I exclusively use private browsing, but I know that doesn't do much in preventing tracking, so it's nice to see this finally starting to roll out.
The fact that I have to go to great lengths to browse anonymously - and companies desperately try to circumvent my genuine decision to opt out of their tracking - tells me everything I need to know about those companies. Words like sleezy, shady, and predatory come to mind.
I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies, but I fear it's more likely those companies will lobby to prevent Firefox from protecting us.
The "Temporary Containers" extension is great here, allowing pretty easy compromise between different buckets of sites. I'll have some personal ones that I log into, others go specifically into a snoop container, and the rest get temporary ones that evaporate when closed. https://addons.mozilla.org/en-CA/firefox/addon/temporary-con...
> I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies
You're in luck since EU's GDPR is about informing users of PII harvesting and consent in general (among other things). And I think nowadays there are similar regulations elsewhere.
I am dreaming for righteous 'small' employees too, those who carry out the dishonourable practice of implementing privacy intrusion following instructions, for money. Corporates are built by thousands of ignorant grey workers.
Out of curiousity, how would you steelman the argument that fingerprinting is no different than a store owner, standing behind the counter, taking note of the faces of who enters his store, and maintaining a log?
To make that analogy closer to the Internet reality, I would say that Internet tracking is more like a cabal of shop-keepers, librarians, neighbors, utility pole workers, and so on who are keeping track of all the faces, all their habits, what they look at, what they say, who they interact with, and share this information amongst themselves, recording it in perpetuity. They also share details with the police and anyone who cares to purchase them.
When you talk about a "shopkeeper" it gives it a small community charm. The Internet is anything but that.
The difference is scale and intent. A mom and pop store owner “remembering” my face versus big tech tracking is like comparing a nosy neighbor to the CIA.
One of them might peer out their window, the other will infiltrate every aspect of your life. One of them is bored, the other has no qualms about doing significant harm to you if it serves their interests.
The store owner visibly responds to the customers differently.
Fingerprinting is invisible. It's more like the store owner recording everyone on hidden camera.
I'm fairly confident I could sue that store owner for stalking if they were logging every time I entered that store and left, along with all my activities.
I'm absolutely positive I could if they were getting other store owners to help them track me.
What I don't understand is why this is unacceptable if they do it to a single person but perfectly normal if they do it to all their customers. IMO that should make things worse, not better.
Let's put it this way. You'd get a restraining order against someone if they followed you around all day, logging when you woke up, ate, who you talked with (even if they don't hear the conversation), where you went, and when you went to bed. That's clearly stalking, right? So why us it suddenly acceptable when it's being done by some guy named Mark who is stalking a billion people instead of just one?
We clearly differentiate this from being a regular customer at a store. If I'm a regular at Joe's Corner Market and get a sandwich every Wednesday for lunch then he remembers me because we're talking face to face and making conversation. It's personal. There's clear consent in what I'm sharing and there's a clear expectation that Joe isn't going to use that information to manipulate me or follow me around town. Our interaction is limited to the store and maybe bumping into each other on the street. It's clearly not stalking, we're just friendly. The same way your partner might know about when you wake up, go to sleep, eat for breakfast, and all that same stuff. Your partner isn't stalking you.
[Edit]: I want to encourage the above comments. Doesn't matter if recursive4 believes the other side or not, I want these conversations to be front and center. I like to see the other responses than mine as well and I think these help us refine our arguments and by being prominent they help others be convinced and join us. So while I know we don't usually talk about how to upvote/downvote, I'll just say "vote strategically rather than agreeability" :)
It's automated data processing at scale rather than a local mom and pop country general store. The profit seeking, decision making, management culture driving decisions is a fundamentally different relationship. Also I don't think store owners do that?
Rather than presupposing an analogy to something importantly different, I would propose that the steelman would be along the lines of noting that ads and hyperpersonalization are effective at meeting and predicting your needs, and steering you towards an interpretation of your own needs that finds their fulfillment in deepening a consumer relationship. And if you get steered into lock-in with one company's ecosystem, you get the convenience of a stack of vertically integrated services.
This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.
There was a commenter some time back showing that browser statistics were easy to skew. Safari and Firefox are less likely to show up in analytics, so website owners think they're less important than they really are. Conflating client-side with server-side analytics showed quite a gap.
Most of the people who are just looking at browser statistics for the purpose of managing a website are using simple tools that just simply collect data from user agent strings. Determining browser from this isn't 100% straightforward, but it's enough to give website operators a rough idea of what browser to target. This data was more important in the days when everything wasn't Chrome/Android/iOS, and it actually mattered what version of IE your users were running.
If you're doing fingerprinting for tracking purposes, you're gonna be tracking a lot more in-depth data.
But in the end, there are pretty much three types of Internet user today: 1. The person who uses the default browser installed on their device. 2. The user who always downloads Chrome when they first get a new computer. and 3. Nerds who do something else.
>This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.
I'd rather be trackable but secure -- the big draw for me is NoScript. Paired with uBlock, I'm safe from malvertising[1]
You're more trackable by using NoScipt and there's no good reason to use it if you know how to properly use uBlock: https://github.com/arkenfox/user.js/wiki/4.1-Extensions#-don...
uBlock is a content blocker so it can do everything NoScript can if you learn its advanced UI usage. Using additional extensions makes you more trackable.
