A history of Fingerprinting protection in Firefox - gHacks Tech News

Fingerprinting is a common technique used predominantly by advertising agencies and marketing companies to track people on the Internet.

Mozilla introduced the preference privacy.resistFingerprinting in Firefox 41 as part of the Tor Uplift project.

The official Tor browser is based on Firefox ESR; Tor Uplift aims to bring the patches that the Tor development team makes to the Tor browser into Firefox. See our article on Tor Browser privacy changes coming to Firefox for additional information on Tor Uplift.

These preferences are usually disabled by default because they may break things on the Internet.

Fingerprinting protection

Fingerprinting protection is disabled by default in Firefox because enabling it may currently cause quite a few issues.

Firefox users may notice, for instance, that they cannot install extensions on AMO using the default method thanks to the integrated User Agent spoofing in fingerprinting protection (Mozilla AMO reads the version of the browser as Firefox 52.x regardless of the actual version of the browser).

Firefox users can enable fingerprinting protection in the following way:

  1. Load about:config?filter=privacy.resistFingerprinting
  2. Double-click on the preference.
    1. A value of True means that the protection is enabled.
    2. A value of False means that it is disabled.

Fingerprinting protection started with basic protective features, but changes in recent versions of Firefox added a significant number of additional protections to the privacy feature.

The Ghacks User JS team keeps track of these changes on the project's GitHub page. You will find the most important changes and the Firefox version they were implemented in below:

  • Firefox 41: privacy.resistFingerprinting added to the browser. (418989)
  • Firefox 50: spoof screen orientation (1281949)
  • Firefox 50: hide navigator.plugins and navigator.mimeTypes (1281963)
  • Firefox 55: spoof timezone as UTC 0 (1330890)
  • Firefox 55: round window sizes to hundreds (1360039)
  • Firefox 55: precision of time exposed by JavaScript reduced (1217238)
  • Firefox 56: spoof/disable performance API (1369303)
  • Firefox 56: spoof navigator API (1333651)
  • Firefox 56: disable device sensors (1369319)
  • Firefox 56: disable site-specific zoom (1369357)
  • Firefox 56: hide gamepads from content (1337161)
  • Firefox 56: spoof network info API as "unknown" (1372072)
  • Firefox 56: disable Geolocation API (1372069)
  • Firefox 56: disable WebSpeech API (1333641)
  • Firefox 57: spoof media statistics (1369309)
  • Firefox 57: enable fingerprinting resistance for WebGL (1217290)
  • Firefox 57: reduce fingerprinting in Animation API (1382545)
  • Firefox 57: enable fingerprinting resistance for Presentation API (1382533)
  • Firefox 57: disable mozAddonManager Web API (1384330)
  • Firefox 58: prompt before allowing canvas data extraction (967895)
  • Firefox 59: spoof/block MediaDevices API fingerprinting (1372073)
  • Firefox 59: spoof keyboard events and suppress keyboard modifier events (1222285)
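
Several of the entries above can be verified from a web page's point of view. The following JavaScript is an added example, not code from the article, Mozilla or the Ghacks User JS project; the function names, snapshot fields and sample snapshots are constructed for illustration, and the spoofed version 52 is the one the article reports for AMO.

```javascript
// Added example: audit a snapshot of page-visible values against the
// spoofed values named in the changelog above. A passing check is only
// consistent with the protection being on (a user really in UTC passes too).

// Read the values from a real window (paste into the browser console).
function collectSnapshot(win) {
  const nav = win.navigator;
  return {
    userAgent: nav.userAgent,
    timezoneOffset: new Date().getTimezoneOffset(), // minutes from UTC
    innerWidth: win.innerWidth,
    innerHeight: win.innerHeight,
    pluginCount: nav.plugins ? nav.plugins.length : 0,
    mimeTypeCount: nav.mimeTypes ? nav.mimeTypes.length : 0,
  };
}

// One check per changelog entry; `ok` is true when the value looks spoofed.
// spoofedMajor: the article says AMO saw Firefox 52.x at the time of writing.
function auditSnapshot(s, spoofedMajor = 52) {
  const uaMatch = /Firefox\/(\d+)\./.exec(s.userAgent || "");
  return [
    { id: "timezone", expected: "UTC 0 (Firefox 55)",
      observed: `${s.timezoneOffset} min from UTC`,
      ok: s.timezoneOffset === 0 },
    { id: "window-size", expected: "rounded to hundreds (Firefox 55)",
      observed: `${s.innerWidth}x${s.innerHeight}`,
      ok: s.innerWidth % 100 === 0 && s.innerHeight % 100 === 0 },
    { id: "plugins", expected: "plugins and mimeTypes hidden (Firefox 50)",
      observed: `${s.pluginCount} plugins, ${s.mimeTypeCount} MIME types`,
      ok: s.pluginCount === 0 && s.mimeTypeCount === 0 },
    { id: "user-agent", expected: `Firefox ${spoofedMajor}.x (Firefox 56)`,
      observed: uaMatch ? `Firefox ${uaMatch[1]}` : "not Firefox",
      ok: uaMatch !== null && Number(uaMatch[1]) === spoofedMajor },
  ];
}

// Ids of the checks that expose a real (unspoofed) value.
function mismatches(s, spoofedMajor = 52) {
  return auditSnapshot(s, spoofedMajor).filter((c) => !c.ok).map((c) => c.id);
}

// Constructed snapshots, not captured data.
const rfpOn = {
  userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
  timezoneOffset: 0,
  innerWidth: 1000,
  innerHeight: 600,
  pluginCount: 0,
  mimeTypeCount: 0,
};
const SAMPLES = {
  rfpOn,
  // Same profile, but the inner height is off by two pixels.
  rfpOnHeightDrift: { ...rfpOn, innerHeight: 598 },
  // A profile with the preference left at its default (false).
  rfpOff: {
    userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0",
    timezoneOffset: -60,
    innerWidth: 1387,
    innerHeight: 792,
    pluginCount: 1,
    mimeTypeCount: 2,
  },
};

if (typeof window !== "undefined") {
  console.table(auditSnapshot(collectSnapshot(window)));
} else {
  for (const [name, snap] of Object.entries(SAMPLES)) {
    console.log(name, mismatches(snap));
  }
}
```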

Mozilla maintains an incomplete list of information that is blocked or spoofed on the company's support website.

  • You have granted the website permission.
  • Your timezone is reported to be UTC
  • Not all fonts installed on your computer are available to webpages
  • The browser window prefers to be set to a specific size
  • Your browser reports a specific, common version number
  • Your keyboard layout and language is disguised
  • Your webcam and microphone capabilities are disguised.
  • The Media Statistics Web API reports misleading information
  • Any Site-Specific Zoom settings are not applied
  • The WebSpeech, Gamepad, Sensors, and Performance Web APIs are disabled

The GitHub page also lists reported issues and follow-ups as well as pending changes.

FOLLOWUPS & BUGS to RFP patches

  • 1377744 UTC timezone spoof: should not affect extensions
  • 1426232 UTC timezone spoof: create timezone spoof site permission when RFP=true (similar to canvas, default deny, allow exceptions)
  • 1394448 UA spoof: breaks AMO
    • you can still install extensions: right-click the + Add to Firefox button and open in a new tab
  • 1397994 UA spoof: CSS line-height reveals platform
  • 1397996 UA spoof: scrollbar thickness reveals platform
  • 1409269 UA spoof: OS leaks over TCP/IP FP'ing
  • 1418162 UA spoof: Aurora/Nightly spoofs next ESR too early, before it exists, unmasking them as Aurora/Nightly
  • 1428111 UA spoof: ESR spoof out of whack
  • 1433676 UA spoof: sub-document UA issues
  • 1412961 Canvas: when RFP=true breaks extensions using canvas, eg, Screenshots
  • 1422862 Canvas: OffscreenCanvas doesn't respect Canvas Permission Prompt
  • 1422890 Canvas: more tests needed
  • 1429865 Canvas: pref for canvas default permission
  • 1418537 Window Rounding: bookmark toolbar issues in FF57+
  • 1428331 Window: HiDPI & RFP
  • 1433592 Keyboard: don't spoof/suppress CTRL key (regression from 1222285 FF59+)
  • 1441295 GEO: Revert 1372069 as geo is behind a prompt

PENDING

  • 1333933 disable/spoof fingerprintable features
  • 1336208 bundle & whitelist fonts
  • 1337157 disable WebGL debug renderer info
  • 1369299 disable GeoIP/RegionDefault searches
  • 1363508 pointer events
  • 1392844 ensure that Stylo respects privacy.resistFingerprinting
  • 1233846 Webspeech API further anti-FP'ing
  • 1404017 option to restrict RFP to PB mode
  • 1401440 split RFP into multiple possibilities
  • 1428033 mitigate fingerprinting with WebGL
  • 1428034 mitigate WebGL's readPixels (kind of a Canvas thing)
  • 1433350 disable windows user data collection

Closing Words

Fingerprinting protection is a unique feature of the Firefox browser (and compatible web browsers).

While it is undoubtedly possible to reach a similar level of protection with browser extensions, scripts, and modifications, it is good to see that Mozilla is pushing this privacy-enhancing feature.

It is not clear whether this will ever be enabled by default or listed as an option in the Firefox preferences though.

Now You: Do you use privacy add-ons in your browser?

Comments

  1. Pants said on March 1, 2018 at 2:12 pm

    > that they cannot install extensions on AMO using the default method

    FYI: users can still install extensions, just right click on the “+ Add to Firefox” button and open in a new tab

    1. Pants said on March 1, 2018 at 2:17 pm

      Hmm, no edit button for me... I see now that you already listed that in the article (I only did it earlier today as I am sick of reddit answers for this problem telling people to disable RFP)

  2. Pants said on March 1, 2018 at 2:25 pm

    FYI: in the https://github.com/ghacksuserjs/ghacks-user.js/issues/7 first post, under each major item, eg UA spoofing, there are subsequent changes listed with bugzilla links

    eg: FF58: canvas prompts also lists the change in 59 where canvas prompts will be reduced to those that are “caused by user interaction”. By default, canvas will be spoofed, but you can still override canvas on a per site setting in the site settings panel. This will reduce the canvas prompt fatigue.

    eg: FF56: UA spoofing lists a number of subsequent changes such as not lying about the OS, and the problems with ESR being 60 rather than 59, and the issue of Aurora/Nightly at times spoofing ahead of schedule (thus unmasking themselves as Aurora/Nightly)

    So for those who want to know more and dig deeper, enjoy the list and links

  3. Pants said on March 1, 2018 at 2:44 pm

    Martin, I have some eagle eyes (poor eagle)

    Missing:
    ======
    – 55 spoof navigator.hardwareConcurrency as 2 1360039
    – 57 spoof media statistics 1369309
    – 57 reduce screen co-ordinate fingerprinting in Touch API 1382499
    – 57 enable fingerprinting resistance for WebGL 1217290
    – 57 reduce fingerprinting in Animation API 1382545
    – 57 limit MediaError.message to a whitelist 1354633
    – 57 enable fingerprinting resistance for Presentation API 1382533
    – 57 disable mozAddonManager Web API 1384330 (behind its own pref)

    Incorrect:
    =======
    Canvas is FF58, not 57

    1. Martin Brinkmann said on March 1, 2018 at 3:14 pm

      Totally blanked out the Fx 57 changes ;)

  4. Coriy said on March 1, 2018 at 4:30 pm

    I tried activating the resist fingerprinting setting in the latest firefox and waterfox. It caused the same problem in both. It shrank the active window size of the browser.
    Okay, so having a 1440 by 900 screen size, I set the browser to use most of it (typically 1400 by 800) but activating fingerprint resistance shrank them to 1000 by 600. Returning the setting to false fixed the problem.

    1. Pants said on March 1, 2018 at 4:38 pm

      The window resizing is probably the biggest turn-off. It sets an inner window of only 1000px max width, and on desktops that sucks.

      Use the hidden overrides. Note that the size will be rounded down to 200’s in width and 100’s in height, so find the size you want. For example, I have a screen res of 1080×1650 (double height task bar). I have no FF side bar, so I find the following works for me

      user_pref("privacy.window.maxInnerWidth", 1400); // (hidden pref)
      user_pref("privacy.window.maxInnerHeight", 800); // (hidden pref)

      You’re on a smaller res monitor, but with these two prefs set to your liking, I am sure you can come up with something that suits

      1. Coriy said on March 2, 2018 at 12:10 am

        Thank you, I’ll try them out.

    2. TOR BROWSER said on March 1, 2018 at 6:59 pm

      1) Nothing prevents you from maximizing your browser’s window or even going full-screen even when that pref is flipped out, 2) if you don’t want to be easily fingerprinted keep your browser size at the one that privacy.resistFingerprinting sets, otherwise you’re leaking a lot of info about your machine (window size).

      1. Pants said on March 2, 2018 at 1:08 am

        Point 2 is very true. While inner screen measurements can be obtained without JS, the key here is to limit JS exposure thru eg uMatrix and setting JS off by default for all sites (1st party included). You’d be surprised how many sites (for reading, not logging in or being interactive with) work with just css and images. All we can do is mitigate as much damage as possible.

        That said, I am hoping (and I will push for it) that since most FF users are desktop users, and most desktops are widescreen, and since that FF privacy study showed a massive abandonment of RFP due to “screen issues” (most would be the window size and perhaps not opening maximized), that tor uplift change the re-sizing algorithm to use better widths. I looked at the FF metrics for screen res, and they are not catering to something like 75% of potential users

        PS: by the way, if you have the bookmarks toolbar visible, your resizing is out by 1 to 3 pixels (different results for diff people) anyway due to icon padding

  5. InGSoC said on March 1, 2018 at 4:35 pm

    Hello,

    resist Fingerprint is a nice Idea due to privacy settings, but the performance of thee actual Beta 59 is sluggish and Fullscreen Video in Html5 is also a Mess for mee.

    I was fed up with FF last year and only came back to see Improvements in Speed.

    Yes, there are Improvements but, for mee FF still sxxxs. I am on OPERA again, seems, for my personal kinda View, thee better choice, cos of thee Addon Policy Control, which gives u instant Access on Javascript and other important Features to allow or block, very fine to use

    Greets, InGSoC.

  6. Herr CCC said on March 1, 2018 at 9:28 pm

    Mozilla improvements are:

    – Slow
    – Create more Bugs than Improvements
    – Are pushed only to appeal Tor Project.

    There are independent 3rd party extensions that do this (and more) in a clean, honest and free way.

    Free as in not-tracked.

    Feel free to follow a dying project, the Mozilla Browser… it’s Time wasted.

    1. Stut said on March 1, 2018 at 11:59 pm

      You’re wrong.

      Add-ons cannot provide fingerprinting resistance because the amount of people using them is negligible, and because they do not offer an all-or-nothing protection, which is a necessity for a protection that actually works. Add-ons also can’t do certain things, yes even legacy add-ons, which is why Tor Browser is a fork and not just an add-on.

      Add-ons are only able to provide privacy through reducing exposure, by which I mean blocking network requests. Since this is not practical for most people, and since a certain level of exposure is mandatory for all people anyway, fingerprinting resistance comes into play which allows you to expose yourself more without increased risk, assuming you can deal with your IP (e.g. IPv4 shared with many devices, dynamic IP, ProtonVPN or possibly in the future, Firefox Private Browsing mode since it might include the Tor client so that all Firefox users in PB mode can use the Tor network)

      1. Stut said on March 2, 2018 at 12:12 am

        (In case that part wasn’t clear: Some spoofing add-ons exist but they aren’t able to reduce fingerprint entropy enough for fingerprinting protection to work, see first line of previous post. Some add-ons and about:config prefs disable certain web standards and stuff but again people are split into minuscule configuration groups. Protection requires significant market share and all-in-one protection, anything less makes it not work. When you can’t get it, reduce exposure though it’s partially voodoo unless you block like a nazi.)

      2. Stut said on March 2, 2018 at 12:22 am

        (By partially voodoo I mean that reducing exposure “but not too much” still has some efficiency, but it’s hard to evaluate so it can be overestimated or induce a false sense of security)

      3. Anonymous said on March 2, 2018 at 6:52 am

        @Stut – Yes. Thank you :) It requires a significant enough number of users (in the Firefox set of users) to all buy into the exact same “enforced” settings, albeit a few of them have variables (OS in UA, windows sizes), in order to **reduce** entropy in a real world scenario

        I would also like to reiterate your point (which I think you made) that a lot of what has been done could only have been done within the application code itself. Extensions can and could not do half of this stuff: and some extensions that readers may think do the job (some UA spoofing items for example) are probably not aware that they leak like a sieve

        One other point: Anti-FP’ing is generally a last gap measure (in tests you are meant to assume the worst) – in other words, reducing your exposure, or the “attack surface” is always a good start (eg, blocking third party JS by default). That’s not to say there aren’t quite a few server-side FP’ing methods. So in the real world, a tightened browser with extensions and the end user’s habits can mitigate a lot of this – eg TBB with preset NoScript settings.

    2. jupe said on March 2, 2018 at 5:25 am

      Dying project? I think their market share has been going up, so not sure where you get your info…

      1. Anonymous said on March 2, 2018 at 6:39 am

        @jupe Just ignore the trolls or the forum will degenerate into a debacle and get derailed – I mean look at some of the last few Firefox articles. I’d rather have informative and meaningful discussion about RFP than defend against Herr CCC’s ridiculous claims.

        As for market share, I think they have stabilized, it’s a bit early to tell what will happen. I hope that the further quantum parts when they arrive for really noticeable speed gains (not benchmarks but real world) over chrome, and this, the push about privacy (when it’s finally ready for prime time) really make an impact. There was a study done by DuckDuckGo or StartPage about “privacy mode” / “incognito” and something like 83% of people thought that mode made them anonymous and kept them private. I can’t remember if there was a figure for people who said they would swap browsers for one that did, I should try and find that survey. So hopefully Mozilla will do some advertising etc when it’s ready, to really drive this point home, and get some real growth, because a strong FF is healthy for the browser/internet ecosystem.

        Assumption: Please, commentators, do not start up about FF’s default settings (that can be tweaked for more privacy) vs some other niche browser/fork with those pre-done. They are different beasts with different needs, aimed at different users.

  7. Kal Lung said on March 2, 2018 at 4:46 am

    I’d like to use resist.fingerprinting, but don’t like how it makes the timezone UTC. The times are all off when reading webmail and also using other web apps. Is there a way to manually set the timezone?

    1. Yupa said on March 13, 2018 at 9:49 pm

      Best solution would be for Firefox to translate utc to local time locally instead of letting the server know what time zone you are in.

  8. Klaas Vaak said on March 2, 2018 at 6:36 am

    Instead of having to jump through hoops to get this setting working, or not, why not use the extension CanvasBlocker?

    1. Anonymous said on March 2, 2018 at 7:01 am

      There’s nothing wrong with using CanvasBlocker. I use it. But if you want to look like all the other RFP users in the future (when numbers get up and it gets more mainstream and is ready), then it would pay to behave like them (see Stut’s posts above)

      At the moment, I use CB to block, and since this disables the API calls (I think I got that right), then the canvas prompt never kicks in. But in 59 when it comes out in a couple of weeks, the canvas prompts will be reduced to only those that are “user-initiated” – see https://bugzilla.mozilla.org/show_bug.cgi?id=1376865 . This means that then I can change CB to fake and not worry about canvas prompt fatigue.

      So, by default most canvas is auto-handled under RFP which will auto return a 10x10px white square. Those sites you get a prompt you can allow. Any site, you can override the permission in the site permissions panel. Then any canvas extraction you let thru RFP, CB can take over with a setting of fake, and in CB you can, if needed, allow a whitelist for sites that REALLY need it.

      So extensions and settings can co-exist, enhancing each other. For more on that topic see https://github.com/ghacksuserjs/ghacks-user.js/issues/350

    2. Pants said on March 2, 2018 at 7:58 am

      Also, to elaborate a little on this (using prefs & extensions in combo or instead of each other), with RFP, on the flipside, there are prefs that if you don’t have them at default, mess with various FP items. In the ghacks user.js they are in a section called RFP Alternatives (4600’s) although we stuck everything in there that was no longer needed (not necessarily those that impacted your FP). Every RFP patch needs to be looked at in isolation, as sometimes the RFP patch overrides the pref, and sometimes vice versa – and when the outcome differs (in some it’s very subtle), that’s when you can have a problem.

      See the no longer maintained issue https://github.com/ghacksuserjs/ghacks-user.js/issues/222 for a little more insight

      quick example; if you set “media.video_stats.enabled” to false this disables the API, and the RFP patch can no longer dynamically spoof actual values

      1. Klaas Vaak said on March 2, 2018 at 10:07 am

        Thanks for jumping in. Unfortunately, what you write is “Chinese” to me. Nevertheless, I looked at https://github.com/ghacksuserjs/ghacks-user.js/issues/350 and noticed your recommended strategy:

        * set CanvasBlocker to fake. Do NOT set to block as this will disable the API and you will not get the same result as RFP.
        * block sites when prompted: RFP takes over and CB is never used
        * allow sites IF you must: RFP allows CB to take over which will fake
        * use a CB whitelist for sites that MUST have the real thing

        RFP = resist finger printing?
        I have my CB set to fake, and get a notification each time a site tries to finger print.
        “block sites when prompted”: where does the prompt come from?
        “use a CB whitelist for sites that MUST have the real thing”: how does one know which sites MUST have the real thing?

        My apologies for what are probably boringly stupid questions. If you decline to answer I fully understand.

  9. Pants said on March 2, 2018 at 7:05 am

    Martin, I just posted (last 20 minutes) three or four replies before I realized I wasn’t logged in. Can you please make sure they get thru, as often they never do – thanks

    1. Martin Brinkmann said on March 2, 2018 at 7:43 am

      Yes, should all be there. If one is missing let me know.

      1. Pants said on March 2, 2018 at 7:50 am

        Thanks, they’re all there, 3 of em.

  10. John Fenderson said on March 2, 2018 at 5:45 pm

    I love the idea of fingerprint resistance, but at this point it seems a bit futile. The screen size issue is a tough one to crack. The solution to that being explored in Firefox is entirely unacceptable to me from a usability standpoint.

    I don’t know the technical details of this stuff, but if I understand what various FF devs have said, then there is no solution to this problem. I really, really wish that browsers simply did not report this sort of information to web servers at all. No screen resolution, no OS information, no nothing.

    Unfortunately, that’s not going to happen. This whole issue feels hopeless.

  11. InGSoC said on March 2, 2018 at 8:02 pm

    Soohooo,

    just retested FF Quantum vs. Opera Reborn, both Beta and Stable Version due to Websiteloading.

    Faceboo:) FF up to 8 Seconds, Opera up to 3 Seconds, other Websites as well tested.

    Result: I do NOT know what is wrong in FF???

    Other Browsers tested, Google Chrome and Open Project Chromium, good results but lack of personal Designfeatures, as Speed Dial and so on.

    Staying on Opera as Mainbrowser, tested Stable, Beta and Developer Edition.

    System is Win 10 Prof, Geforce 9400 GT, and Dualcore Processors, 2 GB Ram, Panda Online Security as Antivirus,…..so it’s NOT an Up to Date Hardware PC, but testing out Browser Performance, it should be eloquent enough.

    Strange thing is that under same Circumstandings Browser behaviour is so different?

    How can that be? Different programming of Engines?

    Hmmm.

    Greets, InGSoC.

  12. InGSoC said on March 2, 2018 at 9:21 pm

    By the way, u wanna see some really great Offtopic Experience, which MUST u get a Smile on ur Face?

    https://www.youtube.com/watch?v=A22oy8dFjqc

    Go there and tell mee u NO like it,… enjoy just a Sequence in Life, which doesn’t make u wanna cry, this is awesome.

    Greets, InGSoC.
