{"id":13429,"date":"2017-11-11T17:33:19","date_gmt":"2017-11-12T01:33:19","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=13429"},"modified":"2017-11-20T14:26:09","modified_gmt":"2017-11-20T22:26:09","slug":"sb-12-11-2017","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2017\/11\/sb-12-11-2017\/","title":{"rendered":"Security Bits – Canvas Fingerprinting, KRACK Updates, TOR Browser Bug, New Zero-Day WiFi Bug, Brother Printer Exploit"},"content":{"rendered":"

Security Medium 1 \u2014 Canvas Fingerprinting<\/h3>\n

Before we look at canvas finger printing, I just want to set the scene with a reminder of one of the most fundamental truths about how the web was designed \u2013 each web page load is an independent event. Because that meant websites had no memory of anything that went before, i.e. no concept of state<\/em> the original web could not cope with concepts like logging in, or shopping baskets. Something had to be bolted on to allow web servers connect individual requests into related groups of requests.<\/p>\n

The official mechanism added to the HTTP protocol for retaining state between requests is the humble cookie. Cookies gave us the ability to log in, and basically, the modern web. But, they came with a dark side \u2014 as well as enabling all the cool things we like about the modern web, they also enabled tracking.<\/p>\n

<\/p>\n

Because cookies are a well defined and well documented feature, browsers provide users with mechanisms for controlling their use. That\u2019s a threat to the bottom line of those who make money by tracking people against their will and selling the information they glean from that tracking. That\u2019s why the trackers have always tried to think outside the box and find un-official and hence hard to block mechanisms for tracking users.<\/p>\n

One of the approaches used is fingerprinting<\/em>. The idea is to figure out some kind of calculation or processing you can do with either the metadata included in HTTP headers the data accessible via the JavaScript APIs to generate a result that\u2019s very unique, and doesn\u2019t change over time.<\/p>\n

A really naive finger print might be to combine the list of installed fonts with the browser version, screen resolution, and OS version and then hash that down to a single 28bit value. That\u2019s not completely unique, but it\u2019s pretty unique, and it\u2019s not very long lived (you update your browser and OS right!), but it\u2019s still going to remain static for days or even weeks. This kind of finger print can be used for some imperfect, but still financially valuable tracking.<\/p>\n

Needless to say, the multi-billion-dollar tracking industry didn\u2019t stop with naive fingerprints, they kept, and indeed keep, looking for better finger prints. That\u2019s where the HTML5 canvas comes in.<\/p>\n

I\u2019d argue that the humble HTML 5 canvas is probably the single biggest reason Flash is dead! So what is it? It\u2019s an HTML tag that allows developers to define a rectangular area on a web page that they can write pixel information to. Basically, it\u2019s a canvas you can draw on programatically. Make that pixel pink, draw a blue square with one corner at one coordinate and the other at another, and so on. Basically, the HTML 5 canvas made it possible to write graphical games on the web without Flash.<\/p>\n

That doesn\u2019t sound like it has anything what so ever to do with tracking does it!?<\/p>\n

What some very clever people noticed though is that while the same code creates a picture that looks extremely similar on every computer, the pixels on canvases have teeny tiny subtle variations, and those variations are determined by the computer rendering them, and consistent over time. My computer will draw a canvas a tiny bit differently to yours, and that difference will stay the same over time. Bingo \u2014 tracking!<\/p>\n

How can \u201cmake this pixel pink\u201d result in different outputs on different computer? That simple example can\u2019t, but the canvas supports much higher-level drawing operations, like support for anti-aliasing, and shape and font rendering. Each browser has its own implementation of the canvas tag, so they\u2019ll make subtly different choices on things like which anti-aliasing algorithm to use. Worse still, browsers hand a lot of graphics tasks off to the graphics card, so different hardware will also result in subtle differences in renderings. So even if two computers have the same browser version on the same OS version, if they have different graphics cards the anti-aliasing on a letter or a shape is likely to be very subtly different.<\/p>\n

I have to stress that these differences are REALLY subtle. You\u2019d need to zoom right in to a few 100% and compare pixel by pixel to notice these changes, but computers deal in absolutes, so different is different!<\/p>\n

The way this works is that a small piece of JavaScript creates a small canvas and positions it off screen so you don\u2019t see it. It then renders some carefully chosen shapes or letters to that canvas, and reads back the exact value of every resulting pixel, and hashes that result. The shapes are carefully chosen to be as likely as possible to be rendered differently from browser to browser and computer to computer.<\/p>\n

Remember that a small change in input to a hash should produce a big change in output. So, by hashing small subtle difference our eyes can\u2019t see, you get massively different outputs.<\/p>\n

It\u2019s these hashes that are the canvas fingerprint, and, they vary a lot from computer to computer, and they stay static over long periods of time, so they make great trackers.<\/p>\n

So, what made the news this week is that FireFox 58 is following the TOR Browser\u2019s lead, and blocking canvas fingerprints \u2014 how?<\/p>\n

Simple \u2014 if some JavaScript code calls the function to read pixel value from a canvas that is not visible on screen, the browser will ask the user\u2019s permission before proceeding.<\/p>\n

Right now this second only the TOR browser does this, FireFox will do it when version 58 releases, but for now, I\u2019m not aware that the other browser manufacturers have committed to doing this too. Hopefully they will, and soon.<\/p>\n

Links:<\/h4>\n