I often think about this in connection with my user agent. I am sure it helps identify me. If I spoofed a Chrome/Windows UA that would probably be better from a privacy perspective. But if we all do that then web designers will never know that we exist. I want people to know there are Firefox and Linux users out there.
If a website has 100 visitors, and 99 of them use Chrome, and 1 user uses Firefox, it doesn't matter how good their fingerprinting resistance is, they're always the one using Firefox.
One thing I found that broke tracking algorithms was the ‘every tab is a new random profile’ extension. I can’t remember the name as I haven’t used it in a while and it broke a lot of logins.
They could not build a profile on you and it would break their system of tracking user login per device.
I've recently switched from Containerise + Temporary Containers to Auto Containers. Brand new addon, but the dev is responsive and IMO it works much better for creating new containers on the fly as you browse.
In my case the single largest contributor to my fingerprint is ... canvas size. I run full screen with a custom Firefox setup that basically makes my canvas size unique :/ The "protection" Firefox uses for this is to always open a new window at a default size, which does nothing in my case since my toolbar config still makes the canvas size unique.
It would be really useful to have something that dithers the reported canvas size by 5 or 10 pixels in different containers to add noise there.
Now I understand why I'm getting paywall limits even in private browsing :) I use Tree Style Tab, so my canvas is also of unusual size and ratio. I guess I can try making it more narrow or wider to combat that :)
Unfortunately, Cloudflare and other protections will keep working even less than they used to. I have started to not use Cloudflare protected websites because they don’t work with Firefox. But that is a fight I am going to lose.
Symptoms? Is it limited to when a site has Cloudflare's more aggressive protection turned on? I haven't noticed any problems I've attributed to Cloudflare, and I use Firefox exclusively.
This matches my experience as well. As a FF user, I very occasionally encounter problems, but these don't seem to be correlated to their using CF protections. Much more often I find sites broken that rely on cloud domains with bad reputations, which my DNS filters block.
I was actually wondering if the stuff that Mozilla's talking about here will be used by bad bot people to try to circumvent CF's abuse protections. As I recall from when I was working with them, CF's service relies in part on being able to identify botnet attacks by doing its own fingerprinting.
I'm sorry whatever problem you've run into, but it's definitely not true that no cloudflare protected websites work with any Firefox. You've run into something more specific, I guess.
I wish them the best. When I last tested it on fingerprint.com, the hash remained stable even with resistFingerprinting and letterboxing from a VPN, only changing between profiles. When I daily-drove resistFingerprinting (not reduceFingerprinting that permits exceptions like dark mode) in 2021, my hash changed every restart.
Perhaps fingerprint.com has stepped up their detection game and have new heuristics to identify you, thwarting the resistFingerprinting measures.
My experience lately has been that fingerprint.com is able to identify my main profile "in bursts", i.e. it will identify me consistently for some days, then it will forget and tell me it's never seen me. Maybe the service they provide on the landing page has a TTL policy? Either way, I've observed this behaviour on both my main profile and my "Firefox Focus"-like profile (a mix of no history + automatic temporary containers). On Mullvad Browser, however, it always seems to group me with random access across the globe.
It’s a bit annoying that Firefox by default breaks all sites that use canvas imageData API. There is no permission for that, so no user-friendly way to ask for consent either.
I'm already using CanvasBlocker, Decentraleyes, and the NoScript Security Suite; but getting more protections will be nice. Even if it may take a while for them to land in Waterfox.
You are actually easier to track using these addons.
By installing Canvasblocker, Decentraleyes and NoScript you are providing more entropy to trackers and thus making it easier to track you. Imagine how many people worldwide block specifically Canvas, have weird looking network requests to certain js libs and have JS disabled for some (/all) scripts combined with your general setup (window size, font size, and many other factors that do not even require JS).
The Tor project explicitly suggests to not install an adblocker for example because of this.
I more or less use those addons (uMatrix instead of NoScript) plus uBlock Origin. uMatrix doesn't load a large number of JS files. An example from an ecommerce site I'm browsing right now: the site is functional (at least in browsing mode) without the scripts from
It needs only the JS from the first party domain. So they can track me from there but all the other guys don't know about me, unless they buy data from the first party. At least they have to do more work.
I also don't get advertising in any form, maybe because I don't have ecommerce apps on my phone and I block a lot of things with Blockada, but that's another story.
> (window size, font size, and many other factors that do not even require JS
Yeah, they require CSS, which you can also block using noscript and other tools, if you want.
Also, while you might be more "trackable" to those who fingerprint, if you are blocking those cross origin or same origin scripts from loading you are already stopping some of that. You can even blacklist some known hosts completely in your browser's policy settings and prevent those requests from ever reaching their destination.
Without an ad blocker and JavaScript blocker the average website would be 100GB in size and take several years to load. If I really cared about tracking protection I would just not use the regular internet and stick to Gemini. CanvasBlocker is just because the Tor browser itself has one implemented (source: <https://2019.www.torproject.org/projects/torbrowser/design/#...>) so I figured I might as well.
