Trace - good security addon? What do you think?

[ReporterX]

More powerful than CanvasBlocker.

Trace can protect against:

Canvas Fingerprinting (Video)
Audio Fingerprinting (Advanced)
WebGL Fingerprinting (New!)
JS Crypto Currency Mining
WebRTC Leakage
User-Agent Tracking (Advanced)
Hardware Fingerprinting
Browser plugin fingerprinting (Advanced)
Beacon Requests
Bad Top Level Domains
Hyperlink Auditing
HTTP Referrer Headers (Video)
Chrome Header Tracking
E-Tag Tracking
URL Tracking Parameters
Specific Tracking Cookies

It looks promising.

[KOLANICH]

JS Crypto Currency Mining Beacon Requests Hyperlink Auditing

μBO

Bad Top Level Domains

WUT?

WebGL Fingerprinting (New!)

NoScript

User-Agent Tracking (Advanced)

What do they mean?

Browser plugin fingerprinting (Advanced)

I am not using any plugins at least since 2008. And NPAPI is already removed from browsers.

HTTP Referrer Headers (Video)

claustromaniac/poop

URL Tracking Parameters

There are plenty addons and userscripts for that

[crssi]

@ReporterX A lot was written here already. The verdict is not promising.

@KOLANICH

WebGL Fingerprinting (New!)

NoScript

How NoScript fights against WebGL Fingerprinting?

[KOLANICH]

How NoScript fights against WebGL Fingerprinting?

just disables WebGL ;)

[crssi]

You do not need NoScript for that. Actually I really do not know why would you need NoScript for anything. ;)

[polyzen]

User-Agent Tracking (Advanced)

What do they mean?

Sounds like UA spoofing.

HTTP Referrer Headers (Video)

claustromaniac/poop

I've been using Referer Control, but apparently development is behind closed doors and the Fx development halted over a year ago. Will check this out, thanks!

Get Trace Premium

[Thorin-Oakenpants]

I'll put the conclusion at the top to save people reading: don't bother with Trace. There is almost nothing in there that is not already covered by prefs or Firefox, or covered (usually better) by other extensions

---

As discussed once before, just the interface and colors indicate (to me) someone with little experience in code, and I have to say, when they list Battery, alarms start to go off. Or to put it more mildly, as KOLANICH would say WUT?. Parts of the list smack of "trying to sound impressive". This is just the initial vibe I get from the whole thing. It's trying to do too much. The github repo can also tell a story (its been almost a year). But lets break some of this down (yes, I know not everyone wants to use RFP, but to me it's a no-brainer since it covers so much).

tl;dr: it does not inspire me with any confidence

https://github.com/jake-cryptic/AbsoluteDoubleTrace/

Redundant

• Beacon/'Ping' Requests
  • ping is disabled by default via a pref
  • beacon is disabled by a pref
• Hyperlink Auditing
  • prefetching is covered by pref(s)
• JS Battery API Logging
  • WUT?

Fingerprinting

• Canvas Fingerprinting
  • covered by RFP
  • note that RFP is still a work-in-progress, e.g WebGL readPixels
  • non-RFP, webGL users can use Canvas Blocker, see point below for audio
• Audio Fingerprinting
  • we disable audio: dom.webaudio.enabled
  • for those who don't disable it, I would rather they used CanvasBlocker. kkapsner's reputation is immeasurable
• Browser Plugin Fingerprinting
  • The only plugin allowed is Flash so entropy is not high (1bit, since metrics indicate 50/50)
  • RFP pref covers this
• Hardware Fingerprinting
  • RFP already does a lot of this, most RFP ALTs come from a now almost empty hardware section
  • I would need to look more into what exactly he is trying to protect here
• Screen Resolution Tracking
  • RFP covers this, esp 67+ when you can use letterboxing: mitigates chrome changes and many other issues (resizing, maximizing, full-screen). RFP also covers css media which extensions can't.
  • For those not using RFP, I'd prefer they used something like Chameleon where @sereneblue has a lot of reputation in my book as knowledgeable, approachable, makes fixes as fast AF, etc.
• User-Agent Tracking
  • RFP covers this, Use something like Chameleon if you must spoof. But again, non RFP users shouldn't really even bother trying to mask this, stable or esr is your best metric: no information paradoxes, no breakage, etc. I know most FP scripts don't try and dig too deep, but at the end of the day, you cannot hide that you are using Firefox, it's version, or the OS you are using.

