#16
Firefox 72.0.1 fixes a security vulnerability that is actively exploited
On Mon, 13 Jan 2020 00:57:35 +0000 (UTC), Spamblk wrote:
> To minimize the fingerprinting the TOR browser could possibly do this by adapting a common browser useragent string and all of its engines features.

I appreciate the purposefully helpful conversation on browser privacy.

Thanks for the information about the web kit where it's my understanding, from what I recall, that at least the Firefox-based Tor browser bundle (aka TBB, or tbb) anonymizes certain fingerprinting things.
o 9/2019: Browser Fingerprinting: An Introduction and the Challenges Ahead
  https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead

Here are more test sites which I found while searching for details:
o https://www.deviceinfo.me
o https://amiunique.org
o https://panopticlick.eff.org
Where all say I have "partial" fingerprinting protection under the tbb.

What we'd care about is "what fingerprinting things" the tbb anonymizes:
o https://www.torproject.org/
  "Tor Browser aims to make all users look the same, making it difficult for you to be fingerprinted based on your browser and device information."

But it gets complex fast, as this font question attests to:
https://tor.stackexchange.com/questions/1619/fingerprint-effect-of-changing-tbb-default-font-size

To better understand how the tbb resists fingerprinting, we'd have to look individually, one by one, at how it resists each fingerprinting technique:
o User agent header
o Accept header
o Connection header
o Encoding header
o Language header
o list of plugins
o platform
o cookies preferences (allowed or not)
o Do Not Track preferences (yes, no or not communicated)
o timezone
o screen resolution and its color depth
o use of local storage
o use of session storage
o a picture rendered with the HTML Canvas element
o a picture rendered with WebGL
o the presence of AdBlock
o the list of fonts
https://restoreprivacy.com/browser-fingerprinting/

But there's more, which I found by running the tests in three separate tabs of the tbb, where fingerprinting includes things in each test not in the other tests, e.g.,
o Upgrade Insecure Requests header
o Referer header
o Cache-Control header
o BuildId of the browser
o Supported Audio formats
o Supported Video formats
https://amiunique.org/faq

But there's more than that, e.g., even your "previous tab name" and your "battery status" can be fingerprinted (both useful in the short term).

My main question is why does a browser _need_ all that information?
#17
On Mon, 13 Jan 2020 01:02:06 GMT, Melzzzzz wrote:
> Yep. It is really difficult to hide browser info, while still wanting sites to work properly. But question is: how useful is that info? I mean screen res and all that?

I agree with you, Melzzzzz that a browser seems to "ask for" way more information than it should ever _need_ to know.

For example, you bring up screen resolution, which, at least, the TBB anonymizes (AFAIK) to 1000x1000x24 which works just fine as long as you don't resize your browser window (AFAIK).

So why can't _all_ browsers simply use 1000x1000x24 by default?

Likewise, why does a browser _need_ your timezone?
o What other program you own (besides the clock) need a timezone?

While I don't know how to anonymize the screen resolution, at least you can anonymize the timezone on Windows & Linux with a simple script, e.g.,
o tzutil.exe /g
o tzutil.exe /s "Pacific Standard Time"

Where you then need a freeware clock that works outside machine settings:
o http://www.clocx.net/download.php
o https://www.dualitysoft.com/dsclock/index.html
etc.

In short, I echo your sentiment asking "Why" a browser needs this stuff?
#18
On 2020-01-13, Arlen Holder wrote:
> On Mon, 13 Jan 2020 01:02:06 GMT, Melzzzzz wrote:
>> Yep. It is really difficult to hide browser info, while still wanting sites to work properly. But question is: how useful is that info? I mean screen res and all that?
>
> I agree with you, Melzzzzz that a browser seems to "ask for" way more information than it should ever _need_ to know.

Browser can access any info any application can access.

> For example, you bring up screen resolution, which, at least, the TBB anonymizes (AFAIK) to 1000x1000x24 which works just fine as long as you don't resize your browser window (AFAIK).
>
> So why can't _all_ browsers simply use 1000x1000x24 by default?
>
> Likewise, why does a browser _need_ your timezone?
> o What other program you own (besides the clock) need a timezone?

To display proper time?

> While I don't know how to anonymize the screen resolution, at least you can anonymize the timezone on Windows & Linux with a simple script, e.g.,
> o tzutil.exe /g
> o tzutil.exe /s "Pacific Standard Time"
>
> Where you then need a freeware clock that works outside machine settings:
> o http://www.clocx.net/download.php
> o https://www.dualitysoft.com/dsclock/index.html
> etc.
>
> In short, I echo your sentiment asking "Why" a browser needs this stuff?

Malicious software can do much more than collect some info widely available.

--
press any key to continue or any other to quit...
I enjoy nothing as much as my status as a DISABLED PERSON -- Zli Zec
We are all witnesses - about 3 years of intensive propaganda is enough to drive a nation mad -- Zli Zec
In the Wild West there actually wasn't that much violence, precisely because everyone was armed. -- Mladen Gogala
#19
Arlen Holder wrote in :

> On Mon, 13 Jan 2020 00:57:35 +0000 (UTC), Spamblk wrote:
>> To minimize the fingerprinting the TOR browser could possibly do this by adapting a common browser useragent string and all of its engines features.
>
> I appreciate the purposefully helpful conversation on browser privacy.
>
> Thanks for the information about the web kit where it's my understanding, from what I recall, that at least the Firefox-based Tor browser bundle (aka TBB, or tbb) anonymizes certain fingerprinting things.

Certain but probably not all fingerprinting things (my perhaps not so humble opinion not based on ever downloading or trying TOR, though).

> https://www.torproject.org/
> "Tor Browser aims to make all users look the same, making it difficult for you to be fingerprinted based on your browser and device information."

Keyword here is "aims". Having an aim is not the same thing as success with that aim. It's like the Mozilla preference "privacy.resistFingerprinting". NB the preference is not called "privacy.stopFingerprinting" possibly because Mozilla does not supply a means to stop fingerprinting. Put another way it might resist a few fingerprinting attributes but few plans to stop all of them. Fingerprinting is here to stay.

> My main question is why does a browser _need_ all that information?

IMO a browser doesn't.
#20
Melzzzzz wrote in :

> On 2020-01-13, Spamblk wrote:

SNIP

>> browser by adopting all of those engines features whilst disabling all unique Gecko engine features. Browser fingerprinting is here to stay.
>
> Yep. It is really difficult to hide browser info, while still wanting sites to work properly. But question is: how useful is that info? I mean screen res and all that?

Screen resolution on its own? Probably little value. As the EFF explains, though, it is the combination. Fonts, language, Geolocation (Country, State, province), timezones, fonts installed, extensions, screen width, height, viewport width and height.... Then if you are a Mozilla browser with a userAgent string trying to pretend to be a Webkit browser sites can flag this rare combination into another useful few bits of a unique ID.

It was not always like this. Back in the days of NCSA Mosaic the idea was HTML would be a flexible markup language. HTML would be so adaptable that if your screen resolution was 40 chars or 140 chars the display attributes would be used at the client side to display the markup. Sites back then didn't know your screen resolution yet if I recall rightly there were few display issues arising.
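The "it is the combination" argument in the post above can be made concrete by counting how many visitors share each attribute value and converting that to bits. This is an added example, not part of the thread: the eight-visitor population is constructed, the function names are hypothetical, and the uniform "UTC" timezone is an assumption (the 1000x1000 screen value is the one mentioned earlier in the thread).

```javascript
// Constructed sample population: 8 hypothetical visitors, not measured data.
const visitors = [
  { userAgent: "Firefox/72", timezone: "UTC-8", screen: "1920x1080", language: "en-US" },
  { userAgent: "Firefox/72", timezone: "UTC-8", screen: "1366x768",  language: "en-US" },
  { userAgent: "Firefox/72", timezone: "UTC+1", screen: "1920x1080", language: "en-GB" },
  { userAgent: "Firefox/72", timezone: "UTC-5", screen: "1920x1080", language: "en-US" },
  { userAgent: "Chrome/79",  timezone: "UTC-8", screen: "1920x1080", language: "de-DE" },
  { userAgent: "Chrome/79",  timezone: "UTC+1", screen: "1366x768",  language: "en-US" },
  { userAgent: "Chrome/79",  timezone: "UTC-8", screen: "1366x768",  language: "en-GB" },
  { userAgent: "Chrome/79",  timezone: "UTC-5", screen: "1366x768",  language: "de-DE" },
];

// Number of visitors indistinguishable from `target` on the listed attributes.
function anonymitySet(population, target, attrs) {
  return population.filter(v => attrs.every(a => v[a] === target[a])).length;
}

// Identifying information in bits: log2(population size / anonymity set size).
function surprisalBits(population, target, attrs) {
  return Math.log2(population.length / anonymitySet(population, target, attrs));
}

// Model every browser reporting the same fixed value for one attribute.
function withUniform(population, attr, value) {
  return population.map(v => ({ ...v, [attr]: value }));
}

// Per-attribute bits for `target`, followed by the bits of the full combination.
function report(population, target) {
  const attrs = Object.keys(target);
  const rows = attrs.map(a => [a, surprisalBits(population, target, [a])]);
  rows.push(["all combined", surprisalBits(population, target, attrs)]);
  return rows;
}

for (const [name, bits] of report(visitors, visitors[0])) {
  console.log(`${name}: ${bits.toFixed(2)} bits`);
}

// Same population, but screen and timezone are reported uniformly by everyone.
const uniform = withUniform(withUniform(visitors, "screen", "1000x1000"), "timezone", "UTC");
console.log(`uniform screen+timezone, all combined: ${
  surprisalBits(uniform, uniform[0], Object.keys(uniform[0])).toFixed(2)} bits`);
```

Each attribute alone splits this population in half (1 bit), yet the four together single out the first visitor; the uniform values only help because every visitor in the modelled population reports them.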
#21
On Mon, 13 Jan 2020 11:31:46 +0000 (UTC), Spamblk wrote:
> It's like the Mozilla preference "privacy.resistFingerprinting"

Nice suggestion! Much appreciated!
1. Start a Mozilla-based browser
2. about:config
3. privacy.resistFingerprinting
o privacy.resistFingerprinting true
o privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts true
o privacy.resistFingerprinting.jsmloglevel Warn
o privacy.resistFingerprinting.reduceTimerPrecision.jitter true
o privacy.resistFingerprinting.reduceTimerPrecision.microseconds 1000
o privacy.resistFingerprinting.target_video_res 480
o services.sync.prefs.sync.privacy.resistFingerprinting true
o services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter true
o services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.microseconds true

I had not known about these until now.

Thanks for providing helpful fingerprinting advice for Mozilla browsers.

--
Usenet is a public potluck where purposefully helpful adults share knowledge.
#22
Arlen Holder wrote in :

> Thanks

You're welcome.

> for providing helpful

Opportunity to point out that

> fingerprinting advice

Firefox is that whilst it may be "resisted" it cannot be stopped.

> for Mozilla browsers.
#23
On Tue, 14 Jan 2020 03:17:07 +0000 (UTC), Spamblk wrote:
> Firefox is that whilst it may be "resisted" it cannot be stopped.

We can't forever put off tyranny, death and destruction either; but it doesn't mean we shouldn't constantly try.
#24
Arlen Holder wrote in :

> On Tue, 14 Jan 2020 03:17:07 +0000 (UTC), Spamblk wrote:
>> Firefox is that whilst it may be "resisted" it cannot be stopped.
>
> We can't forever put off tyranny, death and destruction either; but it doesn't mean we shouldn't constantly try.

If Firefox puts 50 or more fingerprinting features into its increasing Chrome-like bloated browser then providing a few preferences which it claims resists fingerprinting (without really defining what it means by "resist"), so what?

So the nice Mozilla folks load their browser with specific Gecko-centric features and extensions for sites to datamine and enjoy then provide a few preferences to persuade the proles that one or two can be resisted. Holy fingerprinting bloated browser, Batman!!

If you want to resist fingerprinting have a few portable browsers at hand to run at various times. You ain't gonna resist fingerprinting using only Mozilla's webextensions compatible, bloated, Gecko-centric CSS using, relentlessly home-phoning browser.

Don't agree? Fine. I'm outta this thread.