[p410n3]

> make the Lockdown mode browser look to external websites like it isn't in Lockdown mode.

This will be instantly defeated by benchmarking the js performance. But disabling JIT is a VERY important step to harden your browser. This is one of these things where you have to actually choose between privacy and security

[mrex]

>This will be instantly defeated by benchmarking the js performance.

How common is this behavior for non-malicious websites that a Lockdown mode user is likely to use? It seems to me that if you're loading malicious content from a site controlled by foreign intelligence services, you're probably done whether Lockdown is enabled or not. Preventing more casual profiling from common logs likely to be strewn about in CDNs, etc. is still an important level of protection, I'd argue.

[ev1]

Incredibly, extremely common on tons of sites.

Normal web pages that load ads will attempt to detect "fraud" by connecting back over WebRTC, running benchmarks to see how "valuable" of a user you are (how shit or expensive your hardware is), and running benchmarks to see whether you might be a fake browser/"ad fraud" user running large amounts of sessions at the same time and therefore have slower performance. It's bullshit and should be illegal.

I already dislike webgl leaking the model of my gpu, concurrency leaking memory and cores available, and disk space.

Go visit walmart or really any major site - almost more likely than not it will do this - and watch it attempt to enumerate all of your plugins, connect over webrtc, enumerate performance.* msPerformance, mozPerformance, make a webgl video and ask for unmasked renderer, enumerate thousands of fonts, attempt and fail to spawn piles of ActiveXObject, use "window.msDoNotTrack" as a fingerprinting feature point, enumerate hundreds of browser functions and getters (maxTouchPoints, doNotTrack, hardwareConcurrency, ...) and calling toString() on dozens of specific things like window.RTCDataChannel.toString() and seeing whether it fails in a try/catch, if it returns a function, or if it returns "function RTCDataChannel() { [native code] }" as a string, etc.

[ev1]

Can't edit anymore, but I want to point out that one particularly gross thing I've seen is code that checks how well your device characteristics line up with expectations for CPU and RAM.

The numbers are intentionally imprecise for anti-fingerprinting, but I've seen JS code that treats users as suspicious or bad when your logical core count reports 1-2 but memory is 8+, or a lot of cores and very little memory, or if your device is non-mobile but reporting less than 4 or 8 GB of memory. The assumption is that you are a virtual machine if you're a "desktop or laptop" and have a single or dual core in 2022, for example.

[mrex]

Wow. I had no idea. This bullshit is why I browse with javascript off, and enable it only on a per subdomain basis with uMatrix, and disable all the tracking technologies I can. I probably already stick out like a sore thumb to anyone doing browser fingerprinting.

Not only did the kids fail to get off our lawn, look at this giant hunk of poop they left all over it. Eternal September never ends.

[ev1]

Well, good thing they reverse-proxy the javascript code first party directly on the domain (www.*), and attempt to load multiple subdomains on the primary domain one after another (including randomised CDN paths)

[JackGreyhat]

I'm trying to grasp what you are explaining here. Is this another fingerprinting method?

[ev1]

"enable it only on a per subdomain basis" works when the tracking runs off a separate subdomain. Walmart, for example, intentionally proxies the files through their primary domain, the one that you are visiting, to try and bypass this.

--

Other sites and services will also use blocking them as a fingerprinting point. For example, it loads native first-party JS to try and bootstrap the rest of it.

A really simplified example:

Stage 1: on-page script tag, not a separate file, sets up a variable - let's call it "counter"

Stage 2: Load cross-site-tracker.js from obvious-analytics.example.com.

If it fails:

Stage 3: Load QyojK8oIwLjske2JkW9mdJY0Np.js from hqMOBRLccCmEnG9.cloudfront.net; increment a "shady user is trying to hide from us" counter

If it fails:

Stage 4: Load RandomWordsRainbowButterfly.js from N4NqCUJAT9UUXFcwnn.cloudfront.net; increment a "shady user is trying to hide from us" counter

Keep trying this through 3-4 domains, use random s3 buckets, cloudfront hostnames, akamaized.net hostnames. Upload all tracking data as soon as one of them succeeds.