Each Firefox download has a unique identifier

Martin Brinkmann
Mar 17, 2022

Internet users who download the Firefox web browser from the official Mozilla website get a unique identifier attached to the installer that is submitted to Mozilla on install and first run.


The identifier, called dltoken by Mozilla internally, is used to link downloads to installations and first runs of the Firefox browser. The identifier is unique to each Firefox installer, which means that it is submitted to Mozilla whenever it is used.

While it is possible to download new installers each time a new Firefox version is released, it is also possible to use the downloaded installer again for that purpose.


A bug report on Mozilla's official bug tracking website confirms the use of the download token. The linked document is not public, but the listing itself confirms the use and explains why it was implemented:

This data will allow us to correlate telemetry IDs with download tokens and Google Analytics IDs. This will allow us to track which installs result from which downloads to determine the answers to questions like, "Why do we see so many installs per day, but not that many downloads per day?"

According to Mozilla's description, the identifier is used to analyze downloading and installation trends among other things.

The feature is powered by Telemetry in Firefox and it applies to all Firefox channels.

Interested users may verify the findings. One of the easier ways is to check the hashes of two or more Firefox installer downloads (the same version, language and architecture). Each hash is different. A search for dltoken using any hex editor reveals the string in the Firefox installer.
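The check described above, written out as an added example (it is not code from the article or from Mozilla): it hashes two downloads of the same installer, lists the byte ranges where they differ, and searches each file for the dltoken string. The sample blobs and their `dltoken=` layout are constructed stand-ins, not the real installer format, and the UTF-16LE search is an assumption for strings stored as wide characters.

```python
"""Compare two downloads of the same installer and look for the dltoken marker."""
import hashlib
import sys

MARKER = "dltoken"   # string named in the article
CHUNK = 1 << 16      # compare in 64 KiB blocks so large installers stay fast


def find_marker(data, marker=MARKER, context=40):
    """Return sorted (offset, encoding, printable context) for each marker hit."""
    hits = []
    for enc in ("ascii", "utf-16-le"):   # UTF-16LE search is an assumption
        needle = marker.encode(enc)
        pos = data.find(needle)
        while pos != -1:
            window = data[pos:pos + context]
            # Hex-editor style rendering: non-printable bytes become dots.
            shown = "".join(chr(b) if 32 <= b < 127 else "." for b in window)
            hits.append((pos, enc, shown))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def differing_ranges(a, b, merge_gap=8):
    """Return [(start, end)] ranges where a and b differ, merging close ranges."""
    ranges = []
    n = min(len(a), len(b))
    for base in range(0, n, CHUNK):
        ca, cb = a[base:base + CHUNK], b[base:base + CHUNK]
        if ca == cb:
            continue                     # identical block, skip the byte loop
        for k in range(len(ca)):
            if ca[k] != cb[k]:
                off = base + k
                if ranges and off - ranges[-1][1] <= merge_gap:
                    ranges[-1][1] = off + 1
                else:
                    ranges.append([off, off + 1])
    if len(a) != len(b):                 # trailing bytes present in one file only
        ranges.append([n, max(len(a), len(b))])
    return [tuple(r) for r in ranges]


def compare_installers(a, b):
    """Summarise how two installer images differ and where the marker sits."""
    ranges = differing_ranges(a, b)
    hits_a, hits_b = find_marker(a), find_marker(b)
    # Distance from each differing range back to the closest preceding marker
    # hit in the first file; None when no marker precedes the range.
    after = []
    for start, _end in ranges:
        before = [off for off, _enc, _ctx in hits_a if off <= start]
        after.append(start - max(before) if before else None)
    return {
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
        "identical": a == b,
        "diff_ranges": ranges,
        "diff_after_marker": after,
        "marker_hits": (hits_a, hits_b),
    }


def make_sample(token):
    """Constructed stand-in for an installer; NOT the real file layout."""
    return b"MZ" + bytes(200) + b"dltoken=" + token.encode() + bytes(64) + b"END"


def report(result):
    """Format the comparison as text for the terminal."""
    lines = ["sha256 #1: " + result["sha256"][0],
             "sha256 #2: " + result["sha256"][1],
             "identical: " + str(result["identical"])]
    for (start, end), dist in zip(result["diff_ranges"], result["diff_after_marker"]):
        lines.append(f"differs at bytes {start}..{end - 1} "
                     f"(offset from nearest marker: {dist})")
    for idx, hits in enumerate(result["marker_hits"], 1):
        for off, enc, shown in hits:
            lines.append(f"file #{idx}: marker at {off} ({enc}): {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Two real downloads of the same version, language and architecture.
        with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
            first, second = fa.read(), fb.read()
    else:
        # Constructed demo data with two different placeholder tokens.
        first = make_sample("AAAAAAAA-1111")
        second = make_sample("BBBBBBBB-2222")
    print(report(compare_installers(first, second)))
```

Run with two installer paths as arguments to compare real downloads; without arguments it runs on the constructed samples.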

Firefox users who prefer to download the browser without the unique identifier may do so in the following two ways:

  1. Download the Firefox installer from Mozilla's HTTPS repository (formerly the FTP repository).
  2. Download Firefox from third-party download sites that host the installer, e.g., from Softonic.

Installers downloaded in either of these ways do not carry the unique identifier, as they are identical each time they are downloaded.

Mozilla notes that the opt-out mechanism is the standard Telemetry opt-out. How users may opt out before the installation of Firefox is unclear. A quick check of Chrome installers returned identical hashes each time.

Now You: how useful do you think the information is to Mozilla? (thanks PMC for the tip)

Publisher
Ghacks Technology News

Comments

  1. Mike said on March 17, 2022 at 4:54 pm
    Reply

    It’s useful enough for them to have implemented it. GA telemetry isn’t horribly invasive. Google is a bit slicker and implements the install tagging server-side leaving as little client side evidence as they can.

    As for Firefox, you can prevent launch of the first-run OOBE via their Enterprise Policies, they have an atomic policy toggle for all outbound telemetry as far as I know, doubt it changed in the past 5 months since I stopped bothering to use FF. (Edge Enterprise FTW!)

    1. baizuo said on March 20, 2022 at 5:34 am
      Reply

      Original sin: software developers do not commit this sin but rather contract it from the Fall of Larry Page and Sergey Brin.

  2. Gerard said on March 17, 2022 at 5:02 pm
    Reply

    This is a deal breaker. They have now made me a Mozilla basher. Screw them!

    1. Arrt said on March 17, 2022 at 8:29 pm
      Reply

      Awww

    2. Libre Wolf said on March 17, 2022 at 9:52 pm
      Reply

      You might like LibreWolf.

      1. TelV said on March 19, 2022 at 5:16 pm
        Reply

        LibreWolf isn’t a privacy enhancing browser: quite the opposite in fact: https://www.unixsheikh.com/articles/choose-your-browser-carefully.html#librewolf

        Personally though I stripped FF of all the Google shite along with most of the telemetry crap using 0XDE57’s recommendations at https://gist.github.com/0XDE57/fbd302cef7693e62c769

    3. Anonymous said on March 17, 2022 at 10:31 pm
      Reply

      Is it true you work for Google or Microsoft?

    4. Anonymous said on March 18, 2022 at 3:39 am
      Reply

      Wait until you see the stuff the EU is planning in order to “protect” you. They want an end to anonymity completely.

      1. Anonymous said on March 18, 2022 at 11:32 am
        Reply

        Doesn’t sound like a bright future. Can you specify what you are talking about?

  3. Mystique said on March 17, 2022 at 5:30 pm
    Reply

    Mozilla questioning everything but their poor approach to the browser and community. How to fix this and win back marketshare? The answer invariably is MORE TELEMETRY!

    And they all cheered in their board meeting!
    “IT’S GOLD!!”
    “MAKE IT SO!!”
    “WINNING!!”

    Morons!

  4. Black Prince said on March 17, 2022 at 5:43 pm
    Reply

    This ‘feature’ appears to enable interested persons to identify specific computers accessing specific sites. I suspect our ‘security services’ would find this ‘feature’ very useful should they have access to the data.

  5. Tom Hawack said on March 17, 2022 at 5:45 pm
    Reply

    I do download a new installer each time a new Firefox version is released and perform a clean install (previous version is uninstalled). I always download the installer from [https://archive.mozilla.org/pub/firefox/releases/] but I do acknowledge [https://ftp.mozilla.org/pub/firefox/releases/] provided in the article. I just downloaded FF98.0 from the latter and it’s exactly the same as the installer from the former : hence, no dltoken identifier.

    Besides this dltoken, there are two more IDs right in a Firefox’s profile, in the prefs.js file, accessible as well in about:config : toolkit.telemetry.cachedClientID AND browser.newtabpage.activity-stream.impressionId

    No idea what the second relates to, but the first is surprising given all telemetry is blocked here.
    Setting both to “” (about:config or with user.js) doesn’t change anything, but because I set pref values with Firefox Autoconfig rather than with a user.js file I can clear both on start and this time they are rebuilt but with different values :

    // RESET IDs AT START
    clearPref("toolkit.telemetry.cachedClientID");
    clearPref("browser.newtabpage.activity-stream.impressionId");

    Am I over-reacting? Maybe. I just dislike IDs hanging around and if my battle doesn’t change anything at least it doesn’t harm.

    See what they’ve done to me, ma? Twenty years ago when I started surfing on the Web I’d post my name, email and so on (fortunately a good guy told me then to at least always avoid sharing my true “snail-mail” address) and now I behave as a newborn soldier, always cautious, often over-cautious, maybe occasionally paranoid. But, hey, we’re all like special agents in that we have to be aware of not only the bad guys but as well of the “good guys”, those who track us for our good, to protect us, for a better e-experience …

    The beat goes on, baby.

    1. Frankel said on March 17, 2022 at 6:12 pm
      Reply

      And that is the thing:
      All telemetry they collect is useless, since they scared away the tech savvy crowd. The clever people still use Firefox, especially on Linux. But they have become mutes toward Mozilla.

      At the same time they wonder why so many people complain on bugzilla, yet use the argument they are a minority. They are not! Just because I disable telemetry in about:config and on DNS level doesn’t mean I am irrelevant or a minority.

      I simply would prefer not to bug my machine to have a right to veto terrible changes to the browser I love!

      “O Mozilla, your leaders have been like foxes among ruins.”
      — modified from Ezekiel 13:4

      1. Tom Hawack said on March 17, 2022 at 6:34 pm
        Reply

        “The beast that you saw was, and is not, and is about to rise from the bottomless pit and go to destruction. And the dwellers on earth whose names have not been written in the book of life from the foundation of the world will marvel to see the beast, because it was and is not and is to come”
        — Revelation 17:8

      2. Neutrino said on March 17, 2022 at 7:11 pm
        Reply

        @Tom Hawack

        “the book of life” aka the “tree of life”, aka the “right hand of god”, aka the right hemisphere of the brain.
        Sorry for the off-topic, couldn’t resist.

      3. Tom Hawack said on March 17, 2022 at 9:08 pm
        Reply

        @Neutrino, no problem! I had tried myself to comment the quote but after 5 minutes gave up and considered that I’d appear smarter without trying to be. Remains the verse is increasingly questioning as you read it again and again. I found it by searching for revolt+bible, I’m not at all an exegete :=)

        Back to our beasts, those which are!

      4. Matti said on March 18, 2022 at 6:29 am
        Reply

        Even on Linux, I’m not sure all builds of FF are safe. Old fashioned repositories and Flatpaks should be good, but I’m very suspicious of Snaps. On the next Ubuntu LTS, they say FF will come as a Snap by default. I personally use Librewolf on my setup though.

    2. Shiva said on March 17, 2022 at 9:15 pm
      Reply

      “See what they’ve done to me, ma? …e-experience …”

      Ah! Ah! Ah! Terrific. A hymn of pain. Not to mention that our category is the most suffering possible: we are not computer scientists but neither people who don’t care. We do what we can with the awareness of our own limits knowing that if we give them an inch, they’ll take a mile.

      After buying that useless device called ‘smathphone’ imposed by changing times, joking about it, I thought: maybe I could put an ad on Tinder peer looking for a better half who is competent in the matter.

      1. Shiva said on March 17, 2022 at 9:25 pm
        Reply

        ‘Smartphone’. It sucks so bad that I keep making the mistake writing ‘Smart’.

      2. Yash said on March 18, 2022 at 8:47 am
        Reply

        For all of smathphones flaws, you can’t beat its usability factor when you need to do something quick while walking or outside. It may not be perfect but with few switches here and there, it can help albeit on a limited basis.

      3. Shiva said on March 18, 2022 at 1:07 pm
        Reply

        @Yash
        Sure, but I’m still thinking about buying a simple Nokia and using that other (smart)thing in the rare cases I need it. It’s not a matter of privacy or anything else, I just don’t usually use it and I also find it cumbersome. I can spend time behind laptops, hardware components for assembled PCs, various technologies… but strangely I’ve never been interested in mobile phones. Well I guess I’m wrong since they are all stuck in front of the phone lately.

      4. Anonymous said on March 18, 2022 at 5:17 pm
        Reply

        A Nokia N9 and put Linux on it, nice spot, or a N900 if you want keyboard and better support

      5. Marc said on March 20, 2022 at 3:48 am
        Reply

        We do need a way to completely stop audio recording on smartphones without breaking usability and also a way to use history but without making it accessible to websites. If there are already ways to do so please I’m eager to know…

      6. Yash said on March 20, 2022 at 7:50 am
        Reply

        Stop audio recording – simple disable Google Assistant and revoke all recording permissions. Look at LineageOS too without GSF. Personally with switches here and there Android can be made privacy friendly. Same you have to do with Windows.

      7. Marc said on March 27, 2022 at 11:16 pm
        Reply

        @Yash Thank you. Question is then easy to re-enable recording say for the moment I actually need it?

      8. Frankel said on March 18, 2022 at 9:20 am
        Reply

        @Shiva
        Just say you are typing on a virtual keyboard on a phone. Those smear and swipe keyboards are disliked by pretty much everyone with a mechanical keyboard.

      9. Tom Hawack said on March 18, 2022 at 3:55 pm
        Reply

        @Shiva, >”A hymn of pain”. Everything is relative. When I wrote “I behave as a newborn soldier, always cautious, often over-cautious, maybe occasionally paranoid.” I should have emphasized on the difference with an armed soldier which faces blood and blasted bodies. Pain in our case, half moral and psychological half humorous, is not comparable to a soldier’s pain, sufferance when defending his invaded country, but also when attacking another (soldiers endorse, governments and sometimes a leader by himself decide.). Imagine moreover those facing the same without being soldiers …

        I’m adding this as I just watched a TV documentary.

      10. Shiva said on March 18, 2022 at 4:42 pm
        Reply

        @Tom
        Ok, “A (browsing user’s) hymn of pain”. I doubt that anyone has interpreted the sentence outside its figurative context. But considering the current crap of yet another ongoing war, let’s insert the clarification.

        Of course, the game of democracy is also played in front of the browser, moreover there is always someone who does not understand that apart from a few considerations on personal privacy, the real problems concern something else:
        https://www-agendadigitale-eu.translate.goog/cultura-digitale/le-nostre-vite-gestite-dalle-big-tech-le-sfide-per-cultura-democrazia-e-regolazione/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en

  6. Klaas Vaak said on March 17, 2022 at 5:50 pm
    Reply

    The fact that FF is downloadable without a unique ID is not the issue, and not even that useful since most users are unaware of the possibility and/or will not make use of it.

    The elephant in the room is that that unique ID can, and undoubtedly will some time, be used for installations and 1st runs.

    In other words, this is another step down the Google path.

    FF’s telemetry is changed almost every time there is an update, so you have to check again and again what has changed and correct/counteract it.

    1. Anonymous said on March 18, 2022 at 5:18 pm
      Reply

      Is because Google pays Mozilla corporation to not become mainstream

  7. Andy Prough said on March 17, 2022 at 6:48 pm
    Reply

    Why would anyone download directly from Firefox? It’s already in the repos for nearly all distros. Is this article about Windows or Mac users? They are already uniquely identified in so many different ways, why should they care about this?

    1. Frankel said on March 17, 2022 at 6:58 pm
      Reply

      That is defeatist thinking and whataboutism. Because one company tracks you, all others must as well? Cool. Also try reading the article, your other questions are already answered in it.

      1. Andy Prough said on March 17, 2022 at 7:20 pm
        Reply

        Cool, I guess it’s a concern for Windows and Mac users, in which case I do not care. Those who desire to be identified and tracked, and spend their money to be identified and tracked, will be identified and tracked.

      2. Iron Heart said on March 18, 2022 at 2:29 am
        Reply

        @Andy Prough

        Quick reality check for you: Mozilla tagging their installers with unique IDs is not the fault of Apple or Microsoft.

        And “wanting to be tracked”… If needing applications to run which are not available on Linux is the same as “wanting to be tracked” for you, then yes.

      3. Mark said on March 18, 2022 at 9:04 am
        Reply

        You are “thinking”.

        About 95% do not “think”, they just follow. They have no clue in what ways and how they are tracked. Nor are they able to see how this will affect the future of humanity as a whole. It is impossible for most people to see small things leading to something much bigger. So they do not “desire” to be tracked, they just don’t understand any of it (and don’t care too much because they do not see a bigger picture).

        If you do see the bigger picture and do care I suggest you try and help these people (and thus all people) instead of saying “I don’t care”. If you “don’t care” for anyone but yourself or your own “group” you are worse than the ignorant. You can’t blame people for not knowing or being able to see the things that are coming: it’s just how it works.

    2. bob said on March 17, 2022 at 8:11 pm
      Reply

      I’m sure both of you using Linux will be fine, but the vast majority of us will be using Windows.

      Personally, I started downloading from the ftp site as soon they started using those horrid stub-installers way back when.

      1. Andy Prough said on March 17, 2022 at 9:40 pm
        Reply

        For firefox? I would imagine the percentage of users on various distros is quite high. We’re not talking about Chrome. Firefox is the default browser on nearly every distro.

    3. TomMack said on March 18, 2022 at 4:40 pm
      Reply

      LOL
      there are 800 ways to install Firefox, even through Microsoft Store, people don’t need to download it, I mean, people don’t even need to download Firefox at all, Microsoft includes Edge now and MacOS have the Safari which is okay as well.

      You make it seem like only because you are Linux you are already protected. If you really care about “being tracked” you would NOT use internet or any device or phone (because I am sure you have either Android or iPhone).

      You are pretty much telling the world “please track me” when you are on the internet, it doesn’t matter which OS you use. Of course the world tracks you regardless if you use internet or not, or a phone or not, or a computer or not. So I don’t understand what are you even on about if you can’t avoid being tracked only because you use ‘linux’.

      I mean, on Linux its default Firewall can’t even block individual apps and only one 3rd party firewall can do it, so if you don’t use that one, all apps will send data to whatever server they want to send, something pretty basic for Windows and for its 3rd party firewalls, especially the ones that are fully based on WFP, so they are easier to use, but use the same ‘firewall platform’ as Windows Firewall.
      But sure… nobody is tracking you in Linux lol.

      What a delusional people “I am on the internet but I am not on the internet because I magically visit websites and I don’t get tracked because I am using the magical Linux”.

      Repeat after me “it’s all BS what I am saying because EVERYONE IS TRACKING ME”

      Even if you care or not, you get tracked, you can’t stop it, you can reduce it if you have the balls and stop using dumb devices and services and phones and computers.

      When you were born, you got an ID carved on your forehead, if you don’t have that ID you will not be able to function… do you think the government does that so you don’t get tracked? nah, they do it because they want to track you. And you think using Firefox or Linux will save you?

      You are leaving a trace to track you when you check the box “Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy” do you think you are anonymous in this world? any computer could easily figure out who you are by now with just your two comments and IPs and all.

      1. Andy Prough said on March 19, 2022 at 3:51 pm
        Reply

        >”You make it seem like only because you are Linux you are already protected.”

        No, I was merely pointing out that this particular unique identifier does not affect anyone on a Linux system who gets Firefox from their distro’s repo. You should learn to read. I actually agree with you on most of your other points – going online is being tracked; posting to the forum is consenting to giving some info away. My point about Microsoft and Apple is that they are already in possession of your system information and are already sharing it with their corporate partners, many of whom are the same as Mozilla’s corporate partners. I do not see what a person would think they are gaining by hiding their system data from Mozilla on a Windows or Apple device.

      2. oldfoxbetterfox said on March 27, 2022 at 3:49 pm
        Reply

        If you knew more about windows you’d know you can turn any of that stuff off

        Firefox has more remote tracking by default than windows

        Fortunately I know how to stop both, though admittedly most people don’t. And frankly, most people don’t care in the slightest about tracking. Every smartphone provides far more information about you to others than even the most open PC

  8. You're Welcome said on March 17, 2022 at 7:24 pm
    Reply

    Off topic: To add an extra layer of defense against ransomware, just add russian as an extra language on your computer.

  9. ring a ding ding said on March 17, 2022 at 7:31 pm
    Reply

    Does this apply to Tor Browser as well?

  10. beemeup5 said on March 17, 2022 at 8:10 pm
    Reply

    An installer triggering an outbound connection is actually fairly common, though the reasons may vary. It’s usually to check if you’re installing the latest version but by default I block all such connections. I’ve noticed before that installing Firefox triggers my firewall but I didn’t know that THIS was the reason why. Well now I know. ;)

  11. Steve said on March 17, 2022 at 10:36 pm
    Reply

    >Interested users may verify the findings. One of the easier ways is to check the hashes of two or more Firefox installer downloads (the same version, language and architecture). Each hash is different.

    I just tried downloading it (US version) and:

    If I download in Firefox, all installers are exactly the same, with the same hash (SHA256 starting with 340b1…, just like the one in your screenshot).
    If I download in Chrome, the installers are different.

    1. Yash said on March 18, 2022 at 8:44 am
      Reply

      Same here. Which is why I find wording of this article interesting.

      Anyway as with all software – Linux, Windows, Android – I always turn off internet connection especially on start and allow it only after changing certain settings. Time consuming yeah but hey this is modern world. New tech and all which we were crying for.

      1. fibref said on August 23, 2022 at 6:07 am
        Reply

        just downloaded Firefox Setup 52.9.0esr with ff, chrome – hash is the same
        8FAB6469F06E62236A2E3F2291FB7DFCF927EBBDBDAC73BC90977E0579A4E69428899A388B7EED62B39385A0012502C8D7F5D422A219E7FC9FF711CF96148136

  12. DataGoblin said on March 17, 2022 at 11:25 pm
    Reply

    Scary! What if you had the installer from another computer using a mirror download link and installed Firefox offline on thousands of computers? Would it count once you get online?

  13. ShintoPlasm said on March 18, 2022 at 12:14 am
    Reply

    *facepalm*

  14. Corky said on March 18, 2022 at 12:40 am
    Reply

    Question is why do they care about things like “Why do we see so many installs per day, but not that many downloads per day?”. I can’t think of any reason why a developer would want or even need that question answered.

    Maybe a software developer can enlighten me.

  15. meg said on March 18, 2022 at 1:10 am
    Reply

    wow, Mozilla turns into yet another doxing enterprise

  16. BW said on March 18, 2022 at 1:26 am
    Reply

    Is this also a problem with the FF fork Librewolf? Very disappointed in FF. At the very least, this should be OPT-IN. Back to searching for a strong-by-default privacy browser.

  17. Iron Heart said on March 18, 2022 at 2:38 am
    Reply

    So many new intrusions by Mozilla, Google-sponsored white knight of privacy(TM), how do you guys even keep track of all the newly introduced settings you need to toggle with each new update? But then, in a way, it is good that most Firefox diehards appear to be masochists that keep using this crap no matter how heavily Mozilla is betraying them. This list of 200+ settings you need to toggle in order to turn Firefox into what it is being advertised as (the most privacy-respecting browser out there short of Tor) is MASSIVELY off-putting to newbies. Good for other browsers in the privacy space, I don’t complain at all.

    1. Rex said on March 18, 2022 at 1:31 pm
      Reply

      Bingo. I’ve always found their reactions hilarious.

      “That’s it, I’m not going to use it after ” (Were you sleeping under a rock since 2011 when they started down this path by imitating Chrome?)
      “Mozilla does respect privacy! You can always change these 50 about:config settings to be private again!” (Until they get rid of it altogether, as they did with making extension signing mandatory).

      I use Pale Moon as a primary (unlike what you’ve said elsewhere, it works great with 99% of the sites I use, and Google/Facebook are not among them). Brave is my backup browser and it works great as well.

      1. Marc said on March 20, 2022 at 3:44 am
        Reply

        This is the reason I can’t trust Brave actually
        https://www.portablefreeware.com/forums/viewtopic.php?f=6&t=22458&start=15

      2. Iron Heart said on March 21, 2022 at 11:33 am
        Reply

        @Marc

        You can’t trust Brave because of referral / affiliate links (that are not even a thing anymore)? How do you live with the search deals all browsers brokered years ago then? They are all realized via referrals, notice the Firefox referral in the address bar on the search results page of any Google search? Yep, that one doesn’t have to be there for the URL to work. Neither did the Binance referral have to be there in Brave’s case.

        Referrals have nothing to do with privacy or security or web compatibility.

  18. Anonymous said on March 18, 2022 at 2:49 am
    Reply

    Along with this there is something else about telemetry that should concern us
    When you turn off telemetry you don’t actually turn off the collection of data. You just save it locally.
    You don’t send it to Mozilla, but you do store it.
    Perhaps in some future upgrade they will turn on the telemetry during install and collect all your past telemetry.

  19. Mystique said on March 18, 2022 at 3:23 am
    Reply

    It’s not just Mozilla and that is the broader issue here, it has become a tech cultural issue now that is so rampant. Once Google came in with their filth and then Microsoft weighed in with their lowbrow operating system from 8 upwards it was all downhill from there. These kinds of activities and practices were once heavily frowned upon and referred to as spyware then someone decided to change the name to Telemetry to remove any negative connotations or to attempt to undermine the perception of what it actually is.

    It’s not a new practice, people that reverse software have been dealing with this kind of thing long before Mozilla started doing it but the fact that every man and their donkey are doing it now suggests that this kind of thing is accepted by the tech companies which is troubling indeed. We even have spyware (aka Telemetry) in drivers these days.

    Mozilla isn’t the first to do it and they certainly won’t be the last. Mozilla is practically a lost cause these days. I don’t see them ever redeeming themselves and changing their ways anymore, the only thing one can hope for is that someone forks their work and heavily rewrites everything at which point they will take over all operations and have their team, community and skill set down. Mozilla will be left to languish and vanish to the sands of time and the world will keep spinning.

    Others have tried to but failed to capitalize on such a plan so who knows. They just never managed to gather any real traction and capture the magic in a bottle that was once Firefox. I’m not begrudging any such projects and wish them much success but at this point it’s a huge uphill battle for the respective brands.
    It’s almost as if they stayed in the shadows of Mozilla which is not where you want to be especially when Mozilla is in such a state.

    1. ZeN said on March 18, 2022 at 9:24 am
      Reply

      Well said

    2. Anonymous said on March 21, 2022 at 8:50 am
      Reply

      Except the world does not spin, the bible says earth is fixed and unmovable.

  20. SnoopzNotz said on March 18, 2022 at 3:26 am
    Reply

    I wonder what the Linux Mint Maintainers will have to say about that!

  21. someguys said on March 18, 2022 at 5:17 am
    Reply

    “And I think to myself~ What a wonderful world~”

  22. LipoSuction3 said on March 18, 2022 at 5:52 am
    Reply

    Does anybody know please if the same applies when we download plugins or addons (.xpi) from Mozilla?
    Does each xpi download (or online install) of any plugin has a GUID?

    1. Frankel said on March 18, 2022 at 9:59 am
      Reply

      XPIs are the same to all users. They have an internal ID that is the same to all of us and used for the sqlite databases. Like where uBlock stores their filter rules and your settings. So no addon has access to the data of other addons.

      1. Sdar said on March 18, 2022 at 1:35 pm
        Reply

        No, extensions IDs are randomized once, so it’s different for every user, it was supposedly a privacy protection but turns out such ids are sometimes leaked by some extensions what gives a ~100% fingerprint chance. It has been reported already, 5 years ago.

  23. hg said on March 18, 2022 at 8:54 am
    Reply

    If I have deleted the ID from the keys

    browser.newtabpage.activity-stream.impressionId
    toolkit.telemetry.cachedClientID

    and I update via Help/about Firefox, will tracking be re-enabled?

    1. Tom Hawack said on March 18, 2022 at 12:53 pm
      Reply

      @hg, I’m not savant enough to know if what applies to my Firefox 98.0 / Windows 7 environment applies to all.

      What I can say, as I noted above, is that deleting the values of the preferences you mention (either within about:config either within a user.js file) doesn’t make it : the preferences remain with the same values.

      In my case, because I use Firefox’s Autoconfig [https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig] I can *clear* (not delete) these values which means they will be reset and modified on Firefox restart. Deleting only these values will have them be reset to what they were previously but *not* modified.

      // RESET IDs AT START
      clearPref("toolkit.telemetry.cachedClientID");
      clearPref("browser.newtabpage.activity-stream.impressionId");

      In other words there’s nothing you can do about these prefs without Autoconfig.
      But don’t worry : these prefs may very well be insignificant but because I’m uncertain I tried to play around with them, see how I could control them. Be noted that having these prefs get a new value at every start is better than having them set to null (blank) in that it won’t set you apart :=)

      1. klimbim said on March 24, 2022 at 1:08 am
        Reply

        my firefox: 91.7.1esr.
        i cleared and then deleted both:
        – “toolkit.telemetry.cachedClientID”
        – “browser.newtabpage.activity-stream.impressionId”

        after restart:
        – “browser.newtabpage.activity-stream.impressionId” was re-enabled with value
        – “toolkit.telemetry.cachedClientID” stayed deleted. no reset, no re-enabled, no value

      2. Tom Hawack said on March 24, 2022 at 9:44 am
        Reply

        @klimbim, that partially confirms what I wrote above :

        – deleting the values of the preferences (either within about:config either within a user.js file) doesn’t make it : the preferences remain with the same values.
        – there’s nothing you can do about these prefs without Autoconfig.

        Except that in your experience “toolkit.telemetry.cachedClientID” stayed deleted. I’ll have to check again with my config.
        Is “browser.newtabpage.activity-stream.impressionId” reset with the *same* value? Because that’s the whole point : it’s always reset when deleted but it should be with a different value. In my case the value is different when processed with Autoconfig but not when simply deleted in about:config.

        Moreover : your FF version is 91.7 esr whilst my experience was conducted on a later FF version. That could explain differences between our experiences (mainly “toolkit.telemetry.cachedClientID” staying deleted. not reset, not re-enabled, no value).

      3. Tom Hawack said on March 24, 2022 at 11:38 am
        Reply

        @klimbim, I’ve just tested again :

        after restart:

        – “toolkit.telemetry.cachedClientID” is reset BUT only after several minutes. I’ve just tested thoroughly and noticed its inclusion in about:config after 6 minutes and 30 seconds (+-10 seconds). So you’ll have to test it again after a few minutes ….

      4. klimbim said on March 26, 2022 at 4:24 am
        Reply

        sorry for my late reply – i was for 2 days on the road.
        well, 2 days are a little more enough than 6 minutes and 30 seconds. ;)
        so i looked again for this beast “toolkit.telemetry.cachedClientID”.
        and yes, you’re right – it’s back.

        but now, when i cleared and deleted it once more and tested it again after 10 minutes – “toolkit.telemetry.cachedClientID” stayed deleted (same like at the first time).
        but i think it will come back the next day at the latest.

        “Is “browser.newtabpage.activity-stream.impressionId” reset with the *same* value?”
        no, with a different value – as you described.

        btw:
        to stop the telemetry in my firefox i used about:config and all the switches listed under “Healthreport und Telemetriedaten für Mozilla”:
        https://www.privacy-handbuch.de/handbuch_21n.htm#telemetrie

      5. Tom Hawack said on March 26, 2022 at 8:42 am
        Reply

        @klimbim, this is a mystery as far as I’m concerned. I have no idea of whats and hows. That’s all I can say at this time : why is “toolkit.telemetry.cachedClientID” always reset even when all of telemetry is blocked in a Firefox user’s profile settings, why is it after a delay which seems to fluctuate?

      6. klimbim said on March 26, 2022 at 2:40 pm
        Reply

        @Tom Hawack
        “this is a mystery”

        yes.
        now 10 hours after my last comment and test, in my main firefox “toolkit.telemetry.cachedClientID” still stays deleted.

        but in my other foxes (portable) it’s back. i cleared and deleted “toolkit.telemetry.cachedClientID” in all foxes at the same time.

        my os is linux.

        well, for me it’s enough that there is continuous no data under “about:telemetry”.

  24. Yuliya said on March 18, 2022 at 9:21 am
    Reply

    Windows 64-bit, English (US), on both Stable and ESR

    https://www.mozilla.org/en-US/firefox/all/#product-desktop-release
    Name: Firefox Setup 98.0.1.exe
    Size: 55528896 bytes (52 MiB)
    SHA256: 340b13d52f3987ebb1c01b66cd389d26d5fa13db225f6dc135c3b4a8cca781b1
    SHA1: 5dcdb1e5ee9172b78510fc9fc1ce2a759b09201f

    https://www.mozilla.org/en-US/firefox/all/#product-desktop-esr
    Name: Firefox Setup 91.7.1esr.exe
    Size: 55985512 bytes (53 MiB)
    SHA256: 872449f18479088b2cb33ba5f3e91296c071de30e3a1ffed4c5a50dc3a27f67e
    SHA1: 4c00b46b2a7a685801eaf6bdece68484338390b0

    I can’t reproduce it on this page. I am not defending this behaviour, rather providing another potential solution. I have tried downloading it twice, using two different devices, running different operating systems and different browsers, on different ISPs. I always get the same file. You may want to check your downloads against mine, and if they match, it means this page is not distributing the modified installer. I do wonder exactly what is modified, the reason why I tried this is that I wanted to see exactly what is different.

    1. Yuliya said on March 18, 2022 at 9:33 am
      Reply

      Just checked it myself, my downloads from those pages match the ones from their ftp-wannabe page. Maybe it’s a regional thing?

    2. Martin Brinkmann said on March 18, 2022 at 11:52 am
      Reply

      When I download from the page you linked, I get different hashes each time. Which browser did you use for the downloading?

      1. Yuliya said on March 18, 2022 at 5:57 pm
        Reply

        Martin,
        Windows 10 > Chrome Dev 32-bit PAF and Firefox 64-bit ESR
        Android 12 > Chrome ARM/64-bit
        All four downloads match.

    3. Tom Hawack said on March 18, 2022 at 2:15 pm
      Reply

      Strange that Martin gets different hashes each time.

      I have the same hashes for downloads performed from 3 download sources, and the same each time.
      Hashes are the same as those mentioned by Yuliya for Firefox 98.0.1
      Downloaded with Firefox 98.0 x64 on Windows 7 x64

      Firefox Setup 98.0.1.exe from
      [https://www.mozilla.org/en-US/firefox/all/#product-desktop-release]
      [https://archive.mozilla.org/pub/firefox/releases/98.0.1/win64/en-US/]
      [https://ftp.mozilla.org/pub/firefox/releases/98.0.1/win64/en-US/]

      SHA-256: 340B13D52F3987EBB1C01B66CD389D26D5FA13DB225F6DC135C3B4A8CCA781B1
      SHA-1: 5DCDB1E5EE9172B78510FC9FC1CE2A759B09201F

      1. Martin Brinkmann said on March 18, 2022 at 3:10 pm
        Reply

        Can you try and download from the same source twice and compare the hashes?

      2. Tom Hawack said on March 18, 2022 at 3:22 pm
        Reply

        @Martin, downloading from the same source twice had been performed as I wrote it, “I have the same hashes for downloads performed from 3 download sources, and the same each time” : “…and the same each time”. I can test again. Any preference for the source, all three?

        Firefox Setup 98.0.1.exe from
        [https://www.mozilla.org/en-US/firefox/all/#product-desktop-release] : / Firefox / Windows 64 / English (US)

        Unchanged :
        SHA-256: 340B13D52F3987EBB1C01B66CD389D26D5FA13DB225F6DC135C3B4A8CCA781B1
        SHA-1: 5DCDB1E5EE9172B78510FC9FC1CE2A759B09201F

        What you encounter is odd. PLEASE : anyone else experiencing such a hash disparity?

      3. Tom Hawack said on March 18, 2022 at 3:37 pm
        Reply

        FWIW I just downloaded again Firefox Setup 98.0.1.exe from
        [https://www.mozilla.org/en-US/firefox/all/#product-desktop-release] : / Firefox / Windows 64 / English (US)

        This time with FF’s ‘User-Agent Switcher’ extension set with ‘Windows 10 / Chrome 96’ : same hashes…

      4. ECJ said on March 20, 2022 at 1:27 am
        Reply

        “…anyone else experiencing such a hash disparity?”

        Yes.

        I tried downloading the EN-US “Firefox Setup 98.0.1.exe” file from the UK at the following link: https://www.mozilla.org/en-US/firefox/all/#product-desktop-release

        Using Windows 10 (19044.1586) and Microsoft Edge Stable (99.0.1150.46), I get different SHA256 file hashes most times when downloading from within Windows Sandbox.

        However, when I download it from the same host machine (rather than in Windows Sandbox), the file hashes all match the correct hash (340b13d52f3987ebb1c01b66cd389d26d5fa13db225f6dc135c3b4a8cca781b1) found on the Mozilla site: https://ftp.mozilla.org/pub/firefox/releases/98.0.1/SHA256SUMS

        Initially I thought it was perhaps because I was using uBlock Origin on the host machine, however I installed uBlock Origin in the Windows Sandbox, and the hashes still differed in the sandbox. Odd.

        Despite the hash difference, the code-signing digital signature remains valid, therefore it appears Mozilla are doing the same as Google Chrome:

        https://twitter.com/SwiftOnSecurity/status/1213286893976207360

    4. Yuliya said on March 18, 2022 at 7:06 pm
      Reply

      I have tried some TOR exit nodes:

      Name: Firefox Setup 98.0.1_germany.exe
      Size: 55528896 bytes (52 MiB)
      SHA256: 2d8164d547d8a0b02f2677c05e21a027dc625c0c1375fd34667b7d039746d400
      SHA1: 71302acbee6895b84cf0dfae99050926f2db59ef

      Name: Firefox Setup 98.0.1_austria.exe
      Size: 55528896 bytes (52 MiB)
      SHA256: a139a45dd5737ab981068ca2596b7fdfde15e5d4bc8541e0a2f07a65defd3e4e
      SHA1: 28630a0aababa162ca9e7cbca51e50b76b9c3cff

      I have labeled the file for the corresponding country of the exit node.

      I’ve also run the fc command of each file against the original one, and again between themselves:
      https://pastebin.com/XZnGtJue
      The differences between the tampered files themselves are smaller than they are between the original and a tampered one, so a part of the UID is similar.

      Extracting the archives results in the exact same content as the original file:
      Folders: 11
      Files: 86
      Size: 217733346 bytes (207 MiB)
      SHA256 checksum for data: b70eb1850d03d0bc4c1a8c4a0de6027268a2a47a3210aeda422c4f12cd1941b8-0000002B
      SHA256 checksum for data and names: de9b5e07b1c373fc0e4a84aae9137eea2ca03d9e7da0e7887bb80c06df0369b9-0000002C
      SHA1 checksum for data: 62f4440f5bf05a94d740b8842b2102583bd74240-0000002B
      SHA1 checksum for data and names: 749b1df2713ab4be3b50c5acf0d3e283c6f4f401-0000002E
      So it’s only the installer which has been modified and phoning home during installation. 7-zip does warn during the extraction of the tampered installers that there is a checksum error. It does not do so during the extraction of the original file.

      Also, yes, TOR will always download the original file when downloaded from their ftp-wannabe site.

      This is I think a regional only thing.
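
An added example, not part of any comment in this thread: a check for whether two same-size downloads differ only in bytes that the Authenticode digest skips (the CheckSum field, the certificate-table directory entry and the certificate table), which is one way a file hash can change while the code signature still validates. That this is where Firefox's installer keeps its token is an assumption the thread does not confirm; the function names and the sample PE skeleton are constructed for illustration, and the digest is a simplified version that hashes the remaining bytes in file order.

```python
import hashlib
import struct

def unsigned_ranges(data):
    """Byte ranges of a PE file that the Authenticode digest does not cover."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)            # data directories
    ranges = [(opt + 64, opt + 68)]                         # CheckSum field
    if struct.unpack_from("<I", data, dirs - 4)[0] > 4:     # NumberOfRvaAndSizes
        entry = dirs + 4 * 8                                # index 4: certificate table
        off, size = struct.unpack_from("<II", data, entry)  # file offset, not an RVA
        ranges.append((entry, entry + 8))
        if size:
            ranges.append((off, off + size))                # the signature blob itself
    return sorted(ranges)

def signed_digest(data):
    """SHA-256 over every byte outside the unsigned ranges (simplified, file order)."""
    h, pos = hashlib.sha256(), 0
    for start, end in unsigned_ranges(data):
        h.update(data[pos:start])
        pos = max(pos, end)
    h.update(data[pos:])
    return h.hexdigest()

def diff_ranges(a, b):
    """Runs [start, end) where two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("sizes differ")
    runs = []
    for i in (i for i, (x, y) in enumerate(zip(a, b)) if x != y):
        if runs and runs[-1][1] == i:
            runs[-1] = (runs[-1][0], i + 1)                 # extend the current run
        else:
            runs.append((i, i + 1))
    return runs

def compare(a, b):
    """Summarise how two downloads of the same installer differ."""
    skip = unsigned_ranges(a)
    outside = [r for r in diff_ranges(a, b)
               if not any(s <= r[0] and r[1] <= e for s, e in skip)]
    return {"file_sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            "signed_digest_equal": signed_digest(a) == signed_digest(b),
            "diffs_in_signed_content": outside}

def make_sample(tag, payload=b"installer payload"):
    """Constructed PE32 skeleton (not a real installer) with `tag` in its certificate table."""
    buf = bytearray(0x400)
    buf[:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)                 # e_lfanew -> PE header at 0x80
    struct.pack_into("<H", buf, 0x98, 0x10B)                # optional header magic (PE32)
    struct.pack_into("<I", buf, 0x98 + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, 0x98 + 96 + 32, 0x300, 0x100)  # certificate table entry
    buf[0x200:0x200 + len(payload)] = payload               # stands in for signed content
    buf[0x300:0x300 + len(tag)] = tag                       # stands in for a per-download value
    return bytes(buf)
```

For real installers, read each file with open(path, "rb").read() and pass the bytes to compare(); an empty diffs_in_signed_content list means every differing byte lies outside the signed content.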

  25. Torin Doyle said on March 18, 2022 at 9:51 am
    Reply

    What if someone gets their Firefox software from the repos of a GNU/Linux distro – like Debian or Ubuntu for example? Would those packages also have a unique ID?

    1. kehrity95y8 said on March 20, 2022 at 3:53 pm
      Reply

      Firefox is now forced on Ubuntu users the Snap package version, and it has been super strange, almost like some kind of virus, buggy and crashes (maybe intentionally so they can fetch some extra “crash data”?), I removed it and installed ESR using the ordinary installer package, better.

      1. Torin Doyle said on March 21, 2022 at 8:08 am
        Reply

        Hi. I never liked Snaps all that much. I prefer the repos, then Flatpaks, then AppImages, in that order.

  26. some1 said on March 18, 2022 at 10:08 am
    Reply

    I just downloaded Firefox Setup 98.0.1.exe from the main site (not FTP repository) and uploaded it to Virustotal but the file was already scanned, first submitted about a week ago. So I guess it is not completely unique.

    1. Some1 said on March 18, 2022 at 10:10 am
      Reply

      I downloaded again using Tor, that one had a different SHA1 and was NOT already scanned by VirusTotal.

      1. huh said on March 21, 2022 at 1:23 pm
        Reply

        yea same, download from firefox has known hash but from tor has unique hash, strange..
        i downloaded the whole firefox Firefox Setup 98.0.1.exe 53mb from their site

  27. Niko said on March 18, 2022 at 10:21 am
    Reply

    Another minus Mozilla!!!

  28. Anonymous said on March 18, 2022 at 12:58 pm
    Reply

    I’d like to know too. In France we’re far from it, even for adult contents they want website to check the age of a visitor with a certified method, but they don’t tell them how.

  29. Rex said on March 18, 2022 at 1:25 pm
    Reply

    The Beast stumbled in the dark for it could no longer see the path. It started to fracture and weaken, trying to reshape itself into the form of metal.
    Even the witches would no longer lay eyes upon it, for it had become hideous and twisted.

    The soul of the Beast seemed lost forever.

    Then, by the full moon’s light, a child was born; a child with the unbridled soul of the Beast that would make all others pale in comparison.

    — from the Chronicles of the Pale Moon, 24:2

  30. Honk Honk said on March 18, 2022 at 6:12 pm
    Reply

    Well, Firefox being Firefox removed Yandex and Mailru as search providers imagine using a browser that promotes censoring, de-platforming and full in bed with Google and their half billion dollars.
    So that should be a reason not to even try to download Firefox and see if you get different hashes or not.
    Clown company managed by clowns people in a clown world.

    1. Anonymous said on March 21, 2022 at 9:13 am
      Reply

      Wow what a fantasy, they have censored and deplatformed nothing. They wrote an article, that’s it.
      Facebook, Twitter & Youtube do that all the time. The thing to note is Youtube is owned by Google
      who also produce Chrome. You’d think people would stop using Chrome because of the banning &
      censorship on youtube, not so it seems.

  31. JonSnow said on March 18, 2022 at 9:59 pm
    Reply

    I am still using the last best version of Firefox 51 …not changing it any time soon.

    1. Lordbw said on March 18, 2022 at 10:28 pm
      Reply

      Unfortunately, many sites break compatibility through JavaScript features like lack of catch binding.

    2. Iron Heart said on March 19, 2022 at 4:41 pm
      Reply

      @JonSnow

      Perhaps you should consider Waterfox Classic (based on Firefox 56). Thank me later.

      https://classic.waterfox.net/

      They patch security issues at least.

  32. X said on March 19, 2022 at 1:44 am
    Reply

    Yeah, let’s get in for more of the same; one more time, again and again, and again and ….. !

  33. wet beaver said on March 19, 2022 at 4:02 am
    Reply

    > I am still using the last best version of Firefox 51 …not changing it any time soon.

    Sounds like you never heard about SECURITY FIXES. Enjoy your compromised box.

  34. FFdisappointed said on March 20, 2022 at 7:51 am
    Reply

    Alright…
    What alternative do you guys have for Firefox Sync Server?

    1. FIBREL said on August 23, 2022 at 7:57 am
      Reply

      YOUR FF 10000.1B HAS SECURITY HOLES TOO, THAT WILL BE FIXED IN FF10000.2, WHICH WILL HAVE SECURITY HOLES THAT WILL BE FIXED IN FF …. WHAT’S THE DIFFERENCE WHICH HOLE MAKES YOU COMPROMISED? THE ONE PRESENT IN FF51 OR THE ONE IN FF102?

  35. Anonymous said on March 20, 2022 at 11:46 pm
    Reply

    Martin, please update this article if solutions come about to disable “dltoken” __after__ installing. Thank you.

  36. James Bond said on March 21, 2022 at 9:00 am
    Reply

    @Tom Hawack said on March 17, 2022 at 5:45 pm

    // RESET IDs AT START
    clearPref("toolkit.telemetry.cachedClientID");
    clearPref("browser.newtabpage.activity-stream.impressionId");

    Where are the “clearPref” values, in user.js file or is it in some other file? Is Firefox Autoconfig an extension?

  37. notanon said on March 23, 2022 at 3:50 am
    Reply

    Wow, even EVIL Google doesn’t track user installations with a unique identifier.

    Mozilla is getting EVILER every day.

    Hopefully, when Mozilla dies, someone will continue developing Firefox, while firing the woke developers who are ruining the browser.

  38. Fred said on March 23, 2022 at 4:31 am
    Reply

    Martin, could you also update your article with straightforward recommendations for non-techies about how to download and install Firefox without the identifiers. Do I presume that this new installer would need to be run only after a full uninstall of Firefox?

    There is a great deal of informed techie discussion here, but it is hard for non-techies to follow, and some simple instructions would be very welcome.

    (By the way, the most recent Softonic download is V96.0, whereas Firefox is now at V98.0.1. After some searching, every download that I looked at either had an old version, or a very old version, or didn’t say what version it had, apart only from filehorse.com, which had V98.0.1. Is that site safe?)

  39. Martin Brinkmann said on March 23, 2022 at 6:26 am
    Reply

    Hi Fred, you can download it from here: https://ftp.mozilla.org/pub/firefox/releases/

    Just open the folder with the version that you are interested in. Happy scrolling.

  40. Fred said on March 24, 2022 at 1:38 am
    Reply

    Thanks, Martin. Yes, I got version 98.0.1 from that webpage and installed it, and I have now downloaded the new V98.0.2.
    (And yes, I now have a sore finger from scrolling — why don’t they reverse the order?. And why are the dates ‘Last Modified’ missing?)

    * QUESTION 1: But should I have first uninstalled Firefox (preferably with Revo Uninstaller), then reinstalled Firefox and configured its settings and extensions again?

    * QUESTION 2: And will I need to repeat this uninstall–reinstall with each new version of Firefox?

    1. Martin Brinkmann said on March 24, 2022 at 6:20 am
      Reply

      You could turn off Telemetry in the settings, as this prevents the sending according to Mozilla.

      1. Fred said on March 24, 2022 at 10:48 am
        Reply

        I have already done this. In fact I have already followed all the steps that Sven Taylor advises in https://restoreprivacy.com/firefox-privacy .

        All I want to know is, to avoid the unique identifier:
        * Do I have to uninstall and reinstall Firefox (and then reconfigure settings and extensions)?
        * Do I have to repeat this at every update?

  41. Torin Doyle said on March 27, 2022 at 7:53 am
    Reply

    It seems that getting Firefox from GNU/Linux repos (Debian, etc.), doesn’t come with unique IDs.

  42. ? said on April 1, 2022 at 6:16 am
    Reply

    I’m curious where it’s stored on the system after install. It doesn’t make sense to store it in a profile since that could be wiped, so it must be located in the installation folder or ProgramData or in the administrator account or something.

    Moreover, the GUID is embedded in a UPX-compressed executable file and is the ONLY difference, yet the files’ digital-certificates still validate, as do their CRCs. How? Are they generating the GUIDs to have collisions?

  43. David S said on April 12, 2022 at 7:35 pm
    Reply

    It is their stab at killing the TorBrowser anonymity which relies on FF

  44. johnnygo said on April 17, 2022 at 8:48 pm
    Reply

    Thanks, for all of the valuable information that you provide!
