Hide plugins, visited links and WebRTC from websites in Firefox

Whenever you connect to a website using any browser, the site receives a variety of information automatically. While not all sites process the information or record them, some may very well use them for tracking and other purposes.

Web services such as the EFF's Panopticlick highlight the information that websites may retrieve while you are connecting to them.

This may include the operating system and web browser, screen size, system fonts or which plugins are available.

We already mentioned in the past that you can limit or change what is being made available to websites and services when you connect to them.

As far as plugins are concerned, websites can only identify plugins that are enabled in the browser (either directly or via click to play).

While you can -- and should -- disable plugins that you don't use, you cannot block information about plugins that you use from being leaked to websites you connect to.

This changes with the Firefox add-on Hide Plugin & Mimetype Identifiers which you can install in the browser for that purpose. Once done, no plugin information are made available to websites anymore which you can verify by reloading the Panopticlick website.

This means that websites won't get information about plugins and versions anymore when you connect.

How is that helpful?

It needs to be noted that this does not prevent plugin exploits as leaking the information and running the plugin are two different things. This means that plugin executions are not prevented by the add-on.

Still, if you set plugins to click to play, you prevent the automatic running of plugin contents to be safe in this regard.

Blocking the information prevents sites from using it to identify users. The more information sites can gather, the likelier it is that they can generate a unique user fingerprint to identify a user even without the use of local storage options such as cookies.

The add-on lacks options to whitelist sites or replace relevant information with fake information as the feature may break functionality on some websites.

Two additional add-ons

The author of the extension has created two additional add-ons that some users may find useful. Disable visited links prevents websites from probing which other websites and services you have visited in the past.

CSS history leaks was a issue up until 2010 when browser vendors plugged that hole, but it became an issue recently again. You can read about the methodology used here which offers all the explanations you need to understand how it is done nowadays.

The third add-on, Disable WebRTC, prevents the exposure of your network IP to services on the Internet. You can do the same thing manually by setting media.peerconnection.enabled in about:config to false.

Please share this article


Filed under:

Responses to Hide plugins, visited links and WebRTC from websites in Firefox

  1. Mozinet July 11, 2014 at 8:08 pm #

    No "Hide Plugin & Mimetype Identifiers" link?

    The other two AMO links lead to pages in German.

    • Martin Brinkmann July 11, 2014 at 8:32 pm #

      I hate it when Mozilla switches me automatically to the /de/ localized version. Corrected the links, thanks!

  2. Jorge July 11, 2014 at 9:08 pm #

    There is no media.peerconnection.enabled in the about:config of my pale moon browser. What gives?

  3. Tom Hawack July 11, 2014 at 9:53 pm #

    1- DisableWebRTC add-on : with Firefox I'd install this immediately. Pale Moon browser has WebRTC removed, another great initiative ;

    2- Hide Plugin & Mimetype Identifiers add-on : I'm about to install and try it : great news!

    3- About the Disable visited links add-on : I've heard about it, went to its page, but frankly I don't understand how this is done. I was about to forget this add-on if it hadn't been this article mentioning it. Thanks if a user can give me a hint on what is performed -- rather how - in order to achieve hiding visited links. It's nothing to do with history, so what is it (for crying out loud, grrr!) ?

    • Martin Brinkmann July 11, 2014 at 10:47 pm #

      It still has to do with your browsing history but requires you to click for each url the web service wants to test. See here http://lcamtuf.coredump.cx/yahh/

      • Tom Hawack July 11, 2014 at 11:14 pm #

        Thanks, Martin. I saved the spaceship but havn't been rewarded with the prize of understanding the add-on's mystery tour. Even when trying to pull up the limits of my allegory referentials :)
        I've admited since a long time ago that there are 3 categories of knowledge : 1- Understood, 2- Understandable with time & effort, 3- No hope - LOL :)

      • PJ January 19, 2015 at 3:08 pm #

        1) Doesn't layout.css.visited_links_enabled = false (default: true) perform the same function as the Disable Visited Links (DVL) add-on ? WIth visited_links set as false, the "Defend Your Spaceship" game indicated "Game over, try again" within 5 secs w/o me having to doing anything, ie. there is nothing to shoot (click on),

        2) As an experiment, I reverted the visited_links value to default true, installed the DVL addon, upon which the value instantly changes to false. (Disabling this add-on reverts the value to true.) And attempting the Spaceship game with DVL addon enabled gave the same output as (1): "Game over, try again" within 5 secs w/o providing anything for me to shoot (click on).