There has to be a happy middle between "no protection" and "complete uniqueness"
The web without ad blocking is revolting. Browsers building in these features makes them more popular.
Aside: Fuck the Washington Post. They have a line in their privacy policy that acknowledges the existence of "Do Not Track" flags in browsers. Their acknowledgement: since there is no industry standard for responding to it, they ignore it.
How is your browsing experience with that stuff? I used to go nuts with anti-tracking measures, but enough of my browsing experience kept breaking that it just didn't feel worth it.
My experience with uMatrix: most sites work right away. Others require fiddling with the matrix of media, script, xhr, frames and the third parties serving them. After a while it's easy to remember which ones must be temporary enabled and which ones don't. Sites with videos are a little more difficult. Sites with payments require care. I whitelist the minimum set of scripts that make the sites I use often work. There are usually many scripts that can be left out. If everything fails and it's a one shot site, I start Chrome.
It's fine. Sometimes I get annoyed by websites which require JavaScript to show static text (apparently HTML is too difficult?) or which block me with a 'please unblock challenges.cloudflare.com to proceed' (that second one seriously pisses me off when I see it on, for example, the website of the Belgian railways), but by and large I'm fine with just saying 'if it breaks I don't need it'. But I handle my e-mail with isync, mu, and mu4e; and as far as I understand e-mail tends to be a sticking point for those who care for their digital rights. I also don't have Xitter or Facebook or any of that nonsense.
If there's one thing I don't like its the fact that NoScript doesn't integrate with Multi-Account Containers. It would be neat if instead of having to temporarily allow GitHub JavaScript and re-disable it when I'm done; I could just allow GH JS in a GitHub or Microsoft container and it only being enabled in that container.
It would be nice to see Firefox implement a few features browsers like brave have, like being able to automatically clear cookies for a site when leaving it, and to make containers available when in private browsing, ah well.
This is pretty handy and I've been using it for years[0].
I like the idea of Brave but we have a bigger fight that requires us to have no chromium. Chromium winning is Google winning, allowing them to control the Internet. I don't want that power in any single entity's hands. So I do ask that more people switch to Firefox or Safari as those are the best options to fight back and have decent market shares (even if small). If we lose the internet we'll lose our privacy too
Adding noise to images sounds like a really bad idea. It will mess with any Javascript code which performs processing on images. Try writing a photo editor in Javascript and watch your browser corrupt your images.
The question that I have not see answered in the many, many forum threads on "browser fingerprinting", is specifically why a user seeks to avoid it
Is it (a) to avoid internet marketing, (b) some other reason or (c) both. What is the "threat model"
If the answer is (c) then is there a belief that a fingerprint collected for marketing purposes may be used for other purposes
I do not use a browser to make HTTP requests, I only send two headers, Host and Connection, unless I need to send more, e.g., User Agent, Cookie, Accept, etc. The vast majority of websites I access work with only two headers. The list of ones that require more is short and the local forward proxy adds them automatically for those sites
For me, the "threat model" is (a) internet marketing
I do not see any ads because (1) the computers I use cannot access ad or tracking servers^FN1 and (2) I use a text-only browser to read HTML. There is no Javascript interpreter, no way to auto-load resources, no way to display images, no way to store cookies, etc.
I have no issue with this information that I'm a text-only web user being revealed to any internet marketer. (More likely I am mistaken for a "bot" as a result of crude heuristics)
On the other hand, if I were using a popular browser to make HTTP requests, one that sends a "common" fingerprint to internet marketers, then this would signal a more viable target for ads and tracking. Popular browsers have default settings that enable Javascript, cookies, images, auto-loading resources, etc.
tl;dr The reasons a computer user has for avoiding fingerprinting may be different. For example, one user might want to "blend in" and "hide", i.e., avoid being "identified", whereas another user might want to "be left alone", i.e., avoid being the target of internet marketers
FN1. Markerters always seem to require access to DNS
I use FF and I paid for NYTimes. I was logged in, yet NYTimes constantly flagged my browser with a persistent captcha I couldn't bypass for months (across 2 different machines). It thought I was a bot because of the privacy features. So I cancelled my subscription using my phone.
Is there a reason to force all these bot checks on logged in accounts that are paying you money other than insanity? Surely you could just have a max monthly bandwidth limit per account and just stop worrying about this?
I don't think there is any value of [x] for the monthly bandwidth usage you could pick that malicious users cannot afford, but legitimate users could not hit.
The New York Times is like a microcosm of the publishing industry. They seem to spend the majority of their effort on protecting their intellectual property. I'd rather they use those resources to improve their reporting, particularly about technical topics, but alas.
when I used to subscribe to the nyt, I had to block a few of their endpoints to kill the awful popups and etc. This, the further ads for paying subscribers, and a host of other issues led me to drop them as well though.
I just found a way to bypass the paywall on a web browser when I want to read an article. Which I figured was a easier solution than emailing customer service over a technical matter (never fun).
I'm still unhappy with the user-agent header. I tried removing information but it breaks a number of sites.
Would like to leave Linux in there (if feasible so it gets counted) but remove/spoof everything else.
