Firefox To Add Tor Browser Anti-Fingerprinting Technique Called Letterboxing (zdnet.com) 101
Mozilla is scheduled to add a new user anti-fingerprinting technique to Firefox with the release of version 67, scheduled for mid-May this year. "Called 'letterboxing,' this new technique adds 'gray spaces' to the sides of a web page when the user resizes the browser window, which are then gradually removed after the window resize operation has finished," reports ZDNet. From the report: Advertising networks often sniff certain browser features, such as the window size to create user profiles and track users as they resize their browser and move across new URLs and browser tabs. The general idea is that "letterboxing" will mask the window's real dimensions by keeping the window width and height at multiples of 200px and 100px during the resize operation -- generating the same window dimensions for all users -- and then adding a "gray space" at the top, bottom, left, or right of the current page.
The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later. In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions. The feature was first developed for the Tor Browser, and can be seen in action here. In order to enable the feature in Firefox, "users will first need to visit the about:config page, enter 'privacy.resistFingerprinting' in the search box, and toggle the browser's anti-fingerprinting features to 'true,'" reports ZDNet.
The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later. In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions. The feature was first developed for the Tor Browser, and can be seen in action here. In order to enable the feature in Firefox, "users will first need to visit the about:config page, enter 'privacy.resistFingerprinting' in the search box, and toggle the browser's anti-fingerprinting features to 'true,'" reports ZDNet.
Well it's a step (Score:3, Insightful)
A long way to go, but I like this direction.
Re: Well it's a step (Score:1)
_After all, you still see the ad eventually right?_
I dunno, what is an ad?
Re: (Score:2)
An ad is a message from a sponsor displayed in exchange for the sponsor's payment to a publisher (the operator of a website). If ads were banned, far more sites would have a paywall.
Re: (Score:2)
"If ads were banned, far more sites would have a paywall."
If ads were banned, far fewer sites would exist.
How you interpret that statement depends on whether you're an optimist or a pessimist.
Re: Well it's a step (Score:4, Interesting)
Note: I'm not a web designer or coder, so I could be talking out my ass when it comes to judging the difficulty involved. But I'd be willing to bet money on it.
Re:Well it's a step (Score:5, Interesting)
A long way to go, but I like this direction.
Really? Firefox is still sending a stupidly detailed user-agent string, exact model of graphics card, list of plugins, list of installed fonts, screen resolution, time zone, etc.
Hell, even your "Do Not Track" setting is useful to the people who want to track you - some people enable it, some people don't. Imagine that, a privacy-enhancing feature that decreases your privacy.
Re:Well it's a step (Score:4, Informative)
They never sent stuff like a list of fonts, but the list can be gleaned via CSS. Simply create hidden CSS elements with every known font in use and then query them to see if that actual font was used. The browser will even helpfully not load the actual font because it can see that the element is hidden, to avoid your code grinding the computer to a halt.
Screen resolution is the same. Even if they disable the direct JS query people would just make a bunch of CSS rules for different sizes and see which one is applied.
The ability of CSS to adapt to things like screen size is generally a good thing, the problem is that Javascript can then figure out what it did. Blocking that is possible but will cause breakage, so it needs a major browser like Firefox to do it slowly and push web developers to fix the issues. If they do it quickly with massive breakage then users will complain.
Re: (Score:2, Insightful)
What a horrible way to spoof ad scripts.
They abuse window dimensions, so the browser waste time & space drawing gray in order to faithfully report oddball window sizes?
Don't waste time & space drawing gray. Just report fake rounded-down window sizes when the scripts query.
There is no need to actually change the window size. Just lie to the ad scripts!
Re: (Score:1)
Since ads don't identify themsleves as such when they query for the information all instances of code the request the window size will see the fake size, and thus the page as a whole will render as if the fake size were real.
Padding it with grey is juts to make it look less shitty to the end user.
Re: (Score:1)
Arms races (Score:1)
Re: (Score:3, Funny)
They learn to spell "missile" properly?
Re: (Score:3)
I think I was vaccinated for the missles once.
Re: (Score:3)
Sure, but what happens when they deploy their missle-missle-anti-anti-anti-missle-anti-anti missles?
Those were banned by the anit-anti-missile missive.
Re: really? another about:config entry? (Score:1)
Ad interference or blocking sometimes has the nice side effect of letting through the better ads, like the humorous ones or the higher quality longer running ads like those multi part ads some of the agencies make for long running campaigns
Great (Score:2)
Except there are literally hundreds [browserleaks.com] of additional data points which allow websites to uniquely [eff.org] identify [amiunique.org] you. The best you could do without too much hassle is to run the English version of Google Chrome under the latest release of Windows 10 without any extensions or additional fonts installed. But even that is not enough since you still expose your time zone, WebGL extensions and then there are evercookies, mouse tracking, canvas fingerprinting, etc. etc. etc. [wikipedia.org]
It surely looks like the WWW was built with tr
Re: (Score:2)
The web was envisaged as being open by design. As it originated as something running on a closed corporate network, such openness such as identifiable information of the user wasn't considered remotely dodgy. It's only subsequently that such information has been considered to be morally dubious thanks to those who spotted a potential revenue source and exploited it.
