The article has some factual errors about how fingerprinting and fingerprinting resistance work in Firefox.
I’m not going to point out all the errors, but wanted to share some of the criticism that I’ve seen over the last couple of days.
In Firefox, the Fingerprinting Resistance pref is mostly based on the original Tor design documents, which focus on uniformity. I.e., the intent is that ideally every Tor browser user should get the very same fingerprint.
Other browsers approach fingerprinting differently and try to seed randomized input into the fingerprinting library - essentially provoking the fingerprint to be different across sessions.
A co-worker pointed out that it’s not interesting to see if you get the same fingerprint in the same browser after 3 refreshes. The more interesting thing is to find out if every web site user gets a different one that stays constant. The section at https://educatedguesswork.org/posts/private-browsing/#preventing-fingerprinting might be interesting here.
P.S.: I work on Firefox Security stuff, but definitely not on privacy features. I do not speak for Mozilla here and I do not have any special insights other than what could be seen from staring at our code.
The Firefox approach sounds right here. If you’re generating random patterns in a smallish space, there’s a danger that someone will be able to infer your identity from a set of accesses. If I leave the same fingerprint on every visit to a site and so does every other Firefox user then the fact that the fingerprint is the same every visit doesn’t help with tracking.
Given there are companies selling fingerprinting as a service, if you want to really protect yourself from fingerprinting, you should use Tor Browser or Firefox with resistFingerprinting=true.
TL;DR:
I did some browser tests against fingerprinting, and without trying to make any advertising, Brave was the hardest to fingerprint (with default settings). And even if I dislike Brave, on mobile, it’s the only alternative for me. For desktop I still use Firefox customized in this regard (as the author mentions).
Tor is not an option, because it will make my Internet extremely slow. The added privacy benefits are not worth the abysmal browsing experience.
I use Firefox mobile, works quite nicely for me.
Edit: but it does not resist fingerprinting. Just tested.
Yes, if you do the same tests with Brave you will probably see better results. That’s unfortunate, but at least it works.
Does fingerprinting work to distinguish very popular and uniform devices such as the iPhone? Can you distinguish two iPhones with fingerprinting alone?
Absolutely. First imagine all iPhone devices. You can distinguish many just by OS revision, which is helpfully sent in the user agent by Safari to every website. You can distinguish by language, whether JS is enabled, and JS is used to do all kinds of fun things by trackers/stalkers. You can use JS or even plain HTML to determine screen width and therefore narrow down device model. If you have an iPhone, look under general settings, Safari to see all the user-configurable options available. There are a lot! When you combine all inputs, many users stand out plain as day.
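
An added example, not part of any comment above and not code from Firefox, Tor Browser or Brave: a small Python model of two points made in the thread, that a fingerprint only helps tracking when it is both stable across sessions and not shared with other users, and that combining attributes (OS version, language, screen width) shrinks the group a user hides in. The user table, the three strategy functions and the use of a truncated hash as the "fingerprint" are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample, not real data: (os_version, language, screen_width) per user.
USERS = {
    "u1": ("17.4", "en-US", 390),
    "u2": ("17.4", "en-US", 430),
    "u3": ("17.4", "de-DE", 390),
    "u4": ("16.7", "en-US", 390),
    "u5": ("17.4", "en-US", 390),
}
SESSIONS = 3  # e.g. three page refreshes

def digest(*parts):
    return hashlib.sha256(repr(parts).encode()).hexdigest()[:12]

def raw(user, attrs, session):
    # No protection: the site hashes the real attribute values.
    return digest(attrs)

def uniform(user, attrs, session):
    # Uniformity: every user reports the same fixed values.
    return digest(("fixed", "en-US", 1000))

def randomized(user, attrs, session):
    # Randomization: (user, session) stands in for fresh per-session noise.
    return digest(attrs, user, session)

def observe(strategy, n_attrs=3):
    """Return {user: [fingerprint per session]} using the first n_attrs attributes."""
    return {u: [strategy(u, a[:n_attrs], s) for s in range(SESSIONS)]
            for u, a in USERS.items()}

def stable(obs):
    """Users who show the same fingerprint in every session."""
    return sorted(u for u, fps in obs.items() if len(set(fps)) == 1)

def trackable(obs):
    """Users whose fingerprint is stable AND held by nobody else."""
    holders = defaultdict(set)
    for user, fps in obs.items():
        for fp in fps:
            holders[fp].add(user)
    return sorted(u for u, fps in obs.items()
                  if len(set(fps)) == 1 and holders[fps[0]] == {u})

if __name__ == "__main__":
    for name, strat in (("raw", raw), ("uniform", uniform), ("randomized", randomized)):
        obs = observe(strat)
        print(name, "stable:", stable(obs), "trackable:", trackable(obs))
    for n in (1, 2, 3):
        print("raw,", n, "attribute(s) -> trackable:", trackable(observe(raw, n)))
```

Under `uniform` every user is "stable", so a refresh-three-times test reports a constant fingerprint, yet nobody is trackable because all five users share it.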