Firefox may soon display Sponsored Top Sites on the New Tab Page - gHacks Tech News

ADVERTISEMENT

Firefox may soon display Sponsored Top Sites on the New Tab Page

Mozilla is working on introducing Sponsored Top Sites to the Firefox web browser's New Tab Page. The New Tab Page is displayed by default when users open a new tab in the browser. It is customizable, and may display a number of items by default including top sites, highlights such as Pocket recommendations, visited pages, or most recent downloads, and news/announcement snippets from Mozilla.

Some of the elements are reserved to some regions. Pocket especially falls into that category as story recommendations are only available in the U.S., U.K., Germany and Canada. Sponsored Stories, also linked to Pocket, are only available in the United States.

All of these options can be disabled easily from the New Tab Page configuration menu. Users may also download New Tab Page extensions such as Humble New Tab Page, Group Speed Dial, or Tabliss.

A recently added bug to Mozilla's bug tracking site Bugzilla indicates that Firefox may soon display sponsored top sites on the New Tab page. The bug requests that a preference is added to Firefox to disable sponsored top sites.

firefox sponsored top sites
via Mozilla

Information on the implementation is not provided, but it is very likely that Mozilla is going to launch the advertisement in one or a small number of regions first. The United States is probably the best candidate, considering that Sponsored Stories is also only available to users of the country.

It is also likely that the introduction of Sponsored Top Sites affects only new installations of Firefox and not existing installations.

The main motivation behind introducing the feature is to diversify Mozilla's income further. The organization relies on search engine deals, and has an agreement with Google in place that brings in most of the organization's yearly earnings.

Mozilla has some data from its Sponsored Stories integration in Firefox, and it may have used the data to estimate the earnings that it could get from the inclusion of Sponsored Top Sites.

Mozilla is not the only browser maker that sells top sites placements. Vivaldi earns revenue from partner deals with bookmark partners; these bookmarks are displayed on the browser's New Tab Page for new installations. The Opera browser uses a similar system to earn revenue from Speed Dial listings.

Closing Words

Firefox users get control over the Sponsored Top Sites listings and can block these from being displayed in the options once the change lands in the browser. We have to wait for additional details to surface to find out more about the implementation, privacy, and other information.

Now You: Do you use the default New Tab Page or a custom one in your browser?

Summary
Firefox may soon display Sponsored Top Sites on the New Tab Page
Article Name
Firefox may soon display Sponsored Top Sites on the New Tab Page
Description
Mozilla is working on introducing Sponsored Top Sites to the Firefox web browser's New Tab Page.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: »

Comments

  1. Matthew said on October 9, 2020 at 12:59 pm
    Reply

    “Firefox users get control over the Sponsored Top Sites listings and can block these from being displayed”

    That’s how it always starts off. It’s like when Firefox users got control over the status bar, so while it was disabled by default users could enable it if they wanted it, but then Mozilla removed the status bar entirely. And like when Firefox users could chose whether they wanted the tab bar below or above the address bar, but then Mozilla removed the option to have the tab bar below the address bar. There are countless other examples of when Mozilla have initially given you a choice, but then later removed the option and forced changes on users.

    It seems Mozilla won’t be happy until they have destroyed Firefox completely and all users have abandoned the browser. I switched to Vivaldi on my phone after the latest Firefox Daylight train wreck, and it looks like Mozilla want me to abandon Firefox on the desktop as well.

    1. Allwynd said on October 9, 2020 at 1:08 pm
      Reply

      I’d switch to Vivaldi on Android when they implement extension support. So far their content blocking by default is sub-par.

      On Android I use Kiwi browser, because I can install extensions from the Chrome Web Store and completely block all the ads and pop ups and have a clean experience. At this point no other mobile browser on either Android or iOS can accomplish that. Firefox was able to when they allowed users to install all extensions, but since that’s not possible at the moment, only Kiwi can do it among thousands of browsers.

      1. ShintoPlasm said on October 9, 2020 at 1:27 pm
        Reply

        What’s wrong with Vivaldi’s content blocking?

      2. Ross Presser said on October 9, 2020 at 3:43 pm
        Reply

        It is not true that no other browser can do it on Android. You can install Fennec F-Droid 68.12.0 which is a fork of Firefox from that version, free of forced updating, and you’ll have complete access to all extensions.
        https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/

      3. Anonymous said on October 9, 2020 at 4:50 pm
        Reply

        > You can install Fennec F-Droid 68.12.0 which is a fork of Firefox from that version, free of forced updating, and you’ll have complete access to all extensions.

        Complete access because it’s the version from before the corresponding Firefox update. This means being stuck on it. The next Fennec F-Droid versions will uninstall extensions that are not in Mozilla’s very small allowed list.

        Try IceRaven instead:
        https://github.com/fork-maintainers/iceraven-browser

        Restores the right to attempt to install all extensions, about:config, and more generally is more aggressive at removing Firefox crap and bad defaults than Fennec F-Droid, which only removes the proprietary bits to be allowed on F-Droid.

      4. somename said on October 9, 2020 at 4:09 pm
        Reply

        Vivaldi’s content blocking is amazing as far a chromium browsers are concerned. It allows users to add their own filter lists for both tracking and ad-blocking. You can just write your own filters, put the on github and link the raw and bam, you get customization on the level of ublock, including cosmetic filters, removal of any and all annoyances, etc.

      5. Allwynd said on October 9, 2020 at 6:06 pm
        Reply

        @somename,

        Have you tried adding your own lists?

        Have you tried the default blocking on more aggressive websites that also run pop ups?

        I tried to add custom filter lists to Vivaldi and do you know what happened? With each list I added, Vivaldi got slower and slower, after about 10-15 lists, it slowed down to a crawl, at that point the UI barely even responded and loading websites became almost impossible.

        I have a phone with 3GB RAM and that’s enough to run any mobile app.

        Even if you customize it and tinker it, Vivaldi just doesn’t block as well as Kiwi or old Firefox would if you install the proper extensions.

