• Hey Guest,

    We wanted to share a quick update with the community.

    Our public expense ledger is now live, allowing anyone to see how donations are used to support the ongoing operation of the site.

    👉 View the ledger here

    Over the past year, increased regulatory pressure in multiple regions like UK OFCOM and Australia's eSafety has led to higher operational costs, including infrastructure, security, and the need to work with more specialized service providers to keep the site online and stable.

    If you value the community and would like to help support its continued operation, donations are greatly appreciated. If you wish to donate via Bank Transfer or other options, please open a ticket.

    Donate via cryptocurrency:

    Bitcoin (BTC):
    Ethereum (ETH):
    Monero (XMR):
fadedghost

fadedghost

Found SaSu after reading BBC & watching YouTube
Dec 10, 2025
742
I asked a mod to edit this and add this at the top. I may be wrong about what I have written and don't want to cause alarm. This can probably be ignored for now, especially because I am not seeing the same "canvas extraction" indicator I saw before. This is really more of a technical question for techies and or @EmptyBottle and I don't want to worry non-technies, so please don't be concerned for now. This was also a specific concern with my network and something called packet injection or code injection and really is very technical and obscure for people accessing the site in very unusual ways. I don't have any data or evidence that consistent extraction is occurring and was responding to a possible anomaly in my browser and probably did phrase this poorly at the time.

I am not entirely sure what to make of this. I don't know if this is a malicious exit node or what is going on.

For those who understand this (aka @EmptyBottle and possibly also my arch enemy @GlassMoon), it could be a MITM thing?

My SaSu https cert SHA-1 is 7C:EB:AD:FA:E9:91:0F:63:28:6C:EB:8B:BF:33:28:10:8A:40:EC:4D. It's probably right?

I know cloudflare.com scripts are running, I am blocking javascript from cloudflareinsights.com, so that's not what's doing it, and jquery.com is loading scripts also.

I just don't know what gets done with the data. Is some 18 year old using their phone and chrome and matched to amazon or their bank going to end up applying for a job and this gets into the "personality insights" that data brokers offer up to third party companies who offer info on applicants? It just seems sketchy. If it were only about marketing betterhelp and mirtazipine to depressed teens, I wouldn't give a fuck, but that's not how data works, and most people don't know this. @EmptyBottle may know it. @GlassMoon probably thinks about it, but doesn't understand it, because that's just how glassmoon is, always plotting sneaky things and not really getting it because he's too busy plotting...
 
Last edited by a moderator:
  • Like
  • Hugs
Reactions: iguazo falls, Aknu132 and EternalShore
N

noname223

Archangel
Aug 18, 2020
7,203
I would be interested to know more about this.
 
  • Like
Reactions: Aknu132 and fadedghost
fadedghost

fadedghost

Found SaSu after reading BBC & watching YouTube
Dec 10, 2025
742
I would be interested to know more about this.
Well, I'm sure @EmptyBottle will have more to say that will be coherent and intelligent and shine a light on this. He's the real "ethical penetration tester."

Also I'm sure @GlassMoon will have various thoughts.
 
  • Like
Reactions: Aknu132
rainwillneverstop

rainwillneverstop

Global Mod | Serious Health Hazard
Jul 12, 2022
1,138
I am not sure I understand what you are saying, but I will try to answer. You can also always just ask us directly rather than make accusations.

Man in the middle attacks usually happen at a local level, like at your own network. It's also very legacy and because https then you would know if that was the case as you would get an error loading the site.

Of course Cloud Flare scripts are running, it's basic anti-bot/DDOS protection and every site with ddos protection does this.

Again I am not sure I understand what you mean with "site reading canvas data" so sorry if this reply is lacking.
 
  • Informative
  • Hugs
  • Like
Reactions: EternalShore, Aknu132, fadedghost and 1 other person
fadedghost

fadedghost

Found SaSu after reading BBC & watching YouTube
Dec 10, 2025
742
I am not sure I understand what you are saying, but I will try to answer. You can also always just ask us directly rather than make accusations.

Man in the middle attacks usually happen at a local level, like at your own network. It's also very legacy and because https then you would know if that was the case as you would get an error loading the site.

Of course Cloud Flare scripts are running, it's basic anti-bot/DDOS protection and every site with ddos protection does this.

Again I am not sure I understand what you mean with "site reading canvas data" so sorry if this reply is lacking.
sorry @rainwillneverstop

i wasn't accusing the site of doing anything bad. it's more that sometimes analytics have scripts in them and it's hard to know what they do with the scripts.

