-
Notifications
You must be signed in to change notification settings - Fork 524
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
reminder: wiki page #1218
Comments
@youdontneedtoknow22 .. I'll answer here (rather than add noise at the other topic) ... and it fits this issue anyway
fxbrit and I haven't said much about it (we're both busy: one private post each on it), and I only stated part of the below in mine - I skipped the parts about FPing + entropy etc as assumed. So this is more of a third iteration, hopefully more structured. I'm sure fxbrit will chime in if he feels the need RECAP🔻 the real issue Users do not understand FPing (at least not fully), and they are not expected to. Users get upset at thing like breakage (fair enough), and unexpected consequences (like timezone, prefers-color). Or they don't even know that it's RFP doing it, or do not know about canvas exceptions, and create issues and complain etc. FAIR ENOUGH too .. no one told them anything about how this shit works or what to expect 🔻 the perceived issues Because they can't make exceptions (except site ones for canvas), they look to either abandon RFP or alter those things (e.g. Dark Reader) - which might make things worse, or not, depending on the metric and how they implement it. trying to equate 🔻 the reality RFP ultimately relies on numbers (see technical below about how everything is about lowering entropy), and uptake requires usability. Uptake in Firefox is a bit of a moot point - don't get me wrong, it has lots of benefits (e.g. timing attacks, and certainly can't hurt fingerprinting: you're unique if you do nothing). The reality is really one of threat modelling, and understanding that Firefox is not an enforced set of users like Tor Browser, and that other solutions to FPing exists (like blocking the scripts, and sucking in naive ones that get through) Dropping RFP means a user loses protection against naive scripts (canvas is a poison pill). They need to be given an alternative, that's all - tell em to use Canvas Blocker's canvas if they can't handle RFP
So there's a fine line between keeping robust protection, and users accepting what they get in return. RFP hasn't really changed for almost two years, since FF68. It took a break at Mozilla due to other priorities. At some stage (it absolutely has not been forgotten), the last pieces will be worked on - the aim is to get RFP front facing (a UI presence), increase usability (site exceptions?, less canvas breakage? better solutions for new window sizes, fixing blurry images, etc) and maybe turn it on for PB windows. Ultimately, they want to have a Tor Browser window mode (and Tor Project to stop putting out a Tor Browser) - these things all take time. Anyway, the answer to all of that is EDUCATION, and waiting for upstream solutions. Also see my post above about using extensions for select sites. Exposing RFP via the UI is great, and an opportunity to educate (with a learn more link) 🔻 proposed solution let the noisy uneducated great dirty unwashed plebs and luddite complainers about RFP have on/off toggles for parts of RFP (I'm simplifying - they did raise concerns, it's not final, they want to add locks etc) TECHNICALAnyway, away we go, some of which was in my private reply to fxbrit the proposed "solution" (of allowing users to opt into changing a RFP protected metric) is not a good idea on a number of levels
[1] entropy: everything is ultimate about lowered entropy, even randomizing. All randomizing can be detected, and rendered to a static value = lowered entropy via the same analyzed value PS: I typed this out for myself as much as for anyone else, it got a bit long, sorry, not sorry. Maybe I can't be assed adding a wiki entry |
Indeed. Using multiple profiles, or secondary browsers, is a legit method to reduce breakage - depends on the user's experience. So that could maybe be mentioned in the wiki page - I do need to keep it as simple and short as possible though. The issue is really about what users can live with in their everyday browsing
I'm not sure it can get any simpler: assess and either go with RFP or use a minimal effort via CB. Both do the same job at a minimum of fooling naive scripts that may run |
I don't want to get bogged down with detail. RFP and FPI fundamentally change the browser in big ways. WebGL is a single API - but yes, added specifically for FPing purposes - so maybe that can be added in the can't handle bit: i.e enabled webGL and install CB or something |
