Confirmed users
3,339
edits
Fingerprinting: Difference between revisions
Jump to navigation
Jump to search
→Plugins: Rewrite plugin fingerprinting section to describe Firefox 28's navigator.plugins"cloaking"
(→Extra credit: canvas fix) |
(→Plugins: Rewrite plugin fingerprinting section to describe Firefox 28's navigator.plugins"cloaking") |
||
| Line 37: | Line 37: | ||
The PluginDetect JS library was used to check for 8 common plugins on that platform, plus extra code to estimate the Acrobat Reader version. Data sent by AJAX post. | The PluginDetect JS library was used to check for 8 common plugins on that platform, plus extra code to estimate the Acrobat Reader version. Data sent by AJAX post. | ||
IE does not allow enumeration via <code>navigator.plugins</code>. | IE does not allow enumeration via <code>navigator.plugins[]</code>. Starting in Firefox 28 ([https://bugzilla.mozilla.org/show_bug.cgi?id=757726 bug 757726]), Firefox restricts which plugins are visible to content enumerating <code>navigator.plugins[]</code>. This change does not disable any plugins; it just hides some plugin names from enumeration. Websites can still check whether a particular hidden plugin is installed by directly querying <code>navigator.plugins[]</code> like <code>navigator.plugins["Silverlight Plug-In"]</code>. | ||
This code change will reduce browser uniqueness by "cloaking" uncommon plugin names from <code>navigator.plugins[]</code> enumeration. If a website does not use the "Adobe Acrobat NPAPI Plug-in, Version 11.0.02" plugin, why does it need to know that the "Adobe Acrobat NPAPI Plug-in, Version 11.0.02" plugin is installed? If a website does need to know whether the plugin is installed or meets minimum version requirements, it can still check <code>navigator.plugins["Adobe Acrobat NPAPI Plug-in, Version 11.0.02"]</code> or <code>navigator.mimeTypes["application/vnd.fdf"].enabledPlugin</code> (to workaround problem plugins that short-sightedly include version numbers in their names, thus allow only individual plugin versions to be queried). | |||
For example, the following JavaScript reveals my installed plugins: | |||
<pre> | |||
for (plugin of navigator.plugins) { console.log(plugin.name); } | |||
"Shockwave Flash" | |||
"QuickTime Plug-in 7.7.3" | |||
"Default Browser Helper" | |||
"Unity Player" | |||
"Google Earth Plug-in" | |||
"Silverlight Plug-In" | |||
"Java Applet Plug-in" | |||
"Adobe Acrobat NPAPI Plug-in, Version 11.0.02" | |||
"WacomTabletPlugin" | |||
navigator.plugins["Unity Player"].name // get cloaked plugin by name | |||
"Unity Player" | |||
</pre> | |||
But with plugin cloaking, the same JavaScript will not reveal as much personally-identifying information about my browser because all plugin names except Flash, Shockwave (Director), Java, and QuickTime are hidden from <code>navigator.plugins[]</code> enumeration: | |||
<pre> | |||
for (plugin of navigator.plugins) { console.log(plugin.name); } | |||
"Shockwave Flash" | |||
"QuickTime Plug-in 7.7.3" | |||
"Java Applet Plug-in" | |||
</pre> | |||
In theory, all plugin names could be cloaked because web content can query navigator.plugins[] by plugin name. Unfortunately, we could not cloak all plugin names because many popular websites check for Flash or QuickTime by enumerating navigator.plugins[] and comparing plugin names one by one, instead of just asking for navigator.plugins["Shockwave Flash"] by name. These websites should be fixed. | |||
The policy of which plugin names are uncloaked can be changed in the about:config pref <code>plugins.enumerable_names</code>. The pref’s value is a comma-separated list of plugin name prefixes (so the prefix "QuickTime" will match both "QuickTime Plug-in 6.4" and "QuickTime Plug-in 7.7.3"). The default pref cloaks all plugin names except Flash, Shockwave (Director), Java, and QuickTime. To cloak all plugin names, set the pref to the empty string "" (without quotes). To cloak no plugin names, set the pref to magic value "*" (without quotes). | |||
== Fonts == | == Fonts == | ||