Canvas Fingerprinting Protection
Canvas Fingerprinting is a method of uniquely identifying browsers by hashing an image produced by the HTML5 Canvas element. This is one of the most common kinds of tracking I see when doing my research on webpages. To combat this, Trace randomly generates a new canvas hash every request, making it impossible to tie you down to one identity.
A demo of canvas fingerprinting is available here: BrowserLeaks Canvas Fingerprinting Demo. When protected, you should see the “Signature” change every time you reload the page. If it stays the same, you’re trackable.
Audio Fingerprinting Protection
A more advanced tracking method is Audio Fingerprinting, which uses the AudioContext API to fingerprint your browser. Trace stops this by disabling the API. The protection is configurable, so you can choose how extreme you want it to be.
A demo of audio fingerprinting is available here: OpenWPM Audio Fingerprinting Demo.
getClientRects Fingerprinting Protection
Cookies are the main form of tracking on the web. They store a unique identifier which is tied to all of your online activities. There are 2 types of cookie, first party and third party. First party cookies are ones from the current website that you’re on, whereas third party cookies are the ones set by other websites that are running code on the current site you’re visiting. Third party cookies are the ones which usually track you, and it’s usually alright to outright disable third party cookies.
Trace protects you against these tracking cookies by intercepting both Set-Cookie and Cookie headers, checking the names of the cookies against the cookie list, checking if they’re third or first party and then removing them depending on your settings. More information is available here.
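The cookie filtering described above, sketched as an added example (not Trace's own code). The cookie list, the setting names and values, and the two-label site comparison are assumptions made for the illustration.

```javascript
// Added example, not Trace's code. The list and settings below are constructed.
const TRACKING_COOKIE_NAMES = new Set(["_ga", "_gid", "__utma", "fr"]);

// Naive "site" comparison using the last two hostname labels (assumption).
// A real extension should consult the Public Suffix List (example.co.uk etc.).
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

function isThirdParty(requestUrl, pageUrl) {
  return siteOf(requestUrl) !== siteOf(pageUrl);
}

// settings.firstParty / settings.thirdParty: "none" | "listed" | "all" (hypothetical).
function shouldRemove(cookieName, thirdParty, settings) {
  const mode = thirdParty ? settings.thirdParty : settings.firstParty;
  if (mode === "all") return true;
  if (mode === "listed") return TRACKING_COOKIE_NAMES.has(cookieName);
  return false;
}

// headers: [{ name, value }], the shape the webRequest API hands to listeners.
function filterCookieHeaders(headers, requestUrl, pageUrl, settings) {
  const thirdParty = isThirdParty(requestUrl, pageUrl);
  const out = [];
  for (const h of headers) {
    const lname = h.name.toLowerCase();
    if (lname === "set-cookie") {
      // Response side: one cookie per header, "name=value; attr; attr".
      const cookieName = h.value.split("=")[0].trim();
      if (!shouldRemove(cookieName, thirdParty, settings)) out.push(h);
    } else if (lname === "cookie") {
      // Request side: many cookies in one header, "a=1; b=2".
      const kept = h.value.split(";").map((s) => s.trim()).filter(Boolean)
        .filter((p) => !shouldRemove(p.split("=")[0].trim(), thirdParty, settings));
      // Drop the header entirely when nothing survives the filter.
      if (kept.length) out.push({ name: h.name, value: kept.join("; ") });
    } else {
      out.push(h); // unrelated headers pass through untouched
    }
  }
  return out;
}
```

In an extension, a function like this would be called from the blocking onBeforeSendHeaders and onHeadersReceived listeners, with the tab's URL supplied as pageUrl.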
Screen Resolution Tracking Protection
One of the many variables that websites can use to track you is the size of your screen. Trace can change the browser variables that websites see. This means that you could essentially have a new identity on each page load.
Removal of Referrer Headers
The HTTP ‘Referer’ header (yes, it’s spelt wrong) is a header that tells a webpage the URL of the page that brought you to that page. This is an extremely common tracking technique, but blocking it completely can actually break some websites. In version 2.0, Trace handles this header itself instead of relying on a setting in the browser, allowing greater control in choosing when this header is sent.
Removal of Special Chrome Headers
By default, Chrome will tell Google, YouTube and some other websites certain information about your Chrome installation, such as experiments that are running in your browser. This not only allows Google to force ‘experimental’ features on you but also wastes bandwidth. Trace protects you by removing those headers from web requests.
The headers removed are: X-Client-Data, X-Chrome-UMA-Enabled, X-Chrome-Variations and X-Chrome-Connected.
User-Agent Randomisation protects you by changing your HTTP User-Agent every 15 seconds. A User-Agent is a string of text sent to every website you visit, telling it what OS and browser you’re using and their versions. Whilst this information can be used to show you relevant information for your computer, it can also be used to identify you, and attackers can use it to identify whether your system or browser is vulnerable to certain attacks.
WebRTC Leakage Prevention
WebRTC is a rather new technology. By default it will tell a website your local IP (e.g. 192.168.x.x), and it can also tell a website about other devices on your network. Blocking this not only makes it harder to track you but can also stop attackers from being able to scope out your network and find potential weaknesses.
Hyperlink Auditing Prevention