Why does Akamai use two canvases for fingerprinting?
Akamai uses two canvases. What is their purpose?
Did anyone else notice that Akamai generated two canvases? One of them is large, and the other is pretty small.
The big canvas they use looks like this:
It is, of course, used for canvas fingerprinting.
The small (16x16) canvas they use looks like this:
(sorry, you will have to zoom a bit)
My intuition is that the checksum of the small canvas will be the same on every GPU and OS. They use the first canvas for fingerprinting and the second one to check that the user did not apply noise to their canvases. (Anti-canvas-fingerprinting extensions will indiscriminately apply noise to all canvases.)
This intuition coincides with a 2014 research paper I recently skimmed through, where you can read:
Enforcing a 16x16 pixel size limit allowed us to filter out scripts that read too few pixels to efficiently extract the canvas fingerprint. Although there are 2^8192 possible color combinations for a 16x16 pixel image, operating systems or font libraries only apply anti-aliasing (which is an important source of diversity for canvas fingerprinting) to text larger than a minimum font size.
E.g. Akamai could catch people adding noise to ALL their canvases this way.
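A sketch of how a noise check of this kind can work, seen from the detection side. This is an added example, not Akamai's code and not from the original post: it assumes that an opaque solid fill on a 16x16 canvas reads back exactly, so any deviation points to pixel tampering. The function names, the noise stand-in and the sample buffers are constructed for illustration.

```javascript
// Added example (not Akamai's code). Buffers are RGBA bytes shaped like
// ImageData.data, so this runs in Node; in a browser they would come from
// ctx.getImageData(0, 0, 16, 16).data after a solid ctx.fillRect().
const SIZE = 16;

// Pixels an opaque solid fill is assumed to read back as (constructed sample).
function solidFill(rgba, size = SIZE) {
  const px = new Uint8ClampedArray(size * size * 4);
  for (let i = 0; i < px.length; i += 4) px.set(rgba, i);
  return px;
}

// Hypothetical stand-in for a noise extension: flips the low red bit of every
// fifth pixel, with the pattern shifted by `seed` (one seed per read or session).
function addNoise(pixels, seed) {
  const out = Uint8ClampedArray.from(pixels);
  for (let p = 0; p < out.length / 4; p++) {
    if ((p + seed) % 5 === 0) out[p * 4] ^= 1;
  }
  return out;
}

// Compare two reads of the same drawing against the expected fill.
function checkCanvas(expectedRgba, readA, readB) {
  let offPixels = 0;
  let unstable = readA.length !== readB.length;
  for (let i = 0; i < readA.length; i += 4) {
    let off = false;
    for (let c = 0; c < 4; c++) {
      if (readA[i + c] !== expectedRgba[c]) off = true;
      if (readA[i + c] !== readB[i + c]) unstable = true;
    }
    if (off) offPixels++;
  }
  return { tampered: offPixels > 0 || unstable, unstable, offPixels };
}

const FILL = [255, 102, 0, 255];
const clean = solidFill(FILL);
console.log(checkCanvas(FILL, clean, clean));
console.log(checkCanvas(FILL, addNoise(clean, 1), addNoise(clean, 2)));
console.log(checkCanvas(FILL, addNoise(clean, 1), addNoise(clean, 1)));
```

The third call shows why comparing two reads is not enough on its own: noise that is stable within a session only shows up against the expected pixel values.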
👆 This shows the importance of reading research papers and writing your evasions instead of using black-box extensions.
Further reading: Antoine Vastel - The Intriguing Sneaker Bot industry
Edit: my fix looks like this
/**
* Add noise to a given canvas
* This function will cause the canvas fingerprint to change.
*/
function manipulate(canvas: HTMLCanvasElement): void {
const { width, height } = canvas;
+ if (width * height <= 16 * 16) {
+ // skip image manipulation on small canvases
+ return;
+ }
[... snip ...]
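Review bot: The doc comment above `manipulate` still says "This function will cause the canvas fingerprint to change", which no longer holds once the added early return fires for any canvas with `width * height <= 16 * 16`; the comment should state that exception. The added check is also on area rather than on dimensions, so a 256x1 or 8x32 canvas is skipped as well, while the inline comment only says "small canvases". If the 16x16 case is what is meant, say so in the comment and give the 256-pixel limit a named constant instead of the inline `16 * 16`.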
I feel better now 😁
EDIT: I might be wrong
Nexus from the Extra Community pointed out that the small canvas is not the same across devices. Shoutout for the heads-up!
My intuition still tells me that Akamai uses the small canvas to detect noise tampering, so I'll stay with this approach.
I need to research this subject by doing some A/B testing.