        3) Experimenting with (a) visited_links set as default true & no DVL add-on installed, (b) then with DVL addon disabled (which sets visited_links as true), I spent some time shooting (clicking on) missiles, after which the result can be either one of the following. Note: My browser history is enabled & left uncleared during the browser session.

        "Aaand we're done.
        Sites you have visited: [blank]
        Not Visited: slashdot.org, etc etc."

        "Aaand we're done.
        Sites you have visited: slashdot.org
        Not Visited: [shows list of other sites] "

        I clicked on numerous missiles (hyperlinks) during the Spaceship game-test, yet only slashdot.org is indicated as visited ? Or perhaps every missile was slashdot.org ? And for the case of Sites Visited= blank, were all the missiles blank ?

        Anyway, I personally avoid installing add-ons (which consume extra memory), if their functions can be carried out by setting the required about:config value(s) myself. For instance, why install the DIsable WebRTC add-on, when I can achieve the exact same function by setting media.peerconnection.enabled = false ?

      • Martin Brinkmann January 19, 2015 at 3:25 pm #

        The script running in the background uses your input to check a list of popular sites it maintains. There is no correlation between game elements and sites that are checked.

      • PJ January 19, 2015 at 5:30 pm #

        @Martin Brinkmann — Yep, I assumed that the script at the Spaceship page is checking against its own list of websites, because the list shown in the "Not Visited" results is always the same.

        I don't understand though why I am sometimes flagged for supposedly visited a site (slashdot.org) that I'd never visited. And during those times that I was flagged, the visited site is always slashdot.org.

      • Martin Brinkmann January 19, 2015 at 6:11 pm #

        By the way, you find the pages it tries in the source:

        var urls_to_try = [

      • PJ January 19, 2015 at 5:47 pm #

        Btw I did the test at the Spaceship page when browser history was enabled but cleared, & also with the cache cleared. Maybe the persistent visited: slashdot.org is somehow linked with ghacks.net, which was the only other webpage open (in another tab) & perhaps loaded something from slashdot.org ?

      • Martin Brinkmann January 19, 2015 at 6:07 pm #

        This seems unlikely. I may have written an article years ago that links to Slashdot but that would not add Slashdot to your browsing history. Maybe the script on the page has an error.

      • PJ January 21, 2015 at 10:26 am #

        The search function at ghacks.net does give a 3-page result of ghacks articles containing "slashdot". But then, I hadn't searched for this, or clicked on any of the results before the Spaceship tests.

        Just in case, I'd also checked my bookmarks & there is no "slashdot" or similar. So yeah, it does seem like a script error had flagged out "slashdot.org" from the Spaceship's predefined list of URLs when I hadn't visited the site.

        Incidentally, at least one of the sample URLs predefined by the Spaceship test-script is banned & blocked by my government. So imagine if they were to utilize a similar history-fingerprinting script that wrongly insists that I'd accessed playboy.com etc. via unsanctioned means.

        Hmm, perhaps this ghacks page can serve as my defence in that hypothetical scenario ... "No, your Justice, I did not visit Slashdot or Playboy or whatever is in your (very long) list ! The script was mistaken in its mind."

  4. Dougle July 12, 2014 at 1:01 am #

    I get mixed results with the spaceship test. With (fx 30) a new profile, no add-ons, all plug-ins disabled and the spaceship game url as the first and only site loaded, it seems to believe I've visited Bestbuy, a site I've never been to and is not even in the country in which I live. In my main profile (fx 31), with a days worth of history, It believes I've not visited any of the sites on the list, when in fact I have. However, this may be attributable to NoScript and/or Request Policy...

    • Tom Hawack July 12, 2014 at 1:18 am #

      The test tells me sites I haven' visited ... surrealistic !
      The test displays none of visited sites ...
      I'm betting myself a coffee.

      • Tom Hawack July 12, 2014 at 1:31 am #

        Did the test again after methodically visiting several sites.
        The test says I've visited reddit.com -> http://hpics.li/2264670 -> false
        Is this a joke ?!

