Looking for new maintainer(s) for RAS

[dillbyrne]

Hello all

Firstly I want to say in advance that I wish to avoid a ublock/ublock origin situation so interested parties please keep that in mind.

I have stated before that I was not planning to port the project to web extensions due to various API limitations and lack of time and the fact I was spending the time I had having to fix the addon due to underlying browser changes rather than researching and adding new features (the fun stuff :smile: ). Anyway I'm not here to complain , I understand why mozilla is doing what they are doing and wish them the best of luck.

Now that that is out of the way, I would like to see the addon live on so that users can keep on using it. I have stated before that a team of people would be better suited to a project like this as it is a cat and mouse game with the fingerprinting / anti-privacy side and they have much more resources to throw at the problem.

I think @alct , @Noitidart and @Mylainos would be well suited if they are interested ? Others are of course welcome. Reply below and we can get the ball rolling.

Alct was responsible for the visual redesign of RAS and is involved with the Net Users' Rights Protection Association.

Noitidart is a member of the AMO review team and is a fellow addon dev with a lot of cool addons and a lot of addon development experience.

Mylainos took the initiative and has been working on a webextensions version of RAS for some time but it still requires the nightly version of the browser and an experimental plugin to allow modifications of preferences.

Any interested parties let me know and we'll take it from there. I will sign over the the addon on AMO so users can have a smooth transition to who ever takes over RAS.

For the record and for those who are new to the project, I intended to keep supporting it and improving it before web extensions and the unstable transition got it the way.

I will update this issue with news regarding new developers and what not.

Thanks for all the support along the way.

Dill

[Noitidart]

Thanks @dillbyrne for considering me qualified to help out. I really would love to someday. I am currently busy with a non-code/non-AMO related situation, so I can't right now, but I will definitely look back here after that settles out.

Quick question - is this message a call to put together a team which you would be apart of? Or are you looking to step out completely?

it is a cat and mouse game with the fingerprinting / anti-privacy side and they have much more resources to throw at the problem.

This is so true.

This is really a great addon. Webext has a lot of limitations that will interfere with this. Major props to @Mylainos for be courageous enough to try it out.

And major props to @dillbyrne for maintaining it and growing it to what it became.

[LimboSlam]

Hey @dillbyrne, I'm sorry to hear this. I hope development continues. So, I'll get the word out to some of my fellow add-on/extension buddies. :)

Also, whoever takes over as the new maintainer and decides to stick with the good old XUL/XPCOM, I would like you to know that there is always a place at The Pale Moon Project for this propelling technology.

[dillbyrne]

@Noitidart No problem. I hope it all works out for you :+1:

To answer your question I will be out of the picture but I would available to any person(s) who takeover if they had any questions.

For the user's sake I'm hoping to find others that would be interested in doing a webext version, either by helping Mylainos if he is still interested or building upon his work if not. Any sdk forks are a waste of time at this stage as they will be killed by the switch to web extensions.

@LimboSlam Thanks :+1: . This addon is not xul though. It is built using the addon sdk.

[Osahashi]

209,702 current users and there is no alternative to RAS. Please don't let it die guys! Over 200k people trust in you!

[Drugoy]

I'd rather see RAS officially freeze forever and let the new project have a name like RAS2, RAS+ or RAS-we (webextension).

Why?

Because not everyone is going to go along with mozilla's bullshit, many users will just stay with the older Firefox versions (that still have XUL support). And not just stay - even on new desktops they will install the same older Firefox version (again, just to have XUL support). There are also some 3rd party firefox-based browsers that appeared for the sole purpose to fight against mozilla bullshit.

In that case - those users wouldn't need to figure out what was the last version of RAS that was fully compatible with their browser and the new extension would get the new user base, even statistics would be more precise.

tl;dr: let RAS just die and let new separate extension appear.

[Drugoy]

Also, while we are at it... To whomever becomes the part of the new dev-team (I hope it will be a team):

Can we have RAS finally stop being a swiss-knife/all-in-one combine?

