[Talk] alternative to plugins.enumerable_names

[berrythesoftwarecodeprogrammar]

mozilla removed the plugins.enumerable_names leaving people's plugins list exposed but in this thread some solutions were found: https://github.com/dillbyrne/random-agent-spoofer/issues/283

a user created a userscript which can easily be a noscript surrogate instead https://github.com/dillbyrne/random-agent-spoofer/issues/283#issuecomment-172157842

noscript.surrogate.noplugin.exceptions = ` noscript.surrogate.noplugin.replacement=Object.defineProperty(navigator, "plugins", {value: []}); noscript.surrogate.noplugin.sources=@^https?://`

this hides plugins from websites for noscript users. not sure if this is something to include in user.js but i hope people will find it useful

[berrythesoftwarecodeprogrammar]

it doesnt actually break anything though. i've yet to come across a website which relies on navigator.plugins to decide whether or not to show plugin content. plugins are also barely used these days. the most popular one is probably adobe flash and i havent seen a single flash website break with this hack. i dont think its used for anything except fingerprinting and thats what people are more worried about i think

and if one does ever stumble upon a website broken by navigator.plugins being empty, an exception can easily be added in noscript.surrogate.noplugin.exceptions. it accepts space separated domains e.g. .youtube.com .videosite.com :)

[L-a-n-g-o-l-i-e-r-s]

@CHEF-KOCH I am 100% sure that plugins can still be fingerprinted when not active and in click to play mode. I haven't tested disabled mode but probably. (I don't use user.js but I am reading into it to decide.) I wonder if there's some documentation kicking around here. I have many extensions that do things better without breaking them by disabling them like canvasing so yeah.. not related anyway.

Side note, some websites will default to html5 player if they cannot detect flash or ask you to install, but you can easily add exceptions for them. Porn sites are a good example.

[berrythesoftwarecodeprogrammar]

my method for hiding plugins works fine. ive only encountered 2 websites so far which i added exceptions for. you're right, most websites these days default to a html5 player or the built in firefox player now. flash is rarely needed to be enabled. and yes it can be detected while in click to play mode

[berrythesoftwarecodeprogrammar]

its not about distrusting plugins, its about websites being able to fingerprint you by knowing every plugin you have on your browser. they are detected even if they are click to play. they are only hidden from the list if disabled. and there are more plugins than just flash. google talk plugins, adobe reader, silverlight, java, IETab. the majority of websites dont need to know that you have ANY of these installed. the websites which DO rely on these plugins most of the time use better methods to detect/activate the plugins than going through the list that this disables. the majority of flash sites DONT need to see this list to use flash

so hiding this list from websites by default and having a whitelist is certainly the best way to handle this list, unless one doesnt care about their plugin list being leaked. of course this is a personal preference, so i never intended it to be an addition to user.js. i just see many people asking for alternatives to plugins.enumerable_names so i want them to be able to see my working method. ill close it eventually, or let pyllyukko close it

panopticlick.eff.org result before noscript surrogate:

Plugin 0: Google Talk Plugin Video Renderer; Version 5.41.2.0; npo1d.dll; (Google Talk Plugin Video Renderer; application/o1d; o1d).
Plugin 1: Google Talk Plugin; Version 5.41.2.0; npgoogletalk.dll; (Google voice and video chat; application/googletalk; googletalk).
Plugin 2: IE Tab Plug-in; IE Tab 2 Plug-in for Mozilla/Firefox; npietab2.dll; (IE Tab 2 Plug-in; application/ietab2; ).
Plugin 3: Shockwave Flash; Shockwave Flash 20.0 r0; NPSWF32_20_0_0_286.dll; (Adobe Flash movie; application/x-shockwave-flash; swf) (FutureSplash movie; application/futuresplash; spl). 

after:

undefined

of course it can also be modified to spoof plugin names or versions, whatever suits peoples preferences

[L-a-n-g-o-l-i-e-r-s]

@CHEF-KOCH specifically to your point, why give them an option? I'd rather not give them a slim chance something goes hokey pokey on my side or allow a website to have access to a piece of a bigger puzzle. We could debate panoptoclick until blue but the truth is, it was made because those things can be used. Is everything being used? Well, possibly not, but the trend suggests the more people blocking conventional methods the more they will use the unconventional methods.

Never forget that these companies spend millions if not more trying to exploit any seemingly benign feature for their own agenda. I see nothing wrong with an option to stop a browser from having loose lips that potentially sink ships. Not every plugin is like java in the way that it responds. (I presume this last bit.)

Opinions are divergent on this subject, however OP's goal is to inform people of alternatives to a preference that has been removed. (I would still be operating under the assumption that it worked if not for s/he.) For that I thank you @berrythesoftwarecodeprogrammar .

[L-a-n-g-o-l-i-e-r-s]

Oh, no, I agree it is optional.

I don't quite understand the first two paragraphs of your comment but... I would much prefer something that spoofs the information to be the most common average list, since firefox by default broadcasts this information to every website, if one user disables plugin announcements it could make them more unique, I believe that is also stated on panopto in generalized terms.

But the same can be said obviously of obscure/less known plugins that get announced making a user unique. I think anything that finger printable browser information should be randomized and or spoofed to the highest average, that would be ideal. I will be keeping my eyes on this in the future in hopes that someone with more skill than I comes up with a better solution. This is more a stopgap measure.