Breaking websites is about the only thing you're going to accomplish by messing with the UA string. It's a small amount of entropy and anyone who really wants to track you, doesn't need it.
Fingerprinting is nearly impossible to resist these days anyways, no matter which technics Firefox uses to reduce it, and sometimes it actually makes the browser appear more unique.
Last time I tried everything I could to prevent Firefox from calling home, it was still requesting Mozilla servers. Though I haven’t given up, my
plan is disabling it at source code level and build my own release.
I think this is a nihilistic view. The browser ultimately sends only what the webpage requests. If we gut the ability for websites to request large swathes of information such as every supported TLS Cipher suite and also better protections such as GDPR to make it illegal for browsers to track this information unless a user signs up and also not gating information behind said sign-ups
>The browser ultimately sends only what the webpage requests.
You've got 6 layers under your browser before that data is sent -- some of those are useful for fingerprinting. Also, browser behavior and feature sets are not and likely will never be 100% uniform.
> GDPR to make it illegal for browsers to track this information
Unfortunately the internet is global and people outside of the reach of those jurisdictions can just exist outside of the reach of those laws. Consider the existing landscape of malicious internet traffic and scams which are already illegal in almost every country -- they are still a widespread problem.
>Having a unique fingerprint means fingerprinters can continuously identify you invisibly
This is not right. If you have a unique fingerprint every time someone tries to fingerprint you, then they have to do extra work to try and figure out which are the same. If you make it always be the same you've made the fingerprinter's job much easier.
Agreed. And this technique becomes more effective as the number of people using it increases. It's easy to match up randomized fingerprints if only one person is doing it, but quite hard when thousands or millions are doing it.
I dev my private fork of browser fingerprinting bypass and I can tell, this is like 1% of what commercial tracking companies use for fingerprinting.
Unless they tackle all the hidden things, all artifacts, canvas rendering and many more.
These companies will be actually happy after this change, because even users with ublock and other plugins, will think they're not tracked. Yeah, nope.
And it's not that hard to see how they fingerprint your browser, reverse any JS tracking script yourself and see.
I tested firefox recently. It had some AI summary button or something
that was new. I instantly wanted to eliminate this from the UI but I
don't know how to do that. I guess it is possible? But it probably
requires some time and research; the thing I don't need or want this,
it just takes away space.
Then I remembered why I no longer use firefox. I believe we, as users,
need to take back the open web. The days of some random developers
ruining the UI should really be over, be it firefox, or Google chrome
killing ublock origin. We need to fight back.
> It had some AI summary button or something that was new. I instantly wanted to eliminate this from the UI but I don't know how to do that. I guess it is possible?
Started a fresh profile, but couldn't find an AI button. The AI stuff in the context menu? You can remove the chat bot functionality right there. As for the buttons, if there is an undesirable button, it should be removable via context menu or toolbar customization.
Almost all "alternative" browsers are Chromium based or Gecko/Firefox based. If there are any that are truly scratch-built other than the text-based browsers such as lynx or w3m I'd be interested to hear about them. I'd guess they are extremely limited in features.
I exclusively use private browsing, but I know that doesn't do much in preventing tracking, so it's nice to see this finally starting to roll out.
The fact that I have to go to great lengths to browse anonymously - and companies desperately try to circumvent my genuine decision to opt out of their tracking - tells me everything I need to know about those companies. Words like sleezy, shady, and predatory come to mind.
I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies, but I fear it's more likely those companies will lobby to prevent Firefox from protecting us.
The "Temporary Containers" extension is great here, allowing pretty easy compromise between different buckets of sites. I'll have some personal ones that I log into, others go specifically into a snoop container, and the rest get temporary ones that evaporate when closed. https://addons.mozilla.org/en-CA/firefox/addon/temporary-con...
You could try to use profiles instead of private browsing. It keeps things separated.
Also profiles can be configured and used with CLI, no need for UI (old or new).
And, you can run it directly, no need to launch default firefox profile:
Given that /usr/bin/firefox is just a shell script, you can
If you use an icon to run firefox (say, /usr/share/applications/firefox.desktop), you'll need to do copy/adjust line for the icon.
5 replies →
> I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies
You're in luck since EU's GDPR is about informing users of PII harvesting and consent in general (among other things). And I think nowadays there are similar regulations elsewhere.
Tor? Although I wish there was a way to make a reddit account.
You might want to check out the Mullvad browser. They work with Tor and are based on Firefox. It won't connect you to the Tor network but still
I am dreaming for righteous 'small' employees too, those who carry out the dishonourable practice of implementing privacy intrusion following instructions, for money. Corporates are built by thousands of ignorant grey workers.
Out of curiousity, how would you steelman the argument that fingerprinting is no different than a store owner, standing behind the counter, taking note of the faces of who enters his store, and maintaining a log?
To make that analogy closer to the Internet reality, I would say that Internet tracking is more like a cabal of shop-keepers, librarians, neighbors, utility pole workers, and so on who are keeping track of all the faces, all their habits, what they look at, what they say, who they interact with, and share this information amongst themselves, recording it in perpetuity. They also share details with the police and anyone who cares to purchase them.