This is a draft - merge 4700's into 4600s - remove old numbers in the square brackets - remove notation of when RFP kicked in (that info is in 4500s) - since we now do not recommend this section - cleanup info on each release in README section - do away with one char flip - move 4616 to deprecated where it belongs - remove "optional if..." lines - start cleaning up references, descriptions to shorten the section - will list what I removed: e.g. bugzillas to when the pref was added are a bit useless todo / consider - 4600 title - 4600 section description can be a lot better - 4600 link to wiki page on RFP ( issue #1218 - that is, if RFP is not for you, then just use Canvas Blocker, which can leak but should fool naive scripts if any get thru etc ) - do we want to add dom.enable_performance_navigation_timing while these all fit together as "covered by RFP", some of these seem out of place - maybe we could split this into two - 4600: "optional without RFP" - these won't hurt RFP but they also won't help your fingerprinting - e.g. font vis, prefers-color, prefers-reduced-motion - 4700: "do not use EVER especially with RFP" - these will affect RFP, can break shit, etc, and won't help your fingerprinting - e.g. all the timing stuff, disabling APIs, etc - also. the webgl one seems a bit out of place since we disable webgl - we could always move some items back to their relevant sections as inactive with some sort of RFP tag/warning I'm not sure what's the cleanest way to convey this. Anyway, pushing a PR to get some discussion going
valid points for sure, but on the other end I would like to point out some disadvantages related to using something like dark reader (no knock on them in particular, just to be clear):
thank you for breaking that into more details (even more than our previous discussion), I need to let this breath and think more about this (me and the rest of the team) so this discussion is very appreciated. I did consider the fact that you are outside of the RFP-pack by changing that single pref but 'unusual set with extra unusual change' sounds worst. |
some quick notes
Extension detection is via two main methods
This is different to detection of spoofing/lies, but those too can be used to fingerprint the extension: e.g. how canvas is altered from a known canvas, what items are changed But after that it can become a bit of a game of number theory, trying to actually state X extension is used, because many extensions show the same symptoms, and multi extensions can be in play. It's also important to remember that some of these can be enabled for some sites and not for others, or the extension randomizes what it being altered - so it's not a perfect FP, but the science of linkifying FPs is a thing, so just because you differ across sites, they can still be linked Sorry, just dropped in after having a massive poop .. back to the Olympics .. so will add some MOAR later. I think the thing is either use RFP (with whitelisted select only sites for say dark reader, timezone if we can find an extension) or don't bother, just get a canvas + audio randomizer and be a happy little camper - and if you're not using RFP then prefers colors, timezone and shit don't matter etc = you do not need all these extensions, We shouldn't be sending mixed messages. I'm going to do my wiki page hopefully next week |
I've been using RFP for a long time without serious problems. However, one aspect not mentioned here: If I load with FF 90, e.g., https://www.deviceinfo.me/ it will tell me:
And in the user agent section it reports:
So on the one hand the user agent set by RFP is detected but also the real correct user agent/OS (with the incorrect FF version, though). Doesn't this add entropy? Perhaps not for Windows users but for users of other OSs. |
|
@rusty-snake : Thanks, I was actually aware of that. My remark was meant to add that aspect to this discussion (as it had been not mentioned before) and to raise the question if for non-Windows users it might be better to use Canvas Blocker instead. Thoughts? |
|
No. You can't hide your OS. And RFP is not trying to hide (and can't be either). As a set, all RFP users per platform are still identical |