[berrythesoftwarecodeprogrammar]

you keep mentioning irrelevant things. there isnt any downside to blocking the plugin list from websites. you havent listed one real disadvantage

that site is also unable to fingerprint me properly

[L-a-n-g-o-l-i-e-r-s]

@berrythesoftwarecodeprogrammar just wanted to update and say that exceptions for the grease monkey variant do not work. I will try your noscript variant.

@CHEF-KOCH Mozilla and Google have given the clowns the key to the asylum and after much debate clown implementations have been made for user privacy. You're in clown town when you're using "protection" mode. Maybe if you wait a bit, the clowns will finish debating last years tracking mechanism and shake hands with other clowns like avalon. honk honk

In my opinion the users are more concerned about their privacy and the users drive the innovation because they are not mired down and beholden to a foundation or a company trying to make and spend revenue. That's the great thing about the freedom to choose what you want when you want. Another mans trash is another mans treasure, etc.

@berrythesoftwarecodeprogrammar How do I go about spoofing the plugins via noscript as you mentioned was possible? thanks (like different versions etc)

[berrythesoftwarecodeprogrammar]

@CHEF-KOCH so the only real downside you mentioned is websites complaining that a plugin isnt installed, for which i said there is a whitelist that can be used, and that the majority of websites dont even rely on that list for plugin detection. e.g. the majority of flash using websites just load the flash or detect it through other methods instead of using that list. this is an optional method for power users, not the kind of person who will disable the plugin list and then fall for a fake plugin notice on a sketchy website

its a personal preference thing. you can choose to use it or you can think it doesnt do much for you and rely on browser vendors etc to do everything for you

@L-a-n-g-o-l-i-e-r-s i havent tried the userscript, i only use my noscript surrogate and can confirm that the whitelist works. the spoofing however i haven't been able to figure out yet as i am not that experienced with that sort of javascript. but i'm sure it is possible. hopefully somebody can figure out how the Plugin and PluginArray objects work and be able to write a line which can spoof the list or modify the list. but for now, at least in my case, hiding the list from all websites and showing it to the merely 3 websites ive found which rely on it, has been a good solution

[pyllyukko]

@berrythesoftwarecodeprogrammar Thanks for this tip! I think we'll leave this trick out of the user.js itself, as I'd like to keep it mostly about Firefox's own stuff and not that much add-on related settings. But it's good to have it documented here.

Of course the best approach to all this would be to keep the count of installed add-ons in Firefox to minimum, so there wouldn't be that much to enumerate to begin with, but it's still good to be able to do this, as plugin/add-on enumeration indeed contributes to fingerprinting browsers.

[pyllyukko]

Related: Bug 1281963 - Hide navigator.plugins and navigator.mimeTypes when resisting fingerprinting (from #166)

[Thorin-Oakenpants]

Might make sense to note that 1281963 is still a work in progress

Edit: never mind that. The ticket is closed - man these guys are working fast. Guess it will land soon.

[Thorin-Oakenpants]

FYI: Flash when set to click to play now hidden from plugins + mimetypes

• https://www.fxsitecompat.com/en-CA/docs/2016/navigator-plugins-and-navigator-mimetypes-no-longer-list-flash-when-it-s-click-to-activate/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1186948

[Thorin-Oakenpants]

This can probably also be closed @pyllyukko - it's covered under resistFingerprinting

[L-a-n-g-o-l-i-e-r-s]

@berrythesoftwarecodeprogrammar Hello,

jscher2000 or "Jefferson Scher" added mimeType protection see here: https://greasyfork.org/en/scripts/18256-hide-all-plugins If the link is down :8ball::

// ==UserScript== // @name Hide All Plugins // @description Shows empty navigator.plugins and navigator.mimeTypes collections to selected websites // @author Jefferson "jscher2000" Scher // @namespace JeffersonScher // @copyright Copyright 2016 Jefferson Scher // @license BSD 3-clause // @include http* // @version 0.5 // @grant none // @run-at document-start // ==/UserScript== // See: https://github.com/dillbyrne/random-agent-spoofer/issues/283#issuecomment-163059386 Object.defineProperty(navigator, "plugins", {value: []}); Object.defineProperty(navigator, "mimeTypes", {value: []});

I copied the mimeType value from his script and edited your @berrythesoftwarecodeprogrammar noscript surrogate to include mimeType:

noscript.surrogate.nomimeTypes.exceptions = noscript.surrogate.nomimeTypes.replacement = Object.defineProperty(navigator, "mimeTypes", {value: []}); noscript.surrogate.nomimeTypes.sources = @^https?://

noscript.surrogate.noplugin.exceptions = noscript.surrogate.noplugin.replacement = Object.defineProperty(navigator, "plugins", {value: []}); noscript.surrogate.noplugin.sources = @^https?://

The NoScript surrogate way is the only way to get exceptions to work, exceptions will not work with the UserScript. I have tried. This is useful for folks whom don't want to enable privacy.resistFingerprinting because I have read it has caused problems in the past. (Unsure if this is still the case, I am also unsure if it included hiding/spoofing mimeTypes as part of privacy.resistFingerprinting's feature.)

I have no idea if webextension userscript managers are capable of changing these specific values any more, I'm using the last XUL/XPCOM GreaseMonkey, it can apply stuff to pretty much anything in the browser, using Waterfox here, at least for now. I'm also not sure if NoScript's surrogates for these values will have any effect as a webextension in the future, but I thought I would post this anyway. 🔎 🌵 😀 😅

Edit: changed @include to "// @include http*" in userscript paste, if installing from greasyfork, you will need to change it as well.