-
Notifications
You must be signed in to change notification settings - Fork 523
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Effort towards a common browser fingerprint #1274
Comments
🔴 Peacock365 is an ignorant trollscroll down to see the details of his ignorance, hypocrisy and trolling I will address this another day, but are some quick notes.
First of all, arkenfox has never claimed to defeat all fingerprinting, but it does help reduce it. Fingerprinting is not the main aim here - it is security and privacy: think of all the ways sites can track you with persistent storage, cross-domain chatter, and a dozen+ other methods. This is what the bulk of trackers use (and some will also tinker with FPing) - a long established methodology with large data brokers and infrastructure already built for harvesting/buying/real-time bidding etc - cookies + site data + uuids + cross-domain = catches 95% - the rest is generally not economical or worth it So please don't mischaracterize arkenfox or think its something it doesn't claim to be. It is about privacy and linking traffic (yes FP can link traffic - but there are many ways to reduce this - think tracking protection, uBO etc) That said, fingerprinting is taken into consideration - but you (as in the readers/users) need to understand how fingerprinting works - what do the scripts actually do (metrics, are they naive or various levels of advanced), what is it's purpose (legit? or benign e.g. the reddit one is only used by reddit for bot detection?), does it matter if you log in, how is it shared to link traffic and whose script is it and how is it linked (universality e.g a script bundled inside a FB widget would be scary - but think of the perf hit to millions of sites, when they can just embed a fucking cookie), who does it (I think it's about 10% of top sites and then rapidly falls off to nothing), how do they do it (partyness and other tricks), is it a known script already blocked? - I've written about this before: scripts need to be universal, and a fingerprint is just a snapshot in time that can be manipulated after the fact, and that scripts are rare and most are naive and most never make it cross party, if at all. The biggest problem with fingerprinting is that you are still giving away an IP, even if you use a VPN and hop. That IP is collected and can be used to link same VPN known IP ranges, and correlated with timestamps. IP fingerprints don't have to be precise, they can just be "AT&T Detriot" or "Shady VPN" - modified after the fact. So even if you had a fingerprint that was in a large bucket of users - the IP or IP behavior is going to totally wreck that - and IP is trivial to collect The only solution against advanced scripts is going to require solving that IP problem - such as using tor - which is why Firefox want to introduce a Tor Mode Window (and Tor Project to stop putting out a browser) - this is still in the pipeline, but requires changes at Tor Project - such as latency and a dozen other items [1] - because you can't go throwing open the floodgates at the tor network by adding a potential 217 million users - off the top of my head the tor network runs at about 30-50% capacity and has 2 or 6 million daily users or something [1] I spent a week with the Tor Project guys at a Mozilla All-Hands back in 2019, and their whole time there was finishing up the pitch/ideas for eka on what needed to be done to get this Tor Window Mode. It's going to take time, and has not been forgotten Also, people have threat models, and easily have multiple browsers. Nothing is stopping them from using Tor Browser for some traffic - it's not a be-all end-all. That said: there are different levels of FPing (legit one-offs that pose no threat, naive thru to various levels of advanced), but ultimately the aim is to render enough metrics as useless in a given set of users (such as Tor Browser) as well as solving the IP problem in order to defeat even advanced scripts. However, that does not mean that rendering some metrics as useless doesn't improve things - because, levels of FPing.
this is simply not true against advanced scripts this is highly likely true but also relies on other factors
because no-one size fits all - users will get different mileage, and have different threat models - USERS ARE MEANT TO READ IT AND MAKE
Again, arkenfox is not trying to defeat all fingerprinting, and doing nothing you are already unique on desktop. Fonts and screen are almost enough, now add webgl where sophisticated images (with fonts and other factors like emojis and a dozen other items) and not to mention all the entropy in vendor and parameters and values etc can get upwards of 95% uniqueness (on desktop), now add timezone and language and locale and formatting (which !== the same as Intl. necessarily) all the way down to binary results like prefers-color-scheme = you are already unique Additionally, there are large chunks of prefs specifically not active (i.e But it doesn't really matter given most users threat model and what the actual threat of FPing is right now - low.
