I'm already using CanvasBlocker, Decentraleyes, and the NoScript Security Suite; but getting more protections will be nice. Even if it may take a while for them to land in Waterfox.
Adding noise to images sounds like a really bad idea. It will mess with any Javascript code which performs processing on images. Try writing a photo editor in Javascript and watch your browser corrupt your images.
I wish them the best. When I last tested it on fingerprint.com, the hash remained stable even with resistFingerprinting and letterboxing from a VPN, only changing between profiles. When I daily-drove resistFingerprinting (not reduceFingerprinting that permits exceptions like dark mode) in 2021, my hash changed every restart.
Perhaps fingerprint.com has stepped up their detection game and have new heuristics to identify you, thwarting the resistFingerprinting measures.
My experience lately has been that fingerprint.com is able to identify my main profile "in bursts", i.e. it will identify me consistently for some days, then it will forget and tell me it's never seen me. Maybe the service they provide on the landing page has a TTL policy? Either way, I've observed this behaviour on both my main profile and my "Firefox Focus"-like profile (a mix of no history + automatic temporary containers). On Mullvad Browser, however, it always seems to group me with random access across the globe.
This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.
>This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.
I'd rather be trackable but secure -- the big draw for me is NoScript. Paired with uBlock, I'm safe from malvertising[1]
There was a commenter some time back showing that browser statistics were easy to skew. Safari and Firefox are less likely to show up in analytics, so website owners think they're less important than they really are. Conflating client-side with server-side analytics showed quite a gap.
It’s a bit annoying that Firefox by default breaks all sites that use canvas imageData API. There is no permission for that, so no user-friendly way to ask for consent either.
I exclusively use private browsing, but I know that doesn't do much in preventing tracking, so it's nice to see this finally starting to roll out.
The fact that I have to go to great lengths to browse anonymously - and companies desperately try to circumvent my genuine decision to opt out of their tracking - tells me everything I need to know about those companies. Words like sleezy, shady, and predatory come to mind.
I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies, but I fear it's more likely those companies will lobby to prevent Firefox from protecting us.
Out of curiousity, how would you steelman the argument that fingerprinting is no different than a store owner, standing behind the counter, taking note of the faces of who enters his store, and maintaining a log?
I am dreaming for righteous 'small' employees too, those who carry out the dishonourable practice of implementing privacy intrusion following instructions, for money. Corporates are built by thousands of ignorant grey workers.
The "Temporary Containers" extension is great here, allowing pretty easy compromise between different buckets of sites. I'll have some personal ones that I log into, others go specifically into a snoop container, and the rest get temporary ones that evaporate when closed. https://addons.mozilla.org/en-CA/firefox/addon/temporary-con...
> I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies
You're in luck since EU's GDPR is about informing users of PII harvesting and consent in general (among other things). So the banner is not only about cookies. And I think nowadays there are similar regulations elsewhere.
I use FF and I paid for NYTimes. I was logged in, yet NYTimes constantly flagged my browser with a persistent captcha I couldn't bypass for months (across 2 different machines). It thought I was a bot because of the privacy features. So I cancelled my subscription using my phone.
when I used to subscribe to the nyt, I had to block a few of their endpoints to kill the awful popups and etc. This, the further ads for paying subscribers, and a host of other issues led me to drop them as well though.
I tested firefox recently. It had some AI summary button or something
that was new. I instantly wanted to eliminate this from the UI but I
don't know how to do that. I guess it is possible? But it probably
requires some time and research; the thing I don't need or want this,
it just takes away space.
Then I remembered why I no longer use firefox. I believe we, as users,
need to take back the open web. The days of some random developers
ruining the UI should really be over, be it firefox, or Google chrome
killing ublock origin. We need to fight back.
>Having a unique fingerprint means fingerprinters can continuously identify you invisibly
This is not right. If you have a unique fingerprint every time someone tries to fingerprint you, then they have to do extra work to try and figure out which are the same. If you make it always be the same you've made the fingerprinter's job much easier.
In this context "a unique fingerprint" means that your fingerprint does not match any other user's. When you visit Site A and B you give a fingerprint X that is the same on A and B but no one else on the internet has ever sent.
