Firefox 72.0.1 fixes a security vulnerability that is actively exploited

On Mon, 13 Jan 2020 00:57:35 +0000 (UTC), Spamblk wrote:

To minimize the fingerprinting
the TOR browser could possibly do this by adapting a common browser
useragent string and all of its engines features.

I appreciate the purposefully helpful conversation on browser privacy.

Thanks for the information about the web kit where it's my understanding,
from what I recall, that at least the Firefox-based Tor browser bundle (aka
TBB, or tbb) anonymizes certain fingerprinting things.
o 9/2019: Browser Fingerprinting: An Introduction and the Challenges Ahead
https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead

Here are more test sites which I found while searching for details:
o https://www.deviceinfo.me
o https://amiunique.org
o https://panopticlick.eff.org
Where all say I have "partial" fingerprinting protection under the tbb.

What we'd care about is "what fingerprinting things" the tbb anonyizes:
o https://www.torproject.org/
"Tor Browser aims to make all users look the same,
making it difficultfor you to be fingerprinted
based on your browser and device information."

But it gets complex fast, as this font question attests to:
https://tor.stackexchange.com/questions/1619/fingerprint-effect-of-changing-tbb-default-font-size

To better understand how the tbb resists fingerprinting, we'd have to look
individually, one by one, at how it resists each fingerprinting technique:
o User agent header
o Accept header
o Connection header
o Encoding header
o Language header
o list of plugins
o platform
o cookies preferences (allowed or not)
o Do Not Track preferences (yes, no or not communicated)
o timezone
o screen resolution and its color depth
o use of local storage
o use of session storage
o a picture rendered with the HTML Canvas element
o a picture rendered with WebGL
o the presence of AdBlock
o the list of fonts
https://restoreprivacy.com/browser-fingerprinting/

But there's more, which I found by running the tests in three separate tabs
of the tbb, where fingerprinting includes things in each test not in the
other tests, e.g.,
o Upgrade Insecure Requests header
o Referer header
o Cache-Control header
o BuildId of the browser
o Supported Audio formats
o Supported Video formats
https://amiunique.org/faq

But there's more than that, e.g., even your "previous tab name" and your
"battery status" can be fingerprinted (both useful in the short term).

My main question is why does a browser _need_ all that information?

On Mon, 13 Jan 2020 01:02:06 GMT, Melzzzzz wrote:

Yep. It is really difficult to hide browser info, while still wanting
sites to work properly. But question is: how usefull is that info?
I mean screen res and all that?

I agree with you, Melzzzzz that a browser seems to "ask for" way more
information than it should ever _need_ to know.

For example, you bring up screen resolution, which, at least, the TBB
anonymizes (AFAIK) to 1000x1000x24 which works just fine as long as you
don't resize your browser window (AFAIK).

So why can't _all_ browsers simply use 1000x1000x24 by default?

Likewise, why does a browser _need_ your timezone?
o What other program you own (besides the clock) need a timezone?

While I don't know how to anonymize the screen resolution, at least you can
anonymize the timezone on Windows & Linux with a simple script, e.g.,
o tzutil.exe /g
o tzutil.exe /s "Pacific Standard Time"

Where you then need a freeware clock that works outside machine settings:
o http://www.clocx.net/download.php
o https://www.dualitysoft.com/dsclock/index.html
etc.

In short, I echo your sentiment asking "Why" a browser needs this stuff?

On 2020-01-13, Arlen Holder wrote:
On Mon, 13 Jan 2020 01:02:06 GMT, Melzzzzz wrote:

Yep. It is really difficult to hide browser info, while still wanting
sites to work properly. But question is: how usefull is that info?
I mean screen res and all that?

I agree with you, Melzzzzz that a browser seems to "ask for" way more
information than it should ever _need_ to know.

Browser can access any info any application can access.


For example, you bring up screen resolution, which, at least, the TBB
anonymizes (AFAIK) to 1000x1000x24 which works just fine as long as you
don't resize your browser window (AFAIK).

So why can't _all_ browsers simply use 1000x1000x24 by default?

Likewise, why does a browser _need_ your timezone?
o What other program you own (besides the clock) need a timezone?

To display proper time?


While I don't know how to anonymize the screen resolution, at least you can
anonymize the timezone on Windows & Linux with a simple script, e.g.,
o tzutil.exe /g
o tzutil.exe /s "Pacific Standard Time"

Where you then need a freeware clock that works outside machine settings:
o http://www.clocx.net/download.php
o https://www.dualitysoft.com/dsclock/index.html
etc.

In short, I echo your sentiment asking "Why" a browser needs this stuff?

Malicious software can do much more then collect some info widelly
available.


--
press any key to continue or any other to quit...
U ni�emu ja ne uživam kao u svom statusu INVALIDA -- Zli Zec
Svi smo svedoci - oko 3 godine intenzivne propagande je dovoljno da jedan narod poludi -- Zli Zec
Na divljem zapadu i nije bilo tako puno nasilja, upravo zato jer su svi
bili naoruzani. -- Mladen Gogala

Arlen Holder wrote in
:

On Mon, 13 Jan 2020 00:57:35 +0000 (UTC), Spamblk wrote:

To minimize the fingerprinting
the TOR browser could possibly do this by adapting a common browser
useragent string and all of its engines features.