@Thorin-Oakenpants - what do you mean by 'RFP + prefers dark'? is there some sort of native dark mode for the www at large that i missed? (slightly off topic): Dark Reader is a rather poor solution for making the web dark IMO - you'll find a ton of neg feedback regarding performance issues - Dark Background and Light Text is a better solution IMO - note that exactly NONE of these dark web add-ons work very well, but some work better than others |
It's not a Firefox thing - it's something LW wants to do (and in case anyone is not sure .. I find this really STUPID) For the record, I'm not advocating using any extension. Users should use RFP as is, not undermine it. But first they need to decide if they want or need RFP. If they don't, then there is nothing to discuss. If they do, then they need to accept the consequences. If they want to work around those consequences, then that's on them. The more I think about it, the more I'm not really interested in telling them the best way how TBH. |
@rusty-snake said:
that's the result of the Fedora-specific FF version right (the one that ships with the distro)? I wonder if that would be the same if one was to manually install the browser from Mozilla's website, I'd might have to check tomorrow. |
@fxbrit - firefox direct is not - the user agent changes come from distros because they feel the need to advertise themselves |
@Thorin-Oakenpants So here's my dilemma. I use RFP+FPI+Temporary Containers+Canvasblocker(faking all). I want every websites to get unique but random canvas as CB does. But if I use RFP in addition to it will it just rewrite CB and show all sites the Tor fingerprint? Also as all websites are in separate, temporary containers that is nuked when the tab/the browser is closed, maybe FPI is redundant. Unless FPI adds some extra benefit alongside Temp_containers and is perfectly fine to run together? Unfortunately I can't disable JS as it's a pain to reconfigure every sites I visit so I've chosen the CB way. Edit: Since JS reveals my OS anyway, I don't think using RFP just to spoof your OS to Windows is worth it. I want to keep the extensions as limited as possible. |
It doesn't "rewrite", RFP doesn't even release the canvas to WebExts, you need to set an RFP canvas site exception. There is no point in doing so unless to need to unbreak something, in which case CB then kicks in as fallback with subtle randomizing. not sure what you mean by "faking all" - I wouldn't fake anything already covered by RFP (but leave canvas on as fallback). Bad habit, bad practice
RFP doesn't just spoof your OS (it doesn't really), it has a lot of other protections. And extensions leak - your screen can be gained via css pseudo values, canvas, screen, useragent and more can leak via workers ... etc Up to you if you don't want RFP. In which case, yes, I suggest at least randomizing canvas and probably audio for good measure for any naive scripts that get through - but it's not foolpoof. But you're fucked anyway against an advanced script, so that's not the point of using CB
That's up to you and how you configure TC - see the wiki
personally, the repeat visit thing is a bit moot - except it's a great way to sanitize eg paywalls - did you change your IP (and cover ALL vectors)? You could also just use dFPI, it has shims and other benefits - it can't hurt, and TC probably also blocks those cross-site logins should you accidentally click a fuckbook button (but I'm sure you have uBO in some decent config anyway, if not annoyances list which removes, from memory, all those widgets) |
That's exactly what I mean, RFP doesn't even let sites to access my canvas, and I don't bother it to allow either (except some intrusive captcha like puzzle solving slider). I presume only then CB kicks in and randomizes a fake one. But doesn't it stand out more when one user is blocking all canvas extraction instead of giving out at least a fake one? Maybe I should make an exception for CB with RFP. I'm not sure, so would like your suggestions.
here's my CB config (what I mean by "faking" with CB)
that's indeed one of my use cases, bypassing soft paywalls and read limitations, TC works great for that. And of course I try to cover as much vectors I can, VPN with permanent killswitch and uBO with annoyances list. So, I guess my setup is alright now (RFP+FPI+TC+CB). All I need to be sure that should I use RFP with CB as usual or add an exception to make CB always randomize data. Thanks! |
Good. It's doing it's job then.
