• mox@lemmy.sdf.org
    5 months ago

    Another problem with Cloudflare:

    They are a man-in-the-middle between users and a sizable chunk of web and domain name servers, putting them in a position to track your behavior all over the place (even if you use an ad blocker).

    And in many cases, they provide the encryption for those sites, so they can read or modify your unencrypted traffic as it passes between them and the origin servers.

    • Ace! _SL/S@ani.social
      5 months ago

      AdBlock doesn’t do shit about advanced fingerprinters

      Have a look at CreepJS

      Only way I found to circumvent it is by using JShelter with WebWorkers removed

        • Ace! _SL/S@ani.social
          5 months ago

          Well, this is a way too vast topic to explain everything here but I’ll try and summarize the most important things:

          Let me first explain how websites are able to “fingerprint” you: It’s basically just collecting as much data as possible about your device. Simple things like your browser’s size (in pixels), your screen size, your CPU’s core count and many, many more. Having all this data makes it possible for websites to create a profile that only matches one of your specific devices (worldwide!). Some websites/fingerprinters even go as far as scanning your local network for other devices, which could even tell them where you live, with whom etc. This wouldn’t be such a big deal if every website had their own database, but almost every page uses ads from Amazon, Meta or Google which makes these companies able to reliably track most of your internet usage even across different devices

          So fingerprinters can be very intrusive nowadays, the best way to be anonymous is for everyone to share the same fingerprint which is what the Tor Browser tries to attempt. Obviously this needs everyone to conform to some predefined norms to work, otherwise you’ll become an outlier which can be tracked again

          Tor Browser sadly is very slow and by definition not very customizable, so I chose to forsake it in favor of Librewolf in combination with uBlock Origin in Strict Mode, all filterlists and all privacy settings enabled. Additionally I use JShelter to restrict websites’ JavaScript usage and spoof some of the data which can be fingerprinted. Also for Android I use Firefox with some settings from the Arkenfox user.js (Librewolf uses this by default, I mostly use DNS over TLS and Resist Fingerprinting) and Firefox’s own Enhanced Tracking Protection in Strict mode. Additionally I like LibRedirect to access Reddit when I need to without having to log in.

          This setup stops most fingerprinters from even being loaded, those that still get loaded won’t run most of the time. It also sadly doesn’t work very well with pages behind Cloudflare, so you sadly need to (temporarily) disable some protections to get around Cloudflare’s captcha (or alternatively delete the webpage’s cookies each time you request another page from the same domain, this can be automated with addons/Firefox)

          Keep in mind though that my setup might be considered pretty overkill by most and that privacy is a spectrum. It’s possible to block all tracking, but that would make almost the whole web unusable so keep that in mind. Your goal should be to limit the data that can be harvested from you to an acceptable degree, not to eliminate it. Most of the time this is a tradeoff of convenience vs privacy

          If you wanna learn more look around uBlock Origin Wiki, the Arkenfox user.js Wiki and the JShelter webpage

          Additionally here’s some websites to test your overall fingerprintability:

          • Browserleaks (My favorite, as it explains most things it shows you)
          • Cover your tracks: Lets you look at your fingerprint generated by real tracking companies, mine is unique but changes every browser session (restarting my browser/wiping the page’s cookies)
          • CreepJS: Strongest fingerprinter I have found to date, almost impossible to fool. Goes as far as knowing when your browser lies about some things and much more!
          • IPLeak: Some more identifiable information about your ip address and DNS settings

          Shoutout to LibreJS as well, sadly it breaks wayyy too many websites without doing endless tweaking for me to consider it usable and also LocalCDN

          Also to finish this I should tell you that I’m by no means an expert and that you should do your own research. Having a semi random fingerprint can itself be a trackable vector but at least I feel safe enough doing it this way

          Feel free to ask more if something’s unclear/you want to know some more about privacy outside of your browser

          • asbestos@lemmy.world
            5 months ago

            Didn’t expect this. Thank you so much for such a great write-up. Stuff like this makes Lemmy great. What field are you in? Also, do you find CreepJS more powerful than Fingerprint.com?

            • Ace! _SL/S@ani.social
              5 months ago

              > Thank you so much for such a great write-up

              Don’t worry, I kinda nerd out over this so it was fun to share some of my knowledge

              > What field are you in?

              Nothing specific sadly, as I messed up school because I didn’t care enough. I started learning to program at 11 years old though, got into reverse engineering by 12 and so much more stuff by now because it’s all so fascinating I just can’t stop researching and messing around with things

              > Also, do you find CreepJS more powerful than Fingerprint.com?

              Haven’t seen that one yet, I’ll play around with it the next time I’m at my PC

              Edit: It’s not, my Android setup was enough to fool it automatically. CreepJS is insane though, it even kept track of me on Tor!

          • trolololol@lemmy.world
            5 months ago

            Mate thx for the wall post, I did learn a lot.

            I heard about generating unique IDs from harvesting PC data since the days that Adobe Flash versions were pretty telling, but no idea browsers today leaked so much semi identifying info.

            You are in fact an expert even if there’s people you look up to. Keep sharing and keep being awesome.

            • Ace! _SL/S@ani.social
              5 months ago

              > Mate thx for the wall post, I did learn a lot.

              > You are in fact an expert even if there’s people you look up to. Keep sharing and keep being awesome.

              Oh wow, I really didn’t expect such a kind response. I appreciate it, a lot actually. Now I know it was 100% worth it to write this 30 minute essay :D

              Glad to help you mate and thank you

              > You are in fact an expert even if there’s people you look up to

              I don’t wanna say you’re right/wrong with this. Although I definitely agree that it’s always a matter of perspective

              > I heard about generating unique IDs from harvesting PC data since the days that Adobe Flash versions were pretty telling, but no idea browsers today leaked so much semi identifying info.

              Yeah, it’s honestly scary. These huge tracking companies can easily tell who you are, where you live, with whom and also deeply analyze your psyche and psychological state. That’s why I went so deep into the privacy rabbit hole

              It’s also really scary that most people are okay with this

          • InnerScientist@lemmy.world
            5 months ago

            Something I don’t get is, why try to make all browsers look the same when you can do the easier thing and just make each browser session have a new fingerprint?

            A unique fingerprint doesn’t matter much if it’s only valid till I close that website, right? So why not change a lot of variables by some small amount to make the data useless?

            • Ace! _SL/S@ani.social
              5 months ago

              That’s exactly what my setup does. But like I said, this could in theory lead to you being more trackable
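
The trade-off discussed in this sub-thread (stock browser, one shared fingerprint for everyone, or a new fingerprint each session), as an added example that is not part of any commenter's post. It counts, over a small constructed population, which users stay linkable across sessions and how many sessions report an unusual value; the user records, attribute names, the fixed "uniform" profile and the list of common core counts are all made up for the illustration.

```javascript
// Constructed population: made-up users and attribute values, for illustration only.
const USERS = [
  { user: "a", screen: "1920x1080", cores: 8, tz: "UTC+1" },
  { user: "b", screen: "1920x1080", cores: 8, tz: "UTC+1" },
  { user: "c", screen: "2560x1440", cores: 12, tz: "UTC+1" },
  { user: "d", screen: "1366x768", cores: 4, tz: "UTC-5" },
  { user: "e", screen: "3440x1440", cores: 16, tz: "UTC+9" },
];
const SESSIONS = [1, 2, 3];
const COMMON_CORES = [2, 4, 6, 8, 12, 16]; // assumed "plausible" values

// What a page would read under each approach from the thread.
const STRATEGIES = {
  stock: (u) => ({ ...u }), // report real values
  uniform: (u) => ({ user: u.user, screen: "1400x900", cores: 2, tz: "UTC" }),
  // Deterministic stand-in for per-session noise: offset 1..5, different each session.
  randomized: (u, s, i) => ({ ...u, cores: u.cores + ((i * 7 + s * 3) % 5) + 1 }),
};

const fingerprint = (v) => `${v.screen}|${v.cores}|${v.tz}`;

function visits(strategy) {
  return USERS.flatMap((u, i) => SESSIONS.map((s) => STRATEGIES[strategy](u, s, i)));
}

// Users whose fingerprint repeats across their sessions and is shared with nobody else.
function linkableUsers(vs) {
  const owners = new Map(); // fingerprint -> Map(user -> sessions seen)
  for (const v of vs) {
    const seen = owners.get(fingerprint(v)) ?? new Map();
    seen.set(v.user, (seen.get(v.user) ?? 0) + 1);
    owners.set(fingerprint(v), seen);
  }
  const linked = new Set();
  for (const seen of owners.values()) {
    if (seen.size !== 1) continue; // shared fingerprint: hidden in a crowd
    for (const [user, n] of seen) if (n > 1) linked.add(user);
  }
  return [...linked].sort();
}

// Sessions reporting a value outside the common set, i.e. ones that stand out as altered.
const outlierSessions = (vs) => vs.filter((v) => !COMMON_CORES.includes(v.cores)).length;

for (const name of Object.keys(STRATEGIES)) {
  const vs = visits(name);
  console.log(name, "linkable:", linkableUsers(vs), "outlier sessions:", outlierSessions(vs), "of", vs.length);
}
```

On this data the stock browsers leave c, d and e linkable while a and b hide behind each other, and the uniform profile leaves nobody linkable. Per-session randomization also breaks linking, but 12 of 15 sessions report a core count outside the common set, which is the "more trackable in theory" caveat from the reply.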

  • RubberDuck@lemmy.world
    5 months ago

    They don’t care. As long as their bills are paid they will host anything that won’t get them in legal trouble.

    • conciselyverbose@sh.itjust.works
      5 months ago

      They shouldn’t care. Their job is not to control the internet. It’s to provide routing and content delivery.

      Responding to legal takedown notices is as far as they should go, and in a better system, would be as far as they’re legally allowed to go.

      • sugar_in_your_tea@sh.itjust.works
        5 months ago

        Exactly. In fact, I’d prefer for services like Cloudflare to not know much of anything about their customers, aside from whether they’re legally allowed to use the service.

        • conciselyverbose@sh.itjust.works
          5 months ago

          Yeah, the biggest threat they pose is how many domains they see everything from.

          Though they did use it well with that JS supply chain bullshit a month or two ago (and equally importantly, explicitly acknowledged in their announcement that it was an extraordinary measure and not something they wanted to make a routine thing).

        • conciselyverbose@sh.itjust.works
          5 months ago

          Their job is not to control the internet

          They take websites offline if and only if they receive a legal order to do so.

          Sites with user generated content have broad protections against illegal actions of their users unless they do one of a small handful of things that exposes them to liability, like actively participating or ignoring legitimate takedown requests. It’s not an accident. That’s how the internet is intended to work, and the only way allowing user generated content is realistically possible.

        • antler@feddit.rocks
          5 months ago

          Same reason why they serve Lemmy instances despite illegal content on Lemmy: section 230 of the DMCA

    • Nighed@sffa.community
      5 months ago

      If they were removing sites people would bash them too, there is no way they can win.