RAS stands for Random Agent Spoofer, one would expect it to change UserAgent of the browser randomly (following some rules, obviously).

What I really never liked about RAS is that it was more than just that and instead provided a bunch of features: some of them were very nice and some I didn't want to because I had a better add-on for that particular function.

Apart from spoofing UserAgent - it also was capable of spoofing referrer (the 'headers' tab in the extension's window). I use Referrer Control (it is abandonware too but it still [kind of] works [with some tricks]) to forge referrers in a smart way than RAS can.

And apart from that it was able to enable and disable various options of the browser, some of which are only accessible via about:config preferences (hidden or not).

Thus RAS's functionality can be decomposed into these three groups: spoof useragent, spoof referrers and tweak browser's options completely unrelated to useragent and referrer but are related to fingerprinting.

I'm asking you to please, please, please make RAS work only with user agent and nothing more. If you feel like other functions are important too - that's fine, I think so too, but they don't have to be a part of this add-on, in my opinion it would be way better if they existed as separate ones.

[RoxKilly]

Thanks @dillbyrne for making this addon. It was one of my great finds once I realized that there was more to the browser than the native experience (I don't think most people are even aware of addons), and it definitely helped sway the balance in Firefox's favor when I considered other browsers.

Best of luck with your future endeavors.

[grezovzky]

@Drugoy I think you have completely misunderstood what RAS is. It is NOT a user agent switcher/spoofer. Had you bothered reading the readme on its GitHub page you would have known that it goes beyond merely spoofing the user agent.

RAS is a privacy enhancing firefox addon which aims to hinder browser fingerprinting. It does this by changing the browser/device profile on a timer. Each browser profile has been tailored to match the actual values used by the target browser as much as possible, within the limits set by firefox.

[Drugoy]

@grezovzky

I think you have completely misunderstood what RAS is. It is NOT a user agent switcher/spoofer.

What does RAS abbreviation stand for?

[grezovzky]

@Drugoy The name is irrelevant because it's clearly stated that RAS is meant to do more than simply changing the user agent. As far as the name goes though, Random Profile Spoofer would be more accurate since what RAS does is change the complete browser profile to match another browser and/or operating system. If you want an addon that only changes the user agent then there are plenty of them for you to choice form. There's no need to cripple the functionality of RAS just for that.

Since this discussion is off-topic and it seems meaningless since you're unable to grasp the concept of RAS I won't be replying anymore.

[akwala]

I also recommend freezing the current version of RAS, like @Drugoy suggested. I am, at the moment, agnostic wrt Mozilla's addon development platform/infrastructure. The example I am thinking of is RequestPolicy, which was resurrected as RequestPolicy Continued. Since RAS would be ported to Web Extensions, this makes all the more sense, especially for those users who want to stick with the pre-Web Extensions version of Firefox.

[anatoli26]

@dillbyrne, thanks for this great add-on! This is the best privacy add-on I've found so far. Have you considered starting a crowd-funding campaign to finance the migration to WE?

@akwala, you can just fork the project and maintain it the way you wish. If there'll be use for the current non-ME version, someone would have to maintain it anyway (even for the most basic things), so if there's enough interest, IMO a fork with a new name would be the most appropriate solution.

[Atavic]

As a long time user who won't go onto the Webextensions bandwagon, I agree with @Drugoy & @akwala

[mylainos]

A lot of features won't work with WE because we can't change the settings anymore.

Should we rewrite everything to WE or should we progressively move part of the extension until being full WE?

[alct]

Hello,

RAS or, to avoid digressing about "is this a proper acronym or not ?", a "tool to help prevent browser fingerprinting" is much needed. It is needed in various aspects:

• scientific: gather scientific papers, research new fingerprinting techniques, counter-measures, document the process (there is no comprehensive knowledge base so far that achieve this goal) ;
• technical: implement these counter-measures into a cross-browser extension ; ask browser vendors to provide us with the right tools/API to achieve our goal ;
• political: raise awareness about the issue and help/encourage browser vendors to natively implement counter-measures.

