Firefox 48: blocklist against plugin fingerprinting
Firefox 48, out August 2, 2016, will block known plugin fingerprinting services thanks to a new blocklist that Mozilla developed to improve user privacy.
Fingerprinting techniques use various methods to identify and distinguish devices. Anything that the browser reveals on its own can be used, for instance: methods may parse the user agent header, which reveals the operating system, browser version and other information.
Apart from information that is revealed automatically on connect, scripts may be used to get additional information.
If Adobe Flash is installed, for instance, sites may grab the list of fonts and other information.
Firefox plugin blocklist
And that is the area that Mozilla improves in Firefox 48. The browser ships with a new blocklist listing Flash SWF files that were identified by Mozilla as fingerprinting files.
Basically, what happens is that Firefox blocks connections to these fingerprinting files automatically starting with version 48.
The feature is useful to Firefox users who have Flash installed on their system and enabled in Firefox.
Mozilla crawled the top 10,000 Alexa websites and analyzed the SWF files loaded on those sites. The organization plans to run crawls regularly to catch new files.
The list distinguishes between fingerprinting and supercookie SWFs.
- Any file smaller than 5x5 pixels that called enumerateFonts() and ExternalInterface was categorized as fingerprinting SWF and put on the blocklist.
- Any file smaller than 5x5 pixels that called SharedObject and contained the string "cookie" was categorized as a supercookie SWF and put on the blocklist.
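The two rules above can be expressed as a small classifier. This is an added example, not Mozilla's crawler code: it reads the stage size from the SWF header (FWS or zlib-compressed CWS) and uses byte-string presence as a stand-in for "called". The names parse_swf, classify and make_sample are hypothetical, the samples are constructed header-only files, and "smaller than 5x5 pixels" is assumed to mean both sides are under 5 pixels.

```python
import zlib

TWIPS_PER_PIXEL = 20  # SWF stores stage dimensions in twips (1/20 px)

def parse_swf(swf: bytes):
    """Return (width_px, height_px, body) from an FWS or CWS file."""
    if swf[:3] == b"CWS":        # zlib-compressed after the 8-byte header
        body = zlib.decompress(swf[8:])
    elif swf[:3] == b"FWS":      # uncompressed
        body = swf[8:]
    else:
        raise ValueError("not an FWS/CWS file")
    if not body:
        raise ValueError("truncated RECT")
    nbits = body[0] >> 3         # top 5 bits: bit width of each RECT field
    total = 5 + 4 * nbits
    nbytes = (total + 7) // 8
    if len(body) < nbytes:
        raise ValueError("truncated RECT")
    bits = int.from_bytes(body[:nbytes], "big") >> (nbytes * 8 - total)
    fields = []
    for i in range(4):           # order: Xmin, Xmax, Ymin, Ymax (signed)
        v = (bits >> ((3 - i) * nbits)) & ((1 << nbits) - 1)
        if nbits and v >> (nbits - 1):
            v -= 1 << nbits
        fields.append(v)
    xmin, xmax, ymin, ymax = fields
    return (xmax - xmin) / TWIPS_PER_PIXEL, (ymax - ymin) / TWIPS_PER_PIXEL, body

def classify(swf: bytes) -> str:
    """Apply the two rules above; byte-string search stands in for 'called'."""
    width, height, body = parse_swf(swf)
    if width >= 5 or height >= 5:    # assumption: both sides must be < 5 px
        return "unlisted"
    if b"enumerateFonts" in body and b"ExternalInterface" in body:
        return "fingerprinting"
    if b"SharedObject" in body and b"cookie" in body:
        return "supercookie"
    return "unlisted"

def make_sample(width_px, height_px, payload, compress=False):
    """Build a constructed, header-only SWF-like sample (not a real movie)."""
    nbits, bits = 15, 15
    for v in (0, width_px * TWIPS_PER_PIXEL, 0, height_px * TWIPS_PER_PIXEL):
        bits = (bits << nbits) | v
    rect = (bits << 7).to_bytes(9, "big")          # 65 bits padded to 72
    body = rect + b"\x00\x0c\x01\x00" + payload    # frame rate, frame count
    head = b"\x0a" + (8 + len(body)).to_bytes(4, "little")
    return (b"CWS" + head + zlib.compress(body)) if compress else b"FWS" + head + body
```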
The blocklist covers only Flash functions. One reason for that is that all other plugins are set to click to play in Firefox. Another is that Mozilla will disable all plugins but Flash in Firefox 52 (with an override), and all but Flash completely in Firefox 53.
Control the blocklist preference
The plugin blocklist feature is already available in Firefox 47 but disabled by default. You may enable it, however, to make use of the blocklist right away instead of waiting for the Firefox 48 release.
- Type about:config in Firefox's address bar and hit enter.
- Confirm you will be careful if a prompt appears.
- Search for firefox-safebrowsing-blocklist.
- Double-click on the preference.
Setting the value of the preference to true turns the feature on; a value of false disables it. If you have no need for it, or if you notice issues on sites, then disabling it may be what you need to do. Some users may run extensions that block these types of files automatically as well, so that they have no need for it.
You may take a look at the blocklist on the project's Github page. This may be useful if you want to know what gets blocked, or if you want to port the list to another browser.
Closing Words
Better protection against browser fingerprinting is always welcome. It appears that Mozilla is starting to put the focus on privacy enhancing features in Firefox. While Firefox provides you with better privacy controls than other browsers already, it is one area in which Mozilla can outshine Google's Chrome by a large margin.
The organization announced recently that it will integrate Tor privacy settings in Firefox natively as well.
And thus begins another “cat and mouse” game.
Adobe could fix these issues in 5 minutes by giving the user control over what Flash exposes to *every* website that includes *any* flash object. Adobe obviously knows about these issues, and their inaction speaks volumes about their values and agenda.
For these reasons, I got rid of Flash a long time ago. If a site uses it, I find a better site with similar functionality but without the Flash requirement.
And? What is your benefit from it? They can track you with HTML5 videos. And HTML5 is much worse than Flash, because as opposed to Flash, you CAN NOT use click-to-play blocking for HTML5 videos. So every HTML5 video loads on every page.
The media.autoplay.enabled pref is useless because it is not able to block the downloading of HTML5 videos.
So that’s why Flash is better.
It’s not ‘better’ per se, just is easier to control.
If you’re using uBlock Origin, as Martin notes, Firefox hosts the SWF blocklists on Github:
https://github.com/mozilla-services/shavar-plugin-blocklist
Copy and paste the raw link to uBlock Origin’s 3rd-party filters list to subscribe to it. I’m using mozplugin2-block.txt as that has more entries.
I was wondering about the difference between the mozplugin-block.txt and mozplugin2-block.txt files, besides the number of entries. If both are proposed then there must be a pertinence to choose either independently of their number of entries… I installed mozplugin2-block.txt on the assumption that bigger is better, which is not always true. Pity there’s no mention of the difference between these two lists.
The difference is that *plugin2-block is for experiments – see https://bugzilla.mozilla.org/show_bug.cgi?id=1237198#c23
I agree, pity there’s no mention of the difference between these two lists.
But it’s simple to take a look at the differences oneself: both lists contain the fingerprinting and supercookie items. The list with the “2” postpended also includes a “Viewability” section. Time to inspect all the items in the viewability section…
Oh wow, it’s fucking nothing. I don’t even have Flash Player installed.
>Flash is better
!?!… I don’t know what you’re high on, but Flash is a terrible plugin. Flash is based on bug-ridden 20-year-old code that neither Macromedia nor Adobe have ever seen fit to clean up, let alone refactor. Security control with Flash is an illusion because even if there were a button on the control panel, the back end is open spaghetti code that is constantly under attack and constantly exposing every system it’s on.
>Flash is better
Nigga what?
Same here with Firefox 47.0.1 (x64) on Windows 7 (x64) : no firefox-safebrowsing-blocklist in about:config, though it could be a hidden setting requiring explicit user call.
Concerning announced Firefox 48 blocklist against plugin fingerprinting, not concerned here at this time since I’ve removed Flash nearly a year ago and perhaps not concerned by the blocklist’s development as long as I keep Firefox as it is now : no plug-in (and I’m not the only one, I think Pants has the same policy).
Plug-ins’ fingerprinting is just one vector of intrusion when many others exist, i.e. canvas fingerprinting (Firefox ‘CanvasBlocker’ add-on available), i.e. Firefox’s everlasting resource leak problem (a developer had to handle this with his ‘No Resource URI Leak’ add-on since Mozilla loses a lot of time on useless gadgets) … fingerprinting is everywhere, it’s an abomination, a digital cancer, it’s spreading everywhere using any and all possible vectors to access users’ data.
Have a nice week, folks.
I also have no plugins, the only one which survived until recently this year was Flash, though now all the websites that I visit work without it. It’s funny now how I get on some websites a small square with an image telling me that I should install it. I wonder what could be in a 200px wide square that I should see :) If I really need it I keep Chrome portable, but it’s been a while since I opened it.
How can you remove the system integrated flash player in Windows 10?
The reason why Firefox plugin blocklist starts by considering Flash fingerprinting is the same reason why several (many?) sites stick to Flash when HTML5 is available : the amount of collectable user information.
Some of us, I hope many, you did, I did remove Firefox’s Flash plug-in (I removed Flash system-wide, that is the IE ActiveX included). When a site requires Flash it is their problem. Surprisingly or not it doesn’t appear that requiring Flash would be related to a domain’s seriousness; dare I admit to disclose a fraction of my privacy in order to illustrate my statement? Well known media sites, mainly news sites, serious etc… impose Flash while squalid porn sites have upgraded to HTML5. Gets me to wonder the Who’s Who of squalidness.
Uhhh. Same here. No Firefox-safebrowsing to be seen.
firefox-safebrowsing-blocklist
is missing from my Firefox 47 on Linux Mint 18. Closest to that is
browser.safebrowsing.allowOverride.
Same with FF47 on Seven x64.
But I’d say closest is browser.safebrowsing.blockedURIs.enabled which is false by default
The preference is what Psy said: see https://bugzilla.mozilla.org/show_bug.cgi?id=1237198#c14
Here is some info (copypasta’d from mozilla)
// The table and global pref for blocking plugin content
pref("browser.safebrowsing.blockedURIs.enabled", false);
pref("urlclassifier.blockedTable", "test-block-simple,mozplugin-block-digest256");
Here is a code link in nsObjectLoadingContent.cpp
https://dxr.mozilla.org/mozilla-release/search?q=kPrefBlockURIs