you care is maximum anonymity, TOR browser is the way to go. I2P seems to be promising in these regards as well.
-Donat from Multiloginapp
Battery, gamepad api and others have nothing to do with Canvas. You can entirely disable such api’s already since over 1 year in Chrome and Firefox based browser. So come the hell down. Wilders often spread wrong things.
Well, about the extension/addon (whatever) I not recommend it. Instead I would go for the open source ScriptSafe which also does have (a better) Canvas protection, you can customize it.
Martin already wrote about it:
https://www.ghacks.net/2016/06/21/scriptsafe-for-chrome-update-brings-fingerprint-protecting/
1- ScriptFace is available only for the Google Chrome browser;
2- Even if ScriptFace was available for Firefox, it acts as a blocker when ‘Canvas Defender’ is more nuanced, therefor more efficient, as it acts as a defender … as well as ‘CanvasBlocker’ (if the fake readout API block mode is chosen).
The difference between blocking and defending :
[https://multiloginapp.com/how-canvas-fingerprint-blockers-make-you-easily-trackable/]
Dunno if you talk with me but the extension is called ScriptSafe. It’s also available for Opera.For Firefox you have NoScript. But Firefox overall is less secure.
Canvas Defender isn’t more efficient, the code is copy and paste 90% from other Extensions like ScriptSafe (unpack both extensions and check yourself). The benefit is that ScriptSafe blocks really all known things while CanvasDefender is only another addon which waste resources, how about an all-in-one solution? Just think about it.
https://pictr.com/image/ZXhMU
You can’t overall block all things with any extension without destroying the page/DOM elements, so in 90% of all cases it doesn’t matter at all because you might want login into the page. So blank readout is best option and CanvasDefender doesn’t offer it.
I’ve just disabled CanvasBlocker (CB) and installed ‘Canvas Defender’ (CD)
At this point I’m wondering if CD is reliable. Why?
CB with Block Mode=fake readout API has the option to notify the user when the fake mode is used.
CD as well displays a notification.
When testing, both add-ons notified the canvas on the BrowserLeaks Canvas test page, but when testing on Google Maps, only CB notified, not CD. Google Maps definitely uses Canvas. So why did CD not notify me?
CD, ‘Canvas Defender’ ver. 1.1.0 is at this time marked as experimental by its developers. Maybe is that the explanation?
You are right, Canvas Defender doesn’t show a notification on Google Maps.
I think this has something to do with a delay in loading the script which triggers the notification.
We will look into this.
It shouldn’t affect spoofing of the fingerprint in any way, though.
-Donat from Multiloginapp
Why not just create one fingerprint for everyone? …either built in(if only), as an addon, a pac file or perhaps a proxy program on the system which all browsers must pass through. If i understand, all information must leave a users computer through a transmission via a web browser to be transmitted to a website. Between user and website the real fingerprinting info could be blocked and a universal one could take its place. A universal fingerprint would be the best option for stopping fingerprinting because all users would transmit the same information.
A second possibility would be to always to always randomize said information. Doing so might prevent or at least delay privacy stealers from catching on to false information and then designing a new method to circumvent the fingerprinting privatizing tactic.
What are you describing was invented a while ago. Some companies provide security browsing solutions. The idea is to render websites in a sandbox and then transmit a rendered page without scripts to the end-client. This approach greatly diminishes user experience, however.
The solution with add-ons or proxies, unfortunately, won’t work.
-Donat from Multiloginapp
I have simply disabled Canvas support in my browser.
Ever noticed any problem on websites I visit regularly.
Any example of popular website which makes use of canvas technology, please ?
So far I noticed it on Electrek (page about electric cars), OMG! Ubuntu! and, for some reason, GitHub.
I’m getting notifications on potential usage on discord – tho, I have no clue if its about posted content on my channel or chat client itself
Is there a way to accomplish this with ublock origin filters?
Does anyone have an answer to this?
…or you could use Pale Moon, which has had a native canvas fingerprinting protection option for the past two years.
As reported here on Ghacks: https://www.ghacks.net/2015/07/28/pale-moon-25-6-ships-with-anti-fingerprinting-option/
I’m using for some time, seems to be working but lack of control over these notifications is really annoying.
I use Canvas Defender. I am very surprised that you are annoyed by a pop up which shows for 5 seconds on the screen !!
There is a solution. If it annoys you then disable it.
It works well. I get 4 or 5 warning pop ups each day.
It’s not about removing it at all but having control under simple check-mark option to show or disable notifications. When I installed canvas defender I was surprised that this extension shows notifications and right away I was looking for options to disable it; because I’m not a fan of constant reminder that something works.
If CD sole purpose is to defend users, I see no point of being spammed all the time with notifications about new noise hash each time browser starts. And also if CD does the work properly – makes impossible or at least hard to track user by canvas fingerprinting then I also see no reason why extension should scare me of “potential usage” on various sites. On the other hand, I do understand those who want to be warned, I understand that there are situations where extension should show warning notification but not every time I’m visiting site x, y or z.
I am not against – I just want to control this aspect and I’ll be happy to have these options in upcoming version.
Also, Donat, I trust you won’t ever decide to screw us like for example, ghostery did and you really want to protect everyone.
This notification was requested by many users. Now even more request to remove it :)
We will add an option to disable canvas fingerprinting attempt notifications in the next update. That said, this notification doesn’t show up on any website that is using object. It is only shown when a website attempts to read binary data from the canvas object. In 99,8% of cases, this means a fingerprinting attempt.
-Donat from Multiloginapp
That’s… not very helpful. I see no options to disable notifications and disabling extension in both my browsers is pointless.
It’s an annoying behaviour that reminds me golden times of bubble notifications in Windows 2k, XP.
Many thanks, I must have missed this despite browsing through all of the available WebExtension on Mozilla’s add-ons site
@Sampei Nihira – the Battery Status API has been removed from Firefox
Correct.
Test with Chrome:
https://pazguille.github.io/demo-battery-api/
Some websites also use this technique:
http://imgbox.com/9b9heaGc
The API still exists, but it’s only available in chrome/privileged code ( https://bugzilla.mozilla.org/show_bug.cgi?id=1313580 ) – so web content cannot access it, but an add-on can for example
Hey Martin! Mozilla are already thinking about integrating the Tor Browser patch for canvas fingerprinting into Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=967895
And they’re even thinking about improving it by not displaying the Canvas Prompt unless triggered after page load https://bugzilla.mozilla.org/show_bug.cgi?id=1376865
I’ve been using this canvas defender for a while now and also been in contact with the devs who told me of the recent update, the first in a while. They told me its very hard for an add-on to detect and then block all the new and emerging techniques effectively without crippling the browsing experience.
I’ve always used the CanvasBlocker Firefox add-on (with Block Mode=fake readout API), which (still?) uses legacy technology contrarily to ‘Canvas Defender’. Does the latter do the job better? No idea. Up to now I’ve had to whitelist only Google Maps (always hard to fool Google!).
Have not tried canvas defender but have been using canvasblocker for a few months, according to browserleaks.com it works as advertised.
https://www.wilderssecurity.com/threads/html5-canvas-fingerprinting.386179/page-8#post-2692260
Canvas Defender was never advertised to be blocking battery API or AudioContext. Although we might release an add-on for spoofing AudioContext later this year.
-Donat from Multiloginapp