
This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.


There was a commenter some time back showing that browser statistics were easy to skew. Safari and Firefox are less likely to show up in analytics, so website owners think they're less important than they really are. Conflating client-side with server-side analytics showed quite a gap.


Most of the people who are just looking at browser statistics for the purpose of managing a website are using simple tools that just simply collect data from user agent strings. Determining browser from this isn't 100% straightforward, but it's enough to give website operators a rough idea of what browser to target. This data was more important in the days when everything wasn't Chrome/Android/iOS, and it actually mattered what version of IE your users were running.

If you're doing fingerprinting for tracking purposes, you're gonna be tracking a lot more in-depth data.

But in the end, there are pretty much three types of Internet user today: 1. The person who uses the default browser installed on their device. 2. The user who always downloads Chrome when they first get a new computer. and 3. Nerds who do something else.


I don't disagree, but it makes for bad web development practices. Google Analytics is still the de facto king everywhere I've worked, but it's going to more often Safari and Firefox than other browsers due to tracking protections and users being more likely to run ad blockers. Then there's all the edge cases like Brave.

I don't remember the discrepancy that the study found, but it's significant.

So… we keep optimising for Chrome, as if that's the bulk of our audience. That makes things shittier for everybody else, and we think it's okay because they're such a small part of the group. This reminds me of a former client burning almost 9 million euros every year because they excluded IE6–8 from their reporting, yet they would account for 15% of the traffic.


>This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.

I'd rather be trackable but secure -- the big draw for me is NoScript. Paired with uBlock, I'm safe from malvertising[1]

[1] https://en.wikipedia.org/wiki/Malvertising#Examples_of_malic...


You're more trackable by using NoScript and there's no good reason to use it if you know how to properly use uBlock: https://github.com/arkenfox/user.js/wiki/4.1-Extensions#-don... uBlock is a content blocker so it can do everything NoScript can if you learn its advanced UI usage. Using additional extensions makes you more trackable.


>You're more trackable by using NoScript and there's no good reason to use it if you know how to properly use uBlock

What data do you have to support this assertion? uBlock doesn't seem to have the ability to selectively enable only the JS necessary for functionality, and if it does, the UI makes it much more difficult to enable.

I just ran a test -- merely uBlock use renders me unique, whereas one in 5742.77 had the same fingerprint as me when using NoScript. (I suspect that's the number of people also using Firefox with NoScript who own this particular monitor size)

A big chunk of the fingerprinting techniques require JS -- it's pretty hard to ascertain what specific extensions are installed without it. I tested disabling it and it didn't seem to make much difference in terms of bits of entropy on EFF's tool.

I encourage you to try for yourself and then think hard on your advice.


I cannot judge the validity of your test and I have done any tests myself. I encourage you to read the link from my post to the top Firefox hardening resource (arkenfox) that labels NoScript redundant. This is further backed up by another top privacy resource: https://www.privacyguides.org/en/browser-extensions/ This also links to the uBlock docs which outline different modes. Medium/hard modes make NoScript redundant.


>I cannot judge the validity of your test and I have done any tests myself.

I'm going to assume you meant to say "I have not".

If you can't judge the validity, maybe you shouldn't give out advice that might be read by vulnerable populations, given the sources you list do not address my points.


I was wondering why uBlock is not enough, since you can block JavaScript globally and re-enable it per site. AI's answer:

Only things uBlock doesn’t replicate:

NoScript’s anti-XSS and anti-clickjacking heuristics (uBlock just blocks the sources; it doesn't sanitize payloads).

NoScript’s control over other active content types (e.g., WebGL, media codecs, etc).


It also has a much better UI -- it doesn't look like it's nearly as easy to see a drop-down list of JS and selectively enable it as NS allows.


I often think about this in connection with my user agent. I am sure it helps identify me. If I spoofed a Chrome/Windows UA that would probably be better from a privacy perspective. But if we all do that then web designers will never know that we exist. I want people to know there are Firefox and Linux users out there.


Spoofed UAs are easily detected. And if you are spoofing your UA you are among a very small subset of users.


Easy to detect, but companies are lazy. I remember when Netflix first worked for Linux on Chrome but not Firefox. I changed my agent and was good to go. After some months I emailed them asking to lift the agent block. They assured me they weren't blocking by agent. I sent them screenshots. They doubled down. So I said ¯\_(ツ)_/¯ and just kept using the agent until they unblocked it.


Absolutely, but the parent was speaking about privacy. Access is a different story, because you can test different user agent strings, and immediately determine whether you get access. By contrast, you can't change a user agent string and readily determine whether or not you've broken someone's ability to track you.


My example of access is just a clearer example of laziness. Maybe they were tracking but it seems unlikely, right? If they were, why not block? Laziness is a much better explanation.

I can get feedback with access, I can't get feedback with tracking. That's why I mentioned access.


They probably weren't tracking you, that was probably a case of directing a user toward a supported browser for customer support purposes. I would imagine that was a requirement in somebody's Jira ticket, solved with a few lines of code.

By contrast, tracking people on the web is a multibillion dollar industry, and there are out of the box commercial libraries that do very sophisticated tracking. None of these solutions rely on user agent string alone.

The vast majority of websites by count are not doing anything sophisticated. But some are.


The announcement came with the claim about DRM. So I believe there was some "legal" issue about it. I'm also sure they didn't actually care that much.

> By contrast, tracking people on the web is a multibillion dollar industry

Of which Netflix is a part of.

> The vast majority of websites by count are not doing anything sophisticated. But some are.

And this is my point. Somewhere like fingerprint.com is trying to use all the tools available. But most places aren't. Facebook and Google? Sure, I buy that. But mentioning that many places are lazy is not the same thing. It is a game where we can't win completely and we still need to let people know that small gains are still meaningful. A major problem we face with privacy is that people feel so powerless that it is useless to fight back. But that's not true. Just because your bulletproof vest doesn't stop a missile doesn't make it useful. A bulletproof vest that only stops small caliber is still better than no vest, since most shots are small caliber. Pareto is still alive and well here.


Yes, there are plugins (e.g. Widevine) that do DRM and they have/had varying browser/OS compatibility.

But ultimately, Netflix is just trying to check a box in their contractual obligations, and/or prevent high-schoolers with chrome dev tools from sending movies to all their friends. They're not really interested in spending large sums of money to figure out your browsing history. It's just not relevant to their revenue stream.

>> tracking people on the web is a multibillion dollar industry

> Of which Netflix is a part of.

I was referring to businesses that do web activity tracking as their primary business. Facebook and Google's primary business is advertising, which isn't the same thing, and they control enough products that they don't actually have to do very much fingerprinting in order to target ads effectively. Most of their data, people voluntarily hand over. I was getting more at the big ecosystem of commercial tools that others can implement that do these sorts of things, e.g. fingerprint.com and many others.


Interesting. So when you try to resist fingerprinting, if you don't go all the way, you're at risk of making your differentiations smaller?


As an oversimplified example:

If a website has 100 visitors, and 99 of them use Chrome, and 1 user uses Firefox, it doesn't matter how good their fingerprinting resistance is, they're always the one using Firefox.

https://xkcd.com/1105/


Firefox is low on browser count but it's still around 4%[0]. That's enough that there will be lots of collisions. Even a small percent of a very large number is a very large number.

[0] https://radar.cloudflare.com/reports/browser-market-share-20...


Of course.

However, if you're trying to search for somebody, and you're able to eliminate 96% of the data, you're in a much better position to accomplish your goal.

Whether or not you should care about this depends on what kind of tracking threats you're trying to avoid.


I mean yes and no. Raw numbers still matter. It's all about context. If you have a billion visitors and rule out 96% of them, sure, searching 4 million it's easier but it's still such a large number that that alone isn't enough. That's all I'm trying to say.
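The "one in 5742.77" EFF figure earlier in the thread and the anonymity-set argument in this subthread are two views of the same arithmetic: a value shared by a fraction p of users reveals -log2(p) bits, and the expected number of people matching a whole profile is the population times the product of the fractions. This added example (not from any commenter) works that through; the 4% Firefox share is from the thread, every other fraction is constructed, and attributes are treated as independent, which overstates how much they combine.

```python
import math


def surprisal_bits(fraction):
    """Identifying information revealed by an attribute value shared by a
    given fraction of users: -log2(p). Rare values leak more bits."""
    if not 0.0 < fraction <= 1.0:
        raise ValueError("fraction must be in (0, 1]")
    return -math.log2(fraction)


def bits_from_one_in(n):
    """Convert an EFF-style 'one in N browsers share your fingerprint'
    figure into bits of identifying information."""
    return math.log2(n)


def anonymity_set(population, attributes):
    """Expected number of users in `population` matching every attribute
    value, plus the total bits, treating attributes as independent (a
    simplification: real attributes are correlated, e.g. OS and fonts)."""
    shared = 1.0
    for _, fraction in attributes:
        shared *= fraction
    total_bits = sum(surprisal_bits(f) for _, f in attributes)
    return population * shared, total_bits


def effectively_unique(population, attributes):
    """True when fewer than one user is expected to share the whole profile."""
    expected, _ = anonymity_set(population, attributes)
    return expected < 1.0


# Constructed sample profile: attribute value -> fraction of users sharing it.
# The 4% Firefox share comes from the thread; every other fraction is made up.
PROFILE = [
    ("browser=Firefox", 0.04),
    ("os=Linux", 0.02),
    ("screen=2560x1440", 0.05),
    ("timezone=UTC+1", 0.15),
    ("extension set detectable", 0.01),
]

if __name__ == "__main__":
    # A majority value (constructed 65% Chrome share) reveals far less than Firefox's 4%.
    print(f"Chrome: {surprisal_bits(0.65):.2f} bits, Firefox: {surprisal_bits(0.04):.2f} bits")
    print(f"'one in 5742.77' = {bits_from_one_in(5742.77):.2f} bits")
    for pop in (100, 1_000_000_000):
        expected, bits = anonymity_set(pop, PROFILE)
        print(f"{pop:>13,} visitors: ~{expected:,.1f} match ({bits:.1f} bits), "
              f"unique={effectively_unique(pop, PROFILE)}")
```

With 100 visitors the constructed profile is already unique, while at a billion visitors the same profile still leaves roughly sixty people in the anonymity set, which is the raw-numbers point made above.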


Completely agreed


But if another Firefox user comes they are indistinguishable from each other, while every Chrome user is uniquely identifiable, are they not?


> if another Firefox user comes they are indistinguishable from each other,

Even if every Firefox browser gave off the exact same fingerprint, that wouldn't make the network traffic indistinguishable between Firefox users. There is a lot of entropy provided by the network stack of your device, the networks you connect to in order to get to the end website, the behavior of your requests, etc.

Now, most websites aren't doing this kind of analysis. But it isn't unheard of or impossible. There are major websites that are known to do TLS fingerprinting.

