Thorin-Oakenpants
commented
1 month ago and?
Closed mik0l closed 1 month ago
Thorin-Oakenpants
commented
1 month ago and?
mik0l
commented
1 month ago Why disable session tickets? In v107, the privacy issue to have been resolved https://bugzilla.mozilla.org/show_bug.cgi?id=1720601
Thorin-Oakenpants
commented
1 month ago we don't disable them ... we explicitly tell users not to fucking disable them - the entire 7000 section is commented out for prefsCleaner and titled DON'T BOTHER with [why] reasons
mik0l
commented
1 month ago Firefox disables this in private mode. The Label needs to be set to bug.
https://www.ssllabs.com/ssltest/viewMyClient.html
rusty-snake
commented
1 month ago I think you're on the wrong issue tracker for a Firefox "bug".
Thorin-Oakenpants
commented
1 month ago The tag needs to be set to bug.
what tag?
Look. Some websites, and especially when incognito/PB mode were introduced to browsers, wanted to punish users for using that mode, because it effectively hurt their advert tracking models (wah wah someone call a wambulance 🚑 ) - so they would restrict loading articles and so on with warnings. And they did this within levels of confidence.
So chrome introduced IDB in incognito mode to negate that, but it can still be deduced based on timing. Gecko followed suit recently - there's a whole meta on making PB mode behave more like normal mode. But the aim is not to make them identical - it is to eliminate the artificial pain points websites use to create friction. This includes getting service workers into PB mode, making clearKey user persistent mode (but ignore the flag and sanitize on close), and so on.
But there's always going to be something that can used to determine with some degree of confidence that you are in pb mode - such as FPP characteristics. This repo is not going to change prefs chasing some unrealistic FP - and especially not going to modify passive fingerprints in any mode.
There may be a reason why FF doesn't make this true for normal mode. Maybe they will if you ask them
mik0l
commented
1 month ago what tag?
The label name should have been set "bug". This also affects the Mullvad browser, as it always runs in private mode
Thorin-Oakenpants
commented
1 month ago This also affects the Mullvad browser, as it always runs in private mode
this is not an issue for TB/MB - all users look the same
It only becomes an issue if you are 1. using normal and pb mode and 2. for some reason you are trying to hide the differences. No-one is trying to do point 2 as an end-goal
Looks like the pref is active in private mode:
security.ssl.disable_session_identifiers= trueThis can be seen from JA3 fingerprint: https://browserleaks.com/tls