Experiences with Hardened Firefox: share your thoughts

[Thorin-Oakenpants]

reddit post

I've bookmarked this, and opened this ticket as my reminder. Feel free guys 'n gals to post your experiences here or at reddit ...

Can someone with a reddit account let the reddit OP know the points below). It's always good to get feedback ? - TIA

Some comments for the reddit OP

• HWA is not disabled (not since the snappening and cleanup I did last year)
• RFP on non en-US builds only prompts for spoof_english and is not enforced
  • You can use RFP without the language/locale changes
  • Timezone is tied to RFP though: but you can use an extension to override it: i.e for site like concert times, sports kick-off times etc, or your gmail account where you can end receiving past replies from the future: i.e where you really want to be told the correct time as per your timezone (this has caught me out in the past and I missed events) - then use a whitelist to spoof the timezone as your real timezone. IDK if such an extension exists
• fonts
  • There is no RFP protection for fonts.
  • You can flip 1401 and instead try pref 1409 and manually in about:config put in the value Tor Browser uses for your OS. I say manually because it might contain non-Ascii chars like in the start of this Windows one: Arial, Batang, 바탕, Cambria Math, Courier New, Euphemia, Gautami, Georgia, Gulim, 굴림, GulimChe, 굴림체 . You can get the value by just looking in your Tor Browser.
  • I don't know if this will fix a lot of missing icons/glyphs that rely on system fonts (we're not blocking downloadable fonts), but it should help
  • Other than that, because I use 1401 and 1409: I see missing glyphs a lot: but I can guess based on the url link: and for sites I use a lot, I just know what they are now.
• reCAPTCHA hell - there's nothing that can be done: what's especially annoying is that the timing mitigations of RFP cause the whole exercise (where it replaces tiles) to go really slowly. Personally, I haven't had to answer a reCAPTCHA for about a year. I just refuse to use sites that use it. I know that's not possible for everyone though
• FPI: it's unfortunate that some sites use 3rd parties as some sort of 1st party login flow: the answer is coming - it's called dynamic FPI: but don't hold your breath
• clipboard events
  • it only breaks on some sites: e.g wordpress AFAIK, but not e.g on github
  • I'm actually wondering if this should be made inactive - see #887
• WebGL can be very high entropy
  • The threat is fingerprinting: depending on your setup (e.g. a hardened uBO/uMatrix setup), the existence of fingerprinting scripts is highly reduced
  • personally, I would use a dedicated profile/browser for entertainment purposes: DRM, netflix, widevine, webgl

As for the RFP effects on panopticlick, amiunique etc: ignore them. The data sets and entropy are tainted due to the nature of the sites, the type of people they attract (i.e they are not real world), the small sample sizes, the limited tests (in some cases), the users of said site making numerous repeat visits with various tweaks further poisoning the data sets, and other reasons which I can't be arsed going into... trust in math, science and logic and all is good. RFP is your only hope.

Compartmentalize

I have multiple other browsers: so if I need to, for really problematic sites I can just use e.g. Nightly (which is basically a very slightly UI tweaked profile, auto-sanitizing, with uBO as a bare minimum: it's my test version)

[crssi]

reCAPTCHA: if needed then if possible I use the audio and not tiles FPI: I use Temporary Containers in Auto mode. In my config left mouse click does not force new container, but middle does when different domain destination, so logins does not break and I use middle button a lot and I do not reuse tabs WebGL: doesn't CanvasBlocker deal with it good enough?

[Thorin-Oakenpants]

re 1409's whitelist - don't forget to add your firefox emoji font Twemoji Mozilla

[Thorin-Oakenpants]

oh well, that was fun. The reddit thread died, and only crssi mentioned his his workarounds / experiences.

@crssi I don't use CanvasBlocker, but sure, webgl canvas is protected. I'm not sure what else about webgl CB covers. RFP spoofs some values like vendor. So assuming RFp is still needed, then I assume you would set CB to block fake canvas (this way RFP still returns the white RFP canvas hash) and webgl canvas would not be covered/blocked by RFP and would thus get randomized IDK if that's possible in CB

@kkapsner

[kkapsner]

CB covers the image and also some parameters that make sense: https://github.com/kkapsner/CanvasBlocker/issues/329 You can also set values for the vendor.