I have no strong opinion about Web Extensions (WE) because I have little knowledge about this technology, I had the opportunity to discuss with Mozilla developers working on the matter on several occasions and they were always open to discussion and asking for feedback from the community about lacking API / functionalities. Before calling it bullshit or whatever, we should at least try.

On the other hand, we are not living in a bubble, there are other people out there working on this very topic and doing it in an effective way: Tor Browser devs, BrowserLeaks, Panopticlick,... We should try to gather forces.

This being said, I am willing to help for technical aspects related to UX/UI, for scientific aspects related to research and documentation, for political aspects (that's what we already do at NURPA).

To sum all this up, this is what I would suggest:

0. Given that people have shown interest to help/stay around to help, we should make some noise about the fact that RAS, an extension with around 170 000 privacy aware users, is looking for help (reddit, hn, various mailing lists,...) ;
1. We should gather a comprehensive and extensive list of functionalities needed by RAS that are not available as WE yet (@dillbyrne , I think that you are the best suited for this task) and get back to Mozilla about it ;
2. We should get in touch with Tor Browser, BrowserLeaks and Panopticlick/EFF to see how and if we can collaborate together ;
3. We should set up a new maintaining team ;
4. We should lay down a plan about the future of this "tool to help prevent browser fingerprinting".

What do you think?

Best, André

[Atavic]

André I wont say BS about Webextensions, but there are many points that stink about these 'improvements'

• a long paced effort by Mozilla to align Firefox with Google Chrome in both lack of features and stronger corporate control on browser modifications.

• added telemetry both direct and indirect through the various Safebrowsing efforts, and the appearance of entries like datareporting.sessions.current.activeTicks; 0which goes alongside with Windows 10 Telemetry OS.

[mylainos]

Here the list of features of RAS and the compatibility with WE.

When something won't work it will be marked like this:

Won't work Feature

A tick mean it's sure and nothing mean we need to search more (what the feature does or what API or workaround can be used).

Your help is welcome :wink:

Profile

• [X] Work with webRequest

Headers (by modifying the header with webRequest)

• [X] Disable Authorization
• [X] Enable DNT (Do Not Track)
• [X] Spoof If-None-Match (ETags)
• [X] Spoof Via using a ***
• [X] Spoof X-Forwarded-For using a ***
• [X] Disable Referer (with privacy.websites.referrersEnabled - not supported in Firefox wet - but maybe with webRequest)
• [X] Spoof Source Referer
• [X] Spoof Accept
• [X] Spoof Accept-Encoding
• [X] Spoof Accept-Language as ***

Options

Script Injection Options (No need to change something from the current implementation)

• [X] script injection (with content_scripts in manifest.json)
• [X] Screen size spoofing
• [X] Protect window.name
• [X] Disable canvas support
• [X] Limit tab history to 2
• [X] Block plugins

Standard Options (Most will work with script injection, and a lot implementation are already done by dillbyrne)

• [X] Limit detectable fonts
• [X] Disable local dom storage
• [X] Disable browsing and download history
• [X] Disable memory cache
• [X] Disable disk cache
• [X] Enable geolocation (can't use a particular service *** I think)
• [X] Disable link prefetching and DNS prefetching (both or none with privacy.network.networkPredictionEnabled)
• [X] Disable webGL
• [X] Disable webRTC (possible to disable the leak of local address with privacy.network.webRTCIPHandlingPolicy)
• [X] Disable pdfjs
• [X] Disable search suggestions
• [X] Disable dom performance
• [X] Disable dom resource timing
• [X] Disable dom user timing
• [X] Disable battery api
• [X] Disable gamepad api
• [ ] Use click to play for plugins
• [X] Block active mixed content
• [X] Block display mixed content
• [X] Disable browser pings (with privacy.websites.hyperlinkAuditingEnabled)
• [X] Disable web beacons (with webRequest but it's maybe not the efficient way)
• [X] Disable clipboard events
• [X] Disable context menu events
• [ ] Enable tracking protection
• [X] Disable CSS visited links