In contrast a randomized fingerprint mean when you visit A you have a fingerprint X' and on B you have a fingerprint Y' and no one else on the internet has X' or Y' but A and B can't correlate you.
The protections we've put in place first try to do API normalization to make it so more people have a fingerprint X, and it isn't unique. And then they do API randomization so you use X' and Y'.
If a fingerprint goes to extra effort of detecting a randomized fingerprint, and ignore (or remove) the randomization, they will get the X fingerprint which - hopefully - matches many more users.
Fingerprinting is nearly impossible to resist these days anyways, no matter which technics Firefox uses to reduce it, and sometimes it actually makes the browser appear more unique.
Last time I tried everything I could to prevent Firefox from calling home, it was still requesting Mozilla servers. Though I haven’t given up, my
plan is disabling it at source code level and build my own release.
I'm working on building a bot detection platform to defend websites right now and yeah, without immense effort on the part of the browsers, you are correct. Any of the apis they injected noise into here will be updated in the competant fingerprinting programs as well. The only real solution is to not enable JavaScript at all.
One thing I found that broke tracking algorithms was the ‘every tab is a new random profile’ extension. I can’t remember the name as I haven’t used it in a while and it broke a lot of logins.
They could not build a profile on you and it would break their system of tracking user login per device.
I dev my private fork of browser fingerprinting bypass and I can tell, this is like 1% of what commercial tracking companies use for fingerprinting.
Unless they tackle all the hidden things, all artifacts, canvas rendering and many more.
These companies will be actually happy after this change, because even users with ublock and other plugins, will think they're not tracked. Yeah, nope.
And it's not that hard to see how they fingerprint your browser, reverse any JS tracking script yourself and see.
In my case the single largest contributor to my fingerprint is ... canvas size. I run full screen with a custom Firefox setup that basically makes my canvas size unique :/ The "protection" Firefox uses for this is to always open a new window at a default size, which does nothing in my case since my toolbar config still makes the canvas size unique.
It would be really useful to have something that dithers the reported canvas size by 5 or 10 pixels in different containers to add noise there.
Unfortunately, Cloudflare and other protections will keep working even less than they used to. I have started to not use Cloudflare protected websites because they don’t work with Firefox. But that is a fight I am going to lose.
I'm still unhappy with the user-agent header. I tried removing information but it breaks a number of sites.
Would like to leave Linux in there (if feasible so it gets counted) but remove/spoof everything else.
The question that I have not see answered in the many, many forum threads on "browser fingerprinting", is specifically why a user seeks to avoid it
Is it (a) to avoid internet marketing, (b) some other reason or (c) both. What is the "threat model"
If the answer is (c) then is there a belief that a fingerprint collected for marketing purposes may be used for other purposes
I do not use a browser to make HTTP requests, I only send two headers, Host and Connection, unless I need to send more, e.g., User Agent, Cookie, Accept, etc. The vast majority of websites I access work with only two headers. The list of ones that require more is short and the local forward proxy adds them automatically for those sites
For me, the "threat model" is (a) internet marketing
I do not see any ads because (1) the computers I use cannot access ad or tracking servers^FN1 and (2) I use a text-only browser to read HTML. There is no Javascript interpreter, no way to auto-load resources, no way to display images, no way to store cookies, etc.
I have no issue with this information that I'm a text-only web user being revealed to any internet marketer. (More likely I am mistaken for a "bot" as a result of crude heuristics)
On the other hand, if I were using a popular browser to make HTTP requests, one that sends a "common" fingerprint to internet marketers, then this would signal a more viable target for ads and tracking. Popular browsers have default settings that enable Javascript, cookies, images, auto-loading resources, etc.
tl;dr The reasons a computer user has for avoiding fingerprinting may be different. For example, one user might want to "blend in" and "hide", i.e., avoid being "identified", whereas another user might want to "be left alone", i.e., avoid being the target of internet marketers
FN1. Markerters always seem to require access to DNS
It would be nice to see Firefox implement a few features browsers like brave have, like being able to automatically clear cookies for a site when leaving it, and to make containers available when in private browsing, ah well.