        Here are two websites for you:

        [Editor: Removed site links]

        Try watching some episodes on Vivaldi and see how many ads don’t get blocked or how many pop ups get opened when you try to play videos from each source.

        These two websites are great for watching TV series, but the downside is that they are riddled with ads and pop ups, unless you can block them properly, the websites become too annoying to use. I also like to use them as a test on any browser’s content blocking capabilities… if a website fails the swatchseries.to test, then it’s not worthy of my time.

      6. 33andstillgoing said on October 10, 2020 at 1:00 am
        Reply

        It is not good to advertise pure evil and cancer here, even if it is good for your testing.
        Such sites are garbage and should be visited with extreme caution (eg, you have nothing to lose). You might be above average Joe, but the next one to you usually is not.

      7. Anonymous said on October 11, 2020 at 12:17 am
        Reply

        You can report those things to Vivaldi.. Browsers are moving to inbuilt adblocking now because Google will restrict how addons block ads. Eventually adblock extensions will be restricted and become useless.

        To summarize, your only problem is with the adblock not extension support, correct?

    2. Anonymous said on October 9, 2020 at 7:33 pm
      Reply

      Matthew said on October 9, 2020 at 12:59 pm
      “There are countless other examples of when Mozilla have initially given you a choice, but then later removed the option and forced changes on users.”

      Very good point.

  2. Tom Hawack said on October 9, 2020 at 2:14 pm
    Reply

    I don’t use Firefox’s New Tab Page, not its default Home Page, but a userChromeJS script (NewTab_custom-page.uc.js) which allows any page to be the New Tab Page, which is then set to be as well Firefox’s Home Page (one page, the user’s choice, for both).

    As always I don’t condemn an organization for searching where it can to be funded, I only condemn profit with no alternative. I read in this article that the project of including Sponsored Top Sites in Firefox’s New tab page would include as well the option to disable them. As long as it goes that way it’s okay with me.

  3. Mothy said on October 9, 2020 at 2:26 pm
    Reply

    Do you use the default New Tab Page or a custom one in your browser?

    I’ve been using a blank page (about:blank) for home or new tab for as long as I can remember (on any browser used). I prefer starting with a clean slate then primarily use bookmarks to get where I want to go. But I still uncheck everything under “Firefox Home Content”.

  4. m3city said on October 9, 2020 at 2:53 pm
    Reply

    I use default new tab, but tweak some settings. Being an old user of Opera 12, i’ve grown up using speeddial. Tried some of them in firefox but none really worked as simple as in Opera. So now I just pin the pages in new tab, the most commonly used at least. The other, often visited land as a bookmark in “Temporary” bookmark folder. Navigate to it by address sugestions.

    Now this sponsored top sites: note that it’s already there in all other browsers (don’t know about Brave, we will learn about that soon I guess;). I delete those at first run. I can’t see anything wrong actually with that. If Mozilla gets $ from that, or even from clicks on that top sites – thats ok, i guess I could support them this way.

    1. Iron Heart said on October 9, 2020 at 9:11 pm
      Reply

      @m3city

      Brave doesn’t display any sponsored websites on the New Tab Page. Not related to the New Tab Page: Brave Rewards show ads if you enable them, however Brave Rewards are disabled by default. Cheers.

      1. Mike W. said on October 11, 2020 at 2:44 pm
        Reply

        @Iron Heart
        Technically, Brave has NTP sponsored images that usually promote a website or a service. You can turn them off, but they are enabled by default. I’m not sure NTP sponsored images are all that different than the paid bookmarks Firefox is considering or Vivaldi currently uses.

      2. Iron Heart said on October 11, 2020 at 8:32 pm
        Reply

        @Mike W.

        Fair enough, though they serve the double purpose of being background wallpapers, if you will. I leave them enabled because they are non-problematic from a privacy perspective and because the images at times looked kinda cool.

        “Ads” in the strict sense would only be the ads displayed if you opt into Brave Rewards, but if we view sponsored tiles like those described in the article as ads, then Brave’s Sponsored NTP would also qualify, I agree.

      3. Iron Heart said on October 12, 2020 at 9:30 am
        Reply

        @Martin Brinkmann

        Where has my reply to @Mike W. gone?

  5. JohnIL said on October 9, 2020 at 3:16 pm
    Reply

    Firefox is cooked thanks to Mozilla, this organization completely ruined the web browser.

  6. owl said on October 9, 2020 at 3:21 pm
    Reply

    I prefer the “Open new tab” browsing style using the “Tree Style Tab” extension.

    For the home page and new tabs, My preference was simplicity (blank pages or custom settings: https://start.duckduckgo.com/).
    However, with the Firefox extension “Tabliss”, you will be fascinated by the “beautiful images” that appear randomly each time you open a new page. This is my favorite.
    Case study in “Tabliss”:
    https://i.imgur.com/l9OSmO0.jpeg
    Customize(Settings)
    https://i.imgur.com/pVaYKGg.jpg
    https://i.imgur.com/TyHywzS.jpg
    Example of its behavior (an example of Next Background)
    https://i.imgur.com/m8aequB.jpg

    By the way, I don’t like “Top Sites, Highlights, Snippets, etc” appearing in new tabs or Firefox Home screen.
    Therefore, for the functions related to them, are setting in about:config to false.
    I understand “advertising”, so I don’t care about it’s a problem if can opt out of ad display.

  7. ShintoPlasm said on October 9, 2020 at 3:56 pm
    Reply

    I’m actually okay with this, as long as the tiles are not chosen through user tracking and can be disabled. Vivaldi does this for extra funding, and there’s no reason why Mozilla shouldn’t.

    1. Anonymous said on October 9, 2020 at 8:50 pm
      Reply

      Shintoplasm said:
      “I’m actually okay with this, as long as the tiles are not chosen through user tracking and can be disabled.”

      Do you still not mind if Mozilla gets pings of how you click on them ?

