Hardening Firefox – a checklist for improved browser privacy

184 amarder 88 8/30/2025, 11:26:35 AM andrewmarder.net ↗

Comments (88)

nilslindemann · 4h ago
Notice, if you have all these settings enabled, you can still be fingerprinted. Test here:

https://fingerprint.com/

In my tests only Tor was able to prevent that, but using Tor will give you bad rankings on payment sites like PayPal, you may even get banned there.

I learned this from here:

https://news.ycombinator.com/item?id=35243355

That site is now black, surely a coincidence. Here is the archive.org link:

https://web.archive.org/web/20250801173508/https://www.bites...

Have a local copy.

4gotunameagain · 1h ago
cookiengineer · 2h ago
This is kind of a stupid ChatGPT article.

No, this will not effectively help to reduce the fingerprint of your Browser.

A LOT more tracking services are integrated into the Firefox browser in various places (like New Tab page, Sync, Pocket, Shavar, Google Safebrowsing, OCSP, etc pp).

I wrote a more detailed article about this, and got an "as good as possible" as a result.

But yeah, please please start to use a Host Firewall where you can block on a per-domain and per-port and per-process basis (like LittleSnitch, OpenSnitch etc) to validate your assumptions. UIs will always lie to you, including the one from Firefox.

[1] https://cookie.engineer/weblog/articles/firefox-privacy-guid...

olivergregory · 13h ago
Set the browser.ml.chat.enabled and browser.ml.enabled to false as they intensively use the processor and drain the battery. All that to just find the best name for your tab groups. I prefer to have my laptop last one more hour instead.
yunruse · 12h ago
I took a brief gander at its code [0] and saw it mainly focusses on k-means clustering algorithms (in JS, no less). To my ken this is likely for suggesting new tabs, something a user is even less likely to use than renaming them.

Its constant drain even when not 'in use' seems to imply it's classifying tabs as they change page (though it might be telemetry or uncommented testing). If so, it's an example of premature optimisation gone very wrong.

It's a shame, because it overshadows the fact that naming tab groups is a perfect use case for an LLM, alongside keyboard suggestions and reverse dictionaries [1]. I'm ardently distrustful of LLMs for many, many purposes, but for the tiny parameter and token usage needed it's hard to not like. Which is a shame it's (somehow) such a drain.

[0] https://github.com/mozilla-firefox/firefox/blob/7b42e629fdef... exports a SmartTabGroupingManager, though how or why that is used without being asked eludes me

[1] https://www.onelook.com/thesaurus/ Can be helpful in a pinch when a word's on the tip of your tongue, though its synonyms aren't always perfect.

aragilar · 3h ago
I recall an extension (I think by a Mozilla dev) which could do automatic grouping of tabs (back before tab groups was removed). I'm surprised this hasn't come back.
squigz · 7h ago
Does anyone here struggle so much with naming a group of tabs that you'd reach for an LLM? I mean... really? How often does a group of tabs need a more complex name than "Work", "Gaming", etc? Maybe a suffix for the work project?
st3fan · 10h ago
Wasn't that a bug that was fixed weeks ago? Like early August? If you are not averse to this feature then it is better to simply make sure you are running the latest version.
neobrain · 10h ago
It was also caught during progressive rollout, i.e. it never affected anyone who had disabled "studies" in their preferences.
olivergregory · 10h ago
I literally gained one hour off my charged battery when I switched these two settings off, just a week ago, and I keep my browser up to date. So not for me.
privatelypublic · 9h ago
On an 80wh battery, say you go from 7hrs to 8hrs, so- 10wh saved over 8hrs. That's a 1.125watt difference.

I propose the below as various factors that can be larger:

Slower fan speed because of lower ambient temperature.

Different dark/light ratio and/or adaptive screen brightness.

Wifi spectrum congestion, variable power levels to maintain proper SNR.

Wifi/ethernet- broadcast packets.

The list goes on. Most of these are below a watt, but demonstrate the point that you've got a lot more variables than just one setting in a browser.

craftkiller · 9h ago
You sound like 1.125 watts is insignificant to a laptop, but my laptop idles around 6 watts and it is currently using 8 watts since I've got some stuff running. Shaving off 1.125 watts is a 14-19% improvement.
Nab443 · 8h ago
The point is that the shaving might not be due to the firefox variable changes, but rather to other environmental differences.
privatelypublic · 7h ago
Exactly. And honestly- the screen is way way more than 1watt. According to RAPL power, a USB-PD power analyzer- changing the brightness on my 15" 4k OLED laptop screen can reduce power usage by 15-20W. The nature of OLED makes it hard to get a clear picture.
marc_abonce · 11h ago
I didn't know about these 2 settings but they were already disabled in my about:config. I wonder if Debian distributes a non-default about:config with Firefox.
tremon · 9h ago
They do, see /etc/firefox-esr/firefox-esr.js -- but the aforementioned settings are not in that file by default, and [0] seems to suggest Debian does not alter the compiled-in defaults either.

Some quick digging in the source suggests that it's simply not enabled by default in ESR 128. I don't know if that's because it's only enabled by default in a later release, or because it's disabled in all ESR releases; I suspect the former. Compare [1] and [2]:

  -pref("browser.ml.enable", false); # in upstream/128.14.0esr
  +pref("browser.ml.enable", true); # in upstream/142.0.1

The other pref, browser.ml.chat.enable[d] is not mentioned in that file at all.

(edit: according to [3a] and [3b], it's browser.ml.enable and browser.ml.chat.enabled... yay for consistency, I guess)

[0] https://sources.debian.org/src/firefox-esr/128.14.0esr-1~deb...

[1] https://salsa.debian.org/mozilla-team/firefox/-/blame/upstre...

[2] https://salsa.debian.org/mozilla-team/firefox/-/blame/upstre...

[3a] https://salsa.debian.org/mozilla-team/firefox/-/blame/esr128...

[3b] https://salsa.debian.org/mozilla-team/firefox/-/blame/esr128...
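
An added example (not from the thread, Mozilla or Debian): a small audit of Firefox pref files for the settings discussed above, reporting whether each one is explicitly set, overridden, or left to the compiled-in default, and flagging near-miss names such as `browser.ml.enabled`. The pref names are the ones given in the comments; the expected values, layer labels and sample file contents are constructed assumptions.

```python
import re
from difflib import get_close_matches

# One statement in pref-file syntax: pref("name", value); or user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*(user_pref|pref)\s*\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.MULTILINE)
# Block comments that open at the start of a line (the style used in user.js files).
BLOCK_COMMENT_RE = re.compile(r'^[ \t]*/\*.*?\*/', re.MULTILINE | re.DOTALL)


def parse_value(raw):
    """Convert a pref literal to bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw  # unknown literal, kept verbatim


def load_layers(layers):
    """layers: iterable of (label, text). Returns (defaults, user) dicts
    mapping pref name -> (value, label). Later statements win within a kind."""
    defaults, user = {}, {}
    for label, text in layers:
        text = BLOCK_COMMENT_RE.sub("", text)  # drop commented-out statements
        for kind, name, raw in PREF_RE.findall(text):
            target = user if kind == "user_pref" else defaults
            target[name] = (parse_value(raw), label)
    return defaults, user


def audit(layers, expected):
    """Compare the effective value of each expected pref with the wanted one.
    A user_pref value overrides a pref() default. A pref found in no file is
    'unset': it follows the compiled-in default, which can change per release."""
    defaults, user = load_layers(layers)
    seen = set(defaults) | set(user)
    report = {}
    for name, want in expected.items():
        if name in user or name in defaults:
            value, source = user[name] if name in user else defaults[name]
            same = value == want and type(value) is type(want)
            report[name] = {"status": "ok" if same else "mismatch",
                            "value": value, "source": source, "near_misses": []}
        else:
            # Names that look almost right but are not the expected pref.
            candidates = sorted(seen - set(expected))
            near = get_close_matches(name, candidates, n=3, cutoff=0.9)
            report[name] = {"status": "unset", "value": None,
                            "source": None, "near_misses": near}
    return report


# Wanted values: an assumption of this example, using pref names from the thread.
EXPECTED = {
    "browser.ml.enable": False,
    "browser.ml.chat.enabled": False,
    "browser.profiles.enabled": False,
}

# Constructed sample contents; on a real system, read the distro-wide file
# and the profile's prefs.js / user.js instead.
SAMPLE_LAYERS = [
    ("distro defaults", '''
// constructed sample of a distro-wide defaults file
pref("browser.shell.checkDefaultBrowser", false);
'''),
    ("user.js", '''
/* constructed sample overrides
user_pref("browser.ml.chat.enabled", true);
*/
user_pref("browser.ml.enabled", false);  // near-miss of browser.ml.enable
user_pref("browser.ml.chat.enabled", false);
user_pref("browser.profiles.enabled", true);
'''),
]

if __name__ == "__main__":
    for name, row in audit(SAMPLE_LAYERS, EXPECTED).items():
        hint = f"  (did you mean to set this? found {row['near_misses']})" \
            if row["near_misses"] else ""
        print(f"{row['status']:9} {name} = {row['value']!r} from {row['source']}{hint}")
```

Re-running the audit after each browser upgrade shows which prefs changed, disappeared, or were never actually set.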

marc_abonce · 5h ago
Thanks for the heads-up! Yeah, I'm running ESR 128 right now so when I upgrade to the next ESR I'll keep an eye on these settings.
geekamongus · 12h ago
I've been a Firefox die-hard since it was called Phoenix a couple decades ago. That said, over the last two months I've been testing Orion Browser (from Kagi, to which I subscribe), and am smitten with it. It's Apple only at the moment, which is a drawback, but if you live in that ecosphere, it's worth a look.

Orion is Webkit-based, can install extensions from Chrome OR Firefox, privacy respecting, and a whole lotta niceties for per-website tweaks and other customizations.

[0] https://kagi.com/orion/

thisislife2 · 6h ago
Orion indeed is a decent option for the privacy conscious as it is one of the few browsers that doesn't make any automated connections on startup (with the right config). But, if I remember right, they are still trying to get Ublock Origin to work perfectly on it (i.e. WebExtension support is still not fully supported on Orion).

PaleMoon ( http://www.palemoon.org/ ) is a hard fork of Firefox, with a mix of old tech (XUL) and new tech (from current codebase of Gecko), that is another full-featured zero-telemetry browser that doesn't make any automated connections. But on this too, the full features of uBlock Origin aren't supported as it is based on the abandoned uBlock Origin (legacy) codebase (though the legacy codebase has been updated by some PaleMoon developers, the original developers of uBlock Origin do not wish to support PaleMoon as it doesn't support WebExtension).

Then there's the Tor Browser ( https://www.torproject.org/ ) - it is a soft fork of Firefox, that supports the Tor network and has been configured by default to be "privacy hardened" - it has none of the crap that Mozilla bundles into Firefox, like Pocket, AI, Ads etc. The Tor software bundled in it can be easily deleted, to use it as privacy hardened Firefox. However, there are two issues with it - it does make unauthorised and unwanted automated connections (to SecureDrop) and you can no longer remove the NoScript browser extension that is bundled in it (you could from previous versions). When a browser maker forcefully bundles something in it, (however useful it may be), and does not allow you to modify it, that's well-founded ground to be suspicious of it. (Note: I did finally figure out that one can stop automated phoning to SecureDrop, after disabling it in about:rulesets ).

As the tor browser laid a good foundation to create a privacy hardened Firefox, there are many other browsers that are forks of the Tor browser - the Mullvad Browser ( https://mullvad.net/en/browser ) is a popular one, and Mullvad bundles its VPN service in it instead of the Tor network. Last I checked, it made some automated connections on startup, so I didn't bother to explore it further.

iknowstuff · 11h ago
I just need it to stop using Safari’s slow ass animation for the two-finger trackpad swipe back gesture
ProAm · 6h ago
Apple is for suckers who want a parent to tell them what they can and cannot do with their own devices. (IMO)
BaudouinVH · 15m ago
Privacy Possum is better than Privacy Badger imho
rsync · 7h ago
A fool's errand.

No matter how effective this list is, the settings will either revert, change, or be silently undone.

New settings will alter the efficacy of the old ones.

Existing settings will disappear.

The behavior you hoped to configure changed to its opposite.

Remember: there was one morning when we all woke up and saw every dns query sent to cloudflare doh by default, and with no opt-in.

ekianjo · 6h ago
> saw every dns query sent to cloudflare doh by default, and with no opt-in

True. And most people don't even know it.

gdgghhhhh · 9h ago
Also consider putting Firefox itself into a jail. E.g. using bubblewrap on Linux: https://gist.github.com/richardweinberger/cae9edeafeec4cdf65...
captainepoch · 2h ago
If you want a hardened version of Firefox, download LibreWolf.
BaudouinVH · 8m ago
or Waterfox
userbinator · 11h ago
If the first item isn't "whitelist JS", you're doing it wrong. So many problems arise from letting any site run programs on your computer that it's best to reserve the privilege to the most trusted of sites.
stusmall · 10h ago
Meanwhile if I see that I just move on. It just isn't practical to have a workable browser with JS whitelisting for the general case. I doubt people who do this actually do any kind of thoughtful review before hitting "accept". It just adds manual toil with limited benefit.

If they are doing meaningful review, I question how much they actually get done in life.

Sophira · 1h ago
When it was developed, uMatrix was a brilliant method of being cautious about what runs, and it had a logger so you could easily see what domains you should enable the current domain to have access to.

I still use it honestly, but I'll need to move on at some point - not just because it's MV2-only, but also I've found a way in which uMatrix can be bypassed if a website were to specifically target it. (It doesn't affect uBlock Origin, although I haven't tested the Lite MV3 version.)

braiamp · 9h ago
I have NoScript by default set to no run. Some sites work better without it.
userbinator · 7h ago
I very clearly remember, many years ago, a site (which was otherwise perfectly usable) nagging me to "enable JS for a better experience"; curious, I did and was immediately assaulted with all manner of hostile and irritating crap like popups, text selection hijacking, and even attempts to disable the right-click menu. Hurriedly disabled JS again to regain sanity. Nope. I'm never falling for that again... Of course the problem these days is with sites that don't work at all without JS even if they're just static content, and I suspect part of the reason is to force-feed you the crap along with the real content.
userbinator · 7h ago
It's quite telling that even the mobile version of Chrome, well known for being the most user-hostile browser, has the option to whitelist or blacklist JS and various other features like location access.

Chrome didn't have anything other than a global JS on/off at first, so they clearly added this feature later.

mixmastamyk · 8h ago
You only have to whitelist your top sites once, not every day.
1oooqooq · 10h ago
and it's trivial to do with uBlock.

it has both a global option to disable js, and an option to set a keyboard shortcut to reenable as needed for each site.

amarder · 19h ago
This checklist is a work in progress, would love to hear your feedback.
Bender · 18h ago
Good work. There are some hardening options that you may be able to glean from ArkenFox [1] and Betterfox [2]. Another addon to consider listing is CSS Exfil protection [3a] CSS Exfil Test Site [3b].

[1] - https://github.com/arkenfox/user.js

[2] - https://github.com/yokoffing/Betterfox

[3a] - https://addons.mozilla.org/en-US/firefox/addon/css-exfil-pro...

[3b] - https://www.mike-gualtieri.com/css-exfil-vulnerability-teste...

amarder · 17h ago
Awesome, will check these out, thank you!
mmphosis · 14h ago
backscratches · 10h ago
Librefox is the most robust/maintained fork I've come across.
mmphosis · 4h ago
backscratches · 3h ago
Typo! sorry. Librewolf is what I meant.
arcfour · 5h ago
Personally I leave the anonymous daily usage ping enabled in the (perhaps naive) hope that my use of Firefox being counted might help keep it afloat/popular. I guess that's not really in the spirit of a privacy-focused hardening guide but it is something that some may wish to consider.

Some may argue that the data that is included is a bit much for a "daily usage ping," an assertion that I won't dispute—but I will say that I appreciate the fact that Firefox even provides this level of transparency in the first place:

https://dictionary.telemetry.mozilla.org/apps/firefox_deskto...

touristtam · 10h ago
NoScript to automatically disable JS on first load, something to deal with Cookies (like cookie auto delete) and making use of MultiAccount containers. (defo privacy badger installed as well).
speckx · 12h ago
Also have a look at https://ffprofile.com/
trod1234 · 14h ago
This is quite a rudimentary checklist, and it won't provide much in terms of privacy protections, but it will break a number of sites.

The current state of browser-fingerprinting is off-the-rails, where they deny service if they don't get those fingerprints, and the browser to a lesser degree has had its securities/privacy protections gradually degraded.

Stock Firefox will not be able to provide any sufficient guarantees. There are patches that need to be re-compiled in, because there have been about:config options removed.

I highly suggest you review Arkenfox's work, most of the hardening features he recommends will provide a better defense than nothing. He regularly also contributes to the Mullvad browser which implements most of his hardening and then some but also has some differentiation from the Tor Browser, but many of the same protections.

The TL;DR of the problem scope is that there are artifacts that must be randomized within a certain range. There are also artifacts that must be non-distinct so as to not provide entropy for identification (system fonts and such that are shared among many people in a cohort).

JS, and several other components, if it's active will negate a lot of the defenses that have been developed to-date.

Additionally, it seems that in some regional localities Eclipse attacks may be happening (multi-path transparent MITM), by terminating encryption early or through Raptor.

At a bare minimum, there seem to be some bad actors that have mixed themselves into the root pki pool. I've seen valid issued Google Trust certs floating around that were not authorized by the owner of the SAN being visited, and it was transparent and targeted to that blog, but it's also happened with vendors (providing VOIP related telco services).

It seems some ISPs may be doing this to collect sensitive data for surveillance capitalism or other unknown malign purposes. In either case TLS can't be trusted.

michaelt · 10h ago
> I've seen valid issued Google Trust certs floating around that were not authorized by the owner of the SAN being visited

Did you confirm with the owner that they were unauthorized?

And can you point to the certificates in the Certificate Transparency logs?

ranger_danger · 14h ago
> JS, and several other components, if it's active will negate a lot of the defenses that have been developed to-date.

I thought if you disabled JS, then that would greatly narrow down which user on the internet you are, since very few people (in comparison to everyone else in the world) actually do this.

> not authorized by the owner of the SAN being visited

Source?

> TLS can't be trusted

Do you have more info on this? Why are more people not worried about it?

trod1234 · 11h ago
> I thought if you disabled JS, then that would greatly narrow down which user on the internet you are...

It is a fundamentally cursed problem that has a lot of nuance.

You have buckets of people, and the entropy or difference between your collected artifacts and others must be sufficient to uniquely identify a single person, that is the point of fingerprinting. Your natural defense is in not sticking out of that group/crowd uniquely so others in the group may carry the same range of fingerprints.

At the same time, if you homogenize the artifacts to limit it down to a single fingerprint the sites will simply deny access.

Disabling JS altogether doesn't identify you aside from the fact that you are part of the overall group that has it disabled, the trade-off is that all the entropy JS would normally collect cannot be collected. So while they cannot identify you uniquely they can identify the group by denying that group, and that is the fundamental weakness of binary switches. It's a constant cat and mouse.

> not authorized by the owner of the SAN being visited.
>
> Source?

Firsthand experience with a large VOIP provider where communications would fail intermittently but in targeted ways that avoid common test failures. Call tests would intermittently but routinely fail in the silent-fail domain of interrupt driven calling (where you wouldn't know a call was inbound), and the failures would occur only in that domain. The issues were narrowed down to a mismatch in certificates through a lengthy support correspondence where the hosted certificate vs what was being provided at the edge were different. The artifacts were compared manually through correspondence.

The certificate revocation was revoked within 48h once the vendor reached out to Google, but we've seen it happen twice now. The standards in general use don't have a means aside from revocation to handle bad-acting at the root-PKI level. Chain of trust issues like this have been known about for over 2 decades in the respective fields.

> Do you have any more info on this? Why are more people not worried about it?

On the specifics? The Princeton Raptor attack paper (2015) covers the details. Early termination of encryption, and traffic analysis are pretty bad.

Why more people aren't worried? I suppose it's because most of the security industry (not all) has accepted the fact that device security is porous, and there isn't really much you can do to hold the manufacturer responsible or to make changes. Surveillance capitalism is also incentivized through profit motive to impose a state of complete and total dependency/compromise.

The state of security today, with your almost routine data breaches every quarter, is a direct consequence from lack of liability, accountability, and regulation, and honestly people in the overall media have stopped listening to many of the experts. They don't want to know how bad, bad is.

The breadth and depth of scale is enough to drive one a bit crazy when looking at the unvarnished reality, it's such a complete departure from what is told that it becomes disbelief. The people are largely powerless to mitigate the issues as most of the market is silently nationalized in one form or another. It's no longer about the features people need, but about coercing the market where the only choice is what gets shoveled.

Do you suppose the average middle class worker has the headspace to worry about their county tracking their minute movements through suites of radio sensors (TPMS/OBD-2), or someone hacking into their car through the telematics unit while they're driving and disabling the braking, or inducing race conditions related to safety-critical systems?

While we may not care domestically about many of these things when we are told, given our stance on free-speech, if you're a critic of China; they might care, and no one's stopping them because the security deficits are almost equally imposed through inaction as they are through action.

Many of these uses are also not commonly disclosed; and manipulated rhetoric is jamming communication channels.

Cable modem security for instance requires a mandated backward compatibility to a 48bit RSA key (Cyphercon Talk), and while there are elevated security modes it boots in that mode, and pulls the config down remotely making it vulnerable to Eclipse.

Money-printing is largely what drives these incentives towards a dysfunctional market.

https://cyphercon.com/portfolio/exposing-the-threat-uncoveri...

https://www.youtube.com/watch?v=_hk2DsCWGXs

bmacho · 1h ago
Basic things that browsers lack:

  - hooks between network steps
  - hooks between steps while rendering/interacting with a website

Things that I want to do but I can't:

  - catch a request and modify it, e.g. when a webpage tells my browser to visit ajax.googleapis.com/jquery.js then my browser SHOULD NOT DO IT. Seriously, just don't start running shit on my computer when I click something. No one wants that, apart from Google. Not the users. I should be able to modify that request, and serve jquery from somewhere else.
  - stop the browser's javascript execution
  - run my own javascript (these two are currently unavailable together, if you don't allow javascript on a webpage, then you can't run your own) (or modify HTML/DOM in some other language)

I don't think Firefox is worth supporting, I believe it is a Trojan Horse of Google (or at least a Useful Idiot), and its existence is the main reason we have exactly 0 browsers (open source or proprietary) right now. It should die, so something else might flourish.
cxplay · 2h ago
Firefox doesn't "help your privacy" and make promises just because it's developed by Mozilla, and Chromium doesn't become worse than Firefox just because it's developed by Google. As others have said, this article feels like it was written by an LLM.
merek · 6h ago
Will enabling "HTTPS-Only Mode" block http://localhost? If so, it would interfere with web development.
sltkr · 5h ago
No, it doesn't block localhost.

Also you can add exceptions, so if you have e.g. a HTTP-only server on your local network, you can whitelist it manually.

Refreeze5224 · 5h ago
No, you can always continue on to non-HTTPS pages.
qingcharles · 4h ago
Can you create some certs for yourself?
navigate8310 · 11h ago
Or use LibreWolf and call it a day.
Dwedit · 8h ago
Librewolf randomizes your time zone data on every page load, screwing with websites. It's on by default, and can be turned off.
mixmastamyk · 11h ago
It’s not directly in popular distributions unfortunately.
pndy · 5m ago
It's available as flatpak for a while - if that changes anything
backscratches · 10h ago
True but the next best thing is arkenfox which is even more of a pain. Librefox makes a lot of the flags toggleable/visible in settings which is convenient too.
temp0826 · 13h ago
I just want something (config or extension or instructions or whatever) to give me the best (rather, most common/average) fingerprint possible according to that EFF tool. Does that exist?
henrixd · 6h ago
You have to choose from one of two strategies, either you go with tor-browser (also includes Mullvad-browser) route and try to make your browser indistinguishable from others or you randomize values to make stable fingerprinting impossible.

When trying to be similar to everyone else, even small changes to the browser, like changing window size, can make you easily identifiable from everyone else. Randomizing will allow you to modify your browser. None of the fingerprinting protections matter if you use your browser and session to login to some sites.

I use multiple browsers. One is for login to sites and tor-browser is for most of my browsing.

This is easily the best fingerprinting extension that I have found so far: https://jshelter.org/

olivergregory · 13h ago
That’s the extension Privacy Badger.
HelloUsername · 11h ago
ranger_danger · 7h ago
IMO the EFF tool is a bad test because it only compares you against other people that have used the tool.

A better test would be CreepJS in my opinion: https://abrahamjuliot.github.io/creepjs/

I'm not aware of any FOSS browser setup that can actually result in a random FP ID shown in creepjs on every page load (please prove me wrong).

efilife · 12h ago
This probably won't be perfect on the EFF tool but try arkenfox
temp0826 · 7h ago
I think it just makes me a little sad that despite the effort I've put in, that tool (called Cover Your Tracks btw, or other ones like amiunique) still report that I am indeed unique.
Dwedit · 8h ago
How would you know if DuckDuckGo actually respected privacy? It's a black box.
mixmastamyk · 8h ago
DDG reports all clicks to links.duckduckgo.com and improving.duckduckgo.com, etc. Which AdGuard seems to block, and maybe one of my browser settings/extensions as well.
Dwedit · 2h ago
Allegedly they do that for "referer protection" reasons to hide the search term that was used to get to the site.
50208 · 11h ago
Thanks for this ... great start. Mozilla Firefox COULD be an even more powerful source for good. Stop focusing on BS VPN, AI, etc ... focus on great browser, security, privacy. There is a possible niche for a centrally managed, security focused browser for companies ... like the Island Browser ... as an option.
dotcoma · 19h ago
Shouldn’t Firefox come hardened out of the box ?
jdlshore · 13h ago
There’s tradeoffs between privacy and convenience. Mozilla makes a particular set of tradeoffs, based on their judgment of what the average user will put up with; checklists like this allow you to make more aggressive tradeoffs.
amarder · 19h ago
Yes, but a lot of Mozilla's money comes from Google. https://www.pcworld.com/article/2772034/googles-search-monop...
50208 · 10h ago
Isn't that just to provide the search engine default? Which is easily changed?
50208 · 10h ago
That would be a great move by Mozilla. Have a "secure" version: Firefox, Firefox ESR, and Firefox SECURE. Or maybe just provide a switch to turn on.
542458 · 10h ago
90% of the stuff in the OP will break certain sites… The problem is that non-technical users will think “oh, privacy, that’s good” (which it is, don’t get me wrong), click the “max privacy” option, but then be unable to fix things when they don’t work and switch back to Chrome.
1oooqooq · 10h ago
remember that "firefox -p" opens the profile manager so you can have one profile without the last two items on that list, just for when you need one or two sites that have broken login code that requires 3rd party cookie (it's always for malicious reasons rather than incompetence, but if you have to login you have to login)
panarky · 8h ago
Hypersegregate browsing with profiles.

One profile for banks, a different profile for Amazon, a third profile for Google sites, a fourth for news sites I log into, a fifth for news sites I don't log into, a sixth that automatically forgets everything on exit for sites that UBO breaks.

Then delete all data on each profile periodically, weekly for news sites, monthly for Amazon and banking sites.

It's a giant pain in the ass juggling all these profiles. Seems like there should be a browser that automatically and transparently isolates every site in its own profile.

pndy · 8h ago
Mozilla introduced a new profile manager for Firefox somewhere around May. This thing uses a new storage format and ignores already existing "old" profiles, except for the default one. Data remains untouched, profiles created in the past are still here accessible by about:profile and if you don't want to use that new profile manager set browser.profiles.enabled entry to false.

From what I've seen around, people using the popular customized Firefox variants, like Floorp and Librewolf, were surprised by this and not fond of the change.

mixmastamyk · 13h ago
There are things I also do like removing sponsored links on the about page and url bar. Also disable type-ahead to search engine.

My understanding is that Privacy Badger no longer learns by default. I never wanted that, just block known things, like search engine click hijacks.

I’m not sure what to do about the user agent header. Changing or simplifying it tends to break sites. Also I’d like to promote Linux there but that’s at odds with privacy.

mixmastamyk · 11h ago
Sorry, not the about page, the newtab page.
positron26 · 2h ago
My entire feeling about privacy is that, while surveillance economy tends to amplify the worst parts, ultimately, Richard Thieme's presentation is right: https://www.youtube.com/watch?v=atDgnkvzD8I

Thought experiment: in 100 years or even ten, can you imagine that there will not be tiny little camera robots that can get into the home of every person alive? Wouldn't every single living person be prone to having nude and unflattering, private moments leaked all over the internet?

Socially, if privacy is a construct, then so is the fallout we expect others and ourselves to feel when privacy is violated. To some extent, not all, this is self-inflicted Victorian thinking. To the extent that it's true, part of the answer is, in the words of the brave (lol) Michael Cohen, "So what?" Really, so what? I hope we can get to that kind of reaction to adults having their privacy upended because it just takes so much of the bite out of the problem, the shame that relatively innocent people would experience for something completely out of their control.

As far as the getting it back under control thing, we may also be coming to a point that more technologies are so dangerous or impactful that there becomes a need for more strict control so that powerful tech like miniaturization produces paper trails and the use of such technology comes with an implicit requirement for openness. I don't really care that people can use miniaturization, but I care if they can anonymize it to the extent that we create a lawless society with no remaining means of accountability.

What *will* Russia and North Korea do when it becomes plausible to unleash little robot assassins either in small numbers to target individuals or mass numbers to carry out what is essentially nuclear scale death without nuclear scale fallout and destruction? It is plausible that this is a new facet of WMDs and MAD-based deterrence.

Privacy, robots, and the inevitable slide into world war 3.

piskov · 12h ago
After the shit Mozilla pulled with ad/tracking this summer, the first step for improved privacy should be to delete firefox and switch to brave / what have you.
creesch · 12h ago
> switch to brave

Fun suggestion to switch to a browser that has a company behind it that has pulled a lot of shady stuff related to ads and tracking. A company where privacy is more marketing than a core value.

Edit: Since people are going to ask anyway, here is an article that covers a lot of the shady stuff brave pulled https://thelibre.news/no-really-dont-use-brave/

If you are one of those folks who don't care about the political arguments, feel free to skip over paragraph one and two. Paragraph three till ten cover actual shady stuff done by brave the company itself.

There is one more thing I can add to the list, though it wasn't as widely published about. At some point the team behind Brave decided to implement browser extension support from scratch and only support specific extensions. Which sounds okay in theory until you realize how they did so. Without involving the extension creator they would fork a version of the extension and bake that into Brave. They did so without informing the extension creator, meanwhile users would still go to the extension creator for support who couldn't fix a thing.

Every time one of these things come up, the Brave team either is irked (but changes it anyway) or goes "oh, yeah we'll remove it in the future". This to me indicates a company culture where there is no thinking ahead about the impact of features or where they simply don't care as long as they aren't called out on it.

This consistent pattern over a period of years has, to me anyway, shown that issues such as privacy or even being user centered are not a core part of their thinking but merely a marketing gimmick.

And to be ahead of the curve on some other things I have heard people say over this. Just that Mozilla sucks doesn't mean alternatives can't be worse.

piskov · 11h ago
Could you actually cite some from Brave’s privacy policy (as firefox has now) to corroborate these claims
creesch · 11h ago
See my updated comment, that contains all the details you should need. Unfortunately nothing about their privacy policy, I personally feel that actions taken by brave speak louder than whatever they have in their written policy.
backscratches · 10h ago
A fork of Firefox like librewolf is even better incentives I think