[Privoxy-users] Suppressing/modifying some browser fingerprints (ie. Am I Unique?)

[Lee]

On 7/15/20, U.Mutlu <um at mutluit.com> wrote:
> Ian Silvester wrote on 07/15/2020 03:02 PM:
>>
>> Thinking further about Javascript, perhaps one could create a custom rule
>> to block whichever Javascript functions are leveraged to sniff the more
>> unique elements that comprise the fingerprint; if you do take on this and
>> perform the research into the appropriate strings to look for please do
>> report back to this list.
>
> Thanks, yes, I'm interessted in finding a solution especially for the
> Javascript functions. Best would be to have the choice to allow/deny
> each single of these JS queries, optionally building own strings to send
> back.
>
> I must admit I'm new to internals of privoxy, but I can say I'm highly
> motivated, if necessary even ready to do do some C coding in the sources.
> Unfortunately I'm not an expert in HTML nor in Javascript nor JS DOM
> nor privoxy nor privacy etc., but I'm confident I can master them :-)
>
> When I saw all the tracking/spying and of course also the nasty ads,
> I realized that I need to find a generic solution for this problem.

I'm not sure what you consider 'this problem' since you don't talk
about IP addresses and  'Am I Unique?' seems to be an issue only if
you're somehow hiding your IP address from the web servers (ie. using
TOR or some other VPN that mixes your traffic in with lots of other
people's traffic)

So if you're trying to keep your private web browsing private, I'd
suggest using the TOR Browser & leaving it at that.

Privoxy used to be amazing, and then most everything web switched to
https.  Which is much better than doing clear-text, but bad in that
privoxy can't do anything with encrypted traffic except pass it along.
So privoxy became pretty the emuch a glorified hosts file.  Until
recently..

Privoxy now has the ability to act as a man-in-the-middle (MITM) and
see all the clear-text traffic coming and going :)  But it's not a
released product yet, so you have to build the latest development
version of privoxy from git -- see
https://www.privoxy.org/user-manual/installation.html#INSTALLATION-SOURCE

You'll also need mbed-tls for the MITM functionality -- I grabbed the
2.16.7 version:
https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.16.7

> My current solution is IMO not that bad: in firewall blocking everything
> by default for both inbound _and_ outbound, and only on demand allowing
> the minimum required URLs (ie. their address parts) necessary for a site
> to function. By this method all external trackers of that site get
> automatically blocked. Of course it requires some work and experimenting
> for finding out the right addresses (from those inside the HTML) and
> putting
> them into the firewall and trying & retrying...
>
> This works well I can say, IMO better (more restrictive) than say the
> DNS-based concept of Pi-hole, but this alone is of course not enough,
> one _also needs_ privoxy to modify the HTML data.

Once you have the ability to do https-inspection it's almost like
you've been time-warped back to 2010 - all the traffic is clear-text,
and you can modify most anything 'on-the fly' :)

Regards,
Lee