#44 Passive fingerprint detection
Opened 2 years ago by polcak. Modified 2 years ago

We do not modify HTTP headers like UAS, Accept-Language and others that are often misused for passive fingerprinting (see the paper around the TCF figure or https://www.fit.vutbr.cz/~polcak/tcf/tcf2.html, TCFv2 feature 3: Receive and use automatically-sent device characteristics for identification).

We do not modify them as they may break pages (like changing UAS), force server to display incorrect language version (we would go for either english or farble between several languages). Inconsistent HTTP headers could also be exploited by JS code that would detect the correct browser settings (for example installed fonts suggest a different language than reported). See https://jshelter.org/versions/, version 0.3: "Removed feature Do not change request HTTP headers. See the paper FP-Scanner: The privacy implications of browser fingerprint inconsistencies and pages like https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html." Are we still Ok with this decision?

Keep in mind that browsers want to address the issue with client hints https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#client_hints. Although the progress looks a little bit slow.

One option is to recommend the Firefox extension User Agent Switcher that already covers HTTP headers modifications functionality in great detail. https://gitlab.com/ntninja/user-agent-switcher This would be a good addition to a list of compatible apps that fall outside of the scope of JShelter. We need to make sure to point out that the changed HTTP headers will likely create inconsistencies.

Some HTTP headers modifications might be available in Manifestv3: https://developer.chrome.com/docs/extensions/reference/declarativeNetRequest/#rules. Giorgio comments: it may or not may work depending on what you're actually trying to achieve.

We should decide if we are OK with recommending User Agent Switcher or we want to take additional actions.

Login to comment on this ticket.