      “Firefox sends us data such as the position, size and placement of content we suggest, as well as basic data about your interactions with Firefox’s suggested content. This includes the number of times suggested content is displayed or clicked.”

      https://www.mozilla.org/en-US/privacy/firefox/#suggest-relevant-content

      1. Anonymous said on October 11, 2020 at 12:20 am
        Reply

        “It’s okay if Firefox do it, otherwise how Mozilla know how their browser performs! It’s not okay if Google do it.” Said Mozilla apologist

  8. Jake said on October 9, 2020 at 4:02 pm
    Reply

    Here we go down the rabbit hole, Alice.

    BTW I explicitly configure my browser to always start with a blank page. Yet as of ESR 78, I occasionally see a start page telling me to get Firefox on my Phone. What’s with that?

    I know it’s very hip and trendy for software to obey the developer and not the end user today, but this still rubs me the wrong way. If I say I want a blank page on startup, then I want a blank page on startup.

  9. Thaumiel said on October 9, 2020 at 4:11 pm
    Reply

    To the surprise of absolutely nobody. Some time ago it started pinning Search with Amazon when accessing the URL bar on all installations I’ve seen, in the very first row, requiring user intervetion to disable it, that’s malicious enough to me, and certainly not without remuneration.

  10. Anonymous said on October 9, 2020 at 4:28 pm
    Reply

    > The main motivation behind introducing the feature is to diversify Mozilla’s income further.

    Mozilla has been paid to have sites promoted, shady add-ons promoted, third party vpns promoted, manipulation disguised as news promoted, to monetize the private browsing data they have unfettered access to for these ads, to install browsing altering advertising add-ons, to send browsing data to Cliqz, to push users to send their private data to Pocket servers for more advertising uses, to push users to send search terms to Google (a lot), to send promotional emails for third parties, to whitelist Scroll trackers, they talked about a pay-to-implement-something-in-Firefox system, I forget lots of things probably…

    And that’s only what we know. But it seems diversified enough. Should we want more “diversification” in that direction ? How comes so much of the libre software world lives without selling a single malfeature and Mozilla in its heroic “diversification” efforts and with its top-notch growth specialists couldn’t think yet of any single revenue source that is not one ?

    1. Anonymous said on October 9, 2020 at 4:42 pm
      Reply

      Wait I never entered “Ross Presser” as the author name in my comment above, it’s not me, server bug or am I typing things without realizing it ?

      1. Eponymous said on October 9, 2020 at 5:16 pm
        Reply

        Happened to me lately – random name and email already typed in, and then next day I saw all aricles flooded with spam with the same name. Haxors, I guess…

      2. Eponymous said on October 9, 2020 at 10:20 pm
        Reply

        Stumbled upon comments from “Ross Presser” here and there. Nothing suspicious or spammy so far. gLeak?

      3. Eponymous said on October 9, 2020 at 10:32 pm
        Reply

        This site is in a bad state, comments which are disabled/removed/notapproved/whatever became visible just after posting previous comment. Maybe its a feature, encouraging engagement :)

    2. Anonymous said on October 9, 2020 at 7:51 pm
      Reply

      What we have now? Firefox, Chrome and their somehow improved clones. Before that we had Internet Explorer, Firefox and other different browsers. There was hope.

    3. name said on October 9, 2020 at 11:04 pm
      Reply

      There is some delay which might be avoided by participation it seems, not quite sure but quite confident. Let’s see how it goes…

  11. Clairvaux said on October 9, 2020 at 4:41 pm
    Reply

    Firefox imitating Vivaldi, now that’s funny. Why not use Vivaldi instead ?

    1. computer said no said on October 9, 2020 at 7:21 pm
      Reply

      Vivaldi has sponsered tiles in it’s new tab page also so why is it different for vivaldi.?

      As for firefox well just turn them off if it is such a problem for folks.

    2. Mike W. said on October 9, 2020 at 7:37 pm
      Reply

      @Clairvaux

      Because Firefox is miles ahead of Vivaldi in terms of stability? In my experiences with Vivaldi, it remains a pretty buggy browser and I really wish the company would devote time to cleaning up those bugs rather than adding niche features.

    3. computer said no said on October 9, 2020 at 8:21 pm
      Reply

      @Clairvaux
      Vivaldi is a very buggy browser and like others have said they need to be fixing the bugs which are getting reported on a daily basis instead of adding useless gimmicks.

      I am of the belief that reporting and filing a bug report with vivaldi is a complete waste of time as it will either be ignored or when a dev has spare time which in other words means never.

      For goodness sake there are bugs years old and still not fixed and as time marches on it will progressively get worse.

      1. Anonymous said on October 11, 2020 at 12:22 am
        Reply

        @computer said no
        Well Firefox has a lot of 15 years old unfixed bug, isn’t it same?

      2. Mike W. said on October 11, 2020 at 2:41 pm
        Reply

        @Anonymous
        No browser is without bugs, but no one can say with a straight face that Vivaldi and Firefox are on the same level when it comes to bugs.

  12. Paul(us) said on October 9, 2020 at 6:00 pm
    Reply

    Custom, I have four rows with 32 thumbnails and black background.
    Maybe anybody knows how I can adjust the black background with a high resolution picture of main choice?

    1. sleeved_runner said on October 10, 2020 at 3:37 am
      Reply

      I’m sure there must be an extension for that… but just for the sake of argument and avoiding installing a new extension, you can make use of bookmarklets that update the background for you. This has some major flaws, mainly that it needs your interaction (one click) for every new tab/window. A possible workaround is to have a new tab open pinned and refer back whenever you need a new tab.

      A much better option would be to serve a static HTML page locally with whatever styling and functionality you want. Then, set FF preferences to point to a custom URL (127.0.0.1) for a new tab/page. Being locally served means that it’ll work even offline and pretty much instantaneously, however you have to take care of creating the page first.

      Again this is purely a thought experiment, as I’m sure there is a perfectly suitable extension out there already that suits your needs (I wouldn’t know which extension that might be as I use a blank page for new tabs).

  13. Anonymous said on October 9, 2020 at 7:02 pm
    Reply

    Firefox needs a new preferences page for newtab only, because graphical content of list is growing after every update.