Cookie Options (Self-Destructing Cookies might do a better job here)

• [ ] Cookie Policy:
  • [ ] Allow all
  • [ ] Block all
  • [X] Block third party (with privacy.websites.thirdPartyCookiesAllowed - not supported in Firefox wet)
  • [ ] Allow third party from visited
• [ ] Keep Until:
  • [ ] They Expire
  • [ ] Browser is closed

Reporting Options (Pretty sure addons can't access webrequest of the browser)

• [x] Won't work Disable safe browsing (Google)
• [X] Won't work Disable safe browsing downloads check (Google)
• [X] Won't work Disable safe browsing malware check (Google)
• [X] Won't work Disable health report uploads
• [X] Won't work Disable telemetry reports

Whitelist

• [X] but not all features can be enable only for 1 website

[mylainos]

And Self-Destructing Cookies also need to be rewrite to WE.

[mylainos]

4. We should lay down a plan about the future of this "tool to help prevent browser fingerprinting".

I think the extension should be updated on AMO and we shouldn't create a new one because 170 000 users will be updated automatically and those who want to stay without WebExt can still have it, just need to set the right version in the compatibility version tag.

The cookies part should be dropped, people who want it will install an WebExt dedicated to that and people who don't want a "tool to help prevent browser fingerprinting" can still have a "tool to help manage cookies".

Look to new way or API that can help us fight browser fingerprinting, like contextualIdentities.

[dillbyrne]

@alct @Mylainos Glad to know you are both interested. My personal circumstances have changed such that I no longer have the time I used to , to devote to Addons. In essence I will be stepping away from the project but will still try to provide advice and PRs from time to time. Once things settle down I would most likely be able to contribute again more regularly as It is something I am passionate about.

To start I'll reply to @alct first

Given that people have shown interest to help/stay around to help, we should make some noise about the fact that RAS, an extension with around 170 000 privacy aware users, is looking for help (reddit, hn, various mailing lists,...)

This is a good idea. It is probably better to wait until we have discussed some issues here first and have a set plan in mind. We don't want a lot of users filling up comments with arguments for example

We should gather a comprehensive and extensive list of functionalities needed by RAS that are not available as WE yet (@dillbyrne , I think that you are the best suited for this task) and get back to Mozilla about it

The thing removing most of the functionality is the not being allowed to modify web extensions. This will not be implemented according to the links below

https://discourse.mozilla-community.org/t/webextension-read-write-access-to-about-config/12268

https://wiki.mozilla.org/WebExtensions/FAQ#Will_I_have_access_to_about:config_or_the_preferences.3F

I have not looked at WE as extensively as the (now old) addon SDK API but going forward I think we would have to write alternate API's for everything that is finger printable and inject them on every page or specific pages. Eg Canvas, WebGL, Audio, Date/Time and so on

So the bulk of the work will be the injection scripts. This approach would keep most of the functionality in the injection scripts and would then be less likely to break as long as mozilla left that particular API alone. General JS seems to be more accessible to the average web dev than addon code so that apporach might be more welcoming to devs too.

I was trying to take this approach with the current injection script with a separate scripts for each API.

We should get in touch with Tor Browser, BrowserLeaks and Panopticlick/EFF to see how and if we can collaborate together

I was aiming to implement as much of the tor browser design document as I could. Also mozilla is slowly integrating certain patches of the tor browser which we should benefit from as long as we don't need to set a preference for it.

https://wiki.mozilla.org/Security/Tor_Uplift

We should set up a new maintaining team

That is what this issue is for :)

We should lay down a plan about the future of this "tool to help prevent browser fingerprinting

I think rewriting offending APIs or at least privacy wrappers around them to strip them or randomize them of identifiable information would be the best approach,

If it is possible to use other scripts inside a content script in WE, Then have a main content script to check what addon specific options the user has chosen an apply the relevant parts of the script to that . This is how it is done now.