When you talk about a "shopkeeper" it gives it a small community charm. The Internet is anything but that.
1 reply →
The difference is scale and intent. A mom and pop store owner “remembering” my face versus big tech tracking is like comparing a nosy neighbor to the CIA.
One of them might peer out their window, the other will infiltrate every aspect of your life. One of them is bored, the other has no qualms about doing significant harm to you if it serves their interests.
The store owner visibly responds to the customers differently. Fingerprinting is invisible. It's more like the store owner recording everyone on hidden camera.
So no, you cannot steelman a broken analogy.
I'm fairly confident I could sue that store owner for stalking if they were logging every time I entered that store and left, along with all my activities.
I'm absolutely positive I could if they were getting other store owners to help them track me.
What I don't understand is why this is unacceptable if they do it to a single person but perfectly normal if they do it to all their customers. IMO that should make things worse, not better.
Let's put it this way. You'd get a restraining order against someone if they followed you around all day, logging when you woke up, ate, who you talked with (even if they don't hear the conversation), where you went, and when you went to bed. That's clearly stalking, right? So why us it suddenly acceptable when it's being done by some guy named Mark who is stalking a billion people instead of just one?
We clearly differentiate this from being a regular customer at a store. If I'm a regular at Joe's Corner Market and get a sandwich every Wednesday for lunch then he remembers me because we're talking face to face and making conversation. It's personal. There's clear consent in what I'm sharing and there's a clear expectation that Joe isn't going to use that information to manipulate me or follow me around town. Our interaction is limited to the store and maybe bumping into each other on the street. It's clearly not stalking, we're just friendly. The same way your partner might know about when you wake up, go to sleep, eat for breakfast, and all that same stuff. Your partner isn't stalking you.
[Edit]: I want to encourage the above comments. Doesn't matter if recursive4 believes the other side or not, I want these conversations to be front and center. I like to see the other responses than mine as well and I think these help us refine our arguments and by being prominent they help others be convinced and join us. So while I know we don't usually talk about how to upvote/downvote, I'll just say "vote strategically rather than agreeability" :)
4 replies →
It's automated data processing at scale rather than a local mom and pop country general store. The profit seeking, decision making, management culture driving decisions is a fundamentally different relationship. Also I don't think store owners do that?
Rather than presupposing an analogy to something importantly different, I would propose that the steelman would be along the lines of noting that ads and hyperpersonalization are effective at meeting and predicting your needs, and steering you towards an interpretation of your own needs that finds their fulfillment in deepening a consumer relationship. And if you get steered into lock-in with one company's ecosystem, you get the convenience of a stack of vertically integrated services.
This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.
There was a commenter some time back showing that browser statistics were easy to skew. Safari and Firefox are less likely to show up in analytics, so website owners think they're less important than they really are. Conflating client-side with server-side analytics showed quite a gap.
Most of the people who are just looking at browser statistics for the purpose of managing a website are using simple tools that just simply collect data from user agent strings. Determining browser from this isn't 100% straightforward, but it's enough to give website operators a rough idea of what browser to target. This data was more important in the days when everything wasn't Chrome/Android/iOS, and it actually mattered what version of IE your users were running.
If you're doing fingerprinting for tracking purposes, you're gonna be tracking a lot more in-depth data.
But in the end, there are pretty much three types of Internet user today: 1. The person who uses the default browser installed on their device. 2. The user who always downloads Chrome when they first get a new computer. and 3. Nerds who do something else.
>This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.
I'd rather be trackable but secure -- the big draw for me is NoScript. Paired with uBlock, I'm safe from malvertising[1]
[1] https://en.wikipedia.org/wiki/Malvertising#Examples_of_malic...
You're more trackable by using NoScipt and there's no good reason to use it if you know how to properly use uBlock: https://github.com/arkenfox/user.js/wiki/4.1-Extensions#-don... uBlock is a content blocker so it can do everything NoScript can if you learn its advanced UI usage. Using additional extensions makes you more trackable.
I was wondering why uBlock is not enough since you can block Javascript globally and re-enable per site. AI's answer:
Only things uBlock doesn’t replicate:
NoScript’s anti-XSS and anti-clickjacking heuristics (uBlock just blocks the sources, not sanitize payloads).
NoScript’s control over other active content types (e.g., WebGL, media codecs, etc).
I often think about this in connection with my user agent. I am sure it helps identify me. If I spoofed a Chrome/Windows UA that would probably be better from a privacy perspective. But if we all do that then web designers will never know that we exist. I want people to know there are Firefox and Linux users out there.
Spoofed UAs are easily detected. And if you are spoofing your UA you are among a very small subset of users.
5 replies →
Interesting. So when you try resist fingerprinting. If you dont go all the way you're at risk of making your differentiations smaller?
As an oversimplified example:
If a website has 100 visitors, and 99 of them use Chrome, and 1 user uses Firefox, it doesn't matter how good their fingerprinting resistance is, they're always the one using Firefox.
https://xkcd.com/1105/
6 replies →
One thing I found that broke tracking algorithms was the ‘every tab is a new random profile’ extension. I can’t remember the name as I haven’t used it in a while and it broke a lot of logins.
