mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-11-23 21:02:09 +00:00

Compare commits

3 commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| Rohan Kumar | 425798152f | syndicate | 2023-08-28 13:52:35 -07:00 |
| Rohan Kumar | 7bb83e8158 | New note: fingerprinting and customization | 2023-08-28 13:52:11 -07:00 |
| Rohan Kumar | 44c328d5ca | receipts for 3 more instances | 2023-08-28 11:44:25 -07:00 |

2 changed files with 30 additions and 1 deletions

@ -0,0 +1,24 @@
---
title: "Fingerprinting and customization"
date: 2023-08-28T13:52:11-07:00
replyURI: "https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40337#note_2936949"
replyTitle: "Wouldn't, say, installing the Dark Reader extension have much less of a privacy impact than disabling RFP altogether?"
replyType: "DiscussionForumPosting"
replyAuthor: "Allium"
replyAuthorURI: "https://gitlab.torproject.org/Allium"
syndicatedCopies:
- title: 'Tor Project GitLab'
url: 'https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40337#note_2937536'
- title: 'The Fediverse'
url: 'https://pleroma.envs.net/notice/AZCWxOH1fC9CUnxmoi'
---
These addons work by injecting or altering stylesheets in the page, and are trivially detectable. A good rule of thumb is that if it can trigger a CSP violation in the developer console, it is trivial to detect with JavaScript.
(FWIW: I believe the Tor Browser does disable the Reporting API, so I think some JavaScript will be necessary).
On "safest" mode with remote JavaScript disabled, certain "dark mode" addons *might* be safe. I think a better long-term solution would be the ability to "freeze" a page: a button or something to prevent the current page from initiating further requests (it's already loaded), running scripts, accessing storage, etc. In this state, a user could use any addons or fingerprinting-compromising settings without risk.
A good point of comparison is Reader Mode: a user's preferred Reader Mode fonts, line-width, color scheme, etc. aren't fingerprinting vectors. It should be able to stop a site from phoning home or writing to client-side storage to allow for similar levels of customization outside Reader Mode.
Other sources of inspiration could be the expected behavior for the [`scripting: initial-only` media query](https://drafts.csswg.org/mediaqueries-5/#scripting), and Firefox's built-in "Work Offline" setting.
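
Review bot: the note body opens with "These addons" but never says which addons; the only antecedent is the Dark Reader mention in `replyTitle`, which a reader of the syndicated Fediverse copy may not have in front of them. Consider opening with something like "Addons like Dark Reader work by injecting or altering stylesheets". In the Reader Mode paragraph, "It should be able to stop a site from phoning home" also has no clear subject; "The browser should be able to" would read unambiguously.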

@ -263,6 +263,9 @@ cachapa.xyz
: Admin [posts blatant racism](http://archive.today/2023.08.05-185121/https://moar.cachapa.xyz/notes/9huxc4zgtc), [blatantly racist transphobic sui-biat](http://archive.today/2023.08.05-185812/https://moar.cachapa.xyz/notes/9bv4ns2itf).
: Instance permits lolicon, and runs bots for it such as "Shishihime"; this may be a legal risk, depending on your jurisdiction.
catgirl.life OR peervideo.club
: Both are part of [the Waifu Hunter Club's suite of services](http://web.archive.org/web/20230828181259/https://waifuhunter.club/services/), along with gameliberty.club; see its FediNuke entry. catgirl.life has [the same admin as gameliberty.club](http://archive.today/2023.08.28-181717/https://catgirl.life/@matrix07012), who [has used the domain for block-evasion](http://archive.today/2023.08.28-182409/https://catgirl.life/notes/8wpdshluoy). Like gameliberty.club, both instances also permit lolicon.
cawfee.club
: [Racism from multiple users, including admin](https://web.archive.org/web/20230730210913/https://cawfee.club/notice/AY5J5qUA898oge9pa4).
: [Anti-Romani and racist posts from admin](https://web.archive.org/web/20230730211327/https://cawfee.club/notice/AXjafVFrE4C3c48Mm8).
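
Review bot: in the new `catgirl.life OR peervideo.club` entry, the two archived receipts after the services-page link both point at catgirl.life, and the closing sentence "both instances also permit lolicon" carries no link at all. That leaves peervideo.club listed on the strength of the services page alone; add an archived receipt for the lolicon claim, ideally one per instance, so the entry is sourced like its neighbours. Minor: the services link uses `http://web.archive.org` while the cawfee.club lines below use `https://web.archive.org`.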
@ -409,6 +412,9 @@ merovingian.club
midwaytrades.com
: Runs [a Libs of TikTok bot](https://web.archive.org/web/20230802162551/https://freesoftwareextremist.com/notice/AYBwS5rDjFaDyIqKtU). [Transphobic and misogynist admin](https://ghostarchive.org/archive/9qO8r).
mirr0r.city
: Paraphilia- and pedophilia-focused instance that [explicitly welcomes pro-contacts and neo-Nazis](http://web.archive.org/web/20230828183201/https://mirr0r.city/notice/AVr8KfJybjh4eFdHAO).
mouse.services
: Admin [posts blatantly racist use of slurs](http://archive.today/2023.08.19-042746/https://miss.mouse.services/notes/9ijlonbgrd), [more racism](http://archive.today/2023.08.19-054501/https://miss.mouse.services/notes/9icb5d8xav).
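
Review bot: the mirr0r.city entry makes two claims, but its one archived link is attached only to the "explicitly welcomes pro-contacts and neo-Nazis" clause; "Paraphilia- and pedophilia-focused instance" has no receipt of its own. If the linked notice also establishes the instance's focus, extend the link text to cover that; otherwise add a second archived link. The link also uses `http://web.archive.org` where the midwaytrades.com line above uses `https://`.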
@ -654,7 +660,6 @@ wideboys.org
: On the root domain is [a wiki describing how this domain is affiliated with beefyboys.win](https://web.archive.org/web/20230827195937/https://wideboys.org/BEEFYBOYS.WIN). The [beefyboys.win "about" page](https://web.archive.org/web/20230827200822/https://beefyboys.win/about) confirms this.
: Since beefyboys.win is on FediNuke and wideboys.org is part of the same network with staff and member overlap, and wideboys.org still federates on the "blog" subdomain, it's on the list too. But since it only federates via WriteFreely at the time of writing, it looks like a smaller harassment vector so it's demoted to my tier-0 list.
{{</ nofollow >}}
</details>