mullvad / mullvad-browser

Privacy-focused browser for Linux, macOS and Windows. Made in collaboration between @torproject and @mullvad
https://mullvad.net/browser

A few questions #294

Closed popogomo closed 1 month ago

popogomo commented 2 months ago

Hi guys,

Thank you so much for creating such a great browser. As a long-time Mullvad VPN user, I absolutely love the idea of this browser!

Now, I have a few questions regarding fingerprinting and hope you could shed some light on this. I think this will be useful for other users too.

  1. Will my fingerprint be affected if I install 1Password extension? If yes, how much will it affect the fingerprint? I rely on 1Password a lot as it makes my life so much easier (it's very inconvenient to copy-paste from the desktop app every time).
  2. Likewise, I want to add British dictionary for spellcheck. Will this also affect my fingerprint?
  3. What about setting uBlock to Advanced mode? My understanding is that adding/changing existing subscriptions will affect fingerprints, so I am happy to leave these as they are.
  4. Generally, are there any specific settings within Mullvad browser that can affect fingerprinting (apart from obvious ones such as use https in all windows or use permanently private mode)? For example, if I untick things in Search Shortcuts or untick "Search Engines" in Address Bar settings, will it be ok?
  5. I assume that with default Security level (Standard) most websites will work as expected so no breakage, correct?
  6. What if I customize the toolbar (like remove Clean Session button, etc)?

Thanks for this. I will appreciate your insights on these.

justin025 commented 2 months ago

  1. It is difficult to say, this depends on how the 1Password extension operates and injects itself into the page
  2. See above, generally the more extensions you add to a browser the greater you increase your attack surface and modify your fingerprint. I do know that Dark Reader modifies the browser's fingerprint on CreepJS. Similar to the Tor Browser, the Mullvad Browser (I believe) recommends keeping modifications to settings and extensions to a minimum to fit in with the crowd. You can test your fingerprint on the following website and see if any extensions or modifications affect it, https://abrahamjuliot.github.io/creepjs/
  3. Advanced mode itself will not affect the fingerprint, applying new filters and rules will. Apply modifications at your own discretion.
  4. Modifications that affect how the webpage renders will affect fingerprint, such as letterboxing, WebGL, etc. Modifications that affect the UI / user experience in general do not affect the fingerprint, such as deleting search engines, moving toolbar buttons, enabling history to be cleared on exit, etc.
  5. Yes
  6. See 4

popogomo commented 2 months ago

> 1. It is difficult to say, this depends on how the 1Password extension operates and injects itself into the page
> 2. See above, generally the more extensions you add to a browser the greater you increase your attack surface and modify your fingerprint. I do know that Dark Reader modifies the browser's fingerprint on CreepJS. Similar to the Tor Browser, the Mullvad Browser (I believe) recommends keeping modifications to settings and extensions to a minimum to fit in with the crowd. You can test your fingerprint on the following website and see if any extensions or modifications affect it, https://abrahamjuliot.github.io/creepjs/
> 3. Advanced mode itself will not affect the fingerprint, applying new filters and rules will. Apply modifications at your own discretion.
> 4. Modifications that affect how the webpage renders will affect fingerprint, such as letterboxing, WebGL, etc. Modifications that affect the UI / user experience in general do not affect the fingerprint, such as deleting search engines, moving toolbar buttons, enabling history to be cleared on exit, etc.
> 5. Yes
> 6. See 4

Thanks a lot for clarification, helps a lot!

ruihildt commented 1 month ago

@Thorin-Oakenpants Anything else to add?

1z5q commented 1 month ago

Don't want to open a separate ticket, it's a really minor question I thought about while reading this thread :) Was wondering whether adding Mozilla's dictionary for spellchecking (not addon!) will affect my fingerprint? It should not, but... better ask the experts 😉. I mean this modification, here:

[Screenshot: 2024-09-24_180510]

Thorin-Oakenpants commented 1 month ago

dictionaries are fine

> Modifications that affect how the webpage renders will affect fingerprint

extensions don't have to modify the "webpage render" to create entropy - they can add entropy via pure JS such as checking prototype and proxy functions, unexpected values, unexpected properties, keys inserted after constructor, etc.

> I assume that with default Security level (Standard) most websites will work as expected so no breakage, correct

we would expect less breakage. Standard -> Safer disables about 8 extra things, which aren't super critical in terms of websites working, but may cause weird side effects (e.g. ion and jit are old-timey prefs not really tested anymore in production upstream). However, you will get "breakage" in both, depending on how you define breakage - we literally break web standards in hundreds of metrics

> are there any specific settings within Mullvad browser that can affect fingerprinting

The settings UI needs an overhaul as many items in it alter your fingerprint. This is an ongoing process with issues at Tor Browser. We can hide settings (e.g. RFP ignores the setting so this creates confusion that it doesn't work), or we can change their wording (theming's light/dark/use-OS-setting does not alter web content with RFP), or we could add warnings. The trouble is UX is swamped, and we can't just remove everything affected as it also includes accessibility (which is another large and complex issue). And UX is weary of removing user choices and driving people into about:config (which we plan to make the interstitial sticky per session with more information - i.e. warning and MOAR scary!!)

I don't expect any of this to get properly addressed until ESR140, where upstream Firefox will hopefully by then, have overhauled the entire Settings UI
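
The pure-JS tells mentioned in the comment above (non-native function source, unexpected properties, changed descriptors and key order), shown as a self-audit you could adapt to compare a clean profile against one with an extension installed. This is an added example, not part of the original thread and not Mullvad or Tor Project code; the helper names (`snapshot`, `audit`, `patches`, `runCase`) and the choice of `Date.prototype.getTimezoneOffset` are assumptions for illustration, and the expected results assume a V8 engine such as Node.js.

```javascript
// Added example. The three patches are constructed stand-ins for what an
// extension's injected script might do; they are not taken from any real extension.
const nativeRe = (name) =>
  new RegExp(`^function ${name}\\(\\) \\{\\s*\\[native code\\]\\s*\\}$`);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Record the pristine key order and descriptor of one method.
function snapshot(proto, name) {
  return {
    keys: Object.getOwnPropertyNames(proto).join(),
    desc: Object.getOwnPropertyDescriptor(proto, name),
  };
}

// List every difference from the clean snapshot that page script could observe.
function audit(proto, name, clean) {
  const desc = Object.getOwnPropertyDescriptor(proto, name);
  if (!desc || typeof desc.value !== "function") return ["missing"];
  const tells = [];
  const src = Function.prototype.toString.call(desc.value);
  if (!nativeRe(name).test(src)) tells.push("toString"); // source is not native
  if (hasOwn(desc.value, "prototype")) tells.push("own-prototype"); // unexpected property
  if (desc.enumerable !== clean.desc.enumerable) tells.push("descriptor");
  if (Object.getOwnPropertyNames(proto).join() !== clean.keys) tells.push("key-order");
  return tells;
}

const patches = {
  none() {},
  // Plain replacement function.
  replace(proto, name) { proto[name] = function getTimezoneOffset() { return 0; }; },
  // Transparent Proxy around the original.
  proxy(proto, name) { proto[name] = new Proxy(proto[name], {}); },
  // Delete and re-add the original function object.
  readd(proto, name) { const fn = proto[name]; delete proto[name]; proto[name] = fn; },
};

function runCase(kind) {
  // Work on a copy of Date.prototype's own properties so the real global stays untouched.
  const proto = Object.defineProperties({}, Object.getOwnPropertyDescriptors(Date.prototype));
  const clean = snapshot(proto, "getTimezoneOffset");
  patches[kind](proto, "getTimezoneOffset");
  return audit(proto, "getTimezoneOffset", clean);
}

for (const kind of Object.keys(patches)) console.log(kind, runCase(kind));
```

None of the three patches changes how a page renders, yet each leaves at least one observable difference, which is why a rendering-only check can miss an extension's footprint.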