Announcement

Collapse
No announcement yet.

Firefox 29 Beta Pulls In Many Features

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21
    Blocking plugin enumeration is major plus

    Preventing websites from being able to enumerate plugins denies malicious "browser fingerprinters" a key piece of information used to track you even after you toss your cookies and your Flash cookies. I've taken to keeping all plugins disabled and turning them on only to actually use them to limit fingerprintablity. I will test this against Panoptickick when Firefox 29 has been out long enough to prevent the useragent from coming up as rare.

    Comment


    • #22
      Originally posted by Luke View Post
      Preventing websites from being able to enumerate plugins denies malicious "browser fingerprinters" a key piece of information used to track you even after you toss your cookies and your Flash cookies. I've taken to keeping all plugins disabled and turning them on only to actually use them to limit fingerprintablity. I will test this against Panoptickick when Firefox 29 has been out long enough to prevent the useragent from coming up as rare.
      Note that now sites can't enumerate (ie list) every plugin installed, but they still can query for specific plugins and their version. So this would help with fingerprinting only if you have some non-common plugin installed.
      I'd expect sites like panopticlick to just get an huge list of existing plugins. In fact, they probably have one already, since they can just get it from browsers that allow fingerprinting.

      https://bugzilla.mozilla.org/show_bug.cgi?id=757726

      Comment


      • #23
        This means plugins should still be disabled except when actually used

        Originally posted by Spittie View Post
        Note that now sites can't enumerate (ie list) every plugin installed, but they still can query for specific plugins and their version. So this would help with fingerprinting only if you have some non-common plugin installed.
        I'd expect sites like panopticlick to just get an huge list of existing plugins. In fact, they probably have one already, since they can just get it from browsers that allow fingerprinting.

        https://bugzilla.mozilla.org/show_bug.cgi?id=757726
        Thanks for the update. There are certain other considerations in masking a browser: First of all, if you use the common tactic of having a browser report it is running under Windows, be sure not to allow ANY plugins and not to use Gstreamer for HTML5 video playback unless Firefox does not report how it plays back HTML5. I do not know if Firefox will identify the backend used for HTML5 playback right now, so I let it report that it is running under Linux. Torbrowser reports itself as Windows, the useragent comes up as matching that of one in 155 browsers. Firefox on Ubuntu by default comes up with a useragent string matching one in 885, still not very unique by itself, but there's a lot more information to worry about. Plugins, fonts, and HTTP accept headers are the worst culprits.

        Fonts are greatly reduced as a fingerprintable item when Java is not installed and Flash is kept disabled until it has to be used.

        The big problem right now is HTTP_ACCEPT Headers when Javascript is enabled. That alone can report 21 bits of identifying data out of about 30 needed to ID a browser as unique when Javascript is enabled! With NoScript blocking Javascript except when deliberately enabled, a random site for which it has not been enabled only gets 5-6 bits of identifying information.

        When I have direct reason to suspect fingerprinting (need to follow a link to Google, Youtube or Facebook), I use Torbrowser. After all, Google for years used IP addresses as their main cookieless tracking system to build unwanted Google search histories. A dynamic IP address will block that, but surely Google expects that in today's world of so many mobile devices, thus their controversial 2012 privacy policy that explicitly allows collecting "device information." Torbrowser is built to make fingerprinting sufficiently difficult that no nations's courts can admit it and nobody's "security" services effectively track users by browser fingerprint.

        Currently Torbrowser with javascript ON is coming up as one in 10,446, barely more unique that regular Firefox with Javascript OFF (one in 9,702).

        Comment


        • #24
          Originally posted by Luke View Post
          [...]
          Thanks for the explanation, but you don't really have to explain all of this to me - I'm pretty much a tinfoiler too

          I was merely stating that it won't help much. Anyway, after reading the full bug report, it seems that plugins are still enumerable, just not all of them. navigator.plugins will just return common plugin (flash, java and quicktime, If I'm reading it right) instead of everything.

          Comment


          • #25
            Originally posted by Ferdinand View Post
            https://areweslimyet.com/

            Where? I don't see it.
            I take it back.

            I am running a ton of tabs (multiple hundreds) and the memory use generally tends to hover around the same amount.

            However, i noticed that closing a few tabs i have brought the total back down to only about +5-10%, which is probably within the margin of error.

            So i think i just happened to have a few extra busy tabs open causing most of what i saw.

            Comment

            Working...
            X