37 comments
[ 2.5 ms ] story [ 54.6 ms ] threadMy experience lately has been that fingerprint.com is able to identify my main profile "in bursts", i.e. it will identify me consistently for some days, then it will forget and tell me it's never seen me. Maybe the service they provide on the landing page has a TTL policy? Either way, I've observed this behaviour on both my main profile and my "Firefox Focus"-like profile (a mix of no history + automatic temporary containers). On Mullvad Browser, however, it always seems to group me with random access across the globe.
I'd rather be trackable but secure -- the big draw for me is NoScript. Paired with uBlock, I'm safe from malvertising[1]
[1] https://en.wikipedia.org/wiki/Malvertising#Examples_of_malic...
The fact that I have to go to great lengths to browse anonymously - and companies desperately try to circumvent my genuine decision to opt out of their tracking - tells me everything I need to know about those companies. Words like sleezy, shady, and predatory come to mind.
I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies, but I fear it's more likely those companies will lobby to prevent Firefox from protecting us.
You're in luck since EU's GDPR is about informing users of PII harvesting and consent in general (among other things). So the banner is not only about cookies. And I think nowadays there are similar regulations elsewhere.
Then I remembered why I no longer use firefox. I believe we, as users, need to take back the open web. The days of some random developers ruining the UI should really be over, be it firefox, or Google chrome killing ublock origin. We need to fight back.
This is not right. If you have a unique fingerprint every time someone tries to fingerprint you, then they have to do extra work to try and figure out which are the same. If you make it always be the same you've made the fingerprinter's job much easier.
In contrast a randomized fingerprint mean when you visit A you have a fingerprint X' and on B you have a fingerprint Y' and no one else on the internet has X' or Y' but A and B can't correlate you.
The protections we've put in place first try to do API normalization to make it so more people have a fingerprint X, and it isn't unique. And then they do API randomization so you use X' and Y'.
If a fingerprint goes to extra effort of detecting a randomized fingerprint, and ignore (or remove) the randomization, they will get the X fingerprint which - hopefully - matches many more users.
Last time I tried everything I could to prevent Firefox from calling home, it was still requesting Mozilla servers. Though I haven’t given up, my plan is disabling it at source code level and build my own release.
They could not build a profile on you and it would break their system of tracking user login per device.
Unless they tackle all the hidden things, all artifacts, canvas rendering and many more.
These companies will be actually happy after this change, because even users with ublock and other plugins, will think they're not tracked. Yeah, nope.
And it's not that hard to see how they fingerprint your browser, reverse any JS tracking script yourself and see.
It would be really useful to have something that dithers the reported canvas size by 5 or 10 pixels in different containers to add noise there.
Is it (a) to avoid internet marketing, (b) some other reason or (c) both. What is the "threat model"
If the answer is (c) then is there a belief that a fingerprint collected for marketing purposes may be used for other purposes
I do not use a browser to make HTTP requests, I only send two headers, Host and Connection, unless I need to send more, e.g., User Agent, Cookie, Accept, etc. The vast majority of websites I access work with only two headers. The list of ones that require more is short and the local forward proxy adds them automatically for those sites
For me, the "threat model" is (a) internet marketing
I do not see any ads because (1) the computers I use cannot access ad or tracking servers^FN1 and (2) I use a text-only browser to read HTML. There is no Javascript interpreter, no way to auto-load resources, no way to display images, no way to store cookies, etc.
I have no issue with this information that I'm a text-only web user being revealed to any internet marketer. (More likely I am mistaken for a "bot" as a result of crude heuristics)
On the other hand, if I were using a popular browser to make HTTP requests, one that sends a "common" fingerprint to internet marketers, then this would signal a more viable target for ads and tracking. Popular browsers have default settings that enable Javascript, cookies, images, auto-loading resources, etc.
tl;dr The reasons a computer user has for avoiding fingerprinting may be different. For example, one user might want to "blend in" and "hide", i.e., avoid being "identified", whereas another user might want to "be left alone", i.e., avoid being the target of internet marketers
FN1. Markerters always seem to require access to DNS
https://support.mozilla.org/en-US/kb/firefox-protection-agai...
They are... surprising to me. And as a developer, some of them seem kind of horrible. Altering canvas data, really?