As for the future of the addon. I think it makes sense to use @Mylainos branch as the main one as the work has been started or we could make a RAS group and have it under that.

As I said before I would be happy to transfer the AMO account over to you both if you want to make a partial update with WE while the rest of the stuff is worked on.

From a brief read transferring preferences between Addons developed with the SDK to WE is not a straight forward process. Since most of the preferences will be lost anyway I would argue to start the preferences fresh. Normally I would argue against this as the it would mess with the user but in this case (WE) would couldn't change the preferences even if we wanted to.

As for the name It was something I came up with when I was developing it. It is a recognizable name now but if there was a better one proposed I wouldn't be against it, however I think it would be best to wait until a WE version has been released and has gained some traction before any possible re-branding or some users will think the project is dead

@Mylainos

I think the extension should be updated on AMO and we shouldn't create a new one because 170 000 users will be updated automatically and those who want to stay without WebExt can still have it, just need to set the right version in the compatibility version tag.

This makes sense although I'm not sure how we would handle reverting the now unusable about config preferences.

One approach is to put a big warning to before updating to uninstall the current version and the OnUninstall method will be triggered and reset all the preferences, the custom ones will then be removed at the next browser restart.

This would be the cleanest approach since we can't change them in a WE and since most of them will not be applicable in the new version.

The cookies part should be dropped, people who want it will install an WebExt dedicated to that and people who don't want a "tool to help prevent browser fingerprinting" can still have a "tool to help manage cookies".

I think the cookies should be considered in the future at least in a style similar to SDC. something like remove cookies for all sites that are not active on a profile change. This will allow sessions to persist and not log users out while limiting tracking via cookies.

Look to new way or API that can help us fight browser fingerprinting, like contextual Identities

Thanks for the effort you put forward with WE. :+1:

EDIT: fixed formatting

[Drugoy]

Seems like you already made your choice in favor of populism and becoming a combine. As a power user - this saddens me, that's the same approach Mozilla chose. I only hope that someone will write a better add-on to spoof UserAgents in a smarter way.

[Atavic]

People who finds these addons still useful can stay on Firefox ESR (I'll definitely do).

[Drugoy]

@Atavic what does Firefox's version have to do with add-on's version? If you stay on Firefox ESR your RAS add-on will get updated to the web-extensions version and you will lose functionality.

[anatoli26]

@Drugoy, just put the desired version of the add-on in the distribution/bundles or extensions directory where the executable is located. This way it won't be overwritten with newer versions.

[Atavic]

I mean that I don't update neither the browser nor the addons. I keep the ESR as is, in its current working state.

[Drugoy]

@anatoli26 @Atavic I know of that way to preserve the current versions, but it's not comfortable. You go to another PC and need to configure the firefox there. You install the desired ESR version and then have to guess the version that was best compatible with it.

[Drugoy]

This is what can happen to RAS on AMO if you don't let it die and update the existing add-on instead of forking it into a separate extension. Take a look at latest reviews there.

[Atavic]

@Drugoy That's the workaround (explained on top reviews from the AMO link) that I use for the addons I like.

[RdKoyoe]

so the question is who will be maintaining our great RAS?

ps: please dont let it die just like that

[danielcra]

I think the most valuable features in RAS are those based on HTML injection. Is HTML injection still possible with web extensions? If so, why not create a hybrid solution: a guideline how to do changes in about:config manually, plus a new add-on that injects HTML to randomize the return values of the various APIs? Some header spoofing on top and we are done, aren't we?

[Atavic]

Request Control Webextension: filters HTTP requests and trims URL parameters.

[RoxKilly]

My own approach to the demise of RAS has been:

• to use ghacks-user.js to control prefs (can't say enough how comprehensively awesome this is),
• to use uBlock Origin (hands down my fav extension) to cut down on scripting (denied everywhere by default),
• to use CanvasBlocker to deal with canvas fingerprinting, and
• to allow Firefox's privacy.resistFingerprinting config along with the ongoing implementation of the Tor Uplift project to take care of the spoofing and fingerprinting protection that RAS used to handle

[danielcra]

@RoxKilly: your proposal does unfortunately not cover font profiling, which is one of the biggest risks according to studies.

