My understanding is that websites use Canvas to generate a unique or semi-unique fingerprint of your browser, whether or not a cookie has been set. It's absolutely true that this is technically possible. Most people don't have your exact resolution/CPU speed/fonts installed/etc., so you are somewhat unique even if you have the same browser and OS as other people. If you block Canvas, you can actually see some websites request it as you log in. Amazon produces a popup asking permission to do canvas-y things during the login process on my computer, for instance.
I think the tone of most of the conversations around Canvas I've seen is a bit more catastrophic. Their argument usually goes something like: "Most websites are making UUIDs of your Canvas profile and tracking you everywhere, and therefore your cookie blocking and VPN are useless!" Bear in mind, I don't mean to strawman here; that's just a version of the argument I see most often.
What I personally suspect is that Canvas fingerprinting is used to supplement other tracking or verification. For example, I have a valid Amazon account, an Amazon cookie is properly set, and Amazon also checks my Canvas information to make sure nothing looks too out of place, i.e., my cookie was probably not replayed since my Canvas, IP address, and credentials check out. Presumably, my Canvas information cannot generate a true UUID, but it is something like 1 in 10,000. Enough to use it for additional verification.
Now, is any of this correct? Are folks' most paranoid fears accurate? Is my belief that Canvas is supplementary fraud detection accurate? Whatever answer is correct, it's unlikely to be broadly uniform across all websites. But, the point is, I'd really like to hear from an engineer about how Canvas is used.
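For readers who want to see the mechanism the post describes, here is an added illustration of canvas fingerprinting. It is editor-written example code, not code from the post, from Amazon, or from any fingerprinting library. It draws a fixed scene (text, a rectangle, an emoji that forces font fallback) onto a canvas, encodes the pixels with `toDataURL()`, and hashes the result; the scene is identical everywhere, so any difference in the hash comes from the machine's GPU, font stack and rasterizer. The `document` object is injected so the same function runs in a browser (pass `document`) or offline: `fakeDocument` is a constructed stand-in whose `rendererTag` argument simulates the per-machine rendering differences, and the FNV-1a hash is just a convenient dependency-free digest, not a claim about what any site uses.

```javascript
// Added example of canvas fingerprinting (editor's illustration, not code
// from the original post or from any site it mentions).

// FNV-1a 32-bit hash, returned as 8 hex chars. Any stable digest of the
// encoded pixel data would do; this one needs no library.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Draw a fixed scene and hash the encoded pixels. The drawing calls are
// constant; what differs across machines is how they are rasterized
// (anti-aliasing, sub-pixel positioning, which fallback font the emoji hits).
function canvasFingerprint(doc) {
  const canvas = doc.createElement('canvas');
  canvas.width = 220;
  canvas.height = 30;
  const ctx = canvas.getContext('2d');
  const text = 'Cwm fjordbank glyphs vext quiz, \u{1F600}'; // pangram + emoji
  ctx.textBaseline = 'top';
  ctx.font = "14px 'Arial'";
  ctx.fillStyle = '#f60';
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = '#069';
  ctx.fillText(text, 2, 15);
  ctx.fillStyle = 'rgba(102, 204, 0, 0.7)'; // overlapping translucent text
  ctx.fillText(text, 4, 17);                // exercises the blending path too
  return fnv1a32(canvas.toDataURL());
}

// Combine the canvas hash with other cheap signals into one device key.
// This is the "supplementary verification" model: a site stores the key
// beside the session and re-checks it on later requests.
function deviceKey(signals) {
  return fnv1a32(
    [signals.canvas, signals.screen, signals.timezone, signals.userAgent].join('|')
  );
}

// Constructed stand-in for `document` so the example runs outside a browser.
// `rendererTag` is an assumption standing in for real rasterizer differences:
// two "machines" with different tags encode the same scene differently.
function fakeDocument(rendererTag) {
  return {
    createElement() {
      const ops = [];
      const ctx = {
        fillRect: (...a) => ops.push('rect:' + a.join(',')),
        fillText: (...a) => ops.push('text:' + a.join(',') + ':' + ctx.font),
      };
      return {
        width: 0,
        height: 0,
        getContext: () => ctx,
        toDataURL: () =>
          'data:image/png;base64,' + rendererTag + ':' + ops.join(';'),
      };
    },
  };
}

// Usage in a browser would be: canvasFingerprint(document).
// Offline demonstration with two simulated machines:
const machineA = canvasFingerprint(fakeDocument('gpu-A/freetype'));
const machineB = canvasFingerprint(fakeDocument('gpu-B/directwrite'));
console.log('machine A canvas hash:', machineA);
console.log('machine B canvas hash:', machineB);
console.log(
  'device key A:',
  deviceKey({ canvas: machineA, screen: '1920x1080', timezone: 'UTC', userAgent: 'example' })
);
```

Two points the code makes concrete: the hash is stable on one machine (run it twice and it repeats), and it changes when the rendering changes, which is all a tracker needs in order to correlate visits. It also shows why the post's "1 in 10,000" intuition is plausible rather than a UUID: everyone with the same GPU driver, OS font set and browser build lands on the same hash, so sites fold it in with screen size, timezone and user agent to narrow the bucket, as `deviceKey` does.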