Firefox 48: blocklist against plugin fingerprinting

Martin Brinkmann
Jul 18, 2016
Firefox
|
19

Firefox 48, out August 2, 2016, will block known plugin fingerprinting services thanks to a new blocklist that Mozilla developed to improve user privacy.

Fingerprinting techniques use various methods to identify and distinguish devices. Anything that the browser reveals on its own is used for instance. Methods may parse the user agent header which reveals the operating system, browser version and other information.

Apart from information that is revealed on connect automatically, scripts may be used to get additional information.

If Adobe Flash is installed for instance, sites may grab the list of fonts and other information.

Firefox plugin blocklist

firefox safebrowsing blocklist

And that is the area that Mozilla improves in Firefox 48. The browser ships with a new blocklist listing Flash SWF files that were identified by Mozilla as fingerprinting files.

Basically, what happens is that Firefox blocks connections to these fingerprinting files automatically starting with version 48.

The feature is useful to Firefox users who have Flash installed on their system and enabled in Firefox.

Mozilla did crawl the top 10,000 Alexa websites and analyzed SWF files loaded on those sites. The organization plans to run crawls regularly to catch new files.

The list distinguishes between fingerprinting and supercookie SWFs.

  • Any file smaller than 5x5 pixels that called enumerateFonts() and ExternalInterface was categorized as fingerprinting SWF and put on the blocklist.
  • Any file smaller than 5x5 pixels that called SharedObject and contained the string "cookie" was categorized as a supercookie SWF and put on the blocklist.

The blocklist covers only Flash functions. One reason for that is that all other plugins are set to click to play in Firefox. Another, that Mozilla will disable all plugins but Flash in Firefox 52 (with an override), and all but Flash completely in Firefox 53.

Control the blocklist preference

fingerprinting supercookie

The plugin blocklist feature is already available in Firefox 47 but disabled by default. You may enable it however to make use of the blocklist feature right away instead of waiting for the Firefox 48 release.

  1. Type about:config in Firefox's address bar and hit enter.
  2. Confirm you will be careful if a prompt appears.
  3. Search for firefox-safebrowsing-blocklist.
  4. Double-click on the preference.

Setting the value of the preference to true turns the feature on, a value of false disables it. If you have no need for it, or if you notice issues on sites then this may be what you need to do. Some users may run extensions that block these type of files automatically as well so that they have no need for it.

You may take a look at the blocklist on the project's Github page. This may be useful if you want to know what gets blocked, or if you want to port the list to another browser.

Closing Words

Better protection against browser fingerprinting is always welcome. It appears that Mozilla is starting to put the focus on privacy enhancing features in Firefox. While Firefox provides you with better privacy controls than other browsers already, it is one area in which Mozilla can outshine Google's Chrome by a large margin.

The organization announced recently that it will integrate Tor privacy settings in Firefox natively as well.

Now Read: Check out our comprehensive Firefox privacy and security listing.

Summary
Firefox 48: blocklist against plugin fingerprinting
Article Name
Firefox 48: blocklist against plugin fingerprinting
Description
Firefox 48, out August 2, 2016, will block known plugin fingerprinting services thanks to a new blocklist that Mozilla developed to improve user privacy.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Tony said on July 18, 2016 at 10:24 pm
    Reply

    And thus begins another “cat and mouse” game.

    Adobe could fix these issues in 5 minutes by giving the user control over what Flash exposes to *every* website that includes *any* flash object. Adobe obviously knows about these issues, and their inaction speaks volumes about their values and agenda.

    For these reasons, I got rid of Flash a long time ago. If a site uses it, I find a better site with similar functionality but without the Flash requirement.

    1. vosie said on July 19, 2016 at 8:21 am
      Reply

      And? What is your benefit from it? They can track you with HTML5 videos. And HTML5 is much worse than flash, because oppsed to flash, you CAN NOT use click-to-play blocking for HTML5 videos. So every HTML5 video loads on every page.

      The media.autoplay.enabled pref is useless because it is not able to block the downloading of HTML5 videos.

      So that’s why Flash is better.

      1. Jed said on July 20, 2016 at 7:35 pm
        Reply

        It’s not ‘better’ per se, just is easier to control.

  2. Ray said on July 18, 2016 at 8:36 pm
    Reply

    If you’re using uBlock Origin, as Martin notes, Firefox hosts the SWF blocklists on Github:
    https://github.com/mozilla-services/shavar-plugin-blocklist

    Copy and paste the raw link to uBlock Origin’s 3rd-party filters list to subscribe it. I’m using mozplugin2-block.txt as that as more entries.

    1. Tom Hawack said on July 18, 2016 at 9:46 pm
      Reply

      I was wondering about the difference between the mozplugin-block.txt and mozplugin2-block.txt files, besides the number of entries. If both are proposed then there must be a pertinence to choose either independently of their number of entries… I installed mozplugin2-block.txt on the assumption that bigger is better, which is not always true. Pity there’s no mention of the difference between these two lists.

