Overview antidetect browsers

Carder

The system is as strong as its weakest part
Hello carders.

We all wondered "which antidetect browser to choose?", And, most importantly, "how to choose?" The problem is that due to the high complexity of emulating a foreign system, all antidetect browsers are scorched.

In this post I will tell you and use examples, reasonably, without conjectures and theories, I will show how they burn, how to minimize the fuse, and give you a minimal idea of the structure of each of them so that you can choose for yourself.

So, we have all four top browsers on the operating table today:

Linken Sphere, AntBrowser, Aezakmi and Indigo (aka "multilogin").

All browser makers are great guys and have kindly agreed to provide me with a demo, but in vain.

Theory first​

1) Each antidetect browser is based on the engine of a regular browser. As a rule, this is Chromium or Firefox. The fundamental differences in the internal structure of the engines are so great that, using javascript on the page, the site can always determine which engine the page we are viewing is actually loaded in. This means that the anti-fraud knows if your browser is based on IE, chrome or ff.

Examples:
  • only IE has ActiveX support, the Debug object, document.security, navigator.cpuClass and dozens of others,
  • only FF and Safari have MathML support,
  • only Chrome has a shape detection api,
  • only in Chrome and FF there is support for the webM codec in the video tag,
And the list is endless. There are so many differences that a separate website http://caniuse.com/ has appeared for developers, which allows you to check whether this or that functionality is supported in different browsers.

Hence the first rule for working with an antidetect browser:
Use the UserAgent corresponding to your antidetect engine.
For example, if your antidetect is made on Chromium, and your OS is a Mac, then use the most common UserAgent of Chromium on a Mac, for example Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

2) Hardware does not have to be unique. It should be "the same as everyone else."

The hardware characteristics of your pc are reflected in the following prints:
  • Canvas simple (2d) - with assumptions is not unique within each version of each OS. The differences in prints are due to the difference in font smoothing mechanisms in different operating systems.
  • WebGL (aka Canvas-3d) - in this case, the picture is drawn directly through the video card (if 3d acceleration support is enabled in the browser and in the os / virtual machine), and inside the browser by its built-in renderer (if 3d acceleration support is not available in the os, or disabled in the browser), is not unique for each combination of "os + video card + video card driver" in case there is support for 3d acceleration, and is not unique for each combination of "browser + os" if support for 3d acceleration is absent / disabled. On a sample of 1kk US traffic at the time of this writing, 16% of users did not have support for 3d acceleration on their PCs.
  • Audio is not unique within each version of your device's audio chipset.
There are no other ways to identify your hardware through the browser on the desktop, for example, to find out the serial number of the hard drive or processor or the color profile of the monitor. On mobile phones, an accelerometer (and data on its calibration) is added to the list, but this is a topic for a separate article.

Those wishing to delve into the theory can watch the presentation of the Google developer https://elie.net/publication/picasso-lightweight-device-class-fingerprinting-for-web-clients/ (eng) about the WebGL-based fingerprint, which is also used in ReCaptcha.

The less unique each of these prints is, the fewer questions there are about your device: it is "the same as everyone else." None of these fingerprints uniquely identifies your device, but each allows a site to provisionally define its "class" (for example, "PC with discrete video," or "phone, probably an iPhone"). And the best way to keep these prints believable is not to touch them. No kidding.

The second rule for working with an antidetect browser:

Don't touch your hardware prints
3) When we use a proxy from another country, the question inevitably arises about changing the displayed language, time zone, and possibly the set of fonts corresponding to your locale (in the case of working with Asian markets)

There are three main ways to change the values of languages, time zone, screen resolution, etc., returned via javascript in the browser:
  • rewrite these functions in the browser source code, before compiling it. This is the most reliable and most difficult to define method.
  • inject into the working process of the tab and intercept calls to the desired functions in real time. Technically difficult because offsets and function addresses float with every browser update.
  • overwrite the values we need directly on the page via javascript, after initializing the page we are viewing. The easiest to implement, but the most disgusting way, because it is really difficult to do it unnoticed. As I will show later, almost all antidetect browsers have chosen this path, which framed their users.
The third rule of the antidetect browser:
Do not touch or modify anything on the page / site via javascript
Let's turn to theory again to understand how a site / anti-fraud can detect that browser settings have been tampered with via javascript.

Most often, we need to change the language of the OS so that it matches the user's location. In addition to being passed to the site in the Accept-Language header, it is available to js through the variable navigator.language.

e5853b1998f02ce9fbab1.png

The properties of the navigator object cannot be simply overwritten; they are read-only. Read-only objects in javascript are traditionally implemented by creating an empty setter and a non-empty getter that returns the desired value. Therefore, we always have the opportunity to overwrite such objects by calling Object.defineProperty:

78593a7efa97bda2a6c52.png

We can assign a value to the mutable object, or we can hang our own getter on it, overwriting its native one, and thus preserving the "native" read-only behavior of this object:

f09b3ee80fefa835262b4.png

Voila, we changed the value we needed. But what could have gone wrong?

All. Everything went wrong.

Initially, such objects as navigator, screen and some others do not have their own properties, but inherit all the properties from the constructor of the older brother (objects Navigator and Screen, respectively). And a call to Object.defineProperty on any of these objects creates their own properties:

d6d60a798e997a3c8b206.png

Thus, any site / anti-fraud simply by calling one line of code

if (Object.getOwnPropertyNames(navigator)[0]) alert('fake parameters detected');

can determine that our browser settings are fake. And at this moment all the fancy protections and emulations become useless.

Diving​

Now that we have decided where we will look, let's move on to our kittens. To create profiles, I chose the default settings, without a proxy, with the minimum possible substitution of prints and environment variables (screen, color, x * e-my)

Indigo​

A variant based on Chromium, codenamed "Mimic".

The hardest hit browser of all, as well as the only browser in which parameter substitution is implemented in the source, and not through js.

Nothing sticks out anywhere, nothing burns, except …

What is firing on​

1) Disabled http3 protocol, which is available by default in chrome since 2013. Each site sees the type of connection and the protocol (http1.1, h2 or http / 2 + quic, aka http3), through which it is accessed. And if a site that supports http3 is accessed from chrome, but via http2, then either this request goes through a proxy, or it is not real chrome. Both the first and second conclusions drawn by the anti-fraud system are bad for us.

2) When rendering text, Times is used as the monospace font, which is not monospaced. This is not possible in the wild and is an obvious sign of font substitution. A monospaced font is one in which the width of all characters (for example w and i) is the same, for example Courier new. According to the specification, when font-family: monospace; is specified in an element's styles, the browser must take one of the available monospaced fonts (at least one such font is necessarily available in the system).

511ff4173276070a2b515.png

the difference is visible even by eye

The site can determine the mismatch of the font by drawing it on the canvas, and measuring whether the widths of the symbols i and w are the same, for example. You can see the difference yourself in the screenshot above. In the case of Indigo, any site (and antifraud) can see that a fake font is being used, not the native system font.

That's all with Indigo.

Linken sphere​

Chromium-based antidetect. The most expensive of all, and the most advertised. In his sweatshirts they come to interviews in "People-Pro", and he is promoted in the magazine "Hacker". It was last updated on 09/13/2019 (half a year ago) and here the disgrace begins.

What is firing on​

1) In fact, it is built on the basis of chromium from ~ 2018:

8bc68f76b0593879bbbc8.png

which means that we are not only deprived of unnecessary things, such as support for apng, VP9 and AV1 codecs, but also open to many vulnerabilities that have been fixed in chrome over the years.

2) As well as in Indigo, http3 support does not work.

3) All parameters are faked after the page is initialized with javascript and any site can see this (using the method I described above):

71cde34568f004c21b8a3.png

what can you say …

Lousy. But can it be worse? We'll see.

AntBrowser​

Antidetect based on FF, positioning itself as a tool for working with ru-services such as Avito and Yula.

What is firing on​

1) Since the browser is based on FF, all attempts to pretend to be chrome will fail, due to the difference in the engine design. Having a variable window.chrome is just such a failed attempt. At the same time, the page has both the window.chrome object and the objects sidebar, screen.mozLockOrientation and navigator.oscpu, which clearly indicate that the browser engine is FF.

227989ce40d8fe09f9c8b.png

2) Just like in Indigo, mince from fonts is used. And a regular font is used instead of a monospaced one:

518c261fa21c7e82dee54.png

3) All variables on the page are substituted via javascript:

17069ce12ce5290d8e818.png

The developer tried to remedy the situation, and replaced not the properties of the navigator object itself, but the properties of the prototype of its constructor, navigator.constructor.prototype. And it would have worked if their getters did not contain tens of kilobytes of obfuscated code that is available to every site / antifraud.

4) On every page, the attribute data-acxscriptallow="true" is added to the <html> tag in the dom tree, which indicates that the AudioContext Fingerprint Defender browser extension is running on the page. That is, the code of this extension was ripped off and added to the antidetect "as is".

Can you make it worse?

AEZAKMI​

Chromium-based antidetect. Positioned as "Cheat Code for Your Anonimity".

At the start, when creating a profile, the developers try to keep us from being able to merge real webGL prints, allowing only the creation of a profile with disabled support for 3d acceleration:

2835a117cc7acb7515535.png

"ANGLE" in the title indicates no support for 3d acceleration in the browser

But the good news ends there.

What is firing on​

1) The browser is launched out of the box with the --disable-web-security flag. This is as bad as it can be.

e4b3bf78336402852be15.png

Running chrome in this way disables CORS and any site can go to, for example, facebook.com and get all our profile data,

I'm wrong. Sites loaded into aezakmi do not have access to local files. I apologize.

4c4f51cea9f2a1b518cb2.png

2) Just as in the case of AntBrowser, on each page the attributes data-cbscriptallow="true" and data-acxscriptallow="true" are added to the <html> tag, which indicate the presence of code from extensions for spoofing canvas and audio prints.

3) The array of plugins is faked crookedly and does not have a field of its own length:

8adb04628463b2f06d9c8.png

This clearly indicates that the plugin list is fake.

4) On each page, the entire current browser profile config is placed in the global variable webglResponseStr:

97ef2f5c36994c624cb0f.png

There is no reason to do this in a sober mind and sound memory.

This data contains, among other things:
  • Current profile name
  • Your login on the AEZAKMI website
  • All data on the used proxy: proxyIp, proxyPort, proxyUser, proxyPassword in clear text.
And any site that you open in this antidetect has access to this data.

In summary, AEZAKMI is a suicide booth at $ 70 a month.

Is everything really that bad on the antidetect market? Yes, at the moment, absolutely everything is lousy.

Such an irresponsible attitude of the majority of antidetect developers to their clients and their material is not what the industry needs. The market needs knowledge, transparency and competition. In my heart, I expect that more players will appear who are guided by the principle of "do it right, it will be okay", not "it will do just that."

"So what kind of antidetect should I use?" My answer is "none", But the convenience brought by managing dozens of profiles from one program is captivating, and if you still need an antidetect browser, take Indigo at the moment - with some assumptions you will not be ashamed of it.
 
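The own-property check from the post above, extended with a check that prototype getters are still native (the case described for AntBrowser), as an added example that is not part of the original post. The mock navigator, the `findTampering` name and the fixture values are assumptions constructed so the code runs in Node; in a browser the real `navigator` or `screen` object would be passed in.

```javascript
// Added example: anti-fraud-side checks for JS-level tampering of navigator-like objects.
// Engine-provided accessors stringify as "function get language() { [native code] }".
const NATIVE_FN = /^function\s+(?:get\s+)?[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

function findTampering(obj, props) {
  const findings = [];
  // Check 1: navigator and screen inherit everything from their prototype, so any
  // own property means Object.defineProperty was called on the instance.
  for (const name of Object.getOwnPropertyNames(obj)) {
    findings.push({ prop: name, reason: 'own-property' });
  }
  // Check 2: the prototype accessors must still be the engine's native getters.
  const proto = Object.getPrototypeOf(obj);
  for (const name of props) {
    const desc = Object.getOwnPropertyDescriptor(proto, name);
    if (!desc || typeof desc.get !== 'function') {
      findings.push({ prop: name, reason: 'not-an-accessor' });
    } else if (!NATIVE_FN.test(Function.prototype.toString.call(desc.get))) {
      findings.push({ prop: name, reason: 'non-native-getter' });
    }
  }
  return findings;
}

// Constructed stand-in for navigator so the example runs in Node. Bound functions
// stringify as "function () { [native code] }", imitating engine getters.
function makeMockNavigator() {
  const proto = {};
  for (const [key, value] of Object.entries({ language: 'en-US', platform: 'Win32' })) {
    Object.defineProperty(proto, key, {
      get: (() => value).bind(null), enumerable: true, configurable: true,
    });
  }
  return Object.create(proto);
}

const PROPS = ['language', 'platform'];
const clean = makeMockNavigator();
// Constructed fixture: value overridden on the instance itself.
const instancePatched = makeMockNavigator();
Object.defineProperty(instancePatched, 'language', { get: () => 'de-DE' });
// Constructed fixture: getter replaced on the prototype instead.
const protoPatched = makeMockNavigator();
Object.defineProperty(Object.getPrototypeOf(protoPatched), 'language', {
  get() { return 'de-DE'; }, configurable: true,
});

console.log([clean, instancePatched, protoPatched].map((n) => findTampering(n, PROPS)));
```
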

Carding

This article will be devoted to anti-detection: what it is needed for, as well as in what cases it should be used, and in the end we will determine whether it is actually effective or not.

For those who do not know what it is, I will explain: Antidetect is a special software that can simulate any system (Windows, Mac, Linux, IOS, Android, etc.), as well as browsers (Chrome, Safari, IE, Opera, etc.). In simple words, when you drive into the same online store, you can constantly make a substitution for a new, unique system and browser. Thus, the shop will be more loyal to your drive-in than the expired system with which you have already fucked up the brain of the merch. The chances of a successful drive-in increase dramatically.

In addition, even if you go to different shops, antic can be a good helper for you, because there are shops that are more loyal to mobile devices, or to Windows, Mac, etc. antic can significantly save time, as it can clear cookies, configure WebRTC (which is often difficult for beginners), install browser extensions, and much more.

Do not use only antic, because this is only one of the useful tools for the work of a carder, do not forget about the rest. I recommend having a configured virtual machine for different operating systems and real devices to work with, for example, a configured Android.

Undisputed advantages of anti-detection are that it allows you to approach the drive-in of a shop from different systems, as well as saves time, money and nerves)

Anti-Detect Versions.

I recommend working with versions 6.5, 7.0, and 7.1.
I advise you to use version 6.5 only for generating configs.
I recommend using versions of antidect-7.0 - 7.1. their main advantages:

Drive-ins to stores.

I propose to analyze the first point in more detail.

However, for everyone else, antic can make the process of finding such a great father of carding as You much easier.

Some tips for using it:
1. Do not use mobile configs, otherwise sites may open in the mobile version, which is not very convenient.
2. Periodically replace config files.
3. Store the browser on an encrypted flash drive or hard disk.
4. It is desirable that the config differs from your current system.

The coders of our chat muddy the antique, by the way, I'm really looking forward to it!
Joni, will you finish your drink soon?
 