    /*** [SECTION 0100]: STARTUP ***/

    browser.newtabpage.enabled, false
    browser.newtab.preload”, false
    browser.newtabpage.activity-stream.feeds.telemetry, false
    browser.newtabpage.activity-stream.telemetry, false
    browser.newtabpage.activity-stream.feeds.snippets, false
    browser.newtabpage.activity-stream.asrouter.providers.snippets, {}
    browser.newtabpage.activity-stream.feeds.section.topstories, false
    browser.newtabpage.activity-stream.section.highlights.includePocket, false
    browser.newtabpage.activity-stream.showSponsored, false
    browser.newtabpage.activity-stream.feeds.discoverystreamfeed, false
    browser.library.activity-stream.enabled, false
    browser.newtabpage.activity-stream.default.sites, “”

    https://github.com/arkenfox/user.js/blob/master/user.js

    1. Iron Heart said on October 9, 2020 at 10:16 pm
      Reply

      @Anonymous

      You do realize though that this could potentially be a new pref unrelated to those you have already listed, right?

      1. Anonymous said on October 10, 2020 at 12:13 am
        Reply

        Not the same anonymous, but this is valuable nonetheless.

        Also, they said “because graphical content of list is growing after every update.”

      2. Anonymous said on October 12, 2020 at 7:09 pm
        Reply

        What do you realize?

      3. Iron Heart said on October 13, 2020 at 8:22 am
        Reply

        @Anonymous

        A great many things.

      4. Some anonymous said on October 13, 2020 at 4:16 pm
        Reply

        I think little things.

      5. Iron Heart said on October 13, 2020 at 4:41 pm
        Reply

        @Some anonymous

        Cool. Don’t care.

  14. Iron Heart said on October 9, 2020 at 10:15 pm
    Reply

    Make no mistake, the leadership at Mozilla knows that Firefox has no chance of regaining market share against Google (at least not significantly). However, Mozilla enables them to earn considerable salaries compared to other non-profits. So what do they do? Milk the company as long as possible, try to hold on to it as long as possible, without having any real intention of improving Firefox or making it grow again. They literally sacked the Servo team that was responsible for bringing in most major performance improvements of years past, which is pretty telling as far as their view of Firefox’s future is concerned.

    Monetize it, monetize the hell out of it, as long as those diehards keep using it. Can’t blame them, really.

    1. Joe Biden likes to touch children said on October 10, 2020 at 12:00 am
      Reply

      > Monetize it, monetize the hell out of it, as long as those diehards keep using it. Can’t blame them, really.

      Does this apply to Brave or does this do not apply to Brave?

      1. Iron Heart said on October 10, 2020 at 7:46 am
        Reply

        > Does this apply to Brave or does this do not apply to Brave?

        Brave Software is for-profit, but so is Mozilla Corp. That they are both companies is not what I was referring to.

        What I was referring to is the senseless inclusion of features that only exist because Mozilla is being paid for them and / or the user is meant to pay for.

        There are no such features in Brave. Brave Software funds itself by search engine royalties, as well as ad partners paying them to be part of a Brave Rewards ad campaign (Brave Rewards are disabled by default, though, so they do not exactly force it on users).

        Does that answer your question?

      2. Mike W. said on October 10, 2020 at 6:10 pm
        Reply

        @Iron Heart

        How is this different than Brave adding a different crypto widget on the NTP every month or so? They just added BitcoinCash to go along with Binance and Gemini. You can turn them off in the settings, but I don’t see what the difference is between what Mozilla is doing and what Brave is doing by shoving Crypto adoption down user throats and by promoting paid deals they have with these Crypto companies.

      3. Quick quesh said on October 10, 2020 at 8:22 pm
        Reply

        So where exactly do I have to click in Brave’s browser settings to stop it from putting new crypto widgets every 1-2 months (Bitcoin dot com a couple days ago, Binance and others recently) on my new tab page even though I have every Rewards/Crypto related option deactivated?

      4. Iron Heart said on October 11, 2020 at 8:38 pm
        Reply

        @Mike W. & Quick quesh

        Yeah, you are right. To be frank, I totally forgot about the widget(s) as I disabled the Brave Rewards widget some time ago and never bothered to look at the related settings again. I’ve heard that Gemini, Binance, and Bitcoin widgets also exist in select countries (note: not in all countries, it’s a staged rollout).

        They are definitely advertising the related services, though to be fair, if you do not have a related wallet, the widgets fail to serve their purpose, you can’t use them really. They hint at the existence of the related services most definitely, but since they can’t fulfill their purpose for most people, I guess the majority of users just disable them right upon seeing them.

  15. place where three roads meet said on October 9, 2020 at 10:56 pm
    Reply

    @Iron Heart
    In another comment not long ago you said:
    > When I find out the extension IDs of your Firfox extensions, which is trivial to do, I can uniquely identify you.

    Please do uniquely identify me or tell how it could be done?
    Does that mean that you alone could compromise the whole firefox userbase with a trivial methods?

    1. Iron Heart said on October 10, 2020 at 9:09 am
      Reply

      @place where three roads meet

      Well, extension IDs can be used as a way to uniquely identify you. All browser extensions have an ID assigned to them, however, Chromium (and all browsers based thereon) and Firefox differ in how extension IDs are implemented.

      Chromium: Chromium assigns static IDs to extensions, meaning it’s always the same ID for an extension, it doesn’t change on a per user basis.

      Firefox: Firefox also assigns extension IDs, however, they are not static (i.e. not always the same for the same extension), but are generated per user, the same extension has two different IDs on two different installations.

      The downside of Chromium’s approach is apparent: If I want to know whether or not you run a certain extension, I can just check for the known ID connected to that extension. Firefox’s approach mitigates this by virtue of extension IDs being random, however, it opens another can of worms: If your Firefox extension IDs leak to me, I’ll have at least one unique string with which I can uniquely identify you, because as said, only you and no other Firefox user has this string. Note that I do not need to know which extension is behind that string. Imagine the following: You carry a small sheet of paper around with you, a small sheet of paper that contains a succession of number unique to you. I get to know of this string, and in order to identify you among a crowd of people, I only need the number, without having to know whether or not the number stands for something or has symbolic value. Knowledge of the number alone is enough.

