Security Medium 1 — Canvas Fingerprinting
Before we look at canvas fingerprinting, I just want to set the scene with a reminder of one of the most fundamental truths about how the web was designed: each web page load is an independent event. Because websites had no memory of anything that went before, i.e. no concept of state, the original web could not cope with concepts like logging in or shopping baskets. Something had to be bolted on to allow web servers to connect individual requests into related groups of requests.
The official mechanism added to the HTTP protocol for retaining state between requests is the humble cookie. Cookies gave us the ability to log in, and basically, the modern web. But, they came with a dark side — as well as enabling all the cool things we like about the modern web, they also enabled tracking.
Because cookies are a well-defined and well-documented feature, browsers provide users with mechanisms for controlling their use. That’s a threat to the bottom line of those who make money by tracking people against their will and selling the information they glean from that tracking. That’s why the trackers have always tried to think outside the box and find unofficial, and hence hard-to-block, mechanisms for tracking users.
One of the approaches used is fingerprinting. The idea is to find some kind of calculation or processing you can do with either the metadata included in HTTP headers or the data accessible via the JavaScript APIs to generate a result that’s very close to unique and doesn’t change over time.
A really naive fingerprint might be to combine the list of installed fonts with the browser version, screen resolution and OS version, and then hash that down to a single 28-bit value. That’s not completely unique, but it’s pretty unique, and it’s not very long-lived (you update your browser and OS, right!), but it’s still going to remain static for days or even weeks. This kind of fingerprint can be used for imperfect, but still financially valuable, tracking.
Needless to say, the multi-billion-dollar tracking industry didn’t stop with naive fingerprints; they kept, and indeed keep, looking for better fingerprints. That’s where the HTML5 canvas comes in.
I’d argue that the humble HTML5 canvas is probably the single biggest reason Flash is dead! So what is it? It’s an HTML tag that allows developers to define a rectangular area on a web page that they can write pixel information to. Basically, it’s a canvas you can draw on programmatically: make that pixel pink, draw a blue square with one corner at one coordinate and the other at another, and so on. That’s what made it possible to write graphical games on the web without Flash.
That doesn’t sound like it has anything what so ever to do with tracking does it!?
What some very clever people noticed though is that while the same code creates a picture that looks extremely similar on every computer, the pixels on canvases have teeny tiny subtle variations, and those variations are determined by the computer rendering them, and consistent over time. My computer will draw a canvas a tiny bit differently to yours, and that difference will stay the same over time. Bingo — tracking!
How can “make this pixel pink” result in different outputs on different computers? That simple example can’t, but the canvas supports much higher-level drawing operations, like anti-aliasing, and shape and font rendering. Each browser has its own implementation of the canvas tag, so they’ll make subtly different choices on things like which anti-aliasing algorithm to use. Worse still, browsers hand a lot of graphics tasks off to the graphics card, so different hardware will also result in subtle differences in renderings. So even if two computers have the same browser version on the same OS version, if they have different graphics cards the anti-aliasing on a letter or a shape is likely to be very subtly different.
I have to stress that these differences are REALLY subtle. You’d need to zoom in to several hundred percent and compare pixel by pixel to notice these changes, but computers deal in absolutes, so different is different!
The way this works is that a small piece of JavaScript creates a small canvas and keeps it off screen (often it is never even attached to the page) so you don’t see it. It then renders some carefully chosen shapes or letters to that canvas, reads back the exact value of every resulting pixel (via calls like getImageData() or toDataURL()), and hashes that result. The shapes are carefully chosen to be as likely as possible to be rendered differently from browser to browser and computer to computer.
Remember that a small change in input to a hash should produce a big change in output. So, by hashing small subtle difference our eyes can’t see, you get massively different outputs.
It’s these hashes that are the canvas fingerprint, and, they vary a lot from computer to computer, and they stay static over long periods of time, so they make great trackers.
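To make the mechanism concrete, here is an added example (not code from the original post) of the three steps above: draw to a hidden canvas, read the pixels back, hash them. The browser part needs a real browser; the hashing part runs anywhere, and two hand-constructed pixel buffers that differ in a single alpha byte stand in for two machines, so the “tiny difference in, completely different hash out” behaviour can be seen without a GPU. The FNV-1a hash, the drawing string and the canvas dimensions are my choices, not anything the post specifies.

```javascript
// Added example (not from the original post): the three steps a canvas
// fingerprinter performs, with the hashing step separated out so it can
// run without a browser. The pixel buffers below are constructed by hand
// to stand in for two machines that anti-alias one edge pixel differently.

// 32-bit FNV-1a over a byte array. Real trackers typically use MurmurHash
// or similar; any hash with decent avalanche behaviour makes the point.
function fnv1a32(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Step 3: hash the raw RGBA bytes into the short string that gets sent home.
function fingerprintPixels(rgba) {
  return fnv1a32(rgba).toString(16).padStart(8, '0');
}

// Number of bytes that differ between two equally sized pixel buffers.
function differingBytes(a, b) {
  if (a.length !== b.length) throw new Error('buffers must be the same size');
  let n = 0;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) n++;
  return n;
}

// Steps 1 and 2, browser only: draw to a canvas that is never attached to the
// page, then read every pixel back. getImageData() is the kind of call the
// Tor Browser gates behind a permission prompt.
function canvasFingerprint(width = 240, height = 60) {
  const canvas = document.createElement('canvas');
  canvas.width = width;
  canvas.height = height;
  const ctx = canvas.getContext('2d');
  // Text in two fonts, an emoji and a translucent fill exercise font
  // rasterisation, colour blending and anti-aliasing all at once.
  ctx.fillStyle = '#f60';
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = '#069';
  ctx.font = '11pt Arial';
  ctx.fillText('Cwm fjordbank glyphs vext quiz \u{1F600}', 2, 15);
  ctx.fillStyle = 'rgba(102, 204, 0, 0.7)';
  ctx.font = '18pt "Times New Roman"';
  ctx.fillText('Cwm fjordbank glyphs vext quiz \u{1F600}', 4, 45);
  ctx.strokeStyle = '#f0f';
  ctx.beginPath();
  ctx.arc(50, 30, 22, 0, Math.PI * 1.5); // curved, anti-aliased edge
  ctx.stroke();
  const { data } = ctx.getImageData(0, 0, width, height);
  return fingerprintPixels(data);
}

// Constructed 4x1 RGBA strip: two opaque orange pixels, one partially
// covered edge pixel whose alpha depends on the anti-aliasing algorithm,
// then white background. Only that edge alpha differs between "machines".
function constructedStrip(edgeAlpha) {
  return Uint8Array.from([
    255, 102, 0, 255,
    255, 102, 0, 255,
    255, 102, 0, edgeAlpha,
    255, 255, 255, 255,
  ]);
}
const MACHINE_A = constructedStrip(128);
const MACHINE_B = constructedStrip(129);

// Side by side: a one-byte, 1/255 difference in edge coverage that no eye
// could spot, yet the two fingerprints share nothing, while re-rendering the
// same machine's pixels gives the same fingerprint every time.
function demo() {
  return {
    differingBytes: differingBytes(MACHINE_A, MACHINE_B),
    fingerprintA: fingerprintPixels(MACHINE_A),
    fingerprintB: fingerprintPixels(MACHINE_B),
    stable: fingerprintPixels(MACHINE_A) === fingerprintPixels(constructedStrip(128)),
  };
}
```

In a browser, `canvasFingerprint()` returns the eight-hex-digit value a tracker would store; in Node only the hashing half runs. Each FNV-1a step (xor with a byte, then multiply by an odd constant modulo 2^32) is a bijection on the 32-bit state, so two equal-length buffers that differ in exactly one byte can never collide, which is why the one-alpha-step difference is guaranteed to show up.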
So, what made the news this week is that Firefox 58 is following the Tor Browser’s lead, and blocking canvas fingerprints. How?
Simple: when JavaScript calls one of the functions that read pixel data back out of a canvas (getImageData(), toDataURL() or toBlob()), the browser asks the user’s permission before handing over the real pixels, so a script that is refused has nothing machine-specific to hash. In Firefox this prompt is tied to the privacy.resistFingerprinting preference, so it has to be switched on rather than being on by default.
Right now only the Tor Browser does this, Firefox will do it when version 58 releases, but for now, I’m not aware that the other browser manufacturers have committed to doing this too. Hopefully they will, and soon.
Links:
- A fantastic explanation of all this, with very helpful illustrations — nakedsecurity.sophos.com/…
Notable Security Updates
- Apple patch pretty much everything (including fixes for the KRACK Wi-Fi vulnerabilities)
- iOS 11.1 — www.macobserver.com/…
- macOS High Sierra 10.13.1, Security Update 2017–001 for macOS Sierra & Security Update 2017–004 for MacOS X El Capitan — www.intego.com/…
- watchOS 4.1 — tidbits.com/…
- The Tor Browser was patched to fix the so-called TorMoil bug, which leaked IP addresses (utterly defeating the purpose of Tor) — nakedsecurity.sophos.com/…
Notable News
- While Apple have patched for KRACK, a new zero-day Wi-Fi bug has been found in pre-iPhone 7 models of iPhone. The bug was found at the Pwn2Own hacking contest, and in keeping with that competition’s rules, the details have been passed to Apple, but will not be made public until Apple have had 90 days to get a patch out. Keep your eye out for another iOS update soon — nakedsecurity.sophos.com/…
- Facebook have begun trialing a new system to allow users to submit images for blocking on Facebook. The idea is that you securely upload the image of you that you want blocked, Facebook review it to make sure it really is an image of you, then they take a fingerprint of it, and delete it. From then on, no image matching that fingerprint can be uploaded to Facebook — nakedsecurity.sophos.com/…
- Brother printers hit by zero-day denial of service exploit — nakedsecurity.sophos.com/…
Suggested Reading
- PSAs, Tips & Advice
- Notable Breaches & Privacy Violations
- News
- ⭐️ (US) Senators act to SAVE voting machines — nakedsecurity.sophos.com/…
- The US Government’s fight against Encryption continues:
- US government wants “keys under doormat” approach to encryption — nakedsecurity.sophos.com/…
- FBI can’t break the encryption on Texas shooter’s smartphone — arstechnica.com/…
- Right On Cue, DOJ Says Encryption ‘Surely Costs Lives’ — www.macobserver.com/…
- Texas Shooting Massacre Revives False Dichotomy over Privacy and Encryption — www.macobserver.com/…
- London Heathrow Airport’s security laid bare by one lost USB stick — nakedsecurity.sophos.com/…
- Now anyone can fool reCAPTCHA — nakedsecurity.sophos.com/…
- Equifax Reopens Salary Lookup Service — krebsonsecurity.com/…
- Meet Russian Twitter troll Jenna Abrams and her 2,752 friends — nakedsecurity.sophos.com/…
- Opinion & Analysis
- ⭐️ Month in Review: Apple Security in October 2017 — www.intego.com/…
- ⭐️ Face ID’s Innovation: Continuous Authentication — tidbits.com/…
- ⭐️ A closer look at the capabilities and risks of iPhone X face mapping — social.techcrunch.com/…
- No, siblings aren’t ‘fooling’ Face ID — they’re training it — www.imore.com/…
- ⭐️ The era of easily faked, AI-generated photos is quickly emerging — qz.com/…
- How Twitter outrage hatches in tiny fringe groups on 4chan and Reddit — nakedsecurity.sophos.com/…
- Is the 1.6TB Paradise Papers exposé a leak or a hack? — nakedsecurity.sophos.com/…
- Propeller Beanie Territory
- ⭐️ Microsoft have issued a security advisory on the DDE vulnerabilities we talked about in the previous show, but none of their advice is in any way human-friendly. If you work in IT, then the document is very valuable, and you might consider a group policy to set the various registry keys discussed — technet.microsoft.com/…
- ⭐️ What do Microsoft’s highly secure Windows 10 device standards tell us? — nakedsecurity.sophos.com/…
- Android takes aim at ISP surveillance with DNS privacy — nakedsecurity.sophos.com/…
- Fear the Reaper, or Reaper Madness? — krebsonsecurity.com/…
- How to wear your password on your sleeve, literally — nakedsecurity.sophos.com/…
- Apple Releases Details on Differential Privacy, and the Big Takeaway Is Which Emoji Is Most Popular — www.macobserver.com/…
- Google’s QUIC protocol: moving the web from TCP to UDP — ma.ttias.be/…
Palate Cleansers
- The 100 megapixel Moon — www.syfy.com/…
- Pat gave Allison a “Box of Boogers” amzn.to/…