No, this will not effectively help to reduce the fingerprint of your Browser.
A LOT more tracking services are integrated into the Firefox browser in various places (like New Tab page, Sync, Pocket, Shavar, Google Safebrowsing, OCSP, etc pp).
I wrote a more detailed article about this, and got an "as good as possible" as a result.
But yeah, please please start to use a Host Firewall where you can block on a per-domain and per-port and per-process basis (like LittleSnitch, OpenSnitch etc) to validate your assumptions. UIs will always lie to you, including the one from Firefox.
Yes, sadly Little Snitch (or a similar app) is required to tame Firefox. It's a real shame since they use "Privacy" as a selling point, but for me that starts with being transparent about what they do behind the users' backs with very clear ways to disable any nonsense (no about:config or policy BS, but proper GUI exposed options), or even better with a proper opt-in to those "security" and comfort features.
It pretty much eroded any trust I had in this browser and Mozilla (they are no better than Google, Meta, Apple in that regard.) If it wasn't for uBlock Origin and availability for older OSX versions I would ditch it (the Dynasty build is the only option I have for a recent browser on my old Mac.)
Is this available as pastable text, ideally with the explanation parts as comment blocks?
Happy to see you recommend uBlock Origin and LocalCDN. I would humbly suggest ClearURLs might belong. Another excellent "set it and forget it" extension that skips common tracking redirects.
I was actually reading its codebase and wasn't happy with it due to potential sanitization problems with its regex usage and other things. So I kind of wrote it from scratch and it got to be something different.
But as always with my projects, nothing is ever really finished or usable.
My dream is a user-friendly network-level firewall of some kind which can selectively block requests to domains on the entire network level. Something like uMatrix but for your entire network.
Imagine being able to block `ads.google.com` or whatever from all of your devices at once but without having to rely on local DNS. Or being able to block `pornhub.com` from just some of your devices but not all of them.
I assume the technology to do this is readily available in the form of parental control software or enterprise/office firewalls. However on the consumer level I don't know of anything which does this effectively.
>No, this will not effectively help to reduce the fingerprint of your Browser.
Ironically many of your fingerprinting tweaks in your article make you more fingerprintable, because disabling random web APIs makes you stick out like a sore thumb (think https://xkcd.com/1105/). Besides, most of the configs you're modifying for anti-fingerprinting purposes are already covered by RFP.
>A LOT more tracking services are integrated into the Firefox browser in various places (like New Tab page, Sync, Pocket, Shavar, Google Safebrowsing, OCSP, etc pp).
Can you elaborate on how these services are "tracking"? Except for maybe safebrowsing, and OCSP, none of these services actually send information on what sites you visit. Unless you mean "tracking" to mean "make connections to the internet".
The real question is on what OSI layer are you willing to die.
TCP fingerprinting is a real threat and most surveillance systems can identify your unique connection pretty easily, thanks to the quantum surveillance technique where closer surrounding and compromised hops will send you packets faster than the actual endpoint because they are geographically closer to you.
A real privacy aware browser caches everything, and scatters requests as much as possible through different network paths, and farbles Web APIs of the most common system and browser combination (which is Microsoft Edge or Google Chrome on Windows/Android).
I tried to implement all that, but I gave up working on that after I've been targeted in 2021. Maybe I have the time to get back to it after I am done with my current mission.
AFAIK none of these check for changing fingerprints. Your browser could report a very unique screen resolution, but could be configured to change it periodically. How much does that fool fingerprinting algorithms?
I guess it would, but the problem of getting "bad karma" points on payment processors, etc. remains.
Further, this is not the only form of fingerprinting, there is also e.g. TLS fingerprinting [1].
Programmers should tell people that browsers and the internet are not private, and that everyone who claims otherwise does not tell the truth.
There should be more discussions between people more skilled than me, if and how such methods can be prevented. And that should be documented well. Including how to prevent getting blocked on sites.
A creative attempt would be when millions or billions of users have a software (self chosen!) which randomly visits sites, when the computer is not busy. This would not prevent fingerprinting, but the collected data would be useless (Someone in the other thread suggested that).
Another method would be to declare it illegal and require workers to report such methods to the authorities.
Set the browser.ml.chat.enabled and browser.ml.enabled to false as they intensively use the processor and drain the battery. All that to just find the best name for your tab groups. I prefer to have my laptop last one more hour instead.
I took a brief gander at its code [0] and saw it mainly focusses on k-means clustering algorithms (in JS, no less). To my ken this is likely for suggesting new tabs, something a user is even less likely to use than renaming them.
Its constant drain even when not 'in use' seems to imply it's classifying tabs as they change page (though it might be telemetry or uncommented testing). If so, it's an example of premature optimisation gone very wrong.
It's a shame, because it overshadows the fact that naming tab groups is a perfect use case for an LLM, alongside keyboard suggestions and reverse dictionaries [1]. I'm ardently distrustful of LLMs for many, many purposes, but for the tiny parameter and token usage needed it's hard to not like. Which is a shame it's (somehow) such a drain.
Does anyone here struggle so much with naming a group of tabs that you'd reach for an LLM? I mean... really? How often does a group of tabs need a more complex name than "Work", "Gaming", etc? Maybe a suffix for the work project?
I recall an extension (I think by a Mozilla dev) which could do automatic grouping of tabs (back before tab groups was removed). I'm surprised this hasn't come back.
Wasn't that a bug that was fixed weeks ago? Like early August? If you are not averse to this feature then it is better to simply make sure you are running the latest version.
I literally gained one hour off my charged battery when I switched these two settings off, just a week ago, and I keep my browser up to date. So not for me.
I didn't know about these 2 settings but they were already disabled in my about:config. I wonder if Debian distributes a non-default about:config with Firefox.
They do, see /etc/firefox-esr/firefox-esr.js -- but the aforementioned settings are not in that file by default, and [0] seems to suggest Debian does not alter the compiled-in defaults either.
Some quick digging in the source suggests that it's simply not enabled by default in ESR 128. I don't know if that's because it's only enabled by default in a later release, or because it's disabled in all ESR releases; I suspect the former. Compare [1] and [2]:
-pref("browser.ml.enable", false); # in upstream/128.14.0esr
+pref("browser.ml.enable", true); # in upstream/142.0.1
The other pref, browser.ml.chat.enable[d] is not mentioned in that file at all.
(edit: according to [3a] and [3b], it's browser.ml.enable and browser.ml.chat.enabled... yay for consistency, I guess)
I've been a Firefox die-hard since it was called Phoenix a couple decades ago. That said, over the last two months I've been testing Orion Browser (from Kagi, to which I subscribe), and am smitten with it. It's Apple only at the moment, which is a drawback, but if you live in that ecosphere, it's worth a look.
Orion is Webkit-based, can install extensions from Chrome OR Firefox, privacy respecting, and a whole lotta niceties for per-website tweaks and other customizations.
Orion indeed is a decent option for the privacy conscious as it is one of the few browsers that doesn't make any automated connections on startup (with the right config). But, if I remember right, they are still trying to get uBlock Origin to work perfectly on it (i.e. WebExtension support is still not fully supported on Orion).
PaleMoon ( http://www.palemoon.org/ ) is a hard fork of Firefox, with a mix of old tech (XUL) and new tech (from current codebase of Gecko), that is another full-featured zero-telemetry browser that doesn't make any automated connections. But on this too, the full features of uBlock Origin aren't supported as it is based on the abandoned uBlock Origin (legacy) codebase (though the legacy codebase has been updated by some PaleMoon developers, the original developers of uBlock Origin do not wish to support PaleMoon as it doesn't support WebExtension).
Then there's the Tor Browser ( https://www.torproject.org/ ) - it is a soft fork of Firefox, that supports the Tor network and has been configured by default to be "privacy hardened" - it has none of the crap that Mozilla bundles into Firefox, like Pocket, AI, Ads etc. The Tor software bundled in it can be easily deleted, to use it as privacy hardened Firefox. However, there are two issues with it - it does make unauthorised and unwanted automated connections (to SecureDrop) and you can no longer remove the NoScript browser extension that is bundled in it (you could from previous versions). When a browser maker forcefully bundles something in it, (however useful it may be), and does not allow you to modify it, that's well-founded ground to be suspicious of it. (Note: I did finally figure out that one can stop automated phoning to SecureDrop, after disabling it in about:rulesets ).
As the Tor Browser laid a good foundation to create a privacy hardened Firefox, there are many other browsers that are forks of the Tor Browser - the Mullvad Browser ( https://mullvad.net/en/browser ) is a popular one, and Mullvad bundles its VPN service in it instead of the Tor network. Last I checked, it made some automated connections on startup, so I didn't bother to explore it further.
If the first item isn't "whitelist JS", you're doing it wrong. So many problems arise from letting any site run programs on your computer that it's best to reserve the privilege to the most trusted of sites.
Meanwhile if I see that I just move on. It just isn't practical to have a workable browser with JS whitelisting for the general case. I doubt people who do this actually do any kind of thoughtful review before hitting "accept". It just adds manual toil with limited benefit.
If they are doing meaningful review, I question how much they actually get done in life.
When it was developed, uMatrix was a brilliant method of being cautious about what runs, and it had a logger so you could easily see what domains you should enable the current domain to have access to.
I still use it honestly, but I'll need to move on at some point - not just because it's MV2-only, but also I've found a way in which uMatrix can be bypassed if a website were to specifically target it. (It doesn't affect uBlock Origin, although I haven't tested the Lite MV3 version.)
It's quite telling that even the mobile version of Chrome, well known for being the most user-hostile browser, has the option to whitelist or blacklist JS and various other features like location access.
Chrome didn't have anything other than a global JS on/off at first, so they clearly added this feature later.
I have also found that since using Noscript that way and only whitelisting the few sites I actually use interactively, now because all the Cookie warning garbage, clicking away of subscribe dialogs etc is gone, all in all I do less manual annoying interaction on sites I visit.
Thanks for this ... great start. Mozilla Firefox COULD be an even more powerful source for good. Stop focusing on BS VPN, AI, etc ... focus on great browser, security, privacy. There is a possible niche for a centrally managed, security focused browser for companies ... like the Island Browser ... as an option.
[1] https://cookie.engineer/weblog/articles/firefox-privacy-guid...
https://addons.mozilla.org/firefox/addon/clearurls/
https://github.com/ClearURLs/Addon
[1] https://github.com/cookiengineer/defiant
I would add `layout.css.font-visibility=1` to hide all non-default fonts (makes a canvas font rendering test less useful).
https://fingerprint.com/
In my tests only Tor was able to prevent that, but using Tor will give you bad rankings on payment sites like PayPal, you may even get banned there.
I learned this from here:
https://news.ycombinator.com/item?id=35243355
That site is now black, surely a coincidence. Here the archive.org link:
https://web.archive.org/web/20250801173508/https://www.bites...
Have a local copy.
Is this an ad? Of all the things I was expecting to see when I clicked that, "Contact Sales" was not one of them.
https://github.com/bitestring/bitestring.github.io/blob/main...
[1] https://roundproxies.com/blog/what-is-tls-fingerprint/
[0] https://github.com/mozilla-firefox/firefox/blob/7b42e629fdef... exports a SmartTabGroupingManager, though how or why that is used without being asked eludes me
[1] https://www.onelook.com/thesaurus/ Can be helpful in a pinch when a word's on the tip of your tongue, though its synonyms aren't always perfect.
[0] https://sources.debian.org/src/firefox-esr/128.14.0esr-1~deb...
[1] https://salsa.debian.org/mozilla-team/firefox/-/blame/upstre...
[2] https://salsa.debian.org/mozilla-team/firefox/-/blame/upstre...
[3a] https://salsa.debian.org/mozilla-team/firefox/-/blame/esr128...
[3b] https://salsa.debian.org/mozilla-team/firefox/-/blame/esr128...
[0] https://kagi.com/orion/
No matter how effective this list is, the settings will either revert, change, or be silently undone.
New settings will alter the efficacy of the old ones.
Existing settings will disappear.
The behavior you hoped to configure changed to its opposite.
Remember: there was one morning when we all woke up and saw every dns query sent to cloudflare doh by default, and with no opt-in.
True. And most people don't even know it.
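One way to check for the drift described in the comments above, as an added example that is not part of the thread or Firefox's own code: it parses a profile's prefs.js and compares the three prefs named in this thread against the values commenters recommend. The sample file is constructed, and the trailing-"d" lookalike check is a heuristic prompted by the browser.ml.enable / browser.ml.enabled mix-up in the thread.

```python
import json
import re

# Prefs named in this thread, with the values commenters recommend.
EXPECTED = {
    "browser.ml.enable": False,
    "browser.ml.chat.enabled": False,
    "layout.css.font-visibility": 1,
}

# Constructed sample of a profile's prefs.js (not from a real profile).
SAMPLE = """\
// Constructed sample
user_pref("browser.ml.enabled", false);
user_pref("browser.ml.chat.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
"""

# Matches one user_pref("name", value); line as written in prefs.js / user.js.
_PREF = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*)\)\s*;')


def parse_value(raw):
    """Convert a pref literal (bool, integer or quoted string) to Python."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    try:
        return json.loads(raw)  # quoted string
    except ValueError:
        return raw  # unknown literal: keep the raw text


def parse_prefs(text):
    """Return {name: value} for every user_pref line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(text, expected=EXPECTED):
    """Map each expected pref to (status, detail).

    ok        - set to the wanted value
    drifted   - set, but to a different value
    lookalike - not set, but a name differing only by a trailing 'd' is
    unset     - absent from the file, so the compiled-in default applies
    """
    prefs = parse_prefs(text)
    report = {}
    for name, want in expected.items():
        if name in prefs:
            got = prefs[name]
            # Type-strict compare so that 1 and true are not confused.
            same = type(got) is type(want) and got == want
            report[name] = ("ok" if same else "drifted", got)
            continue
        twin = name[:-1] if name.endswith("d") else name + "d"
        report[name] = ("lookalike", twin) if twin in prefs else ("unset", None)
    return report


if __name__ == "__main__":
    for pref, (status, detail) in audit(SAMPLE).items():
        print(f"{status:9} {pref} {detail!r}")
```

Running it against the real prefs.js after each browser update shows which of the listed prefs have changed or gone missing since the last check.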
It has both a global option to disable JS, and an option to set a keyboard shortcut to re-enable it as needed for each site.
https://wiki.archlinux.org/title/Firejail