      I should also mention that Firefox’s “random ID” is not always effective in concealing which (type of) extension you run. Adblockers, for example, have certain behavioral patterns I can check for, and while it’s not easy to find out which exact adblocker you run (whether it’s uBlock Origin, AdBlock Plus or something else), I can certainly measure that you run an adblocking type extension. This is why websites can detect Firefox’s adblocking extensions despite a random ID string, by the way. Only relevant if someone really wants to find out which exact extensions you run, however, for fingerprinting purposes alone, as said, knowledge of a unique string is enough without having to know what it stands for.

      Make no mistake, though, Chromium users can also be identified based on extension IDs IF they are running a fairly unique combo of extensions, like a unique mosaic, I can identify highly unique Chromium setups consisting of many, especially less popular, extensions. However, if a Chromium user e.g. just runs uBlock Origin (which is a widely used extension), using its ID string for unique identification purposes will be useless as a great many people run this extension, oftentimes just that one extension and not much else.

      As for instances of extension ID leaks in Firefox, and further discussion of the topic, check out these links:

      https://bugzilla.mozilla.org/show_bug.cgi?id=1405971

      https://bugzilla.mozilla.org/show_bug.cgi?id=1372288

      https://www.ghacks.net/2017/08/30/firefox-webextensions-may-identify-you-on-the-internet/

      https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-sanchez-rola.pdf

      There is more, but I’ll leave it at that. Note that the two Bugzilla entries I linked to are not fixed, so the problem persists. As you can infer from the Bugzilla entries, retrieving the extension IDs is not even hard to do.

      So what is the solution? Running a browser completely without extensions? Unfortunately, we are dealing with a two-edged sword here. If you run a browser without extensions, then you will be exposed to various other privacy threats. uBlock Origin alone already gets rid of many tracking scripts and is thus an essential, but there are others like HTTPS Everywhere, LocalCDN, Cookie AutoDelete, ClearURLs that can also be considered extensions. Doing without their protection would be detrimental, however, by virtue of their IDs they already become a fingerprinting vector.

      If that sounds grim to you, rest assured, you are still better off than you might think: Adblocking extensions like uBO already block a great number of known scripts used for fingerprinting prurposes, the EasyPrivacy list deserves special recognition here. So the real threat are not known fingerprinting scripts that are likely already covered by your adblocker, but rather yet unknown or lesser known ones. Below 10% of websites worldwide performed fingerprinting not too long ago, unsure about current stats. Of these, the majority of them is already covered by script blockers, to give you an idea about the scope of the problem.

      On a more personal note, may I say that I am surprised that you still take interest in my exchanges with a certain someone? Sadly enough, these exchanges usually lead nowhere and are clouded by personal animosity. However, if other readers still get something out of that mess, that’s a success in its own right, I guess. In the discussion you refer to, I merely wanted to hint at the futility of fingerprinting measures in FF if users install extensions, and since nobody wants to deal with the hellhole that is the Internet without an adblocker, my guess is that most privacy-conscious users have extensions installed. In my humble opinion, it’s also questionable to talk about fingerprinting protections while at the same time suggesting the installation of a range of extensions, as their unique IDs render most anti-fingerprinting efforts null and void. That’s why the Tor project cautions against the installation of extensions, too.

      As you know by now, I am running Brave, and this browser is special for me in that it can be used in a non-hellhole fashion without the need for extensions, as it already ships with an internal adblocker (which is not an extension, so no ID assigned to it) and an internal HTTPS Everywhere (which is again not an extension, so no ID assigned to it). I can largely get around the extension ID mess with Brave, though I do not want to suggest that you should use it. Use whatever suits you best, all I am saying is that we should be aware of potential weaknesses in our setups.

      1. Wooden Heart said on October 12, 2020 at 7:28 pm
        Reply

        @Pants

        Help!

      2. Pants said on October 13, 2020 at 7:45 am
        Reply

        @wooden heart

        Are you non-plussed at the non-answer answer above?

        To grab a *potential* uuid/id in FF vs chromium, different methods are involved (although what may work in FF can also work on chromium). There is a method complexity-cost-perf-payoff. read the bugzilla: FF made it harder (but a potentially worse leak), chromium did nothing (so easier but not unique). As I said elsewhere both are awful. Trying to claim one is “better” than the other is a waste of time. I have seen scripts in the wild that target chromium: in these cases it’s as simple as checking a list of known ids of extensions that leak. You just can’t do that in FF. Claiming that this can be “trivially” done in FF is a load of giant bollocks

        Detection of extension behavior has nothing to with the question @place asked

        The suggested solution to stop using or limit extensions is just garbage. Not all extensions are equal: the bit where a list of popular extensions are named as, and I quote “by virtue of their IDs become a fingerprinting vector” is just utterly stretching the truth to try and push some sort of “win” of chrome over gecko. That’s not how it works. Pretty sure gorhill wouldn’t agree with this, ClearURLs can’t (look at the manifest for starters), etc. Maybe that info there will help answer the question for you.

        read this: https://old.reddit.com/r/uBlockOrigin/comments/j4ypur/ublock_why_are_you_leaking_your_extension/ – read what gorhill says. Listen to experts who use facts and logic

        OT: at least Firefox has an exportFunction to protect addon code: which chromium lacks. That’s another way extensions can be leaked

        > I merely wanted to hint at the futility of fingerprinting measures in FF if users install extensions

        Brave is not immune from this either, period!

        Due to Brave’s strategy, even though they randomize, they actually give you a persistent UNIQUE ID per eTLD+1 per session (per session meaning while Brave is open): which means even if you change your IP, clear persistent data etc – and revisit a site: you’re unique and your traffic can be linked. It also breaks how Tor circuits protect you.