Another alternative is to use Torbrowser (without Tor network). Torbrowser eliminates font fingerprinting and most other loopholes, but having a Torbrowser signature not coming from a Tor exit node will in itself create a unique fingerprint.

[Atavic]

@danielcra maybe you'll find fluxfonts interesting.

[RoxKilly]

@danielcra My last point (privacy.resistFingerprinting and the Tor Uplift Project) will try to address font fingerprinting as Tor does, which is probably better than a WebExtension addon could do. see this issue

[danielcra]

There are at least three variants of font fingerprinting: 1) Read out a list of all installed fonts from the host. This is where fluxfonts will help. 2) Probe for a list of (potentially hundreds) of known fonts. Fluxfonts will not help because it creates fonts with fantasy names. 3) Render some text and read out the result, similar to canvas fingerprinting. Fluxfonts will not help here either.

https://browserleaks.com/fonts seems to do 2) and 3) and Torbrowser beats it apparently. Not sure how Firefox will do in the future. We have to wait and hope.

[mylainos]

It's possible to use webextension experiments on release, the experiment need to be on AMO. Maybe we will be able to change settings after all.

I've almost re-implemented the user agent spoofing feature, there just a problem with random platform UA and the exclusion of UA.

But as ghacks suggest, I think that changing the UA is not a good solution. I think it's better to have the same UA for everyone than to change it with random value.

I will update my repo and work on the referer header. I've seen that it's not possible to spoof ETags...

[kekkc]

It's possible to use webextension experiments on release, the experiment need to be on AMO.

Puh, great news. Thanks for the update.

I've almost re-implemented the user agent spoofing feature, there just a problem with random platform UA and the exclusion of UA. I will update my repo and work on the referer header.

Think you already mentioned every important feature to port in your summary https://github.com/dillbyrne/random-agent-spoofer/issues/544#issuecomment-298816252

Some thinks like the general referer are just settings "network.http.referer.XOriginPolicy" that might be handled directly with webextension experiments (should cover almost 50% of the current RAS), but maybe you can update your summary post with the points that are problematic or where you need support.

(At least I would be able to add the current related about:config settings for some things, if that'd be of any help ;) )

[ghost]

@Mylainos One of the major downfalls about RAS is the inability to spoof the order in which headers are sent. Browsers handle the ordering differently, so changing the UA string has the opposite intended effect - regardless of JavaScript being executed.

I think in order to go forward, we need to address the problems with JavaScript and shift away from changing the UA. This would be a drastic change from the original project - but perhaps @dillbyrne had the wrong idea about browser privacy as there are too many unique identifiers to spoof.

A more practical approach is for people to use the same profile, similar to how Torbutton is implemented in the Tor Browser.

[tdev100]

Please place and let this issue always on the top of all issues.

I or maybe anyone else interested would maybe not have written a request (as I did) if one had read this before. But also to have this topic in the state: discussion.

By the way: not nice to read this. I started to love it as my anti-fingerprint tool. Therefore I actual wanted suggest to add some of the other anti-fingerprinting tools features what I miss in the current RAS:

(and aside of this - maybe one of them is interested in maintaining!?):

• StopFingerprint plugin developers
• CanvasBlocker plugin developers
• ResourceURILeak plugin developers
• ... and other plugins against fingerprint/leaks I dont know

Someone already proposed it: combine forces. Maybe you could take all this fingerprint/leak plugin devevelopers together and form a new team for one single tool.

