add firefox to the list of secure browsers #107
According to the documentation this was added in 57 (as denoted in the file), however I did test this with 76.0.1, it would be interesting to get a firefox ESR-Test as well for older versions.
So, I have run some tests and the result seems to be: the Firefox-Fingerprint prevention works (even when simply reloading the same page), as long as the resolution of the browser window is different from where the form was originally filled out. This finding translates over different distributions, and, most importantly, this also translates to the Tor Browser, which is currently listed as secure (and actually the behavior of reproducing windows sizes is one of its core features for the user's privacy).
Some further research has yielded this explanation for why Firefox adopted a different behavior for their fingerprint protection: arkenfox/user.js#767 (comment), they apparently decided to adapt the scheme of lowering entropy the Tor Browser already employs instead of raising it.
I tried the latest version of Firefox, still, I can see some abnormalities. See the video below: @cherti if you had gone through the implementation of firefox's fingerprint restriction, can you please tell me what all parameters are randomized or blocked to avoid fingerprinting?
Yes, and this is precisely intended behavior for the sake of tracking protection. I haven't gone through the implementation itself, but the point here is that canvas randomization is easily detectable, you just run the canvas-fingerprint twice in your fingerprinting routine and the fingerprinter knows exactly that you are applying canvas randomization. That being said, I have tested that with the ungoogled chromium, the only randomized part there, as far as I tested, is the canvas randomization (and likely this is the same for palemoon, I'm extrapolating, but as enabling "canvas.poisondata" is required to make it fool this specific test this seems very likely even without testing). Therefore, these fingerprinting protections are actually artifacts that can be used for fingerprinting by just slightly modifying the fingerprinting-JavaScript (and potentially you can even do statistical attacks on the randomization itself, ungoogled chromium says "maximum 10 pixels", if palemoon does more they are, statistically, easily distinguishable here). Therefore, the Firefox-approach, taken from the Tor Browser, is fundamentally different: the canvas-API will always return blank white, independent of where the Firefox is running. Instead of making every Firefox randomly unique, they decided to make every firefox look alike. Given that the Browser is extracted by the fingerprinting-JS as well, this is actually denying any information extracted from the canvas API, whereas, as described above, randomization gives away information to the tracking party. The question now boils down to what you mean by "secure browser". If this means "fails this specific test", then Firefox will only pass this test if a lot of Firefox users use it at the same time (that being said, in this case I'd argue that "secure browsers" is a dangerously misleading claim).
If it means "protects you from fingerprinting", then Firefox is actually better in this, because it deprives the tracking party of any additional tracking information by making all firefoxes look alike with regards to their canvases (and many other things that are tweaked by that option), albeit seemingly failing this test (whereas it actually succeeds the test because you would get identified as the same person over different computers if the other specs of the browser are the same, yielding fingerprinting useless).
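Added example, not part of the thread or the project's code: a check a test page could use to tell apart the three canvas behaviours discussed in the comment above (no protection, per-read randomization, uniform blank output), so that a uniform-output browser is not mislabelled. The readers, the 4x4 image and all function names are constructed stand-ins; in a browser a reader would wrap `getImageData()`.

```javascript
// A reader is a zero-argument function returning canvas pixels (Uint8Array).
function sameBytes(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Read the canvas several times and report which strategy is visible.
function classifyCanvasProtection(read, rounds = 3) {
  const samples = Array.from({ length: rounds }, () => read());
  if (!samples.every((s) => sameBytes(s, samples[0]))) return "randomized";
  return samples[0].every((v) => v === 255) ? "uniform-blank" : "unprotected";
}

// How many distinct canvas values a set of browsers exposes (1 = all alike).
function distinctReadbacks(readers) {
  return new Set(readers.map((read) => Array.from(read()).join(","))).size;
}

// Constructed 4x4 RGBA image that depends on the device; values stay below 251.
function deviceImage(device) {
  return Uint8Array.from({ length: 64 }, (_, i) => (device * 31 + i * 17) % 251);
}

const unprotectedReader = (device) => () => deviceImage(device);

// Stand-in for per-read noise: each call alters 10 values at new positions.
function randomizingReader(device) {
  let call = 0;
  return () => {
    const px = deviceImage(device);
    call += 1;
    for (let k = 0; k < 10; k++) px[(call * 10 + k) % px.length] ^= 1;
    return px;
  };
}

// Stand-in for the blank-white behaviour described for Firefox and Tor Browser.
const blankReader = () => () => new Uint8Array(64).fill(255);

const devices = [1, 2, 3, 4]; // constructed population of four machines
console.log(classifyCanvasProtection(unprotectedReader(1)));
console.log(classifyCanvasProtection(randomizingReader(1)));
console.log(classifyCanvasProtection(blankReader()));
console.log(distinctReadbacks(devices.map(unprotectedReader)));
console.log(distinctReadbacks(devices.map(blankReader)));
```

A page that only compares one readback against a stored value would report the uniform-blank browsers as identical to each other, which is the intended outcome of that protection rather than a failure of it.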
NO. Nothing changed in 77. Same failure, not even on Librewolf with hardened user.js. Also I am deleting my account due to Microsoft ownership. Consider moving to gitlab :). Bye bye.
@cherti thank you for the contribution, really sorry we cannot add firefox to the list since nothing private is working fine on default firefox, at least for me.
@Thorin-Oakenpants Thanks a lot for the explanation, @cherti had already opened #112 with firefox on the list. It is now merged.
@Thorin-Oakenpants I've read about this, I wasn't aware that this would already land in FF78, thanks, that is indeed good to know. :)
Good point, done in #113. I have left Tor Browser as it is for now, once the new release is out it can be changed in the list accordingly and alpha and non-alpha do not have to be differentiated explicitly.
This PR adds Firefox to the list of secure browsers by only using internal configuration options.