They could not build a profile on you and it would break their system of tracking user login per device.
You probably mean Temporary Containers…?
https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
I've recently switched from Containerise + Temporary Containers to Auto Containers. Brand new addon, but the dev is responsive and IMO it works much better for creating new containers on the fly as you browse.
https://addons.mozilla.org/en-GB/firefox/addon/auto-containe...
https://github.com/Shajirr/FF-Auto-Containers
1 reply →
Thanks to both of you. That seems valuable.
https://github.com/stoically/temporary-containers/wiki/Autom...
In my case the single largest contributor to my fingerprint is ... canvas size. I run full screen with a custom Firefox setup that basically makes my canvas size unique :/ The "protection" Firefox uses for this is to always open a new window at a default size, which does nothing in my case since my toolbar config still makes the canvas size unique.
It would be really useful to have something that dithers the reported canvas size by 5 or 10 pixels in different containers to add noise there.
to defeat canvas size fingerprinting in firefox:
about:config -> set privacy.resistFingerprinting to true
about:config -> create new boolean key privacy.resistFingerprinting.letterboxing set to true
this will set your canvas to a common size which fits in the viewport and display a grey "letterbox" border in the surrounding space.
Now I understand why I'm getting paywall limits even in private browsing :) I use Tree Style Tab, so my canvas is also of unusual size and ratio. I guess I can try making it more narrow or wider to combat that :)
This seem sto be the actual list of things it's protecting?
https://support.mozilla.org/en-US/kb/firefox-protection-agai...
They are... surprising to me. And as a developer, some of them seem kind of horrible. Altering canvas data, really?
Unfortunately, Cloudflare and other protections will keep working even less than they used to. I have started to not use Cloudflare protected websites because they don’t work with Firefox. But that is a fight I am going to lose.
Symptoms? Is it limited to when a site has Cloudflare's more aggressive protection turned on? I haven't noticed any problems I've attributed to Cloudflare, and I use Firefox exclusively.
This matches my experience as well. As a FF user, I very occasionally encounter problems, but these don't seem to be correlated to their using CF protections. Much more often I find sites broken that rely on cloud domains with bad reputations, which my DNS filters block.
I was actually wondering if the stuff that Mozilla's talking about here will be used by bad bot people to try to circumvent CF's abuse protections. As I recall from when I was working with them, CF's service relies in part on being able to identify botnet attacks by doing its own fingerprinting.
I'm sorry whatever problem you've run into, but it's definitely not true that no cloudflare protected websites work with any Firefox. You've run into something more specific, I guess.
I wish them the best. When I last tested it on fingerprint.com, the hash remained stable even with resistFingerprinting and letterboxing from a VPN, only changing between profiles. When I daily-drove resistFingerprinting (not reduceFingerprinting that permits exceptions like dark mode) in 2021, my hash changed every restart.
Perhaps fingerprint.com has stepped up their detection game and have new heuristics to identify you, thwarting the resistFingerprinting measures.
My experience lately has been that fingerprint.com is able to identify my main profile "in bursts", i.e. it will identify me consistently for some days, then it will forget and tell me it's never seen me. Maybe the service they provide on the landing page has a TTL policy? Either way, I've observed this behaviour on both my main profile and my "Firefox Focus"-like profile (a mix of no history + automatic temporary containers). On Mullvad Browser, however, it always seems to group me with random access across the globe.
It’s a bit annoying that Firefox by default breaks all sites that use canvas imageData API. There is no permission for that, so no user-friendly way to ask for consent either.
Sites such as?
Offline friendly image editors for instance.
I'm already using CanvasBlocker, Decentraleyes, and the NoScript Security Suite; but getting more protections will be nice. Even if it may take a while for them to land in Waterfox.
You are actually easier to track using these addons.
By installing Canvasblocker, Decentraleyes and NoScript you are providing more entropy to trackers and thus making it easier to track you. Imagine how many people worldwide block specifically Canvas, have weird looking network requests to certain js libs and have JS disabled for some (/all) scripts combined with your general setup (window size, font size, and many other factors that do not even require JS).
The Tor project explicitly suggests to not install an adblocker for example because of this.
I more or less use those addons (uMatrix instead of NoScript) plus uBlock Origin. uMatrix doesn't load a large number of JS files. An example from an ecommerce site I'm browsing right now: the site is functional (at least in browsing mode) without the scripts from
It needs only the JS from the first party domain. So they can track me from there but all the other guys don't know about me, unless they buy data from the first party. At least they have to do more work.
I also don't get advertising in any form, maybe because I don't have ecommerce apps on my phone and I block a lot of things with Blockada, but that's another story.
1 reply →
> (window size, font size, and many other factors that do not even require JS
Yeah, they require CSS, which you can also block using noscript and other tools, if you want.
Also, while you might be more "trackable" to those who fingerprint, if you are blocking those cross origin or same origin scripts from loading you are already stopping some of that. You can even blacklist some known hosts completely in your browser's policy settings and prevent those requests from ever reaching their destination.