        Hell, why bother when there’s no first party isolation: they can just propagate all your FP data across multiple sites and reveal the random seed – they are persisting the UNIQUE ID in order to protect the seed – but do not properly contain how third parties and behind the scene 3rd parties share data. It didn’t have to be this way: but that’s what they chose. It’s more complicated that what I just said: there are other factors as well: but too much to get into here.

      3. Iron Heart said on October 13, 2020 at 11:11 am
        Reply

        @Pants

        My answer was not a “non-answer”, dear Pants. But hey, who cares, right?

        > FF made it harder (but a potentially worse leak), chromium did nothing (so easier but not unique).

        You say it yourself: It’s not unique for Chromium. Firefox leaking extension IDs can be used for unique identification. I acknowledged in my above reply that highly unique Chromium extension setups can be used for easy identification, but e.g. someone just running uBlock Origin has little to fear for if the extension ID leaks.

        > I have seen scripts in the wild that target chromium: in these cases it’s as simple as checking a list of known ids of extensions that leak.

        I never said that Chromium isn’t able to leak extension IDs, I just said, and you admitted that as well, that only a non-unique leak can happen (highly special Chromium setups can still be used for unique identification, as stated).

        By the way, the reason that Chromium is targeted preferentially may have something to do with it having 80% market share while doing the same for 4% market share Firefox might not even justify the effort.

        > Claiming that this can be “trivially” done in FF is a load of giant bollocks

        https://bugzilla.mozilla.org/show_bug.cgi?id=1405971

        It’s literally in the origin header, and is demonstrably not hard to grab. Bug is still unresolved by the way.

        > Pretty sure gorhill wouldn’t agree with this, ClearURLs can’t (look at the manifest for starters), etc.

        Yep, certain extensions take their precautions, though the permission in question is being requested by many, many, many extensions, and they are subject to leak unless Mozilla finds a mitigation on their end.

        > read what gorhill says. Listen to experts who use facts and logic

        uBlock Origin not leaking doesn’t mean other extensions are unable to leak. What logic is that even? Plus, I can just combine the leak of other extensions with checking for uBlock Origin behavioral patterns to narrow down things even further.

        > OT: at least Firefox has an exportFunction to protect addon code: which chromium lacks. That’s another way extensions can be leaked

        Yeah, but a) nobody uses this, as I’ve told you some time ago already, because it increases the maintenance burden of extensions which otherwise could have more or less the same code for both Firefox and Chromium and b) even if it leaks, it would be a non-unique leak.

        > Due to Brave’s strategy, even though they randomize, they actually give you a persistent UNIQUE ID per eTLD+1 per session (per session meaning while Brave is open)

        They explicitly say that they only currently randomize per session, this is not surprising at all (even though you try to portray this as a huge gotcha). They are currently re-organizing their protections, of course you fail to mention this:

        https://github.com/brave/brave-browser/issues/8666

        But this can only used for re-identification within the same session, linking across sessions can’t be done this way. However, I can link across sessions using Firefox’s extension ID leak. Talk about useless comparisons…

        Tired of misguided comparisons, whataboutism, not admitting FF has any faults, stating that something trivial is non-trivial etc., by the way.

      4. Pants said on October 13, 2020 at 12:51 pm
        Reply

        Martin: last comment from me in this thread: if IH’s reply doesn’t answer the question originally asked by @place, or he fails to reply.. well, draw your own conclusion. IH: keep it short and stick to the answer

        IH: for the third time: please, pray, do tell all the readers how you can trivially fingerprint Firefox extensions

        > stating that something trivial is non-trivial

        YOU claimed it was trivial. When asked how you would do that, you get your facts wrong, don’t acknowledge that there is a significant difference in how scripts would go about it due to Mozilla changes: or assess the actual threat/risk. You even showed that you had ZERO idea what was required for them to leak (claiming uBO, ClearURLs etc leak: its right there in your comment)

        As for the rest of the content: just because you can link to a bugzilla and copypaste selected bits of text, does not mean you understand it.

        You also cannot comprehend the written word, and your replies are 90% fluff and misdirection
        – What part of “chromium did nothing (so easier but not unique)” makes you reiterate “It’s not unique for Chromium”
        – What part of “not all extensions are the same” makes you reiterate “uBlock Origin not leaking doesn’t mean other extensions are unable to leak”
        – “I never said that Chromium isn’t able to leak extension IDs” – neither did I – learn to read
        – What part of “per eTLD+1 per session (per session meaning while Brave is open)” makes you reiterate “But this can only used for re-identification within the same session” – why don’t you talk about how and why the random seed is protected, given Firefox also randomizes and not have to protect any seed. You do not know what the hell you are talking about

        If it’s not reading comprehension that is shot, then it’s making things up
        – “not admitting FF has any faults” – where have I ever claimed that
        – “They are currently re-organizing their protections, of course you fail to mention this” – that has nothing to do with eTLD+1 protecting the random seed, which is why IDs are session based
        – “”as their unique IDs render most anti-fingerprinting efforts null and void. That’s why the Tor project cautions against the installation of extensions, too”” – not true. TB have said not to use extensions, because they can alter the fingerprint – SAME AS IN BRAVE. TB have said this for many years, way before Mozilla switched to WebExt

        You do this because you can’t successfully defend your misleading generalizations and often factually incorrect statements. So you attack, usually with sentence by sentence deconstructions and all that fluff. It’s a dead giveaway.

        You’re the one who makes wild generalized statements. You’re the one who wants to keep comparing Firefox to Brave. You’re the one thing in common in all the discussions on ghacks where Martin has to step in or edit comments. You’re the one who seems to live on ghacks flooding every Firefox article bashing Firefox and shilling Brave

      5. Iron Heart said on October 13, 2020 at 4:17 pm
        Reply

        @Pants

        Just because I re-iterate things that were already stated (usually to emphasize a point or to correct misleading allegations), and which are true, that doesn’t automatically make them false all of a sudden. It’s just a re-iteration of a true statement, nothing more, nothing less.