If development hopefully continous I want suggest following:

I would suggest to think if it is not better to make a new tool that way: Instead of a RAS (Random AS) make a CAS (Common AS) ! What I mean: I think the privacy is better protected if all users send in all circumstances the same profile instead of random profiles which are more or less still unique and thus trackable. Try it out: "am i unique" website

[ilikenwf]

Considering the implications of the directions Mozilla is taking lately, have any of you considered helping out with Waterfox by building the core functionalities into it's core as options?

If you could even build these features that UAS provides into the core functionality as privacy options, perhaps @MrAlex94 would merge them in? Doing it that way would negate the need to wait for/get adjusted the various APIs involved.

[dillbyrne]

@Mylainos Many people are interested in a web extentions version, It is ok to point people to your repo going forward ? as I intend to lock the issues on this repo soon as I'm no longer maintaining it.

I think in order to go forward, we need to address the problems with JavaScript and shift away from changing the UA. This would be a drastic change from the original project - but perhaps @dillbyrne had the wrong idea about browser privacy as there are too many unique identifiers to spoof.

@DrunkenSasquatch the point was / is to attack the fingerprinting process and make the data useless. The UA was just one part of it but much of the data is used together. the more readouts that can be faked or blocked the more useless that fragment of the fingerprint becomes.

With regards to profiles the intent was to have the community update them. This didn't happen as most people thought a profile was a user agent which is not the case for things like phones where the screen size can uniquely identify the model etc.

The key to successfully doing it is building it into the browser like brave is doing or rewriting offending JS API's and injecting the spoofed versions. I read a lot of different documentation and papers on fingerprinting as well as trying out the addon on many tests during development.

I would encourage everyone to try out brave and report any issues to improve it. They have the right approach, privacy by design.

[blubop]

This might be of some interest? If someone ever decides to make a webextension version of RAS you can probably reuse much from this one https://github.com/snapper26/shapeshifter or else it might serve as an alternative for those who will use Firefox 57+

[mylainos]

I think it's impossible to resist fingerprinting with a webextension, there's too much things that are inaccessible from a webext...

But mozilla is already working on this! See https://wiki.mozilla.org/Security/FirstPartyIsolation, https://wiki.mozilla.org/Security/Fingerprinting and https://wiki.mozilla.org/Security/Tor_Uplift/Tracking. It's far better than what's possible with an webext.

(To use these set to true the preferences at about:config?filter=resistFingerprinting and about:config?filter=firstparty or use a user.js file (this one for example))

So what I propose is to:

• help mozilla by trying and test fingerprinting techniques, fill the maximum of bugs and help them implementing the solution.
• improve or write new webext (like UblockOrigin, Decentraleyes, PrivacyBadger, NoScript, ...)
• write or improve a guide on how to resist fingerprinting on Firefox.

By the way, No Ressource URI Leak is no more needed thanks to resistFingerprinting.

What do you think?

(If some functionality of RAS are needed by someone, ask me, I will create a new webext.)

[kekkc]

Thanks for the info with resistFingerprinting mylainos (in general there are great additional scripts, tools & links in this report). Mozilla's Tor uplifting seems to go in the same direction as the Brave Firefox fork.

If some functionality of RAS are needed by someone, ask me, I will create a new webext.

In general I use the RAS core function mostly. Random user agents that also change the related JS properties like navigator.appName is unique and absolutely awesome. Apart from that I use

• Spoof X-Forwarded-For using a ***
• Referer X Origin Policy = Base Domain (only option that works with most sites, however some video sites or yahoo group images require the real referer, therefore a quick option in RAS is necessary)
• Some of the JS options in "Standard Options"

Do you plan on maintaining your WebExt fork? Do we have a possibility now to change settings & more impotantly, to spoof UA & JS properties?