Without an ad blocker and JavaScript blocker the average website would be 100GB in size and take several years to load. If I really cared about tracking protection I would just not use the regular internet and stick to Gemini. CanvasBlocker is just because the Tor browser itself has one implemented (source: <https://2019.www.torproject.org/projects/torbrowser/design/#...>) so I figured I might as well.
There has to be a happy middle between "no protection" and "complete uniqueness"
The web without ad blocking is revolting. Browsers building in these features makes them more popular.
Aside: Fuck the Washington Post. They have a line in their privacy policy that acknowledges the existence of "Do Not Track" flags in browsers. Their acknowledgement: since there is no industry standard for responding to it, they ignore it.
3 replies →
How is your browsing experience with that stuff? I used to go nuts with anti-tracking measures, but enough of my browsing experience kept breaking that it just didn't feel worth it.
My experience with uMatrix: most sites work right away. Others require fiddling with the matrix of media, script, xhr, frames and the third parties serving them. After a while it's easy to remember which ones must be temporary enabled and which ones don't. Sites with videos are a little more difficult. Sites with payments require care. I whitelist the minimum set of scripts that make the sites I use often work. There are usually many scripts that can be left out. If everything fails and it's a one shot site, I start Chrome.
It's fine. Sometimes I get annoyed by websites which require JavaScript to show static text (apparently HTML is too difficult?) or which block me with a 'please unblock challenges.cloudflare.com to proceed' (that second one seriously pisses me off when I see it on, for example, the website of the Belgian railways), but by and large I'm fine with just saying 'if it breaks I don't need it'. But I handle my e-mail with isync, mu, and mu4e; and as far as I understand e-mail tends to be a sticking point for those who care for their digital rights. I also don't have Xitter or Facebook or any of that nonsense.
If there's one thing I don't like its the fact that NoScript doesn't integrate with Multi-Account Containers. It would be neat if instead of having to temporarily allow GitHub JavaScript and re-disable it when I'm done; I could just allow GH JS in a GitHub or Microsoft container and it only being enabled in that container.
1 reply →
I use LibreWolf at work, and I exempt most internal sites from aggressive anti-tracking stuff, but otherwise it works fine.
It would be nice to see Firefox implement a few features browsers like brave have, like being able to automatically clear cookies for a site when leaving it, and to make containers available when in private browsing, ah well.
This is pretty handy and I've been using it for years[0].
I like the idea of Brave but we have a bigger fight that requires us to have no chromium. Chromium winning is Google winning, allowing them to control the Internet. I don't want that power in any single entity's hands. So I do ask that more people switch to Firefox or Safari as those are the best options to fight back and have decent market shares (even if small). If we lose the internet we'll lose our privacy too
[0] https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...
On the topic of Firefox fingerprinting, how does one edit the NetworkID in about:networking#networkid without creating new profiles or user accounts?
Adding noise to images sounds like a really bad idea. It will mess with any Javascript code which performs processing on images. Try writing a photo editor in Javascript and watch your browser corrupt your images.
Like the articel says those features can be disabled on a per site basis.
You are able to toggle these specific named categories:
* Cookies
* Tracking Content
* Cryptominers
* Known Fingerprinters
* Suspected Fingerprinters
But there is no separate toggle for the feature that adds noise to the image, or indication of which toggle would affect that.
The question that I have not see answered in the many, many forum threads on "browser fingerprinting", is specifically why a user seeks to avoid it
Is it (a) to avoid internet marketing, (b) some other reason or (c) both. What is the "threat model"
If the answer is (c) then is there a belief that a fingerprint collected for marketing purposes may be used for other purposes
I do not use a browser to make HTTP requests, I only send two headers, Host and Connection, unless I need to send more, e.g., User Agent, Cookie, Accept, etc. The vast majority of websites I access work with only two headers. The list of ones that require more is short and the local forward proxy adds them automatically for those sites
For me, the "threat model" is (a) internet marketing
I do not see any ads because (1) the computers I use cannot access ad or tracking servers^FN1 and (2) I use a text-only browser to read HTML. There is no Javascript interpreter, no way to auto-load resources, no way to display images, no way to store cookies, etc.
I have no issue with this information that I'm a text-only web user being revealed to any internet marketer. (More likely I am mistaken for a "bot" as a result of crude heuristics)
On the other hand, if I were using a popular browser to make HTTP requests, one that sends a "common" fingerprint to internet marketers, then this would signal a more viable target for ads and tracking. Popular browsers have default settings that enable Javascript, cookies, images, auto-loading resources, etc.
tl;dr The reasons a computer user has for avoiding fingerprinting may be different. For example, one user might want to "blend in" and "hide", i.e., avoid being "identified", whereas another user might want to "be left alone", i.e., avoid being the target of internet marketers
FN1. Markerters always seem to require access to DNS
I use FF and I paid for NYTimes. I was logged in, yet NYTimes constantly flagged my browser with a persistent captcha I couldn't bypass for months (across 2 different machines). It thought I was a bot because of the privacy features. So I cancelled my subscription using my phone.
Is there a reason to force all these bot checks on logged in accounts that are paying you money other than insanity? Surely you could just have a max monthly bandwidth limit per account and just stop worrying about this?
