/tech/ - Technology

so did they fix the over a decade old bug that gives you a unique fingerprint depending on what add-ons you have installed

That was the first thing I noticed too. At first I actually thought spellchecking was broken. But no, now I need to make twice the amount of clicks to change languages just because they added a feature nobody needs or ever asked for. I guess at Mozilla programmers only get promoted for adding useless features and doing needless redesigns.

>>14667
I appreciate where you're coming from on this, but that really probably isn't malicious.

A website can probably fingerprint your browser pretty good anyway – this depends on the particulars of what browser and computer you're using, but it is totally reasonable to figure out what GPU you have (based on how WebGL renders) and what your screen resolution is, and narrow your device down to a specific phone or range of phones. Now, if I know what kind of phone you're using and what your IP address is, I might be able to nab another detail to guess pretty well when you switch IPs. Maybe you set the font size on your device to a non-default setting, for instance. Maybe you're the only person in your town with that particular font size on that particular phone model. A website is allowed to query the DOM and see how big text renders. I'm not saying we should allow more data to leak just because some already is, but plugging this one hole won't solve the problem. The problem is in how we expect browsers to check on how things have rendered. This is really useful if you're developing websites that need to work across platforms (as you can adjust what you render based on what features are available in a browser, reposition elements based on how long the content is after rendering text at a desired level, etc.), but bad for security. There are solutions being worked on, projects that allow rendering and no DOM queries, but we haven't settled on one yet and most people don't care. It will emerge.

It's useful to be able to see if you have a given browser extension. If I'm making a website that uses Metamask, I need to display one thing if that extension is available and another if it
isn't. Obviously that turns into a fingerprint when you add enough extensions, but there is a legit use case for the website being able to tell what extensions are present.

Mozilla has made a nominal effort to stop fingerprinting via a deny-list: https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/ This could be seen as too little too late, but I hope the above couple of points have explained the tough situation they're in with regard to blocking this behavior altogether. The internet as you know it relies on this. If Firefox seriously stopped letting browsers do all activity that can be used for fingerprinting, it would break so many websites that you'd probably switch to something else. Hell, just turn off JavaScript and nobody will be able to fingerprint you based on extensions, problem solved ;)

>>14684
>It's useful to be able to see if you have a given browser extension. If I'm making a website that uses Metamask, I need to display one thing if that extension is available and another if it isn't.
fucking nobody does this except websites that get pissy if you use adblockers and thats what issue trackers are for
simply replying #notanissue #wontfix wouldve been much shoter

>just turn off JavaScript and nobody will be able to fingerprint you based on extensions
ah so you dont even know what issue im actually talking about, thanks mozillatard

>>14686
>fucking nobody does this except websites that get pissy if you use adblockers and thats what issue trackers are for
I have literally used this, and not for malicious purposes.
>ah so you dont even know what issue im actually talking about
I guess not, I was thinking of navigator.plugins. I guess it's deprecated, and hasn't allowed enumeration since 2014. I never used it that way, since I wasn't trying to fingerprint based on it but rather query for a specific plugin, but disabling enumeration isn't a perfect fix obviously. What issue are you referring to? Please either use specific enough language that the issue will be immediately visible in search engine results or provide a link.

>>14686
>>just turn off JavaScript and nobody will be able to fingerprint you based on extensions
>ah so you dont even know what issue im actually talking about, thanks mozillatard

what the fuck are you talking about? if javascript is turned off, the only data that the server should see is in the requests that you make to it by clicking links or form buttons (which can include some identify information in the headers like your ip address, browser, operating system, and a unique id generated by the server and sent to the browser in a prior header… but i've never heard of plugins being listed there).

>>14667
>>14686
You're fucked either way, you should use tor if you want privacy sadly.
https://noscriptfingerprint.com/

>>14688
>>14692
I think he's talking about this bug.

>WebExtensions can be used as user fingerprint
https://bugzilla.mozilla.org/show_bug.cgi?id=1372288

>>14694
That relies on JavaScript, which he indicated the problem he was talking about did not.