Firefox expands fingerprint protections

323 points | ptrhvns | 3 months ago | blog.mozilla.org

170 comments

y-c-o-m-b|3 months ago

I exclusively use private browsing, but I know that doesn't do much in preventing tracking, so it's nice to see this finally starting to roll out.

The fact that I have to go to great lengths to browse anonymously - and companies desperately try to circumvent my genuine decision to opt out of their tracking - tells me everything I need to know about those companies. Words like sleazy, shady, and predatory come to mind.

I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies, but I fear it's more likely those companies will lobby to prevent Firefox from protecting us.

tlavoie|3 months ago

The "Temporary Containers" extension is great here, allowing pretty easy compromise between different buckets of sites. I'll have some personal ones that I log into, others go specifically into a snoop container, and the rest get temporary ones that evaporate when closed. https://addons.mozilla.org/en-CA/firefox/addon/temporary-con...

tgv|3 months ago

You could try to use profiles instead of private browsing. It keeps things separated.

mihaaly|3 months ago

I am dreaming for righteous 'small' employees too, those who carry out the dishonourable practice of implementing privacy intrusion following instructions, for money. Corporates are built by thousands of ignorant grey workers.

floxy|3 months ago

Tor? Although I wish there was a way to make a reddit account.

kalaksi|3 months ago

> I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies

You're in luck since EU's GDPR is about informing users of PII harvesting and consent in general (among other things). So the banner is not only about cookies. And I think nowadays there are similar regulations elsewhere.

recursive4|3 months ago

Out of curiosity, how would you steelman the argument that fingerprinting is no different than a store owner, standing behind the counter, taking note of the faces of who enters his store, and maintaining a log?

xnx|3 months ago

This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.

port11|3 months ago

There was a commenter some time back showing that browser statistics were easy to skew. Safari and Firefox are less likely to show up in analytics, so website owners think they're less important than they really are. Conflating client-side with server-side analytics showed quite a gap.

firefax|3 months ago

>This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.

I'd rather be trackable but secure -- the big draw for me is NoScript. Paired with uBlock, I'm safe from malvertising[1]

[1] https://en.wikipedia.org/wiki/Malvertising#Examples_of_malic...

NoboruWataya|3 months ago

I often think about this in connection with my user agent. I am sure it helps identify me. If I spoofed a Chrome/Windows UA that would probably be better from a privacy perspective. But if we all do that then web designers will never know that we exist. I want people to know there are Firefox and Linux users out there.

prism56|3 months ago

Interesting. So when you try to resist fingerprinting, if you don't go all the way you're at risk of making your differentiations smaller?

instagib|3 months ago

One thing I found that broke tracking algorithms was the ‘every tab is a new random profile’ extension. I can’t remember the name as I haven’t used it in a while and it broke a lot of logins.

They could not build a profile on you and it would break their system of tracking user login per device.

yborg|3 months ago

In my case the single largest contributor to my fingerprint is ... canvas size. I run full screen with a custom Firefox setup that basically makes my canvas size unique :/ The "protection" Firefox uses for this is to always open a new window at a default size, which does nothing in my case since my toolbar config still makes the canvas size unique.

It would be really useful to have something that dithers the reported canvas size by 5 or 10 pixels in different containers to add noise there.

Liquix|3 months ago

to defeat canvas size fingerprinting in firefox:

about:config -> set privacy.resistFingerprinting to true

about:config -> create new boolean key privacy.resistFingerprinting.letterboxing set to true

this will set your canvas to a common size which fits in the viewport and display a grey "letterbox" border in the surrounding space.

HackerThemAll|3 months ago

Now I understand why I'm getting paywall limits even in private browsing :) I use Tree Style Tab, so my canvas is also of unusual size and ratio. I guess I can try making it more narrow or wider to combat that :)

pona-a|3 months ago

I wish them the best. When I last tested it on fingerprint.com, the hash remained stable even with resistFingerprinting and letterboxing from a VPN, only changing between profiles. When I daily-drove resistFingerprinting (not reduceFingerprinting that permits exceptions like dark mode) in 2021, my hash changed every restart.

Tmpod|3 months ago

Perhaps fingerprint.com has stepped up their detection game and have new heuristics to identify you, thwarting the resistFingerprinting measures.

My experience lately has been that fingerprint.com is able to identify my main profile "in bursts", i.e. it will identify me consistently for some days, then it will forget and tell me it's never seen me. Maybe the service they provide on the landing page has a TTL policy? Either way, I've observed this behaviour on both my main profile and my "Firefox Focus"-like profile (a mix of no history + automatic temporary containers). On Mullvad Browser, however, it always seems to group me with random access across the globe.

nicce|3 months ago

Unfortunately, Cloudflare and other protections will keep working even less than they used to. I have started to not use Cloudflare protected websites because they don’t work with Firefox. But that is a fight I am going to lose.

harshreality|3 months ago

Symptoms? Is it limited to when a site has Cloudflare's more aggressive protection turned on? I haven't noticed any problems I've attributed to Cloudflare, and I use Firefox exclusively.

baranul|3 months ago

Cloudflare and their crappy widget has done a disservice to the Internet and humanity. They really do need to come up with something else.

Spunkie|3 months ago

I run exclusively Firefox over known mullvad VPN endpoints and I never have any issues with cloudflare or its captcha.

jrochkind1|3 months ago

I'm sorry about whatever problem you've run into, but it's definitely not true that no cloudflare protected websites work with any Firefox. You've run into something more specific, I guess.

cluckindan|3 months ago

It’s a bit annoying that Firefox by default breaks all sites that use canvas imageData API. There is no permission for that, so no user-friendly way to ask for consent either.

tmtvl|3 months ago

I'm already using CanvasBlocker, Decentraleyes, and the NoScript Security Suite; but getting more protections will be nice. Even if it may take a while for them to land in Waterfox.

hku333|3 months ago

You are actually easier to track using these addons.

By installing Canvasblocker, Decentraleyes and NoScript you are providing more entropy to trackers and thus making it easier to track you. Imagine how many people worldwide block specifically Canvas, have weird looking network requests to certain js libs and have JS disabled for some (/all) scripts combined with your general setup (window size, font size, and many other factors that do not even require JS).

The Tor project explicitly suggests to not install an adblocker for example because of this.
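The entropy argument in the comment above, worked through as an added example (not part of the thread): it counts how many visitors still match you as each observable trait is revealed. The trait names and all counts are constructed assumptions, not measurements.

```javascript
// Added illustration. Trait names and every count are constructed
// assumptions; they are not measurements of real traffic.

// Each row: one observable configuration and how many visitors share it.
const POPULATION = [
  { count: 12288, traits: { browser: "Chrome", window: "1920x1080", canvasBlocked: false, localCdn: false, scripts: "on" } },
  { count: 3072, traits: { browser: "Firefox", window: "1920x1080", canvasBlocked: false, localCdn: false, scripts: "on" } },
  { count: 1008, traits: { browser: "Firefox", window: "1800x1000", canvasBlocked: false, localCdn: false, scripts: "on" } },
  { count: 12, traits: { browser: "Firefox", window: "1800x1000", canvasBlocked: true, localCdn: false, scripts: "on" } },
  { count: 4, traits: { browser: "Firefox", window: "1800x1000", canvasBlocked: true, localCdn: true, scripts: "selective" } },
];

// Number of visitors that match every trait the site has observed so far.
function anonymitySet(population, observed) {
  return population
    .filter((row) => Object.entries(observed).every(([k, v]) => row.traits[k] === v))
    .reduce((n, row) => n + row.count, 0);
}

// Identifying information in bits: log2(total visitors / matching visitors).
function surprisalBits(population, observed) {
  const total = population.reduce((n, row) => n + row.count, 0);
  return Math.log2(total / anonymitySet(population, observed));
}

// Reveal traits one at a time and record how the matching crowd shrinks.
function revealStepwise(population, orderedTraits) {
  const observed = {};
  return orderedTraits.map(([name, value]) => {
    observed[name] = value;
    return {
      name,
      setSize: anonymitySet(population, observed),
      bits: surprisalBits(population, observed),
    };
  });
}

// Constructed profile: the last three traits are side effects a site could
// notice when canvas blocking, local CDN substitution and script blocking run.
const MY_TRAITS = [
  ["browser", "Firefox"],
  ["window", "1800x1000"],
  ["canvasBlocked", true], // canvas readout refused or blank
  ["localCdn", true], // no requests for common CDN-hosted libraries
  ["scripts", "selective"], // some scripts never execute
];

console.table(revealStepwise(POPULATION, MY_TRAITS));
```

In this constructed population the browser and window size leave a crowd of 1024, and the extension side effects cut it to 4.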

ravenstine|3 months ago

How is your browsing experience with that stuff? I used to go nuts with anti-tracking measures, but enough of my browsing experience kept breaking that it just didn't feel worth it.

Dwedit|3 months ago

Adding noise to images sounds like a really bad idea. It will mess with any Javascript code which performs processing on images. Try writing a photo editor in Javascript and watch your browser corrupt your images.

zuhsetaqi|3 months ago

Like the article says, those features can be disabled on a per site basis.

Bender|3 months ago

On the topic of Firefox fingerprinting, how does one edit the NetworkID in about:networking#networkid without creating new profiles or user accounts?

someothherguyy|3 months ago

It would be nice to see Firefox implement a few features browsers like brave have, like being able to automatically clear cookies for a site when leaving it, and to make containers available when in private browsing, ah well.

godelski|3 months ago

This is pretty handy and I've been using it for years[0].

I like the idea of Brave but we have a bigger fight that requires us to have no chromium. Chromium winning is Google winning, allowing them to control the Internet. I don't want that power in any single entity's hands. So I do ask that more people switch to Firefox or Safari as those are the best options to fight back and have decent market shares (even if small). If we lose the internet we'll lose our privacy too

[0] https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

1vuio0pswjnm7|3 months ago

The question that I have not seen answered in the many, many forum threads on "browser fingerprinting", is specifically why a user seeks to avoid it

Is it (a) to avoid internet marketing, (b) some other reason or (c) both. What is the "threat model"

If the answer is (c) then is there a belief that a fingerprint collected for marketing purposes may be used for other purposes

I do not use a browser to make HTTP requests, I only send two headers, Host and Connection, unless I need to send more, e.g., User Agent, Cookie, Accept, etc. The vast majority of websites I access work with only two headers. The list of ones that require more is short and the local forward proxy adds them automatically for those sites

For me, the "threat model" is (a) internet marketing

I do not see any ads because (1) the computers I use cannot access ad or tracking servers^FN1 and (2) I use a text-only browser to read HTML. There is no Javascript interpreter, no way to auto-load resources, no way to display images, no way to store cookies, etc.

I have no issue with this information that I'm a text-only web user being revealed to any internet marketer. (More likely I am mistaken for a "bot" as a result of crude heuristics)

On the other hand, if I were using a popular browser to make HTTP requests, one that sends a "common" fingerprint to internet marketers, then this would signal a more viable target for ads and tracking. Popular browsers have default settings that enable Javascript, cookies, images, auto-loading resources, etc.

tl;dr The reasons a computer user has for avoiding fingerprinting may be different. For example, one user might want to "blend in" and "hide", i.e., avoid being "identified", whereas another user might want to "be left alone", i.e., avoid being the target of internet marketers

FN1. Marketers always seem to require access to DNS

dmix|3 months ago

I use FF and I paid for NYTimes. I was logged in, yet NYTimes constantly flagged my browser with a persistent captcha I couldn't bypass for months (across 2 different machines). It thought I was a bot because of the privacy features. So I cancelled my subscription using my phone.

deltoidmaximus|3 months ago

Is there a reason to force all these bot checks on logged in accounts that are paying you money other than insanity? Surely you could just have a max monthly bandwidth limit per account and just stop worrying about this?

abawany|3 months ago

when I used to subscribe to the nyt, I had to block a few of their endpoints to kill the awful popups and etc. This, the further ads for paying subscribers, and a host of other issues led me to drop them as well though.

Esophagus4|3 months ago

Ha - I thought you were gonna say you switched browsers.

nutjob2|3 months ago

Just use Bypass Paywalls Clean. Paying for a subscription is up to you.

charcircuit|3 months ago

>Having a unique fingerprint means fingerprinters can continuously identify you invisibly

This is not right. If you have a unique fingerprint every time someone tries to fingerprint you, then they have to do extra work to try and figure out which are the same. If you make it always be the same you've made the fingerprinter's job much easier.

tomrittervg|3 months ago

In this context "a unique fingerprint" means that your fingerprint does not match any other user's. When you visit Site A and B you give a fingerprint X that is the same on A and B but no one else on the internet has ever sent.

In contrast a randomized fingerprint means when you visit A you have a fingerprint X' and on B you have a fingerprint Y' and no one else on the internet has X' or Y' but A and B can't correlate you.

The protections we've put in place first try to do API normalization to make it so more people have a fingerprint X, and it isn't unique. And then they do API randomization so you use X' and Y'.

If a fingerprinter goes to the extra effort of detecting a randomized fingerprint, and ignores (or removes) the randomization, they will get the X fingerprint which - hopefully - matches many more users.
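The X, X' and Y' distinction described above, as an added example that is not part of the thread or Mozilla's code: a toy model of normalization followed by per-site randomization. The attribute names, bucket sizes, pinned values and the three users are constructed assumptions, and "ignoring the randomization" is modelled as leaving the noisy attribute out of the hash.

```javascript
// Added illustration. Attribute names, bucket sizes and the three users are
// constructed assumptions, not Firefox's real values or code.

// FNV-1a (32-bit): stand-in for whatever hash a fingerprinting script uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed raw API readings.
const RAW = {
  alice: { width: 1897, height: 1012, cores: 12, canvas: "render-7c" },
  bob: { width: 1843, height: 1057, cores: 8, canvas: "render-7c" },
  carol: { width: 1366, height: 741, cores: 4, canvas: "render-22" },
};

// API normalization: coarsen or pin values so many users report the same thing.
function normalize(raw) {
  return {
    width: Math.floor(raw.width / 100) * 100,
    height: Math.floor(raw.height / 100) * 100,
    cores: 4, // assumed pinned value
    canvas: raw.canvas,
  };
}

// API randomization: the canvas readout gets noise keyed to (site, per-user
// session key), so it is stable on one site but differs between sites.
function randomize(view, site, sessionKey) {
  return { ...view, canvas: fnv1a(`${view.canvas}|${site}|${sessionKey}`) };
}

// Hash of the values a script reads. A script that detects the noise can only
// leave the noisy attribute out (ignoreCanvas = true).
function fingerprint(view, ignoreCanvas = false) {
  const keys = Object.keys(view).filter((k) => !(ignoreCanvas && k === "canvas"));
  return fnv1a(keys.sort().map((k) => `${k}=${view[k]}`).join(";"));
}

// What a given site computes for a given user after both protections.
function observe(user, site, ignoreCanvas = false) {
  const view = randomize(normalize(RAW[user]), site, `key-of-${user}`);
  return fingerprint(view, ignoreCanvas);
}

console.log("raw:", fingerprint(RAW.alice), fingerprint(RAW.bob));
console.log("X' / Y':", observe("alice", "a.example"), observe("alice", "b.example"));
console.log("noise ignored:", observe("alice", "a.example", true), observe("bob", "b.example", true));
```

With the noisy attribute left out, alice on one site and bob on another hash to the same value, which is the shared X the comment refers to.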

cjkaminski|3 months ago

Agreed. And this technique becomes more effective as the number of people using it increases. It's easy to match up randomized fingerprints if only one person is doing it, but quite hard when thousands or millions are doing it.

Fokamul|3 months ago

I dev my private fork of browser fingerprinting bypass and I can tell, this is like 1% of what commercial tracking companies use for fingerprinting.

Unless they tackle all the hidden things, all artifacts, canvas rendering and many more.

These companies will be actually happy after this change, because even users with ublock and other plugins, will think they're not tracked. Yeah, nope.

And it's not that hard to see how they fingerprint your browser, reverse any JS tracking script yourself and see.

mixmastamyk|3 months ago

I'm still unhappy with the user-agent header. I tried removing information but it breaks a number of sites. Would like to leave Linux in there (if feasible so it gets counted) but remove/spoof everything else.

kube-system|3 months ago

Breaking websites is about the only thing you're going to accomplish by messing with the UA string. It's a small amount of entropy and anyone who really wants to track you, doesn't need it.

trizuz|3 months ago

[deleted]

shevy-java|3 months ago

I tested firefox recently. It had some AI summary button or something that was new. I instantly wanted to eliminate this from the UI but I don't know how to do that. I guess it is possible? But it probably requires some time and research; the thing I don't need or want this, it just takes away space.

Then I remembered why I no longer use firefox. I believe we, as users, need to take back the open web. The days of some random developers ruining the UI should really be over, be it firefox, or Google chrome killing ublock origin. We need to fight back.

n4bz0r|3 months ago

> It had some AI summary button or something that was new. I instantly wanted to eliminate this from the UI but I don't know how to do that. I guess it is possible?

Started a fresh profile, but couldn't find an AI button. The AI stuff in the context menu? You can remove the chat bot functionality right there. As for the buttons, if there is an undesirable button, it should be removable via context menu or toolbar customization.

glenstein|3 months ago

I feel your pain with the AI stuff, but I think I had one sidebar open one time and I was able to disable it with one click.

cowpig|3 months ago

I use Firefox because it is better than Chrome, which is the only alternative I see.

Do you use something else?

dzikimarian|3 months ago

You have to click that button and option to hide is right there.

nalekberov|3 months ago

Fingerprinting is nearly impossible to resist these days anyways, no matter which techniques Firefox uses to reduce it, and sometimes it actually makes the browser appear more unique.

Last time I tried everything I could to prevent Firefox from calling home, it was still requesting Mozilla servers. Though I haven’t given up, my plan is disabling it at source code level and build my own release.

pixelmelt|3 months ago

I'm working on building a bot detection platform to defend websites right now and yeah, without immense effort on the part of the browsers, you are correct. Any of the APIs they injected noise into here will be updated in the competent fingerprinting programs as well. The only real solution is to not enable JavaScript at all.

vablings|3 months ago

I think this is a nihilistic view. The browser ultimately sends only what the webpage requests. If we gut the ability for websites to request large swathes of information such as every supported TLS Cipher suite and also better protections such as GDPR to make it illegal for browsers to track this information unless a user signs up and also not gating information behind said sign-ups