Hide plugins, visited links and WebRTC from websites in Firefox

Whenever you connect to a website using any browser, the site receives a variety of information automatically. While not all sites process or record this information, some may very well use it for tracking and other purposes.

Web services such as the EFF's Panopticlick highlight the information that websites may retrieve while you are connecting to them.

This may include the operating system and web browser, screen size, system fonts or which plugins are available.

We already mentioned in the past that you can limit or change what is being made available to websites and services when you connect to them.

As far as plugins are concerned, websites can only identify plugins that are enabled in the browser (either directly or via click to play).

While you can -- and should -- disable plugins that you don't use, you cannot block information about plugins that you use from being leaked to websites you connect to.

This changes with the Firefox add-on Hide Plugin & Mimetype Identifiers, which you can install in the browser for that purpose. Once installed, no plugin information is made available to websites anymore, which you can verify by reloading the Panopticlick website.

This means that websites won't get information about plugins and versions anymore when you connect.

How is that helpful?

It needs to be noted that this does not prevent plugin exploits as leaking the information and running the plugin are two different things. This means that plugin executions are not prevented by the add-on.

Still, if you set plugins to click to play, plugin contents no longer run automatically, which keeps you safe in this regard.

Blocking the information prevents sites from using it to identify users. The more information sites can gather, the likelier it is that they can generate a unique user fingerprint to identify a user even without the use of local storage options such as cookies.

The add-on lacks options to whitelist sites or replace relevant information with fake information as the feature may break functionality on some websites.

Two additional add-ons

The author of the extension has created two additional add-ons that some users may find useful. Disable visited links prevents websites from probing which other websites and services you have visited in the past.

CSS history leaks were an issue up until 2010, when browser vendors plugged that hole, but they have recently become an issue again. You can read about the methodology used here, which offers all the explanations you need to understand how it is done nowadays.

The third add-on, Disable WebRTC, prevents the exposure of your network IP to services on the Internet. You can do the same thing manually by setting media.peerconnection.enabled in about:config to false.
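To check what the first and third add-ons actually change, the following added example (not code from the add-ons or from this site) reports what a page can read from a window-like object: the enumerable plugin list, the mimetype count, plugins that only answer a lookup by exact name (the caveat raised in the reader comments below), and whether a WebRTC constructor is present. The two profile objects and the plugin version are constructed stand-ins so the script runs offline; in a browser console you would pass `window` instead.

```javascript
// Added example: audit what a page can learn from a window-like object.
function auditExposure(win, probeNames = []) {
  const nav = win.navigator || {};
  const plugins = nav.plugins || { length: 0 };
  const mimeTypes = nav.mimeTypes || { length: 0 };

  // What a site gets by simply iterating navigator.plugins.
  const enumeratedPlugins = [];
  for (let i = 0; i < plugins.length; i++) {
    const p = plugins[i];
    enumeratedPlugins.push([p.name, p.version].filter(Boolean).join(" "));
  }

  // A plugin hidden from enumeration may still answer a lookup by exact name.
  const namedOnly = probeNames.filter(
    (name) =>
      plugins[name] !== undefined &&
      !enumeratedPlugins.some((entry) => entry.startsWith(name))
  );

  // With media.peerconnection.enabled set to false the constructor is absent.
  const webrtcAvailable = ["RTCPeerConnection", "mozRTCPeerConnection"].some(
    (ctor) => typeof win[ctor] === "function"
  );

  return { enumeratedPlugins, mimeTypeCount: mimeTypes.length, namedOnly, webrtcAvailable };
}

// Constructed sample data (assumption: one Flash plugin, made-up version).
const flash = { name: "Shockwave Flash", version: "1.2.3" };

// Stand-in for a default profile: plugin enumerable, WebRTC constructor present.
const defaultProfile = {
  navigator: {
    plugins: { length: 1, 0: flash, "Shockwave Flash": flash },
    mimeTypes: { length: 2 },
  },
  mozRTCPeerConnection: function () {},
};

// Stand-in for a profile with plugin hiding active and WebRTC disabled.
const hardenedProfile = {
  navigator: {
    plugins: { length: 0, "Shockwave Flash": flash },
    mimeTypes: { length: 0 },
  },
};

console.log(auditExposure(defaultProfile, ["Shockwave Flash"]));
console.log(auditExposure(hardenedProfile, ["Shockwave Flash"]));
```

An empty `enumeratedPlugins` list together with a non-empty `namedOnly` list means the enumeration is hidden but a site that asks for that plugin by name still gets an answer.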

Responses to Hide plugins, visited links and WebRTC from websites in Firefox

  1. Mozinet July 11, 2014 at 8:08 pm #

    No "Hide Plugin & Mimetype Identifiers" link?

    The other two AMO links lead to pages in German.

    • Martin Brinkmann July 11, 2014 at 8:32 pm #

      I hate it when Mozilla switches me automatically to the /de/ localized version. Corrected the links, thanks!

  2. Jorge July 11, 2014 at 9:08 pm #

    There is no media.peerconnection.enabled in the about:config of my pale moon browser. What gives?

  3. Tom Hawack July 11, 2014 at 9:53 pm #

    1- DisableWebRTC add-on : with Firefox I'd install this immediately. Pale Moon browser has WebRTC removed, another great initiative ;

    2- Hide Plugin & Mimetype Identifiers add-on : I'm about to install and try it : great news!

    3- About the Disable visited links add-on : I've heard about it, went to its page, but frankly I don't understand how this is done. I was about to forget this add-on if it hadn't been this article mentioning it. Thanks if a user can give me a hint on what is performed -- rather how - in order to achieve hiding visited links. It's nothing to do with history, so what is it (for crying out loud, grrr!) ?

    • Martin Brinkmann July 11, 2014 at 10:47 pm #

      It still has to do with your browsing history but requires you to click for each url the web service wants to test. See here http://lcamtuf.coredump.cx/yahh/

      • Tom Hawack July 11, 2014 at 11:14 pm #

        Thanks, Martin. I saved the spaceship but haven't been rewarded with the prize of understanding the add-on's mystery tour. Even when trying to pull up the limits of my allegory referentials :)
        I've admitted since a long time ago that there are 3 categories of knowledge : 1- Understood, 2- Understandable with time & effort, 3- No hope - LOL :)

  4. Dougle July 12, 2014 at 1:01 am #

    I get mixed results with the spaceship test. With (fx 30) a new profile, no add-ons, all plug-ins disabled and the spaceship game url as the first and only site loaded, it seems to believe I've visited Bestbuy, a site I've never been to and is not even in the country in which I live. In my main profile (fx 31), with a days worth of history, It believes I've not visited any of the sites on the list, when in fact I have. However, this may be attributable to NoScript and/or Request Policy...

    • Tom Hawack July 12, 2014 at 1:18 am #

      The test tells me sites I haven't visited ... surrealistic !
      The test displays none of visited sites ...
      I'm betting myself a coffee.

      • Tom Hawack July 12, 2014 at 1:31 am #

        Did the test again after methodically visiting several sites.
        The test says I've visited reddit.com -> http://hpics.li/2264670 -> false
        Is this a joke ?!

      • Tom Hawack July 12, 2014 at 1:37 am #

        Tested again ... after having methodically visited several sites.
        Result : reddit.com displayed as visited when in fact not visited : http://hpics.li/2264670
        I'm quitting. Not only I don't understand the concept ("the plugin cleanly disables visited link styles"), but the test example seems to be quite unreliable. Perhaps the theory lacks the experience.

      • Martin Brinkmann July 12, 2014 at 8:26 am #

        Tom, remember that sites can also be visited indirectly, e.g. if contents from them are loaded on other sites that you visit.

  5. Pants July 12, 2014 at 1:20 am #

    Hide Plugins & Mime Types seems to FAIL on Palemoon >> PM still leaks this info on the panopticlick test (well my one plugin, flash, anyway)

    JonDonym test: http://ip-check.info/?lang=en <content>fonts&color>advanced and unchecking allowing sites to choose their own fonts). It kinda makes a lot of sites ugly, but hey, this is just a test. Anyway, this blocks (flash aside) from enumerating or testing for fonts. But in Palemoon, does NOTHING to stop this.

    • Pants July 12, 2014 at 11:00 am #

      Well ... half of what I wrote above is missing. Simply was pointing out that it fails for PM (which others have since also brought up) , that there is another good site for testing (JonDonym ) and on the end tacked on some info about fonts ... *sigh*

      Anyway - http://ip-check.info/?lang=en ( allow relevant cross site scripting and javascript in order for it to work and test everything ). You will get an initial list of items, and then underneath some blocked flash items, after about a minute or so, more info will appear. Am interested in what people think of the stuff that comes up RED : )

  6. Tom Hawack July 12, 2014 at 1:44 am #

    Tested again. Results are false (I hadn't visited reddit.com), and I had visited several sites, with the same tab moreover : http://hpics.li/2264670
    I'm abandoning the theory and the plug-in ("This plugin cleanly disables visited link styles" : how?"), and the test game is not relevant of efficiency. When you propose a plug-in, as an application, the minimum is to explain the basis to the literate rather than to only link to a theory board....

  7. Maou July 12, 2014 at 3:14 am #

    My browser window is too small for space battles, damn.

    Since I use Palemoon, WebRtc is already dealt with so I'll try the other extension.

    Thanks Martin.

  8. Robert July 12, 2014 at 5:56 am #

    I've tested Hide Plugin & Mimetype Identifiers addon in Palemoon and it doesn't work. Is it for Firefox exclusively?

    • Martin Brinkmann July 12, 2014 at 8:24 am #

      Right, I verified that. It does not seem to work.

    • Dougle July 12, 2014 at 9:56 am #

      The addon changes an about:config preference called "plugins.enumerable_names" from '*' to a blank value. This preference doesn't seem to be available in Pale Moon. Whether that's by design or not... I guess you could try adding the preference as a 'String' value and see what happens.

      You can look at https://mail.mozilla.org/pipermail/firefox-dev/2013-November/001186.html for more information.

  9. jeff July 12, 2014 at 6:25 pm #

    Is there such a thing for Chrome? I'd love to hide the fact that I have Adblock installed.

  10. anonymous July 13, 2014 at 7:07 pm #

    I thought firefox recently made the addons or plugins hidden from websites in one of the updates?

  11. Aram July 14, 2014 at 3:48 am #

    The reason the "Hide Plugin & Mimetype Identifiers" extension is not working on the Pale Moon browser is very simple.
    Although Pale Moon (latest version 24.6.2) implements the latest security fixes, the code is still based on the Firefox ESR version. (latest: 24.6.0). The "plugins.enumerable_names" property was introduced in Firefox 29.0. It is no use to add the "plugins.enumerable_names" property in Firefox ESR or Pale Moon because the code to recognize this property just is not there. So we just have to wait until both catch up later this year. And remember, even if you use the "Hide Plugin & Mimetype Identifiers" extension or set "plugins.enumerable_names" to "" (empty string) on Firefox version 29 onwards, it is still possible to query individual plugins. Hope this helped to clarify things.

  12. blank is the answer July 14, 2014 at 6:54 am #

    well...so it hides only plugins.enumerable_names but not addons =Adblock and so on..
    could we try create manually entry addons.enumerable_names and set to blank ?
    check guys it and tell us if it works .
