Browser fingerprinting? [message #182780]
Thu, 12 September 2013 21:56
Gilles Ganault
Messages: 27 Registered: September 2010
Karma: 0
Junior Member
Hello
I googled the archives of this ng, but didn't find much.
I'd like to find some good PHP code that does what Panopticlick does,
namely uniquely identify a user's browser even when they connect as
anonymously as they can, i.e. either in incognito mode or by running a
browser in a virtual host:
www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-track
The goal is to keep trolls away from a site. As there aren't that many
browsers available, they should tire quickly, provided they even think
of installing another browser.
Is there some PHP code for that?
Thank you.

Re: Browser fingerprinting? [message #182782 is a reply to message #182780]
Thu, 12 September 2013 22:19
jimp
Messages: 22 Registered: December 2010
Karma: 0
Junior Member
Gilles <nospam(at)nospam(dot)com> wrote:
> Hello
>
> I googled the archives of this ng, but didn't find much.
>
> I'd like to find some good PHP code that does what Panopticlick does,
> namely uniquely identify a user's browser even when they connect as
> anonymously as they can, i.e. either in incognito mode or by running a
> browser in a virtual host:
>
> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-track
>
> The goal is to keep trolls away from a site. As there aren't that many
> browsers available, they should tire quickly, provided they even think
> of installing another browser.
>
> Is there some PHP code for that?
>
> Thank you.
Look at the PHP documentation for the get_browser function.
Be sure to read all the notes.
FYI it is rather trivial to fake what browser is in use.
--
Jim Pennino

Re: Browser fingerprinting? [message #182785 is a reply to message #182784]
Thu, 12 September 2013 23:29
Denis McMahon
Messages: 634 Registered: September 2010
Karma: 0
Senior Member
On Fri, 13 Sep 2013 00:43:49 +0200, Gilles wrote:
> I'll experiment with e.g. "md5(implode('',$_SERVER));" and see how it
> goes.
Comparing md5s of anything that contains timestamps is unlikely to match
across multiple checks.
Comparing md5s of anything that contains remote ports is unlikely to
match across multiple browser sessions.
Comparing md5s of anything that contains remote ip addresses is unlikely
to uniquely identify any sort of malicious user using proxies / tor etc.
Note - it's a lot easier to work out what won't work than to work out
what will.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
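As an added illustration of Denis's point (example code written for this edit, not from anyone in the thread): hashing all of $_SERVER bakes in the timestamp, port and address, while a hash of only the sorted HTTP_* headers survives a new port, timestamp or exit address but changes as soon as any one header does. The $_SERVER arrays below are constructed samples.

```php
<?php
// Added example, not code from the thread: why md5(implode('', $_SERVER))
// never matches across requests, and what a header-only hash does instead.

// $_SERVER keys that differ between requests or sessions. Any hash that
// includes them cannot match across checks, which is Denis's point.
const VOLATILE_KEYS = [
    'REQUEST_TIME', 'REQUEST_TIME_FLOAT', 'REMOTE_PORT', 'REMOTE_ADDR',
    'REQUEST_URI', 'QUERY_STRING', 'HTTP_COOKIE', 'HTTP_REFERER',
];

// Hash only the request headers (HTTP_* keys), sorted so the result does not
// depend on the order the web server populates $_SERVER in. Every input here
// is chosen by the client, so the value is at best a weak hint for logging
// or rate limiting, never an identity.
function header_fingerprint(array $server): string
{
    $parts = [];
    foreach ($server as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) !== 0 || in_array($key, VOLATILE_KEYS, true)) {
            continue;
        }
        $parts[$key] = (string) $value;
    }
    ksort($parts);
    // Length-prefix each field so that "a" + "bc" and "ab" + "c" cannot collide.
    $canonical = '';
    foreach ($parts as $key => $value) {
        $canonical .= strlen($key) . ':' . $key . '=' . strlen($value) . ':' . $value . "\n";
    }
    return hash('sha256', $canonical);
}

// Constructed sample: one browser making a second request a minute later,
// from a new ephemeral port and through a different exit address.
$first = [
    'REQUEST_TIME' => 1379022960,
    'REMOTE_PORT'  => '51234',
    'REMOTE_ADDR'  => '203.0.113.10',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0',
    'HTTP_ACCEPT'          => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'HTTP_ACCEPT_LANGUAGE' => 'fr-FR,fr;q=0.8,en-US;q=0.5,en;q=0.3',
    'HTTP_ACCEPT_ENCODING' => 'gzip, deflate',
];
$second = $first;
$second['REQUEST_TIME'] = 1379023020;
$second['REMOTE_PORT']  = '51987';
$second['REMOTE_ADDR']  = '198.51.100.7';

// Same browser with one header changed (a different language preference, or
// an add-on rewriting headers, as discussed later in the thread).
$third = $first;
$third['HTTP_ACCEPT_LANGUAGE'] = 'en-GB,en;q=0.5';

// The naive hash includes the timestamp, port and address, so it differs
// between the first two requests even though the browser is the same.
$naiveMatch = md5(implode('', $first)) === md5(implode('', $second));
// The header-only hash ignores those fields and matches across the two
// requests, but one changed header is enough to produce a different value.
$headerMatch  = header_fingerprint($first) === header_fingerprint($second);
$spoofedMatch = header_fingerprint($first) === header_fingerprint($third);

printf("naive md5 of \$_SERVER matches across requests: %s\n", var_export($naiveMatch, true));
printf("header-only hash matches across requests:      %s\n", var_export($headerMatch, true));
printf("header-only hash survives one changed header:  %s\n", var_export($spoofedMatch, true));
```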

Re: Browser fingerprinting? [message #182786 is a reply to message #182780]
Fri, 13 September 2013 00:31
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
Senior Member
On 9/12/2013 5:56 PM, Gilles wrote:
> Hello
>
> I googled the archives of this ng, but didn't find much.
>
> I'd like to find some good PHP code that does what Panopticlick does,
> namely uniquely identify a user's browser even when they connect as
> anonymously as they can, i.e. either in incognito mode or by running a
> browser in a virtual host:
>
> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-track
>
> The goal is to keep trolls away from a site. As there aren't that many
> browsers available, they should tire quickly, provided they even think
> of installing another browser.
>
> Is there some PHP code for that?
>
> Thank you.
>
You can easily detect the browser the user is using, and you can detect
the IP address.
However, browsers can easily be forged (as others have indicated), and
since there are only a few browsers available, a lot of people use them.
You can detect IP addresses, but there is no way to determine the REAL
IP address if the user is using an anonymous proxy.
The bottom line is - you really can't protect against trolls; they have
too many ways around things.
The article you reference is good marketing material - I would suspect
it works on both browser and IP address. But in real life it has more
holes than Swiss cheese.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

Re: Browser fingerprinting? [message #182787 is a reply to message #182780]
Fri, 13 September 2013 03:04
Fiver
Messages: 35 Registered: July 2013
Karma: 0
Member
On 2013-09-12 23:56, Gilles wrote:
> I'd like to find some good PHP code that does what Panopticlick does,
> namely uniquely identify a user's browser even when they connect as
> anonymously as they can, i.e. either in incognito mode or by running a
> browser in a virtual host:
>
> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-track
>
> The goal is to keep trolls away from a site.
In that case, forget it.
The Panopticlick demo isn't intended as something to emulate in
practice, but rather as something to be aware of. It works best on
visitors who don't know or don't care about how much information they
divulge. When I visit the demo site with all of the default plugins
enabled, I'm a unique snowflake. On the other hand, if I wanted to hide,
I'd turn plugins and scripting off for that site, and maybe go through a
proxy, and then I'm just one in a million.
If you target your troll too closely, he can trivially evade your
filter. If your constraints are too loose, you'll hit some legitimate
visitors. There's just no way you can win this battle by fingerprinting
the troll.
Forget it.
regards,
5er

Re: Browser fingerprinting? [message #182788 is a reply to message #182786]
Fri, 13 September 2013 04:59
J.O. Aho
Messages: 194 Registered: September 2010
Karma: 0
Senior Member
On 13/09/13 02:31, Jerry Stuckle wrote:
> On 9/12/2013 5:56 PM, Gilles wrote:
>> Hello
>>
>> I googled the archives of this ng, but didn't find much.
>>
>> I'd like to find some good PHP code that does what Panopticlick does,
>> namely uniquely identify a user's browser even when they connect as
>> anonymously as they can, i.e. either in incognito mode or by running a
>> browser in a virtual host:
>>
>> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-track
>>
>>
>> The goal is to keep trolls away from a site. As there aren't that many
>> browsers available, they should tire quickly, provided they even think
>> of installing another browser.
>>
>> Is there some PHP code for that?
>>
>> Thank you.
>>
>
> You can easily detect the browser the user is using, and you can detect
> the IP address.
>
> However, browsers can easily be forged (as others have indicated), and
> since there are only a few browsers available, a lot of people use them.
The idea with browser fingerprinting is to look at other things than the
browser itself, such as operating system, installed plugins and supported
fonts; those usually stay the same even if you change browser, but the
information needed isn't accessible to PHP. You would need to rely on
JavaScript, and then we are off topic and the OP should be looking for
answers elsewhere.
--
//Aho

Re: Browser fingerprinting? [message #182789 is a reply to message #182787]
Fri, 13 September 2013 05:49
Michael Vilain
Messages: 88 Registered: September 2010
Karma: 0
Member
In article <l0tvb5$2ot$1(at)dont-email(dot)me>, Fiver <numeralfive(at)gmail(dot)com>
wrote:
> On 2013-09-12 23:56, Gilles wrote:
>> I'd like to find some good PHP code that does what Panopticlick does,
>> namely uniquely identify a user's browser even when they connect as
>> anonymously as they can, i.e. either in incognito mode or by running a
>> browser in a virtual host:
>>
>> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-track
>>
>> The goal is to keep trolls away from a site.
>
> In that case, forget it.
>
> The Panopticlick demo isn't intended as something to emulate in
> practice, but rather as something to be aware of. It works best on
> visitors who don't know or don't care about how much information they
> divulge. When I visit the demo site with all of the default plugins
> enabled, I'm a unique snowflake. On the other hand, if I wanted to hide,
> I'd turn plugins and scripting off for that site, and maybe go through a
> proxy, and then I'm just one in a million.
>
> If you target your troll too closely, he can trivially evade your
> filter. If your constraints are too loose, you'll hit some legitimate
> visitors. There's just no way you can win this battle by fingerprinting
> the troll.
>
> Forget it.
>
>
> regards,
> 5er
I kept getting humans evading my CAPTCHA and sending me marketing SPAM
through my web site's contact form. After a while, I would just go
through the web log and find the IP address that completed the form and
block the entire subnet. So far, entire swaths of China, South America,
and Russia can't view my site. Their connection is refused based on
their IP address.
A broad brush, I know, but I haven't had any marketing emails to improve
my SEO score, improve my site, or better my mortgage interest rate.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]

Re: Browser fingerprinting? [message #182790 is a reply to message #182787]
Fri, 13 September 2013 07:22
Gilles Ganault
Messages: 27 Registered: September 2010
Karma: 0
Junior Member
On Fri, 13 Sep 2013 05:04:04 +0200, Fiver <numeralfive(at)gmail(dot)com>
wrote:
> The Panopticlick demo isn't intended as something to emulate in
> practice, but rather as something to be aware of. It works best on
> visitors who don't know or don't care about how much information they
> divulge. When I visit the demo site with all of the default plugins
> enabled, I'm a unique snowflake. On the other hand, if I wanted to hide,
> I'd turn plugins and scripting off for that site, and maybe go through a
> proxy, and then I'm just one in a million.
But then, most trolls aren't technically-savvy, and wouldn't even
think of installing a new browser after being banned.
And even then, after trying Chrome, Firefox, and IE, what else would
most of them think of doing?
I'll read up on what PHP + JS can do about that.
Thank you.

Re: Browser fingerprinting? [message #182793 is a reply to message #182789]
Fri, 13 September 2013 13:35
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
Senior Member
On 9/13/2013 1:49 AM, Michael Vilain wrote:
> In article <l0tvb5$2ot$1(at)dont-email(dot)me>, Fiver <numeralfive(at)gmail(dot)com>
> wrote:
>
>> On 2013-09-12 23:56, Gilles wrote:
>>> I'd like to find some good PHP code that does what Panopticlick does,
>>> namely uniquely identify a user's browser even when they connect as
>>> anonymously as they can, i.e. either in incognito mode or by running a
>>> browser in a virtual host:
>>>
>>> www.lifehacker.com/5458513/panopticlick-shows-how-easy-your-browser-is-to-track
>>>
>>> The goal is to keep trolls away from a site.
>>
>> In that case, forget it.
>>
>> The Panopticlick demo isn't intended as something to emulate in
>> practice, but rather as something to be aware of. It works best on
>> visitors who don't know or don't care about how much information they
>> divulge. When I visit the demo site with all of the default plugins
>> enabled, I'm a unique snowflake. On the other hand, if I wanted to hide,
>> I'd turn plugins and scripting off for that site, and maybe go through a
>> proxy, and then I'm just one in a million.
>>
>> If you target your troll too closely, he can trivially evade your
>> filter. If your constraints are too loose, you'll hit some legitimate
>> visitors. There's just no way you can win this battle by fingerprinting
>> the troll.
>>
>> Forget it.
>>
>>
>> regards,
>> 5er
>
> I kept getting humans evading my CAPTCHA and sending me marketing SPAM
> through my web site's contact form. After a while, I would just go
> through the web log and find the IP address that completed the form and
> block the entire subnet. So far, entire swaths of China, South America,
> and Russia can't view my site. Their connection is refused based on
> their IP address.
>
> A broad brush, I know, but I haven't had any marketing emails to improve
> my SEO score, improve my site, or better my mortgage interest rate.
>
You probably need a different CAPTCHA. Many of the commonly available
ones have been broken.
I wrote my own and my spam rate has dropped to zero.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

Re: Browser fingerprinting? [message #182794 is a reply to message #182789]
Fri, 13 September 2013 14:42
Martin Leese
Messages: 23 Registered: June 2012
Karma: 0
Junior Member
Michael Vilain wrote:
> I kept getting humans evading my CAPTCHA and sending me marketing SPAM
> through my web site's contact form. After a while, I would just go
> through the web log and find the IP address that completed the form and
> block the entire subnet. So far, entire swaths of China, South America,
> and Russia can't view my site. Their connection is refused based on
> their IP address.
>
> A broad brush, I know, but I haven't had any marketing emails to improve
> my SEO score, improve my site, or better my mortgage interest rate.
You can improve on this by flicking the
power switch on your computer. Then you
will be guaranteed to receive no SPAM at
all.
--
Regards,
Martin Leese
E-mail: please(at)see(dot)Web(dot)for(dot)e-mail(dot)INVALID
Web: http://members.tripod.com/martin_leese/

Re: Browser fingerprinting? [message #182797 is a reply to message #182790]
Fri, 13 September 2013 23:30
bill
Messages: 310 Registered: October 2010
Karma: 0
Senior Member
On 2013-09-13 3:22 AM, Gilles wrote:
> On Fri, 13 Sep 2013 05:04:04 +0200, Fiver <numeralfive(at)gmail(dot)com>
> wrote:
> ....
> then I'm just one in a million.
>
> But then, most trolls aren't technically-savvy, and wouldn't even
> think of installing a new browser after being banned.
>
> And even then, after trying Chrome, Firefox, and IE, what else would
> most of them think of doing?
They don't need tech-savvy; all they need are the easily available
spam/scam et al applications of which there are many. There is very
little you can do about it at all. In the end you can end up making it
as hard on humans as it is for robots and other miscreants who want to
compromise you for whatever reason.
IMO solid, as unbreakable as you know how to make it, validation is
about all you can do. If there are no reasons to have tags in anything,
then strip them out and throw them away. Same for, say, hex, where there is
no reason to expect hex in a text. Stop the data and you stop the abuse.
But of course there is no 100% solution and I doubt there ever will be.
EVERY data input can be spoofed, so instead of over-watching for that,
be pro-active about ANY unexpected data!
If it were easy to do, it'd also be widely publicized and available.
HTH,
Twayne`

Re: Browser fingerprinting? [message #182802 is a reply to message #182789]
Sun, 15 September 2013 18:57
Thomas 'PointedEars'
Messages: 701 Registered: October 2010
Karma: 0
Senior Member
Michael Vilain wrote:
> I kept getting humans evading my CAPTCHA and sending me marketing SPAM
> through my web site's contact form. After a while, I would just go
> through the web log and find the IP address that completed the form and
> block the entire subnet. So far, entire swaths of China, South America,
> and Russia can't view my site. Their connection is refused based on
> their IP address.
>
> A broad brush, I know, but I haven't had any marketing emails to improve
> my SEO score, improve my site, or better my mortgage interest rate.
And no serious attempts at communication from those places either. Your
logic is flawed.
PointedEars
--
Danny Goodman's books are out of date and teach practices that are
positively harmful for cross-browser scripting.
-- Richard Cornford, cljs, <cife6q$253$1$8300dec7(at)news(dot)demon(dot)co(dot)uk> (2004)

Re: Browser fingerprinting? [message #182803 is a reply to message #182801]
Sun, 15 September 2013 20:27
bill
Messages: 310 Registered: October 2010
Karma: 0
Senior Member
From: Twayne <nobody(at)spamcop(dot)net>
Newsgroups: comp.lang.php
Subject: Re: Browser fingerprinting?
Date: Sun, 15 Sep 2013 16:27:28 -0400
On 2013-09-14 6:11 PM, Gilles wrote:
> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>> If it were easy to do, it'd also be widely publicized and available.
>
> Thanks for the feedback.
>
Welcome.
I'm empathetic because I'm working along the same research lines as you
are. The only thing I'm sure of is, it has to be done server-side;
anything client-side can weed out some of it and save a tiny bit of
server traffic, but from the client side it's too easy. Those guys won't
be allowing js on their machines so js isn't going to be much good.
Right now all I can see doing is sanitizing and especially
validation of ALL inputted data. There are ways to catch enough of them
that at least it becomes too much effort for the bad guys to bother
with. And never forget htmlentities and htmlspecialchars; along
with the right sanitizing, they can at least render anything that comes
through useless.
The biggest problem IMHO is to make a textarea safe. HTML 5 now
includes the max length attribute but a miscreant isn't going to be
using anything 5 compliant if he's got more than one brain cell.
Personally I've managed so far to avoid javascript and instead look at
things like ctype, str_replace for validation uses, and whatever filters
will work. Counting page views helps, in addition to keeping a list of
miscreant IPs and their proxy information when you can get it, but the
smart ones are still going to be by it.
All you can do is your best :)
Twayne`

Re: Browser fingerprinting? [message #182804 is a reply to message #182803]
Mon, 16 September 2013 02:07
Peter H. Coffin
Messages: 245 Registered: September 2010
Karma: 0
Senior Member
On Sun, 15 Sep 2013 16:27:28 -0400, Twayne wrote:
> The biggest problem IMHO is to make a textarea safe. HTML 5 now
> includes the max length attribute but a miscreant isn't going to be
> using anything 5 compliant if he's got more than one brain cell.
substr() does wonders for cutting length for safety. Cosmetically, it
may be less than ideal, but...
--
36. I will not imprison members of the same party in the same cell
block, let alone the same cell. If they are important prisoners, I
will keep the only key to the cell door on my person instead of
handing out copies to every bottom-rung guard in the prison. --EOList

Re: Browser fingerprinting? [message #182806 is a reply to message #182803]
Mon, 16 September 2013 09:36
Gregor Kofler
Messages: 69 Registered: September 2010
Karma: 0
Member
Am 15.09.2013 22:27, Twayne meinte:
> The biggest problem IMHO is to make a textarea safe. HTML 5 now
> includes the max length attribute but a miscreant isn't going to be
> using anything 5 compliant if he's got more than one brain cell.
Maybe he/she isn't even using a browser...

Re: Browser fingerprinting? [message #182807 is a reply to message #182803]
Mon, 16 September 2013 10:13
Norman Peelman
Messages: 126 Registered: September 2010
Karma: 0
Senior Member
On 09/15/2013 04:27 PM, Twayne wrote:
> On 2013-09-14 6:11 PM, Gilles wrote:
>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>> If it were easy to do, it'd also be widely publicized and available.
>>
>> Thanks for the feedback.
>>
>
> Welcome.
> I'm empathetic because I'm working along the same research lines as you
> are. The only thing I'm sure of is, it has to be done server-side;
> anything client-side can weed out some of it and save a tiny bit of
> server traffic, but from the client side it's too easy. Those guys won't
> be allowing js on their machines so js isn't going to be much good.
> Right now all I can see doing is sanitizing and especially
> validation of ALL inputted data. There are ways to catch enough of them
> that at least it becomes too much effort for the bad guys to bother
> with. And never forget htmlentities and htmlspecialchars; along
> with the right sanitizing, they can at least render anything that comes
> through useless.
> The biggest problem IMHO is to make a textarea safe. HTML 5 now
> includes the max length attribute but a miscreant isn't going to be
> using anything 5 compliant if he's got more than one brain cell.
> Personally I've managed so far to avoid javascript and instead look at
> things like ctype, str_replace for validation uses, and whatever filters
> will work. Counting page views helps, in addition to keeping a list of
> miscreant IPs and their proxy information when you can get it, but the
> smart ones are still going to be by it.
> All you can do is your best :)
>
> Twayne`
>
Why is a textarea any different than any other form control?
--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-

Re: Browser fingerprinting? [message #182809 is a reply to message #182807]
Mon, 16 September 2013 11:03
Denis McMahon
Messages: 634 Registered: September 2010
Karma: 0
Senior Member
On Mon, 16 Sep 2013 06:13:52 -0400, Norman Peelman wrote:
> On 09/15/2013 04:27 PM, Twayne wrote:
>> The biggest problem IMHO is to make a textarea safe. .....
> Why is a textarea any different than any other form control?
It's not. Any form control is fine provided that it's sensibly[1] handled
in the server. I know that, you know that, most intelligent web
developers know that regardless of whether their server side is java, js,
asp, php, python, perl, a compiled cgi or something esoteric, but some
people seem to have their own unique worldview which doesn't seem to
involve what most of us would consider sensible handling of form controls
in the server.
[1] appropriate verification, validation and handling of data to prevent
injection of potentially harmful content.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
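An added example (written for this edit, not code from any of the posters) of the server-side handling Denis describes, applied to a textarea value: the length cut Peter suggests is done with mb_substr rather than substr so that a multibyte character is not split, control characters and invalid UTF-8 are dealt with before storage, and the HTML encoding Twayne mentions is applied at output time. The sample inputs are constructed.

```php
<?php
// Added example, not from the thread: handling a textarea (or any other form
// control) server-side. The HTML5 maxlength attribute is enforced only by a
// compliant browser; a client that is not a browser sends whatever it likes.

const MAX_COMMENT_CHARS = 2000;

// Validate and normalise the raw POST value. Returns null when the input is
// not acceptable at all; otherwise the cleaned text, ready to be stored.
function clean_comment(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // Reject byte sequences that are not valid UTF-8 rather than guessing
    // at an encoding; preg_* with the /u flag would fail on them anyway.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    // Normalise line endings, then drop control characters other than
    // newline and tab (NUL bytes in particular have no place in a comment).
    $text = str_replace(["\r\n", "\r"], "\n", $raw);
    $text = preg_replace('/[^\P{Cc}\n\t]+/u', '', $text);
    $text = trim($text);
    if ($text === '') {
        return null;
    }
    // Cut on characters, not bytes: substr() on UTF-8 can split a multibyte
    // character and leave an invalid sequence at the end of the string.
    return mb_substr($text, 0, MAX_COMMENT_CHARS, 'UTF-8');
}

// Encode for output into HTML. This is done at output time, not at storage
// time, so the stored text stays usable in other contexts (mail, JSON, ...).
function html_text(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed inputs standing in for $_POST['comment'].
$samples = [
    'plain'    => "Hello,\r\nthanks for the article.",
    'markup'   => "<script>alert('x')</script> nice \"post\"",
    'control'  => "line one\0\x07line two",
    'bad_utf8' => "caf\xE9",              // Latin-1 byte, not valid UTF-8
    'bomb'     => str_repeat('é', 5000),  // far longer than any maxlength
];

foreach ($samples as $name => $raw) {
    $clean = clean_comment($raw);
    if ($clean === null) {
        printf("%-8s rejected\n", $name);
        continue;
    }
    printf("%-8s %d chars -> %s\n", $name, mb_strlen($clean, 'UTF-8'), html_text($clean));
}
```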

Re: Browser fingerprinting? [message #182829 is a reply to message #182801]
Tue, 17 September 2013 20:53
Marc van Lieshout
Messages: 10 Registered: March 2011
Karma: 0
Junior Member
On 15-09-13 00:11, Gilles wrote:
> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>> If it were easy to do, it'd also be widely publicized and available.
>
> Thanks for the feedback.
>
It IS easy to do and widely available.
Look at the firefox add-on called SecretAgent. It's at:
https://www.dephormation.org.uk/?page=81
It has some 150 browser identification strings aboard (including Amaya,
Dillo, Bluefish), spoofs x-forwarded-for and via, spoofs ETags and sends
random Accept: headers.
Then rethink your question.

Re: Browser fingerprinting? [message #182830 is a reply to message #182806]
Wed, 18 September 2013 00:02
bill
Messages: 310 Registered: October 2010
Karma: 0
Senior Member
On 2013-09-16 5:36 AM, Gregor Kofler wrote:
> Am 15.09.2013 22:27, Twayne meinte:
>
>> The biggest problem IMHO is to make a textarea safe. HTML 5 now
>> includes the max length attribute but a miscreant isn't going to be
>> using anything 5 compliant if he's got more than one brain cell.
>
> Maybe he/she isn't even using a browser...
>
Very true; I didn't mention that because I didn't want to start any side
convos :)
Twayne`

Re: Browser fingerprinting? [message #182831 is a reply to message #182807]
Wed, 18 September 2013 00:06
bill
Messages: 310 Registered: October 2010
Karma: 0
Senior Member
On 2013-09-16 6:13 AM, Norman Peelman wrote:
> 4:27 PM, Twayne wrote:
>> On 2013-09-14 6:11 PM, Gilles wrote:
>>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>>> If it were easy to do, it'd also be widely publicized and available.
>>>
>>> Thanks for the feedback.
>>>
>>
>> Welcome.
....
>> All you can do is your best :)
> Why is a textarea any different than any other form control?
Don't recall the details & history, but it is different from text boxes
et al.
Wikipedia, I think, had a history on it with plenty of links.

Re: Browser fingerprinting? [message #182832 is a reply to message #182809]
Wed, 18 September 2013 00:11
bill
Messages: 310 Registered: October 2010
Karma: 0
Senior Member
On 2013-09-16 7:03 AM, Denis McMahon wrote:
> On Mon, 16 Sep 2013 06:13:52 -0400, Norman Peelman wrote:
>
>> On 09/15/2013 04:27 PM, Twayne wrote:
>
>>> The biggest problem IMHO is to make a textarea safe. .....
>
>> Why is a textarea any different than any other form control?
>
> It's not. Any form control is fine provided that it's sensibly[1] handled
> in the server. I know that, you know that, most intelligent web
> developers know that regardless of whether their server side is java, js,
> asp, php, python, perl, a compiled cgi or something esoteric, but some
> people seem to have their own unique worldview which doesn't seem to
> involve what most of us would consider sensible handling of form controls
> in the server.
>
> [1] appropriate verification, validation and handling of data to prevent
> injection of potentially harmful content.
>
Didn't understand much of that long run-on sentence, but there was a
reason that at the time probably sounded logical. But I've wondered the
same thing myself; seems like it was unnecessary to have to wait for 5
to come along to implement it. Shoulda been done years ago!
Twayne`

Re: Browser fingerprinting? [message #182833 is a reply to message #182829]
Wed, 18 September 2013 00:20
bill
Messages: 310 Registered: October 2010
Karma: 0
Senior Member
On 2013-09-17 4:53 PM, Marc van Lieshout wrote:
> On 15-09-13 00:11, Gilles wrote:
>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>> If it were easy to do, it'd also be widely publicized and available.
>>
>> Thanks for the feedback.
>>
>
> It IS easy to do and widely available.
For only one browser? And what if the miscreant isn't using a browser?
Such apps are readily available and have been for years, and they grow
smarter with each iteration.
So, no, it's not easy to do with the exception of keeping say FF
users from over-typing the boundaries. And if they are running js, which
miscreants are not going to do.
>
> Look at the firefox add-on called SecretAgent. It's at:
> https://www.dephormation.org.uk/?page=81
>
> It has some 150 browser identification strings aboard (including Amaya,
> Dillo, Bluefish), spoofs x-forwarded-for and via, spoofs ETags and sends
> random Accept: headers.
>
> Then rethink your question.
>
I wasn't aware of FF's addon for that, but it wouldn't influence me in
any way; one browser amongst many and thinking they're going to be used
by all miscreants is a dangerous assumption when what you want to avoid
is a message bomb which is the max an OS can handle. And as has been
mentioned a few times, it's not enough for actual security purposes;
it's only one possibility to watch out for. A text bomb can be a real PITA.
I'm not sure rethinking the question based on that is a wise decision.
Twayne`

Re: Browser fingerprinting? [message #182835 is a reply to message #182831]
Wed, 18 September 2013 00:33
The Natural Philosoph
Messages: 993 Registered: September 2010
Karma: 0
Senior Member
On 18/09/13 01:06, Twayne wrote:
> On 2013-09-16 6:13 AM, Norman Peelman wrote:
>> 4:27 PM, Twayne wrote:
>>> On 2013-09-14 6:11 PM, Gilles wrote:
>>>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>>>> If it were easy to do, it'd also be widely publicized and available.
>>>>
>>>> Thanks for the feedback.
>>>>
>>>
>>> Welcome.
>
> ...
>
>>> All you can do is your best :)
>
>> Why is a textarea any different than any other form control?
>
> Don't recall the details & history, but it is different from text
> boxes et al.
>
yep
most textareas will auto add scroll bars to accommodate 'more text'
> Wikipedia, I think, had a history on it with plenty of links.
>
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.

Re: Browser fingerprinting? [message #182836 is a reply to message #182830]
Wed, 18 September 2013 03:47
Peter H. Coffin
Messages: 245 Registered: September 2010
Karma: 0
Senior Member
On Tue, 17 Sep 2013 20:02:43 -0400, Twayne wrote:
> On 2013-09-16 5:36 AM, Gregor Kofler wrote:
>> Am 15.09.2013 22:27, Twayne meinte:
>>
>>> The biggest problem IMHO is to make a textarea safe. HTML 5 now
>>> includes the max length attribute but a miscreant isn't going to be
>>> using anything 5 compliant if he's got more than one brain cell.
>>
>> Maybe he/she isn't even using a browser...
>>
>
> Very true; I didn't mention that because I didn't want to start any side
> convos :)
But... but... That's what we DO here!
--
Windows is a pane in the ass....

Re: Browser fingerprinting? [message #182837 is a reply to message #182829]
Wed, 18 September 2013 05:06
Denis McMahon
Messages: 634 Registered: September 2010
Karma: 0
Senior Member
On Tue, 17 Sep 2013 22:53:30 +0200, Marc van Lieshout wrote:
> On 15-09-13 00:11, Gilles wrote:
>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>> If it were easy to do, it'd also be widely publicized and available.
>> Thanks for the feedback.
> It IS easy to do and widely available.
No it's not.
> Look at the firefox add-on called SecretAgent. It's at:
> https://www.dephormation.org.uk/?page=81
> It has some 150 browser identification strings aboard (including Amaya,
> Dillo, Bluefish), spoofs x-forwarded-for and via, spoofs ETags and sends
> random Accept: headers.
That's spoofing, not fingerprinting.
Spoofing is easy. Fingerprinting is not. Fingerprinting is attempting to
uniquely identify visitors to a site at the site server. Spoofing is
trying to tell the server you're someone different in some way to who you
really are. They're not the same thing, and while spoofing is easy,
fingerprinting accurately and reliably is incredibly difficult.
If I visit your website today using firefox on my unix pc over my adsl
connection, and tomorrow using chrome on my android tablet over its 3g
connection, how are you going to fingerprint me? I don't need to use
anything as "technical" as spoofing the browser id. You lost the game as
soon as I started playing!
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com

Re: Browser fingerprinting? [message #182838 is a reply to message #182837]
Wed, 18 September 2013 13:09
Scott Johnson
Messages: 196 Registered: January 2012
Karma: 0
Senior Member
On 9/17/2013 10:06 PM, Denis McMahon wrote:
> On Tue, 17 Sep 2013 22:53:30 +0200, Marc van Lieshout wrote:
>
>> On 15-09-13 00:11, Gilles wrote:
>>> On Fri, 13 Sep 2013 19:30:18 -0400, Twayne <nobody(at)spamcop(dot)net> wrote:
>>>> If it were easy to do, it'd also be widely publicized and available.
>
>>> Thanks for the feedback.
>
>> It IS easy to do and widely available.
>
> No it's not.
>
>> Look at the firefox add-on called SecretAgent. It's at:
>> https://www.dephormation.org.uk/?page=81
>
>> It has some 150 browser identification strings aboard (including Amaya,
>> Dillo, Bluefish), spoofs x-forwarded-for and via, spoofs ETags and sends
>> random Accept: headers.
>
> That's spoofing, not fingerprinting.
>
> Spoofing is easy. Fingerprinting is not. Fingerprinting is attempting to
> uniquely identify visitors to a site at the site server. Spoofing is
> trying to tell the server you're someone different in some way to who you
> really are. They're not the same thing, and while spoofing is easy,
> fingerprinting accurately and reliably is incredibly difficult.
>
> If I visit your website today using firefox on my unix pc over my adsl
> connection, and tomorrow using chrome on my android tablet over its 3g
> connection, how are you going to fingerprint me? I don't need to use
> anything as "technical" as spoofing the browser id. You lost the game as
> soon as I started playing!
>
I think the point he was trying to make, which is what I took out of it,
was how easy it is to minimize the practical use of fingerprinting.
Spoofing and fingerprinting are related in those terms.
The easier and more numerous the ways to spoof, the harder it is to
fingerprint a single source reliably.
In a prior post, I think the OP was asking for proof of how easy it is
to make fingerprinting unreliable, and one particular way was shown.
Scotty

Re: Browser fingerprinting? [message #182839 is a reply to message #182838]
Wed, 18 September 2013 16:24
J.O. Aho
Messages: 194 Registered: September 2010
Karma: 0
Senior Member
On 18/09/13 15:09, Scott Johnson wrote:
> On 9/17/2013 10:06 PM, Denis McMahon wrote:
>> On Tue, 17 Sep 2013 22:53:30 +0200, Marc van Lieshout wrote:
>>> It has some 150 browser identification strings aboard (including Amaya,
>>> Dillo, Bluefish), spoofs x-forwarded-for and via, spoofs ETags and sends
>>> random Accept: headers.
>>
>> That's spoofing, not fingerprinting.
>>
>> Spoofing is easy. Fingerprinting is not. Fingerprinting is attempting to
>> uniquely identify visitors to a site at the site server. Spoofing is
>> trying to tell the server you're someone different in some way to who you
>> really are. They're not the same thing, and while spoofing is easy,
>> fingerprinting accurately and reliably is incredibly difficult.
>>
>> If I visit your website today using firefox on my unix pc over my adsl
>> connection, and tomorrow using chrome on my android tablet over its 3g
>> connection, how are you going to fingerprint me? I don't need to use
>> anything as "technical" as spoofing the browser id. You lost the game as
>> soon as I started playing!
>>
>
> I think the point he was trying to make, which is what I took out of it,
> was how easy it is to minimize the practical use of fingerprinting.
> Spoofing and fingerprinting are related in those terms.
Fingerprinting will most likely disregard the UA string and just look at
what they can get out of the plug-ins and fonts installed; those are
far more static for a user over a long time. There are companies who
offer this kind of fingerprint detection to those willing to pay for it.
> In a prior post, I think the OP, was asking for proof on how easy it is
> to make fingerprinting unreliable, and one particular way was shown.
That really depends on the method for fingerprinting, and most of the
techniques are out of scope in the usergroup.
--
//Aho