Whitelisting (Score:5, Insightful)
Saddly it seems that whitelisting Javascript (e.g.: the Firefox NoScript extension) and keeping it to the bare strict minimum required to successfully display a web page is the only practical way to avoid/diminish the online tracking.
Luckily, it seems that nearly all the web rely on 3rd party libraries to do the tracking and thus blocking 3rd party libraries and only allowing select few helps increasing the protection against tracking.
Re:Whitelisting (Score:5, Interesting)
Whitlisting Javascript won't actually protect you from this, not entirely. For example the site can use CSS to load a different resource based on your browser window size, which the server can log along with your IP address.
It's extremely difficult to block everything that could be used to identify a browser. A better technique is to poison the data, making it unreliable and ever-changing.
Re: (Score:3, Insightful)
My browser strings used to show that my computer was an 8 bit Atari 800 with 16 MB of RAM, video card was a Hercules, the OS was MS-DOS 3.2, and that the web browser was Outlook Express. If the servers "need" to collect data then we should flood them with garbage data.
Re: Whitelisting (Score:2, Informative)
clearly uniquely identifiable and tracksble
Re: (Score:1)
Even better, choke them with poisonous garbage. They want to read back stuff? Each time, pick one of these actions:
1. Scramble whatever they read. Be it an ad cookie, screen size or other fingerprinting stuff. The data will be useless.
2. Use the teergrube technique of sending them one byte per minute - tying up their server for a long time. The problem is not that you alone do this, but if they have 10 000 such connections.
3. Attempt to force a buffer overflow down their throat. They expected a less than
Re:Whitelisting (Score:4, Insightful)
That really helps them uniquely identify you, because you are the only one surfing the web on an Atari 800.
What you need is an add-on that randomly changes the browser ID string every few minutes. Use a common but randomly selected one.
Re: (Score:1)
https://www.eff.org/privacybad... [eff.org]
Re:Great (Score:4, Interesting)
Except there are literally hundreds [browserleaks.com] of additional data points which allow websites to uniquely [eff.org] identify [amiunique.org] you.
The point isn't just to identify you as unique but for you to both be unique the first time AND recognizable the next time you come back. This seems like a much easier problem to solve. Just change as many of the settings as you can each time you visit a website. If you had a browser capable of randomly tweaking settings at each page load it should be able to add enough noise that browser fingerprinting would become worthless. As an added bonus, not only would it protect your browser, the noise would add a touch of herd immunity and help other people with stock browsers as well. The goal shouldn't be to lock down a browser so that nothing is leaked but rather to leak so much random crap that it becomes worthless.
Re: (Score:2)
The best you could do without too much hassle is to run the English version of Google Chrome under the latest release of Windows 10
Run the browser that spies on you under the OS that spies on you? What a great idea!
Re: (Score:2)
Can't the javascript code just delay? (Score:2, Insightful)
Isn't it trivial to write some java script to delay a bit before reading browser dimensions?
Caveat (Score:1)
privacy.resistFingerprinting will set your useragent to Firefox 60 as i discovered when i visited the addons site in 65 and the page said i was running an incompatible version, a quick check of my useragent confirmed it was reporting 60, setting privacy.resistFingerprinting to the default false put the UA back to normal
Contraproductive (Score:3)
Re: (Score:1)
show us 1 discussion site that uses fingerprinting like you say ?
and fuck the advert companies, who gives a shit if they dont receive money, 10% of free money if still free, its not as if they had to work for it
Re:Contraproductive my ass. (Score:1)
Yah, and mass surveillance is useful to fight crime. Go live in China if you like that.
I think what we need is a proxy in front of the browser (it has to handle TLS) which just manipulates the outgoing requests and LIES to the website. Because we have been given all reasons to mistrust most of them.
Re: (Score:3)
That is one of it's uses, sure. And that same use would happen if you required everyone to have a verified photo ID. This benefit isn't worth the cost.
I assume you know this is a lie. IDing a computer that looks at X, and IDing that same computer as signed into FB as Joe Schmo (at the same time?) is a clear way to link Joe Schmo to X.
Public web terminals (Score:2)
IDing a computer that looks at X, and IDing that same computer as signed into FB as Joe Schmo (at the same time?) is a clear way to link Joe Schmo to X.
It doesn't work so well when Joe Schmo logs into Facebook from the same public library computer from which other patrons log into Facebook.
Re: (Score:2)
I don't see why. You're ignoring time information. And ad networks are both aware of computer sharing and very good at disambiguating the users.
I mean, sure, Jow could use a public computer for X (which can no longer be something he cannot view in public, like porn or personal financial data). He could then leave, and come back later to use Facebook. But that's not what people really do. They have FB in one tab and X in another.
resources (Score:5, Insightful)
people wonder why are todays computers, which are so powerful, so slow?
well, this is the answer, first you have code running trying to identify who you are, then you have code running that tries to trick the other code detection mechanism. many cpu cycles are lost.
cpu cycles are not the only wasted resource, mind you. there is also somebody coding all this stuff, which otherwise perhaps could have been implementing really cool things.
