Admin canvas tracking

Using Ghostery on a fresh install of WordPress 4.2, the only “tracker” it is finding and blocking is Gravatar, which is actually the service WordPress uses for avatars, not a tracker (Ghostery considers it a third-party widget).

Via dev tools, WordPress is not loading any cookies or frames outside of the domain itself.

The PDF you linked to is referring to the <canvas> element, which “allows for dynamic, scriptable rendering of 2D shapes and bitmap images. It is a low level, procedural model that updates a bitmap and does not have a built-in scene graph.” It is not used for tracking.

https://en.wikipedia.org/wiki/Canvas_element

In the WordPress code itself, the canvas element is used for Emoji/Smilies and some video player elements.

The tracking strategy outlined in the PDF suggests that use of <canvas> elements may contribute to a browser fingerprint, which “is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.”

https://en.wikipedia.org/wiki/Device_fingerprint

The primary attributes to a browser’s fingerprint are still largely the user agent, installed plugins/extensions, and window size. It is very unlikely that <canvas> usage offers any beneficial data for a fingerprint, or any beneficial data beyond what your browser already shares.

If you’re interested, you can see just how unique your browser’s finger print is, and all of the elements that go into it, at https://panopticlick.eff.org/

In short, there is no tracking the WordPress Dashboard. <canvas> is used for legitimate reasons, cannot be used for tracking, and may only contribute a negligible amount of data towards your browser’s fingerprint.

Yep, as mentioned, it’s a potential component of a browser fingerprint, just like the plugin/extensions you use, your window size, etc. Nothing more.

It’s not a security issue.

It’s a standard HTML5 tag being used legitimately in WordPress that some lousy people found a way to use as a tiny portion of barely identifying information.

Tor has chosen to react the way they do because the Tor browser is designed to block all potentially identifying information. (which is kind of a moot point if you’re logging in to your account anyway)

Then I guess don’t use smilies, emoji, or the video player.

Really, it’s not a security problem, and there warning is a bit over-paranoid.

If you want to make your case to the developers, start by filing a bug report, and make sure to include everything you’ve shared here (don’t just link to the thread).

If you make a strong enough case as to why the entire operation of the emoji/smilies and video player system needs to change for a very small minority of users, they might re-consider it.

https://make.wordpress.org/core/handbook/reporting-bugs/

most of the visitors will think they are beeing tracked and will stop visiting the Blog.

By “most of the visitors” I assume you mean your visitors using the Tor browser? Because, none of the major browsers have a check like this, and Tor is an incredibly small minority.

I hope this “feature” will be changed for the Admin to be able to turn this off.

As already mentioned, you can “turn this off” by not using emoji/smilies or the embedded video player in your posts. Those rely on the <canvas> element, but you don’t have to use them.