Chameleon
Browser fingerprinting protection for everybody.
Chameleon is a Chrome privacy extension that detects fingerprinting-like activity, and
protects against fingerprinting, currently by making Chrome look like Tor Browser.
WARNING
Chameleon is pre-alpha, developer-only software.
Please note that while Chameleon detects the use of canvas fingerprinting, Chameleon does not yet protect against it. See the coverage table below for more on Chameleon's current status.
The next step for Chameleon is to block scripts from loading based on their use of fingerprinting techniques, of which canvas fingerprinting is one. This work is in progress now (enabled by tying code execution to originating scripts in 25d7a5).
Detection
Chameleon detects font enumeration and intercepts accesses of fingerprinting-associated JavaScript objects like Window.navigator.
The number over Chameleon's button counts the number of distinct attempts to collect information about your browser on the current page. Higher numbers suggest fingerprinting might be taking place.
Protection
Since Tor users are supposed to all look alike, Chameleon attempts to blend in by altering request headers and JavaScript properties to match Tor Browser's values.
To start with, Chameleon covers Panopticlick's fingerprinting set, with more complete coverage in the works.
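The access-interception approach described under Detection and Protection can be sketched as follows. This is an added example, not Chameleon's own code: the helper names (`findDescriptor`, `instrument`, `makeCounter`, `demo`), the stand-in `nav` object and all values in it are constructed for illustration so the sketch runs outside a browser.

```javascript
// Added illustration, not Chameleon's source code.

// Look up a property descriptor on the object or anywhere on its prototype
// chain (browser navigator properties are accessors on a prototype).
function findDescriptor(obj, prop) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, prop);
    if (desc) return desc;
  }
  return undefined;
}

// Shadow each listed property with a getter that reports the read, then
// returns either a uniform replacement value or the original one.
function instrument(target, label, props, overrides, report) {
  for (const prop of props) {
    const desc = findDescriptor(target, prop);
    if (!desc) continue; // nothing to hook on this object
    const readOriginal = desc.get ? () => desc.get.call(target) : () => desc.value;
    Object.defineProperty(target, prop, {
      configurable: true,
      enumerable: desc.enumerable,
      get() {
        report(`${label}.${prop}`);
        return Object.prototype.hasOwnProperty.call(overrides, prop)
          ? overrides[prop] : readOriginal();
      },
    });
  }
}

// Tracks distinct property names, so repeated reads count once.
function makeCounter() {
  const seen = new Set();
  return { report: (n) => { seen.add(n); }, count: () => seen.size, names: () => [...seen].sort() };
}

function demo() {
  // Constructed stand-in for window.navigator; all values are made up.
  const nav = { userAgent: 'ExampleBrowser/1.0 (constructed)', platform: 'ExampleOS',
                language: 'de-DE', plugins: ['example-plugin'] };
  const counter = makeCounter();
  instrument(nav, 'navigator', ['userAgent', 'platform', 'language', 'plugins'],
             { language: 'en-US', plugins: [] }, counter.report);
  // Simulated page script: reads three properties, one of them twice.
  const collected = [nav.userAgent, nav.language, nav.language, nav.plugins.length];
  return { count: counter.count(), names: counter.names(), collected };
}

console.log(demo());
```

In a real page, hooks like these only see accesses if they are installed in the page's own JavaScript context before the page's scripts run.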
Chrome without Chameleon:
Chrome with Chameleon:
Tor Browser:
Installation
To manually load Chameleon in Chrome, check out (or download and unzip) this repository, go to chrome://extensions/ in Chrome, make sure the "Developer mode" checkbox is checked, click on "Load unpacked extension..." and select the chrome folder inside your Chameleon folder.
To update manually loaded Chameleon, update your checkout, visit chrome://extensions and click on the "Reload" link right under Chameleon's entry.
You could also generate an installable CRX package. See below for details. To install from a CRX package, drag and drop the package file onto the chrome://extensions page.
Development setup
- `npm install` to install dev dependencies.
- `npm run lint` to check JS code for common errors/formatting issues.
- `npm run watch` to monitor extension sources for changes and regenerate extension JS bundles as needed. Leave this process running in a terminal as you work on the extension. Note that you still have to reload Chameleon in Chrome from the `chrome://extensions` page whenever you update Chameleon's injected script or background page.
- `npm run dist` to generate an installable CRX package. This requires having the signing key in `~/.ssh/chameleon.pem`. To get a key, visit `chrome://extensions/` in Chrome and click on the "Pack extension..." button to generate a CRX manually.
CSS sprites were generated with ZeroSprites.
Coverage
| Fingerprinting technique | Detection | Protection | Notes |
|---|---|---|---|
| Request header values | ✗ | | detection of passive fingerprinting requires an indirect approach |
| window.navigator values | | | partial protection (navigator.javaEnabled not yet overridden, ...) |
| window.screen values | | | |
| Date/time queries | | | partial protection (need to adjust the entire timezone, not just getTimezoneOffset) |
| Font enumeration | | ✗ | unable to override fontFamily getters/setters on the CSSStyleDeclaration prototype in Chrome; needs more investigation |
| CSS media queries | ✗ | ✗ | needs investigation |
| Canvas image data extraction | | ✗ | protection impeded by image rendering differences between Chrome and Firefox |
| Request header ordering/checksum, window.navigator checksum, checksumming in general | ? | ? | needs investigation |
| Flash/Java-driven queries | ✗ | ✗ | plugins need to be switched to click-to-play by default |
| Third-party cookies | ✗ | ✗ | need to disable by default |
| JS/rendering engine differences | ✗ | ✗ | needs investigation |
| Packet inspection/clock skew (?) | ✗ | ✗ | not possible in a browser extension |
Code license
Mozilla Public License Version 2.0