        I did reply to above question which was:

        “Please do uniquely identify me or tell how it could be done?
        Does that mean that you alone could compromise the whole firefox userbase with a trivial methods?”

        Just because you choose to ignore the reply does not mean it never happened. It happened, and it’s not exactly short, and can be found above. One can uniquely identify FF users based on extension ID leak (this was never disputed by you), and it’s trivial (which was disputed by you, yet it still is the case).

        > l. When asked how you would do that, you get your facts wrong,

        > You even showed that you had ZERO idea what was required for them to leak (claiming uBO, ClearURLs etc leak: its right there in your comment)

        How can I get my facts wrong, or have zero idea what I am talking about, when I am just linking to a Bugzilla issue and let it speak for itself!? It might have escaped your attention: I didn’t even comment on the Bugzilla issue, because anyone who is interested can already read the issue itself and the long discussion of the issue therein.

        > “not admitting FF has any faults” – where have I ever claimed that

        You know, when I mention a flaw of Firefox, just like the extension ID leak, you always try to downplay it, or otherwise just deflect the issue with your usual ad honinem attacks (usually the “IH doesn’t know what he is talking about – has no idea regarding anything at all!” trope). Example? Firefox leaks extension IDs, and instead of taking this matter seriously, you just point to an extreme minority of extensions which have taken their precautions. How is that not downplaying the issue? What are you trying to prove here? That it can theoretically be fixed by extension dev workarounds? That it’s fixed in 2% of all extensions or something? What is that all about? Just asking, because my point still stands even if a minority of extensions is not affected, you know.

        > that has nothing to do with eTLD+1 protecting the random seed, which is why IDs are session based

        But it has… They are currently reworking the related code, how can this be unrelated then?

        > TB have said not to use extensions, because they can alter the fingerprint – SAME AS IN BRAVE.

        Yeah, but in Brave extension IDs leaking can’t usually be used for unique identification (outside of complex setups), whereas it can be used for that purpose in Tor (which is based on Firefox and inherits its issues), this is what this discussion here revolved around the entire time, right? Plus, in Brave, I do not even need to use extensions to make my browsing experience less miserable, which mitigates the problem entirely.

        > You do this because you can’t successfully defend your misleading generalizations and often factually incorrect statements.

        Nothing in my comment was misleading or factually incorrect (despite you claiming it as always). “Trivial” is a matter of perspective, the Bugzilla points to a method required that is trivial in my opinion. If you think it’s non-trivial, then that is just your opinion. It’s like disagreeing on how hard it is to lift a sack of rice, pointless endeavor.

        > So you attack, usually with sentence by sentence deconstructions and all that fluff. It’s a dead giveaway.

        “Attack”? Please, if I really did attack you, my comment would have no chance get through. You have considerably more freedom to bash me than it would be the case vice versa. You can do a great many things here that would easily get you banned on other platforms, while my comments are being watched with an eagle’s eye. I can’t attack you even if I wanted to. If my comment above is already an “attack” on you, please reconsider your definition of an “attack”, for it might be a bit skewed.

        Moreover, and that’s obvious for anyone who can read, you are also cherry picking stuff out of my comment, usually ripping it out of context and thus invoking false appearances in the process. If I do the same according to you, then we would just be on equal footing again, though I try to avoid it.

        > You’re the one who makes wild generalized statements.

        Far from it, my original comment described the issue from various angles, pointing out weaknesses in Chromium’s approach and weaknesses in Firefox’s approach fairly… That Firefox can leak unique IDs while Chromium can’t (as you yourself know), is a technical fact, not me bashing Firefox.

        > You’re the one who wants to keep comparing Firefox to Brave.

        Pants, you brought up that individual Brave can be identified at least on a per-session basis, and dragged me into that rabbit hole of a discussion. My original comment merely stated that I can avoid the extension ID leak problem in Brave if I want to (which is true), because I do not really need extensions in it for my browsing experience to be non-horrible. That’s all I said, it was your decision to expand on the “Brave matter” further.

        > You’re the one thing in common in all the discussions on ghacks where Martin has to step in or edit comments.

        Because my opinion is non-mainstream and thus invites discussions, which are oftentimes more healthy than what I am having with you at this moment. When my comments are being edited (and of course you fail to mention this), as they are being watched with an eagle’s eye, it’s usually to shield you from the retort you – in my humble opinion – would oftentimes deserve, for various unfounded accusations, outrageous insults, other kinds of ad hominem attacks etc. pp. That’s the reality of things here.

        > You’re the one who seems to live on ghacks flooding every Firefox article bashing Firefox and shilling Brave

        Am I “bashing” Firefox for pointing out technical flaws and / or spyware activity? If so, then this quote might apply:

        Odysseus: “It’s no insult to say a dead man is dead.” (Troy, 2004)

        If I believed that Firefox was the best browser for my use case, I would use it. I don’t, so I don’t. So naturally I mention that I am using something else where appropriate – it’s not shilling, I get nothing in return and do not force anything on anyone, neither do I point things out wrongly for the sake of pushing anything. You just dislike the fact that I am not a Firefox proponent like most people here, and you would like to see this banned, because according to you, anyone not using Firefox is – its flaws notwithstanding – a bit misguided (to put it politely, for I don’t enjoy the freedom here to point out what I am really thinking).

        I’m out. I said what I had to say.

      6. Wooden Heart said on October 14, 2020 at 7:01 pm
        Reply

        Thanks Pants.

      7. Iron Heart said on October 15, 2020 at 7:47 am
        Reply

        @Wooden Heart

        You thank her for… confirming my point? Aside from stating that a few extensions have taken their precautions, she didn‘t argue that it‘s not a problem. Did you even read the comments?

      8. Wooden Heart said on October 16, 2020 at 8:53 pm
        Reply

        What?

      9. Iron Heart said on October 13, 2020 at 8:39 am
        Reply

        @Wooden Heart

        I doubt she is even able to help in this case:

        “This completely defeats any anti-fingerprinting work we’re doing (restricting access to resource://, the work to make web extension resources not content-accessible by default). Screenshots as described in the article requires user interaction to leak the fingerprint (and another later screenshot to check if it’s the same profile), but if any other popular extension adds content to pages by default then it could lead to silent tracking and deanonymization.