Show me what in the list of extensions in the wiki alters FPs that isn't a net gain (e.g. the benefits of uBO FAR outweigh any possible FP threat of some random non-universal script) and what is the threat that anyone would bother to try and FP these if they could or if the "metric" is stable and can be used for linking, and is universally run on websites
I assume you mean the user.js not the wiki - NO it doesn't leave a lot of state that changes FPing - but that is NOT the aim Show me of all the changes in arkenfox, excluding webrtc and webgl and RFP - where it makes FPing any worse = it can't, you're already unique, and claims that a shitload of them do alter your fingerprint, is incorrect and doesn't take into account
🔴 Peacock365 is an ignorant trolldon't listen to him, all he wants to do is argue for attention, and try and drag arkenfox into every conversation - and he misquotes out of context (like my example of chrome zero days was bookended by warnings that THIS IS NOT HOW IT WORKS) and just likes to make generalized sweeping statements this is all he could come up with, out of 170 odd pref flips
Remembering that arkenfox's primary aim is not FPing, lets have a look UTTER BS
sure, but not likely
these actually help
And none of all his nonsense changes the facts
edited: typos |
feel free to comment, but i'm closing |
The easiest way to achieve the same environment fingerprint is to take some lightweight distro, put it into a VM and aggree that everyone will use the browser through that VM image. The problem is it would protect only from environment fingerprinting but won't protect from hardware fingerprinting and mandatory backdoors (a.k.a TEEs, it is almost everything ready to require internet users to use devices with TEEs, i.e. https://arxiv.org/pdf/2110.07954.pdf ) |
The main problem with all these privacy protecting technologies is discrimination against users using them (or even worse, against users not using the privacy-violating technologies of The Owner Of The Internets). I constantly face it. |
I agree - the |
@PhysicsIsAwesome you might also want to read #1218 where the idea is to succinctly lay this out in a wiki page so users can decide
|
Here's a pretty good list of STATE tracking Arkenfox is primarily concerned with STATE tracking (and cross-origin of them) - which is all the things that need to be "partitioned", some more than others e.g. double keying and scheme. Arkenfox has used this strategy since FPI first came out. Now dFPI is here (with a heuristics pref) and is probably more robust (FPI is not maintained and will be dropped). I'm not sure what FPI/dFPI are lacking in, except for dFPI's service workers. Interesting that the list includes WebRTC and webGL Note that it also says that some of these can be and are blocked on occasions such as Arkenfox is also concerned with STATELESS tracking but not at the expense of STATE - anyway it is largely out of our hands (see IP, see enforced large set of users where people don't change things) - but we enable RFP as the most robust solution (it is built into the browser and fully tested/vetted - extensions lack APIs) and this alone fools naive scripts (assuming a script gets to run and even then the damage an advanced does is limited to it's universality) and does not require any crowd state > stateless .. get over it you trolls :) Anyway, I found that list and sharing is caring |
FYI if you didn't already know about it -> https://privacytests.org/ |
Thanks for taking the time and explaining in great detail. I need to read more into this, especially state tracking, and also get more of a feeling for how common and important the different forms of browser related privacy threats are in the wild, before commenting. |
sometimes I wish I could reply (can't be fucked with an account) - https://old.reddit.com/r/firefox/comments/qz1po6/question_about_aboutconfig/hljmmco/
First, we say (in numerous places including the user.js itself) to go use Tor Browser Secondly we push built-in browser solutions (and recommend fuck all in way of extensions) Third, we have never claimed to beat all FPing. Only 4 or 5 prefs are to do with FPing, and they help reduce it (robust built-in browser solution for naive scripts, and ETP's FPers blocklist - as well as uBO) Once again, FPing is not the main thing this guide tries to accomplish - and this girl knows far more about fingerprinting than some rando on reddit making false assumptions - I really wish people would FUCKING READ before they open their mouths - as if early adopters of features and the other 95% of prefs have |
Would you like me to reply just with a link to your answer here? |
@crssi nah, no need (pointless discussing things ad infinitum with every comment on the internet) - and he/she is not wrong about the how to defeat all FPing - just annoying that he/she jumps to conclusions about arkenfox and doesn't consider that there are degrees of FPing and considers it basically all pointless because of something orthogonal |
Who is Peacock365? |
@rusty-snake Peacock365 does not have any public repository. 😉 |
Hi,
since fighting browser fingerprinting is only reliably possible in a crowd of users with the same setup, a community effort is needed to make users more homogeneous.
The Arkenfox wiki in its current state leaves a lot of space for individualization, for example by explicitly saying that this is only a template and users can adjust it to their needs or by leaving it to the user to decide which of the recommended extensions to choose from.
Simply using RFP is not enough to fight fingerprinting. You could get fingerprinted by changed settings or by your extensions and their settings, for example which ad blocking lists you use.
I don't know how many users Arkenfox user.js has, but I assume, that even though it is one of the most popular ones, it's still not that many in absolute numbers. If these users then get split up into even smaller subsets by using different extensions or changing settings, it is in the end not unlikely that users end up being unique.
From what I have read so far and looking at TZP @Thorin-Oakenpants seems very knowledgeable in terms of browser fingerprinting. I would be interested in your opinion on this topic and if we could create a solution, by clearly stating a common fixed anti-fingerprinting setup in the wiki, including extensions and their settings, for all users, that want be part of that crowd and value a common fingerprint more than individualization, but for some reasons don't want to use Tor browser as their everyday browser.
Best regards,
PhysicsIsAwesome
The text was updated successfully, but these errors were encountered: