arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License

Firefox, with slightly modified Arkenfox, fingerprinting with latest 124.0.1 64 bit update breaks, now "unique" #1821

Closed joes0451 closed 7 months ago

joes0451 commented 7 months ago

Just wanted you to know about this. If this isn't helpful feel free to ignore or remove it. The latest Firefox update 124.0.1 64 bit on Windows, breaks fingerprinting to "unique" with my slightly modified Arkenfox settings. For the past two or so updates it stayed fine, but with this latest Firefox update fingerprinting seems to have broken.

I also tried a different Profile that used different settings and it also reports "unique" from EFF's site. Thanks and keep up the great work!

Here are my changes:

user_pref("browser.startup.page", 1);
user_pref("browser.startup.homepage", "about:home");
user_pref("extensions.pocket.enabled", false);
user_pref("identity.fxaccounts.enabled", false);
user_pref("privacy.clearOnShutdown.cache", false);
user_pref("privacy.clearOnShutdown.downloads", false);
user_pref("privacy.clearOnShutdown.formdata", false);
user_pref("privacy.clearOnShutdown.history", false);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("browser.newtabpage.enabled", true); // This fixes the new tab Home problem

rusty-snake commented 7 months ago

unique

and stable?

Anyway, not real world.

Thorin-Oakenpants commented 7 months ago

first, none of those overrides (should) have anything to do with web content or passive fingerprinting

second, sites cannot tell you your uniqueness - they are seriously flawed (not going to list all the reasons why, yet again)

anyway, I just checked EFF, first time with this profile, and I get 1 in 4.5k. I'm on windows 11. So I'm not even trying but I'm protected. Maybe your fonts are different to mine due to a different windows version or language, but the kBaseFonts should be stable since win10 (if I recall correctly with windows system fonts), or maybe it's language, or touch. But doesn't really matter since you used to but are now not. I do know the audio FP changed for ARM (I think this release from memory) see next comment

so .. I'm not even trying and I'm protected - but not really. These tests are fucking useless for entropy


pile of useless analysis for you

kBaseFonts for windows

'windows': [
    'AlternateGothic2 BT', // ?
    // 7
    'Arial','Calibri','Cambria','Cambria Math','Candara','Comic Sans MS','Consolas','Constantia','Corbel','Courier New','Ebrima',
    'Gabriola','Georgia','Impact','Lucida Console','Lucida Sans Unicode','MS Gothic','MS PGothic','MS UI Gothic','MV Boli',
    'Malgun Gothic','Marlett','Microsoft Himalaya','Microsoft JhengHei','Microsoft New Tai Lue','Microsoft PhagsPa',
    'Microsoft Sans Serif','Microsoft Tai Le','Microsoft YaHei','Microsoft Yi Baiti','MingLiU-ExtB','MingLiU_HKSCS-ExtB',
    'Mongolian Baiti','NSimSun','PMingLiU-ExtB','Palatino Linotype','Segoe Print','Segoe Script','Segoe UI','Segoe UI Symbol',
    'SimSun','SimSun-ExtB','Sylfaen','Symbol','Tahoma','Times New Roman','Trebuchet MS','Verdana','Webdings','Wingdings',
    // 7 but not detected if font-vis < 3: 1720408
    'Franklin Gothic Medium',
    // 8
    'Gadugi','Nirmala UI','Microsoft JhengHei UI','Microsoft YaHei UI','Myanmar Text',
    // 8.1
    'Javanese Text','Leelawadee UI','Segoe UI Emoji','Sitka Banner','Sitka Display',
    'Sitka Heading','Sitka Small','Sitka Subheading','Sitka Text','Yu Gothic',
    // 10
    'Bahnschrift','HoloLens MDL2 Assets','Segoe MDL2 Assets','Segoe UI Historic','Yu Gothic UI',
    // localized: kBase: detected FF119+: 1850672
    '微软雅黑','MS ゴシック','MS Pゴシック','宋体','游ゴシック', // Microsoft YaHei, MS Gothic, MS PGothic, SimSun, Yu Gothic 
    // FontSubstitutes
    'MS Shell Dlg','MS Shell Dlg \\32', // might differ based on system locale/install
    'Helv','Helvetica','Times','Tms Rmn', // seems stable

    /* ignore
    // https://searchfox.org/mozilla-central/source/gfx/thebes/gfxDWriteFontList.cpp#1990
    'MS Sans Serif','MS Serif','Courier','Small Fonts','Roman',
    // variants
    'Arial Black','Arial Narrow','Segoe UI Light','Segoe UI Semibold', // 7
    'Calibri Light','Calibri Light Italic','Segoe UI Semilight', // 8
    // 8.1
    'Leelawadee UI Semilight','Microsoft JhengHei Light','Microsoft JhengHei UI Light',
    'Microsoft YaHei Light','Microsoft YaHei UI Light','Nirmala UI Semilight','Segoe UI Black','Yu Gothic Light',
    // 10
    'Bahnschrift Light','Bahnschrift SemiBold','Bahnschrift SemiLight','Candara Light','Corbel Light',
    'Malgun Gothic Semilight','Yu Gothic Medium','Yu Gothic UI Light','Yu Gothic UI Semilight','Yu Gothic UI Semibold',
    */
],

The above list is from TZP. I ignore testing variants (black, light .. etc) as these are not always reliable on first run since they may require a fallback to be cached during the browser session. I also use a stable font testing string (because some chars are also unreliable unless already mapped via async fallback). I do not care how EFF does their test, but their font list being tested is consistent. Note, a detected font does not mean you have that font - it means the size changed when you asked for it, so it could be a font alias. Some of these "aliases" are windows specific and depend on your OS language.

Another reason you could be different to me is that you are not at 1600 width by 900 height - maybe your screen is too small.

Another is touch support: e.g. my touch capable win11 laptop is different to my desktop rig

And maybe your language is different (not to be confused with locale). So my web content request is en-US, en.

I don't see why anything else should be different: FYI here is my windows 11

  • user agent: Mozilla/5.0 (Windows NT 10.0; rv:124.0) Gecko/20100101 Firefox/124.0
  • HTTP_ACCEPT Headers: text/html, */*; q=0.01 gzip, deflate, br en-US,en;q=0.5
    • could be different to me or from earlier, maybe you changed it
  • plugins: hardcoded result if default enabled (which AF enforces)
  • timezone: 0 offset and timezonename UTC (hardcoded RFP)
  • screen size and color depth: 1600x900x24
    • could be different to me, also you may have disabled letterboxing?
  • system fonts: blah, see above: it says I have 32
  • cookies enabled: yes (maybe you blocked them in uBO or site settings)
  • supercookie test: yes yes no false true
  • canvas: randomized
  • webgl: d928a8c2420ac1b95e719f20d5d93341 <-- means it is disabled
  • webgl vendor & renderer : TypeError: e is null
  • DNT: true (because we are on ETP Strict)
  • language: en-US (see the accept header above)
  • platform: Win32 (FYI: it is always 32 on windows, despite being 64bit: from an old legacy flash issue)
  • touch support: 0, false, false
  • ad blocker: no javascript (uBO is enabled for the test)
  • audiocontext: 35.749972093850374 (this is what x86 + amd report)
  • cpu class: n/a (not a gecko thing)
  • hardware concurrency: 2 (hardcoded RFP)
  • device memory: n/a (not a gecko thing)

FYI

my fonts: all of these are available in windows 7+

  • Arial Black can be problematic on first use and from memory this is one added via MS office etc, i.e not bundled with the OS
  • Helvetica is a FontSubstitute (reg entry) but a common one since Helvetica is a core font for all windows versions
  • Segoe UI variants Light/Semibold can be problematic on first use

only listing them for you if you want to compare against your own. The point is not that your fonts changed, but something may have changed (or not, maybe you just have always had something different but someone else in your buckets hasn't tested recently)

Arial, Arial Black, Calibri, Cambria, Cambria Math, Comic Sans MS, Consolas, Courier, Courier New, Georgia, Helvetica, Impact, Lucida Console, Lucida Sans Unicode, Microsoft Sans Serif, MS Gothic, MS PGothic, MS Sans Serif, MS Serif, Palatino Linotype, Segoe Print, Segoe Script, Segoe UI, Segoe UI Light, Segoe UI Semibold, Segoe UI Symbol, Tahoma, Times, Times New Roman, Trebuchet MS, Verdana, Wingdings

Thorin-Oakenpants commented 7 months ago

I do know the audio FP changed for ARM (I think this release from memory)

from previous comment. so I struck that out. The change was for x86/AMD which includes me, and I'm still 1 in 4.5k or whatever. ARM didn't change. So this is definitely a red herring when it comes to why EFF is spewing even more BS than normal

joes0451 commented 7 months ago

Hey,

I just wanted to let you know that in my case it went to "unique", and that indeed the changes I made to user.js didn't have much to do with fingerprinting, but I listed them so you would know what they were. I'm using Windows 10. Keep up the great work! Joe Siebenmann


Thorin-Oakenpants commented 7 months ago

sure :) I keep meaning to fill in this bit .. and I'm meant to be re-writing the Tor Browser fingerprinting docs ... and I thought I would do it all in one hit so to speak with a long blog entry (or several smaller ones) ... so I'll get around to it one day

Thorin-Oakenpants commented 7 months ago

for your amusement ... so I went back and did another coveryourtracks test. I haven't done one for months, until the one earlier

So earlier I was 1 in 4.5k. The new test was 1 in almost 12k. Which is nuts because 124 has only been out for a week so any old data being dropped should have made it better! not worse. Even if a heap more people tested today, it would take a lot to move the needle of the non-matches

by that I mean

Anyway ... back to the amusing part .. I kept repeating the test (closing FF and sanitizing in between: pretty sure they give you a cookie and if they re-ID you and you have the same FP they don't add it to the dataset)

one in 11845.19
one in 11148.47 (-697)
one in 10529.33 (-619) 78 less
one in 9975.37 (-554) 65 less > 13
one in 9476.75 (-499) 55 less > 10 > 3
one in 9025.52 (-452) 47 less > 8 > 2
one in 8615.73 (-410) 42 less > 5 > 3 [1]

[1] I did an estimate

So I think you can see where this is going. A few more tests and I'll be back to 1 in 4.5k. Or put another way, it only takes a few people with the same FP doing a few tests to make a mockery of this entropy

I could probably use this decreasing curve to determine the actual number of FPs in their set and how many match mine or how many more I need to get to 1 in 10 or whatever. I could write a script and run it for a week, that'll fuck everyone up ;)
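As an added illustration (not code from the arkenfox project or from EFF) of the falling readings in the comment above: if the site's "one in N" is simply the number of fingerprints in its dataset divided by the number matching yours, and each accepted repeat adds one to both counts, then two successive readings pin down both unknowns. That formula is an assumption about how the site computes the number; the page does not confirm it. Using the readings quoted above, the script estimates the matching count and dataset size, re-derives the rest of the series, and works out how many repeats it would take to drag the ratio down to a given value.

```javascript
// Added example, not arkenfox/EFF code. Model (an assumption about the site):
//   reading r = T / k, with T = fingerprints in the dataset, k = matches to mine.
// Each accepted repeat with the same fingerprint makes both T and k one larger:
//   r1 = T / k,  r2 = (T + 1) / (k + 1)  =>  k = (r2 - 1) / (r1 - r2),  T = r1 * k

// Estimate the matching count and dataset size from two consecutive readings.
function estimateBucket(r1, r2) {
  const matches = Math.round((r2 - 1) / (r1 - r2));
  const total = Math.round(r1 * matches);
  return { matches, total };
}

// Reading expected after n further accepted repeats of the same fingerprint.
function ratioAfter(matches, total, n) {
  return (total + n) / (matches + n);
}

// Smallest n that brings the reading down to "one in target" or below:
//   (T + n) / (k + n) <= target  =>  n >= (T - target * k) / (target - 1)
function repeatsNeeded(matches, total, target) {
  return Math.max(0, Math.ceil((total - target * matches) / (target - 1)));
}

// The seven readings quoted in the comment above, in order.
const READINGS = [11845.19, 11148.47, 10529.33, 9975.37, 9476.75, 9025.52, 8615.73];

function runEstimate() {
  const { matches, total } = estimateBucket(READINGS[0], READINGS[1]);
  return {
    matches,
    total,
    // what the model predicts for each reading, to compare with the site's values
    projected: READINGS.map((_, i) => ratioAfter(matches, total, i)),
    toPrior: repeatsNeeded(matches, total, 4500),
    toOneInTen: repeatsNeeded(matches, total, 10),
  };
}

const result = runEstimate();
console.log(`model: about ${result.matches} matching out of ~${result.total} fingerprints`);
result.projected.forEach((r, i) =>
  console.log(`after ${i} repeats: one in ${r.toFixed(2)} (site reported ${READINGS[i]})`));
console.log(`repeats to reach one in 4500: ${result.toPrior}; to reach one in 10: ${result.toOneInTen}`);
```

The projected values track the quoted series to within about one unit, which is what the model predicts if only a handful of other testers hit the dataset in between; the remaining drift is other people's submissions changing T without changing k.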

Thorin-Oakenpants commented 7 months ago

haven't been back since my past post - now I am one in 2238.5 ... at this rate, in a week, half the world will match me :) This is why small tainted datasets are utter BS

and my next visit I am one in 5082.14 .. the site is fucking whack for starters, but when it can't even keep its tainted numbers in line, it's just a meme/joke

Thorin-Oakenpants commented 7 months ago

Ha, worked it out

Sometimes it thinks my fonts are randomized, other times it doesn't. This is because some fonts, especially weighted ones (bold, light etc) in a font family don't change on first use in a session (but do get cached by the browser). Some sort of async fallback but for family variants. So here on the first page it doesn't load them, but on the third party test it does, so it thinks they're randomized

Arial Black, Segoe UI Light, Segoe UI Semibold

When it thinks I'm randomized (there is no extension or gecko code in the world that randomizes your fonts) I am more unique, to be expected given that it requires a session where a site hasn't tried to load one of those three variants (which are allowed in RFP font vis level) - and for myself, I'm always loading a local copy of TZP

So that's another lesson about these sites: how do you know the test is correct, and do you even know what the test is doing.
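An added example, not code from arkenfox, TZP or EFF, of the two font points made in this thread: that "detected" only means the measured size changed when the font was requested (so a Windows FontSubstitutes alias such as Helv is reported although no font of that name exists), and that a weighted variant can measure as the fallback on first use in a session and as itself afterwards, which a cross-run comparison misreads as randomization. The probe string, the generic fallbacks and every width in the simulated renderer are arbitrary choices for this example; the measuring function is injected so the same logic runs under Node against the simulation and in a browser against canvas measureText.

```javascript
// Added example, not arkenfox/TZP/EFF code. Width-based font probing: a
// candidate "counts" when text set in `"<candidate>", <generic>` measures
// differently from the generic family alone, for at least one generic.

// Assumption: probe string and fallbacks are arbitrary for this example,
// not the strings TZP or EFF actually use.
const PROBE = 'mmmmmmmmmmlli';
const FALLBACKS = ['monospace', 'sans-serif', 'serif'];

// Browser measurer: canvas text width at a fixed size for a font-family list.
function makeCanvasMeasurer(doc = globalThis.document) {
  const ctx = doc.createElement('canvas').getContext('2d');
  return (family) => {
    ctx.font = `72px ${family}`;
    return ctx.measureText(PROBE).width;
  };
}

// Core check: report a font when any fallback pairing changes the width.
function detectFonts(candidates, measure, fallbacks = FALLBACKS) {
  const baseline = new Map(fallbacks.map((fb) => [fb, measure(fb)]));
  return candidates.filter((font) =>
    fallbacks.some((fb) => measure(`"${font}", ${fb}`) !== baseline.get(fb)),
  );
}

// Simulated renderer (constructed data; widths are made up) with:
//  - an alias resolving to a real face, like a Windows FontSubstitutes entry
//  - a weighted variant that measures as the fallback until the session has
//    loaded it (settle()), mimicking the first-use behaviour described above
function makeFakeMeasurer() {
  const widths = {
    monospace: 100, 'sans-serif': 90, serif: 95,
    Arial: 90, Tahoma: 88, Consolas: 100.5,
    'Microsoft Sans Serif': 89, 'Segoe UI Light': 86,
  };
  const aliases = { Helv: 'Microsoft Sans Serif' };
  const lazy = new Set(['Segoe UI Light']);
  let settled = false;
  const measure = (family) => {
    const names = family.split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
    for (const name of names) {
      const real = aliases[name] ?? name;
      if (lazy.has(real) && !settled) continue; // not loaded yet: fall through
      if (real in widths) return widths[real];
    }
    return widths.monospace; // unknown family list: renderer default
  };
  measure.settle = () => { settled = true; }; // the async fallback completed
  return measure;
}

const CANDIDATES = ['Arial', 'Tahoma', 'Consolas', 'Helv', 'Segoe UI Light', 'Nonexistent Font'];

// Two runs in one "session" disagree only on the lazily loaded variant.
function runFontDemo(measure = makeFakeMeasurer()) {
  const firstRun = detectFonts(CANDIDATES, measure);
  measure.settle();
  const secondRun = detectFonts(CANDIDATES, measure);
  return { firstRun, secondRun };
}

if (typeof document === 'undefined') {
  const { firstRun, secondRun } = runFontDemo();
  console.log('first run :', firstRun.join(', '));
  console.log('second run:', secondRun.join(', '));
}
```

Note that Arial is only caught through the monospace pairing, because its simulated width equals the sans-serif fallback; that is why a probe has to try more than one generic family before concluding a font is absent. In a browser, `detectFonts(CANDIDATES, makeCanvasMeasurer())` runs the same logic against real rendering.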