When will Firefox offer user-friendly fingerprinting protection?
Like many Firefox users, I'm interested in protecting myself from tracking. I use a number of privacy-focused extensions, but they don't protect well against browser fingerprinting. I've read that websites can also detect which add-ons are used, which can, counterintuitively, make the browser easier to fingerprint.
Unfortunately it is not even remotely practical to disable JS for all sites at this time. I do use NoScript - but some websites require JS to function. Enabling JS even temporarily for these sites potentially reveals a lot of unique information.
I compared the outputs for Firefox 58 to the Firefox ESR-based Tor Browser and found Tor Browser takes some interesting steps to protect users by spoofing some values and disabling some features by default.
Features that Tor Browser hides or disables: - Plugin list - WebGL
Values that Tor Browser spoofs: - System fonts (shows only common fonts) - User agent (always shows Windows) - Platform (always shows Windows) - Canvas fingerprint (appears to be very common - so I'm guessing it fakes or engineers this somehow)
The privacy.resistFingerprinting setting in about:config does seem to do many of these things in Firefox 58, but it is harder/scary for less-advanced users to enable. I would love to see this setting available in the browser's privacy preferences, and on by default in Private Browsing windows and when Tracking Protection is enabled.
I couldn't find a way to disable WebGL without going into about:config either. I think it would make sense to ask the user for permission to use WebGL on a given page, since it can be used to fingerprint similarly to canvas elements.
Chosen solution
https://wiki.mozilla.org/Fingerprinting https://wiki.mozilla.org/Security/Fingerprinting
One big change people may have noticed with Fingerprinting over the years was with Firefox 16.0.2 and later to stop showing the build date and minor version in the useragent. A downside on this is it made doing support much harder
The showing UA as a Windows user is not a good thing for Mac OSX and Linux users for stats and such.
Read this answer in context 👍 1All Replies (6)
Unless those VPN or Tor Browser truly says they don't track or give online disclaimer consider your IP logged. If your not doing anything illegal or black market I doubt they would care about tracking your IP. Remember you may think your hidden but your ISP knows you activity already.
Suluhisho teule
https://wiki.mozilla.org/Fingerprinting https://wiki.mozilla.org/Security/Fingerprinting
One big change people may have noticed with Fingerprinting over the years was with Firefox 16.0.2 and later to stop showing the build date and minor version in the useragent. A downside on this is it made doing support much harder
The showing UA as a Windows user is not a good thing for Mac OSX and Linux users for stats and such.
Modified
See also:
- Bug 1329996 - [META] Support anti-fingerprinting protection
(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)
WestEnd said
Unless those VPN or Tor Browser truly says they don't track or give online disclaimer consider your IP logged. If your not doing anything illegal or black market I doubt they would care about tracking your IP. Remember you may think your hidden but your ISP knows you activity already.
I'm not talking about hiding an IP address, or shielding my activity from my ISP. That's a different problem, and not one I expect a browser to solve.
I mentioned Tor Browser because it intentionally obfuscates its fingerprint, so all Tor users look alike to websites.
James said
The showing UA as a Windows user is not a good thing for Mac OSX and Linux users for stats and such.
Thanks for the pointers to the wiki pages.
Tor Browser uses the Windows Firefox UA right now only because it represents the most common one (I'm a Mac user myself). I guess I'm not that sympathetic to sites that want to collect statistics on their visitors. Honestly I'd like to see OS information disappear from the UA entirely.
cor-el said
See also:(please do not comment in bug reports
- Bug 1329996 - [META] Support anti-fingerprinting protection
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html)
Very useful, thank you!