I don't think there is any value of [x] for the monthly bandwidth usage you could pick that malicious users cannot afford, but legitimate users could not hit.
2 replies →
The New York Times is like a microcosm of the publishing industry. They seem to spend the majority of their effort on protecting their intellectual property. I'd rather they use those resources to improve their reporting, particularly about technical topics, but alas.
2 replies →
They probably don’t want you paying once and using that subscription to scrape the website. Which is reasonable.
1 reply →
when I used to subscribe to the nyt, I had to block a few of their endpoints to kill the awful popups and etc. This, the further ads for paying subscribers, and a host of other issues led me to drop them as well though.
Ha - I thought you were gonna say you switched browsers.
I just found a way to bypass the paywall on a web browser when I want to read an article. Which I figured was a easier solution than emailing customer service over a technical matter (never fun).
Just use Bypass Paywalls Clean. Paying for a subscription is up to you.
I just open dev tools and look at the file in the network tab. You can read it the response sub-tab usually.
I'm still unhappy with the user-agent header. I tried removing information but it breaks a number of sites. Would like to leave Linux in there (if feasible so it gets counted) but remove/spoof everything else.
Breaking websites is about the only thing you're going to accomplish by messing with the UA string. It's a small amount of entropy and anyone who really wants to track you, doesn't need it.
Fingerprinting is nearly impossible to resist these days anyways, no matter which technics Firefox uses to reduce it, and sometimes it actually makes the browser appear more unique.
Last time I tried everything I could to prevent Firefox from calling home, it was still requesting Mozilla servers. Though I haven’t given up, my plan is disabling it at source code level and build my own release.
I think this is a nihilistic view. The browser ultimately sends only what the webpage requests. If we gut the ability for websites to request large swathes of information such as every supported TLS Cipher suite and also better protections such as GDPR to make it illegal for browsers to track this information unless a user signs up and also not gating information behind said sign-ups
> and also not gating information behind said sign-ups
"People should do work for free" isn't very workable.
3 replies →
>The browser ultimately sends only what the webpage requests.
You've got 6 layers under your browser before that data is sent -- some of those are useful for fingerprinting. Also, browser behavior and feature sets are not and likely will never be 100% uniform.
> GDPR to make it illegal for browsers to track this information
Unfortunately the internet is global and people outside of the reach of those jurisdictions can just exist outside of the reach of those laws. Consider the existing landscape of malicious internet traffic and scams which are already illegal in almost every country -- they are still a widespread problem.
I couldn't quite catch what you meant, but
> The browser ultimately sends only what the webpage requests.
You should do research before making such claims.
>Having a unique fingerprint means fingerprinters can continuously identify you invisibly
This is not right. If you have a unique fingerprint every time someone tries to fingerprint you, then they have to do extra work to try and figure out which are the same. If you make it always be the same you've made the fingerprinter's job much easier.
Agreed. And this technique becomes more effective as the number of people using it increases. It's easy to match up randomized fingerprints if only one person is doing it, but quite hard when thousands or millions are doing it.
dont use randomized fingerprints, spoof actual fingerprints, randomly.
1 reply →
I dev my private fork of browser fingerprinting bypass and I can tell, this is like 1% of what commercial tracking companies use for fingerprinting.
Unless they tackle all the hidden things, all artifacts, canvas rendering and many more.
These companies will be actually happy after this change, because even users with ublock and other plugins, will think they're not tracked. Yeah, nope.
And it's not that hard to see how they fingerprint your browser, reverse any JS tracking script yourself and see.
I tested firefox recently. It had some AI summary button or something that was new. I instantly wanted to eliminate this from the UI but I don't know how to do that. I guess it is possible? But it probably requires some time and research; the thing I don't need or want this, it just takes away space.
Then I remembered why I no longer use firefox. I believe we, as users, need to take back the open web. The days of some random developers ruining the UI should really be over, be it firefox, or Google chrome killing ublock origin. We need to fight back.
> It had some AI summary button or something that was new. I instantly wanted to eliminate this from the UI but I don't know how to do that. I guess it is possible?
Started a fresh profile, but couldn't find an AI button. The AI stuff in the context menu? You can remove the chat bot functionality right there. As for the buttons, if there is an undesirable button, it should be removable via context menu or toolbar customization.
I feel your pain with the AI stuff, but I think I had one sidebar open one time and I was able to disable it with one click.
You have to click that button and option to hide is right there.
I agree with your comment, but to resolve the question it's "browser.ml.chat.enabled". A common topic on HN,
https://hn.algolia.com/?query=browser%20ml%20chat&type=all
I use Firefox because it is better than Chrome, which is the only alternative I see.
Do you use something else?
Almost all "alternative" browsers are Chromium based or Gecko/Firefox based. If there are any that are truly scratch-built other than the text-based browsers such as lynx or w3m I'd be interested to hear about them. I'd guess they are extremely limited in features.
1 reply →
Not the commenter you're replying to, but I've been using LibreWolf for the last few months.
It's a bit more privacy focused, so may need some tweaking to your liking (by default it won't persist history, zoom levels, cookies, etc.)
LibreWolf, Iron Fox, and Brave are all worth a look, I think.