Tor Browser when javascript is enabled will ask me if I want to allow Canvas Data extraction (showing a graphic). I am not sure if it even does real extraction anyway because Privacy:ResistFingerprinting is hardcoded as true in Tor Browser, but I saw it and thought "Why is this even showing?" And sometimes it will show when there's embedded third-party scripts (ie, YouTube videos), but I wasn't seeing that anywhere in the window. Tor Browser also codes firstparty.isolate as True and I was thinking "Okay, so I know it's not from a different window," which in hindsight doesn't make much sense, because it's still the same party. It's possible YouTube scripts from a different SaSu tab impacted a tab without any YouTube scripts. I also inspected things more and the request didn't actually execute the code (it got blocked), but I was confused why it was even happening.

the MITM was my way of trying to ask why I thought I was seeing a request for canvas data and whether it was actually from a malicious node injection, which would have probably resulted in a fake cert and wrong SHA-1 hash. Because sometimes I don't see any canvas request on this site unless their is a specific embedded media that links to a 3rd party script, and often I don't see any request, so I was wondering "Is this canvas request coming from the sever, or is someone intercepting the server and making a request for canvas data?" Right now the site is only requesting ClientRects, but that can be a normal part of coding. (I often see ClientRects requests on many sites and see it here often, so that wasn't a concern, because it's so typical.)

You're probably right that most MITM attacks would lead to an https cert issuer error also that would show up on most modern browsers.

I know you have to have DDOS scripts and protection, and also realize that Cloudflare mirrors the site and people retrieve it from Cloudflare, otherwise the DDOS attacks would take down the site always.

It's really weird because I am not seeing a canvas data extraction request now and usually don't see it. Sometimes I'll see that if someone else pastes content that has scripts (like a YouTube video) but I don't think I saw that when the request came up.

I'm not trying to worry people, and I don't see this request now, and didn't see it before prior to today, but I did see it today and was surprised. It's mostly an obscure technical question for @EmptyBottle and I don't mean to worry people. You could probably just delete this if it's too concerning to people and I can ask emptybottle privately.

I wasn't trying to accuse the site of having bad intentions or doing anything shady intentionally. It's more that often sites include scripts that sometimes do unexpected things and I was wondering about the javascript. The title was poorly phrased, since it's from javascript that's embedded in the site most likely and not the site, unless somehow the exit node I was on put it in, which... isn't actually impossible. Malicious injections happen.

It was a computer nerd question and I wasn't thinking it would concern people. I'm socially clueless at times. Don't blame me! Blame @EmptyBottle - his Australian tendencies have rubbed off on me and made me even more badder.

Sorry about this. I know something about computers but am not that good. That's why I was trying to ask emptybottle about this. But I wasn't really thinking that asking about this publicly would confuse non-technical people (although I am not a techie) and it woud be better to ask privately. Sorry!
 
Last edited:
  • Like
Reactions: Aknu132
EmptyBottle

EmptyBottle

Visionary
Apr 10, 2025
2,376
for canvas fingerprinting, note that there is false positives, because the same api that an fingerprint allows certain images to be rendered (eg pfp editors read canvas pixels to display the cropped image)... try denying the fingerprinting and seeing which images have thin bars (for me, the SaSu title logo gets bars).... geometry dash for example will be very tricky to play without the tor/librewolf restricted canvas functions.

As for the sha1 hashes, cloudflare can use more than 1 certificate, changing the hashes... but be aware that cloudflare, positioned between 20% of internet sites and their users, can intercept and modify pages (they use the ability to hide email addresses from possible spambots, remove malicious js libraries, insert images from their cache, etc... and I hope they only do it automatically without logging the content)
 
  • Informative
Reactions: fadedghost
fadedghost

fadedghost

Found SaSu after reading BBC & watching YouTube
Dec 10, 2025
742
for canvas fingerprinting, note that there is false positives, because the same api that an fingerprint allows certain images to be rendered (eg pfp editors read canvas pixels to display the cropped image)... try denying the fingerprinting and seeing which images have thin bars (for me, the SaSu title logo gets bars).... geometry dash for example will be very tricky to play without the tor/librewolf restricted canvas functions.
oh really! i didn't know that! see, that's why you are smarter than me. What api allows both images to be rendered and allows canvas extraction? Yes, I see the thin bars sometimes and don't understand what is going on. It seems like when they inject too much noise that happens right? I don't really understand! I wish I were better at the computer!
As for the sha1 hashes, cloudflare can use more than 1 certificate, changing the hashes... but be aware that cloudflare, positioned between 20% of internet sites and their users, can intercept and modify pages (they use the ability to hide email addresses from possible spambots, remove malicious js libraries, insert images from their cache, etc... and I hope they only do it automatically without logging the content)
You're right, it's almost pointless to consider SHA1 with Cloudflare are a CDN because they "colocate" the CDN in so many places! I didn't think of that!

