From: Boruch Baum
Newsgroups: gmane.emacs.w3m,gmane.emacs.help
Subject: [emacs-w3m:13608] Re: Browser Fingerprinting
Date: Thu, 16 Apr 2020 22:55:14 -0400
Message-ID: <20200417025514.5gotmp6vlvg3v25x@E15-2016.optimum.net>
To: tomasn@posteo.net, emacs-w3m@namazu.org
Cc: Emanuel Berg, help-gnu-emacs@gnu.org

On 2020-04-15 21:19, Tomas Nordin wrote:
> Emanuel Berg
> via Users list for the GNU Emacs text editor

Thanks for cc'ing this list. I'm interested in this topic and would
like to stay in the loop for it.

> > Here is an interesting article on so called "Browser
> > Fingerprinting" [1]. This can be of some concern to
> > people using uncommon browsers like Emacs-w3m.
>
> I did this test at https://panopticlick.eff.org in 2017 with emacs w3m.
> ...
> (emacs w3m). Here are some more stats from that test:
>
> Test                                                   Result
> Is your browser blocking tracking ads?                 ✓ yes
> Is your browser blocking invisible trackers?           ✓ yes
> Is your browser accepting Do Not Track commitments?    ✗ no

This 'Do Not Track' standard is a very modern development that I
understand no-one (server-side) honestly honors. I remember reading
that using it client-side only serves to identify you as someone
likely to be using privacy protections, which is undesirable because
you're just begging the server-side to invoke counter-measures.

> Does your browser protect from fingerprinting?         ✗ no

This has me puzzled. How did the website reach this answer? My memory
of this subject is that fingerprinting can only happen when the client
either voluntarily puts fingerprinting data in HTTP GET/POST requests,
or when the client has a javascript API that can be queried to reveal
fingerprinting data. AFAICT, neither emacs-w3m nor w3m do either.

Off the top of my head, some examples of fingerprint data that I
remember being common are: available fonts, display geometry and
properties, geo-location, data from device sensors (e.g. temperature,
accelerometer), hardware specifications, software environment, and
device specific stuff like UUID numbers.

BTW, if you are using a modern and updated version of linux, you may
be surprised to find that year ~2016 someone quietly added a small
file named 'machine-id' to your /etc directory.
This would be the ultimate identifying fingerprint, and has been
brought to you/us courtesy of the Red-Hat corporation, a genuinely
giant supporter of and contributor to open-source software, FOSS,
systemd, dbus, etc. Red Hat corporation only exists because of their
major paying customers, so indirectly that obligates us to be grateful
to those customers, which probably include your nation's counterpart
to the US Department of Defense and US National Security Agency. But,
like I said, AFAICT neither emacs-w3m nor w3m have any way for a
server to see the contents of /etc/machine-id.

> >
> > Because Emacs-w3m doesn't support JavaScript, one should
> > be safe from all that save for the cookies, but they can
> > be disabled with
> >
> >   (setq w3m-use-cookies nil)
>
> didn't turn that off...

If you can live with setting this variable to nil, that's great.
However, many people use websites that just won't work without a local
session cookie. For those cases, emacs-w3m currently requires the user
to set the variable to t, and to remember to manually delete the
generated cookies 'when appropriate', which is an intentionally vague
way of saying "it's complicated".

FYI, command M-x w3m-cookie allows you to view and manually manipulate
cookie data. I think that it's bound by default to keybinding M-k.
There also exists command M-x w3m-cookie-clear. Additionally, I've had
a long-standing pull-request pending for a feature I wrote to clear
ALL the browser's personal history (w3m-history-scrub).

  https://github.com/emacs-w3m/emacs-w3m/pull/2

I've been using the feature for over a year in my personal version

  https://github.com/Boruch-Baum/emacs-w3m

> > Then there is also the User-Agent field in the HTTP
> > request which browser supplies voluntarily.
> > Because Emacs-w3m isn't the most common of browsers,
> > this field can be used to identify YOU - possibly.
> > Inhibit with
> >
> >   (setq w3m-add-user-agent nil)

A few years ago, I reported a bug that this variable wasn't being
respected when set to nil. This wasn't a bug in emacs-w3m, but in w3m.
emacs-w3m uses w3m as a back-end, and w3m wasn't respecting nil
user-agent requests. Instead, w3m was replacing nil with its own
default string. This bug may have been fixed, but I don't remember.
The person who should know would be the w3m maintainer, Tatsuya
Kinoshita.

What might be more useful is to set variable w3m-add-user-agent to t,
and then set w3m-user-agent to some generic and popular user-agent
string.

> > Of course, the IP is still there, because otherwise the
> > server won't know where to send the requested HTML.
> > I think it is much more likely that tracking will be
> > done using that, than the browser fingerprint!
>
> Maybe. EFF explained to me at the time that browser fingerprinting is
> more effective since IP can change over time and can be fiddled with
> with VPN and so on. (Of course browser can change as well but anyway)

If your client is accessing the internet from behind a router, it may
be sharing a public-facing ipv4 address with all other devices behind
that router.

-- 
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0
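
An added example, not part of the original message: how much identifying information the HTTP headers alone carry without any JavaScript, and what replacing only the User-Agent (the w3m-user-agent suggestion above) changes. It measures surprisal in bits over a small visitor population; every header value and the population itself are constructed for illustration, and the Emacs-w3m string is a placeholder rather than what the browser really sends.

```python
import math
from collections import Counter

FIELDS = ("User-Agent", "Accept-Language", "Accept")

# Constructed header values; none are measured from real clients.
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Safari/537.36"
W3M = "Emacs-w3m/0.0 w3m/0.0"  # placeholder, not the real string
HTML = "text/html,application/xhtml+xml,*/*;q=0.8"

# Constructed log of 15 other visitors as (User-Agent, Accept-Language, Accept).
OTHERS = (
    [(FIREFOX, "en-US,en;q=0.5", HTML)] * 8
    + [(CHROME, "en-US,en;q=0.9", HTML)] * 4
    + [(FIREFOX, "de,en;q=0.5", HTML)] * 3
)

def surprisal_bits(others, visitor):
    """Bits of identifying information: log2(population / visitors alike)."""
    counts = Counter(others)
    counts[visitor] += 1  # the visitor is part of the population too
    return math.log2(sum(counts.values()) / counts[visitor])

def per_header_bits(others, visitor):
    """Surprisal of each header taken on its own, to see which one leaks."""
    return {
        name: surprisal_bits([o[i] for o in others], visitor[i])
        for i, name in enumerate(FIELDS)
    }

default = (W3M, "en", "text/html, text/*;q=0.5")      # rare client, all defaults
ua_only = (FIREFOX, "en", "text/html, text/*;q=0.5")  # only the User-Agent replaced
blended = (FIREFOX, "en-US,en;q=0.5", HTML)           # every header matches a crowd

if __name__ == "__main__":
    for label, v in (("default", default), ("ua_only", ua_only), ("blended", blended)):
        total = surprisal_bits(OTHERS, v)
        print(f"{label:8s} total={total:.2f} bits", per_header_bits(OTHERS, v))
```

In this constructed population the visitor stays unique (4 bits out of a possible 4) after changing only the User-Agent, because the other two headers still match nobody else; the total drops below 1 bit only when the whole header tuple matches a common one.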