Re: (Score:2)
people wonder why are todays computers, which are so powerful, so slow?
No they don't. We're dedicating very few resources to actually tracking. Most slowdowns are the result of poorly designed software or ignorant people realising how much more we're doing in software these days.
There's no reason a tracking script (or 10) should have any impact on page load times. There's also no reason to for anyone to think that using a browser from the early 00s would even function in today's internet.
And as if to poetically prove the point I just got an email notification in my browser jus
Re: (Score:2)
Re: (Score:1)
Boo hoo. Stop bitching and work around it. If you're even half-decent you'll find a way, but most video game developers are lazy bastards like yourself who couldn't code a Hello World without a dozen proprietary clutches and middleware packages. You think we give a shit about your game? This is our privacy at stake, here. Find another way to identify me, asshole.
Maybe this is a stupid question (Score:1)
Maybe this is a stupid question, but wouldn't a better solution simply be to deny "advertising code" from being able to access the window size? Why does any website need to be told what your window size is anyway, or for that matter, why does it need to be told anything at all about you?
Re: (Score:2)
Why does any website need to be told what your window size is anyway
In order to choose the correct size of image to present to you, so that you don't end up wasting metered bandwidth downloading photos big enough to fill a 4K monitor just to display them on a smartphone's 480x800 pixel display.
There's your problem ... (Score:1)
See, the problem is we seem to have reached the point of stupid where we let any random web page run scripts, as well as pulling in from any number of external assholes and parasites.
So, I treat ad networks for what they are .. useless sacks of shit who add no value to my life, consume my resources, and wish to harvest my personal information against my wishes. And my solution to that is to block the fuck out of these pieces of shit.
We need to get
Re: (Score:3)
Anonymous Coward wrote:
Sorry, but if you work for an analytics company, or an internet ad company, you really are a sack of shit
Then let's discuss how to make "Internet ad companies" and the "sack[s] of shit" who work for them obsolete. It sounds like you and other Slashdot users like you want one of three things to happen: either A. you want to keep ads but destroy "Internet ad companies", or B. you want to fund the operation of websites through payments from users, or C. you want to fund the operation of websites through some means other than ads or paywalls.
In case A, each website would have to hire, much a
Re: (Score:3)
You appear to suggest that users "name and shame and boycott" any website that relies on an ad network or ad exchange. Let's assume for purposes of argument that you operate a website or web application, and you want to fund the website's operation while avoiding this boycott. What would be your next step?
Re: (Score:2)
I'm all for case C.
If it can't fund itself, does it really need to exist?
If it's something that needs to exist, can't it fund itself?
People get things goings at the "individual's hobby" level. Shouldn't anything grander than that be even easier to get and keep going?
Idiots! (Score:1)
Okay, who here has a monitor with a display resolution that is a perfect multiple of 100 in both X and Y? Not most people, that's who.
Does everyone who works on Firefox have an old 800x600 CRT or a laptop with a 1600x900 display or something? Because in the real world, there's a [wikipedia.org]
Re: (Score:1)
The way I read the summary was that the browser would maintain a "virtual window" inside of the real window. The real window could have any size; it is the size of the virtual window which would be quantised to 100px steps, and the gap between the real window and the virtual window would be the "letterbox".
Re: (Score:2)
But the point of this virtual window is that it is the value returned to the scripts, which is going to make it easier to target Firefox users.
Re: (Score:2)
You think people using Opera, a now-owned-by-China browser, are smarter?
You think people who use Internet Explorer, which has been abandoned by Microsoft itself over a year ago, are smarter than people who use Edge?
You're a dumbass.
Re: (Score:2)
You're a dumbass.
Says the Chrome user.....
Re:Idiots! (Score:4, Insightful)
DontBeAMoran ( 4843879 ) wrote:
So congratulations, idiots. You just gave advertisers a way to target Firefox users even if they use a fake user agent string.
Targeting "Firefox users" isn't as valuable as targeting "D. B. A. Moran" who lives on 484 38th Street, apartment 79.
Re: (Score:2)
What uses are these?
Re: (Score:2)
It's used to align things when CSS fails to have a proper solution. It's used for interfaces, games, etc. It can be used to determine what resolution of image to dynamically fetch for your device. No point in downloading a 4K photo for a laptop that's not even full HD.
Re: (Score:1)
It's used to align things when CSS fails to have a proper solution. It's used for interfaces, games, etc. It can be used to determine what resolution of image to dynamically fetch for your device. No point in downloading a 4K photo for a laptop that's not even full HD.
You should be programming for the RELATIVE CONTENT POSITIONING and allow auxiliary scripts to dynamically fetch the right-sized create assets... Unless you're talking about scroll-over advertisements that are supposed to take over the entire screen, then yeah sure I can see why you're upset.
The year 2001 called, it wants its fixed content positioning CSS definitions back...
Re: (Score:2)
Relative positioning usually works, but sometimes you need to calculate something and position things manually.
Also... "allow auxiliary scripts to dynamically fetch the right-sized create assets...", how do you do that if not via javascript and reading the screen size?