Closed ghost closed 1 year ago
jakob11git
commented
1 year ago I see the same behavior in Tor Browser, so maybe that is intentional. Don't know the reason for this, though. On first thought it'd seem wise to have all MB users report the same values here.
Thorin-Oakenpants
commented
1 year ago Yes, it is intentional and part of RFP. Note, you can't hide the OS, even passively. In fact, some RFP protections return different results based on the OS (such as audio latency and indeed, look at your JS navigator properties). The HTTP header being different is that it targets passive logging (think if when you browse in safest mode) and raises the bar to determine the OS in that case
ghost
commented
1 year ago Thanks for the responses. I understand the principle of RFP and the nature to make certain values less unique and attempt to blend in with others. The properties such as navigator.userAgent and navigator.platform can indeed be changed and I was wondering if this was actually being done within this privacy-focused browser? It is also possible to modify the audio latency values but clearly, in such scenarios as gaming, delivering audio content, video calls and more could impact users drastically.
I get the balance between security, privacy, and usability factors. This will always be a balancing act because you don't want websites to display content for the user pertaining to the wrong operating system and causing havoc for users trying to get access to the required data. However, I think it would be a good option to have this as an additional setting so for those that want and need this type of additional control, as they would not be bothered as much having to manually make sure the data presented matches what their system requirements would be.
I also get that it can be quite difficult to completely control all the values being represented because operating systems and devices behave differently, each presenting opportunities to develop some form of fingerprinting data. However, what did shock me was the fingerprinting analysis screenshot I presented above basically stating, by using the time-zone UTC 00:00, this made the fingerprint instantly unique in nature.
Just one issue I have with many of these privacy-focused browsers is their use of promotional material and lack of further information to clearly state:
actually, we declare you can look like most other operating systems, but we CANNOT stop your true operating system from being reported
(letting the website know, you are indeed attempting to spoof the data, which could then result in additional fingerprinting actions being taken to try establish more data variables on the user - i.e., what are they hiding?).
It's all very interesting and gaining further knowledge on these topics is engaging and insightful to the challenges not just users are facing, but also privacy-focused software developers are constantly facing.
I guess, the only true way to stop this from happening is not allowing scripts to run at all but resulting in the majority of websites not functioning even to basic standards. There is the option to block all scripts and create your own whitelist as you browse the internet based on those websites you do trust (allowing scripts to run for those domains only). However, being able to monitor each website and maintain whether the site still follows the same practices would be a difficult task.
Eventually, it boils down to the 'trust' element and what data you are comfortable in sharing. Unfortunately, this does then tend to lead us down the road of extreme scales: to use or not to use debate (the all or nothing).
Appreciate your comments @yanagibashi-mt and @Thorin-Oakenpants
Thorin-Oakenpants
commented
1 year ago and I was wondering if this was actually being done
Yes. Certain values are always returned the same (my code for TZP to check RFP is being applied)
// RFP notation: nsRFPService.h
let oRFP = {
"android": {
"appVersion": "5.0 (Android 10)",
"oscpu": "Linux aarch64",
"platform": "Linux aarch64",
"ua_os": "Android 10; Mobile",
},
"linux": {
"appVersion": "5.0 (X11)",
"oscpu": "Linux x86_64",
"platform": "Linux x86_64",
"ua_os": "X11; Linux x86_64",
},
"mac": {
"appVersion": "5.0 (Macintosh)",
"oscpu": "Intel Mac OS X 10.15",
"platform": "MacIntel",
"ua_os": "Macintosh; Intel Mac OS X 10.15",
},
"windows": {
"appVersion": "5.0 (Windows)",
"platform": "Win32",
"oscpu": "Windows NT 10.0; Win64; x64",
"ua_os": "Windows NT 10.0; Win64; x64",
},
}userAgent (navigator + HTTP header) are being protected by RFP - navigator is limited to four responses, we are not trying to hide the OS (and we can't anyway) - it was found that limiting to two (android, windows) was causing breakage (we are after all, breaking web standards), so it was put back to four. But HTTP headers was kept at two for the previously aforementioned reasons
For Firefox (and maybe MB if they want it) this will be changed, as it still causes issues - see https://bugzilla.mozilla.org/show_bug.cgi?id=1826098 and https://bugzilla.mozilla.org/show_bug.cgi?id=1610762.
What would be better is if NoScript controlled the header based on the slider setting, but IDK where TB's reasoning lies on this exactly - I think they just want all passive logging to always reflect windows/android regardless
Thorin-Oakenpants
commented
1 year ago However, I think it would be a good option to have this as an additional setting
This is dangerous territory. Any change from allowing users to "tweak" what they want and do not want ruins the carefully crafted fingerprint and weakens the crowd. It's an all-in buy-in or nothing. This won't be the case much longer on Firefox, but it's essential to Tor Browser and MB
ghost
commented
1 year ago Thanks @Thorin-Oakenpants for the detailed response to my question. I am grateful for your time taken to respond to me about these important factors and the potential reasoning behind such decisions being made. It makes sense exactly for the reasons you have stated above. Appreciate the link to the code by the way.
I understand your concerns about allowing users to tweak the fingerprinting protections, as it could potentially weaken the crowd and compromise the privacy of users who rely on the browser for anonymity. I also agree that it's important to maintain a carefully crafted fingerprint that is consistent across all users.
Your idea of NoScript controlling the header seems completely reasonable based on the slider settings. I am always interested to learn about the data facts that were used to determine certain generalised behaviours regarding privacy settings, and the attempt to mitigate the potential for creating unique fingerprints of users.
