[Privacy] Abrowser susceptible to browser fingerprinting

Project: Trisquel
Version: 6.0
Component: Programs
Category: Bug report
Priority: normal
Assigned: Unassigned
Status: closed
Description

The version of Abrowser that is included in Trisquel is susceptible to browser fingerprinting (read more about this at https://panopticlick.eff.org/). Some potentially easy fixes for making Abrowser less unique and trackable:

- The User-Agent includes the build date, e.g. Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20130818 Firefox/23.0, whereas the vanilla Mozilla Firefox builds include the generic date "Gecko/20100101".
- Trisquel sends an X-Abrowser-Spdy header instead of X-Firefox-Spdy.

Difficult issues to fix:

- Gnash includes an old, more unique version number, and perhaps its unique implementation could give itself away.
- Other plugin version numbers could be revealing too.

It appears that some work has already been done on this:

- Previous versions included "Abrowser/x.y" in the UA, but newer versions of Abrowser use "Firefox/x.y".

We also need to look into which user-agents for Firefox on GNU/Linux systems are more used, e.g. "Linux x86_64" vs "Ubuntu x86_64" in the OS part of the string. Perhaps more research into what unique browser characteristics other GNU/Linux distros have (especially the free ones) needs to be done.

I'm adding this to my "TODO when I get the chance in the holidays or long weekends" list.
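
An added example (not part of the original report and not Trisquel's code): a small Python check for the two header traits the report lists as easy fixes, the non-generic Gecko build date and the branded Spdy header. The sample header sets are constructed from the strings quoted in the report; the function name `audit_headers` and the header value "3" are assumptions.

```python
import re

GENERIC_GECKO_DATE = "20100101"  # date vanilla Firefox reports, per the report
UA_RE = re.compile(
    r"^Mozilla/5\.0 \((?P<platform>[^)]*)\) "
    r"Gecko/(?P<gecko>\d{8}) (?P<product>[A-Za-z]+)/(?P<version>[\d.]+)$"
)

# Constructed samples built from the strings quoted in the report;
# the Spdy header value "3" is an assumption.
ABROWSER = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:23.0) "
                  "Gecko/20130818 Firefox/23.0",
    "X-Abrowser-Spdy": "3",
}
VANILLA = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:23.0) "
                  "Gecko/20100101 Firefox/23.0",
    "X-Firefox-Spdy": "3",
}

def audit_headers(headers):
    """List traits that set these headers apart from vanilla Firefox."""
    findings = []
    # Header names are case-insensitive, so normalise before comparing.
    lowered = {name.lower(): value for name, value in headers.items()}
    m = UA_RE.match(lowered.get("user-agent", ""))
    if m is None:
        findings.append("User-Agent does not follow the Firefox layout")
    else:
        if m["gecko"] != GENERIC_GECKO_DATE:
            findings.append(f"Gecko token carries build date {m['gecko']}")
        if m["product"] != "Firefox":
            findings.append(f"product token is {m['product']}, not Firefox")
        rv = re.search(r"rv:([\d.]+)", m["platform"])
        if rv and rv.group(1) != m["version"]:
            findings.append("rv: and product version disagree")
    for name in lowered:
        # X-<brand>-Spdy with a brand other than Firefox names the fork.
        brand = re.fullmatch(r"x-([a-z0-9]+)-spdy", name)
        if brand and brand.group(1) != "firefox":
            findings.append(f"branded header {name}")
    return findings

if __name__ == "__main__":
    for label, sample in (("Abrowser", ABROWSER), ("vanilla", VANILLA)):
        print(label, audit_headers(sample))
```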

Tue, 10/08/2013 - 03:46

I use the Modify Headers addon[0] to change the user-agent string to

Mozilla/5.0 (Windows NT 6.0; rv:23.0) Gecko/20100101 Firefox/23.0, thinking this may further reduce my browser's fingerprint.

[0] http://trisquel.info/en/browser/addons/modify-headers

Mon, 03/31/2014 - 04:19

Installing Blender by default may help with this.

1. Select Add-ons, Get Add-ons, and search for Blender. Install Blender.
2. You also have to disable all plugins, which is a good idea anyway. If you don't want to do that, just skip to 3.
3. Go to Extensions, locate Blender, select Preferences, then check the "Fake Language" and "Disable plugins" boxes.

Go to http://panopticlick.eff.org and try it. Without Blender, Abrowser is unique. After following these steps, Abrowser is now...one in 364,153.

Better than nothing, but it would be nice if we could obscure time zone, screen size and color depth. However, the main problem seems to be choosing a better user agent string, since the default Blender one makes you 1 in 200 with that string. Maybe it is worth drawing from their code?

UPDATE: Installing LibreJS on top of all this brought my fingerprint down to one in 2,764 browsers. Try this!!!

Can anybody help us figure out how to change the user agent?

Mon, 03/31/2014 - 07:05

No cookies and no JavaScript, result: one in 90,000. This is how everybody should browse.

PS: You don't need an extension to change the UA. Just go to the location bar and input about:config [enter], then promise to be careful (if this is your first time), and then right click -> new -> string, name: general.useragent.override, value: UA goes here. If you want to restore the real UA, use the filter to find this preference, then right click it -> reset.

Mon, 01/12/2015 - 21:14
Status: active » fixed

Current Abrowser spoofs the UA to match Firefox, which is more common. Along with some config tweaks, options have been added to the Abrowser frontpage to mitigate fingerprinting: "request pages in english", "use system fonts" and "disable js".

As stated on that frontpage as well, IceCat is available for more privacy-conscious users if needed.

Mon, 01/26/2015 - 21:15
Status: fixed » closed

Automatically closed -- issue fixed for 2 weeks with no activity.