this post was submitted on 29 Jun 2024
23 points (87.1% liked)

Firefox

17957 readers
81 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 4 years ago
MODERATORS
 

Fingerprinting works by collecting bits of information about the browser and device to identify users. Couldn't browsers like Firefox see when a website gets such info with JS and either prevent or ask permission from the user for the website to make HTTP requests to upload such information to the website. Idk if they do something like this already.

top 12 comments
sorted by: hot top controversial new old
[–] [email protected] 12 points 5 months ago (1 children)

once the javascript gets that information from the browser it's kinda impossible to prevent it from being included in a request without just blocking all requests. It could be anywhere in arbitrarily structured data and/or encrypted

[–] [email protected] 2 points 5 months ago (3 children)

But couldn't the JS runtime track which objects and variables interact with such information, so if they make any HTTP requests with the info after getting it and maybe processing it then it could be rejected?

[–] [email protected] 4 points 5 months ago

It would at least be a very intensive process to do so, and that doesn't even solve that there would be other ways to glean the same information without accessing it directly. For example, one could create an element with 100% screen width set by CSS and query the element's size instead of using the simpler window.innerHeight. How do you detect every possible way a script could determine the viewport dimensions?

[–] [email protected] 1 points 5 months ago

Taint analysis is a real thing that several papers have been published about, but the implementations aren’t in a state where they could be run in real time without massively hampering performance. Also they’re mostly focused on findings bugs in native applications rather than privacy on the web.

[–] [email protected] 0 points 5 months ago (1 children)

While that sort of analysis probably isn't impossible, it is computationally unrealistic to do in realtime on a language which wasn't designed for it.

It's the sort of thing which is simple in 99% of cases, but the last 1% might well be impossible. Sadly it's the last 1% you need to worry about, because anyone trying to defeat your system is going to find them

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago)

Even if you would be able to track js code like that, the js code can react to it's own sideeffects. E.g. have 8 Elements and encode the 8-bit Fingerprint as a custom style sheet that adds an animation some of the 8 elements. Then react on the animation events and rebuild the fingerprint. It's virtually impossible imo. Maybe it can even be formal proven.

[–] [email protected] 6 points 5 months ago* (last edited 5 months ago) (1 children)

https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting

Firefox also has a resist fingerprinting setting, but it can break many things.

If it is really a concern, I have heard the mullvad browser essentially the tor browser without tor.

[–] [email protected] 1 points 5 months ago (1 children)

I think in regards specifically to the question of resolution, that anti-fingerprint setting will start your browser at a smaller, set resolution. The problem is nothing prevents you from just expanding the window, so it's not a very strong solution in that aspect.

[–] [email protected] 1 points 5 months ago

It usually expands in specific increments, so you still end up with a common size.

[–] [email protected] 2 points 5 months ago
[–] open343 1 points 4 months ago

privacy.resistFingerprinting Turning it on provides privacy, yes, but it makes it unusable to use dark mode or even the "Dark Reader" addon.

My advice to you is not to overdo the secrecy, it should not be a problem for the people you do business with to see your face.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago)

If you turn on resist fingerprinting then supposedly yes. It does pass the test with fingerprint.com then. Assuming you’re using a VPN of course.

I’ve been running with resist fingerprinting enabled for about a year and aside from the annoyance of having all your new windows spawn at a very small fixed size, the only major issue is knowing that for some websites to work you may have to enable HTML5 canvas for them. (It’s an icon that will appear in the location bar and you will know to look for if things that are supposed to be graphics in the web page are just a bunch of striped boxes instead.)