I do believe MB is far more secure than the standard FF browser especially considering telemetry by default within FF upon installation (kind of defeats the objective and reminds me of MS tactics), and additional controls either off by default or completely removed. I believe MB is a really good step in the right direction moving forward which in my opinion, the standard FF is losing some form of privacy focus.
By these actions, it has paved way for such browsers as MB, TB, and Brave to really become an essential part of a user system and control mechanisms.
Again, I appreciate your comments and the information provided to me @Thorin-Oakenpants
Thorin-Oakenpants
commented
1 year ago I do believe MB is far more secure than the standard FF browser ...
please don't confuse security with privacy
please don't confuse "phoning home" such as telemetry as a privacy issue - many outbound calls are for security (extension blocklists, crlite, updates checks, SB updates - and all of them contain no PII and everyone does it (e.g. local files for sponsored/pocket) - there is no entropy. TB/MB simply do not need or require most of these outbound calls. I know of many Firefox devs, I have meet some in person, I have been to an All-Hands, and I have seen/read/scanned a lot (a bajillion giliion at last count) of bugzillas - Firefox cares about privacy, all of them, passionately. Don't listen to the crackpots
ghost
commented
1 year ago Don't listen to the crackpots
Fully agree there is much information out there that confuses, and uses nothing bu scare-tactics to change perceptions and behaviours to the author's preferred choices.
The confusion between privacy and security is very prevalent across many sources everywhere you look. I think there are still many software platforms that use telemetry measures to collect more than they should (including PPI). However, I am aware FF does this in a manner that preserves user privacy. However, because of the constant privacy invasive tactics employed across the board from other software packages, it can become much easier to feel the need to disable, stop, or develop an opinion of 'this should not be on by default'.
Something's I have noticed regarding FF, is upon updates, certain settings are reverted regarding the GUI, and even the Pocket icons reappear on the toolbar. I came to the conclusion that a more privacy-focused, let intrusive, and 'decisions remaining with the user' are more important.
However, I fully understand the primary focus of FF and the staff involved. I in no way would take away their commitment to retaining and protecting privacy for all using their browser. I have used FF for many many years now and fully recommend it to everyone I come across, both personally and professionally (even mobile and other portable devices).
Privacy-focused solutions have made a tremendous impact on protecting individual rights to privacy. The developers behind these solutions (including FF, TB, MD, Brave, LW, and AF) have tirelessly worked to create innovative technologies that prioritise privacy and security, while still maintaining the user experience. By prioritising privacy, developers such as yourself and those t FF have allowed users to safely navigate the internet without the fear of being tracked or targeted by malicious actors. Their work has made it possible for individuals to protect their sensitive data and maintain control over their personal information, giving users the confidence to engage with the internet on their own terms. Thanks to the dedication and hard work of these developers (yourself included), the public has access to powerful tools that provide a greater sense of privacy and security online, empowering users to take back control of their digital lives.
I am forever grateful to those whom focus on protecting the rights and privileges of others around privacy and security. I have long been an advocate for better security and privacy protections for all.
Again, I am appreciative of your time and detail you have provided within this thread. It just supports and demonstrates the commitment to a shared objective.
Thorin-Oakenpants
commented
1 year ago Something's I have noticed regarding FF, is upon updates, certain settings are reverted
then you're not doing it right. Firefox does not change modified prefs (unless a migration is needed which is super rare)
this is getting off topic, so I'm ending my comments unless relevant
ghost
commented
1 year ago then you're not doing it right
This is an automated process; no involvement from the user in general so blaming the long-term user is not a great approach.
It's important to note that browser updates can sometimes affect user preferences and settings, but it's not always intentional. Developers are constantly making improvements to browser features and security, which can sometimes lead to changes in how certain settings are handled. However, it's also true that some updates may cause unintended consequences, such as resetting user preferences.
However, I agree it is true getting off topic and did not mean for this to happen. Additional issues came to mind and nothing intentional to redirect the thread. Thanks for responding @Thorin-Oakenpants as your work is appreciated as always.
Thorin-Oakenpants
commented
1 year ago no involvement from the user in general
exactly, you're not doing it right. How do you expect mozilla's code to determine your intent. If you want to disable pocket, modify the pref
ghost
commented
1 year ago Just to back this up even though I agree, this is getting completely off topic:
Thanks for the input. Will refrain from off topic comments :smile:
I have tested the browser with many fingerprinting websites and most still detect the browser is being run on Linux even though the browser agent states, Windows. I can confirm, the browser is running on Linux Ubuntu 22.10 for this test performed.
This is a standard installation with no changes made. I tried new identities with the same issues.
Here is the current browser agent in this case:
Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0Also, a fingerprint analysis clearly states, 0.00% are using UTC-00:00 with Firefox 102 on Linux making it pretty easy to identify:
Not sure what is happening here but clearly, something is not functioning as it should. I can only assume the fingerprinting processes are running additional checks in Java, CSS property checking or other circumventions.
I have placed the browser in the
safer modeand Linux is still detected as the OS. I then placed the browser insafest modeand clearly, most things don't load and checks cannot complete due to blocking scripts etc.When in the
safest mode,mybrowserinfostates the same as above,whatsmybrowserstates Windows but nothing else as it needs JS,privacy.netdoes not load,coderstooldoes not load the data, andwhatismybrowserdisplays this:I think this demonstrates the fingerprinting techniques being used by websites are able to bypass protections from this browser instance by detecting something specific related to running it on Linux but setting the
user agentas Windows.UPDATED: It has already been confirmed below that the 'userAgent (navigator + HTTP header) is being protected by RFP' but there is no true, real way to protect the OS from being detected. This has nothing to do with Mullvad Browser or indeed Firefox in general. It is just how the OS and other systems respond.