
Firefox To Add Tor Browser Anti-Fingerprinting Technique Called Letterboxing (zdnet.com) 101

Mozilla is scheduled to add a new user anti-fingerprinting technique to Firefox with the release of version 67, scheduled for mid-May this year. "Called 'letterboxing,' this new technique adds 'gray spaces' to the sides of a web page when the user resizes the browser window, which are then gradually removed after the window resize operation has finished," reports ZDNet. From the report: Advertising networks often sniff certain browser features, such as the window size to create user profiles and track users as they resize their browser and move across new URLs and browser tabs. The general idea is that "letterboxing" will mask the window's real dimensions by keeping the window width and height at multiples of 200px and 100px during the resize operation -- generating the same window dimensions for all users -- and then adding a "gray space" at the top, bottom, left, or right of the current page.

The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later. In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions.
The feature was first developed for the Tor Browser, and can be seen in action here. In order to enable the feature in Firefox, "users will first need to visit the about:config page, enter 'privacy.resistFingerprinting' in the search box, and toggle the browser's anti-fingerprinting features to 'true,'" reports ZDNet.
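
The rounding described in the summary, as an added example that is not Firefox or Tor Browser code. It assumes width is rounded down to a multiple of 200px and height to a multiple of 100px, and the ten visitor window sizes are constructed.

```javascript
// Added example: a simplified model of letterboxing, not Firefox or Tor Browser code.
// Assumption: width is rounded down to a multiple of 200px and height to a
// multiple of 100px, as the summary describes.
const STEP_W = 200;
const STEP_H = 100;

// Round one dimension down to its step. Assumption: a window smaller than
// one step is reported as-is, because there is nothing to round down to.
function roundDown(value, step) {
  return value >= step ? Math.floor(value / step) * step : value;
}

// Return the dimensions a script would read plus the gray margins
// that pad the real window around the rounded content area.
function letterbox(realW, realH) {
  const width = roundDown(realW, STEP_W);
  const height = roundDown(realH, STEP_H);
  const padW = realW - width;
  const padH = realH - height;
  return {
    width, height,
    margins: {
      left: Math.floor(padW / 2), right: padW - Math.floor(padW / 2),
      top: Math.floor(padH / 2), bottom: padH - Math.floor(padH / 2),
    },
  };
}

// Group visitors by the value a script observes and return bucket sizes.
function buckets(sizes, observe) {
  const counts = new Map();
  for (const [w, h] of sizes) {
    const key = observe(w, h);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy (bits) of the observed value across the population:
// lower means the dimension tells a tracker less about who is visiting.
function entropyBits(counts) {
  const total = [...counts.values()].reduce((a, b) => a + b, 0);
  let bits = 0;
  for (const n of counts.values()) bits -= (n / total) * Math.log2(n / total);
  return bits;
}

// Constructed sample: inner window sizes of ten hypothetical visitors.
const SAMPLE = [
  [1280, 671], [1366, 657], [1301, 688], [1440, 789], [1536, 722],
  [1920, 969], [1903, 937], [1252, 603], [1410, 741], [1599, 777],
];

const raw = buckets(SAMPLE, (w, h) => `${w}x${h}`);
const boxed = buckets(SAMPLE, (w, h) => {
  const b = letterbox(w, h);
  return `${b.width}x${b.height}`;
});

console.log("raw:", raw.size, "values,", entropyBits(raw).toFixed(2), "bits");
console.log("letterboxed:", boxed.size, "values,", entropyBits(boxed).toFixed(2), "bits");
```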
  • Well it's a step (Score:3, Insightful)

    by Anonymous Coward on Thursday March 07, 2019 @05:11AM (#58230038)

    A long way to go, but I like this direction.

    • Re:Well it's a step (Score:5, Interesting)

      by Joce640k ( 829181 ) on Thursday March 07, 2019 @08:16AM (#58230512) Homepage

      A long way to go, but I like this direction.

      Really? Firefox is still sending a stupidly detailed user-agent string, exact model of graphics card, list of plugins, list of installed fonts, screen resolution, time zone, etc.

      Hell, even your "Do Not Track" setting is useful to the people who want to track you - some people enable it, some people don't. Imagine that, a privacy-enhancing feature that decreases your privacy.

      • Re:Well it's a step (Score:4, Informative)

        by AmiMoJo ( 196126 ) on Thursday March 07, 2019 @12:04PM (#58231808) Homepage Journal

        They never sent stuff like a list of fonts, but the list can be gleaned via CSS. Simply create hidden CSS elements with every known font in use and then query them to see if that actual font was used. The browser will even helpfully not load the actual font because it can see that the element is hidden, to avoid your code grinding the computer to a halt.

        Screen resolution is the same. Even if they disable the direct JS query people would just make a bunch of CSS rules for different sizes and see which one is applied.

        The ability of CSS to adapt to things like screen size is generally a good thing, the problem is that Javascript can then figure out what it did. Blocking that is possible but will cause breakage, so it needs a major browser like Firefox to do it slowly and push web developers to fix the issues. If they do it quickly with massive breakage then users will complain.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      What a horrible way to spoof ad scripts.

      They abuse window dimensions, so the browser waste time & space drawing gray in order to faithfully report oddball window sizes?

      Don't waste time & space drawing gray. Just report fake rounded-down window sizes when the scripts query.

      There is no need to actually change the window size. Just lie to the ad scripts!

      • by Anonymous Coward

        Since ads don't identify themselves as such when they query for the information, all instances of code that request the window size will see the fake size, and thus the page as a whole will render as if the fake size were real.

        Padding it with grey is just to make it look less shitty to the end user.

    • by Stan42 ( 5773912 )
      Why not just use Tor then, will it make any difference? Learning here, thanks!
  • by Anonymous Coward
    Sure, but what happens when they deploy their missle-missle-anti-anti-anti-missle-anti-anti missles?
    • Re: (Score:3, Funny)

      by Anonymous Coward

      They learn to spell "missile" properly?

    • by lgw ( 121541 )

      Sure, but what happens when they deploy their missle-missle-anti-anti-anti-missle-anti-anti missles?

      Those were banned by the anit-anti-missile missive.

  • Except there are literally hundreds [browserleaks.com] of additional data points which allow websites to uniquely [eff.org] identify [amiunique.org] you. The best you could do without too much hassle is to run the English version of Google Chrome under the latest release of Windows 10 without any extensions or additional fonts installed. But even that is not enough since you still expose your time zone, WebGL extensions and then there are evercookies, mouse tracking, canvas fingerprinting, etc. etc. etc. [wikipedia.org]

    It surely looks like the WWW was built with tr

    • The web was envisaged as being open by design. As it originated as something running on a closed corporate network, such openness such as identifiable information of the user wasn't considered remotely dodgy. It's only subsequently that such information has been considered to be morally dubious thanks to those who spotted a potential revenue source and exploited it.

    • Whitelisting (Score:5, Insightful)

      by DrYak ( 748999 ) on Thursday March 07, 2019 @06:41AM (#58230258) Homepage

      Sadly it seems that whitelisting Javascript (e.g.: the Firefox NoScript extension) and keeping it to the bare strict minimum required to successfully display a web page is the only practical way to avoid/diminish the online tracking.

      Luckily, it seems that nearly all the web relies on 3rd party libraries to do the tracking and thus blocking 3rd party libraries and only allowing select few helps increasing the protection against tracking.

      • Re:Whitelisting (Score:5, Interesting)

        by AmiMoJo ( 196126 ) on Thursday March 07, 2019 @08:34AM (#58230584) Homepage Journal

        Whitelisting Javascript won't actually protect you from this, not entirely. For example the site can use CSS to load a different resource based on your browser window size, which the server can log along with your IP address.

        It's extremely difficult to block everything that could be used to identify a browser. A better technique is to poison the data, making it unreliable and ever-changing.

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          My browser strings used to show that my computer was an 8 bit Atari 800 with 16 MB of RAM, video card was a Hercules, the OS was MS-DOS 3.2, and that the web browser was Outlook Express. If the servers "need" to collect data then we should flood them with garbage data.

          • Re: Whitelisting (Score:2, Informative)

            by Anonymous Coward

            clearly uniquely identifiable and trackable

          • by Anonymous Coward

            Even better, choke them with poisonous garbage. They want to read back stuff? Each time, pick one of these actions:

            1. Scramble whatever they read. Be it an ad cookie, screen size or other fingerprinting stuff. The data will be useless.

            2. Use the teergrube technique of sending them one byte per minute - tying up their server for a long time. The problem is not that you alone do this, but if they have 10 000 such connections.

            3. Attempt to force a buffer overflow down their throat. They expected a less than

          • Re:Whitelisting (Score:4, Insightful)

            by AmiMoJo ( 196126 ) on Thursday March 07, 2019 @12:00PM (#58231782) Homepage Journal

            That really helps them uniquely identify you, because you are the only one surfing the web on an Atari 800.

            What you need is an add-on that randomly changes the browser ID string every few minutes. Use a common but randomly selected one.

    • Re:Great (Score:4, Interesting)

      by Wycliffe ( 116160 ) on Thursday March 07, 2019 @09:07AM (#58230708) Homepage

      Except there are literally hundreds [browserleaks.com] of additional data points which allow websites to uniquely [eff.org] identify [amiunique.org] you.

      The point isn't just to identify you as unique but for you to both be unique the first time AND recognizable the next time you come back. This seems like a much easier problem to solve. Just change as many of the settings as you can each time you visit a website. If you had a browser capable of randomly tweaking settings at each page load it should be able to add enough noise that browser fingerprinting would become worthless. As an added bonus, not only would it protect your browser, the noise would add a touch of herd immunity and help other people with stock browsers as well. The goal shouldn't be to lock down a browser so that nothing is leaked but rather to leak so much random crap that it becomes worthless.

    • The best you could do without too much hassle is to run the English version of Google Chrome under the latest release of Windows 10

      Run the browser that spies on you under the OS that spies on you? What a great idea!

  • by Anonymous Coward

    Isn't it trivial to write some JavaScript to delay a bit before reading browser dimensions?

  • by Anonymous Coward

    privacy.resistFingerprinting will set your useragent to Firefox 60, as I discovered when I visited the addons site in 65 and the page said I was running an incompatible version. A quick check of my useragent confirmed it was reporting 60; setting privacy.resistFingerprinting to the default false put the UA back to normal.

  • by dshk ( 838175 ) on Thursday March 07, 2019 @06:13AM (#58230202)
    Fingerprinting is useful for moderation and in the fight against trolls, cheaters etc. It is about identifying a computer, not about identifying a person. If they make moderation harder, then there will be less place to socialize on the web. Moreover, income from untargetted ads is only 1/3 - 1/10 of the income for targetted ads. The reduced income results in less service. People could easily pay to replace ad income, but microtransactions haven't taken off for 20 years. They cannot win either, at most they make the monopolies of the internet stronger. It seems the developer community around the web shoot itself in the foot.
    • by Anonymous Coward

      show us 1 discussion site that uses fingerprinting like you say?
      and fuck the advert companies, who gives a shit if they don't receive money, 10% of free money if still free, it's not as if they had to work for it

    • by Anonymous Coward

      Yah, and mass surveillance is useful to fight crime. Go live in China if you like that.

      I think what we need is a proxy in front of the browser (it has to handle TLS) which just manipulates the outgoing requests and LIES to the website. Because we have been given all reasons to mistrust most of them.

    • Fingerprinting is useful for moderation and in the fight against trolls, cheaters etc.

      That is one of its uses, sure. And that same use would happen if you required everyone to have a verified photo ID. This benefit isn't worth the cost.

      It is about identifying a computer, not about identifying a person

      I assume you know this is a lie. IDing a computer that looks at X, and IDing that same computer as signed into FB as Joe Schmo (at the same time?) is a clear way to link Joe Schmo to X.

      They cannot win eit

      • IDing a computer that looks at X, and IDing that same computer as signed into FB as Joe Schmo (at the same time?) is a clear way to link Joe Schmo to X.

        It doesn't work so well when Joe Schmo logs into Facebook from the same public library computer from which other patrons log into Facebook.

        • I don't see why. You're ignoring time information. And ad networks are both aware of computer sharing and very good at disambiguating the users.

          I mean, sure, Joe could use a public computer for X (which can no longer be something he cannot view in public, like porn or personal financial data). He could then leave, and come back later to use Facebook. But that's not what people really do. They have FB in one tab and X in another.

  • resources (Score:5, Insightful)

    by sad_ ( 7868 ) on Thursday March 07, 2019 @06:30AM (#58230236) Homepage

    people wonder why are today's computers, which are so powerful, so slow?
    well, this is the answer, first you have code running trying to identify who you are, then you have code running that tries to trick the other code detection mechanism. many cpu cycles are lost.

    cpu cycles are not the only wasted resource, mind you. there is also somebody coding all this stuff, which otherwise perhaps could have been implementing really cool things.

    • people wonder why are today's computers, which are so powerful, so slow?

      No they don't. We're dedicating very few resources to actually tracking. Most slowdowns are the result of poorly designed software or ignorant people realising how much more we're doing in software these days.

      There's no reason a tracking script (or 10) should have any impact on page load times. There's also no reason for anyone to think that using a browser from the early 00s would even function in today's internet.

      And as if to poetically prove the point I just got an email notification in my browser jus

    • This among other reasons is why I wish the Mozilla folks would integrate CPU throttling for background tabs. Chrome and Opera both have it. It is extremely effective and drives down CPU usage greatly for those of us who normally have a handful (or more) of tabs open. Hopefully, it's being worked on and I just can't see a single shred of evidence to that end because it's all being done quietly? It'd be a MUCH better feature than this letterboxing shit sounds like.
  • Maybe this is a stupid question, but wouldn't a better solution simply be to deny "advertising code" from being able to access the window size? Why does any website need to be told what your window size is anyway, or for that matter, why does it need to be told anything at all about you?

    • by tepples ( 727027 )

      Why does any website need to be told what your window size is anyway

      In order to choose the correct size of image to present to you, so that you don't end up wasting metered bandwidth downloading photos big enough to fill a 4K monitor just to display them on a smartphone's 480x800 pixel display.

  • by Anonymous Coward

    The advertising code, which listens to window resize events

    See, the problem is we seem to have reached the point of stupid where we let any random web page run scripts, as well as pulling in from any number of external assholes and parasites.

    So, I treat ad networks for what they are .. useless sacks of shit who add no value to my life, consume my resources, and wish to harvest my personal information against my wishes. And my solution to that is to block the fuck out of these pieces of shit.

    We need to get

    • by tepples ( 727027 )

      Anonymous Coward wrote:

      Sorry, but if you work for an analytics company, or an internet ad company, you really are a sack of shit

      Then let's discuss how to make "Internet ad companies" and the "sack[s] of shit" who work for them obsolete. It sounds like you and other Slashdot users like you want one of three things to happen: either A. you want to keep ads but destroy "Internet ad companies", or B. you want to fund the operation of websites through payments from users, or C. you want to fund the operation of websites through some means other than ads or paywalls.

      In case A, each website would have to hire, much a

      • by Wulf2k ( 4703573 )

        I'm all for case C.

        If it can't fund itself, does it really need to exist?

        If it's something that needs to exist, can't it fund itself?

        People get things going at the "individual's hobby" level. Shouldn't anything grander than that be even easier to get and keep going?

  • The general idea is that "letterboxing" will mask the window's real dimensions by keeping the window width and height at multiples of 200px and 100px during the resize operation -- generating the same window dimensions for all users.

    Okay, who here has a monitor with a display resolution that is a perfect multiple of 100 in both X and Y? Not most people, that's who.

    Does everyone who works on Firefox have an old 800x600 CRT or a laptop with a 1600x900 display or something? Because in the real world, there's a [wikipedia.org]

    • The way I read the summary was that the browser would maintain a "virtual window" inside of the real window. The real window could have any size; it is the size of the virtual window which would be quantised to 100px steps, and the gap between the real window and the virtual window would be the "letterbox".

      • But the point of this virtual window is that it is the value returned to the scripts, which is going to make it easier to target Firefox users.

    • Re:Idiots! (Score:4, Insightful)

      by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Thursday March 07, 2019 @08:53AM (#58230666) Homepage Journal

      DontBeAMoran ( 4843879 ) wrote:

      So congratulations, idiots. You just gave advertisers a way to target Firefox users even if they use a fake user agent string.

      Targeting "Firefox users" isn't as valuable as targeting "D. B. A. Moran" who lives on 484 38th Street, apartment 79.

    • We won't even talk about the problems this is going to create for web programmers who need to rely on knowing the exact size of the display for real-world purposes.

      What uses are these?

      • It's used to align things when CSS fails to have a proper solution. It's used for interfaces, games, etc. It can be used to determine what resolution of image to dynamically fetch for your device. No point in downloading a 4K photo for a laptop that's not even full HD.

        • by nadass ( 3963991 )

          It's used to align things when CSS fails to have a proper solution. It's used for interfaces, games, etc. It can be used to determine what resolution of image to dynamically fetch for your device. No point in downloading a 4K photo for a laptop that's not even full HD.

          You should be programming for the RELATIVE CONTENT POSITIONING and allow auxiliary scripts to dynamically fetch the right-sized create assets... Unless you're talking about scroll-over advertisements that are supposed to take over the entire screen, then yeah sure I can see why you're upset.

          The year 2001 called, it wants its fixed content positioning CSS definitions back...

          • Relative positioning usually works, but sometimes you need to calculate something and position things manually.

            Also... "allow auxiliary scripts to dynamically fetch the right-sized create assets...", how do you do that if not via javascript and reading the screen size?