So you think the extraction icon was a false positive and that's why it was there? That's interesting, I bet that was it. Because even if an exit node is malicious, it's so unlikely that the cert is going to be poisoned, and I didn't see any cert warnings.
 
Last edited:
  • Informative
Reactions: EmptyBottle
EmptyBottle

EmptyBottle

Visionary
Apr 10, 2025
2,376
I am not entirely sure what to make of this. I don't know if this is a malicious exit node or what is going on.

For those who understand this (aka @EmptyBottle and possibly also my arch enemy @GlassMoon), it could be a MITM thing?

My SaSu https cert SHA-1 is 7C:EB:AD:FA:E9:91:0F:63:28:6C:EB:8B:BF:33:28:10:8A:40:EC:4D. It's probably right?

I know cloudflare.com scripts are running, I am blocking javascript from cloudflareinsights.com, so that's not what's doing it, and jquery.com is loading scripts also.

I just don't know what gets done with the data. Is some 18 year old using their phone and chrome and matched to amazon or their bank going to end up applying for a job and this gets into the "personality insights" that data brokers offer up to third party companies who offer info on applicants? It just seems sketchy. If it were only about marketing betterhelp and mirtazipine to depressed teens, I wouldn't give a fuck, but that's not how data works, and most people don't know this. @EmptyBottle may know it. @GlassMoon probably thinks about it, but doesn't understand it, because that's just how glassmoon is, always plotting sneaky things and not really getting it because he's too busy plotting...
7C:EB:AD:FA:E9:91:0F:63:28:6C:EB:8B:BF:33:28:10:8A:40:EC:4D
Yep, sha1 matches for me

I also block cloudflareinsights.com (with ublock) every now and then, coz that script uses my CPU to do analytics (yes, a tiny fraction of time, but still)
 
  • Hugs
  • Informative
Reactions: EternalShore and fadedghost
fadedghost

fadedghost

Found SaSu after reading BBC & watching YouTube
Dec 10, 2025
742
7C:EB:AD:FA:E9:91:0F:63:28:6C:EB:8B:BF:33:28:10:8A:40:EC:4D
Yep, sha1 matches for me

I also block cloudflareinsights.com (with ublock) every now and then, coz that script uses my CPU to do analytics (yes, a tiny fraction of time, but still)
Can you explain how the api can lead to a false positive? I don't understand that at all!
 
  • Informative
Reactions: EmptyBottle
EmptyBottle

EmptyBottle

Visionary
Apr 10, 2025
2,376
Can you explain how the api can lead to a false positive? I don't understand that at all!
basically, this is the part of the API with dual use:
it's purpose was to allow images to be placed, changed, and read from a canvas (graphics box) element.

The same API can be used for fingerprinting:

Because of the dual use, the browser can't tell with confidence that the API is or isn't used for fingerprinting... so as a precaution some browsers notify the user and modify the extracted image before giving it to the site's script.
 
fadedghost

fadedghost

Found SaSu after reading BBC & watching YouTube
Dec 10, 2025
742
basically, this is the part of the API with dual use:
it's purpose was to allow images to be placed, changed, and read from a canvas (graphics box) element.

The same API can be used for fingerprinting:

Because of the dual use, the browser can't tell with confidence that the API is or isn't used for fingerprinting... so as a precaution some browsers notify the user and modify the extracted image before giving it to the site's script.
wouldn't that trigger the warning every time though? I usually don't see this warning
 
  • Informative
Reactions: EmptyBottle
fadedghost

fadedghost

Found SaSu after reading BBC & watching YouTube
Dec 10, 2025
742
it depends on how often the data to url api is called, it might just be called once per session
but then why would i not see it at all some sessions and then see it on another?
 
EmptyBottle

EmptyBottle

Visionary
Apr 10, 2025
2,376
but then why would i not see it at all some sessions and then see it on another?
interesting... maybe there's caching that persists across sessions... I assumed it'd be once per session tho idk, only reading the js that xenforo uses would provide the answer ig.
 

Similar threads