Tracking

• Bad Top Level Domains, JS Crypto Currency Mining, Specific Tracking Cookies
  • feature creep. Not even sure what some of these mean (bad top level domains?). Just use FF's built in TP and SB, and of course nothing beats well maintained (by thousands of people) lists in uBO.
• Google Header Tracking, URL Tracking Parameters
  • utm's etc: already covered mostly by neatURL: single dedicated extension focused on one job. So adding Trace just for this is a waste of time.
  • what does google header tracking mean? Anyone want to find out?

Other

• WebRTC Leakage
  • we disable WebRTC by default
  • uM can also handle this
  • prefs can handle this
• HTTP Referrer Headers
  • uMatrix has a on/off per domain solution
  • Smart Referer is a dedicated extension with fine grained controls
• E-Tag Tracking
  • ever since we made this issue more mainstream with our header editing solution (and the ghacks article), every tom dick and harry extension now adds it to their core items. That's fine, but we already have two cool solutions
    • header editor: a tool that offers features for all of us not present in other extensions
    • etag stoppa by :cat2: (where is he, I fear for him)

[Thorin-Oakenpants]

The github page is not even in sync with the AMO one

• WebGL Fingerprinting (New!)
  • we disable webgl it in the user.js
  • Canvas Blocker already protects against readPixels
  • TB 8.5* now allows webGL, but blocks parts of it: such as readPixels
  • RFP will eventually get to this

Some some thoughts on that for now. WebGL is very high entropy. Anyone who needs it for particular sites, for now, should use a secondary browser/profile IMO

[ReporterX]

Bad Top Level Domains

WUT?

https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap

User-Agent Tracking (Advanced)

What do they mean?

User agent randomizer/spoofing, I guess.

URL Tracking Parameters

There are plenty addons and userscripts for that

What addons or userscripts are you using?

A point of notice: The more addons with similar features installed, you increase the chance of conflicts among different addons. They may not work properly.

[ReporterX]

The github repo can also tell a story (its been almost a year).

v2.2.6 12 days ago
It seeems the author is still maintaining the addon.

But lets break some of this down (yes, I know not everyone wants to use RFP, but to me it's a no-brainer since it covers so much).

RFP does not have good fine-grained controls. It is mostly all-or-nothing. RFP will break quite a few websites. This addon has a whitelist. You can control what is allowed in one site via interface. Easier to manage.

Google Header Tracking what does google header tracking mean? Anyone want to find out?

[ReporterX]

I tried this addon anyway. It doesn't hurt to try. One can always disable/remove it after trial.

There is a complete list of features offered in the addon.

You can click to see the explanation of every feature offered.

For the first time you run, it gives you three standard sets ranging from low to high protection, one-click set-up.

Trace Features

Canvas Fingerprint Protection Audio Fingerprint Protection WebRTC Protection Ping Protection Screen Resolution Tracking Protection Hardware Fingerprint Protection WebGL Fingerprinting Protection (Beta) Battery API Protection Network Information Spoofer

Advanced features

Referer Controller Cookie Eater Google Header Removal User-Agent Randomiser Proxy IP Header Spoofing getClientRects Protection JS Plugin Hide window.opener Protection (Beta) E-Tag Tracking Protection

Browser Settings

Network Prediction Hyperlink Auditing

Web Request Settings

Web Request Controller Bad TLD Protection URL Tracking Cleaner

Whitelist

[Thorin-Oakenpants]

didn't mean to imply it wasn't maintained: there are more "metrics" there than just updates

RFP does have some fine grained controls (per domain canvas). The thing is, either you buy into it totally (and properly: e.g enforced) or you're wasting your time. That's a pretty general statement and obviously there are many edge cases

example: time zone spoofing. If you use gmail, and log into gmail, then spoofing the time zone becomes kinda useless: it depends on other factors too: your gmail account might be a temp or anonymous one that doesn't link to the real you. OpSec factors abound. Additionally, it will screw up your email/calendar etc dates/times when using other (non-spoofed) apps, e.g gmail app on your phone, gmail on another browser. So something like this could get (and there is a bugzilla for it) a per site exception

But long story short, almost all RFP measures need to be enforced and unable to be over-riden by the end user. Most end-users have NFI of the ramifications. And there is even a bugzilla open for how to harden the RFP measures so end users can't fuck with them.