[kekkc]

OK, 3 weeks until doomsday when RAS is completely disabled in FF 57. Here are all options that were used by RAS (go to about:config and copy your current values in a text file to restore at least some functionality later, values were extracted from lib\PrefServ.js of RAS 0.9.5.6):

• extensions.agentSpoof.xff
• extensions.agentSpoof.via
• extensions.agentSpoof.ifnone
• extensions.agentSpoof.disableRef
• extensions.agentSpoof.authorization
• extensions.agentSpoof.scriptInjection
• browser.display.use_document_fonts
• dom.storage.enabled
• browser.cache.memory.enable
• browser.cache.disk.enable
• geo.enabled
• network.dns.disablePrefetch
• network.prefetch-next
• webgl.disabled
• media.peerconnection.enabled
• plugins.click_to_play
• places.history.enabled
• pdfjs.disabled
• browser.search.suggest.enabled
• dom.enable_performance
• dom.enable_resource_timing
• dom.enable_user_timing
• dom.battery.enabled
• dom.gamepad.enabled
• security.mixed_content.block_active_content
• security.mixed_content.block_display_content
• browser.send_pings
• beacon.enabled
• dom.event.clipboardevents.enabled
• dom.event.contextmenu.enabled
• privacy.trackingprotection.enabled
• layout.css.visited_links_enabled
• privacy.donottrackheader.enabled
• network.http.referer.XOriginPolicy
• network.http.referer.trimmingPolicy
• network.http.referer.spoofSource
• geo.wifi.uri
• browser.safebrowsing.enabled
• browser.safebrowsing.downloads.enabled
• browser.safebrowsing.malware.enabled
• datareporting.healthreport.uploadEnabled
• toolkit.telemetry.enabled
• network.cookie.cookieBehavior
• network.cookie.lifetimePolicy

[anatoli26]

Hi @mylainos,

Thanks for offering to support some features.

My list is:

1. Randomize UA both in HTTP headers (U-A, Accept*, etc. + the order of headers, i.e. emulate the headers as a specific UA would send them) and to spoof accordingly what JS can access;
2. Spoof screen resolution (both display res & viewport size) with an option for random and for an exact value
3. Spoof time zone (random and exact value)
4. Options from RAS -> Options -> Standard Options: from Disable link prefetching to Disable context menu events
5. Protect from font fingerprinting (if it's not yet working in the new FF with the TOR uplift initiative)

What is NOT needed (already implemented and working fine on FF57): canvas (CanvasBlocker), referrer (Smart Referer), cookies (Cookie AutoDelete).

Maybe someone could mention other add-ons working with FF57 for some of the options from my list above.

[kekkc]

It's possible to use webextension experiments on release, the experiment need to be on AMO. Maybe we will be able to change settings after all.

1 week with FF 57 and I'm already tired toggling preferences in about:config. Was the Preference API ever proposed to Mozilla / reviewed or is there any chance that I can use this experiment in release to create a simple button to toggle preferences like "network.http.referer.XOriginPolicy"?

There are several UA and header spoof addons, but none work as great as these FF config settings. Nevertheless, these settings sometimes break sites and need to be toggled. I saved them as bookmarks to access about:config quickly, but entering values for each setting because of one temporary site is extremely strenuous :P

[anonsubmitter]

RandomUA is another option. You should set a version range in the add-on that the user agent rotates between, so this page makes the selection process a lot easier. These two pages also have browser version statistics.

[kekkc]

Don't know if anyone is still here. We don't get direct access to preferences, but Mozilla will verify each requested pref and provide an API eventually. There's already one bug for overriding navigator, but I think we need plenty more: Provide API to get and set override navigator properties https://bugzilla.mozilla.org/show_bug.cgi?id=1414078

Please open a new bug for prefs we need and make it block the tracking meta bug (I have no idea what other preferences RAS used internally for the actual spoofing https://github.com/dillbyrne/random-agent-spoofer/issues/544#issuecomment-338505030): [tracker] Implement WebExtensions API to give access to specific preferences https://bugzilla.mozilla.org/show_bug.cgi?id=1363856

Apart from that you can list the bug here. Please vote for the bugs then (also for https://bugzilla.mozilla.org/show_bug.cgi?id=1414078 , we definitely need that) to get a positive decision from Mozilla. @mylainos seems we don't get a preferences API, but the approved prefs above can then be changed via https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/types/BrowserSetting