17
Stubsack: weekly thread for sneers not worth an entire post, week ending 5th January 2025 (awful.systems)
submitted 3 weeks ago by BlueMonday1984@awful.systems to c/techtakes@awful.systems
120 comments fedilink hide all child comments

Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful you’ll near-instantly regret.

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cut’n’paste it into its own post — there’s no quota for posting and the bar really isn’t that high.

The post Xitter web has spawned soo many “esoteric” right wing freaks, but there’s no appropriate sneer-space for them. I’m talking redscare-ish, reality challenged “culture critics” who write about everything but understand nothing. I’m talking about reply-guys who make the same 6 tweets about the same 3 subjects. They’re inescapable at this point, yet I don’t see them mocked (as much as they should be)

Like, there was one dude a while back who insisted that women couldn’t be surgeons because they didn’t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can’t escape them, I would love to sneer at them.

(Semi-obligatory thanks to @dgerard for starting this, and happy new year in advance.)

you are viewing a single comment's thread
view the rest of the comments
[-] skillissuer@discuss.tchncs.de 3 points 2 weeks ago

now i wonder how much of that is blocked by firefox enhanced tracking protection. not all, of course, and it's probably much more than needed for unique identifier. there's mozilla security blog post on this topic says that some anti-fingerprinting measures were built in all the way back in 2020 (firefox 72)

[-] sailor_sega_saturn@awful.systems 5 points 2 weeks ago* (last edited 2 weeks ago)

Above I listed a bunch of things which would help narrow down browser version, but that's hopeless anyway -- an adversary will probably be able to figure out your rough browser version even if you fake the UA string, and that you're running in anti-fingerprinting mode.

So assuming that's out of scope I think these are probably the big categories:

  • Normalize any system information presented to webpage (e.g. remove minor version from UA header, remove OS from UA header, etc)
  • Canvas, WebGL, and WebGPU need to be implemented in software in a deterministic way. Similarly any compositing (including stuff like font shaping, SVG rendering, page layout) must be done in software (prevent GPU fingerprinting)
  • A fixed font set must be used rather than using the system font set (prevent fingerprinting font enthusiasts)
  • The device size / frame size (and position) must be lied about (e.g. rounded to a common resolution or a multiple of 100px), and layout adjusted appropriately (Mozilla calls this "Letterboxing") (prevent fingerprinting psychos who don't run their browser in fullscreen mode).
  • Page storage should be disabled or cleared (local / session storage, cookies, service workers, indexeddb, etc) (A cookie by any other name would taste as sweet)
  • Caching is a big problem, probably have to disable it entirely (including HTTP caching, HTTP caching at the ISP level*, DNS lookups, favicons, JavaScript compilation cache) (Pesky pesky global state).
  • Performance metrics are another big problem. Disabling JavaScript would go a long way here but you probably can't prevent them entirely unless you're prepared to go to unhealthy extremes** (this is like the past 10 years of cutting edge security research so we're doomed)
  • Disable any plugins or other customizations which may provide a fingerprint accessible to the webpage (oops it turned out the FBI caught me because I configured my browser to inject pictures of cute bunnies into every webpage).
  • And of course IP address, which you presumably want to do something about (proxy?)

That said while I've worked with browsers, I'm not in the biz of fingerprinting or anti-fingerprinting, so there's surely stuff I haven't thought of.

* Actually we should probably just disable non-HTTPS entirely...

** Running under a VM is probably the minimum required to mitigate the chances of cutting-edge side-channel timing attacks from James Bond level adversaries, but at that point maybe you just want a dedicated browsing computer heh. I did chuckle at the idea of someone trying to apply cryptographic constant-time algorithm techniques to writing a browser though.

this post was submitted on 30 Dec 2024
17 points (100.0% liked)

TechTakes

1562 readers
154 users here now

Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.

This is not debate club. Unless it’s amusing debate.

For actually-good tech, you want our NotAwfulTech community

founded 2 years ago
MODERATORS
dgerard@awful.systems