Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

When will Firefox offer user-friendly fingerprinting protection?

  • 6 replies
  • 2 have this problem
  • 10 views
  • Last reply by rumble

more options

Like many Firefox users, I'm interested in protecting myself from tracking. I use a number of privacy-focused extensions, but they don't protect well against browser fingerprinting. I've read that websites can also detect which add-ons are used, which can, counterintuitively, make the browser easier to fingerprint.

Unfortunately it is not even remotely practical to disable JS for all sites at this time. I do use NoScript - but some websites require JS to function. Enabling JS even temporarily for these sites potentially reveals a lot of unique information.

I compared the outputs for Firefox 58 to the Firefox ESR-based Tor Browser and found Tor Browser takes some interesting steps to protect users by spoofing some values and disabling some features by default.

Features that Tor Browser hides or disables: - Plugin list - WebGL

Values that Tor Browser spoofs: - System fonts (shows only common fonts) - User agent (always shows Windows) - Platform (always shows Windows) - Canvas fingerprint (appears to be very common - so I'm guessing it fakes or engineers this somehow)

The privacy.resistFingerprinting setting in about:config does seem to do many of these things in Firefox 58, but it is harder/scary for less-advanced users to enable. I would love to see this setting available in the browser's privacy preferences, and on by default in Private Browsing windows and when Tracking Protection is enabled.

I couldn't find a way to disable WebGL without going into about:config either. I think it would make sense to ask the user for permission to use WebGL on a given page, since it can be used to fingerprint similarly to canvas elements.

Like many Firefox users, I'm interested in protecting myself from tracking. I use a number of privacy-focused extensions, but they don't protect well against browser fingerprinting. I've read that websites can also detect which add-ons are used, which can, counterintuitively, make the browser easier to fingerprint. Unfortunately it is not even remotely practical to disable JS for all sites at this time. I do use NoScript - but some websites require JS to function. Enabling JS even temporarily for these sites potentially reveals a lot of unique information. I compared the outputs for Firefox 58 to the Firefox ESR-based Tor Browser and found Tor Browser takes some interesting steps to protect users by spoofing some values and disabling some features by default. Features that Tor Browser hides or disables: - Plugin list - WebGL Values that Tor Browser spoofs: - System fonts (shows only common fonts) - User agent (always shows Windows) - Platform (always shows Windows) - Canvas fingerprint (appears to be very common - so I'm guessing it fakes or engineers this somehow) The privacy.resistFingerprinting setting in about:config does seem to do many of these things in Firefox 58, but it is harder/scary for less-advanced users to enable. I would love to see this setting available in the browser's privacy preferences, and on by default in Private Browsing windows and when Tracking Protection is enabled. I couldn't find a way to disable WebGL without going into about:config either. I think it would make sense to ask the user for permission to use WebGL on a given page, since it can be used to fingerprint similarly to canvas elements.

Chosen solution

https://wiki.mozilla.org/Fingerprinting https://wiki.mozilla.org/Security/Fingerprinting

One big change people may have noticed with Fingerprinting over the years was with Firefox 16.0.2 and later to stop showing the build date and minor version in the useragent. A downside on this is it made doing support much harder

The showing UA as a Windows user is not a good thing for Mac OSX and Linux users for stats and such.

Read this answer in context 👍 1

All Replies (6)

more options

Unless those VPN or Tor Browser truly says they don't track or give online disclaimer consider your IP logged. If your not doing anything illegal or black market I doubt they would care about tracking your IP. Remember you may think your hidden but your ISP knows you activity already.

more options

Chosen Solution

https://wiki.mozilla.org/Fingerprinting https://wiki.mozilla.org/Security/Fingerprinting

One big change people may have noticed with Fingerprinting over the years was with Firefox 16.0.2 and later to stop showing the build date and minor version in the useragent. A downside on this is it made doing support much harder

The showing UA as a Windows user is not a good thing for Mac OSX and Linux users for stats and such.

Modified by James

more options

See also:

  • Bug 1329996 - [META] Support anti-fingerprinting protection

(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
)

more options

WestEnd said

Unless those VPN or Tor Browser truly says they don't track or give online disclaimer consider your IP logged. If your not doing anything illegal or black market I doubt they would care about tracking your IP. Remember you may think your hidden but your ISP knows you activity already.

I'm not talking about hiding an IP address, or shielding my activity from my ISP. That's a different problem, and not one I expect a browser to solve.

I mentioned Tor Browser because it intentionally obfuscates its fingerprint, so all Tor users look alike to websites.

more options

James said

The showing UA as a Windows user is not a good thing for Mac OSX and Linux users for stats and such.

Thanks for the pointers to the wiki pages.

Tor Browser uses the Windows Firefox UA right now only because it represents the most common one (I'm a Mac user myself). I guess I'm not that sympathetic to sites that want to collect statistics on their visitors. Honestly I'd like to see OS information disappear from the UA entirely.

more options

cor-el said

See also:
  • Bug 1329996 - [META] Support anti-fingerprinting protection
(please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
)

Very useful, thank you!