rebrand RFP ALTS [was look at dom.enable_performance_navigation_timing] #1221

Closed
sr093906 opened this issue Jul 30, 2021 · 10 comments

Comments

@sr093906

dom.enable_performance_navigation_timing = false

saw it on https://www.privacy-handbuch.de/handbuch_21n.htm#29_07_21

@rusty-snake
Contributor

rusty-snake commented Jul 30, 2021

The arkenfox user.js uses RFP (unlike the user.js from privacy-handbuch.de) which reduces timer precision and enables jittering for javascript timers. I'm not sure whether dom.enable_performance_navigation_timing = false is FPable (i.e. adding it would have negative consequences) but it has no benefit IMHO.

edit: I always forget about RFP Alts

@Thorin-Oakenpants
Contributor

  • RFP mitigates a lot of timing attacks
    • one exception may be dom.enable_resource_timing see this comment
    • PerformanceNavigationTiming is disabled by RFP
    • you can test here - you need to reload the page for Performance Navigation Timing API changes to take effect
    • FF78+ 1511941 - tweaks the already mitigated API to return disabled
    • hence Tor Browser has dom.enable_performance_navigation_timing at default true and arkenfox doesn't have it
  • note: there are still ways to get high resolution timers despite TB's efforts and RFP, and is not something that is easily solved, e.g. see FuzzyFox

dom.enable_performance_navigation_timing would fit the 4600 section. It was introduced in FF58 I think, not sure what FF version RFP protected it: assuming I read FF78's 1511941 correctly. I'll have to check, maybe RFP mitigation was built into the patch that added the API in FF58. And I need that info in order to add it to 4600s

But I think anything outside of RFP is a waste of time: the RFP ALTS section doesn't achieve anything IMO. In terms of fingerprinting you're better off using an extension like Canvas Blocker and randomizing canvas and maybe audio for some extra depth. I do get that timing attacks covers more than fingerprinting risks - but disabling all these APIs generally just causes breakage. At this threat level the user should be using Tor Browser

So I'm actually in a mind to relabel the RFP ALTs section, strip it down a bit, and make it all inactive like the 4700's with a DO NOT USE warning and add "use Tor Browser if your threat model fits it... for FPing use CB"

@earthlng What are thoughts on

  • adding the pref to rfp alts
  • doing something about RFP ALTs

PS: I've seen that guide for at least five or six, it does seem to be maintained (e.g. FF85+ Total Cookie Protection), but it doesn't always revise what it already has, and there are quite a few dubious entries

  • screenshots, pocket, clipboard, OMFG extensions blocklist, all of safe browsing
    • I don't read German, so I'm not sure if those are extra suggestions with warnings or what, but they offer various levels of preconfigured user.js files. But when I see security being compromised as a default, and non-privacy items being added to a privacy project .. all I see is a guide that drank some cool aid isn't up to MY OUR standards
  • some cookie suggestions are whack: e.g. it suggests cookie lifetime at 2 (session only) and sanitizes all site data on close: which is duplicitous as well as limiting some functionality (session cookies block access to some shared workers + service workers)
    • IDK: maybe that's the plan, to stop some workers? There's a bit of labyrinth and weird side-effects with cookie settings + site data + storage quota + sanitizing
  • HOLY SHIT it promotes Waterfox and Palemoon

I'm not going to deep dive that guide.. the point is I do not trust anyone else, and some of the things there instantly raise flags for me (but overall it's not too bad from my quick glance). But I do my own research and get it from the source. I have a good relationship with a number of Mozilla devs and Tor Project people.

@Thorin-Oakenpants Thorin-Oakenpants changed the title Add One Entry to Mitigate Timing Attacks rebrand RFP ALTS [was look at dom.enable_performance_navigation_timing] Jul 30, 2021
@rusty-snake
Contributor

some cookie suggestions are whack: e.g. it suggests cookie lifetime at 2 (session only) and sanitizes all site data on close

FYI the changelog entry for this

There are two ways to delete the browsing history including cookies, cache, etc. While surfing you can call a dialog with SHIFT-STRG-ENTF, activate all checkmarks and all data will be deleted. Also, when exiting, one can delete all data. However, it is not enough to activate all checkmarks in the configuration to delete all data (bug or feature?) In addition, the following value must be set so that all data really disappear: network.cookie.lifetimePolicy = 2

Translated with www.DeepL.com/Translator (free version)

@rusty-snake
Contributor

adding the pref to rfp alts

As I understand your comment, this makes sense.

doing something about RFP ALTs

I would say to change this to "Use together with CB" and remove everything that is covered by CB.

@sr093906
Author

@Thorin-Oakenpants The guide suggests disabling screenshots, pocket, clipboard and extensions blacklist not enabling them, with a warning for setting 'dom.event.clipboardevents.enabled' to false.

It doesn't recommend Waterfox, and for Palemoon, it says

Palemoon is a Firefox fork based on an earlier version of the code. The developers take on new features of Firefox very conservative. The GUI is not chrome-plated but rather retro and the browser reacts faster than Firefox ESR.

I don't think it is a recommendation.

@rusty-snake
Contributor

The guide suggests disabling screenshots, pocket, clipboard and extensions blacklist not enabling them

and that's the problem.

@sr093906
Author

@rusty-snake With same configuration in this project?

/* 0515: disable Screenshots ***/
// user_pref("extensions.screenshots.disabled", true); // [FF55+]

// user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]


@rusty-snake
Contributor

rusty-snake commented Jul 30, 2021

Note: Some prefs in this user.js are only as a FYI there and some are there to tell people to not use them.

screenshots

commented

pocket

commented in 5000

clipboard

commented with SETUP-HARDENED

extensions blacklist

enforced as true

safe browsing

commented with WARNING

@Thorin-Oakenpants
Contributor

quoted translation

However, it is not enough to activate all checkmarks in the configuration to delete all data (bug or feature?) In addition, the following value must be set so that all data really disappear: network.cookie.lifetimePolicy = 2

This is why you want LSNG. The only bug I know that left some data behind was the one discussed here (I think it failed to clear localStorage from memory - I could replicate 100% of the time, the moz Dev couldn't) - see #1059 and #658 . LSNG fixes this.

Thorin-Oakenpants added a commit that referenced this issue Aug 4, 2021
This is a draft
- merge 4700's into 4600s
- remove old numbers in the square brackets
- remove notation of when RFP kicked in (that info is in 4500s)
- since we now do not recommend this section
   - cleanup info on each release in README section
   - do away with one char flip
   - move 4616 to deprecated where it belongs
   - remove "optional if..." lines
- start cleaning up references, descriptions to shorten the section
   - will list what I removed: e.g. bugzillas to when the pref was added are a bit useless

todo / consider
- 4600 title
- 4600 section description can be a lot better
- 4600 link to wiki page on RFP ( issue #1218 - that is, if RFP is not for you, then just use Canvas Blocker, which can leak but should fool naive scripts if any get thru etc )
- do we want to add dom.enable_performance_navigation_timing

while these all fit together as "covered by RFP", some of these seem out of place
- maybe we could split this into two
   - 4600: "optional without RFP" - these won't hurt RFP but they also won't help your fingerprinting - e.g. font vis, prefers-color, prefers-reduced-motion
   - 4700: "do not use EVER especially with RFP" - these will affect RFP, can break shit, etc, and won't help your fingerprinting - e.g. all the timing stuff, disabling APIs, etc
   - also. the webgl one seems a bit out of place since we disable webgl
   - we could always move some items back to their relevant sections as inactive with some sort of RFP tag/warning

I'm not sure what's the cleanest way to convey this. Anyway, pushing a PR to get some discussion going
@Thorin-Oakenpants
Contributor

Thorin-Oakenpants commented Aug 9, 2021

I'll just iterate all of this here so I can link to it later

current pr #1225

/*** [SECTION 4600]: NON-RFP
   [WARNING] DO NOT USE with RFP. RFP already covers these, and they can interfere
   [NOTE] These prefs will not help anti-fingerprinting. They are insufficient
   on their own, can cause breakage, and will make you stand out
***/
user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan");
/* 4601: spoof number of CPU cores [FF48+] ***/
   // user_pref("dom.maxHardwareConcurrency", 2);
/* 4602: disable Resource Timing API ***/
   // user_pref("dom.enable_resource_timing", false);
/* 4603: disable Navigation Timing API ***/
   // user_pref("dom.enable_performance", false);
/* 4604: disable device Sensor APIs ***/
   // user_pref("device.sensors.enabled", false);
/* 4605: disable remembering site specific zoom ***/
   // user_pref("browser.zoom.siteSpecific", false);
/* 4606: disable gamepad API to prevent USB device ID enumeration ***/
   // user_pref("dom.gamepad.enabled", false);
/* 4607: disable Network Information API [FF31+] ***/
   // user_pref("dom.netinfo.enabled", false); // [DEFAULT: true on Android]
/* 4608: disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API ***/
   // user_pref("media.webspeech.synth.enabled", false);
/* 4610: disable video statistics to mitigate JS performance fingerprinting [FF25+] ***/
   // user_pref("media.video_stats.enabled", false);
/* 4611: disable touch events: 0=disabled, 1=enabled, 2=autodetect ***/
   // user_pref("dom.w3c_touch_events.enabled", 0);
/* 4612: disable media device enumeration [FF29+] ***/
   // user_pref("media.navigator.enabled", false);
/* 4613: disable MediaDevices change detection [FF51+] ***/
   // user_pref("media.ondevicechange.enabled", false);
/* 4614: disable WebGL debug info being available to websites ***/
   // user_pref("webgl.enable-debug-renderer-info", false);
/* 4615: enforce prefers-reduced-motion as no-preference: 0=no-preference, 1=reduce [FF63+] [RESTART] ***/
   // user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF]
/* 4617: disable exposure of system colors to CSS or canvas [FF44+] ***/
   // user_pref("ui.use_standins_for_native_colors", true);
/* 4618: enforce prefers-color-scheme as light: 0=light, 1=dark [FF67+] ***/
   // user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
/* 4619: disable Web Audio API [FF51+] ***/
   // user_pref("dom.webaudio.enabled", false);
/* 4620: limit font visibility (Windows, Mac, some Linux) [FF79+]
 * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
 * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
 * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
   // user_pref("layout.css.font-visibility.level", 1);
/* 4650: navigator DOM object overrides
 * [WARNING] DO NOT USE: these prefs are insufficient and leak ***/
   // user_pref("general.appname.override", ""); // [HIDDEN PREF]
   // user_pref("general.appversion.override", ""); // [HIDDEN PREF]
   // user_pref("general.buildID.override", ""); // [HIDDEN PREF]
   // user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
   // user_pref("general.platform.override", ""); // [HIDDEN PREF]
   // user_pref("general.useragent.override", ""); // [HIDDEN PREF]


remembering that arkenfox is aimed at desktop and that all these alone are not enough, and you just end up standing out or breaking things

🔻 previously inactive (no change)

  • 4603 navigation timing api
    • made inactive a few releases ago as it's not enough to protect and caused breakage
  • 4606 gamepad API - was optional depending on your device
    • if you don't have a gamepad, don't disable it
    • if you have a gamepad plugged in, maybe it was for a different browser/game client, otherwise you meant to
  • 4607 net info api
    • effectively inactive: default false for desktop
    • you'll stand out on mobile: you're either going to be on wifi (at home etc) or cellular (on the road) .. maybe bluetooth
  • 4611 touch API - was optional depending on your device
    • if your desktop doesn't have touch, don't disable it
    • if you're on a phone, you'll want/need it
  • 4650 nav dom overrides
    • leaky AF

🔻 timing stuff (insufficient)
🔺 these aren't really going to do much without other timing mitigations e.g. from RFP and even then high-res timing can still be achieved. If a timing attack is your threat model, go use Tor Browser on safest

  • 4602 resource timing api
  • 4603 navigation timing api (which was inactive)
  • not listed - dom.enable_performance_navigation_timing from this issue
  • 4604 sensor api: motion high res time stamps

🔻 100% pointless

  • 4604 sensor apis - orientation is not a threat
    • desktops: are generally going to be landscape and not adaptive
    • mobile: you're adaptive, who cares: it doesn't mean anything
    • you're still going to reveal your screen/orientation without sensor APIs
  • 4613 media devices onchange event
    • detecting device changes is 100% pointless: it just stops sites knowing to re-enumerate
    • the issue is not onchange, it is enumeration
  • 4615 prefers-reduced-motion
    • default is no-preference, if you need reduced motion, then FFS, don't get epileptic
  • 4618 prefers-color-scheme
    • default is light, if you need dark, then FFS, don't get migraines etc
  • 4619 webaudio was explained in FYI: 2510: webaudio #1194
    • the number of Firefox results is very low: looks like about 3 for desktop see this

🔻 the rest: probably totally pointless
🔺 ^ the best you can do here is not break your experience, instead randomize canvas and audio for good measure with CB to fool naive scripts - this is a far superior solution to all these RFP "alternatives"

  • 4601 hardwareConcurrency at 2
    • especially weird on mobile
  • 4605 site specific zoom
    • changing zoom on select sites is not global: akin to allowing canvas on a few select sites
  • 4608 speech synthesis
  • 4610 video stats - I doubt anyone bothers
  • 4612 device enumeration
  • 4614 webgl debug info
    • we disable webgl
    • if you did enable webgl, then this isn't really going to help. Mozilla has already removed some entropy without RFP being involved, for example, see 1715690 .. one of a number of initiatives by Jeff Gilbert et al
  • 4617 system colors
  • 4620 fonts
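
A small audit for the "[WARNING] DO NOT USE with RFP" rule in the 4600 draft above, as an added example that is not arkenfox code and not part of the thread: it lists prefs from that section that are active in a user.js where privacy.resistFingerprinting is true. The function names, the sample input and the pref example.hypothetical.accept are constructed for illustration.

```javascript
// Added example (not arkenfox code): with RFP on, list active prefs from section 4600.
const RFP_PREF = "privacy.resistFingerprinting";
// Pref names from the 4600 draft above, plus the pref this issue asked about.
const NON_RFP_PREFS = new Set([
  "dom.maxHardwareConcurrency", "dom.enable_resource_timing", "dom.enable_performance",
  "device.sensors.enabled", "browser.zoom.siteSpecific", "dom.gamepad.enabled",
  "dom.netinfo.enabled", "media.webspeech.synth.enabled", "media.video_stats.enabled",
  "dom.w3c_touch_events.enabled", "media.navigator.enabled", "media.ondevicechange.enabled",
  "webgl.enable-debug-renderer-info", "ui.prefersReducedMotion", "dom.webaudio.enabled",
  "ui.use_standins_for_native_colors", "ui.systemUsesDarkTheme", "general.oscpu.override",
  "layout.css.font-visibility.level", "general.appname.override", "general.buildID.override",
  "general.appversion.override", "general.platform.override", "general.useragent.override",
  "dom.enable_performance_navigation_timing",
]);

// Drop /* */ and // comments but keep double-quoted strings intact, so a value
// such as "*/*" or a URL containing "//" is not mistaken for a comment.
function stripComments(src) {
  return src.replace(/"(?:\\.|[^"\\])*"|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g,
    (m) => (m[0] === '"' ? m : ""));
}

// Map of active pref name -> raw value text; a later line overrides an earlier one.
function activePrefs(src) {
  const re = /user_pref\(\s*"((?:\\.|[^"\\])*)"\s*,\s*("(?:\\.|[^"\\])*"|[^)]*?)\s*\)\s*;/g;
  const prefs = new Map();
  for (const m of stripComments(src).matchAll(re)) prefs.set(m[1], m[2]);
  return prefs;
}

// With RFP enabled, report every active pref from the NON-RFP list, whatever its value.
function auditRfpAlts(src) {
  const prefs = activePrefs(src);
  if (prefs.get(RFP_PREF) !== "true") return [];
  return [...prefs].filter(([name]) => NON_RFP_PREFS.has(name))
    .map(([name, value]) => ({ name, value }));
}

// Constructed sample input, not a real profile's user.js.
const SAMPLE = `
/* enable RFP ***/
user_pref("privacy.resistFingerprinting", true); // trailing comment
/* 4602: disable Resource Timing API ***/
user_pref("dom.enable_resource_timing", false);
   // user_pref("dom.enable_performance", false);
user_pref("example.hypothetical.accept", "*/*"); /* constructed pref and value */
user_pref("dom.webaudio.enabled", false);
`;
console.log(auditRfpAlts(SAMPLE));
```

The audit flags presence rather than value, so a listed pref set back to its default is still reported for the reader to judge.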
