While browser extensions are often suggested as a method to improve your privacy, they could make things way worse. I linked an article about the anti-fingerprint extensions; however, every extension that you install on your browser makes you stand out more.

This happens even with adblocker extensions. First of all, enumeration badness is not a good approach against tracking; that’s why Tor browser doesn’t use any adblocker.

Site-specific or filter-based addons such as AdBlock Plus, Request Policy, Ghostery, Priv3, and Sharemenot are to be avoided. We believe that these addons do not add any real privacy to a proper implementation of the above privacy requirements, and that development efforts should be focused on general solutions that prevent tracking by all third parties, rather than a list of specific URLs or hosts.

Trying to resort to filter methods based on machine learning does not solve the problem either: they don’t provide a general solution to the tracking problem as they are working probabilistically. Even with a precision rate at 99% and a false positive rate at 0.1% trackers would be missed and sites would be wrongly blocked.

Source.

Moreover, every site visited can detect every change you made, including blocked domains, and so, instead of achieving privacy, you’ll stand out more. If you’re going to use an adblocker, it’d be a good idea to use only the standard filters.

  • dandelion
    3 years ago

    This happens even with adblocker extensions. First of all, enumeration badness is not a good approach against tracking; that’s why Tor browser doesn’t use any adblocker.

    A long time ago I read that Tor browser does not use uBlock Origin because there were CPU spike issues at startup reported with Tor browser.

    Here is a thread: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17569

    It seems uBlock Origin has quite some performance issues on higher security levels.

    • @Lunacy@lemmy.ml (OP)
      3 years ago

      Thanks for sharing. It’s true; if Tor bundled uBlock Origin then every Tor user would have the same fingerprint. However, now the problem is about the filter lists. To have the same fingerprint, all users need to use the same set of filter lists because the domains blocked need to be the same, but every single user has a different use case. Moreover, the enumeration badness and philosophy problem still remains.

      In my opinion Tor has chosen the right approach since most of the websites need to use ads & trackers in order to cover the fees.

        • @Lunacy@lemmy.ml (OP)
          3 years ago

          Tails uses uBlock Origin in their TBB btw.

          Yes, but the use of uBlock could help identify you as a Tails user, which is not a good approach, especially for people who have a higher threat model. Another problem about uBlock on Tor (I’m not sure about this, maybe Tails blocked this feature and shipped uBlock only with a set of filter lists, very glad to be corrected here) is the possibility to choose different lists, thus creating fragmentation between users.

          Removing advertisements on Tor is pretty much useless; it is more about convenience than actual privacy. Tor has built real privacy approaches in order to mitigate fingerprinting and cross tracking, like FPI. Using filter lists in order to achieve privacy is a poor approach for the reasons I linked in the OP.

          Tails includes the uBlock Origin extension which removes advertisements. If an attacker can determine that you are not downloading the advertisements that are included in a webpage, that could help identify you as a Tails user.

          Source

          In my opinion any website that builds on ads and tracking to “cover their costs” (or rather making a profit) is harming the planet. Exploitation should not be rewarded.

          I understand your point. If you’re choosing to block ads & tracking it’s fine in my opinion, but on Tor it’s different, simply because it has already mitigated these problems using good countermeasures. Instead, using an adblocker could worsen your privacy.

      • @pinknoise@lemmy.ml
        3 years ago

        since most of the websites need to use ads & trackers in order to cover the fees.

        Most ad companies do not pay for Tor views/clicks, some not even for conversions. And you definitely want to block the ones that track conversions.

    • @Lunacy@lemmy.ml (OP)
      3 years ago

      I’d say yes and no. Achieving privacy in the browser is actually not easy at all. In fact, every single change you make in the browser makes you stand out more. Ideally, you should leave your browser settings untouched. The more you blend in with the crowd, the more privacy you’ll get.

      Example: let’s say you’re going to use Firefox as your browser. If you choose, for example, to disable WebGL and WebRTC, you’ll be way more fingerprintable across the internet because very few people set up Firefox this way. These kinds of approaches make sense only on Tor, because 100% of users will have WebGL and WebRTC disabled.

      It’s the same for blocking ads/tracking. There are way more people who don’t block ads/tracking, so if you’re going to use an adblocker, you’ll stand out; if you’re going to use aggressive filter lists instead of the standard ones, you’ll stand out even more. The option to block ads and trackers should be integrated in the browser, like in Firefox, Edge or Safari.

      • soronixa
        3 years ago

        The more you blend in with the crowd, the more privacy you’ll get.

        I don’t know much in this regard, but I think if you don’t block trackers and third party cookies, then there’s no need to fingerprint your browser to track you, you have already lost your privacy. most people remain totally vulnerable to simple methods of tracking, blending with them means your privacy will be invaded too. this blending in the crowds is only useful when you use something that is hardened by default, like Tor.

        the option to block ads and trackers should be integrated in the browser

        agreed. Firefox should really change some default settings and give you some add-ons by default to make fingerprinting harder. like what they did with https everywhere.

        • @Lunacy@lemmy.ml (OP)
          3 years ago

          But I think if you don’t block trackers and third party cookies, then there’s no need to fingerprint your browser to track you, you have already lost your privacy.

          I understand your point. I’m not saying that you shouldn’t use an ad-blocker or block third party cookies, but you’re probably going to make things worse instead of achieving actual privacy. Unfortunately, this is a sad reality.

          Blocking ads/trackers and third party cookies would be a good approach only if the option was enabled by default in the browser. For example, Vanadium blocks third-party cookies by default; this is good because if all the users have third-party cookies blocked then it’s way more difficult to uniquely identify a single one. The same concept goes for ads & tracking.

          most people remain totally vulnerable to simple methods of tracking

          Ironically enough, sometimes even people who care about privacy. It’s not about ads/trackers or third party cookies; fingerprinting is much more complicated. Every site can collect an enormous amount of data, including:

          • IP
          • HTTP header
          • JavaScript
          • WebRTC
          • WebGL
          • CanvasFingerprint
          • Font fingerprint
          • AdBlock detection

          These pieces of data are actually easy to collect. While this information can leak a lot of data, disabling or spoofing even a small part, e.g. disabling WebGL, spoofing the user agent, screen resolution etc., will worsen the user’s privacy even more.

          this blending in the crowds is only useful when you use something that is hardened by default, like Tor.

          Not at all, blending with the crowd is useful regardless of the browser you’re going to use. If you blend in with the crowd, fingerprinting is way more difficult.

          Firefox should really change some default settings and give you some add-ons by default to make fingerprinting harder.

          Firefox should not rely on add-ons. Instead, it should build actual privacy mitigations against tracking and fingerprinting.

          • soronixa
            3 years ago

            I understand your point. I’m not saying that you shouldn’t use an ad-blocker or block third party cookies, but you’re probably going to make things worse instead of achieving actual privacy. Unfortunately, this is a sad reality. Blocking ads/trackers and third party cookies would be a good approach only if the option was enabled by default in the browser. For example, Vanadium blocks third-party cookies by default; this is good because if all the users have third-party cookies blocked then it’s way more difficult to uniquely identify a single one. The same concept goes for ads & tracking.

            the crowd I’m trying to blend in are users who have enabled resist fingerprinting, and I’m pretty sure anyone enabling RFP would be using at least uBlock and ClearURLs. I think you’ve mistaken anti-fingerprinting addons, those are the ones that make you stand out from other people with RFP.

            I also assume people who enable it, will disable javascript for sites they don’t trust, and js is needed for most fingerprinting. things like canvas fingerprint, screen, etc are protected by RFP so that users have similar fingerprints.

            Not at all, blending with the crowd is useful regardless of the browser you’re going to use. If you blend in with the crowd, fingerprinting is way more difficult.

            I don’t think that’s correct. if your browser is something like chrome or edge, there’s no way you could possibly benefit from blending.

            Firefox should not rely on add-ons. Instead, it should build actual privacy mitigations against tracking and fingerprinting.

            they have made actual mitigation by something like RFP, the problem is that they haven’t enabled it by default. and for things like uBlock being an add-on is beneficial, they just need to ship it with firefox itself (like librewolf does), while it’d be cool if some other add-ons get implemented in the browser like HTTPSeverywhere was implemented.

            • @Lunacy@lemmy.ml (OP)
              3 years ago

              the crowd I’m trying to blend in are users who have enabled resist fingerprinting, and I’m pretty sure anyone enabling RFP would be using at least uBlock and ClearURLs.

              You’re trying to blend into an extremely small crowd, and thus one more easily fingerprintable, using an approach that in fact doesn’t work. Users change the settings differently. Some of them could enable RFP but not disable WebGL; others could disable WebGL, enable RFP and not disable JavaScript, and so on. The combinations are unlimited because there are so many settings which users can change. This creates an enormous fragmentation between users. This is why enabling privacy settings by default is so important.

              and js is needed for most fingerprinting.

              It’s true, JavaScript prevents a lot of fingerprinting. However, fingerprinting can be done with only CSS and HTML. It’s possible to use CSS to figure out your browser resolution or mouse movements. Moreover, almost no one disables JavaScript, even among privacy users. So, even with RFP enabled, websites can still check your real UA. That’s why the user agent should be the same for every Firefox user by default.

              I don’t think that’s correct. if your browser is something like chrome or edge, there’s no way you could possibly benefit from blending.

              This is a different problem. The fingerprint concern still remains regardless of the first-party privacy of the browser you’re going to use.

              like uBlock being an add-on is beneficial, they just need to ship it with firefox itself (like librewolf does), while it’d be cool if some other add-ons get implemented in the browser like HTTPSeverywhere was implemented

              Blocking ads/trackers, blocking third party cookies, using only HTTPS and so on is beneficial, but browsers need to build these settings in a robust and long term way, instead of using add-ons.

              • soronixa
                3 years ago

                I understand the need for privacy respecting default settings, but right now my browser doesn’t have a unique fingerprint, so it kinda works. surely it would be better if mozilla improved firefox, or I used Tor, but for my normal browsing websites don’t really need js, and when it’s turned off my browser isn’t really fingerprintable.

                personally all I’ve done has been following what privacytools.io says, since it’s the most popular one that I know, and hope others have done the same thing so our fingerprints would look the same.

                about the CSS, arkenfox user.js has letterboxing enabled, but I have no idea about mouse movement.

                the user agent should be the same for every Firefox user by default.

                agreed, I assumed it must be the same for all users who enable RFP, but honestly I don’t know.

                in general I agree, we should pressure Mozilla to make firefox better, but I don’t know how to do that really, I mean they haven’t deleted things like pocket, cloudflare, etc yet so they don’t seem interested in making a better firefox.

          • dandelion
            3 years ago

            every site can collect an enormous amount of data, including:

            IP
            HTTP header
            JavaScript
            WebRTC
            WebGL
            CanvasFingerprint
            Font fingerprint
            AdBlock detection

            These pieces of data are actually easy to collect. While this information can leak a lot of data, disabling or spoofing even a small part, e.g. disabling WebGL, spoofing the user agent, screen resolution etc., will worsen the user’s privacy even more.

            What is this information based on? Sites like https://www.amiunique.org/fp and coveryourtracks.eff.org/ do not complain about my browser config.

            • @Lunacy@lemmy.ml (OP)
              3 years ago

              You can see what information your browser leaks on browserleaks.com.

              Sites like https://www.amiunique.org/fp and coveryourtracks.eff.org/ do not complain about my browser config.

              Sites like amiunique.org/fp or coveryourtracks.eff.org do not reliably test your fingerprint.

              In addition to tracker blocking, Cover Your Tracks measures the uniqueness of your browser. We anonymously log the following information, and compare it to a database of many other Internet users’ configurations that we’ve observed recently.

              Source

              You are not comparing your browser settings with a general audience, because the regular Joe doesn’t even know about these kinds of sites. Instead, you’re comparing yourself with just a small percentage of people who care enough to do a fingerprint test. amiunique.org/fp has 3737036 in their dataset; however, there is fragmentation between the different OSes. For example, Android is just 10% of the total, so you’re comparing yourself with ≈ 373.703 users who use Android, but in reality there are 1.6 billion Android users in the world. Moreover, the data about fingerprints should be deleted after a while, otherwise you’ll just be comparing yourself with an old set of data, e.g. User Agent.

              Other problems:

              These sites wrongly detect Brave as identifiable because they are designed to measure a different form of fingerprinting protection than Brave uses. Most tools try to make as many browsers look identical as possible, and sites like panopticlick.eff.org look to see if your browser matches any they’ve seen previously. If not, then they determine that you’re fingerprintable.

              Source

              Why then does EFF’s page tend to tell Tor users that they are unique amongst the hundreds of thousands of users that have been fingerprinted so far? The answer has largely to do with selection bias. The majority of visitors to EFF’s site are likely not Tor users.

              Source

              If the site does give you an “anonymity score,” did you get a good result or a bad one? How do you know? If the fingerprint-testing site determines your score based on its recent visitors (like panopticlick), are their recent visitors a representative sample of the visitors of the other websites you visit? If yes, how do you know?

              What are the features the fingerprint-testing site tested for and how does that set of features compare to the ones that other websites look for? If you claim they are similar, how do you know?

              If you test your browser, make a change to it, test again, and then get the same score, is it really safe to assume that the change was benign? If you get a better score, is that meaningful? What if the score got worse?

              If the fingerprint-testing site relies on JavaScript for the detection of many features (and they generally do), is JavaScript the only way to detect those features? It often isn’t. If you disable JavaScript and get a much better score, is that actually meaningful? Why or why not?

              See how much uncertainty I have about fingerprint-testing websites? I find it mind boggling that people who don’t really understand what they’re looking at try to claim anything concrete after using one of these sites, especially after using ones that give them an “anonymity score.”

              Source
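
The selection-bias argument in the last comment, and the earlier point that each changed setting shrinks the crowd you blend into, worked through as an added example that is not part of the thread. The three settings and all user counts are constructed for illustration; they are not measurements from any real site.

```python
from collections import Counter
from math import inf, log2

FIELDS = ("webgl", "adblock", "rfp")  # one boolean per browser setting

# Constructed data: number of users per configuration (webgl, adblock, rfp).
GENERAL = Counter({                  # 1,000,000 ordinary web users
    (True, False, False): 700_000,   # untouched defaults
    (True, True, False): 290_000,    # adblocker only
    (False, True, False): 6_000,
    (True, True, True): 3_000,
    (False, True, True): 1_000,      # "hardened" profile
})
TEST_SITE = Counter({                # 10,000 visitors of a fingerprint-test site
    (True, False, False): 3_000,
    (True, True, False): 4_000,
    (False, True, False): 1_000,
    (True, True, True): 1_200,
    (False, True, True): 800,
})

def share(population, config):
    """Fraction of the population presenting exactly this configuration."""
    return population[config] / sum(population.values())

def surprisal_bits(population, config):
    """Identifying information in bits; inf when nobody shares the config."""
    p = share(population, config)
    return inf if p == 0 else -log2(p)

def toggle(config, field, value):
    """Configuration a user presents after changing a single setting."""
    changed = list(config)
    changed[FIELDS.index(field)] = value
    return tuple(changed)

def underestimate_bits(config):
    """Bits by which the test-site sample understates the general-web figure."""
    return surprisal_bits(GENERAL, config) - surprisal_bits(TEST_SITE, config)

if __name__ == "__main__":
    default, hardened = (True, False, False), (False, True, True)
    for name, cfg in (("default", default), ("hardened", hardened)):
        print(f"{name:9} test site {surprisal_bits(TEST_SITE, cfg):5.2f} bits, "
              f"general {surprisal_bits(GENERAL, cfg):5.2f} bits")
    # A default user who only disables WebGL lands in an empty bucket.
    lone = toggle(default, "webgl", False)
    print("default + WebGL off:", GENERAL[lone], "matching users,",
          surprisal_bits(GENERAL, lone), "bits")
```

With these numbers the hardened profile looks ordinary to the test site because its visitors are skewed toward similar setups, while the same profile is far rarer in the general population; the default profile shows the opposite error.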