I am 100% in the boat with making end-users either be all-in or they can fuck off :) Sorry for the language. End users who only partially want features only ruin it for the rest of us. Lowering entropy requires everyone to have the same fingerprint. That said, usability is also important for uptake. It's a delicate process and no easy answers. There will always be trade-offs.

This addon has a whitelist. You can control what is allowed in one site

These have whitelists:

• Canvas (RFP, canvasblocker)
• Audio (canvasblocker)
• Referrers (uMatrix basic on/off and prefs for default values: Smart Referrer very fine grained)
• utms etc (neatURL)
• chameleon has whitelisting (i think) @sereneblue

These don't need whitelists

• beacon, ping, webrtc, UA spoofing (but can be handy for usability eg saying you're chrome for a google service)
• wow, the fact he even allows PING as allowed is ludicrous IMO. It's default off in FF since day 1 and no-one in the world has ever needed it on
• etag (IMO) - maybe useful or used by some really secure fingerprinting sites for verification
• screen resolution - maybe useful to fix breakage, but this breakage is caused by the method: RFP and TB use the inner window measurements and spoofs everything to that. Chameleon and others do the reverse, i.e they use an arbitrary screen measurement (e.g 1920x1080) and spoof inner window etc. I know which one will cause issues, and which won't.

I'll stop there. Most extensions or alternatives we already mention, have white/black listing. But for sure, depending on the end users needs, some whitelisting of some features are always useful.

---

OMG: cookie eater. So now it's trying to also remove cookies on demand? This AIO approach is becoming overkill IMO. Jack of all trades and master of none is a phrase that starts to spring to mind.

I also see DOMRect protection listed now: he's only listing getClientRects, so it would be interesting if he covered all bases, eg getBoundingClientRect. CanvasBlocker covers all of this.

[ReporterX]

• etag (IMO) - maybe useful or used by some really secure fingerprinting sites for verification

It can be used to track users without using cookies or even Javascript. https://lucb1e.com/rp/cookielesscookies/

OMG: cookie eater. So now it's trying to also remove cookies on demand? This AIO approach is becoming overkill IMO. Jack of all trades and master of none is a phrase that starts to spring to mind.

This is what the author said about this feature: "Trace protects you in a unique way, instead of deleting the cookies from your machine, Trace intercepts the network requests and reads the Set-Cookie and Cookie headers, evaluates their contents depending on your settings and then will deal with them appropriately. "

You can set to remove cookies based on different settings.

---

So it appears what Trace offers but is not covered by the recommended list of addons (without RFP):

• Screen Resolution Tracking Protection
• Hardware Fingerprint Protection
• E-Tag Tracking Protection
• Network Information Spoofer (or is there a pref to change this?)
• JS Plugin Hide
• window.opener Protection (Beta)
  • per site whitelist for each protection

[Thorin-Oakenpants]

Yup, I know what etag is, I was saying that whitelisting for etag protection might be useful

[Thorin-Oakenpants]

Ahh, OK, so its the same sort of cookie protection as uBO, and doesn't block JS reading and setting cookies

[Thorin-Oakenpants]

Network Information Spoofer

Its covered by RFP, and there's a pref for non RFP users (which is global not granular). It's also one of those things where I don;t think it needs to be granular

[Thorin-Oakenpants]

JS Plugin Hide

Are all the names changing on a weekly basis or something. Flash is the only plugin. Flash users are 50/50 in metrics (but yeah, Flash can leak extremely high font entropy as it also incorporates font order).

I am not interested in Flash protection TBH - flash users if they really need it, should use a secondary browser/profile. It is and always has been a huge attack vector in terms of security and FP'ing, and it is long overdue a death. I'm not going to encourage users for workarounds

[ReporterX]

Network Information Spoofer

Its covered by RFP, and there's a pref for non RFP users (which is global not granular). It's also one of those things where I don;t think it needs to be granular

What pref is it for non-RFP users? Thanks.

[Thorin-Oakenpants]

user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]

default false on desktop