This repository has been archived by the owner on Feb 25, 2020. It is now read-only.

ghostwords/chameleon


Chameleon

Browser fingerprinting protection for everybody.

Chameleon is a Chrome privacy extension that 🌟 detects fingerprinting-like activity, and ✨ protects against fingerprinting, currently by making Chrome look like Tor Browser.

Detection

Chameleon detects font enumeration and intercepts accesses of fingerprinting-associated JavaScript objects like Window.navigator.

The number over Chameleon's button counts the number of distinct attempts to collect information about your browser on the current page. Higher numbers suggest fingerprinting might be taking place.

Protection

Since Tor users are supposed to all look alike, Chameleon attempts to blend in by altering request headers and JavaScript properties to match Tor Browser's values.

To start with, Chameleon covers Panopticlick's fingerprinting set, with more complete coverage in the works.

Chrome without Chameleon:

"before" screenshot

Chrome with Chameleon:

"after" screenshot

Tor Browser:

Tor Browser screenshot
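The access counting described under Detection and the property overriding described under Protection can be sketched together as follows. This is an added example, not Chameleon's own code: it assumes a constructed stand-in for window.navigator so it runs under Node.js, and the helper names and override values are hypothetical placeholders, not Tor Browser's real values.

```javascript
// Constructed stand-in for window.navigator so the example runs outside a browser.
function makeNavigator() {
  return {
    userAgent: 'ExampleBrowser/1.0 (constructed)',
    platform: 'ExampleOS',
    language: 'de-DE',
    plugins: ['example-plugin'],
  };
}

// Placeholder overrides for illustration; NOT Tor Browser's actual values.
const overrides = {
  userAgent: 'UniformBrowser/0.0 (placeholder)',
  platform: 'UniformOS',
  language: 'en-US',
  plugins: [],
};

// Hypothetical helper: replace each listed property with a getter that records
// the access and returns the override (or the original value if there is none).
function instrument(target, name, props, spoofed, seen) {
  for (const prop of props) {
    const original = target[prop];
    Object.defineProperty(target, prop, {
      configurable: true,
      enumerable: true,
      get() {
        seen.add(`${name}.${prop}`); // a Set keeps repeat reads from inflating the count
        return Object.prototype.hasOwnProperty.call(spoofed, prop) ? spoofed[prop] : original;
      },
    });
  }
  return target;
}

// Simulated page script that reads several properties, one of them twice.
function simulatePage() {
  const seen = new Set();
  const target = makeNavigator();
  const nav = instrument(target, 'navigator', Object.keys(target), overrides, seen);
  const collected = [nav.userAgent, nav.userAgent, nav.platform, nav.language];
  // An emptied plugin list is what breaks Flash detection (see Known issues).
  const flashPresent = nav.plugins.length > 0;
  return { count: seen.size, accessed: [...seen].sort(), collected, flashPresent };
}

console.log(simulatePage());
```

The count is over distinct properties, so a script that reads userAgent in a loop still contributes one to the total.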

Installation

To manually load Chameleon in Chrome, check out (or download and unzip) this repository, go to chrome://extensions/ in Chrome, make sure the "Developer mode" checkbox is checked, click on "Load unpacked extension..." and select the chrome folder inside your Chameleon folder.

To update manually loaded Chameleon, update your checkout, visit chrome://extensions and click on the "Reload" link right under Chameleon's entry.

You could also generate an installable CRX package. See below for details. To install from a CRX package, drag and drop the package file onto the chrome://extensions page.

Development setup

  1. npm install to install dev dependencies.
  2. npm run lint to check JS code for common errors/formatting issues.
  3. npm run watch to monitor extension sources for changes and regenerate extension JS bundles as needed. Leave this process running in a terminal as you work on the extension. Note that you still have to reload Chameleon in Chrome from the chrome://extensions page whenever you update Chameleon's injected script or background page.
  4. npm run dist to generate an installable CRX package. This requires having the signing key in ~/.ssh/chameleon.pem. To get a key, visit chrome://extensions/ in Chrome and click on the "Pack extension..." button to generate a CRX manually.

CSS sprites were generated with ZeroSprites.

Known issues

Some sites use Flash detection before loading Flash content. Since Chameleon overloads window.navigator.plugins, these sites end up showing error messages about needing to install or upgrade Flash.

Coverage

| Fingerprinting technique | Detection | Protection | Notes |
| --- | --- | --- | --- |
| Request header values | ✗ | ✔ | detection of passive fingerprinting requires an indirect approach |
| window.navigator values | ✔ | ✔ | partial protection (navigator.javaEnabled not yet overridden, ...) |
| window.screen values | ✔ | ✔ | |
| Date/time queries | ✔ | ✔ | partial protection (need to adjust the entire timezone, not just getTimezoneOffset) |
| Font enumeration | ✔ | ✗ | unable to override fontFamily getters/setters on the CSSStyleDeclaration prototype in Chrome; needs more investigation |
| CSS media queries | ✗ | ✗ | needs investigation |
| Canvas image data extraction | ✔ | ✗ | protection impeded by image rendering differences between Chrome and Firefox |
| Request header ordering/checksum, window.navigator checksum, checksumming in general | ? | ? | needs investigation |
| Flash/Java-driven queries | ✗ | ✗ | plugins need to be switched to click-to-play by default |
| Third-party cookies | ✗ | ✗ | need to disable by default |
| JS/rendering engine differences | ✗ | ✗ | needs investigation |
| Packet inspection/clock skew (?) | ✗ | ✗ | not possible in a browser extension |

Code license

Mozilla Public License Version 2.0
