privacy.resistFingerprinting useragent is out of date #542

Closed
L-a-n-g-o-l-i-e-r-s opened this issue May 1, 2018 · 16 comments

@L-a-n-g-o-l-i-e-r-s

L-a-n-g-o-l-i-e-r-s commented May 1, 2018

Hi there,

Waterfox uses an out-of-date useragent string with privacy.resistFingerprinting enabled. I think it should be changed from rv:50.0 to rv:52.0 to match current Firefox releases. I don't know what the new line of extended release uses with this value toggled, but in either case, users of these browsers are in the minority, therefore more identifiable.

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/2010. IMO is how it should be.

As a side note, I think we shouldn't be using a unique default (privacy.resistFingerprinting false) useragent, it clearly identifies us as using Waterfox, we are in a minority of the ecosystem, this makes it even easier to track. I don't know if it's custom because of some sort of Mozilla intellectual property or what, but it should be changed.

The closer our browser looks to the outside world as newer firefox releases the better, firefox as we know it is in a minority of the browser ecosystem, we are an even smaller blip, all the more shiny, a real problem. 😞

I hope any participants in this ticket will not criticize my idea of privacy and suggest I move to Tor, that would be side stepping the issue, I do however encourage input to the contrary of my ideas, as I am no expert.

@L-a-n-g-o-l-i-e-r-s changed the title from "privacy.resistFingerprinting useragent" to "privacy.resistFingerprinting useragent is out of date" on May 1, 2018
@MrAlex94
Collaborator

MrAlex94 commented May 1, 2018

UA by default is (on Mac, same for Win, Linux etc.): Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0.

Surely that's pretty generic?

@laniakea64

I think they're asking for mozilla/gecko-dev@d20c7d9 to be ported to Waterfox.

@MrAlex94
Collaborator

MrAlex94 commented May 1, 2018

I understand, but what I mean to say is that the UA is already fairly generic. Is there that much advantage to this option now?

@L-a-n-g-o-l-i-e-r-s
Author

L-a-n-g-o-l-i-e-r-s commented May 1, 2018

@MrAlex94

My apology RE default UA on privacy.resistFingerprinting false, I made a new profile to verify, unsure why it said waterfox before months ago when I manually edited it back, maybe an extension? I don't use UA spoofers.

However, my request/concern still stands RE privacy.resistFingerprinting true.
"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101" should be "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/2010." as it is in Firefox with privacy.resistfingerprinting true.

This and webresource leaks exposes:
"✔ firefox.js
firefox-branding.js
✔ firefox-l10n.js
✔ webide-prefs.js
✔ greprefs.js" contents.
Addons can be detected as well as webext random ID, unsure if latter is fixed in Firefox (webext id), believe not, since I have seen @gorhill making this change for example in a Decentraleyes fork: https://github.com/gorhill/decentraleyes/commit/e6a5de1683f7eb8fdeeb944f4de170b06b44941a
https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Resource_URLs says it's fixed in 57.0 but it looks like webresources regarding webext is still an issue if @gorhill is doing this in March of this year.

I know those are two separate issues, but worth noting.

Thanks for your time.

@laniakea64

> webresource leaks exposes:

This seems fixed in self build from d5c2541 .

> webresources regarding webext is still an issue

If an extension declares its resources web accessible, then its resources will be web accessible, and thus could leak. How is that a Waterfox issue?

@grahamperrin

> webresource leaks

AFAIK that's a separate issue, About the leak (resource) · Issue #235 …, which was fixed for me (the port to FreeBSD) around 24 days ago.

@L-a-n-g-o-l-i-e-r-s
Author

L-a-n-g-o-l-i-e-r-s commented May 2, 2018

@laniakea64 it is a problem with the webext platform, so keep your eyes peeled for solutions because some authors aren't aware they're making this mistake and most users don't know either. Not sure what you mean regarding d5c241 "Revert "Use GTK cursors for zoom-in or zoom-out css cursors".

@grahamperrin I mentioned the other bug because it's still present in the current release, that alone but combined with the useragent versioning not matching with new firefox builds as 52.0 makes the browser easily identifiable, problematic since we are in a minority of a minority in terms of browser landscape.

I would love to try a beta build; where can I find those for Windows? Do they need compiling?

@laniakea64

> it is a problem with the webext platform

... and in what way exactly is it a problem with the webext platform?

> Not sure what you mean regarding d5c241 "Revert "Use GTK cursors for zoom-in or zoom-out css cursors".

I mean I built Waterfox from that revision and the resource URI leak seems fixed. The actual commits that fixed it are probably the first few here - https://github.com/MrAlex94/Waterfox/commits/master?after=3926aeb8ef710eb920f7971119d55577877965b7+0

@L-a-n-g-o-l-i-e-r-s
Author

@laniakea64 Off topic:
For what webextensions were touted to be, the safer and better alternative, they also have privacy issues by exposing themselves outwardly, that is only possible because of the way it was implemented, unintended or intended, just like APIs that have been added and then later removed from Firefox itself because it has been unintendedly used to identify users. Well intended ideas of course. Not exactly the same comparison to that issue, but you get the gist of it. I don't blame them, new things tend to have bugs.

https://www.ghacks.net/2017/08/30/firefox-webextensions-may-identify-you-on-the-internet/

URI leaks were (or technically are as they exist in the current public build here) a platform wide issue/bug. The problem with web extensions is a platform wide one. I don't know, maybe something has changed and the issue with web extensions has already been resolved with Firefox, but I have my doubts.

I really appreciate the effort and time @MrAlex94 and any other volunteers have taken to continue to develop this fork and to continue supporting XUL to the best of their abilities. I also appreciate that Mozilla has provided me with a lovely browser for many years.

Anyway, do you oppose updating privacy.Resistfingerprinting true useragent version number? I can't see the harm in doing so and I do think there is potential upside to doing so.

Appreciate your reply.

@laniakea64

laniakea64 commented May 3, 2018

@L-a-n-g-o-l-i-e-r-s Wow, thanks for that link. So the problem is not extensions making their resources web-accessible, but that websites can see the generated UUID assigned to the webextension, and thus use that UUID like a super-cookie to track users.

> do you oppose updating privacy.Resistfingerprinting true useragent version number? I can't see the harm in doing so and I do think there is potential upside to doing so.

I agree with you about the user-agent. Someone identifying as Firefox 50 in 2018 is very likely to be someone using privacy.resistFingerprinting. Whereas Firefox 52 could be just a user of Firefox ESR. That's a bigger pool of people than just those who enable privacy.resistFingerprinting. More ambiguity + Bigger pool of people = More anonymity.

So making privacy.resistFingerprinting spoof UA as Firefox 52.0 would make it better at resisting fingerprinting.
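
The anonymity-set argument in the comment above, as an added example that is not part of the original thread: it computes the set size and surprisal (bits of identifying information) for a spoofed `rv:` token. The population counts, the number of resistFingerprinting users and the function names are constructed for illustration.

```javascript
// Added example: counts below are constructed for illustration, not measurements.
// Keys are the "rv:" token a site sees in the User-Agent header.
const basePopulation = {
  "rv:59.0": 9000, // users of the current release
  "rv:52.0": 900,  // Firefox ESR users
  "rv:56.0": 60,   // default (non-spoofed) Waterfox UA
};

// Return a copy of the population with `users` RFP users all sending `token`.
function withSpoofers(base, token, users) {
  const pop = { ...base };
  pop[token] = (pop[token] || 0) + users;
  return pop;
}

// Anonymity-set size, surprisal in bits, and the share of that set made up
// of resistFingerprinting users, for everyone sending `token`.
function describe(base, token, rfpUsers) {
  const pop = withSpoofers(base, token, rfpUsers);
  const total = Object.values(pop).reduce((a, b) => a + b, 0);
  const setSize = pop[token];
  return {
    token,
    setSize,
    bits: Math.log2(total / setSize),
    rfpShare: rfpUsers / setSize,
  };
}

const RFP_USERS = 40; // constructed
const spoof50 = describe(basePopulation, "rv:50.0", RFP_USERS);
const spoof52 = describe(basePopulation, "rv:52.0", RFP_USERS);

for (const r of [spoof50, spoof52]) {
  console.log(`${r.token}: set=${r.setSize} bits=${r.bits.toFixed(2)} ` +
              `rfpShare=${(r.rfpShare * 100).toFixed(1)}%`);
}
```

In this sample, everyone sending `rv:50.0` is a resistFingerprinting user, while the same users spoofing `rv:52.0` make up only a small fraction of a much larger set.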

@L-a-n-g-o-l-i-e-r-s
Author

L-a-n-g-o-l-i-e-r-s commented May 5, 2018

@laniakea64

> ... but that websites can see the generated UUID assigned to the webextension, and thus use that UUID like a super-cookie to track users.

Yeah, I'm not sure if Mozilla has fixed it or not, I think I recall them making the UUIDs random one time only at install, which, the extensions cannot necessarily be identified, but then you give a bunch of random strings that are super unique and can single out individual users easily which defeats the purpose. (Don't quote me on that aspect, I'm just a layman, no idea what Mozilla or Tor people are up to in their tickets.) 🎱

@MrAlex94
Collaborator

MrAlex94 commented May 8, 2018

1ad4308

It now rounds up to the nearest 10. So it'll be showing 60 from now on, which is good as mainline 60 is releasing tomorrow as well as ESR.

🙂

@MrAlex94 closed this as completed on May 8, 2018
@WagnerGMD

WagnerGMD commented May 11, 2018

It's just a warning because it could be a bad idea to enable this one :
pref("privacy.resistFingerprinting",true);
Because it will modify the useragent. That's why sometimes it will be a trouble, especially on the website addons.mozilla.org (aka AMO).
To resume, the trouble is simple because you will be blocked: you can't download (or install) the addon(s) because AMO believes the browser is too old (and yes, the origin of this trouble is the useragent).

PS: Just to confirm (that's right or like I said) the trouble (about the leak resource) has been (for real) rectified when Mozilla published Firefox_v57.
What about Waterfox_v56.1.0? No, this time I didn't check but I assume the trouble is still there. And I hope it will be rectified for the next version (or in the future).

And to be clear (avoid any confusion), you can forget the privacy.resistFingerprinting. Because there is nothing (none report (with the leak resource) and that's why it's totally useless to change this setting).
For the record, there is also a bad point (about this setting): because no we don't have any control (the useragent, etc). So as you can see, there is another solution(s): because with one addon you will be able to modify the useragent (as you wish).

@L-a-n-g-o-l-i-e-r-s
Author

L-a-n-g-o-l-i-e-r-s commented May 11, 2018

@WagnerGMD

When the newest release of WF is out it will read as 60.0 when privacy.resistfingerprinting is set to true, not to mention, a user can right click the install button on the site to save an extension and then drop it onto the browser to install. A user has to specifically go to about:config to enable it, therefore a user would have had to read information about privacy.resistfingerprinting to enable it, so they would know it comes with some minor inconveniences.

I seriously doubt they have fixed the issue with webextensions UUID leaking, because gorhill seems concerned enough about it to fork Decentraleyes to add an experimental patch against it. Resource URI leaks are separate from that issue.

As I understand it, an extension modifying the useragent is different from the native changes provided by privacy.resistfingerprinting, furthermore, privacy.resistfingerprinting does more than just change the useragent. Both Tor and Mozilla would disagree with your statement, as do I.

You are free to not go into about:config and not enable privacy.resistfingerprinting. It is set to false by default.

@WagnerGMD

WagnerGMD commented May 12, 2018

There is a huge difference between "read information" and "perfectly understand any information".
You can call it : "a minor inconveniences" but for a lot of people it will be the contrary. That's just a(nother) reality.
Because in the reality, the people (a massive number) aren't very familiar with the technologies (computer, websites, etc). In fact, I could resume this by one little question : How many people know the page about:config ? Not many because it's just a web browser for them.

Remind me just who started by talking about the privacy.resistfingerprinting and the useragent ? After a moment, who you did the same thing (about the both : webextensions UUID leaking and Resource URI leaks) ?
That's why you sound a lot confused.

Serious doubt ? About Waterfox, I can understand and we will see the result when the next release will be published. But for Firefox did you have any argument (a real one) ? Because you will have to explain this (and for the record, this picture was extracted from there).

  • Could you try to take a moment to read and to understand ?
  • In my previous message, did you miss the word resume and this part : "we don't have any control [...]" ?

Pardon but no @L-a-n-g-o-l-i-e-r-s you're wrong. In fact, I was talking only about the useragent because you didn't understand one thing : my statement is a little summary. That's right, I'm aware about that (once it's enabled it will change several different things).
Then don't pretend to know me. Because at the origin, the aim of my post is a warning (to show the drawback) and also to try to provide a little help with an explanation.

@L-a-n-g-o-l-i-e-r-s
Author

L-a-n-g-o-l-i-e-r-s commented May 15, 2018

@WagnerGMD There seems to be a language barrier here 😕, I will cease further posting in this topic as the issue has been resolved ❤️ 🎉 🎈, it is unlikely most users will see further discussion anyways since by default github filters out closed tickets. (Those of us who remain subscribed to the ticket will continue to receive notifications though.)