No one is blocking canvas extraction. RFP randomizes, CB randomizes. |
@Thorin-Oakenpants Thank you and cheers EDIT: I have found your answer at #767 (comment)... sorry to bother you. |
I'm not entirely sure of all the factors that effect textmetrics/domrect, and my gut instinct is it is mostly equivalency (of language). Maybe clear type, and subpixels (devicePixelRatio) play a role how many times do I need to say in this thread (and elsewhere) that if you're not using RFP then all you need is canvas and maybe audio. Read the wiki .. also the bit at the end tat says if you don;t use RFP you;re on your own. Extensions leak, but at least they'll fuck up naive scripts |
I am using RFP and TC, but not FPI. 😉 Thank you Pants. ❤️ |
So the next step I think is to merge section webrtc doesn't fit nicely here IMO ... I don't consider it a FPing item, but rather a leak (yes IP's can link data). And that's OK because the implementation page can say
Whaddaya think. I'm holding off on the FPI page, because it looks like we'll soon be able to move to dFPI with a hardened optional knob, FF94'ish at the earliest |
Am I right that ¹ This makes IP-based Geolocation more accurate and can leak your MAC-addr if you did not configured your OS to be privacy-friendly. |
IDK, @fxbrit knows way more than me about networking, but sure, some of these don't really achieve anything if you're not already hiding your real IP - but the same can be said for a lot of other items, like RFP. It's an assumption that you hide your digital IP footprints. They also don't cause any issues AFAIK left as are - except for |
imo it is mostly dangerous for non-vpn users that don't have privacy addresses configured by default, so it's mostly a matter of outside browser settings. it remains to be seen how many OSs / distros still ship without privacy addresses. I think privacy addresses are actually good, the linked myth number 5 bashes it because it makes net admins work harder: it is true, but who cares, the same could be said about ipsec for example. |
closing, this is being dealt with elsewhere and will land when it lands |
@Thorin-Oakenpants I just did a basic code search for this attribute in the repos of both Dark Reader, and Dark Background Light Text. DR: https://github.com/darkreader/darkreader/search?q=prefers-color-scheme DBLT shows no code related to this, but DR does. Does this mean it is safer to use DBLT? I use uBO in hard mode, if that matters. |
If something touches the dom it can be detected and measured. Why don't you test it. I do not care about people's obsessions with dark themes |
@rusty-snake I've read your comment. I'm just specifically asking if it's better to use DBLT over DR, since it doesn't touch the prefers-color-scheme value, which Thorin says is easily detected. I've quoted that part of the text, so I'm aware that advanced scripts may still detect the extension, which I hope will be mitigated by keeping uBO in medium (or stricter) mode. |
ATM Maybe (pants will likely not care and I actually don't care either). The question is, is this guaranteed or can any update of DBLT change the implementation (because of bug/feature) and become detectable like DR? |
And link to them in the implementation page. This is to help the user decide if they want these two things - i.e threat model, what it protects, what to expect in terms of usability/breakage. People seem to be surprised, and yet the list is really small, and can be worked around - everyone's mileage will differ
🔻 FPI
only breaks some cross site logins, e.g. SSOs - either use a different browser for those sites or switch to dFPI now that it exists - e.g. override recipe - pretty simple page
🔻 RFP
🔹 breakage (compat)
🔹 usability (not compat issues)
Of ~100+ things RFP protects, that's it (will be the other odd item). I'm sick and tired of people claiming (reddit a billion times) that RFP generally breaks everything. Timezone is not breakage. Using en-US is not breakage (and en-US is optional). Prefers light is not breakage. They are expectation issues, not breakage.
There are solutions, but first of all the user needs to decide if RFP is for them = threat model. If they can't handle minor things like looks and feel (prefers-light, non-native widgets, letterboxing etc : yes widgets is not RFP and LBing is separate: just pointing out other FPing examples) then maybe it's not for them. The FPing threat and what RFP can do also needs to be put into context. For most users, just randomizing canvas will achieve the same result in most cases: e.g. just use Canvas Blocker
And something should be said about not undermining RFP protected metrics - like installing Dark Reader. There are solutions - the user just needs to be selective
I laid out something like this for someone else, and despite talking about this shit for years, realized I didn't really have something about it here (it's mostly in the user.js if people looked) certainly not nicely all explained in a nice single wiki page
The text was updated successfully, but these errors were encountered: