add firefox to the list of secure browsers #107

Closed
wants to merge 2 commits into from

cherti
Contributor

@cherti cherti commented May 16, 2020

This PR adds Firefox to the list of secure browsers by only using internal configuration options.

@gautamkrishnar
Owner

gautamkrishnar commented May 16, 2020

@cherti firefox was there on the list but was removed due to #98 by @nunbit.

@nunbit can you please verify this now.

We need more verifications from other firefox users.

@cherti
Contributor Author

cherti commented May 16, 2020

According to the documentation this was added in 57 (as denoted in the file), however I did test this with 76.0.1, it would be interesting to get a firefox ESR-Test as well for older versions.

@cherti
Contributor Author

cherti commented May 16, 2020

So, I have run some tests and the result seems to be: the Firefox-Fingerprint prevention works (even when simply reloading the same page), as long as the resolution of the browser window is different from where the form was originally filled out.
Only if it is exactly the same size the browser is recognized again.

This finding translates over different distributions, and, most importantly, this also translates to the Tor Browser, which is currently listed as secure (and actually the behavior of reproducing window sizes is one of its core features for the user's privacy).

@cherti
Contributor Author

cherti commented May 16, 2020

Some further research has yielded this explanation for why Firefox adopted a different behavior for their fingerprint protection: arkenfox/user.js#767 (comment), they apparently decided to adapt the scheme of lowering entropy the Tor Browser already employs instead of raising it.

@gautamkrishnar
Owner

gautamkrishnar commented May 28, 2020

I tried the latest version of Firefox, still, I can see some abnormalities. See the video below:
https://streamable.com/q15mgj
I am using the latest version of firefox.
Screenshot 2020-05-28 at 2 27 07 PM

@cherti if you had gone through the implementation of firefox's fingerprint restriction, can you please tell me what all parameters are randomized or blocked to avoid fingerprinting?

@cherti
Contributor Author

cherti commented May 28, 2020

Yes, and this is precisely intended behavior for the sake of tracking protection. I haven't gone through the implementation itself, but the point here is that canvas randomization is easily detectable, you just run the canvas-fingerprint twice in your fingerprinting routine and the fingerprinter knows exactly that you are applying canvas randomization. That being said, I have tested that with the ungoogled chromium, the only randomized part there, as far as I tested, is the canvas randomization (and likely this is the same for palemoon, I'm extrapolating, but as enabling "canvas.poisondata" is required to make it fool this specific test this seems very likely even without testing).

Therefore, these fingerprinting protections are actually artifacts that can be used for fingerprinting by just slightly modifying the fingerprinting-Javascript (and potentially you can even do statistical attacks on the randomization itself, ungoogled chromium says "maximum 10 pixels", if palemoon does more they are, statistically, easily distinguishable here).

Therefore, the Firefox-approach, taken from the Tor Browser, is fundamentally different: the canvas-API will always return blank white, independent of where the Firefox is running. Instead of making every Firefox randomly unique, they decided to make every firefox look alike. Given that the Browser is extracted by the fingerprinting-JS as well, this is actually denying any information extracted from the canvas API, whereas, as described above, randomization gives away information to the tracking party.

The question now boils down to what you mean by "secure browser". If this means "fails this specific test", then Firefox will only pass this test if a lot of Firefox users use it at the same time (that being said, in this case I'd argue that "secure browsers" is a dangerously misleading claim). If it means "protects you from fingerprinting", then Firefox is actually better in this, because it deprives the tracking party of any additional tracking information by making all firefoxes look alike with regards to their canvases (and many other things that are tweaked by that option), albeit seemingly failing this test (whereas it actually succeeds the test because you would get identified as the same person over different computers if the other specs of the browser are the same, yielding fingerprinting useless).
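
The distinction drawn in the comment above, as an added example that is not part of the thread or the project's code: a self-check that reads a canvas several times and reports whether the readout is stable, randomized between reads, or uniformly white. The function names and the constructed sample readers are assumptions; in a browser `readPixels` would wrap `getImageData` on a canvas with a fixed test drawing.

```javascript
// Added example: classify how a browser answers repeated canvas readouts.
// readPixels is any function returning RGBA bytes; in a browser it would be
// () => ctx.getImageData(0, 0, w, h).data after drawing a fixed test scene.

function countDifferingPixels(a, b) {
  if (a.length !== b.length) return Infinity; // a size change is itself a difference
  let n = 0;
  for (let i = 0; i < a.length; i += 4) {
    if (a[i] !== b[i] || a[i + 1] !== b[i + 1] ||
        a[i + 2] !== b[i + 2] || a[i + 3] !== b[i + 3]) n++;
  }
  return n;
}

function isUniformWhite(px) {
  return px.length > 0 && px.every((v) => v === 255);
}

function classifyCanvasReadout(readPixels, reads = 3) {
  const samples = [];
  for (let i = 0; i < reads; i++) samples.push(Array.from(readPixels()));
  let maxDiff = 0;
  for (let i = 1; i < samples.length; i++) {
    maxDiff = Math.max(maxDiff, countDifferingPixels(samples[0], samples[i]));
  }
  // Reads of the same drawing that disagree expose per-read randomization.
  if (maxDiff > 0) return { behaviour: "randomized", maxDifferingPixels: maxDiff };
  // Identical all-white reads: the same answer for every user of that setting.
  if (isUniformWhite(samples[0])) return { behaviour: "uniform-white", maxDifferingPixels: 0 };
  // Identical non-blank reads: the real, device-specific rendering is exposed.
  return { behaviour: "stable", maxDifferingPixels: 0 };
}

// Constructed sample readers for a 4x1 pixel "canvas", not captured from any browser.
const drawn = [10, 20, 30, 255, 40, 50, 60, 255, 70, 80, 90, 255, 5, 5, 5, 255];
const plainReader = () => drawn;
const whiteReader = () => new Array(16).fill(255);
function makeNoisyReader() {
  let tick = 0;
  return () => {               // perturbs one channel of a different pixel per read
    const px = drawn.slice();
    px[(tick++ % 4) * 4] ^= 1;
    return px;
  };
}

console.log(classifyCanvasReadout(plainReader), classifyCanvasReadout(whiteReader),
            classifyCanvasReadout(makeNoisyReader()));
```

A scheme that randomizes once per session rather than on every read would be reported as `stable` by this check, so it only distinguishes the per-read case discussed in the thread.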

@ghost

ghost commented Jun 14, 2020

> @cherti firefox was there on the list but was removed due to #98 by @nunbit.
>
> @nunbit can you please verify this now.
>
> We need more verifications from other firefox users.

NO. Nothing changed in 77. same failure, not even on Librewolf with hardened user.js.

Also I am deleting my account due to Microsoft ownership. Consider moving to gitlab :). Bye bye.

@ghost

ghost commented Jun 14, 2020

Also I am deleting my account due to Microsoft ownership. Consider moving to gitlab :). Bye bye.

@gautamkrishnar
Owner

@cherti thank you for contribution, really sorry we cannot add firefox to the list since nothing private is working fine on default firefox, at least for me.

@gautamkrishnar
Owner

gautamkrishnar commented Jun 21, 2020

@Thorin-Oakenpants Thanks a lot for the explanation, @cherti had already opened #112 With firefox on the list. It is now merged.

@cherti
Contributor Author

cherti commented Jun 21, 2020

> In FF78+ the canvas is randomized on each request (not cached) and is pretty much unique (8 colors, specific pattern, dead give-away on size) - but RFP is not trying to hide itself, and all RFP users (such as Tor Browser users) would still all be the same (on randomizing metrics such as colors etc), as an enforced set.

@Thorin-Oakenpants I've read about this, I wasn't aware that this would already land in FF78, thanks, that is indeed good to know. :)

@cherti
Contributor Author

cherti commented Jun 21, 2020

> BTW, it's not actually Depriving websites of canvas data readout: there is a difference in fingerprinting if something is blocked vs spoofing. It's just spoofing as white, so I would change that

Good point, done in #113.

I have left Tor Browser as it is for now, once the new release is out it can be changed in the list accordingly and alpha and non-alpha do not have to be differentiated explicitly.