        The random UUID needs to be created at startup so that any tracking is limited to a session.”

        source: https://bugzilla.mozilla.org/show_bug.cgi?id=1372288#c4

        “In bug 1372288 any nosy site or ad-tech can fingerprint every user of all the extensions that have accessible resources.”

        source: https://bugzilla.mozilla.org/show_bug.cgi?id=1405971#c2

        “Wont Fix and keep this privacy leak. In comparison in Chrome uses the extension ID, which is not unique and “only” leaks which extension an user is using.”

        source: https://bugzilla.mozilla.org/show_bug.cgi?id=1405971#c42

        The above two quotes are from a Mozilla developer, the bugs are still open / unresolved (the problem still persists). Let me repeat that one for you: COMPLETELY DEFEATS ANY ANTI-FINGERPRINTING WORK THEY [Mozilla] ARE DOING.

        You think when Mozilla developers, the very people developing the browser in the first place, acknowledge the problem, that Pants will argue that this is not a problem? Seriously?

        Also, again, the Tor project cautions against the use of extensions for a reason. Guess they just do that for the shits and giggles, because there is no problem at all. *rolls eyes*

      10. Mike said on October 16, 2020 at 9:01 pm
        Reply

        Pants was right.

      11. Iron Heart said on October 18, 2020 at 10:15 pm
        Reply

        @Mike

        Right about what? That a minority of extensions can prevent this from happening if they take their precautions? I never disputed this. However, she acknowledged that a leak (if it happens) can be problematic (and would be worse on Firefox thanks to unique extension IDs), anything else would – frankly – be a ridiculous notion.

        I guess you think that the Tor team advising against the installation of extensions (as it might lead to de-anonymization) is just for shits and giggles as well? That you evidently think it’s not a serious problem despite Firefox developers (you know, the people actually writing the software in question) clearly and repeatedly saying it is one is just… laughable, nothing more.

  16. CastrateCommunityUnite said on October 9, 2020 at 11:36 pm
    Reply

    Firefox’s new tab page has been a place for “sponsored” content for ages. But that was not enough.
    Glad they found out how to squeeze out extra bux. Btw how much is megabar doing, mozilla?

  17. Mo said on October 9, 2020 at 11:50 pm
    Reply

    Wasn’t something like already in place a long time ago? Like before all of this quantum stuff.

  18. sunrising said on October 10, 2020 at 12:26 am
    Reply

    As long as there is ESR and (much loved and hated) user.js I’m fine. I also encourage everyone check their network traffic. Best system is silent.

  19. Monkey Wrench said on October 10, 2020 at 2:28 am
    Reply

    I avoid the echo chamber of being fed from an intrusive ad-tracking profile.
    This open-loop type of feedback is quite unstable and frequently results in publicly embarrassing ‘crash-n-burn’ breakdowns.
    Always go to the sites directly like from a bookmark.

    Mozilla half-hearted response to the coming global privacy solution:
    https://globalprivacycontrol.org/press-release/20201007.html

  20. Ipnonymous said on October 10, 2020 at 7:59 am
    Reply

    My opinion is that Firefox biggest competitor is Brave. Brave is doing what people expected Of Firefox all along. Now combine what Brave is Doing on a platform Google can’t prevent from allowing everyone favorite addon/extension, the ad locker and continue to build a reputation of trust as the people’s browser. For now Firefox is still well known alternative, Mozilla please take advantage before is too late. You can the the browser the people trust that also cater to personal customizing… The people’s browser.
    Ps. Please consider making it possible to donate to extension developers as well as sites owners. They are part of the people browser too.

    1. Mike W. said on October 10, 2020 at 6:18 pm
      Reply

      Braves biggest enemy is itself. The company is small, but have devoted more resources of late to expanding and improving their built-in adtech than on improving core features of the browser. I get why, they need to show growth to continue to haul in VC bucks from guys like Peter Thiel, but as a Brave user I really wish they would balance the focus out a bit on improving more “mainstream” features like the NTP, Brave Shields, and iOS sync.

      I think you are correct that Brave and Firefox are both trying to get the privacy share of the internet user pie, while Edge and Chrome compete in enterprise and education, but I do wish Brave pushed the crypto less and placed more focus on improving basic features.

      1. Anonymous said on October 11, 2020 at 10:02 am
        Reply

        Braves biggest enemy isn’t itself, it’s the market rules.

        They don’t need VC bucks, they simply need sustianable revenue, just like everyone else. And you can’t get revenue with core features.

        I wish they would focus on that, too, but their manpower is highly limited – they have around 100 employees and most of their attention flows into creating a new ad-system. So they have maybe 30-50 people for the browser itself, which is a huge undertaking when creating a competitor to Firefox, Chrome, Edge, etc.

        Firefox has at least 400 developers alone.

        User growth shows that they are on the right path: https://brave.com/transparency/

        I guess within a year they will have enough revenue to focus on some missing core features. I remember Eich said they need around 30 million monthly users to break even.

      2. Mike W. said on October 11, 2020 at 2:49 pm
        Reply

        @Anonymous
        Bit of a double-edged sword with Brave though, right? If Brave only focuses on the ads, potential users might bail on the browser if core features are lacking. But they have to focus on crypto fun-bucks because that’s how they will have sustainable revenues.

      3. Anonymous said on October 11, 2020 at 6:05 pm
        Reply

        Vivaldi focuses on “Core-Features” but they never got beyond a million users. Brave already has 20 times that amount.

    2. Anonymous said on October 11, 2020 at 10:10 am
      Reply

      Brave isn’t the biggest Firefox competitor. Edge is currently. They are now in par when it comes to marketshare, and the Windows integration will lock people into the Edge browser over time.

  21. Satyam said on October 11, 2020 at 11:18 am
    Reply

    Good firefox needs ability to make 400 million dollar without Google’s donation, current relationship is toxic.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.