      1. Pants said on July 18, 2016 at 10:20 pm
        Reply

        The difference is that *plugin2-block is for experiments – see https://bugzilla.mozilla.org/show_bug.cgi?id=1237198#c23

      2. Tony said on July 18, 2016 at 10:12 pm
        Reply

        I agree, pity there’s no mention of the difference between these two lists.

        But it’s simple to take a look at the differences oneself: both lists contain the fingerprinting and supercookie items. The list with the “2” postpended also includes a “Viewability” section. Time to inspect all the items in the viewability section…

  3. anon said on July 18, 2016 at 11:35 am
    Reply

    oh wow, its fucking nothing. i dont even have flash player installes

    1. vosie said on July 19, 2016 at 8:22 am
      Reply

      And? What is your benefit from it? They can track you with HTML5 videos. And HTML5 is much worse than flash, because oppsed to flash, you CAN NOT use click-to-play blocking for HTML5 videos. So every HTML5 video loads on every page.

      The media.autoplay.enabled pref is useless because it is not able to block the downloading of HTML5 videos.

      So that’s why Flash is better.

      1. kwerboom said on July 22, 2016 at 9:18 pm
        Reply

        >Flash is better

        !?!… I don’t know what you’re high on, but Flash is a terrible plugin. Flash is based on bug ridden 20 year old code that neither Macromedia nor Adobe have ever seen fit clean up let alone refactor. Security control with Flash is an illusion because even if there were a button on the control panel, the back end is open spaghetti code that is constantly under attack and constantly exposing every system its on.

      2. anon said on July 19, 2016 at 9:25 pm
        Reply

        >Flash is better

        Nigga what?

  4. Tom Hawack said on July 18, 2016 at 11:01 am
    Reply

    Same here with Firefox 47.0.1 (x64) on Windows 7 (x64) : no firefox-safebrowsing-blocklist in about:config, though it could be a hidden setting requiring explicit user call.

    Concerning announced Firefox 48 blocklist against plugin fingerprinting, not concerned here at this time since I’ve removed Flash nearly a year ago and perhaps not concerned by the blocklist’s development as long as I keep Firefox as it is now : no plug-in (and I’m not the only one, I think Pants has the same policy).

    Plug-ins’ fingerprinting are just one vector of intrusion when many others exist, i.e. canvas fingerprinting (Firefox ‘CanvasBlocker’ add-on available), i.e. Firefox’s everlasting resource leak problem (a developer had to handle this with his ‘No Resource URI Leak’ add-on it since Mozilla loses a lot of time on useless gadgets ) … fingerprinting is everywhere, its an abomination, a digital cancer, it’s spreading everywhere using any and all possible vectors to access users’ data.

    Have a nice week, folks.

    1. Yuliya said on July 18, 2016 at 4:05 pm
      Reply

      I also have no plugins, the only one which survived until recently this year was Flash, though now all the websites that I visit work without. It’s funny now how I get on some websites a small square with an image telling me that I should install it. I wonder what could be in a 200px wide square that I should see :) If I really need it I keep Chrome porable, but it’s been a while since I opened it.

      1. anon said on July 18, 2016 at 4:35 pm
        Reply

        How can you remove the system integrated flash player in Windows 10?

      2. Tom Hawack said on July 18, 2016 at 4:29 pm
        Reply

        The reason why Firefox plugin blocklist starts by considering Flash fingerprinting is the same reason why several (many?) sites stick to Flash when HTML5 is available : the amount of collectable user information.

        Some of us, I hope many, you did, I did remove Firefox’s Flash plug-in (I removed Flash system-wide, that is the IE ActiveX included). When a site requires Flash it is their problem. Surprisingly or not it doesn’t appear that requiring Flash would be related to a domain’s seriousness; dare I admit to disclose a fraction of my privacy in order to illustrate my statement? Well known media sites, mainly news sites, serious etc… impose Flash while squalid porn sites have upgraded to HTML5. Gets me to wonder the Who’s Who of squalidness.

  5. wybo said on July 18, 2016 at 10:42 am
    Reply

    Uhhh. Same here. No Firefox-safebrowsing to be seen.

  6. yossarian said on July 18, 2016 at 9:05 am
    Reply

    firefox-safebrowsing-blocklist
    is missing from my Firefox 47 on Linux Mint 18. Closest to that is
    browser.safebrowsing.allowOverride.

    1. Psy said on July 18, 2016 at 12:23 pm
      Reply

      Same with FF47 on Seven x64.
      But i’d say closest is browser.safebrowsing.blockedURIs.enabled which is false by default

      1. Pants said on July 18, 2016 at 9:44 pm
        Reply

        The preference is what Psy said: see https://bugzilla.mozilla.org/show_bug.cgi?id=1237198#c14

        Here is some info (copypasta’d from mozilla)
        // The table and global pref for blocking plugin content
        pref(“browser.safebrowsing.blockedURIs.enabled”, false);
        pref(“urlclassifier.blockedTable”, “test-block-simple,mozplugin-block-digest256”);

        Here is a code link in nsObjectLoadingContent.cpp
        https://dxr.mozilla.org/mozilla-release/search?q=kPrefBlockURIs

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.