Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Firefox Mozilla Open Source Privacy

Firefox Borrows From Tor Browser Again, Blocks Canvas Fingerprinting ( 92

An anonymous reader writes: Mozilla engineers have borrowed yet another feature from the Tor Browser and starting with version 58 Firefox will block attempts to fingerprint users using the HTML5 canvas element. The technique is widely used in the advertising industry to track users across sites. Firefox 58 is scheduled for release on January 16, 2018.

Canvas fingerprinting blocking is the second feature Mozilla engineers have borrowed from the Tor Project. Previously, Mozilla has added a mechanism to Firefox 52 that prevents websites from fingerprinting users via system fonts. Mozilla's efforts to harden Firefox are part of the Tor Uplift project, an initiative to import more privacy-focused feature from the Tor Browser into Firefox.

This discussion has been archived. No new comments can be posted.

Firefox Borrows From Tor Browser Again, Blocks Canvas Fingerprinting

Comments Filter:
  • by Anonymous Coward

    Web browsers should add these kind of features, not other silly stuff.

  • Fingerprint blocking is a good feature, unlike the last unnecessary "screen print" or whatever feature. However, I won't be "upgrading" because half the addons I need won't work. :( I suspect a lot of us will be stuck on older versions of Firefox for quite a while...

    • Re:Addons (Score:5, Informative)

      by serviscope_minor ( 664417 ) on Saturday November 04, 2017 @12:21PM (#55489213) Journal

      I've actually spoken informally to some firefox people in person regarding addons.

      They do know it's a problem, but they feel that the temporary disruption was worth it. They also know the new webextension system is not yet up to the task of replacing the old extensions, but neither is the old one is severely holding up the browser in terms of both security and performance.

      The idea is that they get the first version up and running, then work on improving the extension system to put back as many of the missing bits as they can, but in a manner which doesn't break performance or security. With luck, by the time the last pre change LTS goes out of support, the new extension will be able to support the kind of things that people need. Apparently there are quite a lot of heavy extension users at Mozilla so there's internal pressure to get firefox to be as good as it always was in this regard.

      Personally I'm optimistic that they can achieve their goal.

      • Re:Addons (Score:5, Interesting)

        by markdavis ( 642305 ) on Saturday November 04, 2017 @12:36PM (#55489287)

        I understand their reason and desire to switch to webextension, but the issue is that there are some things that many of us need to do that NO "webextension" addon is going to be allowed to do. This is because these new addons will not be allowed to modify the UI or underlying operation of the browser. Three such examples:

        FlashStopper (stops html5 video autoplay)
        ClassicThemeRestorer (makes the UI bearable)
        EnvironmentProxy (sets proxy based on environment variables)

        I am confident other important addons will be retained- I already see that UblockOrigin, Adblock Plus (as "AdBlock 57+"), and NukeAnything all work. But I can't bear to use the browser without certain other things.

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          At this point it's become clear that anything more transformative than basic UI stuff is not something that can be properly supported while keeping the core product tenable. I too went through a denial phase where I presumed that it was possible to keep every addon working while fixing the core browser, if Mozilla just magically put in even more effort and didn't care what it actually cost, but we have to acknowledge reality sooner or later. We're not the ones doing the work, we're just complaining that we

          • Re:Addons (Score:5, Interesting)

            by markdavis ( 642305 ) on Saturday November 04, 2017 @02:17PM (#55489689)

            Well said. I think the main issue was and has been, however, that Mozilla hasn't really been listening to what the users (and often developers) are saying. We wouldn't complain about the loss of addons that modify the UI had Mozilla not taken away the native ability for user to control the UI. A classic example is "tabs on bottom." It was HUGELY unpopular when Firefox finally removed that single option. And there was really no good reason to remove it. Addons saved the day, and now that will be gone too. And they added insult to injury by adding stuff that users didn't care about or want, things like screenprint, hello, pocket... things that could have easily been optional or even included addons. Development resources that could have gone to filling that UI-control that users do want, and/or performance, and/or bug fixing.

            My example of the "Flash Stopper" addon really is a perfect example of the jam in which people find themselves. It is something the browser should be able to do, natively and correctly. Autoplay of video is a HUGE annoyance to many users. And the built-in feature that Firefox offers to supposedly help control the problem is just broken. Here is the bug report: [] 2 years and still broken! And now the addon that fixed the problem for perhaps 50,000 users (who managed to find it) will be forever gone because WebExtensions won't allow even third-parties to fix it.

            My other example- the Environment Proxy is another perfect example. Up to version XX (forget which), Firefox honored the environment variables for simple proxy control. And one day- BAM, it is just broken. An addon came out to work around the problem, and many years later, there is STILL no native fix. And WebExtensions will take away that solution, too.

            So please understand why I am complaining so loudly. It isn't just about not liking change, there are real issues that leave me and others in a real pickle.

            • Re: (Score:1, Insightful)

              by Anonymous Coward

              The problem here isn't that Mozilla chose to not replace everything, but that they chose a timeline that doesn't work for you. You expected them to miraculously have everything ready for you on a silver platter before they shipped an improved core browser, and when they decided they couldn't do everything before they *had* to ship a core browser, you found yourself in a pickle.

