Ask HN: How to avoid browser fingerprinting while using lots of extensions?

8 points by hidden-spyder ↗ HN
I use a lot of browser extensions and would be sad to give them up, but I realize that this is making me quite unique in browser fingerprinting.

Is there any way I could continue using the extensions while also not revealing myself too much?

9 comments

[ 2.9 ms ] story [ 40.3 ms ] thread
Some extensions inject code into the page or alter the look of a page (e.g Stylus). All a bad actor has to do is grab a screenshot of the page (which can be done with JS) and single you out specifically for using a certain style. Stay away from extensions that inject code, since that can be sniffed from third party trackers and single you out.

Also: if you're dedicated enough, you can always view the source of addons you don't trust and see what they do behind the scenes. I once spotted an addon siphoning off browsing history to a remote server, and had to report it to Mozilla and had to escalate the issue to get it removed swiftly.

Some addons are 'recommended' by Mozilla and have been analyzed to ensure there are no privacy violations, so try and use those addons. There is also the issue of an addon's author getting contacted by shady characters wanting to buy the extension so they can abuse it and violate people's privacy.

Good to know. There is no way I would give up Stylus, however. It’s too useful. I use Firefox containers to avoid the super horrible stuff and Adnauseum to hopefully poison the well.
How did you determine how a specific add-on behaves? Are you using a pack sniffer/ web debugger like Fiddler?
Turns out I didn't need to use a debugger. I just manually viewed the source, spotted a malicious domain, and worked backwards from that to see what was being sent to it. The author of the addon was careful not to make it obvious what was happening. There was some weird backdoor that randomly pinged the domain with a GET request containing info on sites I've visited. Fiddler is awesome BTW.
Maybe I'm misunderstanding the intention of your response, but this doesn't answer the question. Regardless of whether an extension injects code into the page or not, or if it's recommended by Mozilla, it will alter my fingerprint, wouldn't it?
I recall there was a bug in Firefox from years back where JS could be used to infer what addons were installed. Typically it just pinged some extension URIs to look for an extension's presence. If it HTTP 200 OK'd then you had it installed. That bug has been fixed IIRC.