[Jojuh]

Reddit OP here, thank you for the replies, especially about the RFP entropy. I understand that it is the best available solution for fingerprint blocking right now, but for me privacy is not black and white, I'm just trying to minimize the presence I leave on sites and so wanted to experiment what could cause me (or someone other) to NOT implement these solutions. Yes I agree that I maybe should be using something else for streaming, work stuff etc. but for now it is a matter of consistence. This is after all not my area of expertise so I'm thankful for guys like you who put an effort into this.

I'll have to check my settings concerning HWA and fonts, I'm kinda lazy in updating the user.js template so I might have some obsolete config going on with those. And I really need to figure a way to sync things between machines so I'm not lagging on settings.

reCAPTCHA: For me audio does not work. I have tried that with different settings enabled/disabled and it never works, just forces me on tiles. At least now I know why it is so slow (timing mitigation).

[crssi]

@Jojuh for audio to work I have override with

/* 2510  */ user_pref("dom.webaudio.enabled", true);

where CanvarBlocker comes to audio RFP rescue.

For any other overrides that I use, peek into my FF repo. 😉

[Thorin-Oakenpants]

re RFP

and other reasons which I can't be arsed going into

some more reasons I'll quickly mention

• the tests can be faulty
  • e.g both Panopticlick and amiunique give false positives on fonts: however, I think those false positives are consistent (somewhat: e.g if you have arial, you will always get arial baltic)
  • e.g. OpenWPM's audioContext test always returns ac-outputLatency as zero (unless RFP is on) which is incorrect
• the tests aren't very smart
  • fingerprinting likes stability but these all-inclusive entropy tests fuck things up
  • e.g. amiunique always includes the device ids of your media devices: but in Firefox these ids are temporary
• tests get out of date / misconstrue the danger
  • e.g amiunique misses audio tests because they are now behind a user gesture
  • tests should always present a worst case scenario so when you don't do that, it's misleading

I'll have to check my settings concerning ...

We have some cool things to reset things.

• pref cleaner scripts
  • basically: close FF, run the script and it will reset every pref in the user.js. Restart FF and the user.js reapplies those that are active

After the pref cleaner, which uses the user.js, there may be other things not in the user.js, and you can use our scratchpad-scripts

• removed items : resets items we used to have in the user.js - this is our only record of those. You don't need them and they are best left at default
• FF68-deprecated : will reset everything that is no longer used in FF68+: this used to all be in the user.js, but we've since archived large chunks of it out

[zdat]

I've been setting 1401 to 1, then using uBlock to block all remote fonts, then allow fonts for sites I choose on my uBlock rules. Is this a bad way of doing it, fingerprinting wise? I'll try and better understand what you suggest here because I always wondered why fonts are fine on Tor.

[Thorin-Oakenpants]

• 1401 is about fonts installed on your OS and is a direct device fingerprinting metric
• remote/downloadable fonts are about pulling content from a third party = possible tracking

Two totally different things

Edit: also depending on your extensions and their configs: there are CSP issues. See the wiki page on extensions: so personally I do not block fonts with uBO because of this

[zdat]

Thanks, I understand better now. So 1401 is allowing (or blocking) websites choosing fonts from your system to display the website. In 1409 you can choose which fonts a website has to choose from.

So can't you just list default fonts included in Windows 10 in font.system.whitelist to make it as generic as possible? Is that what Tor's font.system.whitelist does?

Edit: Here pretty much answers my question.

[Thorin-Oakenpants]

the whitelist pref was added specifically as part of the Tor Uplift: so yup, it's used by TB. Note that the values differ per major OS (windows, linux, and mac - and android I don't think uses one yet)

Firefox hasn't done anything with it yet, as it requires bundling fonts. However, this would increase the deployment size - and over 100's of millions of installs, (and updates?) this is rather major. So they were thinking along the lines of using kinto to download the fonts in the background if RFP was on. Note that the whitelist pref is not tied to RFP, but it would only be useful to those who are actually using anti-fingerprinting - and for FF users, the number of deployments over kinto would be small (not hundreds of millions)

Additionally, Firefox caters for a lot more languages than TB. TB only adds bundled fonts for the languages they support. So whereas on Windows, TB bundles 5 fonts (plus an emoji font they don't need to), FF might have to bundle 20 or 50 or more. And they would have to work out a new whitelist to cover all those languages.

