Posted by HypnoticOcelot 6 hours ago

Cloudflare Turnstile requiring fingerprintable WebGL(hacktivis.me)
307 points | 166 comments, page 3
zuzululu 2 hours ago
Don't like it, but it is a reality due to bots.
megous 2 hours ago
They use all kinds of obscure APIs, which you'll learn if you're privacy/security conscious and disable random web APIs that are of no use to YOU as a web user, but can only ever serve the people who serve you stuff or want to hack you or track you.

Normally websites feature test and just skip using obscure disabled APIs, or more likely, websites don't use those APIs at all or only tracking scripts use it, which are already optional usually.

Problem with CF is that if you want increased security they'll prevent you from gaining it everywhere, even on sites they don't protect, or prevent you from accessing services even the ones you paid for. Browsers don't allow disabling APIs per domain, so you're either at risk everywhere or you're blocked from accessing a lot of things for no particular reason.

CF can't be bothered to feature test.
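The "feature test and skip" pattern the comment above describes, as an added example (not code from the thread or from any browser or Cloudflare product): a page probes for WebGL, treats a null context, a throwing `getContext`, and a missing DOM all as "not available", and falls back instead of refusing to load. The `detectWebGL`/`chooseRenderer` names and the stub documents are constructed for this example; in a real page you would pass `document`.

```javascript
// Added example: feature-test WebGL and degrade gracefully when it is absent
// or disabled. detectWebGL() takes a document-like object so the probe can run
// offline against the constructed stubs below; in a browser pass `document`.

function detectWebGL(doc) {
  // Case 1: no DOM at all (API removed, or not a browser environment).
  if (!doc || typeof doc.createElement !== 'function') {
    return { available: false, reason: 'no DOM' };
  }
  const canvas = doc.createElement('canvas');
  if (!canvas || typeof canvas.getContext !== 'function') {
    return { available: false, reason: 'no canvas element' };
  }
  // Case 2: the API exists but the user disabled it (or the GPU is blocklisted).
  // getContext() then returns null rather than throwing, so check the value.
  let gl = null;
  try {
    gl = canvas.getContext('webgl2') || canvas.getContext('webgl');
  } catch (e) {
    // Case 3: some hardened builds throw instead of returning null.
    return { available: false, reason: 'getContext threw: ' + e.message };
  }
  if (!gl) {
    return { available: false, reason: 'context creation refused' };
  }
  return { available: true, reason: 'ok' };
}

// What a page should do with the probe result: use WebGL when it is there,
// otherwise fall back (2D canvas, static image, server-side render). A site
// that only needs WebGL for rendering has no reason to block the visitor.
function chooseRenderer(doc) {
  return detectWebGL(doc).available ? 'webgl' : 'fallback';
}

// --- Constructed stubs standing in for four browser configurations ---
function makeDoc(getContextImpl) {
  return { createElement: () => ({ getContext: getContextImpl }) };
}
// WebGL enabled: getContext returns a context object.
const docWithWebGL = makeDoc(() => ({ getParameter: () => 'stub' }));
// User disabled WebGL: getContext returns null for every context type.
const docWebGLDisabled = makeDoc(() => null);
// Hardened build that throws on the call.
const docWebGLThrows = makeDoc(() => { throw new Error('WebGL disabled'); });
// No DOM at all.
const docNoDom = {};

for (const [name, d] of [['enabled', docWithWebGL], ['disabled', docWebGLDisabled],
                         ['throws', docWebGLThrows], ['no-dom', docNoDom]]) {
  console.log(name, detectWebGL(d), '->', chooseRenderer(d));
}
```

The point of checking the return value rather than only `typeof WebGLRenderingContext` is that a user who has switched WebGL off still has the constructor defined; only `getContext` tells you whether a context can actually be created.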

bflesch 4 hours ago
Firefox has so much built-in tracking it seems they want to push me to build my own browser. For example every time you open the settings there are several ways they are sending out pings to certain extensions.

Also by default addons.mozilla.org is a privileged site so of course they include google tracking in it and they get the proper fingerprint no matter what you have configured.

konform 2 hours ago
If you are this motivated (I am!), how about joining forces on Konform Browser? Radio silence and remote third-party integrations disabled by default and generally sane and conservative defaults respecting old-fashioned notions like individual consent and data-protection regulations.

Aside from general dev, could use a hand in bringing it to more platforms (mobile and flatpak are frequently asked) and taking a closer look at fingerprinting protections and what's currently tripping up the turnstile.

https://codeberg.org/konform-browser/source

anonym29 5 hours ago
Say no to malware - say no to Cloudflare
kykat 6 hours ago
What? Big tech company is evil? No way! I thought Cloudflare were the good guys...
aleksandrm 5 hours ago
What gave you the impression that Cloudflare were the good guys?
tardedmeme 5 hours ago
Probably everyone on HN singing their praises for the past 10 years.
tick_tock_tick 52 minutes ago
Pretty sure every thread has a massive chain about them being an NSA honey pot.
kykat 5 hours ago
And my og comment getting downvoted on this very intellectual forum that definitely isn't an echo chamber
Petersipoi 4 hours ago
Your very sarcastic, uninteresting comment getting downvoted is not an indication that the forum isn't intellectual. It's an indication that you aren't behaving intellectually.
bflesch 4 hours ago
Cognitive dissonance in tech millionaires is quite strong, still worth it to trigger them from time to time on a factual basis.
aboardRat4 5 hours ago
Big tech companies are always visited first by the G-men who need something done.
shevy-java 4 hours ago
I wondered about that too. So they allege that bots require that everyone now has to ID to the big service providers. Very dystopian situation. Skynet is currently winning the war.
Fokamul 5 hours ago
Please, anyone from EU (US is doomed rofl) create a petition to ban browser-fingerprinting in EU, across all existing browsers.

I'm not good at creating petitions but can happily sign it. Also with stop killing games and anti-chat control.

I can imagine this can get traction if it's explained in a YouTube video to "normal" people.

arbol 27 minutes ago
You literally can't get rid of it without introducing government issued ID to buy any scarce freely accessible items
fidotron 5 hours ago
A better solution would be to make webgl, webgpu and (especially) webrtc have some sort of prompt before they can be in any way used in that fashion, but this will absolutely destroy web ux Windows Vista style.
JoshTriplett 5 hours ago
And then the gatekeepers like Cloudflare will say "please hit accept in order to verify your browser and access this site".
richwater 5 hours ago
You mean the "Accept Cookies" banner that has become a complete joke? Pass
MyMemoryfails 5 hours ago
I think he means browser permissions; for example, when browsers want to notify you or record your mic there's a permission check, something similar for WebGL.
J-Kuhn 4 hours ago
Fun Fact: When Cookies were introduced into Netscape, you got a browser permission prompt. Then browser vendors set it to allow by default.

And then legislation required those consent boxes back, so everyone built their own, instead of demanding that the default should be changed back.

bflesch 4 hours ago
It's about explicitly deciding to allow certain capabilities on a per-website basis. No major browser allows defense-in-depth via fine-grained website permissions.

Even simply changing the user agent was sabotaged at Firefox, and choosing one user agent per domain is wishful thinking.

fsflover 2 hours ago
This is actually illegal under GDPR.
jeroenhd 3 hours ago
Fingerprinting is just an implementation; banning it will just drive these companies to invent new tricks. That's why the GDPR doesn't specify any technical tracking methods: whether you're using cookies or fingerprinting or a camera drone looking at the user's screen, tracking without consent or good reason is banned.

I doubt politicians care much about fingerprinting, though. They're more afraid of actual businesses getting attacked by bots than they are about Linux users with weird setups not being able to access some websites.

koolala 5 hours ago
a. Accept All

b. Accept Only Necessary Fingerprinting

gruez 5 hours ago
This blog post is filled with false assumptions.

> Turns out it's because Cloudflare wants to have a fingerprint of your device via WebGL, the only reason for doing this would be tracking.

> So Cloudflare just banned all WebKitGTK browsers as I guess they put an exception for Safari.

This is false. I ran firefox with:

* hardware acceleration disabled (so software renderer, nothing to fingerprint)

* resistfingerprinting enabled, including letterboxing with default window size

* webgl disabled

* VPN enabled

* In a Windows VM

By all accounts this should be the most suspicious fingerprint ever, but turnstile happily lets me through. If they want to track people, they're doing a pretty bad job. My guess is that OP's browser is getting banned because his WebKitGTK has a weird fingerprint, not because of webgl or whatever.

> Such things are blocked in WebKit, and have been for years. Meaning it's tracking so awful that even Apple would block it, and as far as I can tell it's not the kind of privacy protection you can easily disable in it.

This is also false. Webgl fingerprinting works just fine on Safari. They might try to mitigate it by adding some noise, but that's not so different than what firefox does, and is certainly not "blocked".

konform 2 hours ago
I think your comment is also making plenty of assumptions.

Official Firefox can be leaky unless you build it yourself with some build-time changes or use a fork with such [0]. Am I guessing right that you still have Webcompat, RemoteSettings, and Nimbus enabled? How do you know a compatibility intervention isn't causing your browser to open the kimono just enough to "unbreak the page"?

> My guess is that OP's browser is getting banned because his WebKitGTK has a weird fingerprint, not because of webgl or whatever.

My guess is a different flavor of the same: Not matching an expected fingerprint (simplified: whitelist vs blacklist approach) combined with other factors.

[0]: I'm currently aware of Tor Browser, Konform Browser (am dev), Mullvad Browser, and to a certain extent Waterfox, LibreWolf, and r3df0x doing that.

gruez 2 hours ago
> Official Firefox can be leaky unless you build it yourself with some build-time changes or use a fork with such [0]. Am I guessing right that you still have Webcompat, RemoteSettings, and Nimbus enabled? How do you know a compatibility intervention isn't causing your browser to open the kimono just enough to "unbreak the page"?

See my other comment, tor browser works fine too: https://news.ycombinator.com/item?id=48346659

jeroenhd 3 hours ago
Enabling resistfingerprinting on my Android phone shows me the same error screen. It's not just webkit.

fingerprintingProtection works fine on the other hand, but then again that's intentionally less intrusive.

shiomiru 5 hours ago
> My guess is that OP's browser is getting banned because his WebKitGTK has a weird fingerprint, not because of webgl or whatever.

So why is Cloudflare saying the author got blocked because of WebGL?

> > Such things are blocked in WebKit, and have been for years. Meaning it's tracking so awful that even Apple would block it, and as far as I can tell it's not the kind of privacy protection you can easily disable in it.

> This is also false. Webgl fingerprinting works just fine on Safari. They might try to mitigate it by adding some noise, but that's not so different than what firefox does, and is certainly not "blocked".

While I don't have an iDevice to try, the assumption that they are special cased is fair... because they are: https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

(Yes, this is basically WEI in a shinier package.)

gruez 5 hours ago
> So why is Cloudflare saying the author got blocked because of WebGL?

No idea. I can't even reproduce the error OP got with webgl disabled.

https://litter.catbox.moe/y42l22k97tgv96nx.png

superkuh 5 hours ago
Yep. Cloudflare and cloudflare's customers don't care about blocking people that use non-standard browsers (or accessible browsers, or feed readers, or whatever). Using cloudflare defaults is basically saying, "Only major corporate browsers released in the last year or two can access this site."