I appreciate the purposefully helpful conversation on browser privacy.

Thanks for the information about the web kit where it's my understanding,
from what I recall, that at least the Firefox-based Tor browser bundle (aka
TBB, or tbb) anonymizes certain fingerprinting things.

Certain but probably not all fingerprinting things (my
perhaps not so humble opinion not based on ever
downloading or trying TOR, though).

https://www.torproject.org/
"Tor Browser aims to make all users look the same,
making it difficultfor you to be fingerprinted
based on your browser and device information."


Keyword here is "aims". Having an aim is not the same
thing as success with that aim. Its like the Mozilla
preference "privacy.resistFingerprinting" NB the
preference is not called "privacy.stopFingerprinting"
possibly because Mozilla does not supply a means to stop
fingerprinting. Put another way it might resist a few
fingerprinting attributes but few plans to stop all
of them.

Fingerprinting is here to stay.


My main question is why does a browser _need_ all that information?


IMO a browser doesn't.

Melzzzzz wrote in :

On 2020-01-13, Spamblk wrote:
SNIP
browser by adopting all of those engines features whilst disabling all
unique Gecko engine features.

Browser fingerprinting is here to stay.

Yep. It is really difficult to hide browser info, while still wanting
sites to work properly. But question is: how usefull is that info?
I mean screen res and all that?


Screen resolution on its own? Probably little value.

As the EFF explains, though, it is the combination.

Fonts, language, Geolocation(Country, State, province),
timezones, fonts installed, extensions, screen width,
height, viewport width and height.... Then if you are
a Mozilla browser with a userAgent string trying to
pretend to be a Webkit browser sites can flag this
rare combination into another useful few bits of
a unique ID.

It was not always like this. Back in the days of NCSA
Mosaic the idea was HTML would be a flexible markup
language. HTML would be so adaptable that if your
screen resolution was 40 chars or 140 chars the display
attributes would be used at the client side to display
the markup. Sites back then didn't know your screen
resolution yet if I recall righly there were few
display issues arising.

On Mon, 13 Jan 2020 11:31:46 +0000 (UTC), Spamblk wrote:

Its like the Mozilla
preference "privacy.resistFingerprinting"

Nice suggestion! Much appreciated!
1. Start a Mozilla-based browser
2. about:config
3. privacy.resistFingerprinting
o privacy.resistFingerprinting true
o privacy.resistFingerprinting.autoDeclineNoUserInpu tCanvasPrompts true
o privacy.resistFingerprinting.jsmloglevel Warn
o privacy.resistFingerprinting.reduceTimerPrecision. jitter true
o privacy.resistFingerprinting.reduceTimerPrecision. microseconds 1000
o privacy.resistFingerprinting.target_video_res 480
o services.sync.prefs.sync.privacy.resistFingerprint ing true
o services.sync.prefs.sync.privacy.resistFingerprint ing.reduceTimerPrecision.jitter true
o services.sync.prefs.sync.privacy.resistFingerprint ing.reduceTimerPrecision.microseconds true

I had not known about these until now.
Thanks for providing helpful fingerprinting advice for Mozilla browsers.

--
Usenet is a public potluck where purposefully helpful adults share knowledge.

Arlen Holder wrote in
:

Thanks

You're welcome.

for providing helpful

Opportunity to point out that

fingerprinting advice

Firefox is that whilst it may be "resisted" it cannot be stopped.

for Mozilla browsers.

On Tue, 14 Jan 2020 03:17:07 +0000 (UTC), Spamblk wrote:

Firefox is that whilst it may be "resisted" it cannot be stopped.

We can't forever put off tyranny, death and destruction either; but it
doesn't mean we shouldn't constantly try.

Arlen Holder wrote in
:

On Tue, 14 Jan 2020 03:17:07 +0000 (UTC), Spamblk wrote:

Firefox is that whilst it may be "resisted" it cannot be stopped.

We can't forever put off tyranny, death and destruction either; but it
doesn't mean we shouldn't constantly try.


If Firefox puts 50 or more fingerprinting features into it's increasing
Chrome-like bloated browser then providing a few preferences which it
claims resists fingerprinting (without really defining what it means
by "resist"), so what?

So the nice Mozilla folks load their browser with specific Gecko-centric
features and extensions for sites to datamine and enjoy then provide
a few preferences to persuade the proles that one or two can be resisted.

Holy fingerprinting bloated browser, Batman!!

If you want to resist fingerprinting have a few portable browsers
at hand to run at various times. You aint gonna resist fingerprinting
using only Mozilla's webextensions compatible, bloated, Gecko-centric CSS
using, relentlessly home-phoning browser.

Don't agree? Fine. I'm outta this thread.