In an ideal solution, OS fonts would be ignored for web content, and all fonts would be bundled, and there would be no whitelist - and everyone would have the same fonts regardless of os, and the same version of each font (because there is entropy in that as well: e.g unicode additions)

TB's font whitelist is not perfect (but it absolutely reduces the number of results per os). e.g:

• some windows users will report arial narrow and some won't - because the whitelist is listing font families, not individual fonts - and other factors such as GDI and DirectWrite change this
• different windows installs have different fonts
  • by this I mean the whitelist is small'ish with very common windows fonts, but it was created years ago. Since then a lot has changed
  • e.g. my windows 7 (bare metal) vs windows 10 (vm) has a huge difference
  • windows install configs come in a zillion locales
  • I can't be bothered to look up the source, but there is a ticket for mozilla to limit fonts to "system fonts" - i.e not installed (so it would not include crap from adobe or open office etc) - and this lead me to a discussion on github where a safari dev discussed that that couldn't make all safari users have the same fonts (and apple OSes are very controlled) simply because of the vast number of additional apple font packages and languages etc. And of course, shit has to be legible and end-user pleasing for apple. So even safari has font entropy

fuck .. i didn't expect to write a book...

---

I use the whitelist, it's fucking great. It won't make you the same as TB users (because you haven't got the bundled fonts), but it will severely limit the damage FP scripts can do. Querying huge fonts lists can be intensive: so most FP scripts use a small list

Do note though, that TB's whitelist doesn't even include the bundled emoji font TwemojiMozilla.ttf (which comes with Firefox and very recently on stable TB: before then it was EmojiOne). The name to add to the whitelist is Twemoji Mozilla

I also don't add the pref via user.js since it contains non-western chars

[zdat]

Thanks for the reply. Really all this font stuff is more than I'm willing to learn, especially when there's no end all solution yet.

Don't understand why there's no way to just use the standard fonts/families/whatever there is for a Win7/10 US Home, but I'll just know there isn't.

You can flip 1401 and instead try pref 1409 and manually in about:config put in the value Tor Browser uses for your OS. I say manually because it might contain non-Ascii chars like in the start of this Windows one: Arial, Batang, 바탕, Cambria Math, Courier New, Euphemia, Gautami, Georgia, Gulim, 굴림, GulimChe, 굴림체 . You can get the value by just looking in your Tor Browser.

Why would I remove these non-Ascii chars? Why not leave them in?

I added all the fonts in TOR's font.system.whitelist to Firefox's. amiunique.org is reporting more fonts than Fireofx though. (...and XX others compared to Firefox's ...and XX others). I pasted them in notepad and they are definitely the same. Any explanation for that? I tried adding it via about:config and I get the same result as adding via user.js.

Do note though, that TB's whitelist doesn't even include the bundled emoji font TwemojiMozilla.ttf (which comes with Firefox and very recently on stable TB: before then it was EmojiOne). The name to add to the whitelist is Twemoji Mozilla

What does that exactly do? Displays Emojis? But if I deviate from TORs whitelist wouldn't I be unique then?

Really I need a simple explanation for the best solution we have at the moment because this font stuff is a bit much for what I'm willing to learn about for now.

Thanks for your help.

[Thorin-Oakenpants]

Why would I remove these non-Ascii chars? Why not leave them in?

Sorry .. not sure if I used the right word: ascii. Maybe I meant ANSI

I'm not saying to remove anything. The user.js is an ANSI file, so it won't encode all possible characters and instead retain them as ?. So your pref would end up like this Arial, Batang, ??, Cambria Math. Open your user.js and paste 바탕 in and you'll see what I mean.

Maybe you can change the user.js to UTF-8 encoding, but I haven't bothered. And if you auto-update from the github repo, the one on here is not UTF-8

What I was actually saying was for you to apply the pref value directly via about:config if your whitelist contains any non-ansi characters

Don't understand why there's no way to just use the standard fonts/families/whatever there is for a Win7/10 US Home, but I'll just know there isn't.

Because no-one has collated any data on the thousands of combos of windows installs: major (7,8.1,10), types (home, pro, enterprise, lite), and languages/regions. I'm not an expert on windows installs - but like I said with the apple case: the difference due to languages used on the system greatly affects the fonts actually present: and even Safari's limiting to non-installed fonts still creates lots of entropy

• https://bugzilla.mozilla.org/show_bug.cgi?id=1388743
• https://bugzilla.mozilla.org/show_bug.cgi?id=1582687