      • Tom Hawack July 12, 2014 at 1:37 am #

        Tested again ... after having methodically visited several sites.
        Result : reddit.com displayed as visited when in fact not visited : http://hpics.li/2264670
        I'm quitting. Not only I don't understand the concept ("the plugin cleanly disables visited link styles"), but the test example seems to be quite unreliable. Perhaps the theory lacks the experience.

      • Martin Brinkmann July 12, 2014 at 8:26 am #

        Tom, remember that sites can also be visited indirectly, e.g. if contents from them are loaded on other sites that you visit.

  5. Pants July 12, 2014 at 1:20 am #

    Hide Plugins & Mime Types seems to FAIL on Palemoon >> PM still leaks this info on the panopticlick test (well my one plugin, flash, anyway)

    JonDonym test: http://ip-check.info/?lang=en <content>fonts&color>advanced and unchecking allowing sites to choose their own fonts). It kinda makes a lot of sites ugly, but hey, this is just a test. Anyway, this blocks (flash aside) from enumerating or testing for fonts. But in Palemoon, does NOTHING to stop this.

    • Pants July 12, 2014 at 11:00 am #

      Well ... half of what I wrote above is missing. Simply was pointing out that it fails for PM (which others have since also brought up) , that there is another good site for testing (JonDonym ) and on the end tacked on some info about fonts ... *sigh*

      Anyway - http://ip-check.info/?lang=en ( allow relevant cross site scripting and javascript in order for it to work and test everything ). You will get an initial list of items, and the underneath some blocked flash items, after about a minute or so, more info will appear. Am interested in what people think of the stuff that comes up RED : )

  6. Tom Hawack July 12, 2014 at 1:44 am #

    Tested again. Results are false (I hadn't visited reddit.com), and I had visited several sites, with the same tab moreover : http://hpics.li/2264670
    I'm abandoning the theory and the plug-in ("This plugin cleanly disables visited link styles" : how?"), and the test game is not relevant of efficiency. When you propose a plug-in, as an application, the minimum is to explain the basis to the literate rather than to only link to a theory board....

  7. Maou July 12, 2014 at 3:14 am #

    My browser window is too small for space battles, damn.

    Since I use Palemoon, WebRtc is already dealt it so I´ll try the other extension.

    Thanks Martin.

  8. Robert July 12, 2014 at 5:56 am #

    I've tested Hide Plugin & Mimetype Identifiers addon in Palemoon and it doesn't work. Is it for Firefox exclusively?

    • Martin Brinkmann July 12, 2014 at 8:24 am #

      Right, I verified that. It does not seem to work.

    • Dougle July 12, 2014 at 9:56 am #

      The addon changes an about:config preference called "plugins.enumerable_names" form '*' to a blank value. This preference doesn't seem to be available in Pale Moon. Whether that's by design or not... I guess you could try adding the preference as a 'String' value and see what happens.

      You can look at https://mail.mozilla.org/pipermail/firefox-dev/2013-November/001186.html for more information.

  9. jeff July 12, 2014 at 6:25 pm #

    Is there such a thing for Chrome? I'd love to hide the fact that I have Adblock installed.

  10. anonymous July 13, 2014 at 7:07 pm #

    I thought firefox recently made the addons or plugins hidden from websites in one of the updates?

  11. Aram July 14, 2014 at 3:48 am #

    The reason the "Hide Plugin & Mimetype Identifiers" extension is not working on the Pale Moon browser is very simple.
    Although Pale Moon (latest version 24.6.2) implements the latest security fixes, the code is still based on the Firefox ESR version. (latest: 24.6.0). The "plugins.enumerable_names" property was introduced in Firefox 29.0. It is no use to add the "plugins.enumerable_names" property in Firefox ESR or Pale Moon because the code to recognize this property just is not there. So we just have to wait until both catch up later this year. And remember, even if you use the "Hide Plugin & Mimetype Identifiers" extension or set "plugins.enumerable_names" to "" (empty string) on Firefox version 29 onwards, it is still possible to query individual plugins. Hope this helped to clarify things.

  12. blank is the answer July 14, 2014 at 6:54 am #

    well...so it hides only plugins.enumerable_names but not addons =Adblock and so on..
    could we try create manually entry addons.enumerable_names and set to blank ?
    check guys it and tell us if it works .

  13. Random October 22, 2015 at 5:23 pm #

    hide plugin and mime-types no longer works for the latest firefox. unfortunately, there is nothing you can do to hide them in firefox except using the tor.

Leave a Reply