              Anyone complaining that they're "not listening" is honestly just full of themselves at this point. Mozilla clearly are listening: th

          • At this point it's become clear that anything more transformative than basic UI stuff is not something that can be properly supported

            Even the UI isn't malleable enough.

            I tried Firefox 57 during the first few days of beta. When reaching for Ctrl+W, Ctrl+Tab, or Ctrl+Shift+Tab while researching sources to cite in a Slashdot comment, I would often accidentally press the adjacent Ctrl+Q, causing data loss in forms that neither the browser nor the website knows how to save. Firefox's Restore Previous Session doesn't save script-built forms, such as Slashdot's inline reply form. Nor does Slashdot save them at Preview.

            The Keybinder extension wo

        • This is because these new addons will not be allowed to modify the UI or underlying operation of the browser.

          Not so much. Firefox's UI can be modified with CSS. Just like when Australis was first introduced.

          Tree Style Tab is running in a customizable sidebar; normal tabs at the top can be hidden - with CSS. Try that in Chrome... The least useless SideTabs for Chrome is Sidewise, and it has to run in a completely separate window.

          There's also Tab Center Redux [] - a continuation of Mozilla's Tab Center [] (Test Pilot experiment), which completely replaces top tabs with side tabs.

          And for all the curmudgeons that reject cha

        • There's also the problem that defining a new API is something that's been put off for way too long, because they wasted so much time with marketing gimmicks and UI redesigns.

          It's an extensive change and certainly not easy, but it's clear to the Mozilla community that many things in the browser have been broken and essentially ignored for the better part of 10 years (freezes due to cycle collections, for example, which IMO is a bigger problem than raw performance). Once Chrome launched, Mozilla had an, "Oh,

      • Asshole hangs out with assholes. Whodathunkit?

      • Refusing to break backwards compatibility is how you end up in the situation Microsoft is in.

        Sometimes you need to clean out the attic. I've tested betas and am fairly impressed. Anything that is used will get ported or someone will make something to do something similar.

      • by Anonymous Coward

        It's not a terrible idea to get WebExtensions running and ramp up to a better feature set. It's turning off the old extension system while the new API implementation is still bare-bones which is causing the problem.

    • by MrL0G1C ( 867445 )

      https://www.waterfoxproject.or... []
      A fork that continues 'legacy' support.

  • Speaking of Firefox (Score:5, Informative)

    by wjcofkc ( 964165 ) on Saturday November 04, 2017 @12:18PM (#55489203)
    If like me you gave up on it years ago because it became bloated and slow, try out the latest beta. It's really fast even under a heavy load.
    • by antdude ( 79039 )

      OK, but what about the old extensions? :P

    • Memory usage got really bad in a recent release. Previously I'd have 10 windows open with around 100 tabs total, and that took up about 2 GB of RAM. For the last few weeks though, those same 10 windows/100 tabs causes Firefox to get up to 6 GB memory usage.
  • by FatdogHaiku ( 978357 ) on Saturday November 04, 2017 @12:33PM (#55489271)
    OK, "Mozilla engineers have borrowed yet another feature from the Tor Browser" sounds like they are ripping off some projects better design features, but to be fair, the Tor Browser is BUILT on Firefox to begin with.
    That being the case, how is this not just common sense on the part of Mozilla to use features of the derivative to make their own browser better? Tor is still using the Mozilla Public License for their browser so I just don't get the slant of the headline... []
    • Tor and Mozilla folks work together on these things. That's what they themselves say.

      • That only makes sense. My problem was with the confusing headline, the way it reads, there is something wrong with their arrangement, and I just don't see that...
  • Hope this trickles out as I have given up on Firefox and now use Pale Moon.
  • by Anonymous Coward

    I like the idea that Mozilla is working with the Tor guys, they have a lot in common.

    But not this. Tor users want to blend together to appear indistinguishable because that's what Tor itself does. But normal browser users aren't behind Tor. They don't have the same use case. What's the point of looking exactly like every other browser if you continue to use the same IP address for days at a time?

    Instead of just trying to block fingerprinting outright, Mozilla should be looking at ways to corrupt fingerp

  • Pale Moon (Score:3, Informative)

    by Paronymous_Coward ( 2744659 ) on Saturday November 04, 2017 @03:50PM (#55489991)
    Pale Moon [], a Firefox fork, has had this for ages in about:config
    Just set "canvas.poisondata" to "true"
    • by Anonymous Coward

      And the benefits for the feature there are rendered nonexistent, because you're one of a few thousand people using Pale Moon, and one of the ever fewer subset of those users who have toggled that feature.

  • by madbrain ( 11432 ) on Saturday November 04, 2017 @06:51PM (#55490529) Homepage

    Hey Mozilla engineers, if you really want to lower tracking for your users, you should change the default 3rd party cookies setting from "allow from visited" to "never". No more seeing ads for the things you have searched for, after doing that, among other things.

    It breaks a few low-value sites like some message boards, but screw those. Privacy is more important.

  • Just read the bugzilla thread. [] This is part of the `privacy.resistFingerprinting` preference which is disabled by default for all users. So developers who actually legitimately use canvas shouldn't be hit too hard. Just another post on the FAQ page.

A bug in the hand is better than one as yet undetected.